Manage Roles

Last updated June 5th, 2025

When you click the Roles tab, you’ll see a list of every role created in your Knox MSP Portal.

The following information is available in the table:

  • ROLE NAME — The name of the role created in your account. Click a name to view or edit the role’s permissions, or to delete the role from your account.
  • DESCRIPTION — A description of the role. This field is optional during role creation, and may not be available for all roles.
  • ADMINS — The number of admins associated with this role. Click the link to view the names of each associated admin.

Create a role

By default, the Knox MSP Portal includes two roles built into the service: Super Admin and MSP Admin.

The primary account holder (the admin that first signed up for a Knox account) is automatically assigned the Super Admin role. As a Super Admin, you have full access to all Knox MSP Portal functionality, including the ability to delete other admins' accounts.

When inviting other admins to manage your account, you can assign them the MSP Admin role. This role also grants the admins full access to all Knox MSP Portal functionality; however, they cannot delete the Super Admin account.

If you don’t want to give admins full access to the Knox MSP Portal, you can instead create a custom role that limits them to specific functionality. To create a custom role:

  1. On the left navigation pane, click Roles, then in the top-right, click CREATE ROLE.

  2. On the Create role page, provide a name and description for the role in the BASIC INFORMATION field.

  3. Under Permission type, choose whether you want to have the same permissions for both the Knox MSP and Customer portals, or whether you want the two portals to have different permissions. Depending on the permission type selected, the available permission settings will vary. See Role permissions for more details.

    The Permission type options will not appear until you’ve added a customer to the Knox MSP Portal. See Add customers for more information.

  4. (Optional) Click VIEW-ONLY PERMISSIONS to automatically set all permissions to view-only status.

  5. In the right column, customize your permissions for this role. See Role permissions to learn about each permission setting.

  6. Click SAVE to create the role.

Role permissions

Depending on whether you selected SAME PERMISSIONS or DIFFERENT PERMISSIONS, the available role permission settings will vary.

Same permissions

When selecting SAME PERMISSIONS, any permissions common to both the Knox MSP Portal and the customer’s Knox Admin Portal can be configured at the same time. For example, if you set the Devices and uploads permission to View-only, the admin can view the Devices page on both portals, but cannot manage device information or approve device uploads.

The following list describes the available role permissions when selecting SAME PERMISSIONS:

COMMON PERMISSIONS

Options:

  • View only — Admins can view the Customers page on the MSP console, but they cannot add a new customer or make any changes.
  • Manage customer account — Admins can add and edit your managed customers. After selecting this setting, you must select at least one of the following options:
    • Add a new customer and edit customer information — Admins can add new customers to the Knox MSP portal and make changes to existing customer accounts.
    • Delink customer — Admins can perform a DELINK action from the Customers page.

Options:

  • Invite and manage administrators | Admins will have access to the Administrators page on the MSP Portal, allowing them to invite, deactivate, reactivate, and revoke other Admins.

    Granting this permission lets the MSP admin delete, edit, or change permissions for other admins. Exercise caution when granting it.

  • Manage roles | Admins will have access to the Roles page on the MSP Portal, allowing them to create, edit, and delete other roles.

    An admin with this permission can change their own role to include all permissions.
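The two cautions above (Manage roles, Invite and manage administrators) and the dependency notes in this permission list can be checked mechanically when reviewing custom roles. The following Python is an added example, not Samsung's code: the role records, their dict layout, and the HIGH/MEDIUM/INFO severities are assumptions, while the permission names are the ones used on this page.

```python
# Added example: a least-privilege review of custom role definitions.
# The role records are constructed; this page does not describe an export
# format, so the dict layout is an assumption. Permission names are the page's.

# Permissions the page warns about, with the reason it gives.
ESCALATION = {
    "Manage roles": "can change their own role to include all permissions",
    "Invite and manage administrators":
        "can delete, edit, or change permissions for other admins",
}
# Each Delete permission also allows the matching Manage actions.
IMPLIES = {
    "Delete devices": "Manage devices",
    "Delete resellers": "Manage resellers",
    "Delete device users": "Manage device users",
    "Delete library": "Manage library",
}
# Manage library needs these enabled before all of its options work.
REQUIRES = {"Manage library": {"Manage devices", "Manage profiles and campaigns"}}


def effective_permissions(granted):
    """Expand granted permissions with the Manage actions that Delete includes."""
    return set(granted) | {IMPLIES[p] for p in granted if p in IMPLIES}


def review_role(role):
    """Return sorted (severity, message) findings for one role record."""
    perms = effective_permissions(role["permissions"])
    findings = []
    for perm, reason in ESCALATION.items():
        if perm in perms:
            # Assumed severity scheme: a role already assigned to admins is live risk.
            severity = "HIGH" if role.get("admins", 0) > 0 else "MEDIUM"
            findings.append((severity, f"{perm}: holder {reason}"))
    for perm, needed in REQUIRES.items():
        missing = sorted(needed - perms) if perm in perms else []
        if missing:
            findings.append(("INFO", f"{perm}: limited without {', '.join(missing)}"))
    return sorted(findings)


ROLES = [  # constructed sample data
    {"name": "Helpdesk", "admins": 4,
     "permissions": ["View activity log", "Manage roles"]},
    {"name": "App publisher", "admins": 2,
     "permissions": ["Delete library", "Delete devices"]},
]
```

A role that holds Manage roles should be reviewed as if it were MSP Admin, whatever else its permission list shows.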

Options:

  • View only | Admins can view the Profiles page on the MSP Portal and on the Knox Configure and Knox Mobile Enrollment consoles, and the Campaigns page on the Knox E-FOTA console.
  • Manage profiles and campaigns | Admins can copy Profiles on the MSP Portal, create and edit Profiles in Knox Configure and Knox Mobile Enrollment, and create and edit Campaigns in Knox E-FOTA.

Options:

  • View only | Admins can view the Devices page on the MSP and customer portals.
  • Manage devices | Admins can perform device actions and get access to the BULK ACTIONS tab on the Devices page on the MSP and customer portals, but they can’t delete devices.
  • Delete devices | Admins can also delete devices in addition to the actions allowed in the Manage devices permission.

Options:

  • View only | Admins can view the Licenses page on the MSP and customer portals.
  • Manage licenses | Admins can perform license actions like Get a license, Enter license key, and Replace a license on the MSP and customer portals.

Options:

  • View activity log | Admins can view the Activity log page on the MSP and customer portals.

    If this permission is disabled, admins can still access the Activity log page from the console menu to view events that they trigger, but they won’t be able to view events triggered by any managed customers.

Options:

  • View only | Admins can view the Resellers page on the MSP and customer portals.
  • Manage resellers | Admins can register resellers and manage reseller preferences on the MSP and customer portals, but they can’t delete resellers.
  • Delete resellers | Admins can also delete resellers in addition to the actions allowed in the Manage resellers permission.

CUSTOMER PORTAL PERMISSIONS

Options:

  • View only | Admins can view the Device users page and download device users as a CSV file on the Knox Mobile Enrollment console.
  • Manage device users | Admins can add device users and edit passwords on the Knox Mobile Enrollment console.
  • Delete device users | Admins can also delete device users in addition to the actions allowed in the Manage device users permission.

Options:

  • View only | Admins can view the Library page on the Knox Configure console.

  • Manage library | Admins can add new mobile apps and perform app-related actions like Add app version, Update app in profile, and Download app.

    You must also enable the Manage devices and Manage profiles and campaigns permissions to enable all options.

  • Delete library | Admins can also delete apps in addition to the actions allowed in the Manage library permission.

Options:

  • View only | Admins can view the Dashboard on the Knox E-FOTA console.
  • Manage dashboard view and data collection | Admins can perform actions on the Dashboard like Pin a campaign and Add a new chart.

Options:

  • View only | Admins can view the EMM groups page on the Knox E-FOTA console.
  • Manage EMM groups | Admins can add and edit EMM group information.

Options:

  • Manage default support information | Admins can modify the Default support information for Knox E-FOTA on the customer’s Knox Admin Portal account Settings page.

    Admins can still view the current support information. They just can’t modify the information unless this permission is granted.

  • Manage Privacy policy settings | Admins can modify the Privacy policy settings for Knox E-FOTA on the customer’s Knox Admin Portal account Settings page.

    Admins can still view the current privacy policy setting. They just can’t modify the policy unless this permission is granted.

Options:

  • Manage reporting settings | Admins can modify the email alert settings for Knox Asset Intelligence in the Knox Admin Portal account Settings page.

Options:

  • Manually start | Allow MSP admins to send a code to manually start a Knox Remote Support session.
  • Automatically start | Allow MSP admins to automatically start a Knox Remote Support session without a code.

Options:

  • View only | MSP admins can only view the device’s screen during a Knox Remote Support session.
  • Manage device during session > Capture screen, record screen, and transfer files | MSP admins can capture the device user’s screen, record screens, and transfer files.
  • Manage device during session > Control end-user devices remotely | MSP admins can control the device’s home screen menu, and have access to the power, volume, and rotate buttons.

KNOX MANAGE PERMISSIONS

Options:

  • View only | Admins have access to the customer’s Knox Manage console, but can’t make any changes.
  • Full access | Admins have full access to the customer’s Knox Manage console, and can make changes to devices, apps, and policies.

Different permissions

When selecting DIFFERENT PERMISSIONS, any permissions common to both the Knox MSP Portal and the customer’s Knox Admin Portal can be configured at the same time. For example, if you set the Devices and uploads permission to View-only, the admin can view the Devices page on both portals, but cannot manage device information or approve device uploads.

The following list describes the available role permissions when selecting SAME PERMISSIONS:

COMMON PERMISSIONS

Options:

  • View only — Admins can view the Customers page on the MSP console, but they cannot add a new customer or make any changes.
  • Manage customer account — Admins can add and edit your managed customers. After selecting this setting, you must select at least one of the following options:
    • Add a new customer and edit customer information — Admins can add new customers to the Knox MSP portal and make changes to existing customer accounts.
    • Delink customer — Admins can perform a DELINK action from the Customers page.

Options:

  • Invite and manage administrators | Admins will have access to the Administrators page on the MSP Portal, allowing them to invite, deactivate, reactivate, and revoke other Admins.

    Granting this permission lets the MSP admin delete, edit, or change permissions for other admins. Exercise caution when granting it.

  • Manage roles | Admins will have access to the Roles page on the MSP Portal, allowing them to create, edit, and delete other roles.

    An admin with this permission can change their own role to include all permissions.

Options:

  • View only | Admins can view the Profiles page on the MSP Portal and on the Knox Configure and Knox Mobile Enrollment consoles, and the Campaigns page on the Knox E-FOTA console.
  • Manage profiles and campaigns | Admins can copy Profiles on the MSP Portal, create and edit Profiles in Knox Configure and Knox Mobile Enrollment, and create and edit Campaigns in Knox E-FOTA.

Options:

  • View only | Admins can view the Devices page on the MSP and customer portals.
  • Manage devices | Admins can perform device actions and get access to the BULK ACTIONS tab on the Devices page on the MSP and customer portals, but they can’t delete devices.
  • Delete devices | Admins can also delete devices in addition to the actions allowed in the Manage devices permission.

Options:

  • View only | Admins can view the Licenses page on the MSP and customer portals.
  • Manage licenses | Admins can perform license actions like Get a license, Enter license key, and Replace a license on the MSP and customer portals.

Options:

  • View activity log | Admins can view the Activity log page on the MSP and customer portals.

    If this permission is disabled, admins can still access the Activity log page from the console menu to view events that they trigger, but they won’t be able to view events triggered by any managed customers.

Options:

  • View only | Admins can view the Resellers page on the MSP and customer portals.
  • Manage resellers | Admins can register resellers and manage reseller preferences on the MSP and customer portals, but they can’t delete resellers.
  • Delete resellers | Admins can also delete resellers in addition to the actions allowed in the Manage resellers permission.

CUSTOMER PORTAL PERMISSIONS

Options:

  • View only | Admins can view the Device users page and download device users as a CSV file on the Knox Mobile Enrollment console.
  • Manage device users | Admins can add device users and edit passwords on the Knox Mobile Enrollment console.
  • Delete device users | Admins can also delete device users in addition to the actions allowed in the Manage device users permission.

Options:

  • View only | Admins can view the Library page on the Knox Configure console.

  • Manage library | Admins can add new mobile apps and perform app-related actions like Add app version, Update app in profile, and Download app.

    You must also enable the Manage devices and Manage profiles and campaigns permissions to enable all options.

  • Delete library | Admins can also delete apps in addition to the actions allowed in the Manage library permission.

Options:

  • View only | Admins can view the Dashboard on the Knox E-FOTA console.
  • Manage dashboard view and data collection | Admins can perform actions on the Dashboard like Pin a campaign and Add a new chart.

Options:

  • View only | Admins can view the EMM groups page on the Knox E-FOTA console.
  • Manage EMM groups | Admins can add and edit EMM group information.

Options:

  • Manage default support information | Admins can modify the Default support information for Knox E-FOTA on the customer’s Knox Admin Portal account Settings page.

    Admins can still view the current support information. They just can’t modify the information unless this permission is granted.

  • Manage Privacy policy settings | Admins can modify the Privacy policy settings for Knox E-FOTA on the customer’s Knox Admin Portal account Settings page.

    Admins can still view the current privacy policy setting. They just can’t modify the policy unless this permission is granted.

Options:

  • Manage reporting settings | Admins can modify the email alert settings for Knox Asset Intelligence in the Knox Admin Portal account Settings page.

Options:

  • Manually start | Allow MSP admins to send a code to manually start a Knox Remote Support session.
  • Automatically start | Allow MSP admins to automatically start a Knox Remote Support session without a code.

Options:

  • View only | MSP admins can only view the device’s screen during a Knox Remote Support session.
  • Manage device during session > Capture screen, record screen, and transfer files | MSP admins can capture the device user’s screen, record screens, and transfer files.
  • Manage device during session > Control end-user devices remotely | MSP admins can control the device’s home screen menu, and have access to the power, volume, and rotate buttons.

KNOX MANAGE PERMISSIONS

Options:

  • View only | Admins have access to the customer’s Knox Manage console, but can’t make any changes.
  • Full access | Admins have full access to the customer’s Knox Manage console, and can make changes to devices, apps, and policies.
