General Permissions
The general permissions of a user management entity (a user, group, or role) define the entity's level of access and control within the SOTI MobiControl console. Administrators can edit general permissions. If neither Allow nor Deny is explicitly set for permission, it defaults to Deny.
When changing permissions for roles, you can select Allow or Deny for any permission on the list. Permission check boxes are blue when selected and gray when cleared.
Users and groups inherit permissions from their assigned roles. The inherited Allow and Deny options display as solid blue squares. Selecting Allow or Deny for a permission removes inheritance from roles. Check boxes for explicitly selected (not inherited) permissions display as a blue check mark. Unselected check boxes display a gray square contour.
Note: Permissions are organized in a hierarchy, which is shown using multi-level indentations in
the list. When you change a permission, all related permissions above or below
it in the hierarchy are automatically updated. The permission list on the page
updates immediately to show these changes.
| Permission | Description |
|---|---|
| MobiControl Access | Allow or deny access to SOTI MobiControl permissions. |
| Web Console Access | Allow or deny access to the SOTI MobiControl console. |
| AI Assistance Access | Allow or deny users access to AI assistance in SOTI MobiControl. |
| Manage System and Device Alerts | Allow or deny users the ability to view and access alerts. |
| Configure Content Library | Allow or deny users the ability to access the Content Library tab. |
| Manage Content Library Profiles | Allow or deny users the ability to manage Content Library Policies. |
| Manage Files and Folders | Allow or deny users the ability to add or remove files from a Content Library on the Content Library tab. |
| Manage Library Path | Allow or deny users the ability to change the Content Library root folder reference from the Content Library tab. |
| Configure Content Library Policy | Allow or deny users the ability to define Content Library Policies. |
| Manage Files and Folders | Allow or deny users the ability to add or remove files from a Content Library on the Content Library tab. |
| Manage Library Path | Allow or deny users the ability to change the Content Library root folder reference from the Content Library tab. |
| Manage Content Library Policies | Allow or deny users the ability to create or edit Content Library policies from the Content Library tab. |
| Configure Devices/Device Groups | Allow or deny users the ability to add, remove or edit device groups. |
| Download Encrypted Personal Recovery Key | Allow or deny users the ability to download the encrypted personal recovery key. |
| Download Windows Enrollment Provisioning Package | Allow or deny users the ability to download the Windows enrollment provisioning package. |
| Generate and Print Reports | Allow or deny users access to the Reports tab under each device section. |
| Manage Report Scheduler | Allow or deny users the ability to set up or change scheduled reports from the Reports tab. |
| Geofence Management | Allow or deny users the ability to create, edit, or delete geofences. |
| Manage Servers and Global Settings | Allow or deny users the ability to change server and global settings for SOTI MobiControl. |
| Bypass Approval on Profile Creation | Allow or deny users to create/modify profiles without going through the approval process. |
| Configure Database Maintenance | Allow or deny users the ability to access the Configure Logging and Alerts Maintenance dialog box from the Servers tab. |
| Manage Console Authentication | Allow or deny users the ability to manage Console Settings in the Global Settings. |
| Manage Automated Device Enrollment - Accounts | Allow or deny users the ability to manage Automated Device Enrollment (ADE) accounts. |
| Manage Android Agents and Plugins | Allow or deny users the ability to manage SOTI MobiControl Android Device Agents and plugins. |
| Manage Android Enterprise Bindings | Allow or deny users the ability to edit Android Enterprise bindings. |
| Manage API Clients | Allow or deny users the ability to manage API clients. |
| Manage APNS Certificates | Allow or deny users the ability to upload new APNS certificates from the Servers tab. |
| Manage Apple Root Certificate | Allow or deny users the ability to configure the Apple Root Certificate settings. |
| Manage Approval Settings | Allow or deny users the ability to configure approval workflows for profile and enrollment requests. |
| Manage Authentication User Group Enrollment Limit | Allow or deny users the ability to manage the authentication user group enrollment limit and enrollment restrictions (see Restriction Rules). |
| Manage Microsoft Entra join Cloud Enrollment Integration | Allow or deny users the ability to manage Microsoft Entra join cloud enrollment integration. |
| Manage Certificate Authorities | Allow or deny users the ability to create or edit Certificate Authorities certificates and templates from the Servers tab. |
| Manage Google Workspace Bindings | Allow or deny users the ability to edit the Google Workspace bindings. |
| Manage Cisco ISE Settings | Allow or deny users the ability to configure Cisco ISE integration settings. |
| Manage Cloud Link Agents | Allow or deny users the ability to create, update, and delete a Cloud Link Agent or download the Cloud Link Agent installer from the Servers tab (see Cloud Link Agent Help). |
| Manage Automated Device Enrollment - Devices | Allow or deny users the ability to manage Apple devices as part of Automated Device Enrollment (ADE). |
| Manage Exchange Servers | Allow or deny users the ability to manage Exchange servers. |
| Manage PRK Encryption Certificate | Allow or deny users the ability to manage the PRK encryption certificate for encrypting the personal recovery key of your macOS device for storage in the SOTI MobiControl Server. |
