Permissions for preconfigured roles
The following tables list the permissions that are turned on by default for each preconfigured role in BlackBerry UEM. The Security Administrator role in BlackBerry UEM has full permissions to the management console, including creating and managing roles and administrators.
Roles and administrators
By default, the Security Administrator role in BlackBerry UEM includes permissions to create and manage roles and administrators. These permissions are not available in the management console and cannot be turned on for any other role.
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View roles | √ | NA | NA | NA |
Create and edit roles | √ | NA | NA | NA |
Delete roles | √ | NA | NA | NA |
Rank roles | √ | NA | NA | NA |
Create administrators | √ | NA | NA | NA |
Delete administrators | √ | NA | NA | NA |
Edit non-administrative attributes of administrators | √ | NA | NA | NA |
Change password for other administrators | √ | NA | NA | NA |
Change role membership for administrators | √ | NA | NA | NA |
Directory access
You can specify the company directories that the administrator can search.
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
All company directories | √ | √ | √ | √ |
Selected company directories only |
Group management
You can specify the groups that the administrator can manage. To manage users that do not belong to a group, administrators must have permission to manage all groups and users.
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
All groups and users | √ | √ | √ | √ |
Selected groups |
Users and devices
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View users and activated devices | √ | √ | √ | √ |
Create users | √ | √ | √ | |
Edit users | √ | √ | √ | √ |
Assign user roles | √ | √ | √ | √ |
Delete users | √ | √ | √ | |
Export user list | √ | √ | ||
Generate an activation password and send email | √ | √ | √ | √ |
Generate activation passwords and send activation email messages to multiple users | √ | √ | √ | |
Specify an activation password | √ | √ | √ | √ |
Specify multiple activation passwords with unique activation profiles for a user | √ | √ | ||
Specify whether activation passwords expire after first device is activated | √ | √ | ||
View user activation QR codes and access keys | √ | √ | ||
Specify account password | √ | √ | √ | √ |
Change multiple account passwords | √ | √ | √ | |
Set BlackBerry 2FA preauthentication | √ | √ | ||
Manage devices | √ | √ | √ | √ |
Enable work space | √ | √ | √ | √ |
Disable work space | √ | √ | √ | √ |
Lock work space | √ | √ | √ | √ |
Reset work space password | √ | √ | √ | √ |
Specify device password | √ | √ | √ | √ |
Lock device and set message | √ | √ | √ | √ |
Unlock device and clear password | √ | √ | √ | √ |
Delete only work data | √ | √ | √ | √ |
Delete only work data from multiple devices | √ | |||
Delete all device data | √ | √ | √ | √ |
Delete all device data from multiple devices | √ | |||
Delete device | √ | √ | ||
Delete multiple devices | √ | |||
Specify work password and lock | √ | √ | √ | √ |
Get device logs | √ | √ | √ | |
Enable Activation Lock | √ | √ | √ | √ |
Disable Activation Lock | √ | √ | √ | √ |
Lost Mode | √ | √ | √ | √ |
Turn on Lost Mode | √ | √ | √ | √ |
Turn off Lost Mode | √ | √ | √ | √ |
Locate device | √ | √ | √ | √ |
Check in device | √ | √ | √ | |
Restart device | √ | √ | √ | √ |
Update iOS software | √ | √ | √ | √ |
Update iOS software on multiple devices | √ | |||
Turn off device | √ | √ | √ | √ |
View device location details | √ | √ | √ | |
View device location history | √ | √ | ||
View Exchange gatekeeping information | √ | √ | ||
View Apple DEP device information | √ | √ | √ | √ |
Assign enrollment configurations | √ | √ | ||
