MCM roles and permissions

Use the WebUI Permissions service to take advantage of fine-grained control over permissions and preferences for users and groups of users in WebUI MDM.

To go to the Permissions page, as a Master Operator, click the gear icon and select Permissions from the dropdown menu.

A Master Operator can configure two things for MDM with the Permissions and Preferences Services (PPS):
  1. Configure visibility of the MCM app based on the user role
    • For example, users in the mdm allow all and mdm custom policy roles can see the MCM application, but users not in those roles do not have access to the MCM application.
  2. Configure specific MCM permissions
    • The Create, Edit and Delete Non-Custom Policies permission allows users to modify policies (passcode policies, kernel policies, certificate policies, restrictions policies, and full disk access policies) that WebUI natively supports.
    • The Create, Edit, and Delete MCM Custom Policies permission allows users to modify custom policies that users define and upload on their own.

Permissions in WebUI work just like console permissions: a user’s permissions are the union of all of their role permissions and the global permissions. For example, if a user is part of four different roles and only one of them has an MCM-specific permission, that user has access to MCM. If a user is not part of any role that has MCM-specific permissions, but the Global Permissions for MCM have been set, that user also has access to MCM despite not having access through roles.
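The union rule above can be checked offline when reviewing role assignments. The following Python sketch is an added example, not WebUI or BigFix code: it computes each user's effective permissions together with the source of every grant, and lists users who hold an MCM permission only through Global Permissions. The users, the `patching`, `reporting` and `inventory` roles, and all function names are constructed for illustration.

```python
# Added example: constructed data, not exported from WebUI or any BigFix API.
from collections import defaultdict

GLOBAL = "<global>"  # label used here for the Global Permissions source

def effective_permissions(user, role_members, role_perms, global_perms):
    """Return {permission: sorted list of sources granting it} for user.

    Union semantics: a permission is held if any role the user belongs to
    grants it, or if it is set in Global Permissions.
    """
    sources = defaultdict(set)
    for role, members in role_members.items():
        if user in members:
            for perm in role_perms.get(role, ()):
                sources[perm].add(role)
    for perm in global_perms:
        sources[perm].add(GLOBAL)
    return {perm: sorted(src) for perm, src in sources.items()}

def global_only_grants(users, role_members, role_perms, global_perms):
    """List (user, permission) pairs held only through Global Permissions."""
    findings = []
    for user in sorted(users):
        eff = effective_permissions(user, role_members, role_perms, global_perms)
        findings += [(user, p) for p, src in sorted(eff.items()) if src == [GLOBAL]]
    return findings

# Constructed sample: four roles, only one of which carries an MCM permission.
NON_CUSTOM = "Create, Edit and Delete Non-Custom Policies"
CUSTOM = "Create, Edit, and Delete MCM Custom Policies"
ROLE_MEMBERS = {
    "patching": {"alice"}, "reporting": {"alice", "bob"},
    "inventory": {"alice"}, "mdm custom policy": {"alice"},
}
ROLE_PERMS = {"mdm custom policy": {CUSTOM}}
USERS = {"alice", "bob"}

if __name__ == "__main__":
    for glob in (set(), {NON_CUSTOM}):
        print("global =", sorted(glob))
        for u in sorted(USERS):
            print(" ", u, effective_permissions(u, ROLE_MEMBERS, ROLE_PERMS, glob))
        print("  global-only:", global_only_grants(USERS, ROLE_MEMBERS, ROLE_PERMS, glob))
```

A non-empty global-only list means the permission reaches users that no role review would surface.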