Teams rooms android intune.Manage collaboration experiences in Teams for iOS and Android with Microsoft Intune
Looking for:
Provisioning Microsoft Teams Android Devices : Jeff Schertz's Blog |
- Teams rooms android intune
This article provides requirements and best practices for Conditional Access and Intune device compliance policies for Microsoft Teams Rooms that are used in shared spaces.
Teams Rooms must already be deployed on the devices you want to assign Conditional Access policies to. If you haven't deployed Teams Rooms yet, see Create resource accounts for rooms and shared Teams devices and Deploy Microsoft Teams Rooms on Android for more information. It's included in the Microsoft Teams Rooms license. Conditional Access policies can secure the sign-in process on devices that are in shared spaces and used by multiple people.
To simplify deployment and management, include all Microsoft room resources accounts associated with Teams Rooms in one user group. Below is a table of device compliance settings and recommendations for their use with Teams Rooms. Below is a table of device compliance settings and recommendations for their use with Teams phones and displays.
Below is a table of device compliance settings and recommendations for their use with Teams panels. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Table of contents Exit focus mode. Table of contents. Note Teams Rooms must already be deployed on the devices you want to assign Conditional Access policies to. Note Skype for Business Online is retired and not supported.
Note Microsoft Teams Rooms on Windows must meet the following requirements to support device compliance grant controls: Microsoft Teams Rooms application 4. Require code integrity Supported Code integrity is already a requirement for Teams Rooms. Device Properties -- -- Operating System Version minimum, maximum Not supported Teams Rooms automatically updates to newer versions of Windows and setting values here could prevent successful sign-in after an OS update.
These policies, at a minimum, must meet the following conditions:. They include all Microsoft mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can access and manipulate work or school data within any Microsoft app in a secure fashion. They're assigned to all users. This ensures that all users are protected, regardless of whether they use Teams for iOS or Android.
Determine which framework level meets your requirements. Most organizations should implement the settings defined in Enterprise enhanced data protection Level 2 as that enables data protection and access requirements controls. For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings. To apply Intune app protection policies against apps on Android devices that aren't enrolled in Intune, the user must also install the Intune Company Portal.
Teams for iOS and Android supports app settings that allow unified endpoint management, like Microsoft Endpoint Manager, administrators to customize the behavior of the app. Teams for iOS and Android supports the following configuration scenarios:. For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Teams for Android must be deployed via the Managed Google Play store.
For more information, see Set up enrollment of Android Enterprise personally-owned work profile devices and Add app configuration policies for managed Android Enterprise devices. Each configuration scenario highlights its specific requirements.
If sign-in frequency is enforced for room accounts, shared devices will sign out until they are signed in again by an admin. Microsoft recommends excluding shared devices from any sign-in frequency policies.
Filters for devices is a feature in Conditional Access that allows you to configure more granular policies for devices based on device properties available in Azure AD.
You can also use your own custom values by setting extension attributes on the device object and then using those. Use filters for devices to identify your common-area devices and enable policies in two key scenarios:. Excluding shared devices from policies applied for personal devices.
For example, requiring device compliance isn't enforced for shared devices used for hot desking, but is enforced for all other devices, based on model number. Enforcing special policies on shared devices that should not be applied to personal devices. Some attributes such as model , manufacturer , and operatingSystemVersion can only be set when devices are managed by Intune. If your devices are not managed by Intune, use extension attributes.
Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Table of contents Exit focus mode. Table of contents. Note Policies for Android mobile devices may not apply to Teams Android devices.
Teams rooms android intune
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. The goals of devices used with Teams make different device management strategies necessary. For example, a personal business tablet used by a single sales person has a different set of needs from an on-call phone shared by many customer service people.
Security administrators and operations teams must plan for the devices that can be used in the organization. They must implement security measures best suited to each purpose. This article's recommendations make some of those decisions easier. Shared Teams devices can't use the same requirements for enrollment and compliance that are used on personal devices.