View One-time Password tokens | √ | √ | √ | √ |
Assign One-time Password tokens | √ | √ | ||
Send email to users | √ | √ | √ | |
View Activation Lock bypass history | √ | √ | √ | |
Manage BlackBerry Dynamics apps | √ | √ | √ | √ |
Lock app | √ | √ | √ | |
Unlock app | √ | √ | √ | √ |
Delete app data | √ | √ | √ | √ |
Control logging for app | √ | √ | √ | |
Manage Intune apps | √ | √ | √ |
Dedicated device
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View shared device group settings | √ | √ | ||
Create and edit shared device groups | √ | √ | ||
Delete shared device groups | √ | √ | ||
View public device group settings | √ | √ | ||
Create and edit public device groups | √ | √ | ||
Delete public device groups | √ | √ |
Groups
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View group settings | √ | √ | √ | √ |
Create and edit user groups | √ | √ | √ | |
Assign user roles | √ | √ | √ | |
Add and remove users from user groups | √ | √ | √ | |
Delete user groups | √ | √ | ||
Create and edit device groups | √ | √ | √ | |
Delete device groups | √ | √ |
Policies and profiles
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View IT policies | √ | √ | √ | √ |
Create and edit IT policies | √ | √ | ||
Delete IT policies | √ | √ | ||
View email profiles | √ | √ | √ | √ |
Create and edit email profiles | √ | √ | ||
Delete email profiles | √ | √ | ||
View IMAP/POP3 email profiles | √ | √ | √ | √ |
Create and edit IMAP/POP3 email profiles | √ | √ | ||
Delete IMAP/POP3 email profiles | √ | √ | ||
View enterprise connectivity profiles | √ | √ | √ | √ |
Create and edit enterprise connectivity profiles | √ | √ | ||
Delete enterprise connectivity profiles | √ | √ | ||
View device SR requirements profiles | √ | √ | √ | √ |
Create and edit device SR requirements profiles | √ | √ | ||
Delete device SR requirements profiles | √ | √ | ||
View activation profiles | √ | √ | √ | √ |
Create and edit activation profiles | √ | √ | ||
Delete activation profiles | √ | √ | ||
View Wi-Fi profiles | √ | √ | √ | √ |
Create and edit Wi-Fi profiles | √ | √ | ||
Delete Wi-Fi profiles | √ | √ | ||
View VPN profiles | √ | √ | √ | √ |
Create and edit VPN profiles | √ | √ | ||
Delete VPN profiles | √ | √ | ||
View compliance profiles | √ | √ | √ | √ |
Create and edit compliance profiles | √ | √ | ||
Delete compliance profiles | √ | √ | ||
View device profiles | √ | √ | √ | √ |
Create and edit device profiles | √ | |||
Delete device profiles | √ | √ | ||
View proxy profiles | √ | √ | √ | √ |
Create and edit proxy profiles | √ | √ | ||
Delete proxy profiles | √ | √ | ||
View web content filter profiles | √ | √ | √ | √ |
Create and edit web content filter profiles | √ | √ | ||
Delete web content filter profiles | √ | √ | ||
View FileVault profiles | √ | √ | √ | √ |
Create and edit FileVault profiles | √ | √ | ||
Delete FileVault profiles | √ | √ | ||
View location service profiles | √ | √ | √ | √ |
Create and edit location service profiles | √ | √ | ||
Delete location service profiles | √ | √ | ||
View app lock mode profiles | √ | √ | √ | √ |
Create and edit app lock mode profiles | √ | √ | ||
Delete app lock mode profiles | √ | √ | ||
View single sign-on profiles | √ | √ | √ | √ |
Create and edit single sign-on profiles | √ | √ | ||
Delete single sign-on profiles | √ | √ | ||
View CA certificate profiles | √ | √ | √ | √ |
Create and edit CA certificate profiles | √ | √ | ||
Delete CA certificate profiles | √ | √ | ||
View shared certificate profiles | √ | √ | √ | √ |
Create and edit shared certificate profiles | √ | √ | ||
Delete shared certificate profiles | √ | √ | ||
View SCEP profiles | √ | √ | √ | √ |
Create and edit SCEP profiles | √ | √ | ||
Delete SCEP profiles | √ | √ | ||