| Manage Microsoft Integration | Allow or deny users the ability to configure the SOTI MobiControl connection for Microsoft Endpoint Management services. Available in . When denied, the user cannot view this setting page. |
| Manage SOTI Search | Allow or deny users the ability to manage SOTI Search. |
| Manage Shared Files | Allow or deny users the ability to manage the Shared File Browser from the console. |
| Manage SOTI Plugin | Allow or deny users to manage the SOTI plugin. |
| Manage System Health | Allow or deny users the ability to configure the settings for displaying Advanced Analytics charts. Available from . |
| Manage Terms and Conditions | Allow or deny users the ability to access the Terms and Conditions Manager dialog box from the Servers tab. |
| Manage SOTI VPN | Allow or deny users the ability to manage SOTI Virtual Private Network (VPN) service settings. |
| Manage Webhooks | Allow or deny users the ability to manage webhooks. |
| Manage Windows Autopilot | Allow or deny users the ability to configure Windows Autopilot deployment options. |
| Revoke Certificates | Allow or deny users the ability to revoke certificates. |
| Configure Secure Email Access Filter | Allow or deny users the ability to create or edit Secure Email Access Filter settings from the Servers tab. |
| Configure Deployment Servers | Allow or deny users the ability to delete and update properties of Deployment servers. If denied, a user cannot change the deployment server or access the right-click menu. |
| View Android Firmware Upgrade | Allow or deny users the ability to view available Android firmware upgrades. |
| Manage Android firmware upgrade | Allow or deny users the ability to manage Android firmware upgrades. |
| View OS Images | Allow or deny users the ability to view operating system image files. |
| Manage OS Images | Allow or deny users the ability to upload, edit, or delete operating system image files. |
| Import Reports | Allow or deny users the ability to import new reports. |
| Lookup Users and Group Membership | Allow or deny users the ability to retrieve user and group membership information. |
| Lookup Directory Users and Group Membership | Allow or deny users the ability to retrieve directory user and group membership information. |
| Manage Root Groups | Allow or deny users the ability to create root-level device groups. |
| Manage Shared Column View | Allow or deny users the ability to share column views with users, groups, or roles. See Creating Column Views and Changing the Columns of the Devices List for details. |
| Manage Shared Saved Search | Allow or deny users the ability to share saved searches with users, groups, or roles. See Searching for Devices for details. |
| Manage Users and Permissions | Allow or deny users the ability to manage General Permissions for SOTI MobiControl Users and Roles. If denied, users do not see the main menu option Users and Permissions. |
| View Policies | Allow or deny users the ability to view device management policies. |
| Manage Add Device Rules (Legacy) | Allow or deny users the ability to manage add devices rules. |
| Manage Device Relocation Policies | Allow or deny users the ability to manage device relocation rules. |
| View Alerts | Allow or deny users the ability to view alerts created through a Signal Policy. |
| View Installed Applications | Allow or deny users the ability to view the list of applications installed on a device. |
| View Non-managed Installed Applications (iOS only) | Allow or deny users the ability to view non-managed applications installed on a device (iOS only). |
| View App Dashboard | Allow or deny users the ability to access the App Dashboard. |
| View App Policies | Allow or deny users the ability to view details of app policies. Available from . |
| Manage App Policies | Allow or deny users the ability to manage app policies. |
| View Approval Request | Allow or deny users the ability to view Approval Requests from . See Managing Enrollment Requests for details. |
| Approve Device Enrollment Request | Allow or deny users the ability to Review (and then Approve or Reject) devices that are pending approval from Enrollment Requests. See Managing Enrollment Requests for details. |
| Approve Profile Request | Allow or deny users the ability to approve or reject profile change requests. |
| View Certificate Dashboard | Allow or deny users the ability to view certificate-related data in the Certificate Dashboard. |
| Manage Certificate Dashboard | Allow or deny users the ability to view certificate-related data in the Certificate Dashboard. |
| View Collected Data | Allow or deny users the ability to view collected data. |
| View Compliance Policies | Allow or deny users the ability to view details of compliance policies. Available from . |
| Manage Compliance Policies | Allow or deny users the ability to add, edit, or delete compliance policies. Available from . |
| View Data Collection Policies | Allow or deny users the ability to view data collection policies. |
| Manage Data Collection Policies | Allow or deny users the ability to manage data collection policies. |
| View Decrypted Personal Recovery Key | Allow or deny users the ability to decrypt and view the personal recovery key in real time. |
| View Device Administrator Password | Allow or deny users the ability to view stored administrator credentials for devices. |
| View Device Scripts | Allow or deny users the ability to view available device scripts. Available from . When denied, users cannot see preconfigured device scripts and cannot generate and save a new device script. |
| Manage Device Scripts | Allow or deny users the ability to view, update, delete and create new device scripts. Available in . |
| View Enrollment Policies | Allow or deny users the ability to view enrollment policies. |
| Manage Enrollment Policies | Allow or deny users the ability to manage enrollment policies. |
| View Enterprise Apps | Allow or deny users the ability to view the list of enterprise applications. |
| Manage Enterprise Apps | Allow or deny users the ability to add, update, or remove enterprise applications. |
