Provide the ability to separate retire, wipe and delete resource permissions for different security roles
At the moment, a person requires the delete resource right to wipe/retire a device. Some organisations would prefer to separate the ability to delete, wipe and retire devices.
Hybrid MDM is no longer supported by Configuration Manager. See: https://docs.microsoft.com/en-us/mem/configmgr/mdm/understand/what-happened-to-hybrid
Iain Fairbairn commented
I agree, we have basic service desk people that we want to give only lock and reset passcode but not retire or wipe. We got around that by obscuration by using a PowerShell GUI tool with Retire wipe disabled instead of using the CM2012 console. They still have the permissions to retire/wipe but the tool they have only has the lock reset passcode options enabled. downside is if they evr get the full CM20-12 console then they could retire/wipe with the permissions they have.