Predeclared Devices needs to be administered by ConfigMgr users who are not full site admins
Within ConfigMgr 1606 the ability to predeclare devices was added, allowing you to import single or multiple 'company' mobile assets. Only full site admins can perform this action, this needs to be enabled as a security role or permission allowing non full site admins to complete the task.
We added permissions for the entire Corporate-owned Devices node — including Predeclared Devices — for the Asset Manager and Company Resource Access Manager roles back in the Configuration Manager 1610 Technical Preview as described here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1610#additional-security-role-support
We did roll this change into the Configuration Manager 1610 current branch release as well.
Does this meet your needs?
Has anyone found a solution to this? Currently running SCCM 1702. The above groups permissions do not seem to provide the necessary permissions to perform a DEP Sync.
Brian Clark commented
Hi Tyler, we are seeing issues with the 'DEP Sync' button specifically. We receive an error saying the following - (I have changed the domain/user name) in the example below.
ConfigMgr Error Object:
instance of SMS_ExtendedStatus
Description = "User \"domain\\user.name\" does not have permission to read/update Action Account Result. Full admin and all scope is needed.";
ErrorCode = 1112017920;
File = "e:\\qfe\\nts\\sms\\siteserver\\sdk_provider\\smsprov\\sspactionaccountresult.cpp";
Line = 85;
Operation = "PutInstance";
ParameterInfo = "";
ProviderName = "ExtnProv";
StatusCode = 2147749889;