Exclude some Android devices from Intune

New Contributor

Hi, I have some challanges with older Android 4.4 devices that has no possibility to install and run Intune.  How can we exlude them from endpoint (Intune) when I'm trying to access our O365 teams room?

 

We have unamarked Intune in AzureAD for the teams room. But I'll guess we need to do something in the endpoint portal? 

 

Any idea?

3 Replies

Hi @TompaB!

 

Am I right to assume what you're really looking for is to deny access to Teams for unmanaged  (i.e. not Intune-enrolled) Android devices? If so, you will need to apply Conditional Access. For instance, a policy like below:

 

  • Users or workload identities: include "All users", or select a group that suits your needs. Make sure you don't lock yourself out by accident, so exclude your admin account while testing. 
  • Cloud apps or actions: include "Microsoft Teams", or all Office 365 apps if you want to deny access to things like Exchange Online as well. 
  • Conditions:
    • Device platforms: select "Yes" to enable this, and then include "Android".
    • Client apps: select "Yes" to enable this, and then include all client apps, assuming you want to block access in browsers and such as well. 
    • Filter for devices: select "Yes" to enable this, and then use a filter to exclude managed devices, like "(device.mdmAppId -in ["0000000a-0000-0000-c000-000000000000"])".

      This is the most important bit as this is where we make sure that devices managed by Intune (which is what that mdmAppID GUID means) will be excluded from this policy. See also: Filter for devices as a condition in Conditional Access policy - Azure Active Directory - Microsoft ...
  • Grant: select "Block access". 

Now, to complete your configuration, you may want to explicitly configure a minimal OS-version required for Intune enrollment (and not depend on it not being available). To do this, take a look under Devices > Enroll devices > Enrollment device platform restrictions. You can either change the base, catch-all "Default" policy, or create a new one with a higher priority.

 

Please note, this will still require the Conditional Access policy above to block access to cloud apps, like Teams. 

 

Finally, I'd like to add that keeping these Android 4.4 devices in your environment (even though you are blocking them like above) expands your attack surface. It's better to get rid of them completely, if at all possible.

@NielsScheffers 

 

Hi thank you for the answer. We will try this.

 

I understand what you say regarding the unsecure part of the devices. In this case the vendors hardware has no possibility to upgrade the Android version.

@NielsScheffers 

 

This is solved. We needed to approve the specific name of application in the intune portal.

When it was approved it never triggered to join intune.