View OCSP profiles | √ | √ | √ | √ |
Create and edit OCSP profiles | √ | √ | ||
Delete OCSP profiles | √ | √ | ||
View certificate retrieval profiles | √ | √ | √ | √ |
Create and edit certificate retrieval profiles | √ | √ | ||
Delete certificate retrieval profiles | √ | √ | ||
View CRL profiles | √ | √ | √ | √ |
Create and edit CRL profiles | √ | √ | ||
Delete CRL profiles | √ | √ | ||
View managed domains profiles | √ | √ | √ | √ |
Create and edit managed domains profiles | √ | √ | ||
Delete managed domains profiles | √ | √ | ||
View user credential profiles | √ | √ | √ | √ |
Create and edit user credential profiles | √ | √ | ||
Delete user credential profiles | √ | √ | ||
View custom payload profiles | √ | √ | √ | √ |
Create and edit custom payload profiles | √ | √ | ||
Delete custom payload profiles | √ | √ | ||
Assign IT policies and profiles to users | √ | √ | √ | √ |
Assign IT policies and profiles to user groups | √ | √ | √ | √ |
Assign IT policies and profiles to device groups | √ | √ | √ | √ |
Assign IT policies and profiles to shared device groups | √ | √ | ||
Assign IT policies and profiles to public device groups | √ | √ | ||
Rank IT policies and profiles | √ | √ | ||
View CardDAV profiles | √ | √ | √ | √ |
Create and edit CardDAV profiles | √ | √ | ||
Delete CardDAV profiles | √ | √ | ||
View CalDAV profiles | √ | √ | √ | √ |
Create and edit CalDAV profiles | √ | √ | ||
Delete CalDAV profiles | √ | √ | ||
View AirPrint profiles | √ | √ | √ | √ |
Create and edit AirPrint profiles | √ | √ | ||
Delete AirPrint profiles | √ | √ | ||
View network usage profiles | √ | √ | √ | √ |
Create and edit network usage profiles | √ | √ | ||
Delete network usage profiles | √ | √ | ||
View AirPlay profiles | √ | √ | √ | √ |
Create and edit AirPlay profiles | √ | √ | ||
Delete AirPlay profiles | √ | √ | ||
View Enterprise Management Agent profiles | √ | √ | √ | √ |
Create and edit Enterprise Management Agent profiles | √ | √ | ||
Delete Enterprise Management Agent profiles | √ | √ | ||
View BlackBerry Dynamics compliance profiles | √ | √ | √ | √ |
Delete BlackBerry Dynamics compliance profiles | √ | √ | ||
View BlackBerry Dynamics profiles | √ | √ | √ | √ |
Create and edit BlackBerry Dynamics profiles | √ | √ | ||
Delete BlackBerry Dynamics profiles | √ | √ | ||
View BlackBerry Dynamics connectivity profiles | √ | √ | √ | √ |
Create and edit BlackBerry Dynamics connectivity profiles | √ | √ | ||
Delete BlackBerry Dynamics connectivity profiles | √ | √ | ||
View do not disturb profiles | √ | √ | √ | √ |
Create and edit do not disturb profiles | √ | √ | ||
Delete do not disturb profiles | √ | √ | ||
View BlackBerry 2FA profiles | √ | √ | √ | √ |
Create and edit BlackBerry 2FA profiles | √ | √ | ||
Delete BlackBerry 2FA profiles | √ | √ | ||
View Windows Information Protection profiles | √ | √ | √ | √ |
Create and edit Windows Information Protection profiles | √ | √ | ||
Delete Windows Information Protection profiles | √ | √ | ||
View per-app notification profiles | √ | √ | √ | √ |
Create and edit per-app notification profiles | √ | √ | ||
Delete per-app notification profiles | √ | √ | ||
View gatekeeping profiles | √ | √ | √ | √ |
Create and edit gatekeeping profiles | √ | √ | ||
Delete gatekeeping profiles | √ | √ | ||
View Microsoft Intune app protection profiles | √ | √ | √ | √ |
Create and edit Microsoft Intune app protection profiles | √ | √ | ||
Delete Microsoft Intune app protection profiles | √ | √ | ||
View home screen layout profiles | √ | √ | √ | √ |
Create and edit home screen layout profiles | √ | √ | ||
Delete home screen layout profiles | √ | √ | ||
View Enterprise Identity authentication policy | √ | √ | ||
