User management overview

This chapter explains how to manage local and LDAP users for the Admin Portal. For information on managing local users in the System Manager, refer to the Ivanti EPMM System Manager Guide.

Types of users

Ivanti EPMM supports local users and LDAP users.

  • LDAP users are imported from your organization’s LDAP server. In most cases, you will configure an LDAP server and import LDAP users.

  • Local users are entities created in the local database. They are not known to the network or other corporate services.

    Local users are best for the following scenarios:

    • administration
    • testing

Local users created in the Admin Portal can be used for registering devices and accessing the Admin Portal and the user portal. Local users created in the System Manager can be used in the System Manager and the CLI.

The misystem user

The misystem user is a default Ivanti EPMM user that is used for the following tasks:

  • creating the default rules and policies
  • executing system maintenance tasks

This user is not listed in the Admin Portal, and it has no roles assigned to it.

Local users created during setup

The local user you define during setup actually results in two local users, one in the Admin Portal and one in the System Manager.

Though these two users start with the same name and password, they are separate users stored in separate databases. Changes made to one do not affect the other. For example, if you change the password for the Admin Portal user, the password for the System Manager user does not change.

Users and roles

Work with the following basic user and administrator types in the Admin Portal:

  • Device users: end users who use the managed devices (owned by themselves or the enterprise).

  • Super Administrators: manage devices and users throughout Ivanti EPMM. These administrators are assigned to the global space. The role that sets these administrators apart is Manage administrators and device spaces. Only administrators with this role can create and manage device spaces and assign roles and device spaces to administrators. Ivanti EPMM can have one or more Super Administrators.

  • Global Administrators: manage devices throughout Ivanti EPMM. These administrators are assigned to the global space and can be assigned any roles other than Manage administrators and device spaces.

    In order for users with global space permissions to see the App tab in the Dashboard, they need to be granted View App Dashboard permissions. See Viewing the App Dashboard.

  • Device Space Administrators: manage only the devices and users assigned to the device spaces to which they are assigned. For example, an administrator assigned to the Dallas Help Desk device space can only manage devices assigned to that device space. The roles that can be assigned to Device Space Administrators are limited. For example, Device Space Administrators, if assigned the correct role, can view configurations or apply and remove configurations from a label. However, they cannot create or edit configurations.

User roles and LDAP groups

In a large organization, assigning roles to individual users can be cumbersome. Instead, you can assign roles to LDAP groups or organizational units. By assigning roles to an LDAP group or organizational unit, you apply a given role to all the members of the group or organization unit at once.

Ivanti EPMM 11.2.0.0 and later releases support up to 15,000 LDAP groups. Earlier releases support up to 10,000 LDAP groups.

New restricted Manage Devices role created for remove and push profile actions

The Manage Devices role includes the permissions Push profiles, Remove profiles, and Update Intune Compliance Status. As an administrator, you can remove the Manage Devices role from a user and instead assign the Manage Devices Restricted role, which omits these three permissions. In addition to the restricted role, you can grant the three separated roles in any combination.

To add or remove these roles individually:

  1. In the Admin Portal, go to Admin > Admins.
  2. Select an administrator.
  3. Go to Actions > Edit Roles.
  4. In the Device Management section, check or uncheck any of the following roles:
    • Push profiles in device details
    • Remove profiles in device details
    • Update Intune Compliance Status for devices
  5. Click Save.

Enforce Single Session role and concurrent session control

Concurrent session control is applied to administrators by assigning them the Enforce Single Session role. The concurrent session control feature automatically logs off an Ivanti EPMM session if the administrator has logged in on another machine or browser.

An administrator can use multiple tabs of a single browser without being logged off. An administrator can also use multiple windows of the same browser on the same machine without being logged off.

To enable concurrent session control:

Procedure

  1. In the Admin Portal, go to Admin > Admins.
  2. Select an administrator.
  3. Go to Actions > Edit Roles.
  4. Select Enforce Single Session.
  5. Click Save. The role appears as Enforce single session (all spaces) in the list of roles for the administrator.
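The following added example models the concurrent session control behaviour described above (a login from another machine or browser logs off the earlier session, while tabs and windows of the same browser keep sharing one session). It is illustrative code written for this page, not Ivanti EPMM's implementation; the `AdminSessionStore` class, the `client_id` notion and the role table are assumptions.

```python
import secrets
from dataclasses import dataclass

# Role name as shown in the procedure above (hypothetical model, not Ivanti code)
ENFORCE_SINGLE_SESSION = "Enforce Single Session"


@dataclass
class Session:
    session_id: str
    admin: str
    client_id: str   # one browser instance on one machine; its tabs/windows share it
    active: bool = True


class AdminSessionStore:
    """Toy session store demonstrating the Enforce Single Session role."""

    def __init__(self, roles: dict[str, set[str]]) -> None:
        self.roles = roles          # admin name -> set of assigned role names
        self.sessions: dict[str, Session] = {}

    def login(self, admin: str, client_id: str) -> str:
        """Fresh login from a browser on a machine; returns the new session id."""
        new = Session(secrets.token_hex(16), admin, client_id)
        if ENFORCE_SINGLE_SESSION in self.roles.get(admin, set()):
            # Log off this admin's sessions on any other machine or browser.
            for s in self.sessions.values():
                if s.admin == admin and s.client_id != client_id:
                    s.active = False
        self.sessions[new.session_id] = new
        return new.session_id

    def open_tab(self, session_id: str) -> bool:
        """A new tab/window reuses the browser's session cookie; no new login."""
        return self.is_active(session_id)

    def is_active(self, session_id: str) -> bool:
        s = self.sessions.get(session_id)
        return s is not None and s.active


# Constructed role table: only alice has the Enforce Single Session role.
ROLES = {"alice": {ENFORCE_SINGLE_SESSION}, "bob": {"Manage Devices Restricted"}}
```

Creating `AdminSessionStore(ROLES)` and logging alice in from two different `client_id` values shows the first session become inactive, whereas bob keeps both.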