Endpoint Custom RBAC

This document outlines the custom Role-Based Access Control (RBAC) roles created for managing endpoints at Texas A&M University. These roles are designed around the principle of least privilege, ensuring administrators and operators have only the permissions necessary to perform their specific duties, thereby enhancing security and operational efficiency.

TL;DR
  • These roles are built on the security principle of least privilege.
  • Duties are segregated into specific roles like Application Management, Device Enrollment, and Security Operations.
  • Each role has clearly defined permissions across Intune, and may have related permissions in Entra ID and MECM.

Background and Scope

In a large and complex environment like Texas A&M University, using built-in roles like "Intune Administrator" can grant overly broad permissions. To mitigate this risk, a set of custom roles has been developed. This approach allows for the delegation of specific tasks (e.g., wiping a device, managing Autopilot profiles) to different IT teams without exposing the entire Intune environment. This document serves as the central reference for the purpose, permissions, and intended use of each custom role.
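Because the role definitions in this document are the reference, a practical companion is a drift audit that compares what a tenant actually grants against what is documented here. The following added example (not part of this page or of any TAMU tooling) flattens a Microsoft Graph roleDefinition export (GET /deviceManagement/roleDefinitions, whose objects carry rolePermissions[].resourceActions[].allowedResourceActions[]) and reports extra, missing and destructive actions per role. The Microsoft.Intune_* action identifiers and the sample export are assumed/constructed; verify the names against your own tenant before relying on them.

```python
"""Least-privilege drift audit for documented custom Intune roles.

Assumptions (verify in your tenant): action identifiers follow the
Microsoft.Intune_<Resource>_<Action> pattern, and the export has the
Graph roleDefinition shape. The sample export below is constructed.
"""
import json

# Reference set: permissions this document assigns to each role (assumed identifiers).
DOCUMENTED = {
    "TAMU Device Wipe and Autopilot Reset": {
        "Microsoft.Intune_RemoteTasks_CleanPC",
        "Microsoft.Intune_RemoteTasks_SyncDevice",
        "Microsoft.Intune_RemoteTasks_Wipe",
    },
    "TAMU Read-Only Operator": {
        "Microsoft.Intune_DeviceCompliancePolices_Read",
        "Microsoft.Intune_DeviceCompliancePolices_ViewReports",
        "Microsoft.Intune_DeviceConfigurations_Read",
        "Microsoft.Intune_DeviceConfigurations_ViewReports",
        "Microsoft.Intune_ManagedDevices_Read",
        "Microsoft.Intune_ManagedDevices_ViewReports",
        "Microsoft.Intune_EndpointAnalytics_Read",
        "Microsoft.Intune_MobileApps_Read",
        "Microsoft.Intune_MobileApps_ViewReports",
    },
}

# Action suffixes that should always be reviewed when they appear in a role.
DESTRUCTIVE_SUFFIXES = ("_Wipe", "_Delete", "_CleanPC")


def actions_from_export(role_definition):
    """Flatten every allowedResourceActions entry of a Graph roleDefinition."""
    found = set()
    for perm in role_definition.get("rolePermissions", []):
        for resource_action in perm.get("resourceActions", []):
            found.update(resource_action.get("allowedResourceActions", []))
    return found


def audit_role(role_definition):
    """Compare one exported role with its documented permission set."""
    name = role_definition["displayName"]
    actual = actions_from_export(role_definition)
    expected = DOCUMENTED.get(name)
    if expected is None:  # a custom role nobody documented is itself a finding
        return {"role": name, "status": "undocumented", "actions": sorted(actual)}
    extra = sorted(actual - expected)          # granted but not documented
    missing = sorted(expected - actual)        # documented but not granted
    destructive = sorted(a for a in actual if a.endswith(DESTRUCTIVE_SUFFIXES))
    status = "ok" if not extra and not missing else "drift"
    return {"role": name, "status": status, "extra": extra,
            "missing": missing, "destructive": destructive}


def audit_export(export):
    """Audit every custom role in a roleDefinitions collection response."""
    return [audit_role(r) for r in export["value"] if not r.get("isBuiltIn", False)]


# Constructed sample export: the read-only role has quietly gained a Delete right.
SAMPLE_EXPORT = {
    "value": [
        {"@odata.type": "#microsoft.graph.roleDefinition", "isBuiltIn": False,
         "displayName": "TAMU Device Wipe and Autopilot Reset",
         "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
             "Microsoft.Intune_RemoteTasks_CleanPC",
             "Microsoft.Intune_RemoteTasks_SyncDevice",
             "Microsoft.Intune_RemoteTasks_Wipe"]}]}]},
        {"@odata.type": "#microsoft.graph.roleDefinition", "isBuiltIn": False,
         "displayName": "TAMU Read-Only Operator",
         "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
             "Microsoft.Intune_DeviceCompliancePolices_Read",
             "Microsoft.Intune_DeviceCompliancePolices_ViewReports",
             "Microsoft.Intune_DeviceConfigurations_Read",
             "Microsoft.Intune_DeviceConfigurations_ViewReports",
             "Microsoft.Intune_ManagedDevices_Read",
             "Microsoft.Intune_ManagedDevices_ViewReports",
             "Microsoft.Intune_ManagedDevices_Delete",
             "Microsoft.Intune_EndpointAnalytics_Read",
             "Microsoft.Intune_MobileApps_Read",
             "Microsoft.Intune_MobileApps_ViewReports"]}]}]},
    ]
}

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(json.dumps(finding))
```

Point it at a saved Graph response instead of SAMPLE_EXPORT and run it on a schedule; any "drift" or "undocumented" line is a change request that never went through this document.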

Custom Role Definitions

TAMU Android Administrator

Provides full lifecycle management of Android Enterprise, FOTA updates, and Managed Google Play integration.

This role grants comprehensive permissions for administering Android devices and applications within Intune, including onboarding, app synchronization, enrollment profile updates, firmware-over-the-air (FOTA) management, and Managed Google Play integration.

Permissions

Intune
  • Android Enterprise
    • Update onboarding: Manage onboarding settings for Android Enterprise.
    • Update app sync: Trigger synchronization of Android Enterprise apps.
    • Read: View Android Enterprise settings and configurations.
    • Update enrollment profiles: Modify enrollment profiles for Android Enterprise.
  • Android FOTA
    • Delete: Remove FOTA updates.
    • Assign: Assign FOTA updates to devices or groups.
    • Create: Add new FOTA update configurations.
    • Read: View FOTA update details.
    • Update: Modify existing FOTA update configurations.
  • Managed Google Play
    • Read: View Managed Google Play settings and app details.
    • Modify: Make changes to Managed Google Play app configurations.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Android Enterprise Administration: Manage onboarding, app synchronization, and enrollment profiles.
  • FOTA Management: Control Android firmware updates, ensuring devices remain current and secure.
  • Managed Google Play Integration: Oversee app publishing and configuration through Google Play.

Real-World Examples

  • Updating Enrollment Profiles: Modify Android Enterprise profiles to match new enrollment requirements.
  • Managing FOTA Updates: Assign the latest firmware updates to university-owned Android devices.
  • Publishing Managed Apps: Configure or update Managed Google Play apps for faculty, staff, or student use.

TAMU Application Administrator

Handles the creation and deletion of applications.

Focused on the creation, deletion, and management of applications within the platform, ensuring that applications are properly deployed and maintained.

Permissions

Intune
  • Mobile Apps
    • Create: Add new applications.
    • Delete: Remove applications from the environment.
    • Assign: Allocate applications to user groups or devices.
    • Update: Apply changes to application settings.
    • Read: View application properties.
  • Android Enterprise
    • Create: Add new Android applications.
    • Delete: Remove Android applications.
    • Assign: Allocate Android applications to user groups or devices.
    • Update app sync: Sync app updates from the Android Enterprise platform.
    • Read: View Android Enterprise configurations and settings.
Entra ID
  • Example
MECM
  • Application deployment and management permissions
  • Package creation and management permissions

Areas of Impact

  • Application Management: Manage the lifecycle of applications from creation to deletion.

Real-World Examples

  • Deploying a New Application: Add a new learning app for students and assign it to their devices.
  • Removing Outdated Applications: Delete old applications that are no longer used.

TAMU Application Operator

Manages and assigns applications.

Handles the management and assignment of applications within the platform, ensuring that applications are deployed and maintained properly.

Permissions

Intune
  • Mobile Apps
    • Assign: Allocate applications to user groups or devices.
    • Update: Apply changes to application settings.
    • Read: View application properties.
    • View reports: Access reports on app usage and performance.
  • Android Enterprise
    • Edit: Modify Android application settings.
    • Update app sync: Sync app updates from the Android Enterprise platform.
    • Read: View Android Enterprise configurations and settings.
Entra ID
  • Example
MECM
  • Application deployment permissions

Areas of Impact

  • Application Management: Manage and assign applications.

Real-World Examples

  • Assigning Applications: Allocate applications to specific user groups or devices.
  • Viewing Application Details: Check the properties and status of applications deployed to devices.

TAMU Autopilot Administrator

Handles the modification, creation, and deletion of Autopilot devices, deployment profiles, and enrollment status pages.

This role grants full Autopilot administration, from creating Autopilot profiles and enrollment status pages to managing the devices registered in Autopilot.

Permissions

Intune
  • Audit Data
    • Read: View Autopilot-related logs and properties.
  • Enrollment Programs
    • Read profile: View Autopilot profiles and enrollment status pages.
    • Delete device: Delete Autopilot devices.
    • Create device: Register new Autopilot devices.
    • Sync device: Force Intune to sync devices between Entra ID, Intune, and Autopilot.
    • Assign profile: Assign groups to Autopilot profiles and enrollment status pages.
    • Delete profile: Delete Autopilot profiles or enrollment status pages.
    • Update profile: Update profile settings and assignments.
    • Create profile: Create Autopilot profiles and enrollment status pages.
    • Read device: View registered Autopilot devices.
  • Organization
    • Read: View organizational settings relevant to enrollment.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Autopilot Administration: Full lifecycle management of Autopilot devices, profiles, and enrollment configurations.

Real-World Examples

  • Creating Autopilot Profiles: Develop new enrollment status pages and assign them to specific device groups.
  • Managing Devices: Delete or reassign devices that were incorrectly registered.
  • Updating Enrollment Policies: Modify existing profiles to align with updated enrollment requirements.

TAMU Autopilot Device Administrator

Manages Autopilot device objects including creation, deletion, syncing, and assignment of profiles.

This role provides administrative control over Autopilot devices while not extending to full profile lifecycle management. It ensures proper enrollment, synchronization, and profile assignment for devices registered in Autopilot.

Permissions

Intune
  • Audit Data
    • Read: View Autopilot-related logs and device properties.
  • Enrollment Programs
    • Read profile: View Autopilot profiles and enrollment status pages.
    • Delete device: Remove devices from Autopilot.
    • Create device: Register new devices in Autopilot.
    • Sync device: Force device sync across Intune, Entra ID, and Autopilot.
    • Assign profile: Assign Autopilot profiles to devices.
    • Update profile: Update device-to-profile assignments.
    • Read device: View registered Autopilot devices.
  • Organization
    • Read: View organization-level enrollment information.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Device Administration: Manage Autopilot device registration, syncing, and assignments.
  • Enrollment Assurance: Ensure devices are correctly registered and aligned with the intended Autopilot profiles.

Real-World Examples

  • Registering Devices: Add new university-owned laptops into Autopilot for deployment.
  • Syncing Devices: Force a sync to update Autopilot device information across Intune and Entra ID.
  • Assigning Profiles: Assign or update profiles to ensure devices are provisioned with the correct configuration.

TAMU Device Wipe and Autopilot Reset

Allows for the wipe, reset, and reconfiguration of a device in Intune.

This role is focused on secure device lifecycle operations, granting the ability to perform wipes, Autopilot resets, and synchronization tasks to ensure devices are properly re-provisioned or decommissioned.

Permissions

Intune
  • Remote Tasks
    • Clean PC: Initiate a Fresh Start on a Windows PC. Removes pre-installed OEM applications while keeping user data and settings, then updates to the latest version of Windows.
    • Sync devices: Trigger synchronization to ensure the device receives the latest policies and configurations.
    • Wipe: Perform a full wipe (factory reset) of the device, removing all apps, settings, and user data.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Device Lifecycle Management: Handle secure device resets and wipe actions.
  • Autopilot Reset Operations: Prepare devices for reuse or re-enrollment.
  • Policy Enforcement: Ensure devices are fully reset and receive fresh configurations.

Real-World Examples

  • Resetting Devices for Reassignment: Wipe and reset laptops for new student or staff assignments.
  • Enforcing Security Compliance: Perform a wipe on a compromised device to prevent data loss.
  • Preparing Devices for Autopilot: Reset devices so they re-enroll automatically with the correct Autopilot profile.

TAMU Endpoint Administrator

A senior administrator role for Intune that allows full device and policy management.

This role grants comprehensive administrative rights across Intune, including compliance, configuration, application management, security, analytics, and reporting. It is intended for senior administrators who require full lifecycle control of managed devices and policies.

Permissions

Intune
  • Android Enterprise
    • Read: View Android Enterprise configurations and settings.
  • Audit Data
    • Read: Access audit logs and activity data for Intune actions.
  • Chrome Enterprise
    • Read: View Chrome Enterprise configurations.
    • Update connection settings: Modify Chrome Enterprise connection details.
  • Cloud Attached Devices
    • View collections: Access device collections synced from ConfigMgr.
    • View timeline: Inspect device event history.
    • View resource explorer: Access hardware and software inventory details.
    • View scripts: View scripts deployed to devices.
    • View software updates: See available software updates for devices.
    • Run script: Execute scripts on devices.
    • Run CMPivot query: Run CMPivot queries against ConfigMgr-attached devices.
    • View client details: Access client agent details.
    • Take application actions: Install or uninstall apps via ConfigMgr.
    • View applications: View available apps for devices.
    • Enroll Now: Trigger immediate enrollment actions.
  • Corporate Device Identifiers
    • Read / Create / Update / Delete: Manage corporate device identifiers for Autopilot and compliance.
  • Customization
    • Read: View Intune branding and customization settings.
  • Derived Credentials
    • Read: Access derived credential provider configurations.
  • Device Compliance Policies
    • Read / Create / Update / Delete: Full lifecycle management of compliance policies.
    • Assign: Apply compliance policies to users or devices.
    • View reports: Generate compliance status reports.
  • Device Configurations
    • Read / Create / Update / Delete: Full lifecycle management of configuration profiles.
    • Assign: Apply profiles to users or devices.
    • View reports: Generate reports on profile deployment and status.
  • Device Enrollment Managers
    • Read: View enrollment manager accounts and assignments.
  • Endpoint Analytics
    • Read / Create / Update / Delete: Manage Endpoint Analytics configuration and reports.
  • Endpoint Protection Reports
    • Read: View endpoint protection-related reporting.
  • Filters
    • Read / Create / Update: Manage filters used for dynamic targeting in assignments.
  • Intune Data Warehouse
    • Read: Access data warehouse for reporting and analytics.
  • Managed Apps
    • Read: View app protection and managed app policies.
  • Managed Devices
    • Read / Update / Delete: Full management of devices in Intune.
    • Set primary user: Reassign the primary user for a device.
    • Read BIOS password: Retrieve BIOS/UEFI password (if managed).
    • Query: Send live queries to devices.
    • View reports: Access managed device reports.
  • Microsoft Defender ATP
    • Read: View Microsoft Defender ATP integration and telemetry.
  • Microsoft Store for Business
    • Read / Modify: Manage Microsoft Store for Business integration and apps.
  • Mobile Apps
    • Read / Relate / Assign: Manage apps, relationships, and assignments.
    • View reports: Access app performance and deployment reports.
  • Organization
    • Read: View organization-level Intune and tenant settings.
  • Policy Sets
    • Read / Assign: View and assign policy sets to users or devices.
  • Quiet Time Policies
    • Read / Create / Update / Delete: Manage quiet time (Do Not Disturb) policies.
    • Assign: Assign policies to users or devices.
    • View reports: Access quiet time compliance and activity reports.
  • Remote Tasks
    • Set device name: Remotely rename a managed device.
  • Security Baselines
    • Read / Create / Update / Delete: Full lifecycle management of security baselines.
    • Assign: Apply baselines to users or devices.
  • Security Tasks
    • Read: View active and historical security tasks from Defender and Intune.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Device Lifecycle Management: Create, update, assign, and enforce device policies and configurations.
  • Compliance and Security: Define and manage compliance rules, security baselines, and endpoint protection.
  • Application Management: Assign, update, and relate applications across user and device groups.
  • Analytics and Reporting: Generate comprehensive reports across devices, apps, and security posture.

Real-World Examples

  • Defining Security Baselines: Apply baseline security standards across all managed Windows devices.
  • Managing Configurations: Deploy Wi-Fi, VPN, and endpoint protection profiles to student and staff laptops.
  • Running Queries: Use CMPivot queries to quickly gather live data from hybrid-attached devices.
  • Reassigning Devices: Reset the primary user of a device when reissued to another staff member.

TAMU Endpoint Operator

A role concept for Intune that provides read-only visibility across Intune together with the ability to assign existing policies and applications and to generate reports.

This role is designed for operators who need oversight of endpoint management with limited write actions. Operators can assign existing policies or apps and access detailed reports, but cannot create or delete most objects.

Permissions

Intune
  • Android Enterprise
    • Read: View Android Enterprise configurations and settings.
  • Audit Data
    • Read: Access audit logs and activity data.
  • Corporate Device Identifiers
    • Read: View identifiers used for device enrollment and compliance.
  • Device Compliance Policies
    • Read: View compliance policy definitions.
    • Assign: Assign compliance policies to users or devices.
    • View reports: Generate and access compliance reports.
  • Device Configurations
    • Read: View configuration profiles.
    • Assign: Assign configuration profiles to devices or users.
    • View reports: Access deployment and configuration status reports.
  • Endpoint Analytics
    • Read: Access analytics data for device performance and health.
  • Endpoint Protection Reports
    • Read: View reports related to endpoint security posture.
  • Filters
    • Read: View existing assignment filters.
    • Create / Update: Build or modify filters for assignment targeting.
  • Intune Data Warehouse
    • Read: Access reporting and analytics data from the warehouse.
  • Managed Apps
    • Read: View managed applications.
    • Assign: Assign managed applications to devices or groups.
  • Managed Devices
    • Read: View device inventory and properties.
    • View reports: Generate managed device reports.
  • Microsoft Defender ATP
    • Read: Access Microsoft Defender ATP integration and telemetry.
  • Microsoft Store for Business
    • Read: View store for business settings and apps.
  • Mobile Apps
    • Read: View mobile applications.
    • Assign: Assign mobile apps to groups or devices.
    • Relate: Manage app relationships such as supersedence.
    • View reports: Generate app deployment and performance reports.
  • Organization
    • Read: View organization-level settings.
  • Policy Sets
    • Read: View policy sets.
    • Assign: Assign existing policy sets to groups or devices.
  • Quiet Time Policies
    • Read: View quiet time (Do Not Disturb) policies.
    • Assign: Apply quiet time policies to devices or users.
    • View reports: Generate quiet time compliance and activity reports.
  • Security Baselines
    • Read: View baseline profiles and assignments.
  • Security Tasks
    • Read: View security tasks and recommendations.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Policy Assignment: Assign compliance and configuration profiles without editing or creating new ones.
  • Application Oversight: Assign existing applications and review deployment status.
  • Reporting and Analytics: Generate and review reports on compliance, security, apps, and devices.
  • Read-Only Visibility: Access configurations across Intune without full administrative permissions.

Real-World Examples

  • Assigning Apps: Allocate an existing mobile app to a new group of devices for a department.
  • Monitoring Compliance: Review reports to ensure devices meet university standards.
  • Assigning Policy Sets: Apply a predefined policy set to newly onboarded devices.
  • Viewing Analytics: Check device performance trends through Endpoint Analytics without making configuration changes.

TAMU Policy Administrator

Provides full lifecycle management of device policies and security baselines.

This role is responsible for creating, updating, assigning, and deleting Intune policies that control compliance, configuration, and security baselines. It grants administrators the ability to enforce standards across devices and ensure alignment with university security requirements.

Permissions

Intune
  • Device Compliance Policies
    • Assign: Apply compliance policies to users or devices.
  • Device Configurations
    • Create: Build new device configuration profiles (e.g., Wi-Fi, VPN, endpoint restrictions).
    • Read: View existing configuration profiles.
    • Update: Modify configuration profiles as requirements change.
    • Delete: Remove outdated or unnecessary profiles.
    • Assign: Apply profiles to users or devices.
    • View reports: Generate reports on profile status and deployment results.
  • Security Baselines
    • Create: Develop new security baseline profiles (e.g., Windows security templates).
    • Read: View existing baselines and settings.
    • Update: Modify baseline settings as security standards evolve.
    • Delete: Remove baselines that are no longer applicable.
    • Assign: Apply security baselines to users or devices.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Policy Management: Full control over compliance, configuration, and baseline policies.
  • Security Enforcement: Ability to enforce baseline security requirements across devices.
  • Monitoring: Generate reports to verify policy compliance and success.

Real-World Examples

  • Creating New Baselines: Develop a security baseline for Windows 11 and assign it to all faculty laptops.
  • Updating Configurations: Modify a Wi-Fi configuration profile to update the SSID and certificate settings.
  • Assigning Compliance Policies: Ensure all student devices meet encryption and PIN requirements.
  • Removing Outdated Policies: Delete a legacy VPN configuration no longer in use.

TAMU Read-Only Operator

Provides a read-only view of endpoint configurations and compliance.

This role grants read-only access to endpoint configurations, compliance policies, and reports, allowing for oversight without modifications.

Permissions

Intune
  • Device Compliance Policies
    • Read: View compliance policies.
    • View reports: Access reports on compliance status.
  • Device Configurations
    • Read: View configuration profiles.
    • View reports: Access reports on configuration status.
  • Managed Devices
    • Read: View managed device details.
    • View reports: Access reports on device status and compliance.
  • Endpoint Analytics
    • Read: View analytics and performance data.
  • Mobile Apps
    • Read: View mobile application details.
    • View reports: Access reports on application performance.
Entra ID
  • Example
MECM
  • Global Reader

Areas of Impact

  • Monitoring: Provide oversight of endpoint configurations and compliance.
  • Reporting: Generate detailed reports on device status and compliance.

Real-World Examples

  • Reviewing Compliance Reports: Access and review reports on device compliance.
  • Generating Device Status Reports: Create detailed reports on the status of managed devices.

TAMU Recovery Password Operator

Specializes in recovery operations, managing encryption keys.

A role that handles key recovery operations, including rotating and recovering encryption keys, rotating local administrator passwords, and managing device syncs, all of which are crucial for maintaining device security and data protection.

Permissions

Intune
  • Remote Tasks
    • Rotate Encryption Keys (preview): Rotate encryption recovery keys.
    • Sync devices: Synchronize device statuses.
    • Recover Encryption Key: Retrieve encryption keys.
    • Rotate Local Admin Password: Change local admin passwords.
Entra ID
  • Cloud Device Administrator: Users in this role can enable, disable, and delete devices in Microsoft Entra ID and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.
MECM
  • Example

Areas of Impact

  • Key Management: Handle critical security keys for device recovery and management.
  • Device Sync: Ensure devices are up-to-date and in sync with policies.

Real-World Examples

  • Rotating Encryption Keys: Rotate encryption recovery keys for devices to enhance security after a potential threat.
  • Recovering Encryption Keys: Retrieve encryption keys for a device that needs to be re-enrolled.

TAMU Remote Administrator

A role concept for Intune that allows technicians and administrators to remotely assist customers.

This role grants advanced remote management capabilities, including remote help, diagnostics, remediation, and device control. It is designed for technicians and administrators who provide real-time support to users and manage remote device operations.

Permissions

Intune
  • Remote Help App
    • Elevation: Perform elevated actions within a user session.
    • View screen: View the user’s screen for support and troubleshooting.
    • Unattended control: Access a device without requiring user presence.
    • Take full control: Interact directly with the user’s device for support.
  • Remote Tasks
    • Initiate Configuration Manager action: Trigger ConfigMgr client actions remotely.
    • Shut down: Remotely power off a device.
    • Update device account: Refresh or update device account information.
    • Play sound to locate lost devices: Emit sound to help find lost or misplaced devices.
    • Collect diagnostics: Gather diagnostic logs and performance information.
    • Reboot now: Restart the device immediately.
    • Sync devices: Trigger a device sync to enforce policies and configurations.
    • Enable Windows IntuneAgent: Re-enable the Intune agent on Windows devices.
    • Windows Defender
      • Locate device: Identify the physical location of a device.
      • Run Remediation: Execute remediation actions for detected security issues.
    • Manage shared device users: Add or remove users on multi-user shared devices.
    • Offer remote assistance: Provide real-time remote support to end users.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Remote Assistance: Enable direct, real-time support for faculty, staff, and students.
  • Device Management: Perform remote tasks such as shutdown, reboot, diagnostics, and remediation.
  • Security Response: Use Windows Defender and remediation tasks to address threats remotely.

Real-World Examples

  • Providing Remote Help: A technician connects to a faculty member’s laptop to troubleshoot login issues.
  • Collecting Diagnostics: Gather logs from a student device to investigate performance problems.
  • Running Remediation: Use Defender integration to remediate malware or suspicious activity.
  • Managing Shared Devices: Update user sessions on shared classroom or lab computers.

TAMU Remote Operator

Facilitates remote assistance and manages various remote tasks.

Tailored for remote support, this role enables technicians and administrators to provide remote assistance, manage remote tasks like device reboots or diagnostics collection, and oversee Windows Defender operations, ensuring timely support and security interventions.

Permissions

Intune
  • Remote Help App
    • Elevation: Perform elevation tasks.
    • View screen: Access to view the user's screen.
    • Take full control: Gain full control for assistance.
  • Remote Tasks
    • Initiate Configuration Manager action: Start actions via the Configuration Manager.
    • Shut down: Shut down devices remotely.
    • Update device account: Update account information on devices.
    • Play sound to locate lost devices: Activate sound on lost devices.
    • Collect diagnostics: Gather device diagnostics.
    • Reboot now: Remotely reboot devices.
    • Sync devices: Synchronize device statuses.
    • Enable Windows IntuneAgent: Enable the Intune agent on Windows devices.
    • Windows Defender
      • Locate device: Locate lost or stolen devices.
      • Run Remediation: Initiate remediation actions.
    • Manage shared device users: Handle user sessions on shared devices.
    • Offer remote assistance: Provide remote assistance to users.
Entra ID
  • Example
MECM
  • Example

Areas of Impact

  • Remote Assistance: Provide real-time remote support and troubleshooting.
  • Device Management: Perform remote tasks like rebooting devices and collecting diagnostics.

Real-World Examples

  • Providing Remote Assistance: Help a faculty member troubleshoot and resolve an issue on their laptop by taking full control of the device.
  • Collecting Diagnostics: Remotely collect diagnostics from a faculty, staff or lab device to investigate performance issues.

Reference & FAQs

Glossary

  • RBAC (Role-Based Access Control) – A security model that restricts system access based on the roles of individual users within an enterprise.
  • Least Privilege – The security principle of granting only the minimum permissions necessary for a user or system to perform its intended function.

This guide was collaboratively developed by a human subject matter expert and an AI assistant to ensure it is both comprehensive and easy to understand.