IT administrators in security-conscious organizations implement role-based security models to restrict personnel access to various applications
and operations. The roles often reflect current organizational structures and the hierarchy of business groups.
When using a powerful, feature-rich mobile device management solution like MobiControl, it may be desirable to limit
access to MobiControl's functionality for some individuals or groups of users. For example, for a multi-tier
support and help desk team, an organization may want to limit the access of tier-one help desk personnel to the MobiControl
Manager while added functionality and features might be available for tier-two personnel.
MobiControl User Access Control
With the introduction of the latest version of MobiControl, you can now use Integrated User Authentication with the
MobiControl Manager. The new authentication system is very similar to that of Microsoft Active Directory: a defined Username and Password is required when launching the MobiControl Manager or the MobiControl Web Console in order to manage or support your mobile fleet.
MobiControl Manager Active Directory Security
MobiControl's user security system integrates with the Active Directory and the Windows security system to control
access to the MobiControl system and implement existing organizational security structures. The option to allow
read-only communication with the LDAP (Lightweight Directory Access Protocol) means that write access to the directory is not required so there is
no risk to the directory schema.
Note:
You can use Active Directory users and groups together with Basic User Authentication accounts.
Installing and Enabling MobiControl Security
- Open the MobiControl Manager, click Tools, click Options,
and click the Security tab
- Click the Enable user access control checkbox to enable user security
- If you wish to use Active Directory security click the Integrate with Active Directory checkbox
- If you wish to apply Active Directory security to the Web Console click the Enable Active Directory access for the web console
MobiControl Active Directory dialog box
Note:
The Autodetect button will locate the Primary Domain Controller on the domain, unless it is busy, in which case it will locate a
Secondary Domain Controller. It is recommended to edit this field to reflect the name of the Domain itself so that if any of
the Domain Controllers go down, MobiControl will continue to function with Active Directory authentication (provided
that there is more than one Domain Controller in the domain).
- Click the Add button to add a user account. You can add the following types of account:
Item | Description |
---|---|
Active Directory User/Group | Import a user or group from the Active Directory |
User | Add a user to MobiControl User Access Control |
User Group | Add a group to MobiControl User Access Control |
Once the type of user has been selected, you must select the type of permissions available to that user.
Add User Dialogue
Note:
If a User has been locked out of MobiControl for entering the password incorrectly too many times, you may unlock the account from this dialogue by unchecking the "Lock This User's Account" option.
Operation | Description |
---|---|
MobiControl Manager Access | The permission to log into the MobiControl Management Console |
Web Console Access | The permission to log into the MobiControl Web Console |
MobiControl Manager Configuration | To change the configuration settings of the MobiControl system that are accessed in the Options dialog box. This includes access to configuring the security settings. |
Configure Devices/Device Groups | To change configuration settings of devices, or to enable, disable, or delete devices, or to add, delete, or rename device groups |
Configure Rules | To add, delete, rename, enable, or disable rules |
Configure Packages | To add or delete packages |
Configure Deployment Servers | To start, shutdown, enable, disable, or delete Deployment Servers, or to change configuration settings of Deployment Servers |
Change Registration Code | To change the registration code currently used by the Deployment Server. Note: If the registration code has expired or is invalid, any user will have the ability to change the registration code. |
Manage Alerts | When permission is Denied, there is still an Alert pop-up notice, but "Acknowledge" and "Close" functions are disabled. |
Generate Reports | The ability to generate reports from Crystal Reports |
Import Reports | The ability to import custom reports into the SQL Database |
Once the basic account information has been entered you can also specify User Group memberships.
Follow the above steps to also create a new User Group.
Add Group Membership Dialogue
When enabling Active Directory security in MobiControl, the security data that binds Active Directory users
and groups to selected management operations is stored in the MobiControl SQL database. This avoids
writing data to the Active Directory server and avoids the requirement for a Domain Administrator to configure MobiControl's
security. Any domain user is able to install/enable the security system. Once enabled however, it is then up to that user to grant and deny permissions.
- Click the Policies button to enable additional user security features for your MobiControl basic user access accounts and groups.
Basic User Authentication Policies
If you selected to allow your users to reset a forgotten password, you have the ability to click the Add button and create a
security question for them.
Create a Challenge Question
Once the security questions have been entered, the users must enter the answers to these questions. To do this, log into the MobiControl Manager and select File -> Security Questions. In order for a user to reset their own password, they must set up their security questions. The user will answer the questions from a list that is provided above.
Enter Security Question
Once these 3 questions have an answer, the user can now use the "Forgot Password" option when opening the MobiControl Manager.
Prompt for Username
Configuring Active Directory User or Group Security Settings
To configure Active Directory security for MobiControl, click the Tools menu, click Options,
and select the Security tab. Click Add and then select Active Directory Users/Groups.
These security settings are applied to the higher level access of the MobiControl Manager:
Assign permissions to Users or Groups
Operation | Description |
---|---|
MobiControl Manager Access | The permission to log into the MobiControl Management Console |
Web Console Access | The permission to log into the MobiControl Web Console |
MobiControl Manager Configuration | To change the configuration settings of the MobiControl system that are accessed in the Options dialog box. This includes access to configuring the security settings. |
Configure Devices/Device Groups | To change configuration settings of devices, or to enable, disable, or delete devices, or to add, delete, or rename device groups |
Configure Rules | To add, delete, rename, enable, or disable rules |
Configure Packages | To add or delete packages |
Configure Deployment Servers | To start, shutdown, enable, disable, or delete Deployment Servers, or to change configuration settings of Deployment Servers |
Change Registration Code | To change the registration code currently used by the Deployment Server. Note: If the registration code has expired or is invalid, any user will have the ability to change the registration code. |
Manage Alerts | When permission is Denied, there is still an Alert pop-up notice, but "Acknowledge" and "Close" functions are disabled. |
Generate Reports | The ability to generate reports from Crystal Reports |
Import Reports | The ability to import custom reports into the SQL Database |
Check Names | Performs a check against the Active Directory server for the username that was entered, verifies it exists, and gives the full user name |
Search | Allows you to browse the Active Directory entries and select those you would like to add |
Configuring Global Security Settings
MobiControl Security Settings page
From the Security tab, you can perform the following operations:
Operation | Description |
---|---|
Enable user access control | Enables or Disables MobiControl Manager Security |
Policies | Assign password complexity requirements to MobiControl Basic Users and Groups |
Integrate with Active Directory | Allows you to use Active Directory users and groups with MobiControl Manager |
Autodetect | Autodetects your Primary Domain Controller |
Enable Active Directory access for the Web Console | Allows you to use Active Directory authentication for the MobiControl Web Console |
Add | Allows you to Add a User or Group |
Edit | Allows you to Edit a User or Group |
Remove | Allows you to Remove a User or Group |
Add Users/Groups dialog box
From the Add Users/Groups dialog box, you can perform the following operations:
Operation | Description |
---|---|
Add | Adds the selected user or group to the MobiControl security list |
Remove | Removes a single selected user or group from the MobiControl security list |
Add All | Adds all users or groups to the MobiControl security list |
Remove All | Removes all users or groups from the MobiControl security list |
In most cases, only the Allow check box is needed. The Deny check box is only needed when
you want to explicitly deny the permission for a user.
Example:
- Suppose the Allow box next to MobiControl Manager Access
is checked for the user "TestUser." This means that TestUser can run the MobiControl Manager console. If the
Allow box is not checked, then whether TestUser can run the MobiControl
Manager console depends on whether his or her group(s) have the permission.
- Suppose the user "AManager" belongs to the Administrators group, and the Administrators group has permission on MobiControl Manager Access. To prevent AManager from running the MobiControl
Manager console, add AManager to the user list and check the Deny box next to MobiControl Manager Access.
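The Allow/Deny behaviour in the two cases above can be modelled to review effective access before a role design is rolled out. This is an added example, not MobiControl code or its API: the data structures, the function names and the Tier1Agent/HelpDeskTier1 entries are hypothetical, group-level Deny is left out because the page does not describe its precedence, and "no grant means no access" is an assumption.

```python
# Added illustration: models the Allow/Deny behaviour described above.
# Names and data are hypothetical/constructed; not MobiControl code or its API.
ALLOW, DENY = "allow", "deny"

# Constructed sample data: explicit per-user entries and group grants.
USER_ENTRIES = {
    "TestUser": {"MobiControl Manager Access": ALLOW},
    "AManager": {"MobiControl Manager Access": DENY},
    "Tier1Agent": {},
}
GROUP_ALLOWS = {
    "Administrators": {"MobiControl Manager Access",
                       "MobiControl Manager Configuration"},
    "HelpDeskTier1": {"MobiControl Manager Access"},
}
MEMBERSHIP = {
    "TestUser": [],
    "AManager": ["Administrators"],
    "Tier1Agent": ["HelpDeskTier1"],
}


def resolve(user, operation):
    """Return (granted, source) for one user and one operation."""
    explicit = USER_ENTRIES.get(user, {}).get(operation)
    if explicit == DENY:            # explicit user Deny overrides group grants
        return False, "user entry (Deny)"
    if explicit == ALLOW:
        return True, "user entry (Allow)"
    for group in MEMBERSHIP.get(user, []):   # no user entry: rely on groups
        if operation in GROUP_ALLOWS.get(group, set()):
            return True, f"group {group}"
    return False, "no grant"        # assumption: nothing allows it, so no access


def holders(operation):
    """List every user who effectively holds an operation, with the source."""
    found = {}
    for user in MEMBERSHIP:
        granted, source = resolve(user, operation)
        if granted:
            found[user] = source
    return found


if __name__ == "__main__":
    for op in ("MobiControl Manager Access", "MobiControl Manager Configuration"):
        print(op, "->", holders(op))
```

In this model the Deny on AManager covers only MobiControl Manager Access; `holders()` still reports AManager for MobiControl Manager Configuration through the Administrators group, which is the kind of leftover grant a permission review should surface.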
Configuring MobiControl Group Permissions
To configure permissions for management devices, right-click on the folder on which you would like to apply permissions and select
Group Permissions. The permissions will be applied to all sub-folders for this folder.
Important:
After configuring the global security settings, you must explicitly assign permissions at a device tree group level. This is done by right-clicking
on a group and choosing Group Permissions from the drop-down menu.
Please see the Device Group Permissions page for
more information about assigning group-level management console security permissions.
Configuring MobiControl User Security Settings with MMC Tool
If the MobiControl security settings are being written to the Active Directory server, then you may configure
permissions via the Microsoft Management Console (MMC) tool.
- Start the Microsoft Management Console (MMC) by typing "mmc" in the command prompt.
- Add the Active Directory snap-in by clicking Console, and then clicking Add/Remove Snap-in.
Click the Add button in the Add/Remove Snap-in dialog box. In the Add
Standalone Snap-in dialog box, select the Active Directory Users and Computers item and then click the
Add button. Close the Add/Remove Snap-in dialog box.
- In MMC, select the Active Directory Users and Computers item, then click the View menu item
and make sure Advanced Features is checked.
- Expand the sub-trees of the Active Directory Users and Computers item. You will then be able to find the
MobiControl objects under the System/MobiControl folder.
- Double-click the object to which you want to make changes to open the Property dialog box, select the
Security tab, then configure the security settings of the selected object.
MobiControl uses the standard READ permission to check the user's access right. If you want to grant permission to
a user to execute a MobiControl operation, you grant the user the READ permission on the corresponding Active
Directory object. To make user management easier, we recommend assigning access rights to domain user groups. You can use the existing groups, or
you can create some groups for MobiControl. When you grant permissions to a group, all users who are members of this
group will automatically have the same permissions. Furthermore, the users modifying the permissions must have the WRITE permission on the
corresponding Active Directory objects.
MMC Security Settings page