Before beginning, keep in mind the following info:
- If your org doesn't enroll Teams Android devices in Intune, you don't need to create AOSP policies, and none of the Intune settings below are required.
- This new mobile device management (MDM) enrollment method replaces the legacy Device Administrator enrollment method.
- Once Device Administrator enrollment is retired, legacy devices that don't support AOSP will be signed out and unenrolled from Intune; sign them back in with an account that has no Intune license assigned, so they don't try to enroll again.
- This guide covers only Teams Android devices (let me know if you'd like a guide for non-Teams devices, and I'll be happy to post one).
- As of today, AOSP doesn't support DEM (Device Enrollment Manager) accounts, so if any of your Teams devices are signed in with an account configured as a DEM account, remove the DEM role from that account before completing this guide. Keep checking this Microsoft documentation to learn whether AOSP supports DEM accounts in the future.
- Microsoft has said Teams Android devices will be upgraded automatically in order to migrate them to AOSP. Be careful and make sure you enable AOSP before May 15th; for more info click here. Firmware updates cannot be paused.
- This migration is intended to complete without any user intervention. However, if your organization's Conditional Access policies require user-interactive multi-factor authentication, the device will be signed out after the migration and the user will need to sign in on the device again.
- Device Code Flow (microsoft.com/devicelogin) no longer supports user-interactive MFA. If user-interactive MFA is enforced by Conditional Access policies, users will need to sign in on the device directly, not via the web, so that the MFA prompt appears.
As per the hardware manufacturer's official website, after upgrading your devices to a firmware that supports AOSP, if AOSP is not enabled the device will lose its sign-in info and you have to sign in again manually. However, I already tested this and my Teams phone didn't lose its sign-in, and I hadn't enabled AOSP. Then I tried it with another phone and the same account and it lost its sign-in, lol. So please be aware that this can happen; btw, it won't happen at all if your org doesn't use Intune.
Prerequisites
- Intune licenses assigned to the accounts your Teams Android devices (Phone, Panel, Room) sign in with
- Teams Android devices already deployed and enrolled using Device Administrator
- Teams Android devices that support AOSP Device Management
Enabling Android Open Source Project (AOSP)
First, go to intune.microsoft.com and click on Devices -> Enrollment -> Android.
Scroll down to the Android Open Source Project section; under it you will find "Corporate-owned, user-associated devices". Click it, and then click Create policy.
Type in the following settings:
- Name: Meaningful name to identify it easily, for instance "Teams devices, Teams Android devices, etc."
- Description: Describe this profile to let others in your org know what this enrollment policy is used for.
- Token expiration date: 65 years is the default. I highly recommend you leave it at 65 years to avoid expiration issues. Keep in mind that an expired enrollment token prevents your Teams devices from completing sign-in and blocks new devices from enrolling.
Set the following parameters:
- WiFi: Not Configured
- For Microsoft Teams Devices: Enabled
After setting things up, click on Next.
Note: If your tenant still limits the token expiration date to 90 days, no worries; it will be extended in the future, but in the meantime you must edit your policy and renew the token expiration every 90 days. As you can see, mine was already updated and I was able to set it to 65 years.
Finally, review, make sure everything is set correctly and then select Create.
Everything is set, and your org is now ready to enroll devices.
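The same enrollment profile expressed as a Microsoft Graph request body, plus the check I would schedule against the token-expiration caveat above. This is an added example, not part of the original post or of Microsoft's own tooling: the endpoint path and property names (androidDeviceOwnerEnrollmentProfiles, enrollmentMode, isTeamsDeviceProfile, tokenExpirationDateTime) are my recollection of the Graph beta schema and should be verified against the Graph reference, and the sample response is constructed, not real tenant data.

```python
"""Added example (not from the original post): build the Intune AOSP enrollment profile for
Teams Android devices as a Graph request body, and flag profiles whose enrollment token is
close to expiry. Property names follow the Graph beta resource androidDeviceOwnerEnrollmentProfile
as I recall them (assumption: verify against the Graph docs before use)."""
import json
from datetime import datetime, timedelta, timezone

GRAPH_BETA = "https://graph.microsoft.com/beta"
# POST the body below here; GET the same URL (Authorization: Bearer <token>) to list profiles.
PROFILES_URL = f"{GRAPH_BETA}/deviceManagement/androidDeviceOwnerEnrollmentProfiles"


def build_aosp_enrollment_profile(name, description, token_years=65, now=None):
    """Request body matching the portal choices: AOSP corporate-owned, user-associated,
    'For Microsoft Teams devices' enabled, Wi-Fi not configured, token valid for token_years."""
    now = now or datetime.now(timezone.utc)
    expiry = now + timedelta(days=365 * token_years)
    return {
        "displayName": name,
        "description": description,
        "enrollmentMode": "corporateOwnedAOSPUserAssociatedDevice",
        "isTeamsDeviceProfile": True,
        "tokenExpirationDateTime": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def parse_graph_datetime(value):
    """Graph returns e.g. 2089-05-01T00:00:00.0000000Z; drop fractional seconds before parsing."""
    bare = value.split(".")[0].rstrip("Z")
    return datetime.strptime(bare, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expiring_profiles(profiles_response, within_days=30, now=None):
    """Return (displayName, days_left) for AOSP profiles whose token expires within within_days
    (a negative days_left means it already expired). An expired token blocks Teams device
    sign-in and new enrollment, so run this on a schedule, especially with a 90-day token."""
    now = now or datetime.now(timezone.utc)
    result = []
    for profile in profiles_response.get("value", []):
        if not profile.get("enrollmentMode", "").startswith("corporateOwnedAOSP"):
            continue  # Android Enterprise profiles are out of scope for this check
        days_left = (parse_graph_datetime(profile["tokenExpirationDateTime"]) - now).days
        if days_left <= within_days:
            result.append((profile["displayName"], days_left))
    return result


# Constructed sample of a GET on PROFILES_URL (not real tenant data), evaluated as of NOW.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_PROFILES = {"value": [
    {"displayName": "Teams devices",
     "enrollmentMode": "corporateOwnedAOSPUserAssociatedDevice",
     "tokenExpirationDateTime": "2089-05-01T00:00:00.0000000Z"},
    {"displayName": "Teams devices (90-day token)",
     "enrollmentMode": "corporateOwnedAOSPUserAssociatedDevice",
     "tokenExpirationDateTime": "2024-05-11T00:00:00Z"},
    {"displayName": "Kiosk (Android Enterprise)",
     "enrollmentMode": "corporateOwnedDedicatedDevice",
     "tokenExpirationDateTime": "2024-05-03T00:00:00Z"},
]}

if __name__ == "__main__":
    body = build_aosp_enrollment_profile(
        "Teams devices", "AOSP enrollment for Teams phones, panels and rooms", now=NOW)
    print(json.dumps(body, indent=2))
    print("Tokens expiring within 30 days:",
          expiring_profiles(SAMPLE_PROFILES, within_days=30, now=NOW))
```

Run it as is to see the request body and the one sample profile that trips the 30-day warning; in production, feed `expiring_profiles` the JSON from a GET on `PROFILES_URL` and page the admin well before the date, since the device impact of a lapsed token is immediate.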
AOSP Device Management Configuration and Compliance Policies (if necessary)
If your organization's Conditional Access policies require device compliance for a successful sign-in, you must create an AOSP compliance policy using the supported compliance conditions and assign it, so that your devices are marked compliant after completing the migration.
As of today, supported compliance conditions are as follows:
- Rooted devices
- Minimum OS version
- Maximum OS version
- Minimum security patch level
- Require encryption of data storage on device
If your org doesn't require it, these policies are optional; your devices will work either way. They do, however, add security controls, so you will probably want to enable them.
Note: All certified Teams Android devices enrolled in AOSP management support configuration and compliance policies. Click here to see certified devices.
Compliance Policy
Compliance policies check the supported conditions, make sure the devices meet them, and mark the devices compliant (or noncompliant, which Conditional Access then acts on).
In Intune, click Devices -> Compliance -> Create policy.
Under Platform, select Android (AOSP), and click Create.
Type in the following info:
- Name: Meaningful name to identify it easily, for instance "Compliance Policy for Teams Android Devices"
- Description: Describe this policy to let others in your org know what this compliance policy is used for.
After entering them, click Next.
When setting these parameters, be aware that every organization is different and compliance policies vary. I highly recommend at least the following:
- Set Rooted devices to Block
- Set Minimum OS version to match devices in your org (in my case, 10).
- Set Require encryption of data storage on device to Require
After that, click on Next.
Add any actions to take for noncompliant devices and click Next. The default action, "Mark device noncompliant" immediately, is what Conditional Access evaluates; add a grace period only if you accept that a failing device keeps access until it runs out.
Under Included groups, click Add groups (or Add all users); either way, you need to select the users and/or groups to assign this policy to.
For instance, click Add groups, search for the desired group and select it.
Note: The group must contain your Teams Android devices, such as Panels, Phones and/or Rooms.
After adding users/groups, click Next.
Finally, review your policy settings and, if everything is okay, click Create.
Configuration Policy (optional)
In Intune, click Devices -> Configuration -> Create -> New Policy.
Select Android (AOSP) as the platform and Templates as the profile type, then click Device restrictions and Create.
Note: The only configuration profile supported for Teams Android devices enrolled in AOSP management is "Device restrictions".
Type in the following info:
- Name: Meaningful name to identify it easily, for instance "Device Restrictions for Teams Android Devices"
- Description: Describe this profile to let others in your org know what this configuration profile is used for.
After entering them, click Next.
Under General, Block screen capture is listed; set it to Yes, then click Next.
Note: Only the "Block screen capture" restriction is supported. Hopefully more restrictions will be supported soon.
Under Included groups, click Add groups and select your group.
Click Next.
Finally, review and create.
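Both the compliance policy and the device restrictions profile above, created and assigned through Microsoft Graph in one run, with a guard that rejects compliance settings the AOSP platform does not evaluate (the page's list of five supported conditions). This is an added example, not part of the original post or of Microsoft's tooling: the resource types and property names (aospDeviceOwnerCompliancePolicy, aospDeviceOwnerDeviceConfiguration, securityBlockJailbrokenDevices, storageRequireEncryption, screenCaptureBlocked and the rest) are my recollection of the Graph beta schema and the scheduledActionsForRule shape Graph requires on create; verify them against the Graph reference before running against a tenant. The access token is assumed to come from your own auth flow.

```python
"""Added example (not from the original post): create the Android (AOSP) compliance policy and
the Device restrictions profile for Teams Android devices via Microsoft Graph and assign both
to one group. Type and property names follow the Graph beta schema as I recall them
(assumption: verify against the Graph docs before use)."""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# The five compliance conditions AOSP supports today, as Graph property names (assumed names).
SUPPORTED_AOSP_CONDITIONS = {
    "securityBlockJailbrokenDevices",  # Rooted devices: Block
    "osMinimumVersion",
    "osMaximumVersion",
    "minAndroidSecurityPatchLevel",
    "storageRequireEncryption",
}
COMMON_KEYS = {"@odata.type", "displayName", "description", "scheduledActionsForRule"}


def build_aosp_compliance_policy(name, description, min_os="10", max_os=None, min_patch=None):
    """Mirror the recommended portal settings: block rooted devices, enforce a minimum OS,
    require storage encryption. Graph requires scheduledActionsForRule on create; actionType
    'block' with a 0-hour grace period is the portal default 'Mark device noncompliant' now."""
    body = {
        "@odata.type": "#microsoft.graph.aospDeviceOwnerCompliancePolicy",
        "displayName": name,
        "description": description,
        "securityBlockJailbrokenDevices": True,
        "osMinimumVersion": min_os,
        "storageRequireEncryption": True,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",  # fixed rule name Graph expects for the default rule
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }
    if max_os:
        body["osMaximumVersion"] = max_os
    if min_patch:
        body["minAndroidSecurityPatchLevel"] = min_patch  # e.g. "2024-01-01"
    return body


def unsupported_conditions(policy_body):
    """Keys in the body that AOSP Teams devices will not evaluate (e.g. password rules);
    a policy that relies on them would not reflect what the device can actually report."""
    return set(policy_body) - SUPPORTED_AOSP_CONDITIONS - COMMON_KEYS


def build_aosp_device_restrictions(name, description):
    """Only 'Block screen capture' is supported on AOSP Teams devices today."""
    return {
        "@odata.type": "#microsoft.graph.aospDeviceOwnerDeviceConfiguration",
        "displayName": name,
        "description": description,
        "screenCaptureBlocked": True,
    }


def group_assignment(group_id):
    """Assignment body for the group that contains the Teams devices."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}}]}


def graph_post(access_token, path, body):
    """POST to Graph beta; access_token comes from your own auth flow (MSAL, az cli, ...)."""
    req = urllib.request.Request(
        GRAPH_BETA + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else None


def deploy(access_token, group_id):
    """Create both policies, refuse unsupported compliance settings, assign to the group,
    and return the two new object IDs."""
    policy = build_aosp_compliance_policy("Compliance Policy for Teams Android Devices",
                                          "Rooted: block, min OS 10, encryption required")
    bad = unsupported_conditions(policy)
    if bad:
        raise ValueError(f"AOSP compliance does not support: {sorted(bad)}")
    pol = graph_post(access_token, "/deviceManagement/deviceCompliancePolicies", policy)
    graph_post(access_token, f"/deviceManagement/deviceCompliancePolicies/{pol['id']}/assign",
               group_assignment(group_id))
    cfg = graph_post(access_token, "/deviceManagement/deviceConfigurations",
                     build_aosp_device_restrictions("Device Restrictions for Teams Android Devices",
                                                    "Block screen capture on Teams devices"))
    graph_post(access_token, f"/deviceManagement/deviceConfigurations/{cfg['id']}/assign",
               group_assignment(group_id))
    return pol["id"], cfg["id"]


if __name__ == "__main__":
    print(json.dumps(build_aosp_compliance_policy("demo", "demo", min_patch="2024-01-01"), indent=2))
    # Live: deploy("<access token>", "<group object id>")
```

The `unsupported_conditions` guard is the part worth keeping around: if someone later adds a password rule to the policy body, the script refuses to create it instead of quietly shipping a condition the devices never report on.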
That's all for today! Thanks for reading. If you have any questions, feel free to reach out. Remember to subscribe to this blog, my YT channel, and follow me on my social media.
Connect with me
- LinkedIn: Kevin Urena
- Youtube: Kevin Urena Vlogs
- TikTok: Kevin Ureña
- Facebook: Kevin Ureña Vlogs
- Twitch: Kevin_Urena
- Instagram: Kev.Urena_
If you like my blog, and it's helped you, let me know with a coffee 😃😄
- Buy me a coffee: KevinUrena :)