I was going to include this in part 3 of my Intune RBAC guide, but it’s a lot of stuff, so I’m making a separate post for it. With that said, here are the permissions you will want to set for a normal, run-of-the-mill iOS and Android device manager in Intune. This permission set has no Windows device permissions, so you will need to add those if you want a management role that covers all devices. Each section of this post corresponds to a permission group in the Role Permissions blade. If a permission group is not listed here, leave it alone. Be aware: these permission settings grant complete control over the devices that fall within the role’s scope. This is meant for a level 2 technician who is expected to do everything that can be done with a phone in the environment. Here we go:
Android for Work
Corporate Device Identifiers
Device Compliance Policies
NOTE: this particular permission group gets the same settings in a few additional groups. Those are: Mobile Apps, Security Baselines, and Terms and Conditions.
Enrollment Programs
Managed Devices
Remote Assistance
Remote Tasks
This is the big one. Be careful when assigning these permissions, because it’s easy to grant too much, and if you do, you can end up with some very big messes.
Results
Once you have the permissions set, you should have 36 permissions assigned. The role itself will look like this before you hit create or accept:
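A quick way to double-check a custom role against the groups in this post is to audit the role definition as Microsoft Graph returns it (the rolePermissions / resourceActions / allowedResourceActions shape). This is an added example, not from the original post or from Microsoft; it assumes Graph resource actions follow the Microsoft.Intune_<Group>_<Op> naming pattern, the group spellings in EXPECTED_GROUPS are taken from this post’s headings and should be confirmed against your tenant, and SAMPLE_ROLE is a constructed role with one placeholder action to show what gets flagged.

```python
"""Audit an Intune custom role (Graph roleDefinition shape) against this post's permission groups."""
from collections import Counter

# Assumption: Graph resource actions are named Microsoft.Intune_<Group>_<Op>.
# Group segments are taken from the post's headings; confirm exact spellings
# against GET /deviceManagement/resourceOperations in your own tenant.
EXPECTED_GROUPS = {
    "AndroidForWork", "CorporateDeviceIdentifiers", "DeviceCompliancePolicies",
    "MobileApps", "SecurityBaselines", "TermsAndConditions",
    "EnrollmentPrograms", "ManagedDevices", "RemoteAssistance", "RemoteTasks",
}
EXPECTED_TOTAL = 36  # the post's count for the finished role

def group_of(action: str) -> str:
    """Return the <Group> segment of Microsoft.Intune_<Group>_<Op>."""
    parts = action.split("_")
    if len(parts) < 3 or parts[0] != "Microsoft.Intune":
        raise ValueError(f"unexpected action format: {action}")
    return parts[1]

def audit_role(role: dict) -> dict:
    """Tally allowed actions per group and flag any outside the expected
    groups, which is the easy way to over-grant that the post warns about."""
    allowed = [a for rp in role.get("rolePermissions", [])
               for ra in rp.get("resourceActions", [])
               for a in ra.get("allowedResourceActions", [])]
    return {
        "total": len(allowed),
        "per_group": dict(Counter(group_of(a) for a in allowed)),
        "out_of_scope": sorted(a for a in allowed
                               if group_of(a) not in EXPECTED_GROUPS),
        "count_matches_post": len(allowed) == EXPECTED_TOTAL,
    }

# Constructed sample, not exported from a real tenant: four phone-scoped actions
# plus one placeholder action (not a real Intune action) to show the flagging.
SAMPLE_ROLE = {
    "displayName": "iOS and Android Device Manager",
    "rolePermissions": [{"resourceActions": [{
        "allowedResourceActions": [
            "Microsoft.Intune_ManagedDevices_Read",
            "Microsoft.Intune_ManagedDevices_Update",
            "Microsoft.Intune_RemoteTasks_Wipe",
            "Microsoft.Intune_RemoteTasks_RemoteLock",
            "Microsoft.Intune_PlaceholderWindowsGroup_Read",
        ],
        "notAllowedResourceActions": [],
    }]}],
}
```

Feed it the JSON of your real role from GET /deviceManagement/roleDefinitions/{id} and a correct role should report total 36, count_matches_post true, and an empty out_of_scope list.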
That’s All Folks!
With those permissions set on your role, you will have a great role set up for your iOS and Android device admins to work with.