Permissions for preconfigured administrator roles

BlackBerry UEM includes four preconfigured roles for administrators. The Security Administrator role has full permissions, including creating and managing roles and administrators. You cannot edit or delete this role. At least one administrator must be assigned the Security Administrator role. The Enterprise Administrator role (all permissions except for creating and managing roles and administrators), the Senior HelpDesk role (permissions to perform intermediate administrative tasks), and the Junior HelpDesk role (permissions to perform basic administrative tasks) can be edited or deleted. The following tables list the permissions that are turned on by default for each preconfigured role.
Some permissions are supported only in custom roles.

Roles and administrators

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View roles
NA
NA
NA
Create and edit roles
NA
NA
NA
Delete roles
NA
NA
NA
Rank roles
NA
NA
NA
Create administrators
NA
NA
NA
Delete administrators
NA
NA
NA
Edit non-administrative attributes of administrators
NA
NA
NA
Change password for other administrators
NA
NA
NA
Change role membership for administrators
NA
NA
NA

Directory access

You can specify the company directories that the administrator can search.
Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
All company directories
Selected company directories only

Group management

You can specify the groups that the administrator can manage. To manage users that do not belong to a group, administrators must have permission to manage all groups and users.
Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
All groups and users
Selected groups

Users and devices

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View users and activated devices
Create users
Create local users
Edit users
Assign user roles
Delete users
Export user list
Generate an activation password and send email
Generate activation passwords and send activation email messages to multiple users
Specify an activation password
Specify multiple activation passwords with unique activation profiles for a user
Specify whether activation passwords expire after first device is activated
View user activation QR codes and access keys
Specify account password
Change multiple account passwords
Set BlackBerry 2FA preauthentication
Manage devices
Enable work space
Disable work space
Lock work space
Reset work space password
Specify device password
Lock device and set message
Unlock device and clear password
Delete only work data
Delete only work data from multiple devices
Delete all device data
Delete all device data from multiple devices
Delete device
Delete multiple devices
Specify work password and lock
Get device logs
Enable Activation Lock
Disable Activation Lock
Lost Mode
Turn on Lost Mode
Turn off Lost Mode
Locate device
Check in device
Restart device
Update iOS software
Update iOS software on multiple devices
Turn off device
View device location details
View device location history
View Exchange gatekeeping information
View Apple DEP device information
Assign enrollment configurations
View One-time Password tokens
Assign One-time Password tokens
Send email to users
View Activation Lock bypass history
Manage BlackBerry Dynamics apps
Lock app
Unlock app
Delete app data
Control logging for app
Manage Intune apps

Dedicated device

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View shared device group settings
Create and edit shared device groups
Delete shared device groups
View public device group settings
Create and edit public device groups
Delete public device groups

Groups

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View group settings
Create and edit user groups
Assign user roles
Add and remove users from user groups
Delete user groups
Create and edit device groups
Delete device groups

Policies and profiles

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View IT policies
Create and edit IT policies
Delete IT policies
View email profiles
Create and edit email profiles
Delete email profiles
View IMAP/POP3 email profiles
Create and edit IMAP/POP3 email profiles
Delete IMAP/POP3 email profiles
View enterprise connectivity profiles
Create and edit enterprise connectivity profiles
Delete enterprise connectivity profiles
View device SR requirements profiles
Create and edit device SR requirements profiles
Delete device SR requirements profiles
View activation profiles
Create and edit activation profiles
Delete activation profiles
View Wi-Fi profiles
Create and edit Wi-Fi profiles
Delete Wi-Fi profiles
View VPN profiles
Create and edit VPN profiles
Delete VPN profiles
View compliance profiles
Create and edit compliance profiles
Delete compliance profiles
View device profiles
Create and edit device profiles
Delete device profiles
View proxy profiles
Create and edit proxy profiles
Delete proxy profiles
View web content filter profiles
Create and edit web content filter profiles
Delete web content filter profiles
View FileVault profiles
Create and edit FileVault profiles
Delete FileVault profiles
View location service profiles
Create and edit location service profiles
Delete location service profiles
View app lock mode profiles
Create and edit app lock mode profiles
Delete app lock mode profiles
View single sign-on profiles
Create and edit single sign-on profiles
Delete single sign-on profiles
View CA certificate profiles
Create and edit CA certificate profiles
Delete CA certificate profiles
View shared certificate profiles
Create and edit shared certificate profiles
Delete shared certificate profiles
View SCEP profiles
Create and edit SCEP profiles
Delete SCEP profiles
View OCSP profiles
Create and edit OCSP profiles
Delete OCSP profiles
View certificate retrieval profiles
Create and edit certificate retrieval profiles
Delete certificate retrieval profiles
View CRL profiles
Create and edit CRL profiles
Delete CRL profiles
View managed domains profiles
Create and edit managed domains profiles
Delete managed domains profiles
View user credential profiles
Create and edit user credential profiles
Delete user credential profiles
View custom payload profiles
Create and edit custom payload profiles
Delete custom payload profiles
Assign IT policies and profiles to users
Assign IT policies and profiles to user groups
Assign IT policies and profiles to device groups
Assign IT policies and profiles to shared device groups
Assign IT policies and profiles to public device groups
Rank IT policies and profiles
View CardDAV profiles
Create and edit CardDAV profiles
Delete CardDAV profiles
View CalDAV profiles
Create and edit CalDAV profiles
Delete CalDAV profiles
View AirPrint profiles
Create and edit AirPrint profiles
Delete AirPrint profiles
View network usage profiles
Create and edit network usage profiles
Delete network usage profiles
View AirPlay profiles
Create and edit AirPlay profiles
Delete AirPlay profiles
View Enterprise Management Agent profiles
Create and edit Enterprise Management Agent profiles
Delete Enterprise Management Agent profiles
View BlackBerry Dynamics compliance profiles
Delete BlackBerry Dynamics compliance profiles
View BlackBerry Dynamics profiles
Create and edit BlackBerry Dynamics profiles
Delete BlackBerry Dynamics profiles
View BlackBerry Dynamics connectivity profiles
Create and edit BlackBerry Dynamics connectivity profiles
Delete BlackBerry Dynamics connectivity profiles
View do not disturb profiles
Create and edit do not disturb profiles
Delete do not disturb profiles
View BlackBerry 2FA profiles
Create and edit BlackBerry 2FA profiles
Delete BlackBerry 2FA profiles
View Windows Information Protection profiles
Create and edit Windows Information Protection profiles
Delete Windows Information Protection profiles
View per-app notification profiles
Create and edit per-app notification profiles
Delete per-app notification profiles
View gatekeeping profiles
Create and edit gatekeeping profiles
Delete gatekeeping profiles
View Microsoft Intune app protection profiles
Create and edit Microsoft Intune app protection profiles
Delete Microsoft Intune app protection profiles
View home screen layout profiles
Create and edit home screen layout profiles
Delete home screen layout profiles
View Enterprise Identity authentication policy
Create and edit Enterprise Identity authentication policy
Delete Enterprise Identity authentication policy
Assign Enterprise Identity authentication policy to users and groups

