RBAC Permission to Run Remote Actions in Intune

Let's look at how to configure RBAC permissions to run remote actions in Intune, and how to control which actions helpdesk associates can perform for quick fixes and troubleshooting. Remote actions let helpdesks support users' devices more securely.

Intune provides the ability to run device actions remotely. You can remotely manage Windows, Android, iOS/iPadOS, macOS, Linux, and other supported device platforms. You also have granular control over Windows 365 Cloud PC device actions in Intune, just as for any other managed device; see Cloud PC Remote Actions Windows 365 Device Actions.

You can also use role-based access control for Remote Help in Intune: admins can configure parameters and define the actions permitted during a Remote Help session based on the role of the helpdesk associate.

Role-based access control (RBAC) lets Intune administrators manage and regulate the permissions granted to individuals for different Intune tasks within your organization. A set of twelve (12) predefined Intune roles, known as built-in RBAC roles, is available.


By using these permissions, admins can control remote activities precisely, keeping them secure and aligned with organizational requirements. If none of the built-in roles fits your requirements, you can create custom Intune roles tailored to your scenario.

RBAC Permission to Run Remote Actions in Intune

The following steps help you configure RBAC for Intune remote actions. You can perform Restart, Sync, Collect diagnostics and more by using remote actions from the Intune portal. The available remote actions differ by platform, and some remote actions may require additional roles.

RBAC Permission to Run Remote Actions in Intune Fig.1

In All roles, you will find all the built-in roles and any custom roles created in the tenant. The Help Desk Operators built-in role can perform remote tasks on users and devices and can assign applications or policies to users or devices.

RBAC Permission to Run Remote Actions in Intune Fig.2

By default, the built-in Help Desk Operator role sets all these permissions to Yes. You can use the built-in role or create custom roles to grant only the remote tasks permissions you want different user groups to have.

RBAC Permission to Run Remote Actions in Intune Fig.3

In Endpoint Manager (Intune) All roles, click Create and select Intune role from the options that appear to create a custom Intune role for running remote actions on managed devices.

RBAC Permission to Run Remote Actions in Intune Fig.4

On the Basics page, enter a name and description for the custom role, then choose Next. On the Permissions page, expand the category whose permissions you want to modify. When creating custom roles, select Remote tasks and toggle the switch to Yes for each remote task permission the role should have.

The following Intune RBAC permissions control which remote tasks a role can run. Set each to Yes to grant the permission:

RBAC Permission to Run Remote Actions in Intune Fig.5

Permission: Description
Remote tasks/Bypass activation lock: Remove the Activation Lock from supervised devices without requiring the user's Apple ID and password. This may be required if a user leaves the company and returns the device; without the user's Apple ID and password, there is no way to reactivate the device. Or, you may need to reassign some devices to a different department during a device refresh in your organization. You can only reassign devices that do not have Activation Lock enabled. You must also have the Managed Device Read permission to view devices in the Azure portal before initiating this remote task.
Remote tasks/Clean PC: Remove any apps installed on a PC running Windows 10, which helps remove the preinstalled (OEM) apps that typically ship with a new PC.
Remote tasks/Collect diagnostics: Run the Collect diagnostics remote action to gather device diagnostics from a managed device.
Remote tasks/Disable lost mode: Turn off lost mode for an iOS device.
Remote tasks/Enable lost mode: Initiate lost mode on lost or stolen iOS devices. This mode lets you enter a message and a phone number that appear on the lock screen of the device. To use lost mode, the device must be a corporate-owned iOS device in supervised mode.
Remote tasks/Enable Windows Intune Agent: Enable the Windows Intune agent.
Remote tasks/Get FileVault key: Get the Mac FileVault key.
Remote tasks/Initiate Configuration Manager action: Initiate a remote action on a device managed by Configuration Manager.
Remote tasks/Locate device: View the location of a lost or stolen corporate-owned device on a map. Can locate supervised iOS/iPadOS devices, Android dedicated devices (COSU), and Windows devices.
Remote tasks/Manage shared device users: Log out the user with the current session on a shared device. This action does not delete users from a shared device; it only forces the user with a current session to be logged out.
Remote tasks/Offer remote assistance: Initiate a remote assistance session with a user's device by using a remote assistance provider. The remote assistance option for your provider must be enabled for your tenant.
Remote tasks/Play lost mode sound: Initiate the lost mode ring sound on a device placed in MDM lost mode.
Remote tasks/Reboot now: Initiates a device restart. This causes the device you choose to be restarted. The device owner isn't automatically notified of the restart, and they might lose work.
Remote tasks/Remote lock: The Remote lock device action locks the device. To unlock the device, the device owner enters their passcode. You can remotely lock devices that have a PIN or password set. Devices that don't have a PIN or password can't be remotely locked.
Remote tasks/Reset passcode: Initiates a forced removal of the passcode, and requires the device user to set a new passcode. Supported on iOS devices, and certain later versions of Android and Android for work. Not supported on older Android versions, macOS, or Windows.
Remote tasks/Retire: Initiates a retire action for a device. Also called remove company data. The Remove company data action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Remove company data action. Remove company data leaves the user's personal data on the device.
Remote tasks/Revoke App Licenses: Revokes any iOS VPP application licenses that have been associated with the device.
Remote tasks/Rotate BitLocker Keys (preview): Initiates a key rotation for BitLocker Recovery Passwords on the device.
Remote tasks/Rotate FileVault key: Rotate the Mac FileVault key.
Remote tasks/Send custom notifications: Allows an admin to send customized notifications to devices. Devices receive notifications in Company Portal.
Remote tasks/Set device name: Set or change the name of a device.
Remote tasks/Shut down: Initiates a shutdown of the device; this automatically closes all applications and running services and leaves the device in a powered-off state.
Remote tasks/Sync devices: Initiates a sync operation on the device and forces the selected device to immediately check in with Intune. When a device checks in, it immediately receives any pending actions or policies that have been assigned to it.
Remote tasks/Update cellular data plan: Activate the data plan for cellular iOS/iPadOS devices that support eSIM.
Remote tasks/Update device account: Allows changing the device account associated with Surface Hub devices, and setting authentication options such as password rotation.
Remote tasks/Windows Defender: Initiates a Windows Defender signature update.
Remote tasks/Wipe: Initiates a wipe of the device. Also called a factory reset. The Factory reset action restores a device to its factory default settings. The user data is kept or wiped depending on whether or not you choose the Retain enrollment state and user account checkbox.
Table 1 – RBAC Permission to Run Remote Actions in Intune

You can duplicate built-in roles to create, edit, or assign Intune roles; here's how you can duplicate Intune RBAC roles. To assign a built-in or custom role to an Intune user, choose the role you want to assign > Assignments > + Assign.
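As an added example (not code from the original post), the same least-privilege outcome scripted with the Microsoft Graph PowerShell SDK: first audit which roles in the tenant grant any Remote tasks permission and which of them include the destructive ones, then clone a troubleshooting-only custom role from the built-in Help Desk Operator definition. It assumes the resource-action strings follow the Microsoft.Intune_RemoteTasks_<Action> pattern (step 1 prints the exact names so the regex can be adjusted), and the new role's name and description are constructed.

```powershell
# Added example, not part of the original post or Microsoft's own samples.
# Requires the Microsoft.Graph PowerShell SDK; the caller must hold a role
# that can read and write Intune RBAC definitions.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/roleDefinitions'

function Get-AllowedActions($role) {
    # Flatten rolePermissions[].resourceActions[].allowedResourceActions
    $role.rolePermissions | ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions }
}

# 1. Audit: which roles grant any Remote tasks permission, and which of the
#    destructive ones (wipe / retire / passcode reset) does each include?
#    Action string format ("..._RemoteTasks_...") is an assumption; verify below.
$roles = (Invoke-MgGraphRequest -Method GET -Uri $base).value
foreach ($r in $roles) {
    $remote = @(Get-AllowedActions $r | Where-Object { $_ -like '*_RemoteTasks_*' })
    if ($remote.Count -eq 0) { continue }
    $risky  = @($remote | Where-Object { $_ -match 'Wipe|Retire|ResetPasscode' })
    '{0,-40} remote tasks: {1,2}  destructive: {2}' -f $r.displayName, $remote.Count, ($risky -join ', ')
}

# 2. Build a troubleshooting-only role from Help Desk Operator (all remote
#    tasks = Yes by default): keep device read plus sync, restart and collect
#    diagnostics, drop everything else. Action names in the regex are assumed.
$helpDesk = $roles | Where-Object { $_.displayName -eq 'Help Desk Operator' }
$keep = @(Get-AllowedActions $helpDesk | Where-Object {
    $_ -match 'ManagedDevices_Read$|RemoteTasks_(SyncDevice|RebootNow|CollectDiagnostics)$' })
$keep | ForEach-Object { "keeping: $_" }   # review the exact strings before creating

$body = @{
    '@odata.type'   = '#microsoft.graph.roleDefinition'
    displayName     = 'Helpdesk - Remote Troubleshooting Only'    # constructed name
    description     = 'Sync, restart and collect diagnostics only; no wipe, retire or lock'
    isBuiltIn       = $false
    rolePermissions = @(@{ resourceActions = @(@{
        allowedResourceActions    = $keep
        notAllowedResourceActions = @() }) })
}
$new = Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'
"Created role '$($new.displayName)' with $($keep.Count) permissions (id $($new.id))"
```

After creation, assign the new role to the helpdesk group with a scope group limited to the devices they support, exactly as in the Assignments step above; step 1 can be re-run periodically to catch any role that has silently accumulated Wipe or Retire.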

Author

About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT industry. He writes and shares his experiences related to Microsoft device management technologies and IT infrastructure management. His primary focus is Windows 10/11 deployment solutions with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
