CCMEXEC.COM – Enterprise Mobility

Forefront Endpoint Protection 2010 – SCCM Console permissions

Posted on January 25, 2011 by Jörgen Nilsson

I have done some FEP installations now, and a couple of questions always turn up, like how to delegate permissions in the SCCM console for the FEP integration, as there isn’t a new security delegation option created for it when installing the plugin for the SCCM Admin Console. I did some research on the different components and came to the following conclusion.

Forefront

The following permissions control the different areas/functions in the Forefront add-in to the SCCM Console.

| Component | Object Class | Admin Permissions |
|---|---|---|
| Access to the FEP Dashboard | Collection | Administer, Advertise, Create, Delete, Delete resource, Modify, Modify Collection Settings, Modify resource, Read, Read resource |
| FEP Reports | Managed in SQL Reporting Services | Browse permissions |
| FEP Policies | Package & Advertisement | Package = Administer, Create, Delete, Distribute, Manage Folders, Modify, Read; Advertisement = Create, Delete, Manage Folders, Modify, Read |
| FEP Alerts | Site | Administer, Manage Status filter, Modify, Read |
| FEP Baselines | Configuration Items | Create, Delete, Distribute, Manage Folders, Modify, Read |

If an administrator only needs permissions to view the different components, Read permissions on the different objects are enough. Then the administrator can for instance see the policies but cannot create new ones or modify the existing ones.
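The table and the read-only rule above can be turned into a least-privilege check on a delegated account. This is an added example, not code from the original post; the `audit` function, the (object class, right) grant format and the sample grants are assumptions constructed for illustration.

```python
# Rights per SCCM object class, copied from the table in this post.
# FEP Reports are left out: they are managed in SQL Reporting Services.
FEP_ADMIN = {
    "Collection": {"Administer", "Advertise", "Create", "Delete",
                   "Delete resource", "Modify", "Modify Collection Settings",
                   "Modify resource", "Read", "Read resource"},
    "Package": {"Administer", "Create", "Delete", "Distribute",
                "Manage Folders", "Modify", "Read"},
    "Advertisement": {"Create", "Delete", "Manage Folders", "Modify", "Read"},
    "Site": {"Administer", "Manage Status filter", "Modify", "Read"},
    "Configuration Items": {"Create", "Delete", "Distribute",
                            "Manage Folders", "Modify", "Read"},
}


def audit(grants, read_only=False):
    """Compare (object_class, right) grants with the FEP table.

    Returns {"excess": [...], "missing": [...]}, each a sorted list of
    (object_class, right) pairs.
    """
    if read_only:
        # View-only administrators need just Read on each object class.
        wanted = {cls: {"Read"} for cls in FEP_ADMIN}
    else:
        wanted = FEP_ADMIN
    held = {}
    for cls, right in grants:
        held.setdefault(cls, set()).add(right)
    excess, missing = [], []
    for cls, rights in held.items():
        # A class outside the table is reported as excess in full.
        excess += [(cls, r) for r in rights - wanted.get(cls, set())]
    for cls, rights in wanted.items():
        missing += [(cls, r) for r in rights - held.get(cls, set())]
    return {"excess": sorted(excess), "missing": sorted(missing)}


# Constructed sample: a view-only FEP account that was also given Modify on
# packages and a right on an unrelated class, and lacks Read on Site.
SAMPLE = [("Collection", "Read"), ("Package", "Read"), ("Package", "Modify"),
          ("Advertisement", "Read"), ("Configuration Items", "Read"),
          ("Query", "Read")]

if __name__ == "__main__":
    for kind, pairs in audit(SAMPLE, read_only=True).items():
        for cls, right in pairs:
            print(f"{kind}: {right} on {cls}")
```

Entries under "excess" are the rights to revoke from the FEP account; entries under "missing" explain why a part of the FEP add-in would not show for that account.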

Today, before I posted this post, I found that this excellent article was published yesterday about how to create a custom MMC and delegate permissions in SCCM to manage the FEP integration. It is really good! You should check it out:
http://social.technet.microsoft.com/wiki/contents/articles/setting-up-a-new-fep-administrator.aspx

My conclusion is also that there is actually no good way of delegating only administration of FEP itself in the console. The link above shows the steps needed for delegating administrative permissions and creating a custom MMC. However, there is no way to stop the FEP admin from launching the full SCCM admin console and then having access to a lot more than just FEP.

So does this mean that SCCM administrators will now become the FEP administrators as well in the future? In some cases I believe so, as knowledge in SCCM is needed.


My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone else's use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
