Forefront Endpoint Protection 2010 – SCCM Console permissions

I have done some FEP installations now, and a couple of questions always turn up, such as how to delegate permissions in the SCCM console for the FEP integration, since no new security delegation option is created for it when the plug-in for the SCCM Admin Console is installed. I did some research on the different components and came to the following conclusions.

Forefront

The following permissions control the different areas/functions in the Forefront add-in to the SCCM Console.

| Component | Object Class | Admin Permissions |
| --- | --- | --- |
| Access to the FEP Dashboard | Collection | Administer, Advertise, Create, Delete, Delete resource, Modify, Modify Collection Settings, Modify resource, Read, Read resource |
| FEP Reports | Managed in SQL Reporting Services | Browse permissions |
| FEP Policies | Package & Advertisement | Package: Administer, Create, Delete, Distribute, Manage Folders, Modify, Read. Advertisement: Create, Delete, Manage Folders, Modify, Read |
| FEP Alerts | Site | Administer, Manage Status filter, Modify, Read |
| FEP Baselines | Configuration Items | Create, Delete, Distribute, Manage Folders, Modify, Read |

If an administrator only needs to view the different components, Read permission on the corresponding objects is enough. The administrator can then, for instance, see the policies but cannot create new ones or modify the existing ones.
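To check how a delegated account actually compares against the table above, here is an added PowerShell example (my own, not from the linked article or the FEP product): it reads the SMS_UserClassPermissions class in the site's WMI namespace and decodes the class-level rights for the object classes the add-in uses, flagging whether the account is view-only or can change objects. The site server name, site code and account name are placeholders, and the ObjectKey and bit values are assumptions to verify against the SCCM 2007 SDK.

```powershell
# Added example, not from the original post: audit which rights an account holds on
# the SCCM 2007 object classes the FEP add-in uses, by reading the site's
# SMS_UserClassPermissions WMI class and decoding its ClassPermissions bitmask.
# Assumptions: ObjectKey and bit values follow the SCCM 2007 SDK as I recall them
# (verify against your SDK); server, site code and account are hypothetical.
param(
    [string]$SiteServer = "sccm01",           # hypothetical site server
    [string]$SiteCode   = "P01",              # hypothetical site code
    [string]$UserName   = "CONTOSO\fepadmin"  # hypothetical delegated FEP admin
)

# ObjectKey -> class used by the FEP add-in. The Configuration Item key is left out
# because I have not verified it; add it once confirmed for your version.
$ObjectKeys = @{ 1 = "Collection"; 2 = "Package"; 3 = "Advertisement"; 6 = "Site" }

# ClassPermissions bit -> right name (assumed SDK values).
$Rights = @{
    1 = "Read"; 2 = "Modify"; 4 = "Delete"; 8 = "Distribute"; 16 = "Create Child"
    32 = "Remote Control"; 64 = "Advertise"; 128 = "Modify Resource"; 256 = "Administer"
    512 = "Delete Resource"; 1024 = "Create"; 2048 = "View Collected Files"
    4096 = "Read Resource"; 8192 = "Delegate"; 16384 = "Meter"
    32768 = "Manage SQL Commands"; 65536 = "Manage Status Filters"; 131072 = "Manage Folders"
}
$ViewOnlyRights = @("Read", "Read Resource")   # enough for a view-only FEP admin

function ConvertTo-RightNames([int]$Mask) {
    # Decode the bitmask; any bit not in the table is reported as its numeric value.
    $names = @()
    foreach ($bit in ($Rights.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $names += $Rights[$bit]; $Mask = $Mask -bxor $bit }
    }
    if ($Mask -ne 0) { $names += "Unknown($Mask)" }
    return $names
}

$ns = "root\sms\site_$SiteCode"
Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_UserClassPermissions |
    Where-Object { $_.UserName -eq $UserName -and $ObjectKeys.ContainsKey([int]$_.ObjectKey) } |
    ForEach-Object {
        $names = ConvertTo-RightNames ([int]$_.ClassPermissions)
        # Anything beyond Read/Read Resource means the account can change objects,
        # i.e. it holds the full-admin side of the table rather than the view-only case.
        $extra = @($names | Where-Object { $ViewOnlyRights -notcontains $_ })
        New-Object PSObject -Property @{
            Class    = $ObjectKeys[[int]$_.ObjectKey]
            Rights   = ($names -join ", ")
            ViewOnly = ($extra.Count -eq 0)
        }
    } | Format-Table Class, ViewOnly, Rights -AutoSize
```

This reports class-level rights only; per-instance grants (for example on a single collection) live in SMS_UserInstancePermissions and are not covered here.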

Just before I posted this, I found that this excellent article was published yesterday about how to create a custom MMC and delegate permissions in SCCM to manage the FEP integration. It is really good; you should check it out:
http://social.technet.microsoft.com/wiki/contents/articles/setting-up-a-new-fep-administrator.aspx

My conclusion is also that there is actually no good way of delegating administration of only FEP itself in the console. The link above shows the steps needed to delegate administrative permissions and create a custom MMC. However, there is no way to stop the FEP admin from launching the full SCCM admin console and then having access to a lot more than just FEP.

So does this mean that SCCM administrators will now become the FEP administrators as well? In some cases I believe so, as knowledge of SCCM is needed.
