2. Configuration

The following pages provide guidance on the initial setup and how administration and granular role assignment are achieved.

End User Scopes

An End User Scope is a collection of users that allows EndpointOps to assign granular permissions by segregating different user pools. It is best practice to match End User Scopes with the support organization setup of your company.

Required Permissions

End User Scopes are created and managed by EndpointOps Administrators.

Types of End User Scopes

EndpointOps supports different types of End User Scopes to support a wide range of setups.

Type: User group membership

A simple way to set up End User Scopes is to rely on an account's membership in an AAD Group, Administrative Unit (AU), or Global Azure Role. When selecting multiple AAD Groups/AUs, membership in any one of the selected AAD Groups/AUs assigns the user to the respective End User Scope.

  1. Type the name of an AAD Group, Administrative Unit, or Global Azure Role.

  2. Select an entry from the list.

  3. Selected objects will appear on the right side. Undo the selection with the Remove button.

Type: User/Admin matching attribute

This option is recommended for setting up country-, site-, or division-based End User Scopes.

Instead of manually creating an AAD Group, a single "User/Admin matching attribute" End User Scope can be created. Such an End User Scope configured with "Country" dynamically assigns the End User Scope to a user if the Helpdesk supporter's country property matches the end user's country property. Supported properties are Department, Country, State, City, and Postal code.

The Azure Active Directory Account properties are used for this assignment:

On EndpointOps: Helpdesk > Search for a user > AAD Account Information:

On the Azure Portal:

Type: Device Attribute

This option is recommended for assigning an End User Scope to user-less devices.

When selecting this type, a Query editor will appear.

  1. Select one of the device attributes you want to test against. All Intune device attributes are available from the ManagedDevice object, and all Azure device attributes from the AzureDevice object. Review the examples for additional guidance. Note the URL at the end of the list for all available attributes.
  2. Select the desired Comparison Operator to complete your query. Note that you can make your query case insensitive by adding an * character after the operator (e.g. attribute == 'sOmE vAlUe').
  3. You can combine multiple verifications with a logical operator.
  4. Double-check or complete your query.
  5. Verify the validity of your query or review the errors that appear.

Once the query is valid, you can proceed with the Next button.

Type: User Attribute

Special use cases may require you to create a user attribute query. When selecting this type, a Query editor will appear.

  1. Select one of the user attributes you want to test against. Review the examples for additional guidance. Note the URL at the end of the list for all available attributes.
  2. Select the desired Comparison Operator to complete your query. Note that you can make your query case insensitive by adding an * character after the operator (e.g. attribute == 'sOmE vAlUe').
  3. You can combine multiple verifications with a logical operator.
  4. Double-check or complete your query.
  5. Verify the validity of your query or review the errors that appear.

Once the query is valid, you can proceed with the Next button.

End User Scope Properties

The second step of any type of End User Scope allows you to set its properties.

  1. The name of the End User Scope is visible to Helpdesk operators when searching for a user or device. Choose a unique and self-explanatory name.
  2. Users and devices might be members of multiple End User Scopes. If the Priority of one of a user's or device's End User Scopes is elevated, the user will only be part of the End User Scopes with the highest priority. Following this logic you can achieve exclusions for special cases. Imagine an End User Scope called "Default" matching all users with a priority of 0, and a second End User Scope called "VIP users" for a subset of users with a priority of 1 or higher. If a user is associated with the End User Scope "VIP users", they will no longer be a member of the "Default" End User Scope due to the elevated priority of the "VIP users" End User Scope. Depending on your use case, this allows you to assign different sets of permissions to the Admin Scopes (this could be more permissions, fewer permissions, or specific access granted to another Admin Scope).
  3. Enabled End User Scopes will be used in EndpointOps, whereas Disabled End User Scopes are omitted.
  4. Proceed with the Next button to Save your End User Scope.
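The priority rule described above, as an added example that is not part of the EndpointOps documentation or product: a small Python model that resolves a user's effective End User Scopes from group-membership and matching-attribute scopes, keeping only the highest priority among the matches and skipping disabled scopes. The scope names, group ids and accounts are constructed for the example.

```python
# Added example (not EndpointOps code): model of End User Scope resolution when a
# user matches several scopes with different priorities. All sample data is constructed.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Account:
    upn: str
    groups: set = field(default_factory=set)        # AAD group object ids
    attributes: dict = field(default_factory=dict)  # e.g. {"Country": "DE"}

@dataclass
class EndUserScope:
    name: str
    priority: int
    enabled: bool
    matches: Callable[[Account, Account], bool]  # (end_user, helpdesk_operator) -> bool

def group_scope(name, priority, group_ids, enabled=True):
    """User group membership type: membership in ANY listed group assigns the scope."""
    ids = set(group_ids)
    return EndUserScope(name, priority, enabled, lambda user, _op: bool(user.groups & ids))

def matching_attribute_scope(name, priority, attribute, enabled=True):
    """User/Admin matching attribute type: operator's attribute must equal the user's."""
    def match(user, op):
        value = user.attributes.get(attribute)
        return value is not None and value == op.attributes.get(attribute)
    return EndUserScope(name, priority, enabled, match)

def effective_scopes(user, operator, scopes):
    """Names of the enabled scopes the user ends up in: only the highest priority
    among all matching scopes survives; lower-priority matches are dropped."""
    hits = [s for s in scopes if s.enabled and s.matches(user, operator)]
    if not hits:
        return []
    top = max(s.priority for s in hits)
    return sorted(s.name for s in hits if s.priority == top)

# Constructed scopes: catch-all "Default" at priority 0, two priority-1 scopes,
# and a disabled scope that must be ignored even though its priority is highest.
SCOPES = [
    EndUserScope("Default", 0, True, lambda _u, _o: True),
    group_scope("VIP users", 1, {"grp-vip"}),
    matching_attribute_scope("Same country", 1, "Country"),
    group_scope("Legacy site", 5, {"grp-legacy"}, enabled=False),
]
OPERATOR_DE = Account("helpdesk.de@example.com", attributes={"Country": "DE"})
ALICE = Account("alice@example.com", groups={"grp-vip", "grp-legacy"}, attributes={"Country": "DE"})
BOB = Account("bob@example.com", attributes={"Country": "DE"})
```

For ALICE seen by OPERATOR_DE the result is ['Same country', 'VIP users']; the "Default" scope is dropped because both matches outrank it, and the disabled "Legacy site" scope is never considered.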

Edit or delete End User Scopes

End User Scopes can be updated or deleted at any point. Simply use the Edit or Delete button on the respective End User Scope.

Admin Scopes

An Admin Scope is a collection of administrators and allows granular permission assignment by segregating different user and admin pools. It is best practice to match Admin Scopes with the support organization in your company.

Required Permissions

Admin Scopes are created and managed by EndpointOps Administrators.

Admin Scope Creation

Admin Scopes follow a similar principle to End User Scopes, but they only support User group membership assignments.

To create a new Admin Scope:

  1. Click on Create new Admin Scope.
  2. Type the name of an AAD Group, Administrative Unit, or Global Azure Role. Membership in one of the selected groups is sufficient to become associated with the Admin Scope.
  3. Select an entry from the list.
  4. Selected objects will appear on the right side. Undo the selection with the Remove button.
  5. Use the Next button to proceed with the second step.

  1. The name of the Admin Scope is visible to Helpdesk operators in the My Access view.
  2. Enabled Admin Scopes will be used in EndpointOps, whereas Disabled Admin Scopes are omitted.
  3. Proceed with the Next button to Save your Admin Scope.

Edit or delete Admin Scopes

Admin Scopes can be updated or deleted at any point. Simply use the Edit or Delete button on the respective Admin Scope.

Role Assignment

Once End User Scopes and Admin Scopes are configured, you can use these entities to assign permissions and allow Admins to perform activities against users.

Required Permissions

Role Assignments are created and managed by EndpointOps Administrators.

App role assignments

App roles allow Administrators and Helpdesk operators to access areas within EndpointOps. Granting User & Device Permissions to Helpdesk operators has no effect if they do not also hold the role that grants access to the Helpdesk area.

  1. Use the Edit button to switch into the editing view.

Click on the slider to assign or un-assign the permission. The vertical axis lists all configured Admin Scopes; the horizontal axis lists all App Roles.

  1. A red slider means that the permission is un-assigned.

  2. A green slider means that the permission is assigned.

  3. A slider is also considered un-assigned/unset if the slider is centered.

Click on Save Changes to persist your modifications.

User & Device Permissions

User & Device Permissions follow the same principle as the App roles but provide additional granularity.

  1. Switch to the User & Device Permissions tab.
  2. Select the Admin Scope whose permission assignment you want to view or edit.
  3. Use the Edit button to switch to the editing view.
  4. A green slider means that the permission is assigned.

  5. A red slider means that the permission is un-assigned.

  6. A slider is also considered un-assigned/unset if the slider is centered.

  7. Device actions have an additional Custom setting that allows for additional granularity. The base setting assigns or un-assigns the device action for "(any device)". Selecting Custom enables 3 extra rows. There, you can assign/un-assign the permission based on the device's operating system (e.g. allow retirement of iOS devices but prohibit retirement of Android devices) for a given Admin Scope and End User Scope.
  8. When using the Custom setting in a granular row (like "MacOS, Any Configuration"), you can assign permissions even more granularly based on the device's configuration. The three options are Supervised, corporate-owned devices, and personal-owned devices.
  9. Use the Save Changes button to persist your modifications.