Microsoft Teams IP Phones and Intune Enrollment
Published Feb 04 2019 12:06 PM

Note: The firmware fix needed to handle the enrollment flow described below has been deployed, and the workarounds are no longer needed.

 

For customers who require desk phones and conference room phones to make and receive audio calls or join meetings, Microsoft Teams provides a growing portfolio of devices that can be purchased from our Teams Marketplace. For Teams phones that run Android 5.x or later, including the Yealink T56A/T58A/CP960 and the Crestron Flex series IP phones, specific settings may need to be enabled in the customer's tenant before the phones can successfully enroll into Intune.

 

Allowing successful Intune enrollment for Android versions 5.x and up 

If all of the following conditions are true, you will need to enable a specific configuration setting in the Intune admin console to allow a successful enrollment:

  • You are deploying a Teams IP phone with Android OS version 5.x or later. 
  • You have connected your Intune tenant with managed Google Play in order to manage Android Enterprise devices. 
  • You have configured your enrollment restrictions such that Android work profile enrollment restrictions are applied to the end user account that you are using to enroll. 

The recommended deployment configuration is one of the following (only one of the two is necessary):

  • Adjust your enrollment restriction settings in Intune so that the user account you use to enroll the IP phone is not targeted by Android work profile enrollment restrictions. This approach is recommended if you are managing Android Enterprise work profile devices in the same Intune tenant as your Teams devices.
  • If you are not actively using Android Enterprise in your Intune tenant, you can remove the connection to managed Google Play by following the directions here under "Disconnect your Android enterprise administrative account". Disconnecting your Intune tenant from managed Google Play disables Android Enterprise enrollment entirely for your tenant, so this option is only recommended if you are not managing any Android Enterprise devices in your Intune tenant.

We are actively pursuing a firmware fix to handle this enrollment flow. Once the fix has been published to the Microsoft Device Management solution and devices have been updated, neither of these workarounds will be necessary, regardless of whether all three conditions above are true.

 

Device-based Exception via Intune 

Intune allows creating device compliance policies in the tenant for the Android-based devices that access organizational data. These policies are applied to user accounts and currently cannot distinguish between device types running the same operating system (e.g. desk phones vs. conventional Android mobile phones). Tenant administrators might therefore need to grant exceptions to the user accounts used on Teams IP phones so that sign-in can complete.

59 Comments
Iron Contributor

MFA was enabled in the AAD Admin Centre for device join in my tenant. MFA was required to log in to the phone, but this also prompted the handset to be encrypted, which was only possible if a PSU was plugged into the handset according to the on-screen warning, which could not be bypassed. Disabling MFA resolved it. I did this after disabling AFW and was then able to enroll the phone.

 

https://shawnharry.co.uk/2019/01/07/configuring-yealink-t58a-for-microsoft-teams/

 


@shawn harry Hi Shawn, MFA can be enabled without requiring encryption.

Copper Contributor

I have a similar device, a Yealink T58A, and it signs in and gets kicked out automatically; I see the sign-in is successful when the Intune licenses are turned OFF for the account. I have already opened a case with MS and they suggested that I create a rule exception, which is apparently not working.

Iron Contributor

@Kruthika Ponnusamy Aware of that, but encryption was not enabled in my tenant for MFA. The issue is easily reproducible, and when MFA for device join was enabled, enrollment wasn't possible due to the restrictions I already noted above.

Please provide more information about how AAD users (and the needed licenses, Intune, etc.) for Android phones should be set up, some best-practice actions, Intune compliance policies, and shared meeting rooms (Exchange resource room mailbox, etc.) with shared Yealink phones.

Iron Contributor

Looking forward to testing once the firmware has been updated to resolve this issue.

Iron Contributor

Got the answer, thanks.

@Maheshwar Tayal - the new Yealink desktop phone devices are based on Android OS with a preinstalled Microsoft Teams apk.

Copper Contributor

Hello,

I am only a full-feature guy with M365 E5 and Direct Routing and very limited time in the day that I can spend on testing the implementation of the Teams devices I am trying to find for my adoption. In this story I also find every bug I believe has ever existed in Teams Phone, because we have to switch all users at once to Teams Direct Routing without having the right devices (my users love hardware). Now a little bird from Microsoft is telling me that we have to switch soon to the right mode and the right hardware!

 

In my tests I have always seen that devices are not registered in the Teams Admin Portal, and I also tested the Intune integration, but I did not find that it runs any better.

 

Please, is it possible to give me a recommended deployment plan so I know how to deploy everything in the right and best way for my E5, dial-only conference rooms, desktop apps, and phone apps (iOS)? And as you know, the UI feature set of Teams Phone is currently not fit for production, and it would be nice to have a deployment plan for when it becomes interesting to roll out.

And who in Germany can help me? Not to sell me hours of service, but to share experience and solutions of any kind.

Copper Contributor

After a long struggle since this post, I was unable to enroll the Yealink device through Intune. It looks like something might have changed on the Microsoft side in Intune. I was successfully able to enroll the Yealink T58A devices with Intune licenses today.

@Swaminathan Balakrishnan can you tell us more about your settings for the Yealink T58A Android phone and the Teams connection with Intune? Do you use an account from a real person with a license, or do you have some separate generic / service account with a license, etc.? Did you do automatic deployment / enrollment to Intune or manual, etc.?

Iron Contributor

Hi, for us we did not have MFA enabled in Azure AD, but we do have Conditional Access set up with MFA to join devices to Azure AD. We are able to log into the device with a Teams account (E3), but it says the device is out of compliance, so it signs us out.

EDIT: Resolved by completely enrolling it in Intune and complying with the policies

Copper Contributor

We just upgraded our T58A and CP690 phones to the Teams Edition and it has definitely been a bear, but we are getting closer... We keep having an issue where we try logging in and it sits there at "we are signing you in please wait" but never goes beyond that until we reboot the phone again. At times we will also receive an error that the device is out of compliance, where it will say "Oops - You can't get to this yet." We created a specific policy for Yealink in Intune and had to add the user to it, which isn't ideal because then we can't add them to any others (i.e. iOS or Android for mobile phones). The user has Office 365 E3 with an Enterprise Mobility + Security E3 license. My question is: do we know what specific Intune policies and Microsoft licenses are required for the user to successfully log in to Teams on the phone once it is successfully upgraded?

Copper Contributor

Would like to follow this post. Waiting for the all clear on the following:

 

We are actively pursuing a fix from the firmware to handle this enrollment flow. Once the fix has been published to the Microsoft Device Management solution and devices have been updated, neither of these workarounds would be necessary regardless of whether the three factors above are all true.

Iron Contributor

@Kruthika Ponnusamy @Swaminathan Balakrishnan 

 

Hi, is there any update on this? We need to be able to sign into our Teams phones! As others have said above, it just puts us in a loop and gets to a point where it says 'this device cannot access resources yet' or something.

 

 

Brass Contributor

Agreed - would really like an update. Is there a User Voice request for this that we can keep track of?

Copper Contributor

I would also need some clarification on this topic!

It's not only Yealink but also Polycom that has the exact same issue logging in when there is Intune present in the tenant.

There must be a good manual on how to deploy IP phones when using Intune?

 

Iron Contributor

As we have enrolled a number of Yealink Teams devices into Intune I thought I would share my set up. We use Android Work Profiles extensively and are unwilling to turn off that functionality. But we've found a workable compromise that balances security and usability for us. Please note that we have AAD Premium P2, we use Conditional Access and we also require MFA for device joins within our AAD's settings. If you're using Conditional Access, make sure your policies are set up not to inadvertently prevent sign-in before Intune can start registration. An easy way to check for this is to test with "What If?" and also to look at the sign in logs for the users concerned, in AAD.

 

Onwards.

 

  • Firstly, ensure all firmware on the devices is up to date. It was a bit of a PITA without Teams Admin Centre doing the work for us, but given the content of the original post, we decided it was prudent to "start right."
  • We registered the serial number of each device as a corporate identifier within Intune. This was trivial to retrieve via the web interface of each device, or on the box. If you have a large fleet incoming, you should be able to get a .csv of SNs from your supplier.
  • We enabled Android Device Administrator within Intune (Android Enrolment > Personal and corporate-owned devices with device administrator privileges > ticked the checkbox).
  • In our enrolment restrictions, we set: Android Device Administrator: minimum OS version 7.0, and blocked personally-owned devices. (This way, we don't need to differentiate restrictions by user group, although your own ruleset should be set up to accommodate your organisation's policies.)
  • An Android Device Administrator Compliance Policy was set up. This requires just:
    • min OS = 7.1 (current version on Yealink is 7.1.2. We settled on '7.1' in our policy.)
    • Company Portal App Integrity = require
    • device is not rooted = require
    • That's it. We couldn't get any further compliance restrictions to work - we got sign-in hangs otherwise.
  • Devices were confirmed as logged out and then power-cycled.
  • Devices were logged into by Intune- and Teams-licensed users.
  • The devices registered into Intune OK and were marked as compliant within a minute or two.

Hope this helps someone! The way we've set this up, our end users don't notice any difference - they are pointed to Android Enterprise on their own phones as usual. And no one can add an Android device with its super-relaxed compliance policy unless it's prepped as a 'corporate' device in Intune. If you're using corporate Android smartphones in your fleet, you may have to tweak your restrictions ruleset to accommodate - YMMV.
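To make the compliance and enrolment settings in the comment above concrete, here is an added Python example (not code from the post, from Intune or from any commenter) that checks constructed Teams phone records against the same three compliance settings plus the corporate-identifier restriction, and builds the matching Microsoft Graph `androidCompliancePolicy` request body. The Graph property names are assumed from the v1.0 resource as I know it; every serial and device state is made up.

```python
"""Added example: evaluate constructed Teams phone records against the minimal
Android Device Administrator policy from the comment (min OS 7.1, Company Portal
app integrity required, rooted devices blocked) and emit the Graph policy body.
Assumptions: Graph property names are from the v1.0 androidCompliancePolicy
resource as I know it; all device data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# The three settings from the comment, as a plain policy dict.
POLICY = {"min_os": "7.1", "require_app_integrity": True, "block_rooted": True}


def parse_version(version: str) -> tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2). A string compare would wrongly rank '7.10' below '7.9'."""
    return tuple(int(part) for part in version.strip().split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric, component-wise compare; '7.1' is treated as '7.1.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


@dataclass
class DeviceRecord:
    serial: str
    os_version: str
    rooted: bool
    company_portal_integrity_ok: bool
    corporate_identifier_registered: bool  # serial pre-registered in Intune


def enrollment_allowed(dev: DeviceRecord) -> bool:
    """The restriction in the comment blocks personally-owned DA enrolment,
    so only a device whose serial is a corporate identifier may enrol."""
    return dev.corporate_identifier_registered


def evaluate(dev: DeviceRecord, policy: dict = POLICY) -> list[str]:
    """Return the failed settings (named by Graph property); empty means compliant."""
    failures = []
    if not version_at_least(dev.os_version, policy["min_os"]):
        failures.append(f"osMinimumVersion: {dev.os_version} < {policy['min_os']}")
    if policy["block_rooted"] and dev.rooted:
        failures.append("securityBlockJailbrokenDevices: device is rooted")
    if policy["require_app_integrity"] and not dev.company_portal_integrity_ok:
        failures.append("securityRequireCompanyPortalAppIntegrity: check failed")
    return failures


def graph_policy_body(policy: dict = POLICY, name: str = "Teams phones - Android DA") -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies (assumed property names)."""
    return {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": name,
        "osMinimumVersion": policy["min_os"],
        "securityBlockJailbrokenDevices": policy["block_rooted"],
        "securityRequireCompanyPortalAppIntegrity": policy["require_app_integrity"],
    }


# Constructed sample fleet (serials and states are made up).
FLEET = [
    DeviceRecord("YL-0001", "7.1.2", False, True, True),   # Yealink on current firmware
    DeviceRecord("YL-0002", "7.0.1", False, True, True),   # firmware not updated first
    DeviceRecord("XX-0003", "9", True, True, True),        # rooted: blocked by policy
    DeviceRecord("XX-0004", "7.1.2", False, True, False),  # serial never registered
]

if __name__ == "__main__":
    for dev in FLEET:
        if not enrollment_allowed(dev):
            print(f"{dev.serial}: enrolment blocked (not a corporate device)")
            continue
        failures = evaluate(dev)
        print(f"{dev.serial}: {'compliant' if not failures else failures}")
```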

Copper Contributor

@Rob Hardman Thank you so much for posting the steps you took in your environment. This was very helpful in configuring our own. Even with the new configurations in place, we were still unsuccessful in registering a device with Intune. After signing into Teams, we were being prompted to enroll with Intune and install Company Portal - this is where it failed, and we'd have to reboot the device. Yesterday, we upgraded two CCX600 devices to the latest firmware (5.9.13.0306, released 5/20/2020), and we were able to sign in and register the devices with Intune via Device Administrator.

Copper Contributor

Thanks for the detailed setup guide Rob, we have a similar configuration and your guide was helpful to read through.

 

Microsoft recently published their Intune plan for change: Decreasing support for Android device administrator.

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#decreasing-support-for-android-de...

Has anyone been able to confirm whether Android Device Administrator enrollment will continue to be supported for Teams telephony devices? Our Teams telephony devices are running Android version 9, so it feels like impending doom for our setup. I couldn't get Android Enterprise enrollment to work for these devices, as they don't appear to support any of the enrollment options. From the list of impacted services, if/when the devices upgrade to v10, only the corporate identifier feature would be a problem for us.

Anyone else have the same concerns or perhaps aware of the road map for Teams Telephony devices and Android Device Administrator enrollment?

Thanks.

Brass Contributor

@raymondlyle 

 

Hi,

 

Has anyone been able to enroll their Teams telephony devices using Android Enterprise? We are using Poly CCX 500s and the enrollment does not work with Android Enterprise / work profile either. Any info will be greatly appreciated.

 

Thanks!

Steel Contributor

@Kruthika Ponnusamy is there any progress on Android Enterprise support?

Teams Android devices will require Device Administrator. Android Enterprise is currently not in scope for support.

Steel Contributor

@Kruthika Ponnusamy ok, so is the official message that, as Device Administrator is removed from support in Intune and Android, the phones will eventually become unmanaged as updates flow through? Or is there no plan to ever update the version of Android?

@Dustin Halvorson Teams phones will continue to be supported in Intune via DA.

Copper Contributor

I just recently upgraded a few test Poly CCX 600s to firmware version 6.2.21.1198. After unenrolling them and trying to enroll again through the Company Portal on the phone, it spins and then times out, saying to try again later. The older versions have no issues. Do I now need to set up a managed Google Play account with Intune to use Android Enterprise instead of Device Administrator? They are working fine on firmware version 5.9.12.1122.

Brass Contributor

I'm not even sure we need to or should enroll these devices in Intune anymore. I also recently updated a CCX 500 to 6.2, and when I sign into the device, it never gets enrolled into Intune, probably because of my enrollment restrictions. However, it seems to go past the Company Portal screen and signs me in anyway. The device does show up in Teams but not in Intune. Is this the best way to manage these devices now, or should we try to enroll?

Iron Contributor

@Kurt - this is an excellent question, and one on which I feel MS needs to provide much more clarity and guidance. My initial view was not to Intune enrol Teams IP telephony devices. But we have changed direction and we will Intune enrol these devices. Why? Because we have a number of Conditional Access policies that apply to "untrusted" endpoints and can adversely affect the user experience for accounts signed into a Teams IP phone. But by having these devices in Intune and marked as compliant, they are considered "trusted", so the Conditional Access policies don't apply. Word of warning: getting this working correctly is not easy and has required a lot of trial and error, and various issues along the way. We've already logged 2 PS tickets to try and get this working, and are currently on the third PS ticket. I think we are quite close to a working solution. Word of warning: the Meeting Room SKU includes an Intune licence, but the Common Area SKU does not, which is an additional frustration.

Brass Contributor

After our CCX phones updated to 6.2, they get stuck in the "Verifying a few things..." loop and never sign in. Very frustrating.

 

As much as MSFT is pushing Teams, you would think they would put resources into making it work for basic functions.

Iron Contributor

Hi Keith - this is what I am seeing too: the device enrols into Intune and is marked as compliant, but the sign-in to Teams gets stuck for 5 minutes at "verifying a few things..." and eventually says "The system timed out. Wait a moment then try again". The sign-in was working fine prior to allowing Intune to enrol these devices. Even more strangely, out of 5 attempts, it will fail like this on approximately 4, but every now and then it will actually sign into Teams successfully. We have a PS ticket open for this.

Brass Contributor

I am thinking that there is a lot more upside to NOT enrolling Teams phones into Intune. I realize that some could use Conditional Access policies that reference the endpoint and its compliance, but there are other ways to secure the login. For example, I only want to allow phones to be used on my corporate network. I can use the Teams Admin Center to monitor and upgrade their firmware version. Neither of these things requires Intune. I have had so many issues with Teams phones that I am starting to think Intune could be a contributing factor to the issues we have with phones (phones never work, always have to reboot and reset to get them to work). Eliminating Intune from the equation is probably going to be my next step to see if phone use becomes more reliable in our environment.

Brass Contributor

I agree. I think 99% of the issues I am having with the native phones are Intune related. I can't figure out how to exclude them if the user signing into the device has an active Intune license.

 

I have Conditional Access policies set up, but they only work half the time. If they do work, it takes 10 minutes to sign into the device.

 

Can anyone provide a link to instructions?

Brass Contributor

Currently I have my Conditional Access policies assigned to users (via group membership). I think I need to create a dynamic device membership group that captures the Teams phones. Then, change the Conditional Access policy that makes them enroll in Intune to apply to all Android devices except the Teams Phone group.

This is because the Conditional Access setup says that when you are assigning and excluding groups, you cannot mix user groups and device groups. So if it is assigned to all Android devices except for Teams Phones, I think that will work.

 

Man, do I wish everyone would just use a headset. There is no setup and things just work. Unfortunately we have users that insist on using a phone for one reason or another, and they are literally nothing but a headache.

Iron Contributor

Yealink have just released new firmware which resolves the issue where the phone gets stuck at "verifying a few things" after Intune enrolment but before Teams sign-in. It's now working for me with the new firmware across the T56A, MP56, VP59 and CP960.

Copper Contributor

Hi @Mark Licinio, what version are you using now, and for which devices (brand / model), to make this work? I'm still stuck at the "verifying a few things" message on the Yealink T58A, whereas it all works fine on the T55A.

Iron Contributor

I'm using the most recent firmware published by Yealink. I haven't tested the T58A, but the ROM to try is T55(T58V,T56A)-58.15.0.116.rom published on 14 October. The release notes say: "Fixed an issue that the device is stuck in "Verifying a few things" page while signing in."

Copper Contributor

I'm on the Lenovo ThinkSmart View. I may have just figured out a possible workaround for Conditional Access causing sign-in to fail ("Verifying a few things") when MFA is enabled on the CA rule. It "might" work for other platforms. I have a rule set up as follows:

 

  • Cloud apps: All
  • Conditions:
    • Platform: Android
    • Client apps: Mobile apps and desktop clients
  • Grant: Require MFA
  • Session: Persistent browser session - Never

That last session control seems to have fixed it for me, but I'm still testing. I guess it was basically not liking cached MFA authorizations. Could someone try verifying if that setting works, or if I'm just seeing a cached result?

 

Update 2020-10-27: it's still working consistently.

Brass Contributor

@Kruthika Ponnusamy Any information on a firmware update for Poly CCX phones to get them out of the "verifying a few things..." loop?

@Keith Laudenberger The latest update has a fix for this issue. The update should be available in Teams Admin Center.
https://support.microsoft.com/en-gb/office/what-s-new-in-microsoft-teams-d7092a6d-c896-424c-b362-a47...

 

Brass Contributor

@Kruthika Ponnusamy That is the version on our devices, but it still will not work. I have tried multiple settings in Intune based on articles I have seen, but the phones no longer sign into Teams.

 

http://imaucblog.com/archive/2019/11/21/mdm-compliance-policy-exclusion-for-teams-android-devices/

 

Finally got it to work. For some reason the compliance policy was not applying until I added the device serial number as a corporate device. Scope tags were not enough to get the correct compliance policy to apply to the device.

Copper Contributor

@Kruthika Ponnusamy Since today I am unable to enroll the Yealink T55A and Polycom Trio C60 after removing them from our tenant. No configuration change on our end. Is there any recent change in Intune that prevents us from re-enrolling the devices?

 

Brass Contributor

Are Teams poly phones compatible with Android Work Profile yet?

Android work profile is applicable for devices that contain personal and enterprise data. Teams android devices today contain only enterprise data. Android work profile is not applicable for our devices.

Brass Contributor

From my understanding, Teams IP phones have a custom Android firmware that is not manageable from Intune.

 

They will enroll in Intune when you sign in, and you can manage them from the Teams Admin Center.

 

Actions like uploading a custom CA are not supported. @Kruthika Ponnusamy, @Hrvoje Kusulja Is this correct?

@Luis Ramos Yes, we have custom Android hardware, but I do not understand what you mean by "not manageable from Intune".

Brass Contributor

@Kruthika Ponnusamy like adding my company's CA to the trusted root CAs of the Android device?

 

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root

Copper Contributor

Seems this is still in flux 2 years later? What is the point in having Teams approved devices if they are not compatible with the recommended M365 security best practices? Let me know if I am missing something. The Conditional Access logs are nebulous at best, and I would really appreciate it if the integration between endpoint and Azure AD were clearer. Intune should be the only thing that manages the registration and enrollment process, in my opinion, so that Conditional Access rules can be designed with information security in mind.

 

Can recreate the enrollment issue on Yealink 56A, 58A and Poly CCX 400. An implementation guide and advice would be very welcome.

Copper Contributor

I am experiencing the same problem. 2 phones so far have worked OK after updating the firmware first. But the next three are either stuck on the Company Portal connecting screen or stuck in a login loop.

We are using Yealink MP56. We have Intune enabled, but I'm not even sure where to start in Intune / Microsoft Endpoint Manager. I can see the devices in there, and they report that they are compliant. Does anyone know what else I can check in Intune? Or how to turn it off?

 

[Screenshot: Company portal - connecting. error]

Copper Contributor

Hello.

We are trying to find a way to get Teams IP Phone working without:

 

- having them enrolled in Microsoft Intune (to bypass the quagmire of no Teams IP phone being certified for Android Enterprise, and Microsoft's/Google's deprecation of Android Device Admin features and support)

- excluding them from the application of Conditional Access policies that are applied to the Android platform (our plan is to use Conditional Access policy device filters, currently in public preview)

 

The goal is to have these IP phones purely managed and administered from the MS Teams Admin Console.

 

So far, we were only able to get the AudioCodes Teams IP phone working if it is enrolled in Intune (as we have to temporarily exclude the user from Conditional Access policies applied to Android devices). However, if we don't allow them to be enrolled in Intune, they don't seem to be able to simply register in Azure AD.

 

Has anyone been successful in getting AudioCodes Teams IP phones working without enrolling them in Intune?

 

Please advise.

 

Thank you.

 

Ron

Copper Contributor

@Keliath We have also been having the same issue this past week with a private technician onsite. We are currently in the process of resolving it; our Telkom provider will be bringing in a Cisco network switch specialist, as we suspect the issue might be the VLAN configuration not allowing the Android-based Yealink VP59 IP phone to get an IP address.

Personally I think it might just be a firmware update or an Endpoint/Intune security policy configuration, but we will be troubleshooting on Wednesday next week.

 

Hopefully we will have a solution by then.

 

Regards,

AM

Version history: last update Jun 22 2021 02:32 PM