Overview
With the addition of the Endpoint Central summary server, the scope of the network's endpoints expands significantly. As a result, the IT administrator's major concern is to define and manage the scope of each endpoint in the network. Endpoint Central addresses this concern with its user and role management module.
After the installation of the Endpoint Central Summary Server, the Summary Server Administrator must define the users and their roles in the network.
Role Management
The most commonly used roles are listed under Pre-defined Roles. Under User-defined Roles, you can also create roles that best suit your needs and grant only the access required. Here is a brief description of the pre-defined and user-defined roles, respectively.
Pre-defined roles:
Summary Server Administrator: The Summary Server Administrator role signifies the Super Admin, who exercises full control over all probes and modules. The administrative tasks performed by this administrator affect all the probes of the network. The operations that can be performed are:
Administrator : The administrator role is similar to the Summary Server Administrator role but the scope of the role is reduced to specific probes by default. Although you can specify all the probes individually to a probe administrator, when a new probe is added to the network, the new probe will not be automatically mapped to the probe administrator. It has to be manually mapped by the summary server administrator.
Guest: The Guest Role retains the Read Only permission for all modules. A user who is associated with the Guest Role will have the privilege to scan and view various information about different modules, although making changes is strictly prohibited. The Guest Role also has Read Only permission for viewing MDM inventory details, reports, profiles and Apps of the mobile devices.
Technician: The Technician role has a well-defined set of permissions to do specific operations. Users under the Technician role are restricted from performing all the operations listed under the Admin tab. The operations that can be performed by users associated with the Technician Role include:
Auditor: The Auditor role is specially crafted for auditing purposes. This role lets you grant auditors permission to view the details of software inventory, check for license compliance and have read-only permission for MDM Reports.
Remote Desktop Viewer: The Remote Desktop Viewer Role allows the users associated with it to invoke a remote desktop connection and view details of users who had connected to a particular system.
IT Asset Manager: The IT Asset Manager has complete access to the Asset Management module and all the other features are inaccessible. IT Asset Manager can also view the Inventory details of all the Mobile Devices.
Patch Manager: The Patch Manager role has complete access to the Patch Management module. The Patch Manager also has the privilege to use "Tools", like Wake On LAN, Remote Shutdown and System Manager, and the ability to schedule Patch Reports. All the other modules/features are inaccessible.
Mobile Device Manager: The Mobile Device Manager role has write permission for the Inventory, Reports, Profiles and Apps in the Mobile Device Management module.
OS Deployer: The OS Deployer role gives the associated user the privilege to capture images of Windows OS and deploy them across the network computers.
User-defined roles:
Using Endpoint Central Summary Server, you can create any number of roles and assign them the permissions you want based on your specific needs. These customized roles are classified as User-defined. In the following section, we will briefly explore how to construct a User-defined Role for a better understanding.
Note: Roles can be created only by administrators.
Follow the steps mentioned below to create a new User-defined role:
7. Click Add button.
You have successfully created a user-defined role.
Scope Management
Endpoint Central allows you to set a scope for users, which means you can define the target PCs that can be mapped to each user. By restricting the user's authorization to a specified set of computers, you can be confident that the user has enough permission to do their tasks, but not so much that it can be misused. The addition of the summary server allows an additional layer of scope definition.
Probe Scope
The target that you define as the scope can be one of the following:
All computers
When the target is set to 'All Computers,' the user will be able to execute all the privileges defined in the role on all computers. Although the scope includes all computers, the authorization level is defined solely by the role to which the user is assigned.
Unique Custom Groups
You can establish custom groups for administration purposes and assign them to users. The custom groups you create should be distinct, such that no machine can be a member of more than one custom group. These are computer-based custom groups that are built for user administration.
Remote Offices
You can define the scope for the users by creating specialized remote offices or by using existing remote offices. Multiple users can handle the same remote offices. Similarly, several remote offices can be mapped to the same user; however, a combination of remote offices and unique groups cannot be included in the scope.
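The scope rules above can be checked before a scope is assigned to a user. The following is an added example, not Endpoint Central code or its API: it models the three target types over a constructed inventory, and every group, office and computer name, as well as the `scope` dictionary layout, is an assumption made for illustration.

```python
from collections import defaultdict

# Constructed inventory; every group, office and computer name is hypothetical.
INVENTORY = {f"pc-{n:02d}" for n in range(1, 9)}
CUSTOM_GROUPS = {
    "grp-finance": {"pc-01", "pc-02"},
    "grp-hr": {"pc-03"},
    "grp-kiosk": {"pc-02", "pc-04"},  # pc-02 is also in grp-finance
}
REMOTE_OFFICES = {"office-a": {"pc-05", "pc-06"}, "office-b": {"pc-07"}}


def shared_computers(groups):
    """Map each computer that sits in more than one custom group to those groups."""
    membership = defaultdict(list)
    for name, members in groups.items():
        for computer in members:
            membership[computer].append(name)
    return {c: sorted(g) for c, g in membership.items() if len(g) > 1}


def check_scope(scope, groups=CUSTOM_GROUPS, offices=REMOTE_OFFICES):
    """Return (problems, computers) for one user's scope definition."""
    if scope.get("all_computers"):
        # 'All computers': the role alone decides what the user may do.
        return [], set(INVENTORY)
    picked_groups = scope.get("custom_groups", [])
    picked_offices = scope.get("remote_offices", [])
    problems = []
    if picked_groups and picked_offices:
        problems.append("remote offices and unique groups combined in one scope")
    for kind, picked, known in (("custom group", picked_groups, groups),
                                ("remote office", picked_offices, offices)):
        problems += [f"unknown {kind}: {n}" for n in picked if n not in known]
    # A group used for scoping must not share any machine with another group.
    for computer, owners in sorted(shared_computers(groups).items()):
        if set(owners) & set(picked_groups):
            problems.append(f"{computer} is in several groups: {', '.join(owners)}")
    computers = set()
    for name in picked_groups:
        computers |= groups.get(name, set())
    for name in picked_offices:
        computers |= offices.get(name, set())
    return problems, computers
```

An empty problem list means the scope follows the rules in this section; the returned set is the list of computers to review against the user's role before saving.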
User Management
How to create a new user?
A new user can only be created in the all probes scope by the summary server administrator. A probe administrator cannot create new users but can view the user information in read-only mode.
Follow the steps below to create a user:
Specify the devices to be managed for enabling modern management capabilities for the user.
You have successfully created a user and associated a role with the user, along with the scope of the probes that need to be managed.
How to modify a user?
A user can only be modified in the all probes view by the administrator. Follow the steps below to modify a user:
Login to Endpoint Central Summary Server as summary server administrator.
Select the all probes scope in the drop down. Navigate to Admin tab > under Global Settings > User Administration.
The list of users will be displayed. Against one particular user, under the Action column, choose Modify User.
How to delete a user?
At times when you find a user's contribution obsolete, you can go ahead and delete the user from the User List. The deleted user will not be able to login to the Endpoint Central Summary Server.
Secure Authentication:
Endpoint Central's Secure Authentication feature allows users to ensure security by enabling two factor authentication and enforcing a password policy. Secure authentication modules can be configured only from the summary server's all probes view, and the configured settings apply to all probes in the network. The applied configurations will be visible in read-only mode for the probe administrator.
How to enable two factor authentication:
Login to Endpoint Central as summary server administrator.
Select the admin tab, click user administration under global settings. This opens the global administration page.
Navigate to the secure authentication tab and open the Two Factor Authentication tab.
Click on enable under the authentication field and choose the preferred mode of authentication. There are two modes of authentication:
Click Save.
How to create a password policy:
Note: The configured password policy applies only when a user changes their password after the policy has been configured. Existing passwords need not be in line with the configured password policy.