User role
Having BenQ Boards at school is incredibly helpful with lessons, as they allow both teachers and students to utilize so many interactive tools and features. But since these boards are often permanent classroom fixtures, anyone can easily walk into a room and use them freely. This now brings up an essential security-related question: How much authority should you grant each user?
The answer really depends on your school’s security strategy. If your school is small enough, and it’s easy to keep tabs on how your students use the board, then just having usage guidelines should suffice. But if your boards are in environments where guests can come in at any time, then you may be opening up your school to potential data security risks.
Fortunately for schools, BenQ Boards come with security features that allow you to enforce stricter access controls.
Account management portals and access settings
The BenQ Account Management System (AMS) is mostly for teachers. AMS is an online platform that they can use to log in to their boards, personalize their home screens, bookmark webpages, and most importantly, link their cloud storage account for easy access to their lesson files. Administrators can also use AMS to assign roles for each user. We shall discuss this in more detail below.
On the other hand, you also have the BenQ Identity and Access Management (IAM) platform, which is designed for IT administrators. IAM is a cloud-based management console that allows admins to enforce access controls for their BenQ Boards. They can easily add and remove authorized users (either manually or by syncing with their school’s directory service) as well as assign them specific roles.
What roles can you assign to BenQ Board users?
Below is the list of different user roles. But before we get to that, we must first discuss three settings that affect the level of access these users have on the BenQ Board.
1. Is AMS enabled?
When setting up their boards, IT administrators have the option to either enable or disable the AMS service for their BenQ Board. Without AMS, everyone will have the same level of user privileges and access as an administrator. This can work for very small schools with only a handful of BenQ Boards, where teachers can easily enforce usage guidelines and monitor who can access their boards at any given time. But for larger schools, we highly recommend enabling the service for better control and security.
How to enable AMS
1. On the bottom left corner of the screen, tap User.
2. Enable AMS Service.
3. Enter the local administrator password, and then tap Log in.
2. Is Authentication mode enabled?
Authentication mode is a special setting that administrators can find on AMS. When activated, this mode requires everyone to log in with a registered user account on IAM before they can use the BenQ Board or access any of its features.
How to enable the Authentication mode
1. Log in to https://ams.benq.com.
2. Go to Equipment Management.
3. Select a device.
4. Click Set up equipment information.
5. Enable Authentication mode.
3. Are users assigned special roles?
IT administrators can go to their school’s AMS console and assign a special role (Restricted user or Administrator) to an individual user or user groups. When someone becomes a restricted user, they will only be able to modify the most basic BenQ Board settings, such as display brightness and volume controls. They won’t be able to tamper with critical device settings, which are normally reserved for those assigned the administrator role.
How to assign user roles
1. Log in to https://iam.benq.com.
2. Go to Accounts.
3. Select a user.
4. Click Edit service permissions.
5. For AMS, select a role.
You can select between User (also known as Authenticated User) and Restricted User.
Here’s the summary of all the user roles:
AMS Service
Public user
If AMS is disabled on the board, you cannot assign any of the roles listed below. The board is essentially for public use, and all users are considered public users and have administrator privileges.
Disabled
Guest user
A guest user is anyone without a registered user account on IAM.
Enabled
Administrator
This role is assigned to the people tasked to manage their BenQ Boards. They have access to all the device and user list settings.
Enabled
Authenticated user
Any user with a registered account on IAM is considered an authenticated user.
Enabled
Resticted user
This is an authenticated user who can only access their BenQ Board’s basic settings.
Enabled
Which role has the most privileges?
User role
Level of authority
Administrator
Since administrators require full access in order to effectively manage and maintain their BenQ Boards, they have control over all settings.
Highest
Public user
Similar to administrators, public users have access to the full set of device settings and all the local files and folders. But even with these privileges, they have no ability to monitor or control how other people access or use the device.
High
Authenticated user
As their accounts are registered on IAM, they can log into their board, access their files and folders, and are allowed to modify their device’s settings. But unlike administrators, they do not have access to critical settings such as factory reset, among other things.
Medium
Restricted user
With stricter controls imposed on their accounts, restricted users only have access to their files and folders as well as the board’s key features and some basic settings.
Low
Guest user
If Authentication mode is disabled, then guests can still use the board’s key features. These include connections to external input sources, the EZWrite whiteboard, and wireless screen sharing through InstaShare.
If Authentication mode is enabled, guests will not be able to use the board at all.
No Authority
User Role
AMS
Will the user be able to link their cloud storage accounts?
Is the user allowed to modify the board’s settings?
Will the user be able to access other users’ local files and folders?
Public user
Disabled
Full range of settings
All users
Guest user
Enabled
Authenticated user
Enabled
Regular user settings
Restricted user
Enabled
Only basic settings
Administrator
Enabled
Full range of settings
Only the administrator
What combination of settings offers the strongest security?
Earlier we noted that there are three different settings that affect user access on BenQ Boards:
Is AMS enabled?
Is Authentication mode enabled?
What roles are assigned to each user?
How you configure all three affect the types of users who can access the board, and subsequently, the level of security that comes with the level of access they have. The combination that offers the best security is when AMS and Authentication mode are enabled, and the Restricted user role is assigned to users.
The diagram and table below further explain what each combination of settings entails.
Level of security
Security Settings
Weakest
As mentioned earlier, if you opt to not use AMS on your BenQ Board, any person with physical access to the board can use features such as EZWrite and InstaShare, view and modify locally stored files and folders, and alter the device settings.
Since there is no way to limit who can do what on the board, it exposes the device and locally stored data to potential compromise and security risks.
Medium
Enabling AMS on your BenQ Board allows you to create or import user accounts, effectively giving authenticated users their own private folders on the board. This helps keep their files separate and prevents other users from changing their home screen preferences.
Guest users will still be able use the board, but they will only have access to the BenQ Board’s key features.
Strong
With the Authentication mode enabled on IAM, all users will be required to log in. This means that only authenticated users can use the board and its features.
Strongest
Assigning the Restricted user role to some authenticated users further enhances security as restricted users are not allowed to modify any critical BenQ Board settings.
