By Jacob Scott - Support Escalation Engineer | Microsoft Intune
This is the first of a two-part series (the second post is Enrolling Microsoft Teams phones and Microsoft Teams Rooms on Android in Intune) that walks you through setting up and enrolling your Microsoft Teams phones and Teams Rooms on Android in Microsoft Intune.
Microsoft Teams is a useful tool for organizations to help their users stay connected in remote locations and environments. Teams phones and Teams Rooms on Android are useful resources for maximizing the Teams experience. However, before you can plug in your Teams phone or deploy a Teams Room to join a meeting, you’ll need to configure the devices.
This blog walks through important considerations for configuring Teams phones and Teams Rooms on Android and gives guidance for deploying these devices in Microsoft Intune. Note that we’ll refer to Teams phones and Teams Rooms on Android devices as Intune enrolled Teams phones and Rooms throughout the remainder of this document.
Before you begin, be sure to review Deploy Teams phones, Teams displays, Teams panels, and Microsoft Teams Rooms on Android using Intune for general guidance on setting up your Teams phones and Teams Rooms on Android devices in Intune.
This section provides guidance and things to keep in mind when setting up your Teams phones and Rooms in Intune.
The Teams admin center allows you to view and manage Teams phones, Teams Rooms on Android, displays, and panels enrolled in Teams for your organization, as well as set a few device configurations. Just be aware that device configurations set up through the Teams admin center will override policies set up in Intune. Refer to the Settings considerations section of this document for more information.
Before you begin, be sure to set the mobile device management (MDM) Authority to Microsoft Intune and click the Use device administrator to manage devices checkbox on the Android device administrator page in the Intune admin center.
Device configurations and compliance policies should be considered as you set up Teams in Intune. Some Intune device compliance policies are supported while many aren’t. To learn more about which settings are currently supported, see Supported conditional access and Intune device compliance policies for Microsoft Teams Rooms and Tea....
The Intune admin center allows admins to specify configurations on Teams phones and Teams Rooms on Android devices. However, certain configurations, such as app deployment and protection, aren’t supported. When unsupported settings are used, admins will see the policies listed in an Error state in the Intune admin center. The device may never show compliant for that specific setting, rendering it “Not compliant.” This may cause the device to fail to sign in, depending on policy restrictions, such as Conditional Access.
If Conditional Access policies are configured, they will apply during sign-in, but they may not be supported. When new conditional access policies are turned on, they will take effect on the device the next time it authenticates with Azure. See Conditional Access and Intune compliance for Microsoft Teams Rooms for more information about configuring Conditional Access policies.
Ensure Conditional Access policies targeting these devices don’t have unsupported settings. If a user attempts to sign in to Intune enrolled Teams phones and Rooms while an unsupported Conditional Access setting applies, the sign-in will fail. Either the user or the devices will need to be removed from the policy.
Unsupported configurations may still be set up with no visible impact to the device user. However, they can cause issues, such as requiring device users to install security credentials each time the device checks into the Intune service. Refer to the table below to determine which settings are supported.
Policy type | Supported | Notes
--- | --- | ---
Device restrictions | Partially supported | Block camera is supported on Android version 10 or older. All other settings are unsupported, including password configurations.
 | Supported | Support is limited to policy delivery only.
Trusted certificate | Not supported | May prompt user to install security credentials
PKCS certificate | Not supported | May prompt user to install security credentials
PKCS imported certificate | Not supported | May prompt user to install security credentials
SCEP certificate | Not supported | May prompt user to install security credentials
VPN | Not supported | 
Wi-Fi | Partially supported | Support is limited to the basic Wi-Fi type. Enterprise Wi-Fi isn’t supported.
It’s also important to be aware that when configuring settings from the device side, they may not immediately apply to Intune enrolled Teams phones and Rooms. Since Google Mobile Services (GMS) isn’t supported on these devices, the device must first check into Intune before the settings can be applied.
Devices are enrolled into Intune using Android device administrator and are considered personal by default. If the device is Android 9 or earlier, a corporate identifier for it can be added in Intune so that it’s marked corporate-owned during the enrollment process. To manage the user account access and permissions, see Intune enrollment restrictions.
If the user is licensed for Intune, the device will attempt Intune enrollment when signing into Teams phones and Rooms. However, when the user signs out of the device, it will unenroll, or retire, from Intune.
Note that Android Enterprise is unsupported, and that Intune enrolled Teams phones and Microsoft Teams Rooms Android devices don’t have GMS.
Set existing enrollment restrictions to allow the Android device administrator platform and personally owned devices in Intune. Personal devices can be blocked if corporate identifiers are added. Corporate identifiers are only supported on Android 9 or earlier.
There are Conditional Access rules that can impact and exclude Intune enrolled Teams phones and Rooms from evaluation. Some properties evaluated in Conditional Access filters are populated at different rates than others. The following are common scenarios and options for troubleshooting.
Device information is propagated back to Azure Active Directory (Azure AD) from Intune after enrollment completes, which can take time and cause the sign-in attempt to time out. To troubleshoot this issue, consider either updating the device filtering or updating the named location exclusions.
Option 1: Update device filtering
You can add a filter to the unsupported Conditional Access policies to exclude these devices and prevent the sign-in from timing out. Navigate to Endpoint security > Conditional access > Policies, select a policy and select Conditions then Filter for devices. Specify the devices to be excluded from the policy by selecting the + Add expression option. Select the device Property type (for example, displayName or model), the Operator (such as in, contains, startswith, endswith, or equals), and then populate the Value (such as the device make and model or its name). Be sure to avoid adding extra spaces or characters when entering a name, as this has been known to cause processing issues. The Rule syntax field will display the policy syntax produced by your selections.
For example, specifying the displayName equal to PolyCCX500 ensures that Intune enrolled ccx500 devices will be excluded from the Conditional Access policy.
Note, when Teams phones and Rooms first register with Azure, they use the displayName format “MakeModel.” Be sure to specify both the device’s displayName and model to ensure that the device is excluded from unsupported Conditional Access policies.
Once all the model information updates to Azure AD, these properties should function as expected.
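To make the point behind Options 1 concrete, here is an added example (not code from the original post or from Microsoft) that models how a filter-for-devices rule is evaluated against a device record at two moments: right after Azure AD registration, when displayName is in the “MakeModel” form and model is still empty, and after Intune has synced the device properties. The rule grammar (`device.<property> -eq "value"`, `-startsWith`, `-contains`, `-endsWith`, `-in [...]`, joined by `-and`/`-or`) follows the syntax the Rule syntax field shows, but the evaluator here is a simplified stand-in for the service, not its real implementation. The device records, the model string `CCX500`, and the `LAPTOP-0042` record are constructed sample data.

```python
import re
from typing import Callable

# One clause of a filter-for-devices rule, e.g.  device.displayName -eq "PolyCCX500"
CLAUSE = re.compile(
    r'^device\.(\w+)\s+-(eq|ne|startsWith|endsWith|contains|in|notIn)\s+(.+)$'
)

# Operators in the rule syntax, mapped onto plain Python comparisons.
OPS: dict[str, Callable] = {
    "eq": lambda actual, v: actual == v,
    "ne": lambda actual, v: actual != v,
    "startsWith": lambda actual, v: actual.startswith(v),
    "endsWith": lambda actual, v: actual.endswith(v),
    "contains": lambda actual, v: v in actual,
    "in": lambda actual, v: actual in v,
    "notIn": lambda actual, v: actual not in v,
}


def _parse_value(raw: str):
    """Parse a quoted string or a ["a", "b"] list literal from the rule text."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [v.strip().strip('"') for v in raw[1:-1].split(",") if v.strip()]
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"value must be quoted or a list: {raw!r}")


def evaluate_clause(clause: str, device: dict) -> bool:
    """Evaluate one clause; a property Azure AD hasn't populated yet acts as empty."""
    m = CLAUSE.match(clause.strip())
    if not m:
        raise ValueError(f"unrecognised clause: {clause!r}")
    prop, op, raw = m.groups()
    actual = device.get(prop) or ""
    return OPS[op](actual, _parse_value(raw))


def evaluate_rule(rule: str, device: dict) -> bool:
    """Evaluate a flat rule: clauses joined by -and, groups joined by -or (no parentheses)."""
    return any(
        all(evaluate_clause(c, device) for c in re.split(r"\s+-and\s+", group))
        for group in re.split(r"\s+-or\s+", rule)
    )


def excluded_display_names(rule: str, devices: list) -> list:
    """Return the displayNames a filter with mode 'exclude' would drop from the policy."""
    return [d["displayName"] for d in devices if evaluate_rule(rule, d)]


# Constructed sample records (assumed values, not real tenant data).
FRESHLY_REGISTERED = {"displayName": "PolyCCX500", "model": ""}      # before Intune sync
AFTER_SYNC = {"displayName": "PolyCCX500", "model": "CCX500"}        # after Intune sync
UNRELATED_LAPTOP = {"displayName": "LAPTOP-0042", "model": "Surface Laptop 5"}

# The page's example (displayName equals PolyCCX500), widened with a model clause
# so the exclusion still matches once the synced properties are what you key on.
RULE = 'device.displayName -eq "PolyCCX500" -or device.model -eq "CCX500"'
MODEL_ONLY_RULE = 'device.model -eq "CCX500"'
TRAILING_SPACE_RULE = 'device.displayName -eq "PolyCCX500 "'   # stray space breaks the match

if __name__ == "__main__":
    devices = [FRESHLY_REGISTERED, AFTER_SYNC, UNRELATED_LAPTOP]
    print("combined rule excludes :", excluded_display_names(RULE, devices))
    print("model-only, pre-sync   :", evaluate_rule(MODEL_ONLY_RULE, FRESHLY_REGISTERED))
    print("trailing space matches :", evaluate_rule(TRAILING_SPACE_RULE, FRESHLY_REGISTERED))
```

Running it shows why the post recommends keying on both properties: a rule written against model alone does nothing for a phone that has just registered (model is still empty), while the displayName clause catches it immediately and the model clause keeps matching afterwards. The trailing-space rule illustrates the “extra spaces or characters” warning above: the value no longer equals the stored displayName, so the device silently stays inside the policy.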
Option 2: Update named location exclusions
You can add named locations as an exclusion to the policy to help prevent unsupported Conditional Access policies from applying and timing out the sign-in attempt. Both “All trusted locations” and “Selected locations” are valid options.
Note that adding named location exclusions would exclude any device within scope of the policy that is also at the same named location. Be sure to carefully evaluate whether this configuration would meet your goals.
Conditional Access policy settings may prevent your Intune enrolled Teams phones and Rooms from checking in and being compliant. The following are tips for troubleshooting potential Conditional Access policy issues.
If you’re experiencing issues not covered in the above topics, refer to the following for additional troubleshooting tips.
Let us know if you have any questions in the comments below or reach out to @IntuneSuppTeam on Twitter. Be sure to catch our second post on: Enrolling Microsoft Teams phones and Microsoft Teams Rooms on Android in Intune.