Forum Discussion
Teams Phone device refuse login with 1449/1.0.94.2021033002 firmware and ADFS
- Jun 30, 2021
So I have a small update from Microsoft on this, and it's more of a temporary fix from what I understand.
- Log in to https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/enrollmentRestrictions
- Create a new Device Type Restriction
- Give it a name
- On "Platform Settings" change "Android Enterprise (work profile)" to BLOCK
- Make sure "Android Device Administration" is set to ALLOW
- Click Next
- Click Next
- Under Assignments click Add Group and select the group of users that are signing into devices.
- Click through to finish the setup
Wait a few minutes, reboot the phone, and log in again.
I'm still trying to find out how to resolve the issue correctly, but this seems to have helped most of the cases I've had issues with so far.
jangliss Super surprised this hasn't been answered yet, but the simplest resolution I've found for this is the following:
In Endpoint Manager, navigate to Devices/Enroll Devices/Enrollment Restrictions/Device type restrictions and make sure that Android Enterprise and Android DA are set to allow, but leave personally owned set to blocked (or whatever choice is desired here).
Then navigate to Devices/Enroll Devices/Corporate device identifiers; here you will want to add the serial number (not MAC) of the devices being used.
Unfortunately, M$ has not provided a way for Intune to differentiate IP phones from "personally owned" devices (or provide an actual administration console for them); however, shout out to Eric O for pointing me in this direction. It took a lot of hours to figure it out, but by adding the corporate ID, these devices bypass any enrollment restrictions imposed on personal devices. Ultimately, I would still suggest the CA policies for the individual model of phone in AAD to reduce the number of "false positives" for compliance issues in Intune, but if you're not using it to manage other devices, this isn't a necessary step.
IMO, the Intune team should figure out a way to mark all of the certified Teams phones as corporate by default, should be pretty easy by manufacturer/model... I'm pretty sure no one has bought one of them for personal use.
kylecombs wrote:
Then navigate to Devices/Enroll Devices/Corporate device identifiers; here you will want to add the serial number (not MAC) of the devices being used.
This is a nice way of handling it, versus adding policies to block registrations for all android enterprise devices, which was Microsoft's recommendation.
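The corporate device identifier step from the reply above, as an added example that is not part of the thread: a Python helper that turns a hand-typed phone inventory into an upload list and rejects MAC addresses entered in place of serial numbers. The two-column header-less CSV layout, the row and details limits, the serial pattern and the sample inventory are assumptions to check against current Intune documentation.

```python
import csv
import io
import re

# Assumptions to confirm against current Intune documentation: the upload is a
# header-less two-column CSV (identifier, details) with these per-file limits.
MAX_ROWS = 5000
MAX_DETAILS = 128

# MAC written with separators, e.g. 00:04:F2:AA:BB:CC or 0004.F2AA.BBCC.
# A bare 12-hex string is not rejected: by format alone it could be a serial.
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}[:-]){5}[0-9A-F]{2}$|^(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}$")
# Hypothetical sanity bound for a serial: 4-32 letters and digits.
SERIAL_RE = re.compile(r"^[0-9A-Z]{4,32}$")

# Constructed sample inventory: (serial as typed, free-text details).
SAMPLE_INVENTORY = [
    ("  ab12cd34ef ", "Lobby phone"),
    ("00:04:f2:aa:bb:cc", "Desk 3"),
    ("AB12CD34EF", "Lobby phone again"),
    ("XY98ZT7654", "Room 2, floor 1"),
    ("bad serial!", "Unknown"),
]


def build_identifier_csv(inventory):
    """Return (csv_text, rejected) where rejected lists (input, reason)."""
    seen, rows, rejected = set(), [], []
    for raw, details in inventory:
        serial = raw.strip().upper()
        if MAC_RE.match(serial):
            rejected.append((raw, "MAC address, not a serial number"))
        elif not SERIAL_RE.match(serial):
            rejected.append((raw, "not a plausible serial number"))
        elif serial in seen:
            rejected.append((raw, "duplicate serial"))
        else:
            seen.add(serial)
            # Keep details to one comma-free field of bounded length.
            rows.append((serial, details.replace(",", " ").strip()[:MAX_DETAILS]))
    if len(rows) > MAX_ROWS:
        raise ValueError(f"{len(rows)} rows exceeds the assumed {MAX_ROWS}-row limit")
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue(), rejected


if __name__ == "__main__":
    text, rejected = build_identifier_csv(SAMPLE_INVENTORY)
    print(text, end="")
    for raw, reason in rejected:
        print(f"rejected {raw!r}: {reason}")
```

Reviewing the rejected list before uploading keeps mistyped or duplicate entries out of the identifier list.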