2. Configuration

The following pages provide guidance on the initial setup and on how administration and granular role assignment are achieved.

End User Scopes

An End User Scope is a collection of users that lets EndpointOps assign granular permissions by segregating different user pools. It is best practice to match End User Scopes to the support organization of your company. For example:

- If a single helpdesk team supports all employees, consider creating a single End User Scope targeting an AAD group that contains all users.
- If your company supports employees based on their location or division, consider creating one End User Scope per location or division.

Required Permissions

End User Scopes are created and managed by EndpointOps Administrators.

Types of End User Scopes

EndpointOps supports several types of End User Scopes to cover a wide range of setups.

Type: User group membership

The simplest way to set up an End User Scope is to rely on an account's membership in an AAD group, Administrative Unit (AU), or Global Azure Role. When several AAD groups/AUs are selected, membership in any one of them assigns the user to the respective End User Scope.

1. Type the name of an AAD group, Administrative Unit, or Global Azure Role.
2. Select an entry from the list. Selected objects appear on the right-hand side; undo a selection with the Remove button.

Type: User/Admin matching attribute

This option is recommended for country-, site-, or division-based End User Scopes. Instead of manually creating an AAD group per location, a single "User/Admin matching attribute" End User Scope can be created. Such an End User Scope configured with "Country" dynamically assigns the scope to a user whenever the Helpdesk supporter's Country property matches the end user's Country property. Supported properties are Department, Country, State, City, and Postal code.

Because membership is evaluated dynamically from these properties on both accounts, anyone who can edit them in Azure AD effectively controls which users a supporter can act on; treat these attributes as security-relevant and keep them accurate.
The Azure Active Directory account properties are used for this assignment. They can be reviewed in two places:

- In EndpointOps: Helpdesk > search for a user > AAD Account Information.
- In the Azure Portal, on the user's profile.

Type: Device Attribute

This option is recommended to assign an End User Scope to user-less devices. When this type is selected, a query editor appears.

1. Select one of the device attributes you want to test against. All Intune device attributes are available from the ManagedDevice object and all Azure device attributes from the AzureDevice object. Review the examples for additional guidance, and note the URL at the end of the list, which documents all available attributes.
2. Select the desired comparison operator to complete your query. The comparison can be made case insensitive by adding an * character directly after the operator (e.g. attribute == 'sOmE vAlUe' matches regardless of case once the * is appended to the operator).
3. Multiple verifications can be combined with a logical operator.
4. Double-check or complete your query.
5. Verify the validity of your query or review the errors that appear. Once the query is valid, proceed with the Next button.

Type: User Attribute

Special use cases may require a user attribute query. When this type is selected, the same query editor appears and works exactly as described for Device Attribute scopes: select a user attribute (the URL at the end of the list documents all available attributes), choose a comparison operator (append * for a case-insensitive match), combine several verifications with a logical operator, then validate the query or review the errors that appear. Once the query is valid, proceed with the Next button.

End User Scope Properties

The second step of any End User Scope type lets you set its properties. The name of the End User Scope is visible to Helpdesk operators when searching for a user or device.
Choose a unique and self-explanatory name.

Users and devices may be members of multiple End User Scopes. The Priority resolves this: a user or device is only a member of the matching End User Scopes with the highest priority. Following this logic you can model exclusions for special cases. Imagine an End User Scope "Default" that matches all users with priority 0, and a second End User Scope "VIP users" for a subset of users with priority 1 or higher. A user matched by "VIP users" is no longer a member of "Default", because "VIP users" has the higher priority. Depending on your use case, this lets you grant a different set of permissions to the Admin Scopes that serve each End User Scope (more permissions, fewer permissions, or access for a different Admin Scope altogether). Note the consequence for least privilege: since a VIP user drops out of "Default", an Admin Scope whose permissions are bound only to "Default" can no longer act on that user at all.

Enabled End User Scopes are used by EndpointOps; Disabled End User Scopes are omitted. Proceed with the Next button to save your End User Scope.

Edit or delete End User Scopes

End User Scopes can be updated or deleted at any time. Simply use the Edit or Delete button on the respective End User Scope.

Admin Scopes

An Admin Scope is a collection of administrators and allows granular permission assignment by segregating different user and admin pools. It is best practice to match Admin Scopes to the support organization in your company:

- If your company has a global or unified support team, consider creating a helpdesk Admin Scope with non-invasive support permissions and a separate Admin Scope with higher privileges.
- If your company has support teams based on location or division, consider creating, per team, an Admin Scope with non-invasive support permissions and another Admin Scope with higher privileges.

Keeping the everyday helpdesk scope separate from the privileged one keeps day-to-day operator accounts at the lowest privilege they need; the higher-privileged scope should be backed by a small, deliberately managed group.

Required Permissions

Admin Scopes are created and managed by EndpointOps Administrators.
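The membership rules described above for End User Scopes (group membership, the User/Admin matching attribute, the Enabled flag and the highest-priority rule) and for Admin Scopes (group membership only) are easy to get wrong when reasoning about who can act on whom. The following is an added illustration of those rules in Python; it is not EndpointOps code. The data model (Account, EndUserScope, the admin-scope dictionaries) and all group, account and scope names are assumptions constructed for the example.

```python
"""Model of the scope-membership rules for End User Scopes and Admin Scopes.

Added illustration, not EndpointOps code. The Account/EndUserScope model and
the sample groups, accounts and scope names below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# AAD account properties the "User/Admin matching attribute" type supports.
MATCHING_ATTRIBUTES = {"Department", "Country", "State", "City", "Postal code"}


@dataclass(frozen=True)
class Account:
    upn: str
    groups: FrozenSet[str]                          # AAD groups / AUs / roles
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class EndUserScope:
    name: str
    priority: int = 0
    enabled: bool = True
    groups: FrozenSet[str] = frozenset()            # type "User group membership"
    matching_attribute: Optional[str] = None        # type "User/Admin matching attribute"

    def matches(self, user: Account, supporter: Account) -> bool:
        # Group type: membership in any one selected group/AU/role is enough.
        if self.groups and not self.groups.isdisjoint(user.groups):
            return True
        # Matching-attribute type: the supporter's property must equal the
        # end user's. A missing or empty property on either side never matches.
        if self.matching_attribute in MATCHING_ATTRIBUTES:
            u = user.attributes.get(self.matching_attribute)
            s = supporter.attributes.get(self.matching_attribute)
            return bool(u) and u == s
        return False


def effective_end_user_scopes(user: Account, supporter: Account,
                              scopes: List[EndUserScope]) -> List[str]:
    """Scopes the user is a member of, from this supporter's point of view.

    Disabled scopes are omitted; of the remaining matches only those sharing
    the highest priority survive (the "VIP users" vs "Default" exclusion rule).
    """
    matched = [s for s in scopes if s.enabled and s.matches(user, supporter)]
    if not matched:
        return []
    top = max(s.priority for s in matched)
    return sorted(s.name for s in matched if s.priority == top)


def effective_admin_scopes(admin: Account,
                           admin_scopes: Dict[str, dict]) -> List[str]:
    """Admin Scopes support group membership only; any one group suffices."""
    return sorted(name for name, cfg in admin_scopes.items()
                  if cfg["enabled"] and not cfg["groups"].isdisjoint(admin.groups))


# Constructed sample data (assumed group, account and scope names).
SCOPES = [
    EndUserScope("Default", priority=0, groups=frozenset({"All Users"})),
    EndUserScope("VIP users", priority=1, groups=frozenset({"VIP"})),
    EndUserScope("Same country", priority=0, matching_attribute="Country"),
    EndUserScope("Legacy", priority=5, enabled=False, groups=frozenset({"All Users"})),
]
ADMIN_SCOPES = {
    "Helpdesk L1": {"enabled": True, "groups": frozenset({"SG-Helpdesk"})},
    "Tier 2": {"enabled": True, "groups": frozenset({"SG-Tier2", "Intune Administrator"})},
}
SUPPORTER = Account("h.desk@example.com", frozenset({"SG-Helpdesk"}), {"Country": "DE"})
EMPLOYEE = Account("a.user@example.com", frozenset({"All Users"}), {"Country": "DE"})
REMOTE = Account("r.user@example.com", frozenset({"All Users"}), {"Country": "US"})
VIP = Account("c.level@example.com", frozenset({"All Users", "VIP"}), {"Country": "DE"})
NO_COUNTRY = Account("n.attr@example.com", frozenset(), {})

if __name__ == "__main__":
    for acct in (EMPLOYEE, REMOTE, VIP, NO_COUNTRY):
        print(acct.upn, effective_end_user_scopes(acct, SUPPORTER, SCOPES))
    print(SUPPORTER.upn, effective_admin_scopes(SUPPORTER, ADMIN_SCOPES))
```

Running the block shows the three behaviours worth checking in a real tenant: the VIP account is reported only in "VIP users" even though it also matches "Default", the disabled "Legacy" scope never appears despite its priority of 5, and the matching-attribute scope only fires when both accounts carry the same non-empty Country value.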
Admin Scope Creation

Admin Scopes follow the same principle as End User Scopes, but they only support the User group membership type. To create a new Admin Scope:

1. Click Create new Admin Scope.
2. Type the name of an AAD group, Administrative Unit, or Global Azure Role. Membership in any one of the selected groups is sufficient to be associated with the Admin Scope.
3. Select an entry from the list. Selected objects appear on the right-hand side; undo a selection with the Remove button.
4. Use the Next button to proceed to the second step. The name of the Admin Scope is visible to Helpdesk operators under My Access. Enabled Admin Scopes are used by EndpointOps; Disabled Admin Scopes are omitted.
5. Proceed with the Next button to save your Admin Scope.

Edit or delete Admin Scopes

Admin Scopes can be updated or deleted at any time. Simply use the Edit or Delete button on the respective Admin Scope.

Role Assignment

Once End User Scopes and Admin Scopes are configured, you use these entities to assign permissions, i.e. to allow the Admins in an Admin Scope to perform activities against the users and devices of an End User Scope.

Required Permissions

Role Assignments are created and managed by EndpointOps Administrators.

App role assignments

App roles control which areas of EndpointOps Administrators and Helpdesk operators can access. They act as a gate in front of the finer-grained permissions: granting User & Device Permissions to Helpdesk operators has no effect if they do not hold the role that gives access to the Helpdesk area.

1. Use the Edit button to switch to the editing view.
2. Click a slider to assign or un-assign the permission. The vertical axis lists all configured Admin Scopes; the horizontal axis lists all App Roles.
   - A green slider means the permission is assigned.
   - A red slider means the permission is un-assigned.
   - A centered slider is also treated as un-assigned/unset.
3. Click Save Changes to persist your modifications.
User & Device Permissions

User & Device Permissions follow the same principle as App roles but provide additional granularity.

1. Switch to the User & Device Permissions tab.
2. Select the Admin Scope whose permission assignment you want to view or edit.
3. Use the Edit button to switch to the editing view. The slider semantics are the same as for App roles: green is assigned, red is un-assigned, and a centered slider is treated as un-assigned/unset.
4. Device actions have an additional Custom setting for finer granularity. The base setting assigns or un-assigns the device action for "(any device)". Selecting Custom enables three extra rows in which the permission is assigned or un-assigned per device operating system for the given Admin Scope and End User Scope (e.g. allow retirement of iOS devices but prohibit retirement of Android devices). Within such a granular row (like "macOS, Any Configuration") the permission can be refined further by device configuration; the three options are Supervised, corporate-owned, and personally owned devices.
5. Use the Save Changes button to persist your modifications.
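The interaction between App roles, the tri-state sliders and the Custom per-OS/per-configuration rows is where misconfigurations hide, so the following added example models the resolution of a single device action in Python. It is an illustration, not EndpointOps code. The page does not state how a Custom row and the "(any device)" base setting are combined; this example assumes that the most specific applicable row decides (OS + configuration, then OS + Any Configuration, then "(any device)") and that an unset (centered) row defers to the next less specific one, ending in deny. The app role name "Helpdesk", the action "Retire" and all scope names are assumptions.

```python
"""Resolution of App Roles and User & Device Permissions for one device action.

Added illustration, not EndpointOps code. The precedence under Custom (most
specific row wins, UNSET defers to the next row) and all names are assumptions.
"""
from enum import Enum
from typing import Dict, Tuple


class Slider(Enum):
    ASSIGNED = "green"       # permission assigned
    UNASSIGNED = "red"       # permission explicitly un-assigned
    UNSET = "centered"       # never touched; treated as un-assigned


ANY = "*"                    # wildcard for "(any device)" / "Any Configuration"
HELPDESK_ROLE = "Helpdesk"   # assumed name of the app role for the Helpdesk area

# App roles: Admin Scope -> app role -> slider state (constructed sample data)
APP_ROLES: Dict[str, Dict[str, Slider]] = {
    "Helpdesk L1": {HELPDESK_ROLE: Slider.ASSIGNED},
    "Tier 2": {HELPDESK_ROLE: Slider.UNSET, "Reports": Slider.ASSIGNED},
}

# Device actions: (Admin Scope, End User Scope, action) -> {(os, config): slider}
# (ANY, ANY) is the base "(any device)" setting; (os, ANY) is a Custom OS row;
# (os, config) is the per-configuration refinement of that row.
DEVICE_ACTIONS: Dict[Tuple[str, str, str], Dict[Tuple[str, str], Slider]] = {
    ("Helpdesk L1", "Default", "Retire"): {
        (ANY, ANY): Slider.UNASSIGNED,                  # base: prohibit everywhere
        ("iOS", ANY): Slider.ASSIGNED,                  # Custom: allow on iOS
        ("Android", ANY): Slider.UNASSIGNED,            # Custom: prohibit on Android
        ("macOS", "corporate-owned"): Slider.ASSIGNED,  # only corporate-owned Macs
    },
    # Tier 2 has the action assigned for any device but lacks the Helpdesk role.
    ("Tier 2", "Default", "Retire"): {(ANY, ANY): Slider.ASSIGNED},
}


def has_app_role(admin_scope: str, role: str) -> bool:
    """Only a green slider counts; red and centered are both un-assigned."""
    return APP_ROLES.get(admin_scope, {}).get(role) is Slider.ASSIGNED


def device_action_allowed(admin_scope: str, end_user_scope: str, action: str,
                          os: str, config: str) -> bool:
    """True only if the Admin Scope holds the Helpdesk role and the most
    specific configured slider for this device is ASSIGNED."""
    if not has_app_role(admin_scope, HELPDESK_ROLE):
        return False   # device permissions have no effect without the area role
    rows = DEVICE_ACTIONS.get((admin_scope, end_user_scope, action), {})
    for key in ((os, config), (os, ANY), (ANY, ANY)):
        state = rows.get(key, Slider.UNSET)
        if state is Slider.ASSIGNED:
            return True
        if state is Slider.UNASSIGNED:
            return False
        # UNSET: fall through to the next, less specific row
    return False       # every applicable row unset: treated as un-assigned


if __name__ == "__main__":
    for os_, cfg in (("iOS", "Supervised"), ("Android", "personally owned"),
                     ("macOS", "corporate-owned"), ("macOS", "personally owned"),
                     ("Windows", "corporate-owned")):
        print(os_, cfg, device_action_allowed("Helpdesk L1", "Default", "Retire", os_, cfg))
    print("Tier 2 iOS", device_action_allowed("Tier 2", "Default", "Retire", "iOS", "Supervised"))
```

The two results to notice: "Tier 2" is denied on every device even though Retire is assigned for "(any device)", because the Helpdesk app role is unset, and a personally owned Mac is denied because its row is unset and the resolution falls back to the "(any device)" base, which is un-assigned.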