Forum Discussion
Exclude some Android devices from Intune
Hi TompaB!
Am I right to assume what you're really looking for is to deny access to Teams for unmanaged (i.e. not Intune-enrolled) Android devices? If so, you will need to apply Conditional Access. For instance, a policy like below:
- Users or workload identities: include "All users", or select a group that suits your needs. Make sure you don't lock yourself out by accident, so exclude your admin account while testing.
- Cloud apps or actions: include "Microsoft Teams", or all Office 365 apps if you want to deny access to things like Exchange Online as well.
- Conditions:
  - Device platforms: select "Yes" to enable this, and then include "Android".
  - Client apps: select "Yes" to enable this, and then include all client apps, assuming you want to block access in browsers and such as well.
  - Filter for devices: select "Yes" to enable this, and then use a filter to exclude managed devices, like "(device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"])".
    This is the most important bit, as this is where we make sure that devices managed by Intune (which is what that mdmAppId GUID means) will be excluded from this policy. See also: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices.
- Grant: select "Block access".
Now, to complete your configuration, you may want to explicitly configure a minimum OS version required for Intune enrollment (and not depend on it not being available). To do this, take a look under Devices > Enroll devices > Enrollment device platform restrictions. You can either change the base, catch-all "Default" policy, or create a new one with a higher priority.
Please note, this will still require the Conditional Access policy above to block access to cloud apps, like Teams.
Finally, I'd like to add that keeping these Android 4.4 devices in your environment (even though you are blocking them like above) expands your attack surface. It's better to get rid of them completely, if at all possible.
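The policy described in the answer above, expressed as the Microsoft Graph request body it corresponds to, with a lock-out sanity check and a simplified evaluation of which sign-ins it would block. This is an added example, not code from the thread or from Microsoft; the policy display name and the admin object ID are placeholders, and the evaluator only models the conditions this one policy uses.

```python
import re
from typing import Optional

INTUNE_MDM_APP_ID = "0000000a-0000-0000-c000-000000000000"  # Intune mdmAppId from the thread
ADMIN_OBJECT_ID = "<admin-object-id-placeholder>"            # placeholder, not a real object ID


def build_policy(admin_id: str = ADMIN_OBJECT_ID, enforce: bool = False) -> dict:
    """Graph body for POST /identity/conditionalAccess/policies: block unmanaged Android."""
    return {
        "displayName": "Block unmanaged Android devices (assumed name)",
        # Start in report-only mode; switch to enforce=True once sign-in logs look right.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [admin_id]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["android"]},
            "clientAppTypes": ["all"],
            "devices": {"deviceFilter": {
                "mode": "exclude",  # devices matching the rule fall out of scope
                "rule": f'device.mdmAppId -in ["{INTUNE_MDM_APP_ID}"]',
            }},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lockout_safe(policy: dict) -> bool:
    """True only if an admin is excluded and the filter excludes Intune-managed devices."""
    c = policy["conditions"]
    flt = c["devices"]["deviceFilter"]
    return bool(c["users"]["excludeUsers"]) and flt["mode"] == "exclude" \
        and INTUNE_MDM_APP_ID in flt["rule"]


def would_block(policy: dict, platform: str, mdm_app_id: Optional[str], user_id: str) -> bool:
    """Simplified check: does this policy block a sign-in from (platform, device MDM app)?"""
    c = policy["conditions"]
    if policy["state"] != "enabled" or user_id in c["users"]["excludeUsers"]:
        return False  # report-only policies and excluded users are never blocked
    if platform not in c["platforms"]["includePlatforms"]:
        return False
    flt = c["devices"]["deviceFilter"]
    rule_ids = re.findall(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", flt["rule"])
    matches = mdm_app_id in rule_ids
    if (flt["mode"] == "exclude" and matches) or (flt["mode"] == "include" and not matches):
        return False  # device filtered out of the policy's scope
    return "block" in policy["grantControls"]["builtInControls"]
```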
This is solved. We needed to approve the specific application name in the Intune portal.
When it was approved, it never triggered joining Intune.