Forum Discussion
Teams Phone device refuse login with 1449/1.0.94.2021033002 firmware and ADFS
- Jun 30, 2021
So I have a small update from Microsoft on this, and it's more of a temporary fix from what I understand.
- Log in to https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesEnrollmentMenu/enrollmentRestrictions
- Create a new Device Type Restriction
- Give it a name
- On "Platform Settings" change "Android Enterprise (work profile)" to BLOCK
- Make sure "Android Device Administration" is set to ALLOW
- Click Next
- Click Next
- Under Assignments click Add Group and select the group of users that are signing into devices.
- Click through to finish the setup
Wait a few minutes, reboot the phone, and log in again.
I'm still trying to find out how to resolve the issue correctly, but this seems to have helped most of the cases I've had issues with so far.
jangliss Super surprised this hasn't been answered yet, but the simplest resolution I've found for this is the following:
In Endpoint Manager, navigate to Devices/Enroll Devices/Enrollment Restrictions/Device type restrictions, make sure the Android Enterprise and Android DA are set to allow but leave personally owned set to blocked (or whatever choice is desired here).
Then navigate to Devices/Enroll Devices/Corporate device identifiers; here you will want to add the serial number (not MAC) of the devices being used.
Unfortunately, M$ has not provided a way for Intune to differentiate IP phones from "personally owned" devices (or provide an actual administration console for them); however, shout out to Eric O for pointing me in this direction. It took a lot of hours to figure it out, but by adding the corporate ID, these devices bypass any enrollment restrictions imposed on personal devices. Ultimately, I would still suggest the CA policies for the individual model of phone in AAD to reduce the number of "false positives" for compliance issues in Intune, but if you're not using it to manage other devices, this isn't a necessary step.
IMO, the Intune team should figure out a way to mark all of the certified Teams phones as corporate by default; it should be pretty easy by manufacturer/model... I'm pretty sure no one has bought one of them for personal use.
It was after an update of the Teams app that this issue started happening. I have been in a ticket about this issue with Microsoft since May of this year and their statements about the solution have changed a couple of times.
To me Microsoft does not want to admit they caused the issue in the first place. Our company wants to manage the IP phones just like we manage other Teams Devices by just connecting them to the Teams Admin center. And not Intune, because that does not give an added value.
By the way, this issue does not occur if you use AAD user accounts for the IP phones....
My ticket with Microsoft will remain open until they fix it.
- teamsphones Feb 22, 2022 Copper Contributor
Please share the latest development or the final fix for this. Our customer phones are looping on the sign-in page.
- qubic808 Feb 22, 2022 Copper Contributor
I'd like to also echo Jeroen's mention and that is please advise on what progress is being made to stop customer phones from looping on the sign-in page of company portal. My understanding is that the MFA is failing to reach the user and hence loops. I also know that MS have also repro'd this issue on their own kit as per case I have opened. What would be great is a site where MS has a 'what issues we are aware of and are actively working on'.
- Ruslan_Bakharev Oct 07, 2021 Brass Contributor
Well in your case it at least works.
For us Intune doesn't help at all, as the device is not able to register in it.
It freezes or drops at the registration stage (both Poly and Yealink).
And we've also noted that Android MTRs like Poly Studio or Logi Mini Bar are also affected, as they're most probably using the same kind of Teams Agent.
Using the previous version of the firmware solves the issue.
Disappointing situation.
We'll see what happens after promised fix by Microsoft.