SOTI Identity Roles removed from SOTI Identity after upgrading to MobiControl version 15.6.0 and 15.6.1

Publish Date: 11-Nov-2022 SOTI MobiControl

Summary

If you are upgrading to MobiControl version 15.6.2 or above, refer to this article.

Related SOTI ONE Platform Products

SOTI MobiControl

Process Description

Background  

As of the August 2022 update to SOTI Identity, improvements were made to streamline user role management across all SOTI ONE products.  These changes only impact MobiControl versions 15.6.0 and greater. 

When you upgrade from a MobiControl version earlier than 15.6.0 to version 15.6.0 or 15.6.1, you will observe the following impacts:

  • Functions to add, modify and remove roles are no longer accessible within the SOTI Identity console. 
  • SOTI Identity roles that appeared in MobiControl as SOTI Identity user groups will be removed as part of the upgrade.
  • SOTI Identity users and groups that were mapped with SOTI Identity roles will be listed directly in MobiControl with the same permissions that those users and groups previously inherited from SOTI Identity roles. 

As a result of the above impacts, you may also have to recreate roles in MobiControl and associate them with the correct SOTI Identity users and groups. If you were using SOTI Identity for device side authentication through Add Device rules or Enrollment policies, or if you had mapped SOTI Identity user groups in the MobiControl Shared Device configuration, you must remap these in MobiControl after upgrading. 

Below you will find an overview of the experience prior to MobiControl 15.6.0, what you can expect post upgrade to 15.6.0 or 15.6.1, as well as recommendations to mitigate the impacts noted above. 

Review of SOTI Identity Role Management with SOTI MobiControl earlier than 15.6.0 

If you are using a SOTI MobiControl version earlier than 15.6.0, SOTI Identity provides an option to manage and assign roles for the SOTI MobiControl application: 

                   

SOTI Identity roles for a specific SOTI MobiControl application were displayed as SOTI Identity Groups in SOTI MobiControl under the Groups tab in the Users and Permissions section. These Groups (or SOTI Identity Roles) were associated with a SOTI MobiControl role from where the permissions were inherited:

              

In SOTI Identity, you can assign the SOTI MobiControl application to different users and groups:

                     

You should have associated these users and groups with a SOTI Identity role of a specific SOTI MobiControl application during the application assignment:

                     

Also, you could use the SOTI Identity Roles described above (displayed as groups in SOTI MobiControl) in SOTI MobiControl under Enrollment Policies, Shared Device Groups, Profiles, App Policies and Compliance Policies:

              

Updated Role Management Experience with SOTI MobiControl 15.6.0 and 15.6.1

If you are upgrading from a SOTI MobiControl version earlier than 15.6.0 that was integrated with SOTI Identity to a MobiControl version 15.6.0 or 15.6.1, you will see the following changes:

  • The "Manage Roles" action against a specific SOTI MobiControl application in SOTI Identity is removed. SOTI Identity now fetches roles directly from SOTI MobiControl:

                     

  • SOTI Identity Roles that appeared in SOTI MobiControl as SOTI Identity Groups in the Users and Permissions section under the Groups tab will no longer be listed.
  • All the SOTI Identity users and groups that were mapped with SOTI Identity roles prior to upgrade will be listed in the Users and Permissions section under the Groups and Users tabs of SOTI MobiControl:

                           

  • These users and groups will be assigned permissions at a granular level and will be the same permissions as they inherited from their respective SOTI Identity roles prior to upgrading to SOTI MobiControl 15.6.0 or 15.6.1.
  • Since these users and groups will be given permissions directly at a granular level, these users and groups will not inherit any permissions from any role after the upgrade:

                     

What is impacted by this change?

If you were using a SOTI MobiControl version earlier than 15.6.0 that was integrated with SOTI Identity and upgraded to a SOTI MobiControl version 15.6.0 or 15.6.1, you will be impacted in cases where:

  1. SOTI Identity is used as an authentication option for MobiControl Web Console access
  2. SOTI Identity is used for accessing SOTI XSight
  3. SOTI Identity is used as an authentication option in Enrollment Policies/Add Device rules
  4. SOTI Identity user groups are used in Shared Device Groups configuration
  5. SOTI Identity user groups are used in users filter for Profile Assignment
  6. SOTI Identity user groups are used in users filter for App Policies Assignment
  7. SOTI Identity user groups are used in users filter for Compliance Policies Assignment
  • MobiControl Web Console access:
    • If you are using SOTI Identity for MobiControl web console access, you will not be impacted directly. All the existing users (individual or part of a group) will still be able to log in to SOTI MobiControl and perform the actions they were allowed in the past. The only impacted area in this case would be on the SOTI Identity side. Those users and groups that were associated with a SOTI Identity role prior to the upgrade will not have any role associated post-upgrade: 

                   

