8 Replies Latest reply on May 7, 2013 1:04 AM by warwickjames

    Custom roles within EMM?



      I need to be able to assign permissions to our service desk, to allow them to add and delete users within the 'authorised users' tab of the console.


      But the only role that allows this is 'System Administrators', which would mean I'm giving service desk staff WAY too much permission, and they can modify policy, settings, and generally break EMM.


      Is there something I'm missing? Is there a way to define a custom group role, so I can assign it to a group the same way the built-in ones are done?




      Running v10.1, proxyX2 and hubX1.

        • 1. Re: Custom roles within EMM?

          Unfortunately there is not a way to define a custom group. The four roles listed under console users are not able to be altered or customized. You can always add a specific user and assign them system administrators rights in the console. Keep in mind that you cannot edit the local user account listed under console access. You will have to delete and recreate them and select the role.

          1 of 1 people found this helpful
          • 2. Re: Custom roles within EMM?

            That's what I've found. I think the lack of this functionality is a real MISS for the EMM product. Every other product on the market has the permissions granularity to do this. Why not EMM?


            They've gone to the bother of listing all the roles and have ticks against them, depending upon the role. Why not go that extra length and allow editing of ticks, and having a save button? Geez.


            So, as it stands, only the System Administrator aka EMM root can add named users to use the product.


            We've enabled OTP, and to do this, the user MUST be defined within EMM PRIOR to them registering their device. Previously, it was just managed by group membership within AD, but you cannot define an OTP using that method.


            This side product has been very very poorly thought out. Minus points to McAfee.


            I bet it can be edited within the SQL tables, much like the SMS providers. I'll take a look there. Shouldn't have to though.

            1 of 1 people found this helpful
            • 3. Re: Custom roles within EMM?

              Would your user happen to be in a different domain than the EMM server?


              We had an issue that we could set token for users in the same domain as the Authorized Users group but not users that were in a different domain. For the Update Token to work properly the user and group must be in the same domain.

              • 4. Re: Custom roles within EMM?



                We have received feedback from customers about the lack of flexibility with user roles and such. This is actually a fix we are targeting for EMM in a future release when it fully integrates with ePO. When this happens you will actually create the different EMM admin users in ePO and assign different roles based on built-in or custom permission sets. With the upcoming release of EMM11 (targeted for Early Q2) you will still have to have a System Admin role in ePO to be able to add authorized users to EMM because the integration with ePO is partial and there will be features that will still be handled on the EMM Hub and EMM database. It is not until the next version later this year (ETA is still TBD) that will allow you to customize the user roles even more in ePO so that you accomplish exactly what you are describing above.


                I would strongly discourage you from making any changes to the user roles or any other table in the database without consulting support first. Any changes that are made that are not properly tested by McAfee can make your system unstable and unsupported.





                • 5. Re: Custom roles within EMM?

                  Hi! No, same domain. Before OTP, we just used AD group membership to validate or authorise the registration of devices. But we found people were registering both their iPad AND iPhone, and only requesting one license. This of course is a problem.


                  So we first implemented OTP, and that's fine for users already in the system, but for new users, they'd have to be added to the 'authorised users' tab, otherwise there is nowhere to create an OTP! McAfee didn't think that through did they?


                  And on top of that, the ONLY user/group that can add users to this tab is the system administrators... aka root-level access.

                  • 6. Re: Custom roles within EMM?

                    What are the actual features of EMM11? Is there a Beta I can join, like I did for 10?

                    • 7. Re: Custom roles within EMM?



                      Look out for a public beta announcement around early to mid April. If you were part of the EMM 10.0 beta you will automatically receive the notification.





                      • 8. Re: Custom roles within EMM?

                        Any word on the beta announcement? I notice the beta site has been up since December 2012...