Employee-Owned / Locked-Down Assets (Restricted-Access Device Mode)

Feature Description

Introduce a device-level permission mode that designates an asset as Employee-Owned or Locked-Down, restricting all access except to its assigned owner and global administrators who can only remove the asset—not interact with it.

Intended behavior:

• A technician or employee can enroll their personal device or sensitive workstation into Gorelo for automation, monitoring, and self-service.

• Only the assigned owner may view the asset details, run scripts, browse files, or perform any device-level actions.

• No other technicians—including admins—can:

  • View the file system,

  • Run scripts,

  • Trigger commands,

  • View live data or sessions,

  • Access protected information contained on the device.

• Admins retain only one action: the ability to remove/delete the asset from the portal. They cannot inspect or interact with the device.

Primary use cases:

1. Employee personal devices running Gorelo automations

   • Staff may want their own automations or monitoring rules to operate, but the MSP should not have the ability to browse or interact with the device beyond what the employee triggers.

2. Executive, finance, & HR workstations

   • These assets benefit from automation, patching, and compliance monitoring, but must remain inaccessible to general technical staff—even with logging—due to data sensitivity.

Requested functionality:

• A per-device setting: “Locked-Down Asset (Owner Only Access)”

• Each asset may be assigned to a specific user/technician.

• Only that user sees full device controls; all others see the device as redacted/unavailable.

• Admins can only delete the asset—no access or actions allowed.

• Automations, monitoring, and alerts continue to function normally in the background.

Goal:
Provide MSPs and internal teams with a secure method to include sensitive or personal devices in the automation and RMM ecosystem without exposing data or high-risk access to other technicians.