  • SOTI XSight access: Logging in to SOTI XSight through SOTI Identity or the SOTI MobiControl console will be impacted. The user will be shown a No Access screen on their login attempt because the role mapping in SOTI Identity is removed after upgrading to SOTI MobiControl 15.6.0 or 15.6.1.
  • If you are impacted, SOTI MobiControl will notify you in these two ways:
    • In the SOTI MobiControl installer during upgrade: 
      • The administrator will be notified within the installation process about the impacted areas. The names of the policies/rules in the case of Enrollment, Add Device Rule, Profiles, Apps and Compliance and the device group path in the case of Shared Device Group configuration will be shown:

                                               

    • By SOTI MobiControl announcements in the Web Console post upgrade
      • In the SOTI MobiControl Web Console when the user logs in for the first time post-upgrade, the user will see a mandatory announcement indicating that there are some impacted features post-upgrade:

                                                         

      • When the user clicks the View Updates button, SOTI MobiControl presents a list of the impacted areas with names of the policies/rules in the case of Enrollment, Add Device Rule, Profiles, Apps and Compliance and with the device group path in the case of Shared Device Group configuration:

                  

Mitigation Strategies:

  • Create custom roles in SOTI MobiControl
    • If you were using custom roles other than the four default roles (MC Administrator, MC BYOD Users, MC Technician and MC Viewer), then you should create the custom roles as SOTI MobiControl Roles and grant them the same permissions as the previous custom role.
    • To create a role in SOTI MobiControl

      • Log in to SOTI MobiControl, then click the main menu. Click the Users and Permissions "+" button and select Add Role.
      • When you have added the role, assign general and device group permissions to this role by clicking the options:

                                     

Note: The permissions you assign to this role should be the same as the custom role in SOTI Identity prior to upgrading SOTI MobiControl.

  • Associate users and groups with a role in SOTI Identity
    • In SOTI Identity, select the SOTI MobiControl application and click Assign User. You will see the list of users and groups assigned to your SOTI MobiControl application:

                     

    • Hover over any of the users/groups and click Edit. A pop-up appears that allows you to edit the role. At this point you will not see any role associated with the user/group:

                       

    • Click Select Role to map this user/group to a role. The list in this drop-down is fetched directly from SOTI MobiControl so you will see all SOTI MobiControl roles here.
    • Map your users and groups to roles based on the information in this table:

| SOTI Identity Role (Pre-upgrade) | MobiControl Role (Post-upgrade) |
|---|---|
| MC Administrators | MobiControl Administrators |
| MC BYOD Users | MobiControl BYOD Users |
| MC Technicians | MobiControl Technicians |
| MC Viewers | MobiControl BYOD Users |
| Custom Role 1 | Custom Role 1 (Created post upgrade in MobiControl as explained above) |
| Custom Role 2 | Custom Role 2 (Created post upgrade in MobiControl as explained above) |
| Custom Role 3 | Custom Role 3 (Created post upgrade in MobiControl as explained above) |

Note: Mapping the users and groups to a role in SOTI Identity as explained above will also resolve the SOTI XSight login issue that was caused by upgrading to SOTI MobiControl 15.6.0 or 15.6.1.

  • Re-map SOTI Identity groups to impacted SOTI MobiControl features:

                   

    • Enrollment Policies
      • Navigate to the impacted Enrollment Policy and edit the policy. In the example above it is named “Enrollment Policy 1”.
      • Click the Groups tab of the policy. You should see the “Custom Role 1” role (which was a SOTI Identity role prior to upgrade) associated here with the policy:

                                   

      • Delete this record from the table by hovering over the row and clicking the Delete button that appears on the far right.   
        Note: Before deleting the entry, make sure to record its SOTI MobiControl device group, which in this case is “My Company”.
      • Once you have deleted the record, click the + button in the table:

                                       

      • A pop-up appears that allows you to search for SOTI Identity groups:

                                     

      • Search and add all the SOTI Identity groups that were associated with the “Custom Role 1” SOTI Identity role prior to upgrade:

                                     

      • Make sure to select the same SOTI MobiControl device group (“My Company” in this example) for each SOTI Identity group entry in this table because the “Custom Role 1” SOTI Identity role might have multiple groups associated with it:

                             

      • Click Next, then Finish to save the policy.
    • Shared Device Configuration
      • Navigate to the affected device group. In this example it is \\My Company\Management Devices.
      • Right click and select Advanced Configuration.
      • In the Advanced Configuration pop-up click Shared Device.
      • Under Configuration Settings you should see the “Custom Role 1” entry under User Groups:

                                 

      • Scroll towards the right and you should see a Delete button. Click to delete the record, then click +:

                             

      • Search and add all the SOTI Identity groups that were associated with the “Custom Role 1” SOTI Identity role prior to upgrade:

                                   

      • Click SAVE to save the changes.
  • Profile/App Policy/Compliance Policy Assignment
    • Navigate to the impacted Profile/App Policy/Compliance Policy.
    • Right click and select Assign.
    • Navigate to the Users tab on the assignment dialog.
    • Under "User Group Targets" you should see the IdP Group Name “Custom Role 1”:

                                 

    • Remove the "Custom Role 1" entry and add all the SOTI Identity user groups that were associated with the “Custom Role 1” SOTI Identity role prior to upgrade:

    • Click ASSIGN to save the changes.

If you have questions or need additional assistance, please contact our support team.
