 | Formerly known as "Collaboration Bars", Microsoft Teams Room on Android (MTRoA) devices have become widely adopted in both large and small organizations that want a native Teams room experience in their small to medium sized meeting rooms. These devices are simple to setup and manage, and provide a rich Teams meeting experience thanks to many new features introduced since these devices began shipping last year. this blogpost focuses on some of the best practices deploying and managing MTRoA specifically on the Poly Studio X30/50 devices available today. |
As of this writing, the latest firmware version available on the Poly Studio X30/50 is 3.2.3 which contains the Teams Room Update #3 and we can keep track of new MTRoA app releases in this Microsoft webpage. This version hosts many new features such as:
#1. Accounts and licensing for MTRoA
Similar to its cousin the MTR for Windows (MTRoW), MTRoA devices are best licensed using the O365 Teams Room license as this provides the most cost effective solution than other licenses such as O365 E5 and includes all the necessary components such as Teams, Exchange, Skype for Business, Intune and Phone System licenses for PSTN calling. Of course, to make PSTN Calls, either a Calling Plan or Direct Routing has to be configured and enabled for the room account. Fellow MVP Jeff Schertz has an excellent blog post on that provides step-by-step to create Teams Room accounts.
#2. Web Proxies
Web Proxies are generally not recommended for Teams Room devices as mentioned in this Microsoft Docs article However, for some organizations Web Proxies are mandatory and therefore its still supported. However, note that Microsoft Teams Rooms does not support proxy authentication as it may interfere with regular operations of the room. Ensure that Microsoft Teams Rooms have been exempted from proxy authentication before going into production. The good news is that the Poly StudioX series does support Web Proxy configuration via the web admin UI as shown below:
- 3x3 Video Layout (>10 participants)
- Auto-answer on Proximity Meeting Join
- Dual Screen support (X50 only)
- Video Spotlight
- Raise Hand
- “Rate my call” experience
- Large Gallery and Together Mode
#1. Accounts and licensing for MTRoA
Similar to its cousin the MTR for Windows (MTRoW), MTRoA devices are best licensed using the O365 Teams Room license as this provides the most cost effective solution than other licenses such as O365 E5 and includes all the necessary components such as Teams, Exchange, Skype for Business, Intune and Phone System licenses for PSTN calling. Of course, to make PSTN Calls, either a Calling Plan or Direct Routing has to be configured and enabled for the room account. Fellow MVP Jeff Schertz has an excellent blog post on that provides step-by-step to create Teams Room accounts.
#2. Web Proxies
Web Proxies are generally not recommended for Teams Room devices as mentioned in this Microsoft Docs article However, for some organizations Web Proxies are mandatory and therefore its still supported. However, note that Microsoft Teams Rooms does not support proxy authentication as it may interfere with regular operations of the room. Ensure that Microsoft Teams Rooms have been exempted from proxy authentication before going into production. The good news is that the Poly StudioX series does support Web Proxy configuration via the web admin UI as shown below:
In the options shown above, enabling WPAD will allow the StudioX to use DHCP Opt 252 to obtain a URL to automatically download a proxy auto-configuration (PAC) file. When disabled, the system will not use DHCP but we can manually specify a URL for it to download the PAC file. When Automatic Configuration is disabled, then manual proxy configuration can be entered into the system. Its important to note that in Poly firmware versions earlier than 3.2, the system will not download a PAC file without any expiry header and an error message will appear "expired". Upgrading to 3.2 or later will resolve this issue.
