As we have enrolled a number of Yealink Teams devices into Intune I thought I would share my setup. We use Android Work Profiles extensively and are unwilling to turn off that functionality. But we've found a workable compromise that balances security and usability for us. Please note that we have AAD Premium P2, we use Conditional Access and we also require MFA for device joins within our AAD's settings. If you're using Conditional Access, make sure your policies are set up not to inadvertently prevent sign-in before Intune can start registration. An easy way to check for this is to test with "What If?" and also to look at the sign-in logs for the users concerned, in AAD.
Onwards.
- Firstly, ensure all firmware on the devices is up-to-date. It was a bit of a PITA without Teams Admin Centre doing the work for us, but given the content of the original post, we decided it was prudent to "start right."
- We registered the serial number of each device as a corporate identifier within Intune. This was trivial to retrieve via the web interface of each device, or on the box. If you have a large fleet incoming, you should be able to get a .csv of SNs from your supplier.
- We enabled Android Device Administrator within Intune (Android Enrolment > Personal and corporate-owned devices with device administrator privileges > Ticked the checkbox)
- In our Enrolment restrictions, we set: Android Device Administrator: minimum OS version to 7.0 and blocked personally-owned. (This way, we don't need to differentiate restrictions by user group, although your own ruleset should be set up to accommodate your organisation's policies.)
- An Android Device Administrator Compliance Policy was set up. This requires just:
  - min OS = 7.1 (current version on Yealink is 7.1.2. We settled on '7.1' in our policy.)
  - Company Portal App Integrity = require
  - device is not rooted = require
- That's it. We couldn't get any further compliance restrictions to work - we got sign-in hangs otherwise.
- Devices were confirmed as logged out and then power-cycled.
- Devices were logged into by Intune- and Teams-licensed users.
- The devices registered into Intune OK and were marked as compliant within a minute or two.
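As an added example (not part of the original post), here is a PowerShell check that cross-references the serial numbers you registered as corporate identifiers against what Intune reports for each managed device, flagging anything missing, below the 7.1 minimum, non-compliant or rooted. It assumes the Microsoft.Graph PowerShell SDK for a live run; the device data and serial numbers below are constructed so it runs offline.

```powershell
# Added example: audit registered Yealink serials against Intune's managedDevice records.
# Field names (SerialNumber, OsVersion, ComplianceState, JailBroken) are the Graph
# managedDevice properties as surfaced by the Microsoft.Graph PowerShell SDK.

function Test-YealinkFleet {
    param(
        [Parameter(Mandatory)] [string[]] $CorporateSerials,   # serials uploaded as corporate identifiers
        [Parameter(Mandatory)] [object[]] $ManagedDevices,     # Graph managedDevice objects
        [version] $MinimumOs = [version]'7.1'                  # matches the compliance policy above
    )
    foreach ($serial in $CorporateSerials) {
        $dev = $ManagedDevices | Where-Object { $_.SerialNumber -eq $serial }
        if (-not $dev) {
            # Registered as corporate but never enrolled: sign-in or enrolment restriction problem
            [pscustomobject]@{ Serial = $serial; Status = 'NOT ENROLLED'; Detail = 'no managedDevice with this serial' }
            continue
        }
        $issues = @()
        # Compare as [version] so '7.1.2' counts as >= '7.1' and '7.10' is not read as '7.1'
        if ([version]$dev.OsVersion -lt $MinimumOs) { $issues += "OS $($dev.OsVersion) below $MinimumOs" }
        if ($dev.ComplianceState -ne 'compliant')     { $issues += "complianceState=$($dev.ComplianceState)" }
        if ($dev.JailBroken -eq 'True')               { $issues += 'reported as rooted' }
        [pscustomobject]@{
            Serial = $serial
            Status = $(if ($issues) { 'REVIEW' } else { 'OK' })
            Detail = ($issues -join '; ')
        }
    }
}

# Constructed sample standing in for the Graph response. For a live run replace it with:
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   $devices = Get-MgDeviceManagementManagedDevice -All
$devices = @(
    [pscustomobject]@{ SerialNumber = 'YL0001'; OsVersion = '7.1.2'; ComplianceState = 'compliant';    JailBroken = 'Unknown' },
    [pscustomobject]@{ SerialNumber = 'YL0002'; OsVersion = '7.0';   ComplianceState = 'noncompliant'; JailBroken = 'False' },
    [pscustomobject]@{ SerialNumber = 'YL0003'; OsVersion = '7.1.2'; ComplianceState = 'compliant';    JailBroken = 'True' }
)
# Constructed serial list; YL0004 is registered as corporate but has never signed in
$serials = 'YL0001', 'YL0002', 'YL0003', 'YL0004'

Test-YealinkFleet -CorporateSerials $serials -ManagedDevices $devices | Format-Table -AutoSize
```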
Hope this helps someone! The way we've set this up, our end users don't notice any difference - they are pointed to Android Enterprise on their own phones as usual. And no-one can add an Android device with its super-relaxed compliance policy unless it's prepped as a 'corporate' device in Intune. If you're using corporate Android smartphones in your fleet, you may have to tweak your restrictions ruleset to accommodate - YMMV.