SOLVED

Teams IP Phones and Android Device Administrator need on Intune

Iron Contributor

Hey community fellows, 

I wanted to check if anybody else face the same challenge with Teams Android Devices for personal usage in combination with Intune MDM profile for users. We started to face issue on Teams Android IP phones on latest firmware that our users are not able to sign-in and they are looping on screen with the sign-in code. We found out that it is because of missing Android Device Administrator enrollment method in Intune MDM profile. Once we enable this enrollment method for users the sign-in is possible. Audiocodes stated that within latest release of their phone software 1.10 they followed the requirements of Microsoft to meet requirements especially in area of Intune.

As described here the Android Device Administrator enrollment is used and needed for Teams Devices.

https://docs.microsoft.com/en-us/microsoftteams/devices/phones-displays-deploy I see it as highly conflicting with another recommendation and statement of Microsoft in the article about this enrollment method not to use it.

https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll-device-administrator

Anybody else facing same challenge adjusting this policy for users just because of Teams phones? Maybe question to Teams devices product team if there is future strategy to move away from ADA to Android Enterprise? Or is it the choice of IP phone vendors?

11 Replies

@DaveChomi Yes, this has been a common issue for over a year now. You need to enable device administrator in order to get Teams Desk Phones to sign in at all. It's a huge flaw.

Thank you for the response. How do you then deal with configuration of Intune so as the ADA is used only for Teams devices and for mobile phones you use Android Enterprise? Is there some prioritization like if AE is available prefer that one and if not use DA?
I'm so glad you brought this up. I'm experiencing the same issue with a few of my customers and the conflicting information one whether or not to use device administrator (which my customer doesn't want to use). It will be interesting to see what Microsoft suggests.
best response confirmed by Therese_Solimeno (Moderator)
Solution

@JBoslooper_Magenium 

After discussing this topic with Softies I have confirmation that ADA is for now the only way. "For now" is the important part of that statement. So there are already thoughts to change that but currently nothing on roadmap. That means we have to live with ADA still for some time and there is no other way around :( 

Hi @DaveChomi,

Did you allow Android DA in the default enrollment restriction assigned to the "all devices" group so that a normal user can sign in?

I did that but it's still not working. I tried creating a group with DA allowed and assign it to "all users" group but it didn't work either.

Please help! I'm desperate here.

Thanks.

 

To be honest I did not do it by myself but asked my colleague who is responsible for MDM and Endpoint Manager to implement for our specific group of devices. As far as I understood that he needed to put ADA on first place of possibilities to be used as enrollment method for that group.

^^ that would be the method. We also did a large "blocked manufacturer" (why can't it be allowed manufacturer?!?!)  list in future planning to prevent end users from enrolling their personal android devices as we use MAM in that space.

@DaveChomi , The customer ended up using a Device group and finagling the ADA and conditional access to get the phones to log in.  However, they still get issues with logging in these phones (or keeping them logged in).  I hope MS finds a better solution and provides a detailed deployment guide or some sort of template to use for customers who just want to get their Teams phones signed in. 

@JBoslooper_Magenium 

 

In our configuration it was advised that we not only needed to bypass CA on the accounts, but also create a device filter on the policies to exclude them. They had no firm reasoning behind it other than "they act strange if you don't filter them out."

 

Which I can confirm, before we did that I'd have sporadic device accounts just magically sign themselves out.

Curious, how did you construct your filter? We tried to filter by manufacturer and/or model but it didn't seem to see that information and would ignore the filter and still assume they were Android mobile.

@JBoslooper_Magenium 

For our environment we are using this as a exclude: device.model -in ["mp56, uc-p10-c, vp59, crestron-touchpanel-1070-t, crestron-touchpanel-770-t"] (in addition to excluding the device acct's)

 

That was under the guidance of their support engineer that specializes in Teams Android devices in general, she stated without the exclusion they have a habit of acting strange. She stated any CA policy that has either android platform selected, or browser/mobile apps selected in client apps needs to have the devices filtered out. I had been chasing random device account logouts for months and this calmed it down even though it on the surface didn't appear it should have done anything as the accounts already were excluded and we never saw a logged hit on the policies.

1 best response

Accepted Solutions
best response confirmed by Therese_Solimeno (Moderator)
Solution

@JBoslooper_Magenium 

After discussing this topic with Softies I have confirmation that ADA is for now the only way. "For now" is the important part of that statement. So there are already thoughts to change that but currently nothing on roadmap. That means we have to live with ADA still for some time and there is no other way around :( 

View solution in original post