Apps

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View apps and app groups
Create and edit apps and app groups
Delete apps and app groups
Export app data
Assign apps and app groups to users
Assign apps and app groups to user groups
Assign apps and app groups to device groups
Assign apps and app groups to shared device groups
Assign apps and app groups to public device groups
Edit app rating and review settings
Delete app ratings and reviews
View app installation ranking
Edit app installation ranking
View app licenses
Create app licenses
Edit app licenses
Delete app licenses
Assign app licenses to apps or app groups

Restricted apps

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View restricted apps
Create restricted apps
Delete restricted apps

Personal apps

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View personal apps

Settings

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View general settings
Edit activation defaults
Create and edit email templates
Delete email templates
Edit console settings
Edit language for automated emails
Edit self-service console settings
Create work space backup and restore settings¹
Delete work space backup and restore settings¹
Edit default variables¹
Edit login notices¹
Edit custom variables
Edit organization notices
Edit email domains
Edit location service settings
Edit customize console settings
Edit delete command expiration settings
Edit attestation settings
Edit certificate settings
Create and edit event notifications
Delete event notifications
Edit device support messages
Edit certificate-based authentication settings¹
Edit public web service access settings
View app management
Edit BlackBerry World for Work
Edit internal app storage¹
Edit Work Apps for iOS
Edit Windows 10 apps
Edit default app rating and review settings
View external integration settings
Edit Apple Push Notification settings
Edit SMTP server settings¹
Edit Apple DEP settings
Edit BlackBerry 2FA server settings
Edit BlackBerry Connectivity Node settings²
View One-Time Password tokens
Create and edit One-Time Password tokens
Edit company directory settings
Edit Microsoft Intune settings
Edit Microsoft Exchange gatekeeping settings
Edit Android work profile settings
Edit certification authority settings
Edit Samsung Knox bulk enrollment settings
View trusted certificates
Add trusted certificates
Delete trusted certificates
View BlackBerry Connectivity Node servers
Create and edit BlackBerry Connectivity Node servers
Delete BlackBerry Connectivity Node servers
View BlackBerry Secure Gateway settings
Edit BlackBerry Secure Gateway settings
View administrator users and roles
View licensing summary
Edit licensing settings
View migration settings
Edit migration settings
View infrastructure settings
Edit logging settings¹
Edit server-side proxy settings¹
View servers¹
Edit servers¹
Delete servers¹
Manage servers¹
View audit settings¹
Edit audit settings and purge data¹
View BlackBerry Secure Connect Plus settings¹
Edit BlackBerry Secure Connect Plus settings¹
View server certificates¹
Update server certificates¹
View BlackBerry Control settings
Edit BlackBerry Control settings
View BlackBerry Dynamics NOC proxy server settings¹
Edit BlackBerry Dynamics NOC proxy server settings¹
Edit SNMP settings¹
Import IT policy pack and device metadata¹
View collaboration service settings¹
Edit collaboration service settings¹
View BlackBerry Dynamics settings
View BlackBerry Dynamics app services
Edit BlackBerry Dynamics app services
Create BlackBerry Dynamics app services
Delete BlackBerry Dynamics app services
View BlackBerry Dynamics server properties¹
Edit BlackBerry Dynamics server properties¹
View BlackBerry Dynamics Direct Connect settings
Edit BlackBerry Dynamics Direct Connect settings
View BlackBerry Dynamics server cluster settings¹
Edit BlackBerry Dynamics server cluster settings¹
View BlackBerry Dynamics reporting
View BlackBerry Dynamics communication settings¹
Edit BlackBerry Dynamics communication settings¹
View BEMS Mail settings²
Edit BEMS Mail settings²
View BEMS Docs settings²
Edit BEMS Docs settings²
View Enterprise Identity settings
View Enterprise Identity Enterprise settings
Edit Enterprise Identity Enterprise settings
View Enterprise Identity service settings
Edit Enterprise Identity service settings

¹ On-premises environments only
² Cloud environments only

Dashboard

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View dashboard

Auditing

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
View system audit logs¹
View device performance logs¹

¹ On-premises environments only

Workspaces

Permission
Security Administrator
Enterprise Administrator
Senior HelpDesk
Junior HelpDesk
Organization administrator
Helpdesk administrator
Audit helpdesk administrator