Using the Restricted Actions settings page, you can configure the security-minded settings related to the actions that Workspace ONE UEM administrators can perform in the Workspace ONE UEM console.
What can you do with the Restricted Actions settings page?
The path to the settings page on the UEM console is .
- Activate the setting that allows admins to message every device in the environment or a specific group of devices.
- Enforce a PIN requirement for specific actions, meaning the admin must enter a security PIN before performing them.
- Require the admin to enter a note explaining the reason before performing an action.
Determine your Organization group hierarchy
Before you review and modify the settings, understand the two types of inheritance/override options for the organization group hierarchy available at the top and bottom of the settings page and determine your choice. For more information about these settings, see Override Versus Inherit Setting for Organization Groups.
- Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
- Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.
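As an added illustration (not Workspace ONE UEM's own code), the following Python model shows how Current Setting and Child Permission interact across a constructed three-level hierarchy: a child OG resolves its effective settings from the nearest ancestor that overrides, and a parent's Child Permission constrains what its children may choose. The OG names and setting keys are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the Current Setting / Child Permission semantics described
# on this page. It illustrates the rules; it is not Workspace ONE UEM code.
INHERIT, OVERRIDE = "Inherit", "Override"
INHERIT_ONLY, OVERRIDE_ONLY, INHERIT_OR_OVERRIDE = (
    "Inherit only", "Override only", "Inherit or Override")


@dataclass
class OrgGroup:
    name: str
    parent: Optional["OrgGroup"] = None
    current_setting: str = INHERIT            # Inherit or Override
    child_permission: str = INHERIT_OR_OVERRIDE
    local_settings: dict = field(default_factory=dict)  # used only when overriding

    def validate(self) -> None:
        """Reject a Current Setting that the parent's Child Permission forbids."""
        if self.parent is None:
            return  # the top-level OG has nothing to inherit; its own settings apply
        allowed = self.parent.child_permission
        if allowed == INHERIT_ONLY and self.current_setting == OVERRIDE:
            raise ValueError(f"{self.name}: parent {self.parent.name} allows Inherit only")
        if allowed == OVERRIDE_ONLY and self.current_setting == INHERIT:
            raise ValueError(f"{self.name}: parent {self.parent.name} requires Override")

    def effective_settings(self) -> dict:
        """Walk up the hierarchy to the nearest OG that overrides (or the top)."""
        og = self
        while og.current_setting == INHERIT and og.parent is not None:
            og = og.parent
        return dict(og.local_settings)


def demo() -> dict:
    """Constructed three-level hierarchy: Global > Corporate > Retail."""
    glob = OrgGroup("Global", current_setting=OVERRIDE,
                    local_settings={"Device Wipe PIN": False, "Max invalid PIN attempts": 3})
    corp = OrgGroup("Corporate", parent=glob, current_setting=OVERRIDE,
                    child_permission=INHERIT_ONLY,
                    local_settings={"Device Wipe PIN": True, "Max invalid PIN attempts": 2})
    retail = OrgGroup("Retail", parent=corp)  # Inherit: Corporate's settings apply
    for og in (glob, corp, retail):
        og.validate()
    return {og.name: og.effective_settings() for og in (glob, corp, retail)}
```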
Send Message to All
- Enabled – Activate this setting to allow a System Administrator to send a message to all devices in your deployment from the Device List View.
Password Protect Admins
You can require admins to enter a PIN before performing certain actions. For each action you want to protect, set its Password Protect Actions toggle to Enabled or Disabled. This gives you granular control over which actions you want to make more secure.
You can set the maximum number of failed attempts the system accepts before it automatically logs out the session. If that number of attempts is reached, you must log in to the Workspace ONE UEM console again and set a new security PIN.
Setting | Description
---|---
Admin Account Delete | Prevents the deletion of an admin user account in .
Admin Password Change | Prevents the changing of an admin password, which is done by selecting the admin username in the upper-right corner of the console toolbar, selecting Manage Account Settings, and then the Password tab.
*Regenerate VMware Enterprise Systems Connector Certificate | Prevents the regeneration of the VMware Enterprise Systems Connector certificate in .
*APNs Certificate Change | Prevents the disabling of APNs for MDM in .
Application Delete/Deactivate/Retire | Prevents the deletion, deactivation, or retirement of an application in .
Content Delete/Deactivate | Prevents the deletion or deactivation of a content file in .
*Data Encryption Toggle | Prevents toggling the Encryption of user information setting in .
Device Delete | Prevents the deletion of a device in . An admin security PIN is still required for bulk actions even when this setting is disabled.
*Device Wipe | Prevents any attempt to perform a device wipe from the Device List View or Device Details screens.
Enterprise Reset | Prevents any attempt to perform an enterprise reset on a device from the Device Details page of a Windows Rugged, Rugged Android, or QNX device.
Enterprise Wipe | Prevents any attempt to perform an enterprise wipe on a device from the Device Details page of a device.
Enterprise Wipe (Based on User Group Membership) | Prevents any attempt to perform an enterprise wipe on a device when it is removed from a user group. This is an optional setting that you can configure on the Restrictions tab. If you Restrict Enrollment to Configured Groups on that tab, you also have the option of performing an enterprise wipe on a device when it is removed from a group.
*Organization Group Delete | Prevents any attempt to delete the current organization group from .
Profile Delete/Deactivate | Prevents any attempt to delete or deactivate a profile from .
Provisioning Product Delete | Prevents any attempt to delete a provisioning product from .
Provisioning Product (New) Delete | Prevents any attempt to delete a newly created product from .
Revoke Certificate | Prevents any attempt to revoke a certificate from .
*Secure Channel Certificate Clear | Protects against any attempt to clear an existing secure channel certificate from .
User Account Delete | Prevents any attempt to delete a user account from .
Change in Privacy Settings | Prevents any attempt to alter the privacy settings in .
Delete Telecom Plan | Prevents the deletion of a telecom plan in .
Override Job Log Level | Prevents attempts to override the currently selected job log level from . Overriding the job log level is useful when a device or group of devices has an issue: the admin can force an elevated log level of Verbose, which logs the maximum level of console activity and is ideal for troubleshooting.
*App Scan Vendor Reset/Toggle | Prevents the resetting (and subsequent wiping) of your app scan integration settings. This action is performed in .
Reboot Device | Prevents any attempt to reboot the device in .
Shut Down | Prevents any attempt to shut down the device in .
Delete Workspace ONE Access Configuration | Prevents the deletion of a Workspace ONE Access configuration, which you perform by navigating to .
Delete REST API Key | Prevents the deletion of REST API keys, performed by navigating to and selecting the X at the far right of a key's listing.
*Force Bios Password Reset | Prevents the forced BIOS password reset to a new auto-generated password on Windows 10 devices.
Maximum invalid PIN attempts | Defines the maximum number of invalid attempts at entering a PIN before the console locks down. This setting must be between 1 and 5.
Required Notes for Action
You can also use the Require Notes check box to require admins to enter a note explaining their reasoning when performing the following actions.
Setting | Description
---|---
Lock Device | Require a note for any attempt to lock a device from Device List View or Device Details.
Lock SSO | Require a note for any attempt to lock an SSO session from Device List View or Device Details.
Device Wipe | Require a note for any attempt to perform a device wipe from Device List View or Device Details.
Enterprise Reset | Require a note for any attempt to enterprise reset a device from the Device Details page of a Windows Rugged or Rugged Android device.
Enterprise Wipe | Require a note for any attempt to perform an enterprise wipe from Device Details.
Override Job Log Level | Require a note before attempts to override the default job log level from .
Reboot Device | Require a note before a reboot attempt from .
Shut Down | Require a note before a shut down attempt from .
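As an added example (not Workspace ONE UEM's own code), this Python model ties the Password Protect Admins and Required Notes for Action sections together: a Maximum invalid PIN attempts value bounded to 1 through 5, a lockout that clears only once a new PIN is set, the Require Notes check, and the page's caveat that bulk Device Delete still requires the PIN when its toggle is Disabled. The salted PIN hashing and the order in which the checks run are assumptions of the model, not documented console behaviour.

```python
import hashlib
import hmac
import os

# Constructed model of the Password Protect / Required Notes gate described on
# this page. It illustrates the rules; it is not Workspace ONE UEM code.
class RestrictedActionGate:
    ALWAYS_PIN_FOR_BULK = frozenset({"Device Delete"})  # bulk delete needs PIN even if toggle is Disabled

    def __init__(self, pin, max_invalid_attempts, pin_protected, note_required):
        if not 1 <= max_invalid_attempts <= 5:
            raise ValueError("Maximum invalid PIN attempts must be between 1 and 5")
        self.max_invalid = max_invalid_attempts
        self.pin_protected = frozenset(pin_protected)  # actions with Password Protect Enabled
        self.note_required = frozenset(note_required)  # actions with Require Notes checked
        self.failed = 0
        self.locked = False
        self._set_pin(pin)

    def _set_pin(self, pin):
        # Keep only a salted PBKDF2 digest of the PIN, never the PIN itself (assumption).
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def _pin_ok(self, pin):
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)
        return hmac.compare_digest(self._digest, candidate)  # constant-time compare

    def perform(self, action, pin=None, note=None, bulk=False):
        """Return 'performed', or the reason the action was refused."""
        if self.locked:
            return "locked"
        if action in self.note_required and not (note and note.strip()):
            return "note required"
        needs_pin = action in self.pin_protected or (bulk and action in self.ALWAYS_PIN_FOR_BULK)
        if needs_pin:
            if pin is None or not self._pin_ok(pin):
                self.failed += 1
                if self.failed >= self.max_invalid:
                    self.locked = True  # session is logged out; a new PIN must be set
                    return "locked"
                return "invalid pin"
            self.failed = 0
        return "performed"

    def reset_pin(self, new_pin):  # after re-login the admin sets a new security PIN
        self._set_pin(new_pin)
        self.failed = 0
        self.locked = False
```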