This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 47%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I have recently been handed the Intune administrator role or a system with the base set up. I have created multiple auto enrollment profiles that I would like each "device manager" assigned to various departments to set to a device based off their needs. I have a custom role in place to try to allow these device managers access to view the token and assign profiles, the only problem is that they are unable to even see the token. These roles are similar to the built in Policy and Profile manager roles in Intune, but with a little more rights. I have all of the Enrollment program settings set to update/assign profiles and read tokens but missing a setting somewhere if they can't even view the token to start viewing devices and profiles.
@DJCOS Thanks for posting in our Q&A.
To clarify this issue, what did you mean auto enrollment profiles? Based on my understanding, an intune admin role is enough to assign profiles and configure device enrollment settings.
If there is anything update, feel free to let us know.
@Lu Dai-MSFT thank you for responding. When I go to assign a profile for an iPhone/iPad(currently only enrolling iOS devices) in Apple enrollment > Enrollment program tokens and select a token, I am now able to search/sync devices or view/create profiles. When setting up "Device Managers"(my role created for those enrolling devices) and having them go to enroll a device, they don't see any tokens listed. I would like for them to assign these profiles themselves if possible, but feel I am missing a setting in their custom roles. Hopefully that adds a little more clarity.
@Lu Dai-MSFT I may have discovered the cause, which was missing various scope tags for the tokens. Going to try to see if various device managers are available to give this a whirl.
@DJCOS Maybe you are right.
We can use role-based access control and scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. Roles determine what access admins have to which objects. Scope tags determine which objects admins can see.
Honestly, with the limitation resource, I haven't tried it.
Hope everything goes well with you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 7.000000000000001%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
In my case de "Default" tag is assigned to the enrollment profile which I would like to delegate permissions of. And this tag has been selected when assigning the custom role. @DJCOS did you manage to assign a profile after adding tags to tokens?
HI @John Snoek I was able to assign various scope roles and had each member assigned to each of these roles give it a try and each had success. Now to find a way to automatically assign the scope tags to the devices that get assigned these specific roles.