Providing secure access to Desktop and Mobile Helpdesk admins using Role-Based Access Control in MEM

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

By Pallavi Joshi – Program Manager | Microsoft Endpoint Manager - Intune

 

This article talks about using Role-based Access Control (RBAC) in Microsoft Intune to set up separate helpdesk roles for the Desktop team, which manages the Windows device estate, and the Mobile team, which manages the mobile device estate. RBAC in Intune helps you manage who has access to your organization's resources and what they can do with those resources.

 

With the rise in remote working, an increasing number of organizations are now managing their employees' mobile and Windows devices using Microsoft Endpoint Manager. This requires the helpdesk teams to work securely and productively in supporting end users in their day-to-day work.

 

Many customers that we work with have dedicated teams for managing Windows and mobile devices. Helpdesk admins on the Windows team manage only Windows devices, not mobile devices, and vice versa. By the end of this blog, you will be able to give these helpdesk teams access to only the relevant workloads, so they get a customized view of the devices they need to manage and are prevented from accessing devices outside their scope.

 

Steps to configure RBAC for Windows and Mobile Device Helpdesk team:

  1. Create Azure AD device groups for Windows and Mobile Devices
  2. Create Azure AD user groups for Windows and Mobile Helpdesk Admins
  3. Create scope tags and assign device groups
  4. Create Windows helpdesk admin role and add assignments
  5. Create Mobile helpdesk admin role and add assignments

 

Step 1 - Create Azure AD device groups for Windows and Mobile Devices

The first step in setting up RBAC is to create separate Azure AD device groups based on device OS type.

 

As an example, I have created three Azure AD dynamic device groups based on the property deviceOSType – Android Devices, iOS Devices, and Windows Devices:

 

[Image: Android dynamic membership rules]

 

[Image: iOS dynamic membership rules]

 

[Image: Windows dynamic membership rules]

Step 2 - Create Azure AD user groups for Windows and Mobile Helpdesk Admin

 

The second step is to create two user groups, one for Windows Helpdesk Admins who manage Windows devices, and the other for Mobile Helpdesk Admins who manage mobile devices.

 

As an example, I have created two Azure AD user groups – Windows – Helpdesk Admins, Mobile – Helpdesk Admins and added helpdesk admins to each of these groups:

 

[Image: Azure AD groups for the helpdesk admins]

 

Step 3 - Create scope tags and assign device groups

The third step is to create separate scope tags, one for each Operating System. The device groups created in step 1 need to be assigned to the respective scope tags.

 

As an example, I have created three scope tags – Apple, Android and Windows – and assigned the Android Devices group to the Android scope tag, and so on. This ensures that every device in the Android Devices group automatically gets the Android scope tag. Similarly, devices in the Windows Devices group automatically get the Windows scope tag, and devices in the iOS Devices group get the Apple scope tag.

 

The scope tags will be used in later steps to control the visibility of devices and other workloads for Helpdesk Admins.

 

[Image: Helpdesk admin scope tags]

 

Step 4 - Create Windows helpdesk admin role and add assignments

The fourth step is to create a custom role for Windows helpdesk admin and provide the permissions required by the helpdesk admin.

 

As an example, I have created the Windows Helpdesk role, given it Read permissions for all the workloads, and Wipe and Sync Device permissions under Remote Tasks. You can update the permissions based on your requirements.

 

[Image: Windows Helpdesk permissions]

 

Once the permissions are added and role is created, assignments need to be added to the role using the groups and scope tags created in the previous steps.

 

As an example, for the Windows Helpdesk role, I am adding a Windows Assignment. The Members of this assignment are the Windows – Helpdesk Admins group created in Step 2, the Scope (Groups) is the Windows Devices group created in Step 1, and the Scope (Tags) is the Windows tag created in Step 3.

 

[Image: Windows Helpdesk assignment properties]

 

This ensures that users in the Windows – Helpdesk Admins group can assign policies, configurations and apps only to devices in the Windows Devices group, and only if the role grants them the corresponding Assign permissions. In this case, we have not given the helpdesk role any Assign permissions, because we do not want them to be able to add or update assignments. The assignment also ensures that users in Windows – Helpdesk Admins can view only the objects that carry the Windows scope tag.

 

You can watch my Ignite session on Deep Dive into RBAC in Intune for deeper understanding on the topic.

 

Step 5 - Create Mobile helpdesk admin role and add assignments

The last step is to create a role for the Mobile helpdesk admin and give it the permissions the helpdesk admin requires. The process is the same as in Step 4; only the groups and permissions change, as required by the mobile device team.

 

As an example, I have created the Mobile Helpdesk role, given it Read permissions for all the workloads, and Sync Device permissions under Remote Tasks. Based on my customer interactions, I have not given the Wipe permission to the mobile helpdesk team's role. You can update the permissions as per your requirements.

 

[Image: Mobile Helpdesk role properties]

 

This document contains information about creating a custom role in Microsoft Endpoint Manager.

 

Once the permissions are added and role is created, assignments need to be added to the role using the groups and scope tags created in the previous steps.

 

As an example, for the Mobile Helpdesk role, I am adding an Android & iOS Assignment. The Members of this assignment are the Mobile – Helpdesk Admins group created in Step 2, the Scope (Groups) is the Android Devices and iOS Devices groups created in Step 1, and the Scope (Tags) is the Android and Apple tags created in Step 3.

 

[Image: Mobile Helpdesk assignment properties]

 

This ensures that users in the Mobile – Helpdesk Admins group can assign policies, configurations and apps only to devices in the Android Devices and iOS Devices groups, and only if the role grants them the corresponding Assign permissions. In this case, we have not given the helpdesk role any Assign permissions. The assignment also ensures that users in Mobile – Helpdesk Admins can view only the objects that carry the Android or Apple scope tag.
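The five steps above can also be scripted, which is how you would keep the configuration reproducible across tenants or departments. The following is an added example written for this page, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and the Intune beta endpoints. Assumptions: the signed-in account may create groups and Intune RBAC objects, the deviceOSType strings match your enrollment types (verify on a known device first), and the Microsoft.Intune_RemoteTasks_SyncDevice / Microsoft.Intune_RemoteTasks_Wipe action ids match what GET /beta/deviceManagement/resourceOperations returns in your tenant. Group and tag names are the ones used in the post.

```powershell
# Added example (not from the original post): Steps 1-5 via Microsoft Graph PowerShell.
# Assumptions are listed in the lead-in; action ids and deviceOSType values must be
# confirmed against your own tenant before running this.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "DeviceManagementRBAC.ReadWrite.All"
$graph = "https://graph.microsoft.com/beta"

# Thin wrapper so every Intune call is a JSON request to the beta endpoint.
function Invoke-Intune([string]$Method, [string]$Path, $Body) {
    $req = @{ Method = $Method; Uri = "$graph/$Path"; ContentType = "application/json" }
    if ($Body) { $req.Body = ($Body | ConvertTo-Json -Depth 10) }
    Invoke-MgGraphRequest @req
}

# Step 1: dynamic device groups keyed on deviceOSType. Check the OS string on a known
# device (Get-MgDevice ... | Select-Object OperatingSystem) before trusting these rules;
# the value differs between Intune enrollment and plain Azure AD registration (assumption).
function New-DynamicDeviceGroup([string]$Name, [string]$Rule) {
    New-MgGroup -DisplayName $Name -MailEnabled:$false -SecurityEnabled `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -GroupTypes @("DynamicMembership") -MembershipRule $Rule `
        -MembershipRuleProcessingState "On"
}
$winDevices = New-DynamicDeviceGroup "Windows Devices" '(device.deviceOSType -eq "Windows")'
$andDevices = New-DynamicDeviceGroup "Android Devices" '(device.deviceOSType -eq "Android")'
$iosDevices = New-DynamicDeviceGroup "iOS Devices"     '(device.deviceOSType -eq "iOS")'

# Step 2: assigned (static) user groups for the two helpdesk teams. Add members later with
# New-MgGroupMember -GroupId <groupId> -DirectoryObjectId <userId>.
function New-AdminGroup([string]$Name) {
    New-MgGroup -DisplayName $Name -MailEnabled:$false -SecurityEnabled `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '')
}
$winAdmins = New-AdminGroup "Windows - Helpdesk Admins"
$mobAdmins = New-AdminGroup "Mobile - Helpdesk Admins"

# Step 3: one scope tag per OS, auto-assigned to its device group so every device the
# dynamic rule pulls in gets the tag without manual work.
function New-ScopeTag([string]$Name, [string[]]$GroupIds) {
    $tag = Invoke-Intune POST "deviceManagement/roleScopeTags" @{ displayName = $Name }
    $targets = @($GroupIds | ForEach-Object {
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $_ } }
    })
    Invoke-Intune POST "deviceManagement/roleScopeTags/$($tag.id)/assign" @{ assignments = $targets } | Out-Null
    return $tag
}
$winTag = New-ScopeTag "Windows" @($winDevices.Id)
$andTag = New-ScopeTag "Android" @($andDevices.Id)
$appTag = New-ScopeTag "Apple"   @($iosDevices.Id)

# Steps 4 and 5: custom role = Read on every workload plus only the remote tasks the team
# needs. Read actions are discovered from the tenant (actionName "Read") rather than
# hard-coded, and no *_Assign/*_Create actions are granted, matching the post.
function New-HelpdeskRole([string]$Name, [string[]]$RemoteTasks) {
    $ops   = (Invoke-Intune GET "deviceManagement/resourceOperations?`$top=999").value
    $reads = @($ops | Where-Object { $_.actionName -eq "Read" } | ForEach-Object { $_.id })
    Invoke-Intune POST "deviceManagement/roleDefinitions" @{
        "@odata.type"   = "#microsoft.graph.roleDefinition"
        displayName     = $Name
        description     = "Helpdesk: read all workloads, limited remote tasks"
        isBuiltIn       = $false
        rolePermissions = @(@{ resourceActions = @(@{
            allowedResourceActions    = $reads + $RemoteTasks
            notAllowedResourceActions = @()
        }) })
    }
}
$winRole = New-HelpdeskRole "Windows Helpdesk" @("Microsoft.Intune_RemoteTasks_SyncDevice", "Microsoft.Intune_RemoteTasks_Wipe")
$mobRole = New-HelpdeskRole "Mobile Helpdesk"  @("Microsoft.Intune_RemoteTasks_SyncDevice")   # no Wipe for mobile

# Assignment = who (members) + which devices (resourceScopes) + what they may see (scope tags).
function New-RoleAssignment([string]$Name, $Role, [string[]]$Members, [string[]]$Scopes, [string[]]$TagIds) {
    Invoke-Intune POST "deviceManagement/roleAssignments" @{
        "@odata.type"               = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
        displayName                 = $Name
        "roleDefinition@odata.bind" = "$graph/deviceManagement/roleDefinitions/$($Role.id)"
        members                     = $Members
        resourceScopes              = $Scopes
        roleScopeTagIds             = $TagIds
    }
}
New-RoleAssignment "Windows Assignment"       $winRole @($winAdmins.Id) @($winDevices.Id)                  @($winTag.id)
New-RoleAssignment "Android & iOS Assignment" $mobRole @($mobAdmins.Id) @($andDevices.Id, $iosDevices.Id) @($andTag.id, $appTag.id)
```

Two design choices worth keeping even if you adapt the script: the Read actions are pulled from the tenant so the role does not silently miss a workload added later, and the remote-task list is the only place where the two roles differ, which makes the Wipe decision for the mobile team an explicit, reviewable line.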

 

Once the configuration is complete, you will notice that Windows Helpdesk Admins can view only Windows devices. They are unable to view mobile devices. They can sync and wipe Windows devices remotely. Similarly, Mobile Helpdesk Admins can view Android and iOS devices, sync these devices remotely, and are unable to view Windows devices.

 

Note – Intune RBAC permissions are additive. A helpdesk admin who is in both the Mobile Helpdesk and Windows Helpdesk roles gets the union of the two: the actions defined in each role, on the devices that role is scoped to.

In the above example, if a helpdesk admin is in both the Windows – Helpdesk Admins and Mobile – Helpdesk Admins groups, they will be able to view both Windows and mobile devices. They will be able to sync and wipe Windows devices as defined in the Windows Helpdesk role, but only sync mobile devices as defined in the Mobile Helpdesk role.
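Because access is the union of every role assignment a user reaches through group membership, the practical check is to resolve a given account's effective Intune access rather than reasoning from one group at a time. The script below is an added example for this page, not code from the original post: it lists every Intune role assignment that a user's transitive group membership matches, resolves the role definition and scope tag names, and flags Azure AD directory roles (Global Administrator, Intune Administrator) that grant full Intune access regardless of these assignments. It assumes the Microsoft.Graph module, a signed-in account with the listed read permissions, and that remote-task action ids follow the Microsoft.Intune_RemoteTasks_* pattern.

```powershell
# Added example (not from the original post): effective Intune access for one user.
# Assumes Microsoft.Graph module; the RemoteTasks id pattern is an assumption to verify.
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All", "DeviceManagementRBAC.Read.All"
$graph = "https://graph.microsoft.com/beta"

function Get-EffectiveIntuneAccess([string]$UserPrincipalName) {
    $user = Get-MgUser -UserId $UserPrincipalName
    # Transitive membership covers nested groups and active directory-role membership.
    $memberOf = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
    $groupIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
                 ForEach-Object { $_.Id })
    # Global Administrator and Intune Administrator bypass Intune RBAC entirely, so any
    # hit here means the helpdesk boundary does not apply to this account.
    $directoryRoles = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                        ForEach-Object { $_.AdditionalProperties['displayName'] })

    # Scope tag ids -> names, so the report reads "Windows" rather than a GUID.
    $tagNames = @{}
    foreach ($t in (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleScopeTags").value) {
        $tagNames[$t.id] = $t.displayName
    }

    $assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments").value
    $hits = foreach ($ra in $assignments) {
        # members holds group ids; keep assignments the user reaches through any group.
        if (@($ra.members | Where-Object { $groupIds -contains $_ }).Count -eq 0) { continue }
        $def = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments/$($ra.id)/roleDefinition"
        $actions = @($def.rolePermissions | ForEach-Object { $_.resourceActions } |
                     ForEach-Object { $_.allowedResourceActions } | Sort-Object -Unique)
        [pscustomobject]@{
            Assignment  = $ra.displayName
            Role        = $def.displayName
            ScopeGroups = @($ra.resourceScopes)
            ScopeTags   = @($ra.roleScopeTagIds | ForEach-Object { $tagNames[$_] })
            RemoteTasks = @($actions | Where-Object { $_ -like "Microsoft.Intune_RemoteTasks_*" })
            ActionCount = $actions.Count
        }
    }

    [pscustomobject]@{
        User           = $user.UserPrincipalName
        DirectoryRoles = $directoryRoles            # anything here is a finding
        Assignments    = @($hits)
        # Union across assignments: what this admin can do somewhere in the tenant.
        AllRemoteTasks = @($hits | ForEach-Object { $_.RemoteTasks } | Sort-Object -Unique)
    }
}

# Usage: an admin in both helpdesk groups shows two assignments, with Wipe appearing
# only under the Windows one; DirectoryRoles should be empty for a helpdesk account.
Get-EffectiveIntuneAccess "helpdesk.user@contoso.com" | Format-List
```

Run this after the configuration and again whenever helpdesk group membership changes; the DirectoryRoles field is the one that most often surprises, since an account added to Intune Administrator "for a quick fix" keeps full access no matter how the custom roles are scoped.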

 

This configuration creates a least-privilege boundary for your Desktop and Mobile Device helpdesk teams to operate in. You are also able to customize their view, so they see only relevant devices, which keeps them productive. And because scope tags are applied through the device groups and roles are assigned through the user groups, no per-device or per-user manual work is required, so the solution scales across your departments. One caveat: users who hold the Global Administrator or Intune Administrator Azure AD role have full Intune access regardless of these assignments, so keep helpdesk accounts out of those roles.

 

We hope this helps you in setting up RBAC for your helpdesk teams in Microsoft Endpoint Manager and enables them to work effectively.

 

If you have any questions on this post, just let us know by commenting back. You can also ask quick questions at @IntuneSuppTeam out on Twitter.
