| Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.
a. MD user: able to log on to the application store and request approved applications
b. Server primary administrator: primary administrator for the server, including server installation, configuration, patching, and setting up admin accounts
c. Security configuration administrator: has the ability to define new policies but not to push them to managed mobile devices
d. Device user group administrator: has the ability to set up new user accounts, add devices, push security policies, and issue administrative commands to managed mobile devices or MDM agents
e. Auditor: has the ability to set audit configuration parameters and delete or modify the content of logs
SFR ID: FMT_SMR.1.1(1) Refinement |