Restrict devices that administrators can control with Systems Manager
With the Meraki Systems Manager Enterprise Mobility Management (EMM) solution, very powerful controls are placed into the hands of IT administrators. With great power comes great responsibility; it may not be desirable to have every administrator in your organization capable of wiping the CEO’s iPad!
This is why we have introduced the new limited access roles feature in the Meraki dashboard. It allows organizations to easily choose which devices an administrative user has access to, but most interestingly, this selection of devices can change dynamically based on parameters such as time and identity. For example, teachers can be given responsibility for devices only during the time of their class, or enterprise helpdesk staff can be limited to managing devices in their Active Directory group.
Limited access roles can be found in the Meraki dashboard under Configure > General.
The example above is based on a retail environment where helpdesk staff only have access to the devices they are responsible for, with three roles, one for each of the helpdesk teams. These are:
- A specialist team with knowledge of the Electronic Point of Sale (EPOS) system running on mobile handhelds
- A generalist team responsible for the customer-facing kiosks’ tablets
- An emergency out-of-hours team able to help with anything
Tags are used to select the devices managed by each role, with both static and dynamic tags being used in our example. The grey tags represent static tags that have been applied to the device based on its role, while the green tags represent dynamic tags, which can change. For these roles, time is being used as the dynamic tag, corresponding to the store’s operational hours.
With the times and roles defined, the user George has been given the ‘Shop floor EPOS help desk’ role. If George were part of another team and needed a different role, it could be selected from the drop-down.
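A conceptual model of the tag-based scoping described above, added here as an example; it is not Meraki's code or API. It assumes a role covers a device only when the device carries all of the role's static tags and the role's time-based dynamic tag is currently active. All tag names, hours, device names, the admin Dana and every role except ‘Shop floor EPOS help desk’ are constructed.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class TimeTag:
    """Dynamic tag that is present only inside the window [start, end)."""
    name: str
    start: time
    end: time

    def active(self, now: time) -> bool:
        if self.start <= self.end:
            return self.start <= now < self.end
        # Window wraps past midnight (for example 18:00 -> 09:00).
        return now >= self.start or now < self.end


# Constructed sample data (assumptions, not taken from the dashboard).
STORE_OPEN = TimeTag("store-open", time(9, 0), time(18, 0))
OUT_OF_HOURS = TimeTag("out-of-hours", time(18, 0), time(9, 0))

DEVICES = {  # device -> static tags applied according to the device's role
    "handheld-01": {"epos"},
    "kiosk-tablet-01": {"kiosk"},
}
ROLES = {  # role -> (required static tags, required dynamic time tag)
    "Shop floor EPOS help desk": ({"epos"}, STORE_OPEN),
    "Kiosk help desk": ({"kiosk"}, STORE_OPEN),
    "Out of hours help desk": (set(), OUT_OF_HOURS),  # no static filter
}
ADMINS = {"George": "Shop floor EPOS help desk",
          "Dana": "Out of hours help desk"}


def manageable_devices(admin: str, now: time) -> set[str]:
    """Devices the admin's role covers at `now`; default is deny."""
    role = ADMINS.get(admin)
    if role is None:
        return set()  # unknown admin: no devices
    static_tags, window = ROLES[role]
    if not window.active(now):
        return set()  # dynamic tag absent, so the role matches nothing
    return {dev for dev, tags in DEVICES.items() if static_tags <= tags}
```

The boundary handling is the part worth checking in any real configuration: with half-open windows, 18:00 belongs to the out-of-hours role and 09:00 to the daytime roles, so no instant is covered by both or by neither.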
Limited access roles help ensure privacy, protect against operator error, and simplify management of devices in the Meraki dashboard. This functionality has widespread applicability, while also being a core feature in education, where it is part of our Teacher’s Assistant functionality. Further information on this can be found in our previous blog post here.