There are several default roles already provided by Workspace ONE UEM powered by AirWatch from which you can select. These default roles are available with every upgrade and help quickly assign roles to new users. If you require further customization, you can create custom roles to tailor the user privileges and permissions further.

Unlike default roles, custom roles require manual updates with every Workspace ONE UEM upgrade.

Each type of role includes inherent advantages and disadvantages. Default Roles save time in configuring a brand new role from scratch, logically suit various administrative privileges, and automatically update alongside new features and settings. However, Default Roles might not be a precise fit for your organization or MDM deployment, which is why Custom Roles were created.

Default End-User Roles

Roles are available by default to end users in the Unified Endpoint Management Console.

  • Full Access Role – Provides full permission to perform all the tasks on the Self-Service Portal.
  • Basic Access Role – Provides all permissions except MDM commands from the Self-Service Portal.

Custom Roles allow you to customize as many unique roles as you require, and to tweak large or small changes across different users and administrators. However, Custom Roles must be manually maintained over time and updated with new features.

Edit a Default End-User Role to Create a Custom User Role

If none of the available default roles provide the proper fit for your organization, consider modifying an existing user role and creating a custom user role.

Create a custom end-user role by editing a default role included with the UEM console.

  1. Ensure that you are currently in the organization group you want the new role to be associated with.
  2. Navigate to Accounts > Users > Roles.
  3. Determine which role from the list best fits the role you want to create. Then edit that role by selecting the edit icon (The edit icon is shaped like a gray pencil.) to the far right. The Add/Edit Role page displays.
  4. Edit the Name, Description, and Initial Landing Page text boxes as necessary. Review each of the check boxes. These options represent the various permissions, selecting and deselecting those options as necessary.
  5. Select Save to save your changes, overwriting the prior settings of the role in favor of the new settings.

Default Administrator Roles

The following roles are available by default to administrators in the Workspace ONE UEM console.

Use the Admin Role Compare tool to compare the specific permissions of two admin roles. For more information, see Create Administrator Role.

Role Description
System Administrator

The System Administrator role provides complete access to a Workspace ONE UEM environment. This role includes access to the Password and Security settings, Session Management, and UEM console audit information. This information is located the Administration tab under System Configuration.

This role is limited to environment managers, for example, SaaS Operations teams for all SaaS environments hosted by VMware.

AirWatch Administrator

The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings.

This role is limited to VMware employees with access to environments for troubleshooting, installation, and configuration purposes.

Console Administrator The Console Administrator role is the default admin role for shared SaaS environments. The role features limited functionality surrounding compliance policy attributes, report authoring, and organization group selection.
Device Manager

The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD)/Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), Agents, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator.

Report Viewer

The Report Viewer role allows viewing of the data captured through Mobile Device Management (MDM). This role limits its users to generating, viewing, exporting, and subscribing to reports from the UEM console.

Content Management

The Content Management role only includes access to VMware Content Locker management. Use this role for specialized administrators responsible for uploading and managing a device content.

Application Management

The Application Management role allows admins with this access to deploy and manage the device fleet's internal and public apps. Use this role for an application management administrator.

Help Desk

The Help Desk role provides the tools necessary for most Level 1 IT Help Desk functions. The primary tool available in this role is the ability to see and respond to device info with remote actions. However, this role also contains report viewing and device searching abilities.

App Catalog Only Administrator The App Catalog Only Admin role has much the same permissions as Application Management. Added to these permissions are abilities to add and maintain admin and user accounts, admin and user groups, device details, and tags.
Read Only

The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators.

Horizon Administrator The Horizon Administrator role is a specially designed set of permissions for complementing a Workspace ONE UEM configuration integrated with VMware Horizon View.
NSX Administrator The NSX Administrator role is a specially designed set of permissions intended to complement VMware NSX integrated with Workspace ONE UEM. This role offers the full complement of system and certificate management permissions, allowing administrators to bridge endpoint security with data center security.
Privacy Officer The Privacy Officer role provides read access to Monitor Overview, Device List View, View system settings, and full edit permissions for privacy settings.

Edit a Default Admin Role to Create a Custom Admin Role

If the available default roles provide no proper fit for admin resources in your organization, consider modifying an existing default role into a custom admin role.

Create a custom administrator role by editing a default role included with the UEM console.

  1. Ensure that you are currently in the organization group with which you want the new role to be associated.
  2. Navigate to Accounts > Administrators > Roles.
  3. Determine which role from the list best fits the role you want to create. Select the check box for that role.
  4. Select Copy from the actions menu above the listing. The Copy Role page displays.
  5. Edit specific settings of the copy in the resulting Copy Role page. Create a unique Name and Description for the customized role.
  6. Select Save.

What to do next: For more information, see Create Administrator Role.