Teams Android OS Devices Peacefully Coexisting (and Actually Working!) with Microsoft Security and Compliance Policies (Part 2)
Introduction
This is the second article in this series. In the first part, we discussed the need to properly configure your Intune settings and policies for Teams Android devices. Here we will go over a few more items related to settings in Intune. We will also go over configuring Conditional Access Policies for these devices. Finally, we will talk about Teams Configuration profiles and testing your devices.
4. Click on “Device settings.”
5. Note the number of devices in the “Maximum number of devices per user.”
6. Switch back to the “Microsoft Endpoint Manager” and click on “Devices.”
7. Click on “Enroll devices.”
8. Click “Enrollment device limit restrictions.”
9. Click on the name of the Device Limit Restriction Policy.
10. If the device limit is less than that of the Azure Active Directory devices, click on “Properties.”
11. Click the “Edit” button.
12. Change the “Device limit” value so that it matches or exceeds the Azure Active Directory device limit, or set it to the maximum of 15 if that limit is higher.
13. Click the “Review + save” button.
14. Click the “Save” button.
4. Click on “Properties.”
5. Click the “Edit” button for the “Apps” section.
6. Set the “Target to apps on all device types” switch to “No.”
7. Click the “Device types” drop-down. Select all the types you want this policy to apply to except for “Android Device Administrator.”
8. Click the “Review + save” button.
9. Click the “Save” button. Repeat for the rest of the policies written for the Android platform.
3. Click on the first policy in the list. (The policies used in the examples were created from the templates provided by Microsoft and are in “Report only” mode. The “Terms of Use” Policy was manually created.)
4. In the “Cloud apps or actions” section, if the value is “All cloud apps,” this section of the policy is not compatible with Teams Phones. The example policy, therefore, is not compatible with Teams Phones. You do not need to perform the additional checks for this policy.
5. The “Conditions” section of the sample policy indicates that there are “0 conditions selected.” The settings in this section are compatible with Teams Phones. Continue checking the other sections of the policy:
6. The “Require multi-factor authentication” control in the “Grant” section of the policy is selected. The settings in this section are compatible. Continue checking the other sections of the policy.
7. The “Session” section of the sample policy indicates that there are “0 controls selected.” The settings in this section are compatible with Teams Phones.
8. This policy has one section that is incompatible. Select and copy the query you used to create the “Teams Phone” filter in step 1 above from the open “Notepad” session. (I told you we would need this later!)
9. Click the “0 conditions selected” button in the “Conditions” section.
10. Click the “Not configured” button in the “Filter for devices” condition.
11. Set the “Configure” option to “Yes.”
12. Click “Exclude filtered devices from policy” in the “Devices matching the rule” section.
13. Click the “Edit” button above the “Rule syntax” box.
14. Paste the query into the “Rule syntax” box.
15. Click the “Apply” button above the “Rule syntax” box.
16. Click the “Done” button.
17. Click the policy’s “Save” button. Continue checking the rest of the Conditional Access Policies.
2. Enter a name for the policy.
3. Click the “0 users or workload identities selected” button in the “Users or workload identities” section.
4. Click “All users” beneath the “Include” tab.
5. Click the “Exclude” tab.
6. Click “Users and groups.”
7. Add your emergency (“break glass”) account.
8. Click “No cloud apps, actions, or authentication contexts selected” in the “Cloud apps or actions” section.
9. Click “Select apps” beneath the “Include” tab.
10. Click the “None” button in the “Select” section.
11. Click the checkbox next to “Office 365.” You could instead choose these applications:
12. Click the “Select” button.
13. Click “0 conditions selected” in the “Conditions” section.
14. Click the “Not configured” button in the “Device platforms” section.
15. Set the “Configure” option to “Yes.”
16. Click on the “Select device platforms” option under the “Include” tab.
17. Click the “Android” checkbox.
18. Click the “Done” button.
19. Click the “Not configured” button in the “Locations” section.
20. Set the “Configure” option to “Yes.”
21. Click “All trusted locations” (or whatever is appropriate for your deployment) beneath the “Configure” tab.
22. Click the “Not configured” button under the “Filter for devices” section.
23. Set the “Configure” option to “Yes.”
24. Click “Include filtered devices in policy” in the “Devices matching the rule” section.
25. Click the “Edit” button to the right above the “Rule syntax” box.
26. Paste the query from before into the “Rule syntax” box.
27. Click the “Apply” button.
28. Click the “Done” button.
29. Click the “Grant access” option.
30. Click the checkbox for “Require device to be marked as compliant.” Select these options as required by your implementation. Make sure to avoid the unsupported options and Terms of Use requirements.
31. Click the “Select” button.
32. Click “Report-only” under “Enable policy.” Test the policy before turning it on.
33. Click the “Create” button.
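The two procedures above (checking existing Conditional Access policies for the “All cloud apps” and Terms of Use problems, and building the dedicated Teams Phone policy) can be re-run offline against an exported policy list. This is an added example, not code from the original article: it assumes policy objects shaped like the Microsoft Graph response to GET /identity/conditionalAccess/policies, and the filter rule text and sample policies are constructed placeholders rather than tenant data.

```python
"""Offline Teams Phone compatibility check for Conditional Access policies.

Added example, not code from the original article. It applies the article's
manual checks (steps 3-8 on existing policies, steps 2-33 on the dedicated
Teams Phone policy) to objects shaped like the Microsoft Graph response to
GET /identity/conditionalAccess/policies. Rule text and samples are placeholders.
"""

# Placeholder for the "Teams Phone" filter rule saved in step 1; paste yours here.
TEAMS_PHONE_FILTER_RULE = "<your Teams Phone filter rule syntax>"


def device_filter(policy: dict) -> dict:
    """Return the policy's deviceFilter object, or {} when none is configured."""
    return ((policy.get("conditions") or {}).get("devices") or {}).get("deviceFilter") or {}


def policy_findings(policy: dict) -> list[str]:
    """Reasons an existing policy breaks Teams Phones (empty list = compatible)."""
    findings = []
    apps = (policy["conditions"].get("applications") or {}).get("includeApplications") or []
    flt = device_filter(policy)
    excluded = flt.get("mode") == "exclude" and flt.get("rule") == TEAMS_PHONE_FILTER_RULE
    if "All" in apps and not excluded:
        findings.append("targets All cloud apps without excluding the Teams Phone filter")
    if (policy.get("grantControls") or {}).get("termsOfUse"):
        findings.append("requires Terms of Use, which Teams Phones cannot satisfy")
    return findings


def is_teams_phone_policy(policy: dict) -> bool:
    """True when a policy has the shape of the dedicated Teams Phone policy."""
    conds, flt = policy["conditions"], device_filter(policy)
    grant = policy.get("grantControls") or {}
    return ("Office365" in (conds.get("applications") or {}).get("includeApplications", [])
            and "android" in (conds.get("platforms") or {}).get("includePlatforms", [])
            and flt.get("mode") == "include" and flt.get("rule") == TEAMS_PHONE_FILTER_RULE
            and "compliantDevice" in grant.get("builtInControls", [])
            and not grant.get("termsOfUse"))


# Constructed sample export (not real tenant data).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"], "termsOfUse": []}},
    {"displayName": "Teams Phones", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["Office365"]},
                    "platforms": {"includePlatforms": ["android"]},
                    "devices": {"deviceFilter": {"mode": "include", "rule": TEAMS_PHONE_FILTER_RULE}}},
     "grantControls": {"builtInControls": ["compliantDevice"], "termsOfUse": []}},
]
```

Run `policy_findings` over every policy in the export: any non-empty result is a policy that still needs the exclusion filter added (steps 8-17 above) before the Teams Phone policy is enforced.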
Summary
eGroup | Enabling Technologies is available and ready to help you with the integration of your Teams devices into your organizational security and compliance plan. Excluding them from your security and compliance deployment is not advisable. If you need help with your Teams devices or in implementing your overall security infrastructure, please contact us today!
Cloud Solutions Architect - eGroup | Enabling Technologies
Last updated on July 26th, 2023 at 02:25 pm