Applying personal device authentication requirements to shared devices will cause sign in issues. Accounts used on Teams devices have a password-expiration policy. The accounts used with shared devices don't have a specific user to update and restore them to a working state when their passwords expire. If your organization requires passwords to expire and reset occasionally, these accounts will stop working on Teams devices until a Teams administrator resets the password and signs back in.
Challenge : When it comes to accessing. Teams from a device, a person's account has a password-expiration policy. When the password is going to expire, they simply change it. But accounts used on shared devices Resource accounts may not be connected to a single person who can change a password as required.
This means a password can expire and leave workers on the spot, not knowing how to resume their work. When your organization requires a password reset or enforces password expiration, be sure a Teams administrator is prepared to reset the password so these shared accounts can sign back in. Challenge : Shared devices can't comply to Azure AD Conditional Access policies for user accounts or personal devices.
If shared devices are grouped with user accounts or personal devices for a Conditional Access policy, the sign-in will fail. For example, if multi-factor authentication is required for accessing Teams, user entry of a code is needed to complete that authentication. Shared devices don't generally have a single user that can configure and complete multi-factor authentication.
Also, if the account must reauthenticate every X days, a shared device can't resolve the challenge without a user's intervention. Multi-factor authentication isn't supported with shared devices. The methods to use instead are outlined below. Teams shared devices should use an Exchange resource mailbox. Creating these mailboxes generates an account automatically. Any password expiration policies for users will also apply to accounts used on Teams shared devices, therefore, to avoid disruptions caused by password expiration polices, set the password expiration policy for shared devices to never expire.
Instead of sharing passwords with technicians to set up devices, Tenant administrators should use remote sign-in to issue verification codes. Sign in can be done for these devices from the Teams admin center. For more information, see Remote provisioning and sign in for Teams Android devices. Azure AD Conditional Access sets additional requirements that devices must meet in order to sign in.
For Teams devices, review the guidance that follows to determine if you have authored the policies that will allow shared device users to do their work. Accounts for shared devices are linked to a room or physical space, rather than to an end user account.
Because shared devices don't support multi-factor authentication, exclude shared devices from any multi-factor authentication policies. Use either named location or require compliant device to secure shared devices.
If shared devices are provisioned in a well-defined location that can be identified with a range of IP addresses, you can configure Conditional Access using named locations for these devices. This conditional will allow these devices to access your corporate resources only when they are within your network. If you're enrolling shared devices into Intune, you can configure device compliance as a control in Conditional Access so that only compliant devices can access your corporate resources.
Teams devices can be configured for Conditional Access policies based on device compliance. To set compliance setting for your devices using Intune, see Use compliance policies to set rules for devices you manage with Intune. Shared devices being used for hot desking should be excluded from compliance policies. Compliance polices prevent the devices from enrolling into the hot desk user account.
Instead, use named locations to secure these devices. In Conditional Access, you can configure sign-in frequency to require users to sign in again to access a resource after a specified time period. If sign-in frequency is enforced for room accounts, shared devices will sign out until they are signed in again by an admin. Microsoft recommends excluding shared devices from any sign-in frequency policies. Filters for devices is a feature in Conditional Access that allows you to configure more granular policies for devices based on device properties available in Azure AD.
You can also use your own custom values by setting extension attributes on the device object and then using those. Use filters for devices to identify your common-area devices and enable policies in two key scenarios:. Excluding shared devices from policies applied for personal devices. For example, requiring device compliance isn't enforced for shared devices used for hot desking, but is enforced for all other devices, based on model number. Enforcing special policies on shared devices that should not be applied to personal devices.
Some attributes such as model , manufacturer , and operatingSystemVersion can only be set when devices are managed by Intune. If your devices are not managed by Intune, use extension attributes. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Table of contents Exit focus mode. Table of contents. Note Policies for Android mobile devices may not apply to Teams Android devices. Tip Use either named location or require compliant device to secure shared devices.
Note Shared devices being used for hot desking should be excluded from compliance policies. Note Some attributes such as model , manufacturer , and operatingSystemVersion can only be set when devices are managed by Intune. Submit and view feedback for This product This page.
View all page feedback. In this article.
Comments
Post a Comment