Create and edit Enterprise Identity authentication policy | √ | √ | ||
Delete Enterprise Identity authentication policy | √ | √ | ||
Assign Enterprise Identity authentication policy to users and groups | √ | √ |
Apps
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View apps and app groups | √ | √ | √ | √ |
Create and edit apps and app groups | √ | √ | ||
Delete apps and app groups | √ | √ | ||
Export app data | √ | √ | √ | √ |
Assign apps and app groups to users | √ | √ | √ | √ |
Assign apps and app groups to user groups | √ | √ | √ | √ |
Assign apps and app groups to device groups | √ | √ | √ | √ |
Assign apps and app groups to shared device groups | √ | √ | ||
Assign apps and app groups to public device groups | √ | √ | ||
Edit app rating and review settings | √ | √ | ||
Delete app ratings and reviews | √ | √ | √ | √ |
View app installation ranking | √ | √ | √ | √ |
Edit app installation ranking | √ | √ | ||
View app licenses | √ | √ | √ | √ |
Create app licenses | √ | √ | ||
Edit app licenses | √ | √ | ||
Delete app licenses | √ | √ | ||
Assign app licenses to apps or app groups | √ | √ | √ | √ |
Restricted apps
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View restricted apps | √ | √ | √ | √ |
Create restricted apps | √ | √ | ||
Delete restricted apps | √ | √ |
Personal apps
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View personal apps | √ | √ |
Settings
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View general settings | √ | √ | √ | √ |
Edit activation defaults | √ | √ | ||
Create and edit email templates | √ | √ | ||
Delete email templates | √ | √ | ||
Edit console settings | √ | √ | ||
Edit language for automated emails | √ | √ | ||
Edit self-service console settings | √ | √ | ||
Create work space backup and restore settings 1 | √ | √ | ||
Delete work space backup and restore settings 1 | √ | √ | ||
Edit default variables 1 | √ | √ | ||
Edit login notices 1 | √ | √ | ||
Edit custom variables | √ | √ | ||
Edit organization notices | √ | √ | ||
Edit email domains | √ | √ | ||
Edit location service settings | √ | √ | ||
Edit customize console settings | √ | √ | ||
Edit delete command expiration settings | √ | √ | ||
Edit attestation settings | √ | √ | ||
Edit certificate settings | √ | √ | ||
Create and edit event notifications | √ | √ | ||
Delete event notifications | √ | √ | ||
Edit device support messages | √ | √ | ||
Edit certificate-based authentication settings 1 | √ | |||
Edit public web service access settings | √ | |||
View app management | √ | √ | √ | √ |
Edit BlackBerry World for Work | √ | √ | ||
Edit internal app storage 1 | √ | √ | ||
Edit Work Apps for iOS | √ | √ | ||
Edit Windows 10 apps | √ | √ | ||
Edit default app rating and review settings | √ | √ | ||
View external integration settings | √ | √ | √ | √ |
Edit Apple Push Notification settings | √ | √ | ||
Edit SMTP server settings 1 | √ | √ | ||
Edit Apple DEP settings | √ | √ | ||
Edit BlackBerry 2FA server settings | √ | √ | ||
Edit BlackBerry Connectivity Node settings 2 | √ | √ | ||
View One-Time Password tokens | √ | √ | √ | √ |
Create and edit One-Time Password tokens | √ | √ | ||
Edit company directory settings | √ | √ | ||
Edit Microsoft Intune settings | √ | √ | ||
Edit Microsoft Exchange gatekeeping settings | √ | √ | ||
Edit Android work profile settings | √ | √ | ||
Edit certification authority settings | √ | √ | ||
Edit Samsung Knox bulk enrollment settings | √ | √ | ||
View trusted certificates | √ | √ | ||
Add trusted certificates | √ | √ | ||
Delete trusted certificates | √ | √ | ||
View BlackBerry Connectivity Node servers | √ | √ | ||
Create and edit BlackBerry Connectivity Node servers | √ | √ | ||
Delete BlackBerry Connectivity Node servers | √ | √ | ||
