This article will outline the steps needed to setup up SafeConsole into separate groups that can be managed by individual users. This can be beneficial if your organization is structured in a way that you would like certain admins to only manage the users and their respective devices that they are responsible for.
Step 1: Setup SafeConsole as the SafeConsole account owner, the following should be done:
- Configure the Default Policy, this policy will not be used if this guide is followed correctly, however it is still important that the policy be set. A recommendation can be to configure a very restrictive policy that blocks device connection just in case a device is incorrectly registered at some point. An example would be device state set to always and geofence set to Block all possible connections. See the SafeConsole Admin Guide for instructions on how to configure the default policy and the individual settings.
- Configure the following Registration setting found in Server Settings -> General
- Disable Machine ownership - checked
- Require a unique token for all registrations: Devices and SafeCrypt Drives - checked
- Require registration approval from Administrator - Unchecked
Also in the General section click the checkbox to Enable Custom Role-Based Security System
Step 2: Create the top level groups and the initial Group Admins
- In manage policies click Add New Path button in the top right then enter the name of the first group. Repeat for each group that will be added.
- Locate the newly added group and click the wrench icon, this will bring up the menu to Add New User
- Enter the user's name and email address and click Add
- After the user is created, you will be given the option to Promote to Group Admin, click the marked button to continue.
Add this point the user will be sent an email to create a login password and enable 2 factor authentication if enforced.
Note: if testing different admin permission sets on the same computer it is critical that you log out of the super admin profile before logging in as the new Group Admin. Failure to do so will show incorrect permissions. Try on a different system or in a new incognito browser if you experience this issue.
Continue Configuration: The promoted users, now Admins for their respective group can create additional users either manually or via CSV import. These will be the end-users that devices will be assigned to. They will not have access to the console. Once these end users are created devices will need there Unique Token. This is included in the Endpoint Setup Guide, which can be sent after the user is created or after importing users from a CSV file.