General Permissions

The general permissions of a user management entity (user, group, or role) determine the entity's level of access and control within the SOTI MobiControl console. Administrators can edit general permissions. If neither Allow nor Deny is explicitly set for a permission, it defaults to Deny.

When changing permissions for roles, you can select Allow or Deny for any permission on the list. Permission checkboxes are blue when selected and gray when cleared.

Users and groups inherit permissions from their assigned roles. The inherited Allow and Deny options display as solid blue squares. Selecting Allow or Deny for a permission removes inheritance from roles. Checkboxes for an explicitly selected (not inherited) permission display as a blue check mark. Unselected checkboxes display a gray square contour.

Note: The permissions are hierarchical and visually communicated by multi-level indentations in the permission list. When you edit a permission, the change automatically affects permissions hierarchically related to the edited one. The permission list shown on the page reflects the change.
MobiControl Access Allow or deny access to SOTI MobiControl permissions
Options:
  • Allow—This permission and those below it are initially set to Allow.
  • Deny—This permission and those below it are initially set to Deny and disabled.
Web Console Access Allow or deny access to the SOTI MobiControl console.
Configure Devices/Device Groups Allow or deny users the ability to add, remove or edit device groups.
View Rules Allow or deny users the ability to view the Rules tab.
Options:
  • Allow—Rules below it are initially set to Allow.
  • Deny—Rules below it are initially set to Deny and disabled.
Manage Add Devices Rules Allow or deny users the ability to manage add devices rules.
Manage Device Relocation Rules Allow or deny users the ability to manage device relocation rules.
Manage Data Collection Rules Allow or deny users the ability to manage data collection rules.
Manage Alerts Rules Allow or deny users the ability to manage alerts rules.
Manage System and Device Alerts Allow or deny users the ability to view and access alerts.
Import Reports Allow or deny users the ability to import new reports.
Generate and Print Reports Allow or deny users access to the Reports tab under each device section.
Manage Report Scheduler Allow or deny users the ability to set up or change scheduled reports from the Reports tab.
Manage Users and Permissions Allows users to manage General Permissions for SOTI MobiControl Users and Roles. If denied, users do not see the main menu option Users and Permissions.
Manage Servers and Global Settings Allow or deny users the ability to change server and global settings for SOTI MobiControl.
Options:
  • Allow—Options below it are initially set to Allow.
  • Deny—Options below it are initially set to Deny and disabled.

Manage Console Authentication

Allows users to manage Console Settings (Global Settings > Console Settings).

Options:

  • Allow—Console Settings are available.
  • Deny—Console Settings is not visible within Global Settings.

Configure Deployment Servers

Allows users to delete and update properties of Deployment servers. When denied, a user cannot make changes to the deployment server or access the right-click menu.
Manage Terms and Conditions Allow or deny users the ability to access the Terms and Conditions Manager dialog box from the Servers tab.
Configure Secure Email Access Filter Allow or deny users the ability to create or edit Secure Email Access Filter settings from the Servers tab.
Manage APNS Certificates Allow or deny users the ability to upload new APNS certificates from the Servers tab.
Configure Database Maintenance Allow or deny users the ability to access the Configure Logging and Alerts Maintenance dialog box from the Servers tab.
Manage Certificate Authorities Allow or deny users the ability to create or edit Certificate Authorities certificates and templates from the Servers tab.
Revoke Certificates Allow or deny users the ability to revoke certificates.
Manage Shared Files Allow or deny users the ability to manage Shared File Browser from the console.
Manage Cloud Link Agents Allow or deny users the ability to create, update, and delete a Cloud Link Agent, or download the Cloud Link Agent installer from the Servers tab.

For more information, see Cloud Link Agent Help.