#3 Implementing 802.1x Network Access Control
The StudioX devices supports implemtation of 802.1x Network Access Control for high security requirements. To begin the Root CA certificate must first be loaded using the "Install Certificate" button in the network settings screen as shown below:
#3 Implementing 802.1x Network Access Control
The StudioX devices supports implemtation of 802.1x Network Access Control for high security requirements. To begin the Root CA certificate must first be loaded using the "Install Certificate" button in the network settings screen as shown below:
The file being used to install the Root CA should be in DER format and not Base64. Next, use the "Create Certificate Signing Request (CSR)" button to create a new CSR request to submit to the CA. Make sure that the Common Name (CN) matches the DNS A record of StudioX device. Once the certificate is issued by the CA, install using the same steps earlier, making sure to use DER format for the certificate file. Once the certs are ready, then navigate to the 802.1x settings and configure as necessary as shown:
#4 Upgrading Firmware
Its always best practice to keep the StudioX firmware updated and there are several ways this can be done. The easiest is via the Teams Admin Center (TAC) where multiple devices can be upgraded within a schedule time or manually initiated by the TAC administrator as shown below:
Its always best practice to keep the StudioX firmware updated and there are several ways this can be done. The easiest is via the Teams Admin Center (TAC) where multiple devices can be upgraded within a schedule time or manually initiated by the TAC administrator as shown below:
To use the TAC for firmware updates, the StudioX must first be signed into Teams before it will appear in the TAC. Another method of upgrading the firmware without signing into Teams first is to use the device's Web Admin UI. First the firmware must be downloaded from the Poly Support website and thereafter, we can use the Web Admin UI and choose "Download Update From" = "Polycom Support Site" as shown below:
The device will automatically check for firmware updates and allow a manual initiation of the upgrade process. Note that this method cannot be scheduled. Using either of the above methods will update the firmware of both the StudioX and the TC8 if one is paired. Lastly, the firmware of the StudioX can also be updated by downloading the file from the Poly Support website and loading it into the root of a USB stick. Simply plug the USB device into the USB-A port of the Studio to initiate the update process.
#5. Company Portal Issues during Sign-in
There may be cases where during Teams sign-in, the device gets stuck at the Company Portal page or the system gets thrown back to the login page after clicking on the "Sign-in" button. When this happens, there are several things to check. Firstly, check the the system is able to contact a NTP server over UDP to get the correct time. There's no way to manually set the clock on the StudioX. Second, make sure that the necessary firewall rules are allowed for the device and the list of ports and addresses are provided by Microsoft in the Office 365 URLs and IP address ranges webpage. Make sure all ports and addresses stated as "Required" are allowed for the StudioX. Thirdly, make sure Intune is disabled or bypassed for accounts used by the StudioX. A good blogpost by fellow MVP Adam Jacobs shows how to create a dynamic group in AzureAD that can be used to bypass Intune policies that are implemented for regular user accounts. Fourthly, make sure that the accounts used to sign in on the StudioX are exempted from Azure AD Conditional Access policies as these are not supported for MTRoA devices. Finally, if Multi-factor Authentication (MFA) is enabled for the StudioX accounts, then the web sign-in method should be used to login to Teams as shown below:
#5. Company Portal Issues during Sign-in
There may be cases where during Teams sign-in, the device gets stuck at the Company Portal page or the system gets thrown back to the login page after clicking on the "Sign-in" button. When this happens, there are several things to check. Firstly, check the the system is able to contact a NTP server over UDP to get the correct time. There's no way to manually set the clock on the StudioX. Second, make sure that the necessary firewall rules are allowed for the device and the list of ports and addresses are provided by Microsoft in the Office 365 URLs and IP address ranges webpage. Make sure all ports and addresses stated as "Required" are allowed for the StudioX. Thirdly, make sure Intune is disabled or bypassed for accounts used by the StudioX. A good blogpost by fellow MVP Adam Jacobs shows how to create a dynamic group in AzureAD that can be used to bypass Intune policies that are implemented for regular user accounts. Fourthly, make sure that the accounts used to sign in on the StudioX are exempted from Azure AD Conditional Access policies as these are not supported for MTRoA devices. Finally, if Multi-factor Authentication (MFA) is enabled for the StudioX accounts, then the web sign-in method should be used to login to Teams as shown below:
That concludes this blog post on some of the best practices deploying and managing Poly StudioX devices. Hopefully, the 5 tips above are helpful for anyone hoping to successfully deploy and manage these MTRoA solutions in their O365 tenants.
RSS Feed