| View eSIM Policies | Allow or deny users the ability to view eSIM policy configurations. |
| Manage eSIM Policies | Allow or deny users the ability to create, modify, or delete eSIM policies. |
| View File Sync Policies | Allow or deny users the ability to view file sync policies. |
| Manage File Sync Policies | Allow or deny users the ability to manage file sync policies. |
| View GPS location | Allow or deny users the ability to view GPS locations. |
| View Activation Lock Bypass Code | Allow or deny users the ability to view the activation lock bypass code. |
| View Directory Services | Allow or deny users the ability to view the available Directory services. Available from . When denied, users are unable to view the Directory tab. |
| Manage Directory Services | Allow or deny users the ability to view, add, configure, and delete directory services. Available from . When denied, users can only view existing directory services. |
| View License Information | Allow or deny users the ability to view license information. |
| Manage License Information | Allow or deny users the ability to manage license information. |
| View and Deploy Packages | Allow or deny users the ability to view the Packages tab and to add packages to a profile. |
| Manage Packages | Allow or deny users the ability to upload or delete packages. |
| View Profiles | Allow or deny users the ability to access the Profiles tab. |
| Manage Phone Call Records | Allow or deny users the ability to access and review phone call history for managed devices. |
| Manage Profile App Run Control Lists | Allow or deny users the ability to create, edit, or delete Application Run Control Lists. Available in when editing or creating a profile that supports Application Run Control. |
| Manage Profile Assignments | Allows assigning and revoking profiles to and from devices. |
| Manage Lockdown Home Screens and Templates | Allow or deny users the ability to create and configure customized lockdown mode home screens and templates for managed devices. |
| Manage Profile Setup | Allow or deny users the ability to create and edit profile configurations. |
| Manage Windows Registry Keys | Allow or deny users the ability to configure Windows Registry keys through device profiles. |
| View Profile Schedules | Allow or deny users the ability to view profile schedules. |
| Manage Profile Schedules | Allow or deny users the ability to manage profile schedules. |
| View Saved Assignment Filters | Allow or deny users the ability to view existing saved assignment filters. |
| Manage Saved Assignment Filters | Allow or deny users the ability to create or edit saved assignment filters. |
| View Script Status | Allow or deny users the ability to check the execution status of an action script. Available in the device details page of the scripts tab. |
| Access Script Output | Allow or deny users the ability to check the output of an action script. Available in the device details page of the scripts tab. |
| View Signal Policies | Allow or deny users the ability to view details of signal policies. Available from . When denied, users are unable to view signal policies. |
| Manage Signal Policies | Allow or deny users the ability add, edit, or delete signal policies. Available from . |
| View SOTI Announcements | Allow or deny users the ability to view SOTI's promotional announcements. These do not affect the functionality of SOTI MobiControl and are primarily for surveys. |
| View System Announcements | Allow or deny users the ability to view system-generated announcements, such as when
an SOTI MobiControl Android Device Agent upgrade is
available, or when most device licenses are in use. Note: When denied, users do not receive
system-generated announcements. |
| View System Health | Allow or deny users the ability view the System Health menu. The System Health menu is
accessible from the main menu and allows users to view important
information about the SOTI MobiControl servers,
database, and certificates, etc. Note: More
diagnostic information is available in the Advanced Analytics
tab for Premium Plus customers only. |
| View Telecom Expense Management Policies | Allow or deny users the ability to view telecom expense management policies. |
| Manage Telecom Expense Management Policies | Allow or deny users the ability to manage telecom expense management policies. |
| View Updates & Firmware Management Policies | Allow or deny users the ability to view update and firmware policy configurations. |
| View Apple Update Policies | Allow or deny users the ability to view Apple update-related policies. |
| Manage Apple Update Policies | Allow or deny users the ability to configure and deploy Apple update policies. |
| View Windows Devices Staging |
Allow or deny users the ability to view staging information for Windows devices. |
| Manage Windows Devices Staging | Allow or deny users the ability to configure and manage staging profiles for Windows devices. |
| View Windows Updates | Allow or deny users the ability to view Windows updates. |
| Manage Windows Updates | Allow or deny users the ability to manage Windows updates. |
| Self Service Portal Access | Allow or deny users the ability to access the Self Service Portal. The Self Service Portal enables users to self-manage their enrolled devices. |
| Lock | Allow or deny users the ability to lock their devices from within the Self Service Portal. |
| Reset Passcode | Allow or deny users the ability to set or clear a passcode on their devices from within the Self Service Portal. |
| Un-enroll | Allow or deny users the ability to unenroll their devices from within the Self Service Portal. |
| Locate | Allow or deny users the ability to locate their devices from within the Self Service Portal. |
| Send message | Allow or deny users the ability to send messages to their devices within the Self Service Portal. |
| Wipe | Allow or deny users the ability to wipe their devices from within the Self Service Portal. |
| Check-in | Allow or deny users the ability to check in their devices from within the Self Service Portal. |