Management and Security powered by Landesk
Adding Endpoint Manager console users
Endpoint Manager users can log in to the console and perform specific tasks for specific devices on the network. The user that is logged in to the server during Endpoint Manager installation is automatically placed into the Windows Ivanti Administrators user group, which gives them full administrator permissions. This individual is responsible for adding additional groups of users to the console and assigning permissions and scopes. Once other administrators have been created, they can perform the same administrative tasks.
Endpoint Manager setup creates several local Windows groups on the core server. These groups control file system permissions to the Endpoint Manager and Security program folders on the core server. You must manually add console users to one of these local Windows groups:
- LANDESK Management Suite: This group allows basic core access. The Endpoint Manager folders are read-only. Users in this group can't write to the scripts directory, so they won't be able to manage scripts. Patching vulnerabilities and OS provisioning won't work correctly for users in this group because both those features use scripts.
- LANDESK Administrators: This is the failsafe group for console access. Anyone in this group has full rights in the console, including script writing. By default, the user account that installed Endpoint Manager is added to this group. If you don't have many console users or you don't want to limit the console users that you do have, you can bypass role-based administration entirely and just add users to this group.
When adding full administrators to the console, you can either add them to the core server's local LANDESK Administrators group or you can add them to a different group that has the LANDESK "Administrator" right. The only difference is that users in the Windows LANDESK Administrators group can't be deleted from the console until they are removed from the LANDESK Administrators group.
The Users tool's Users and groups tree shows the list of authorized console users. You can see the last time a console user logged in, their group, role, scope, remote control time restriction status, and team. You can also use this tree to see if users are in the LANDESK local Windows groups. Users won't be able to log in until you've added them to one of the LANDESK groups described in this section.
Users are stored in the database by unique security IDs (SIDs). If a user's active directory account name changes, for example if they got married, their SID should remain the same and their Endpoint Manager permissions will still apply.
IMPORTANT: Additional consoles and the core server must be members of the same domain or workgroup. Console users won't be able to authenticate with a core server that is in a different domain or workgroup.
Was this article useful?
The topic was:
Not what I expected
Copyright © 2017, Ivanti. All rights reserved.