SOTI Identity Roles removed from SOTI Identity after upgrading to MobiControl version 15.6.2 and above

If upgrading to MobiControl version 15.6.0 or 15.6.1 refer this article

Background  <

If upgrading to MobiControl version 15.6.0 or 15.6.1 refer this article

Background  

As of the August 2022 update to SOTI Identity, improvements were made to streamline user role management across all SOTI ONE products.  These changes only impact MobiControl versions 15.6.0 and greater. 

On upgrading from a version of MobiControl less than 15.6.0 to version 15.6.2 and above the following impacts will be observed: 

• Functions to add, modify and remove roles are no longer accessible within the SOTI Identity console. 
• SOTI Identity roles that appeared in MobiControl as SOTI Identity user groups will be removed as part of the upgrade.
• SOTI Identity roles that were associated with the MobiControl application will be migrated in MobiControl as MobiControl roles with the same set of permissions. 
• SOTI Identity users and groups that were mapped with SOTI Identity roles will be listed in MobiControl directly and mapped with the migrated MobiControl roles. 

As a result of the above impacts, if you were using SOTI Identity for device side authentication through Add Device rules or Enrollment policies, or if you had mapped SOTI Identity user groups in the MobiControl Shared Device configuration, you must remap these in MobiControl after upgrading. 

Below you will find an overview of the experience prior to MobiControl 15.6.0, what you can expect post upgrade to 15.6.2 and above, as well as recommendations to mitigate the impacts noted above. 

Review of SOTI Identity Role Management with SOTI MobiControl earlier than 15.6.0 

If you are using a SOTI MobiControl version earlier than 15.6.0, SOTI Identity provides an option to manage and assign roles for the SOTI MobiControl application: 

SOTI Identity roles for a specific SOTI MobiControl application were displayed as SOTI Identity Groups in SOTI MobiControl under the Groups tab in the Users and Permissions section. These Groups (or SOTI Identity Roles) were associated with a SOTI MobiControl role from where the permissions were inherited:

In SOTI Identity, you can assign the SOTI MobiControl application to different users and groups:

You should have associated these users and groups with a SOTI Identity role of a specific SOTI MobiControl application during the application assignment:

Also, you could use the SOTI Identity Roles described above (displayed as groups in SOTI MobiControl) in SOTI MobiControl under Enrollment Policies, Shared Device Groups, Profiles, App Policies and Compliance Policies:

Updated Role Management Experience with SOTI MobiControl 15.6.2 and above

If you are upgrading from a SOTI MobiControl version earlier than 15.6.0 that was integrated with SOTI Identity to a MobiControl version 15.6.2 and above, you will see the following changes:

• The "Manage Roles" action against a specific SOTI MobiControl application in SOTI Identity is removed. SOTI Identity now fetched roles directly from SOTI MobiControl:

• SOTI Identity Roles that appeared in SOTI MobiControl as SOTI Identity Groups in the Groups tab within Users and Permissions section will no longer be listed there.  The SOTI Identity Roles will be migrated to SOTI MobiControl Roles and will appear under the Roles tab instead.  The migration process will preserve the set of permissions associated with each role.:

• All the SOTI Identity users and groups that were mapped with those SOTI Identity roles in SOTI Identity will be listed in the Users and Permissions section under the Groups and Users tabs of SOTI MobiControl:

• These users and groups will be associated with the respectively migrated MobiControl roles that have the same permissions which SOTI Identity roles had prior to upgrading to SOTI MobiControl 15.6.2 and above:

What is impacted by this change?

If you were using a SOTI MobiControl version earlier than 15.6.0 that was integrated with SOTI Identity and upgraded to a SOTI MobiControl version 15.6.2 and above, you will be impacted in cases where:

1. SOTI Identity is used as an authentication option in Enrollment Policies/Add Device rules.
2. SOTI Identity user groups are used in Shared Device Groups configuration
3. SOTI Identity user groups are used in users filter for Profile Assignment
4. SOTI Identity user groups are used in users filter for App Policies Assignment
5. SOTI Identity user groups are used in users filter for Compliance Policies Assignment

• SOTI MobiControl will notify if you are impacted in these two ways:

• • In the SOTI MobiControl installer during upgrade:
    • The administrator will be notified within the installation process about the impacted areas. The names of the policies/rules in the case of Enrollment, Add Device Rule, Profiles, Apps and Compliance and the device group path in the case of Shared Device Group configuration will be shown:

• • By SOTI MobiControl announcements in the Web Console post upgrade
    • In the SOTI MobiControl Web Console when the user logs in for the first time post-upgrade, the user will see a mandatory announcement indicating that there are some impacted features post-upgrade:

• • • When the user clicks the View Updates button, SOTI MobiControl presents a list of the impacted areas with names of the policies/rules in the case of Enrollment, Add Device Rule, Profiles, Apps and Compliance and with the device group path in the case of Shared Device Group configuration:

Mitigation Strategies:

• • Enrollment Policies

• • • Navigate to the impacted Enrollment Policy and edit the policy. In the example above it is named “Enrollment Policy 1”.
    • Click the Groups tab of the policy. You should see the “Custom Role 1” role (which was a SOTI Identity role prior to upgrade) associated here with the policy:

• • • Delete this record from the table by hovering over the row and clicking the Delete button that appears on the far right.   
      Note: Make sure to record the SOTI MobiControl device group before deleting the entry which in this case is “My Company”:

• • • Once you have deleted the record, click the + button in the table:

• • • A pop-up appears that allows you to search for SOTI Identity user groups:

• • • Search and add all the SOTI Identity user groups that were associated with the “Custom Role 1” SOTI Identity role prior to upgrade:

• • • Make sure to select the same SOTI MobiControl device group (“My Company” in this example) for each SOTI Identity user group entry in this table because the “Custom Role 1” SOTI Identity role might have multiple user groups associated with it:

• • • Click Next, then Finish to save the policy

• • Shared Device Configuration
    • Navigate to the impacted device group. In this example it is \\My Company\Management Devices.
    • Right click and select Advanced Configuration.
    • In the Advanced Configuration pop-up click Shared Device.
    • Under Configuration Settings you should see the “Custom Role 1” entry under User Groups:

• • • Scroll towards the right and you should see a Delete button. Click to delete the record, then click +:

• • • Search for and add all the SOTI Identity user groups that were associated with the “Custom Role 1” SOTI Identity role prior to upgrade:

• • • Click SAVE to save the changes.

• • Profile/App Policy/Compliance Policy Assignment
    • Navigate to the impacted Profile/App Policy/Compliance Policy
    • Right click and select Assign
    • Navigate to the users tab on the assignment dialog
    • Under "User Group Targets" you should see Idp Group Name “Custom Role 1”:

• • • Remove the "Custom Role 1" and add all the SOTI Identity user groups that were associated with the “Custom Role 1” SOTI Identity role prior to upgrade:

• • • Click ASSIGN to save the changes.

If you have questions or need additional assistance, please contact our support team.'