View BlackBerry Secure Gateway settings | √ | √ | ||
Edit BlackBerry Secure Gateway settings | √ | √ | ||
View administrator users and roles | √ | √ | √ | √ |
View licensing summary | √ | √ | √ | √ |
Edit licensing settings | √ | √ | ||
View migration settings | √ | √ | ||
Edit migration settings | √ | √ | ||
View infrastructure settings | √ | √ | √ | |
Edit logging settings 1 | √ | √ | ||
Edit server-side proxy settings 1 | √ | √ | ||
View servers 1 | √ | √ | ||
Edit servers 1 | √ | √ | ||
Delete servers 1 | √ | √ | ||
Manage servers 1 | √ | √ | ||
View audit settings 1 | √ | √ | ||
Edit audit settings and purge data 1 | √ | √ | ||
View BlackBerry Secure Connect Plus settings 1 | √ | √ | ||
Edit BlackBerry Secure Connect Plus settings 1 | √ | √ | ||
View server certificates 1 | √ | √ | ||
Update server certificates 1 | √ | √ | ||
View BlackBerry Control settings | √ | √ | √ | √ |
Edit BlackBerry Control settings | √ | √ | ||
View BlackBerry Dynamics NOC proxy server settings 1 | √ | √ | √ | √ |
Edit BlackBerry Dynamics NOC proxy server settings 1 | √ | √ | √ | √ |
Edit SNMP settings 1 | √ | √ | ||
Import IT policy pack and device metadata 1 | √ | |||
View collaboration service settings 1 | √ | √ | √ | √ |
Edit collaboration service settings 1 | √ | √ | ||
View BlackBerry Dynamics settings | √ | √ | √ | √ |
View BlackBerry Dynamics app services | √ | √ | ||
Edit BlackBerry Dynamics app services | √ | |||
Create BlackBerry Dynamics app services | √ | |||
Delete BlackBerry Dynamics app services | √ | |||
View BlackBerry Dynamics server properties 1 | √ | √ | ||
Edit BlackBerry Dynamics server properties 1 | √ | |||
View BlackBerry Dynamics Direct Connect settings | √ | √ | ||
Edit BlackBerry Dynamics Direct Connect settings | √ | |||
View BlackBerry Dynamics server cluster settings 1 | √ | √ | ||
Edit BlackBerry Dynamics server cluster settings 1 | √ | |||
View BlackBerry Dynamics reporting | √ | √ | √ | |
View BlackBerry Dynamics communication settings 1 | √ | √ | √ | |
Edit BlackBerry Dynamics communication settings 1 | √ | |||
View BEMS Mail settings 2 | √ | √ | ||
Edit BEMS Mail settings 2 | √ | |||
View BEMS Docs settings 2 | √ | √ | ||
Edit BEMS Docs settings 2 | √ | |||
View Enterprise Identity settings | √ | √ | ||
View Enterprise Identity Enterprise settings | √ | √ | ||
Edit Enterprise Identity Enterprise settings | √ | √ | ||
View Enterprise Identity service settings | √ | √ | ||
Edit Enterprise Identity service settings | √ | √ |
1 On-premises environments only
2 Cloud environments only
Dashboard
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View dashboard | √ | √ | √ | √ |
Auditing
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
View system audit logs 1 | √ | √ | ||
View device performance logs 1 | √ | √ |
1 On-premises environments only
Workspaces
Permission | Security Administrator | Enterprise Administrator | Senior HelpDesk | Junior HelpDesk |
---|---|---|---|---|
Organization administrator | √ | |||
Helpdesk administrator | √ | |||
Audit helpdesk administrator | √ |
BlackBerry OS permissions
If you upgrade from BES5, the following additional permissions are available in on-premises environments:
- View BlackBerry OS IT policies
- Create and edit BlackBerry OS IT policies
- Delete BlackBerry OS IT policies
- View jobs
- Edit jobs
- View default distribution settings for jobs
- Edit default distribution settings for jobs
- Manage job tasks
- Change status of job tasks
If you upgrade from BES5, the roles configuration in BES5 is copied to BlackBerry UEM. Roles that are copied may have similar names but different permissions. You should review the permissions for each role to determine if you need to turn on or turn off any permissions.