Forum Discussion
Teams Phone device refuses login with 1449/1.0.94.2021033002 firmware and ADFS
- Jun 30, 2021
So I have a small update from Microsoft on this, and it's more of a temporary fix from what I understand.
- Log in to https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/enrollmentRestrictions
- Create a new Device Type Restriction
- Give it a name
- On "Platform Settings" change "Android Enterprise (work profile)" to BLOCK
- Make sure "Android Device Administration" is set to ALLOW
- Click Next
- Click Next
- Under Assignments click Add Group and select the group of users that are signing into devices.
- Click through to finish the setup
Wait a few minutes, reboot the phone, and log in again.
I'm still trying to find out how to resolve the issue correctly, but this seems to have helped most of the cases I've had issues with so far.
jangliss BrandonJ365 KruthikaPonnusamy
So can anyone actually say they have this working correctly and be confident with the system, as I'm pulling my hair out with this now?
If a user signs in with a CAP license, all is fine. It's up to the point someone signs in with a higher license which includes Intune. The device tries to register into Endpoint but fails. At this point the phone is rendered a paperweight. No one, either with or without an Intune license, can sign in. It either fails and loops round or signs in as "Unknown User".
We only have one CA for MFA. I've added the enrolment restriction mentioned in the fix for this forum.
Ideally I want any user, CAP or higher, to be able to sign in with no issues and the device not to enrol into Intune. Is this even possible now, as the public MS information is very conflicting? Had no issues up until this update.
Can KruthikaPonnusamy provide a list of everything that's needed to be in place? This would make life a lot easier for all.
Thanks
Not sure why you would let a user sign in with a CAP license. We have created dedicated accounts for the Common Area Phones. To prevent the logon issue happening we are using AAD (cloud only) accounts for the CAP devices. This also takes away the need to enroll into Intune, at least in our case.
If you want the device to enroll into Intune you need to enable the Android Device Administrator option for personal or corporate devices. We are using the corporate device option here, which does then have the requirement to register the phone's serial number as a corporate identifier in Intune. We are using this scenario for normal User phones and our users have the full Intune license.
Both setups work fine for us. But you are right that Microsoft needs to come up with clear documentation on this topic. We also still have an open ticket with them on this topic.
Regards,
- Jeroen Dijkman, Jul 22, 2021, Brass Contributor
Hi, yes this is behavior I have seen before. When we re-use a CAP phone to be used as a normal User phone we perform a factory reset first.
This should prevent the issue you are describing.
- Graham_Watling, Jul 22, 2021, Copper Contributor
We have a mix. Some phones will sign in as a CAP user and that will be it for the rest of the phone's life. However, in some of our areas these will get signed out and a normal user will sign in. Once this happens it renders the phone useless.