Intune – Permissions for iOS and Android Devices

I was going to include this in part 3 of my Intune RBAC guide, but it’s a lot of stuff, so I’m making a separate post for it. With that said, here are the permissions you will want to set for a normal, run of the mill iOS and Android device manager in Intune. This permission set has no Windows device permissions, so you will need to add those if you want a management role for all devices. Each section of this post is associated with a permission group in the Role Permissions blade. If it’s not here, leave it. Be aware: These permission settings grant complete control to devices that fall under their scope. This is for a level 2 technician that is meant to do everything he can with a phone in an environment. Here we go:

Android for Work

Android for work perms

Corporate Device Identifiers

corporate device identifiers

Device Compliance Policies

Intune Perms

NOTE: this particular permission group has the same settings in a few additional areas. Those are; Mobile Apps, Security Baselines, and Terms and Conditions

Enrollment Programs

intune enrollment programs

Managed Devices

intune managed devices

Remote Assistance

intune remote assistance

Remote Tasks

This is the big one. Be careful when assigning these permissions because it’s easy to grant too much permission, and if you do that you can end up with some big big messes.
intune remote tasks 1intune remote tasks 2


Once you have the permissions set, you should have 36 permissions assigned. The role itself will look like this before you hit create or accept:

That’s All Folks!

With those permissions set on your role, you will have a great role set up for your iOS and Android device admins to work with.


Leave a Reply