Forum Discussion
jangliss
Apr 13, 2021Iron Contributor
Teams Phone device refuse login with 1449/1.0.94.2021033002 firmware and ADFS
Has anybody been using ADFS with Teams noticed an issue with the last two firmware updates, when performing logins off-network? I have a customer running Yealink MP56 phones and the latest firmwa...
jangliss
Jun 16, 2021Iron Contributor
I've had sporadic success with doing a factory reset after or before doing a firmware update. Not sure if the local cache is keeping some data that might be the cause or not. If I remember correctly, you can hold the * and # keys when you plug the power in to clear the Teams cache on Yealink devices.
I just did an MP56 and a T56a, both having been factory reset before (mostly because I was an idiot and signed into the wrong phone admin interface), and both successfully logged in after coming back up. I've got more testing to do (login to another tenant without adfs, etc) to see if I can break it again.
jangliss
Jun 30, 2021Iron Contributor
So I have a small update from Microsoft on this, and it's more of a temporary fix from what I understand.
- Login to https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/enrollmentRestrictions
- Create a new Device Type Restriction
- Give it a name
- On "Platform Settings" change "Android Enterprise (work profile)" to BLOCK
- Make sure "Android Device Administration" is set to ALLOW
- Click Next
- Click Next
- Under Assignments click Add Group and select the group of users that are signing into devices.
- Click through to finish the setup
Wait a few minutes, and reboot the phone, login again.
I'm still trying to find out how to resolve the issue correctly, but this seems to have helped most of the cases I've had issues with so far.
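The same enrollment-restriction workaround, scripted against Microsoft Graph so it can be reproduced and read back consistently across tenants. This is an added example, not code from the thread or from Microsoft support; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account holds the DeviceManagementServiceConfig.ReadWrite.All permission, and that $GroupId is the object ID of the group whose users sign in to the phones (the value below is a placeholder). The display name and description are made up for the example.

```powershell
# Added example (not from the thread): scripts the Intune "Device Type Restriction"
# workaround described above with the Microsoft Graph PowerShell SDK.
param(
    # Placeholder: replace with the object ID of the group of users who sign in to the phones.
    [string]$GroupId = '00000000-0000-0000-0000-000000000000'
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

# Restriction body: block Android Enterprise (work profile), keep Android device
# administrator enrollment allowed. Property names follow the Graph
# deviceEnrollmentPlatformRestrictionsConfiguration resource type.
$body = @{
    '@odata.type'             = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    displayName               = 'Teams phones - device administrator only'   # example name
    description               = 'Workaround for Teams phone sign-in loop'    # example text
    androidRestriction        = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
    androidForWorkRestriction = @{ platformBlocked = $true;  personalDeviceEnrollmentBlocked = $false }
}

$restriction = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the restriction to the group of users that sign in to the devices.
$assignBody = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/$($restriction.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the configuration back and confirm the two settings the workaround depends on.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/$($restriction.id)"
[pscustomobject]@{
    Id                                  = $check.id
    AndroidEnterpriseWorkProfileBlocked = $check.androidForWorkRestriction.platformBlocked   # expect True
    AndroidDeviceAdminBlocked           = $check.androidRestriction.platformBlocked          # expect False
}
```

The read-back at the end is the part worth keeping around: it is the check you would run after the portal steps too, and it gives you something to compare when a later firmware or tenant change makes the loop reappear. Note that this only changes which enrollment path the phone is allowed to take; the Intune licence and Conditional Access discussion later in the thread is unaffected by it.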
BrandonJ365
Jun 30, 2021Brass Contributor
I was given the same and it was in no way suggested or hinted as being a temporary fix. I still have issues/concerns with the requirement of Intune and am challenging why the Common Area Phone license doesn't include an Intune license if it truly is a requirement. No word back as of yet.
We have implemented the above "solution" and it certainly does resolve the logon loop issue. However, we've seen plenty of inconsistency along the way. For example, in some cases... let's call it 20% of the time, the phone will halt at the feature apps company portal screen as if you are being offered apps to install similar to a mobile phone. Unplugging and replugging the phone gets it booting up to where it should be but still a nuisance.
BrandonJ365
Jul 01, 2021Brass Contributor
The latest nugget from the Department of Infinite Wisdom with regard to common area phones:
"I have also reached out to PG from Intune, and they've confirmed Intune license is not required for Common Area Phone, but you will need to disable Conditional Access policies for it to work."
So just disable security features... got it.
KruthikaPonnusamy
Jul 09, 2021Microsoft
Conditional access policies are enforced as part of Intune enrollment. It was an oversight in previous builds where we were not enforcing license requirements for enrollment. This has been fixed.
It is by design that if you want to enforce CA policies, you will need an Intune license. For CAP SKU, Intune license is an add-on.
jangliss
Jun 30, 2021Iron Contributor
Thanks Brandon, I challenged the support rep for more details and they said it was "the fix and wasn't temporary" despite an earlier email stating it was "fix for now". Requesting more documentation and details, because if this is now a hard requirement, it needs to be written out and documented. None of the partner vendors I work with have heard of it, and there aren't any details written elsewhere either.
Jeroen Dijkman
Jul 01, 2021Brass Contributor
Hi All
I also received this "workaround/permanent fix" from MS support after a call. They also told me that with this setup you do not need an Intune license, which I concluded after testing is nonsense. With the Intune license it works, yes of course, because it enrolls into Intune, but this I have already described in my previous posts.
So I have told MS support this cannot be the permanent fix and they will forward it again to the backend team.
We will see what happens.
And in terms of configuration you do need to setup a separate device restriction profile, that is only needed if you want to assign the Device Administrator option to a specific group.
One final note if you do not allow personal devices you can use the same scenario but you will have to upload the IP phone serial number as corporate identifier.
to be continued......