Limited Help Desk access to specific mobile devices

Patch 21 Reputation points
2022-07-26T17:46:57.253+00:00

We have several help desk or in-house administrators or local HR staff to whom we would like to provide limited access for managing mobile devices. The goal would be to give pin reset and device set access, but only for their specific site.

From what I have found so far, there doesn't seem to be a way to limit access to specific devices through Intune. Basically, we only want them to have access to their own site's devices.

Any suggestions on how best to handle this, outside of building a separate UI and handling permissions externally? That seems like an error-prone way to approach it.


Accepted answer
  1. Lu Dai-MSFT 28,361 Reputation points
    2022-07-27T03:59:44.243+00:00

    @BenHorbul-0927 Thanks for posting in our Q&A.

    For this issue, it is suggested that you create a custom role and give it the permissions you want.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/create-custom-role

    Then we can add a user group under Members, add a device group under Scope (Groups) and add scope tags in this role assignment.
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control#role-assignments

    User group: (screenshot)

    Device group: (screenshot)

    Scope tag: (screenshot)

    Assignments under this custom role: (screenshot)

    When I signed in to the Intune portal as a target user included in the user group, I could only see the devices included in the device group. (screenshot)

    What did you mean by "pin reset"? Is it the "Passcode reset" action we can see in the Intune portal? If so, please set "Passcode reset" to "Yes" in the custom role. However, not all devices support passcode reset. For more details, please refer to the following article:
    https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-passcode-reset

    Hope it will help.



    1 person found this answer helpful.
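The procedure in the accepted answer (custom role, then a role assignment with a user group under Members, a device group under Scope (Groups) and a scope tag under Scope (Tags)), written out as an added example with Microsoft Graph PowerShell. This is not code from the thread or from Microsoft; it assumes the beta Graph endpoint, the `roleDefinition@odata.bind` binding on the assignment, placeholder names prefixed "Site A", and that the two needed permissions can be matched by the patterns `_ManagedDevices_Read` and `_RemoteTasks_ResetPasscode`, which the script resolves against the tenant's built-in Help Desk Operator role instead of trusting the spelling. The role definition's own Scope Tags is left at Default, since that setting governs who can see and edit the role definition, not which devices the assignees can act on; the device restriction comes entirely from the assignment.

```powershell
# Added example (not from the original thread): build the site-scoped help desk role
# described in the accepted answer with Microsoft Graph PowerShell.
# Assumptions: the beta Graph endpoint, the 'roleDefinition@odata.bind' binding,
# the 'Site A ...' placeholder names, and the two action-name patterns below.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All'

$graph = 'https://graph.microsoft.com/beta'

# Placeholders: replace with your own group, tag and role names.
$memberGroupName = 'Site A Help Desk'   # Entra ID group of the site's help desk staff -> Members
$scopeGroupName  = 'Site A Devices'     # Entra ID group of the site's devices         -> Scope (Groups)
$scopeTagName    = 'Site A'             # Intune scope tag carried by that site's devices -> Scope (Tags)
$roleName        = 'Site Help Desk Operator'
# Assumed action-name patterns; resolved against the tenant's built-in role below.
$wantedPattern   = '_ManagedDevices_Read$|_RemoteTasks_ResetPasscode$'

function Get-GroupId([string]$name) {
    $safe = $name.Replace("'", "''")    # escape quotes for the OData filter
    $r = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups?`$filter=displayName eq '$safe'&`$select=id"
    if (@($r.value).Count -ne 1) { throw "Expected exactly one group named '$name', found $(@($r.value).Count)" }
    return $r.value[0].id
}

# 1. Take the exact action strings from the built-in Help Desk Operator role rather than
#    typing them by hand; a misspelt action would silently produce a role with no rights.
$builtIn = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions").value |
    Where-Object { $_.isBuiltIn -and $_.displayName -eq 'Help Desk Operator' } | Select-Object -First 1
if (-not $builtIn) { throw 'Built-in Help Desk Operator role not found' }
$actions = @($builtIn.rolePermissions | ForEach-Object { $_.resourceActions } |
    ForEach-Object { $_.allowedResourceActions } | Where-Object { $_ -match $wantedPattern })
if ($actions.Count -lt 2) { throw "Could not resolve both actions; matched: $($actions -join ', ')" }

# 2. Custom role with only the permissions the site staff need. roleScopeTagIds on the role
#    itself is left at its default; that tag controls who may see and edit the role definition,
#    not which devices the assignees can act on.
$roleBody = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = $roleName
    description     = 'Read managed devices and reset passcodes; restricted per site through assignments'
    isBuiltIn       = $false
    rolePermissions = @(@{ resourceActions = @(@{ allowedResourceActions = $actions; notAllowedResourceActions = @() }) })
}
$role = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleDefinitions" -Body $roleBody

# 3. Assignment: Members = who holds the role, Scope (Groups) = which devices they may act on,
#    Scope (Tags) = which tagged objects they can see. One assignment per site reuses the same role.
$tag = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleScopeTags").value |
    Where-Object { $_.displayName -eq $scopeTagName } | Select-Object -First 1
if (-not $tag) { throw "Scope tag '$scopeTagName' not found" }

$assignBody = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = "$roleName - $scopeTagName"
    'roleDefinition@odata.bind' = "$graph/deviceManagement/roleDefinitions/$($role.id)"
    members                     = @((Get-GroupId $memberGroupName))
    resourceScopes              = @((Get-GroupId $scopeGroupName))
    roleScopeTagIds             = @($tag.id)
}
$assignment = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" -Body $assignBody

# 4. Read the assignment back; then, as the answer did, sign in as a member of the Members
#    group and confirm Devices lists only the Scope (Groups) devices and offers Reset passcode.
Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments/$($assignment.id)" -OutputType PSObject |
    Select-Object displayName, members, resourceScopes, roleScopeTagIds
```

Two checks are worth doing before handing this to a site. First, the scope tag only narrows what the assignees can see for objects that actually carry the tag, so the "Site A" tag must also be assigned to the Site A device group (Tenant administration, Roles, Scope (Tags), the tag's Assignments); devices with only the Default tag will not be visible to the scoped operators. Second, passcode reset is not available on every platform, as the answer notes, so test the action on a device of each OS the site manages rather than only confirming the permission is present.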

1 additional answer

  1. Patch 21 Reputation points
    2022-07-27T17:10:28.823+00:00

    Thank you for the detailed answer.

    I did mean Passcode Reset, but the terminology varies depending on whether you are talking from the administration side or from the device side.

    I would like to clarify, as we have had some difficulty in the past and we don't want this to hinder our existing administrators. When creating the custom role, I have two menus: Properties and Assignments.

    Under the Custom Role's Properties, I have Basics, Permissions and Scope Tags headings.
    Under Assignments, I only see the Assign option, where, when assigning, I create a new role assignment title to which I can assign groups and tags. This UI matches your "Assignments under this custom role" section for Help desk operator test, with a subtitled assignment of "Help Desk". This section makes sense.

    My question is about the role itself, which in your case is "Help desk operator test": should its Scope Tag also be left as Default? Am I correct that the Role => Properties => Scope Tags section is for limiting edit access to the scope itself and should not be assigned the tag created earlier?