Teams Android OS Devices
Peacefully Coexisting (and Actually Working!) with
Microsoft Security and Compliance Policies (Part 1)
At eGroup | Enabling Technologies, we define as a best practice the implementation of Microsoft Intune to provide device management used by authenticated users in Microsoft 365 tenants. The Intune component enrolls these devices and applies device compliance policies. We also define the configuration and use of Microsoft Entra ID (formerly known as Azure AD) conditional access policies as a critical best practice for applying access controls during user authentication. This guidance is based on our recommendation that our clients adopt the Zero Trust security model for their organization. The broad definition of the model that we use is “Trust no one and harden everything.”
When configuring Intune profiles/policies and Microsoft Entra ID (formerly known as Azure AD) conditional access policies, care must be taken to prevent problems for Teams (Android OS) phone and Teams Rooms on Android devices (“Teams devices” herein). Organizations usually configure these profiles/policies to control, protect, and manage their desktops, and both company and personally owned mobile devices. While documentation exists on how to treat Teams devices when creating these policies, it can be easily missed. If the policies are not correctly “tweaked” they will cause significant problems when they are applied to Teams devices; and they usually do end up getting applied automatically!
In this two-part series (Part 2 found here), we will describe how to configure these policies to peacefully coexist with your Teams devices. In this first part we will cover how to configure the Intune components and policies. In the second part , we will go over two additional Intune tasks and configuring your conditional access policies to prevent problems with your Teams devices. We will also touch on testing and Teams configuration profiles. This guidance should fix or prevent these problems from occurring on your Teams devices while not compromising the objective of Zero Trust.
What are the Policies Used For?
This article is not going to dive deeply into Intune Enrollment, Device Compliance, Configuration Profiles, Application Protection Policies and Microsoft Entra ID (formerly known as Azure AD) Conditional Access Policies. All five of these are components of Microsoft Intune; Conditional Access Policies really fall under Microsoft Entra ID (formerly known as Azure AD), but they can be accessed from Intune. These topics are covered extensively by Microsoft and other parties. A user must have an Intune license to have their device enrolled into Intune.
All five policies fall under the heading of Device Management. They collectively allow an organization to manage the devices that their users sign into their tenant with. These are a critical component for the implementation of a Zero Trust security model for an organization. Devices fall into two major categories:
Android Device Platforms
Configuring the Policies for Teams Phones
5. Type a name for the rule in the “Filter name” field.
6. Select “Android Device Administrator” from the “Platform” drop-down menu.
7. Click the “Next” button.
8. Add rules for the manufacturers of your Teams Phones. Use the “Contains” operator, the “Equal” operator can give unexpected results. You can expand these rules to include criteria for specific phone models.
9. Highlight and copy the rule in the “Rule Syntax” box. Create a text file and paste in the rule; you will use it later.
10. Click the “Next” button.
11. Click the “Create” button.
3. Click on “Android enrollment.”
4. Scroll down to the “Android Device Administrator” section.
5. Click on “Personal and corporate-owned devices with device administrator privileges.”
6. Make sure the checkbox next to “Use device administrator to manage devices….” is checked.
7. If it is, click the “X” to close the window.
8. If not, check the box and click the “OK” button.
3. Click “Enrollment device platform restrictions.”
4. Click the “Android restrictions” tab.
5. Click on “All User” in the “Default” Policy.
6. Click “Properties.”
7. Click the “Edit” button in the “Platform settings” section.
8. Click the “Allow” button in the “Platform” column of the “Android Device Administrator” row.
9. Click the “Block” button in the “Personally owned” column.
10. Click the “Review + save” button.
11. Click the “Save” button.
3. Click “Corporate device identifiers.”
4. Click the drop-down arrow next to “+ Add.”
5. Click “Enter manually.”
6. Choose “Serial number” (or IMEI as required) from the “Select identifier type” drop-down box.
7. Type in the serial number or IMEI in the “Identifier” text box.
8. Enter information in the “Details” text box.
9. Add additional rows as needed then click the “Add” button. Corporate Identifiers in a comma-separated value (.csv) files can also be imported.
3. Click “Compliance policy settings.”
4. Set “Mark devices with no compliance policy assigned as” to “Compliant.” This is a temporary setting. Switch it back to “Not-compliant” once all policies have been defined and tested.
5. Click the “Save” button.
5. Type a name for the policy in the “Name” field.
6. Add a description in the “Description” field.
7. Click the “Next” button.
8. Based on the current Compliance Policy supportability for Android Device Administrator, expand each of the policy subjects and follow the guidance below. The guidance is based on the information on the previously mentioned web page published on September 14, 2022.
9. Click the “Next” button once you’ve completed your settings.
10. On the line with the “Mark device noncompliant” action type a “1” into the “Schedule (days after noncompliance) column. If a device is not compliant, it will be allowed to be signed into and function for one (1) day. This allows time for administrators to remediate the device to bring it into compliance. If you are applying this policy to a large number of devices, increase the length of this “grace” period.
11. Click the “Next” button.
12. Click “Add all devices.”
13. Click “Edit filter.”
14. Click “Include filtered devices in assignment.”
15. Search for and select the previously created Intune filter, “Teams Phones.”
16. Click the “Select” button.
17. Click the “Next” button.
18. Click the “Save” button.
19. Click the “Create” button.
3. Click on the first policy that is not based on the “Android Device Administrator” platform. In this example, “IOS.”
4. Click on “Properties.”
5. Scroll down to “Included groups.”
6. If the groups are device groups or appear to be device groups, click the “Edit” button adjacent to the “Assignments” label.
7. If the groups are user groups, click the “X” in the upper right-hand corner and proceed to the next policy.
8. Click the “Edit filter” button.
9. Click “Include filtered devices in assignment.”
10. Search for and select the previously created Intune filter, “Teams Phones.”
11. Click the “Select” button.
12. Click the “Review + Save” button.
13. Click the “Save” button.
14. Repeat these steps for the rest of the device Compliance Policies.
4. Scroll down until you can see the “Assignments” label in the Profile’s properties.
5. Click the “Edit” button.
6. Click on “Edit filter”
7. Click “Include filtered devices in assignment.”
8. Search for and select the previously created Intune filter, “Teams Phones.”
9. Click the “Select” button.
10. Click the “Review + Save” button.
In this first article, we have covered how to configure most of the settings in Intune and its policies to accommodate Teams devices. In the second part, we will finish up the Intune configuration and dive into the setup of Conditional Access policies that will provide security and prevent problems for your Teams devices.