Sep 09 2022 03:04 AM
Hi, I have some challenges with older Android 4.4 devices that have no possibility to install and run Intune. How can we exclude them from endpoint (Intune) when I'm trying to access our O365 Teams room?
We have unmarked Intune in Azure AD for the Teams room. But I guess we need to do something in the endpoint portal?
Any idea?
Sep 09 2022 04:40 AM - edited Sep 09 2022 05:20 AM
Hi @TompaB!
Am I right to assume what you're really looking for is to deny access to Teams for unmanaged (i.e. not Intune-enrolled) Android devices? If so, you will need to apply Conditional Access. For instance, a policy like below:
Now, to complete your configuration, you may want to explicitly configure a minimum OS version required for Intune enrollment (and not depend on it not being available). To do this, take a look under Devices > Enroll devices > Enrollment device platform restrictions. You can either change the base, catch-all "Default" policy, or create a new one with a higher priority.
Please note, this will still require the Conditional Access policy above to block access to cloud apps, like Teams.
Finally, I'd like to add that keeping these Android 4.4 devices in your environment (even though you are blocking them like above) expands your attack surface. It's better to get rid of them completely, if at all possible.
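As an added illustration of the Conditional Access policy described in this answer (example code, not part of the original post and not Microsoft's own sample), the script below creates the policy through the Microsoft Graph PowerShell SDK instead of the portal. It assumes the `Microsoft.Graph.Identity.SignIns` module is installed, that the connecting account holds `Policy.ReadWrite.ConditionalAccess`, and that the Teams application id shown is the first-party Microsoft Teams app (verify it under Enterprise applications before relying on it). The policy is created in report-only mode so sign-in logs can be reviewed before enforcement; the Intune enrollment restriction (minimum Android version) is still configured in the portal as the answer describes.

```powershell
# Added example: block unmanaged Android devices from Microsoft Teams with
# Conditional Access, created in report-only mode via Microsoft Graph.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Assumption: first-party Microsoft Teams application id. Check it in
# Entra ID > Enterprise applications before use.
$teamsAppId = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'

# Assumption: the group that contains the Teams room resource accounts.
# Scoping to this group keeps the report-only run limited to the accounts
# the question is about.
$teamsRoomsGroupId = '<object-id-of-teams-rooms-group>'

$policy = @{
    displayName = 'Teams - require compliant device on Android (report-only)'
    # Report-only: evaluated and logged, but not enforced until reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($teamsRoomsGroupId)
        }
        applications = @{
            includeApplications = @($teamsAppId)
        }
        platforms = @{
            includePlatforms = @('android')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator         = 'OR'
        # Only Intune-compliant (hence enrolled) devices satisfy the grant;
        # an Android 4.4 device that cannot enroll is blocked.
        builtInControls  = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# After reviewing 'Report-only' results in the sign-in logs, switch to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Scoping the policy to a group and starting in report-only mode matters in practice: a compliant-device requirement applied to all users at once can lock out the admin account running the script, so the standard approach is to exclude a break-glass account and review the report-only sign-in entries before changing `state` to `enabled`.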
Sep 09 2022 05:36 AM
Hi thank you for the answer. We will try this.
I understand what you say regarding the insecure part of the devices. In this case the vendor's hardware has no possibility to upgrade the Android version.
Sep 14 2022 05:18 AM
This is solved. We needed to approve the specific name of the application in the Intune portal.
When it was approved it never triggered to join intune.