Configure Printer Administration Servers Allow or deny users the ability to create or edit Printer Administration Server (PAS) interfaces from the Servers tab.
Manage Android Enterprise Bindings Allow or deny users the ability to edit Android Enterprise bindings.
Manage Automated Device Enrollment - Devices Allow or deny users the ability to manage Apple devices as part of Automated Device Enrollment (ADE).
Manage Automated Device Enrollment - Accounts Allow or deny users the ability to manage Automated Device Enrollment (ADE) accounts.
Manage Android Agents and Plugins Allow or deny users the ability to manage Android agents and plugins.
Manage Exchange Servers Allow or deny users the ability to manage Exchange servers.
Manage System Health Allows users to configure the settings for displaying Advanced Analytics charts. Available in the Main Menu > Global Settings > Console Settings > System Health > Advanced Analytics.

Manage Microsoft 365 Integration

Allows users to configure the SOTI MobiControl connection for Microsoft Endpoint Management services. Available in Main Menu > Global Settings > Services > Microsoft 365. When denied, the user cannot view this setting page.
Manage PRK Encryption Certificate Allow or deny users the ability to manage the PRK encryption certificate for encrypting the personal recovery key of your macOS device for storage in the SOTI MobiControl Server.
Manage API Clients Allow or deny users the ability to manage API clients
Manage Azure AD Join Cloud Enrollment Integration Allow or deny users the ability to manage Azure AD join cloud enrollment integration.
Manage Android Firmware Upgrade Allow or deny users the ability to manage Android firmware upgrades.
Manage Webhooks Allow or deny users the ability to manage webhooks.
Manage SOTI Search Allow or deny users the ability to manage SOTI Search.
Manage Authentication User Group Enrollment Limit Allow or deny users the ability to manage the authentication user group enrollment limit.
Configure Content Library Policy Allow or deny users the ability to access the Content Library tab.
Options:
  • Allow—Options below it are initially set to Allow.
  • Deny—Options below it are initially set to Deny and disabled.
Manage Content Library Policies Allow or deny users the ability to create or edit Content Library policies from the Content Library tab.
Manage Files and Folders Allow or deny users the ability to add or remove files from a Content Library on the Content Library tab.
Manage Library Path Allow or deny users the ability to change the Content Library root folder reference from the Content Library tab.
Manage Root Groups Allow or deny users the ability to create root-level device groups.
View Installed Applications Allow or deny users the ability to view the list of applications installed on a device.
View non-Managed Installed Applications (iOS only) Allow or deny users the ability to view non-managed applications installed on a device (iOS only).
View Profiles Allow or deny users the ability to access the Profiles tab.
Manage Profiles Allow or deny users the ability to edit profiles.

Manage Profile Lockdown Templates

Allows users to create, edit, duplicate, or delete custom templates. Users may also delete pre-defined templates and upload an HTML template file. Available in Main Menu > Profiles when editing or creating a profile that supports lockdown templates.

Manage Profile App Run Control Lists

Allows users to create, edit, or delete Application Run Control Lists. Available in Main Menu > Profiles when editing or creating a profile that supports Application Run Control.
Show Absolute Device Group Paths Allow or deny a user visibility of the full path of a device group if that user does not have view permission for the device group's ancestors.
View Activation Lock Bypass Code Allow or deny users the ability to view the activation lock bypass code.
View And Deploy Packages Allow or deny users the ability to view the Packages tab and to add packages to a profile.
Manage Packages Allow or deny users the ability to upload or delete packages.
Geofence Management Allow or deny users the ability to create, edit, or delete geofences.
Lookup Users and Group Membership Allow or deny users the ability to retrieve user and group membership information.
Lookup Directory Users and Group Membership Allow or deny users the ability to retrieve directory user and group membership information.

View Compliance Policies

Allows users to view details of compliance policies. Available in the Main Menu > Policies > Compliance.

Manage Compliance Policies

Allows users to add, edit, or delete compliance policies. Available in the Main Menu > Policies > Compliance.

