How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific Functions

You can make a custom role that allows a help desk admin to do only the things in Workspace ONE UEM that you allow them to do. Learn how accounts, roles, and programmable permissions all work together to get you where you need to go.

You must have an existing administrator account. This use case makes a custom role based on the “help desk” role, included with Workspace ONE UEM, and assigns it to your admin account.

Use Case: You need dedicated help desk resources to shoulder the task of adding users and devices without impacting your other administrators. These admins must also allowlist and denylist devices. At the same time, limiting the points of access to higher console abilities is crucial. You want to add a handful of admin accounts and give these accounts the ability to add users and devices, allowlist and denylist devices, and nothing else.

The role being made in this use case is outfitted with just a handful of console functions: adding users and devices, and allowlisting and denylisting devices. This role prohibits all other functions in Workspace ONE UEM.

Click this link to watch a video companion to this use case.

How to Create Restrictive Help Desk Admin Role (Right-click and select Open Link in New Tab)

  1. Navigate to Accounts > Administrators > Roles.

    The full listing of Administrator Roles displays.

  2. Enter the keyword ‘help’ in the search text box in the upper-right corner of the screen.

    All roles containing the text string ‘help’ display in the listing.

  3. Select the Help Desk role by selecting the check box to the left of the role name.

    A new button cluster appears under the main button cluster.

  4. Select the Copy button.

    The Copy Role screen displays.

  5. Enter the Name and Description for your custom help desk role.

  6. Select the orange pie chart to the right of the All category on the left side of the Copy Role screen. Select None from the Choose Edit Mode popup that displays.

    Figure: partial screenshot of the Administrator Roles screen, showing how you can alter all permissions in a subcategory by selecting the orange pie chart and choosing between None, Read, and Edit.

    This action removes all permissions from this custom help desk role, giving you a clean slate. So the only permissions these admins have are the ones you give them here.

  7. Enable the following ten permissions. You can find the location of each permission check box by following the category, subcategory, and permission name from the table.

    Remember also that you can type the permission name in the Search Resources text box and jump directly to its location. For best search results, you should have the All category selected from the left side panel before entering your search keywords.

    Category > Subcategories                | Permission Name (check box type)
    Accounts > Users > Accounts             | User Accounts Add Device (Edit)
    Accounts > Users > Accounts             | User Registration Edit (Edit)
    Accounts > Users > Accounts             | User Accounts Add (Edit)
    Accounts > Users > Accounts             | User Accounts Edit (Edit)
    Accounts > Users > Accounts             | User Registration (Read)
    Device Management > Devices List View   | Device List View Access (Read)
    Device Management > Devices List View   | Devices (Read)
    Settings > Devices & Users > General    | Enrollment Restrictions edit (Edit)
    Settings > Devices & Users > General    | Add Denied Devices (Edit)
    Settings > Devices & Users > General    | Add Allowed Devices (Edit)

    Starting at the top of the table, here is a walkthrough of the first five permissions as an example. The first permission name we need (called User Accounts Add Device) can be found in the Copy Role screen by selecting the “Accounts” category from the left panel.

    In the same left panel, select the “Users” subcategory and lastly, select “Accounts” which is under Users. You can now see all the permissions in the right panel of the Copy Role screen.

    In this “Accounts > Users > Accounts” subcategory, there are five check boxes we are interested in for this role.

    1 & 2) Select the Details link for “Add Device” to see the first two permissions in our list: “User Accounts Add Device” and “User Registration Edit”. Select the Edit check boxes for each.

    3 & 4) Select the Details link in “Add/Edit” to reveal two more permissions from the list, “User Accounts Add” and “User Accounts Edit”, and as before, select the Edit check boxes for each.

    5) One permission from this subcategory remains, called “User Registration” and it is found by selecting the Details link for “View”. It gets the Read check box.

    Follow the same process for the remaining five permissions in the table, starting with “Device List View Access”.

  8. Select Save to finalize the custom help desk role definition.

  9. Assign this custom role to your existing administrator account by navigating to Accounts > Administrators > List View and locating your administrator account in the listing.

  10. Select the Edit icon (a grey pencil) to the left of your admin account.

    The Add/Edit Admin screen displays.

  11. Select the Roles tab.

  12. Assign the custom help desk role to the administrator account.

    This use case dictates that only nine UEM Console functions are assigned to your administrator role. Despite this, you can add this custom help desk role and other roles to your admin account, even if your admin account already has one or more roles assigned to it.

  13. Select Save to finalize the role assignment.

When administrators with only this custom help desk role log in to your Workspace ONE UEM environment, the only functions they have access to are those behind the Add button, from which they can select only two choices: Device and User. They also have access to the Devices main menu button, which includes List View and Lifecycle > Enrollment Status, which is where you add allowlisted and denylisted devices.
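
To confirm that a saved role holds only what the step 7 table lists, the check below compares a role's granted permissions with that table and reports anything extra, elevated, or missing. It is an added example, not code from Workspace ONE UEM or its documentation; the input record format (category, name, level) and the sample entries are assumptions constructed for illustration, for instance permissions transcribed by hand from the role screen.

```python
LEVELS = {"None": 0, "Read": 1, "Edit": 2}

# (category path, permission name) -> check box type, copied from the step 7 table.
BASELINE = {
    ("Accounts > Users > Accounts", "User Accounts Add Device"): "Edit",
    ("Accounts > Users > Accounts", "User Registration Edit"): "Edit",
    ("Accounts > Users > Accounts", "User Accounts Add"): "Edit",
    ("Accounts > Users > Accounts", "User Accounts Edit"): "Edit",
    ("Accounts > Users > Accounts", "User Registration"): "Read",
    ("Device Management > Devices List View", "Device List View Access"): "Read",
    ("Device Management > Devices List View", "Devices"): "Read",
    ("Settings > Devices & Users > General", "Enrollment Restrictions edit"): "Edit",
    ("Settings > Devices & Users > General", "Add Denied Devices"): "Edit",
    ("Settings > Devices & Users > General", "Add Allowed Devices"): "Edit",
}

def audit_role(granted):
    """Return unexpected, elevated and missing permissions relative to BASELINE."""
    effective = {}
    for p in granted:  # hypothetical record format: category / name / level
        key = (p["category"].strip(), p["name"].strip())
        level = p["level"].strip().capitalize()
        if level not in LEVELS:
            raise ValueError(f"unknown level {p['level']!r} for {key}")
        # A permission listed twice counts at its highest level; None grants nothing.
        if LEVELS[level] > LEVELS[effective.get(key, "None")]:
            effective[key] = level
    findings = {"unexpected": [], "elevated": [], "missing": []}
    for key, level in sorted(effective.items()):
        if key not in BASELINE:
            findings["unexpected"].append((key, level))
        elif LEVELS[level] > LEVELS[BASELINE[key]]:
            findings["elevated"].append((key, level))
    for key, want in BASELINE.items():
        if LEVELS[effective.get(key, "None")] < LEVELS[want]:
            findings["missing"].append((key, want))
    return findings

# Constructed sample: the baseline minus one permission, one Read raised to
# Edit, and one placeholder permission that is not in the table.
SAMPLE = [{"category": c, "name": n, "level": lvl}
          for (c, n), lvl in BASELINE.items() if n != "Add Allowed Devices"]
SAMPLE += [
    {"category": "Accounts > Users > Accounts", "name": "User Registration", "level": "edit"},
    {"category": "Example Category > Example Subcategory", "name": "Example Extra Permission", "level": "Read"},
]

if __name__ == "__main__":
    for kind, items in audit_role(SAMPLE).items():
        print(kind, items)
```

An empty result in all three lists means the role matches the table exactly; any entry under unexpected or elevated is access the use case did not intend to grant.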
