Adding Users & Roles



Users

SimpleMDM allows more than one individual in your organization to manage your SimpleMDM account. Inviting additional users to your account is easy.

To add an administrator to your account:

  1. Within SimpleMDM, click "Settings" on the left-hand side of the screen.
  2. Select the "Users" sub-menu option below "Settings".
  3. Enter the email address of the user you'd like to add, select an appropriate user role, and click "Invite User".

Once you complete these steps, SimpleMDM will send an invitation to the email address specified. The individual will have the option to create a SimpleMDM login and will have shared access to your SimpleMDM account.

 

User Roles

Your company may require different permission levels for different SimpleMDM users. The User Roles feature allows you to create custom roles with different permissions that are specific to your organizational needs. The User Roles interface is accessible from the Users management screen, as referenced in the above section.

The configurable permissions currently available are:

Allow Devices Actions

This option controls the ability to send specific commands to devices, including:

  • Push Assigned Apps and Media
  • App Updates (via Device Details)
  • Wipe
  • Lock
  • Clear Passcode
  • Update Location
  • Send Message
  • Enable/Disable Lost Mode

Allow Configuration Changes

This option controls the ability to make configuration changes to devices.

Devices

  • Assign/unassign profiles at the device level
  • Set timezone
  • Refresh cellular plan
  • Remove or unenroll devices

Device Groups

  • Modify profile assignments at the group level
  • Edit group settings

Apps and Media

  • Modify app & media assignments
  • Modify VPP settings

Profiles

  • Create/edit profiles
  • Create/edit providers
  • Create/edit custom attributes

Scripts

  • Create/edit scripts
  • Create/edit jobs

Enrollments

  • Create/edit enrollments

General

  • Modify account settings
  • Update Push Certificate

Allow User Management

  • Invite new users
  • Manage user roles

Allow API Management

  • Create API keys
  • View and reset API keys
  • Modify API key resource permissions

Allow Log Visibility

  • View device logs
  • View admin logs

Allow Billing Management

  • View Billing page
  • Update billing information
  • View billing history

Allow Secret Information Visibility

This section allows you to control access to view/modify sensitive information, including:

  • Activation Lock Bypass Codes: View Activation Lock Bypass Codes and send “Disable Activation Lock” command
  • Device Erase & Lock PINs: View PINs set when erasing or locking devices
  • Admin Passwords: View, reset, and rotate Auto-Admin passwords
  • FileVault Recovery Keys: View and rotate FDE Recovery Keys
  • Firmware Passwords: View stored firmware passwords and send “Clear Firmware Password” command
  • Profile Passwords: View passwords set in profiles
  • Recovery Lock Passwords: View stored recovery lock passwords and send “Clear Recovery Lock” command
  • Webhook Passwords: View and modify webhook passwords
  • Custom Attributes Marked As Secret: View custom attribute values that have been marked as secret

No Access

Users assigned the “No Access” role will be able to create a user account but will not be able to view or modify anything within the account, and will instead see an access-restricted page upon sign-in. This is commonly used to limit access for SAML-authenticated users that have not yet been approved or assigned a role by another admin in the account. While SAML access is often controlled on the identity provider side, this provides an alternative when that is not feasible.

Additional Security Options

SimpleMDM offers two advanced security options for user authentication:

Require Two-Factor Authentication

Administrators of a SimpleMDM account can require that all users accessing the administrator interface have two-factor authentication enabled. Users who do not have it enabled will be prompted to enable it before accessing the account. Currently, this feature requires the use of a third-party authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy.

To enable this:

  1. Navigate to Account > Users.
  2. Click the Settings tab.
  3. Check the box labeled “Require Two-Factor Authentication”.

SAML Authentication

Your company can use a third-party identity provider (IdP), such as Microsoft Azure/Entra AD, Google Workspace, OneLogin, Okta, or Ping Identity, to grant access to the SimpleMDM administrator interface. SimpleMDM supports Just-In-Time (JIT) provisioning and Single Logout functionality to streamline administrative efforts and increase security.

To enable this:

  1. Navigate to Account > Users.
  2. Click the Settings tab.
  3. Under the “Single Sign On with SAML” section, select “Yes” in the “SAML Enabled” field.
  4. Additional configuration will be required and steps may vary depending on the identity provider. View the “SAML Integration Guides” section for more information based on your provider.