View System Health

Allows users to view the System Health menu. It is available in the Main Menu. System Health has information about the SOTI MobiControl servers, the database, Certificates, etc. More diagnostic data are available via the Advanced Analytics tab, available to Premium Plus customers only.
View App Policies Allows users to view details of app policies. Available in Main Menu > Policies > Apps.
Manage App Policies Allow or deny users the ability to manage app policies.

View Script Status

Allows a user to check the execution status of an action script. Available in the device details page of the scripts tab.

Access Script Output

Allows a user to check the output of an action script. Available in the device details page of the scripts tab.

View Directory Services

Allows users to view available Directory services. Available in Global Settings > Services > Directory. When denied, users are unable to view the Directory tab.

Manage Directory Services

Allows users to view, add, configure, and delete Directory services. Available in Global Settings > Services > Directory. When denied, users can only view existing Directory Services.

View System Announcements

Allows users to view system-generated announcements.
Examples:
  • Android Agent upgrade available
  • lmost all device licenses used up
When denied, users do not receive system-generated announcements.

View SOTI Announcements

Allows users to view SOTI's promotional announcements. These do not affect the functionality of SOTI MobiControl and are primarily for surveys.

View Device Scripts

Allows users to view available device scripts. Available in Device Actions > Send Script. When denied, users cannot see preconfigured device scripts and cannot generate and save a new device script.

Manage Device Scripts

Allows users to view, update, delete and create new device scripts. Available in Device Actions > Send Script.

View Windows Updates

Allow or deny users the ability to view Windows updates.

Manage Windows Updates

Allow or deny users the ability to manage Windows updates.

View Alerts

Allows users to view details of alert rules. Available in Main Menu > Policies > Alerts. The SOTI MobiControl legacy console still manages alert rules. When denied, users are unable to view this policy option.

View Signal Policies

Allows users to view details of signal policies. Available in Main Menu > Policies > Signal. When denied, users are unable to view signal policies.

Manage Signal Policies

Allows users to add, edit, or delete signal policies. Available in Main Menu > Policies > Signal.
Download Encrypted Personal Recovery Key Allow or deny users the ability to download the encrypted personal recovery key file to your device.
View Decrypted Personal Recovery Key Allow or deny users the ability to decrypt and view the personal recovery key in real time.
Download Windows Enrollment Provisioning Package Allow or deny users the ability to download the Windows enrollment provisioning package.
View License Information Allow or deny users the ability to view license information.
Manage License Information Allow or deny users the ability to manage license information.
View File Sync Policies Allow or deny users the ability to view file sync policies.
Manage File Sync Policies Allow or deny users the ability to manage file sync policies.
View Telecom Expense Management Policies Allow or deny users the ability to view telecom expense management policies.
Manage Telecom Expense Management Policies Allow or deny users the ability to manage telecom expense management policies.
View GPS Location Allow or deny users the ability to view GPS locations.
View Data Collection Policies Allow or deny users the ability to view data collection policies.
Manage Data Collection Policies Allow or deny users the ability to manage data collection policies.
View Enrollment Policies Allow or deny users the ability to view enrollment policies.
Manage Enrollment Policies Allow or deny users the ability to manage enrollment policies.
View Collected Data Allow or deny users the ability to view collected data.
View Profile Schedules Allow or deny users the ability to view profile schedules.
Manage Profile Schedules Allow or deny users the ability to manage profile schedules.
Self Service Portal Access Allow or deny users the ability to access the Self Service Portal. The Self Service Portal allows users to self-manage their enrolled devices.
Wipe Allow or deny users the ability to wipe their devices from within the Self Service Portal.
Lock Allow or deny users the ability to lock their devices from within the Self Service Portal.
Un-enroll Allow or deny users the ability to unenroll their devices from within the Self Service Portal.
Locate Allow or deny users the ability to locate their devices from within the Self Service Portal.
Send Message Allow or deny users the ability to send messages to their devices from within the Self Service Portal.
Reset Passcode Allow or deny users the ability to set or clear passcodes on their devices from within the Self Service Portal.
Check-in Allow or deny users the ability to check in their devices from within the Self Service Portal.