Overview of Limited Access Mode

Nerdio Manager accounts can be provisioned in what is called Limited Access mode, which restricts the permissions granted to the Nerdio Manager enterprise app in the customer's Azure tenant. Existing customer accounts that were not created in limited access mode can also be switched to it later.

Note: Accounts in limited access mode have reduced functionality. For example, Users & Group management is not available. In addition, accounts in limited access mode do not have access to all the Intune Device Management features. See Overview of Intune Device Management for details.

Similarly, the Nerdio Manager installation itself can be switched to limited access mode. This restricts the permissions granted to the Nerdio Manager enterprise app in the MSP's Azure tenant.

Enable Limited Access Mode at the MSP Level

Nerdio Manager allows you to enable limited access mode at the MSP level.

To enable limited access mode at the MSP level:

  1. At the MSP level, navigate to Settings > Environment.

  2. On the right side of the banner, select the gears icon.

  3. Toggle on the Limited access option.

  4. Carefully review the confirmation pop-up.

  5. After you have reviewed the confirmation pop-up, select OK.

Once you enable the limited access setting at the MSP level, we suggest you replace Directory.ReadWrite.All with Directory.Read.All and add the User.Invite.All permission. This keeps all existing functionality. You can additionally remove the Application.ReadWrite.All permission, but then some functionality may stop working: enabling the REST API, enabling Azure runbooks, managing user roles, and assigning accounts to global images.

For example, if you have previously enabled REST API, and then enabled limited access, and later disabled REST API, you are able to enable REST API again because the necessary app already exists. However, if you enable REST API for the first time after enabling limited access, Nerdio Manager is not able to create a REST API app registration in AD. Also, Nerdio Manager doesn't show warnings on pages when limited access functionality is enabled.

Tips:

  • If limited access mode is enabled, Nerdio Manager does not restore permissions while updating Nerdio Manager. If limited access mode is not enabled, Nerdio Manager always restores permissions during an update.

  • If limited access mode is later disabled, you need to re-deploy your installation so that all required permissions are restored automatically.

Enable Limited Access Mode at the Account Level

Nerdio Manager allows you to enable limited access mode at the account level. This can be done for new accounts or existing accounts. See Enable Limited Access Mode for New Accounts and Enable Limited Access Mode for Existing Accounts for details.

Enable Limited Access Mode for New Accounts

To enable limited access mode at the account level for a new account:

  1. At the MSP level, navigate to Accounts.

  2. Select Add account.

  3. On the right side of the banner, select the gears icon to turn on Limited Access mode.

  4. See Add an Account for full details about adding a new account.

Important Notes

Nerdio Manager creates an app registration for each account during provisioning. Here are a few points to note:

  • If Limited access is disabled, the app has the "Global Admin" role and the following permissions:

    • AuditLog.Read.All, Group.ReadWrite.All

    • Intune specific: DeviceManagementApps.ReadWrite.All

    • Cloud PC specific: CloudPC.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All

    • For Intune and Cloud PC: DeviceManagementConfiguration.ReadWrite.All

  • If Limited access is enabled, the app registration does not have the "Global Admin" role and has the following permissions:

    • AuditLog.Read.All, Directory.Read.All, Group.Read.All

    • Cloud PC specific (if Cloud PC is enabled): CloudPC.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All

    • Intune permissions can be assigned on the Settings > Integrations page after the account is created.

  • Nerdio Manager modifies the AD applications during provisioning. If limited access is enabled, it therefore assigns the following permissions in the first step of provisioning and removes them again in the second step: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All.

  • If limited access is enabled, Nerdio Manager displays a Limited Access icon next to the first step's name, and the same icon next to the account name on the Accounts list.

  • Hover over the Limited Access icon, to view a tooltip that says: "Account is in limited access mode. User and Group management functionality is limited."

  • In Limited Access mode, Nerdio Manager prompts you to assign the necessary permissions manually when you enable Intune or Cloud PC from the Settings > Integrations page.

  • When you disable Intune features, Nerdio Manager displays a list of permissions that can be removed.

  • Nerdio Manager displays warnings for all functionality that is not available in limited access mode.
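As an added defender-side check (not part of the Nerdio documentation or product), the script below uses the Microsoft Graph PowerShell SDK to list the Microsoft Graph application permissions actually granted to the Nerdio Manager enterprise app in a tenant and compares them with the permission sets named in this article: the limited-access set from the list above, and the write permissions that the MSP-level suggestion and the provisioning note say should no longer be present (Directory.ReadWrite.All, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All). It also checks whether the service principal still holds the Global Administrator role. The app display name, the scopes requested at sign-in, and the expected/forbidden lists are assumptions to adjust for your tenant; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is Microsoft's well-known value.

```powershell
# Added example, not Nerdio's code. Requires the Microsoft.Graph PowerShell SDK.
param(
    # Placeholder: use the enterprise app's display name as it appears in your tenant.
    [string]$AppDisplayName = "Nerdio Manager"
)

# Read-only scopes are enough to inspect service principals and role membership.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Base limited-access permissions from the article (account-level app).
# Extend this list with the Cloud PC / Intune permissions if those integrations are enabled.
$ExpectedLimited = @("AuditLog.Read.All", "Directory.Read.All", "Group.Read.All")

# Write permissions the article says limited access mode should not retain.
$Forbidden = @(
    "Directory.ReadWrite.All", "Group.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
)

# Microsoft Graph's own service principal defines the AppRoles, so granted
# AppRoleIds can be mapped back to permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant." }

# Application permissions (admin-consented app role assignments) granted against Graph.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

$missing = $ExpectedLimited | Where-Object { $_ -notin $granted }
$present = $Forbidden       | Where-Object { $_ -in    $granted }

"Granted Microsoft Graph application permissions for '$($sp.DisplayName)':"
$granted | Sort-Object | ForEach-Object { "  $_" }

if ($missing) { "MISSING expected limited-access permissions: $($missing -join ', ')" }
if ($present) { "WRITE permissions still granted: $($present -join ', ')" }
if (-not $missing -and -not $present) { "Permission set is consistent with limited access mode." }

# Global Administrator check: the role object only exists once it has been activated
# in the tenant, so a null result simply means nothing has been assigned to it.
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
if ($gaRole) {
    $isGa = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
        Where-Object { $_.Id -eq $sp.Id }
    if ($isGa) { "WARNING: '$($sp.DisplayName)' still holds the Global Administrator role." }
}
```

Run this before and after switching an account or the MSP install to limited access mode, and again after a Nerdio Manager update, since the article notes that updates do not restore permissions only while limited access is enabled. Treat any entry in the "WRITE permissions still granted" line as a drift finding to reconcile against the Settings > Integrations page rather than something to remove blindly, because Cloud PC and Intune legitimately require some of the ReadWrite permissions listed in the article.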

Enable Limited Access Mode for Existing Accounts

To enable limited access mode at the account level for an existing account:

  1. At the MSP level, navigate to Accounts.

  2. Locate the account you want to work with.

  3. From the action menu, select Enable limited access.

    Warning: This is an irreversible operation.

  4. Carefully review the confirmation pop-up.

  5. After you have reviewed the confirmation pop-up, type CONFIRM and then select OK.
