Microsoft Teams Android devices are transitioning to Intune Android Open Source Project (AOSP) device management. This migration aims to enhance reliability, improve deployment experiences for admins, and pave the way for future innovations in managing Teams devices. Additionally, there are important updates regarding device code flow (DCF) authentication policies to further secure your tenants. Read this blog post to get up to speed on all the latest updates and changes within the last two months.
The migration will occur in phases:
- Validation Phase: 0-15 days
- General Phase: 16-45 days
- Final Phase: 45-60 days
For example, if the auto-update starts on May 15th, devices in the Validation phase will update first, followed by the General phase starting May 30th, and finally the Final phase starting June 28th. Note that this update is mandatory and cannot be postponed indefinitely.
Prerequisites for Migration
To ensure a smooth migration, complete the following prerequisites:
- Create Enrollment Profiles: Set up new enrollment profiles and configuration/compliance policies in Intune.
- Install Firmware Updates: Once the AOSP-compatible firmware is available, install updates for each supported Teams device.
Step-by-Step Migration Process
Step 1: Create Enrollment Profiles
Create new enrollment profiles and configuration/compliance policies in Intune. This step must be completed before the firmware update is completed. Please note that only a few policies are supported at this time. Failure to create enrollment profiles will result in devices failing to enroll properly in Intune. Ensure the AOSP Device Management enrollment profile is created with an extended enrollment token and the Teams Devices option enabled. For step-by-step guidance, refer to the earlier blog post on AOSP device management, "Preparing for AOSP Enrollment on Teams Android Devices" (UCPrimer).
Step 2: Install Firmware Updates
When the AOSP-compatible firmware is released, install the updates for each Teams device.
The firmware update will automatically unenroll the device from Device Administrator and re-enroll it with AOSP Device Management.
HP Poly has released the latest firmware 4.5.x supporting AOSP Device Management and recommends that all owners of Poly Teams Room Android devices update to this latest version.
To avoid issues during migration, follow these recommendations:
- Device Compliance Requirement: Ensure enrollment profiles are created in Intune.
- Multi-factor Authentication (MFA): Not supported for shared devices.
- App Protection Policies: Not supported.
- Terms of Use (ToU): Not supported for shared devices.
- Sign-in Frequency: Avoid using "1 hour" or "Every time" for Teams devices undergoing migration.
Important Update for Teams Phones with MFA
Teams Phones updated to AOSP-ready firmware, such as PVOS 9.1.x, do not support device code authentication when MFA is enabled. Users must log in on the device itself in order to trigger the MFA process. For more information, see "Some Poly phones may sign out after migration to Microsoft AOSP" (HP® Support).
For further guidance on AOSP migration, refer to the Microsoft post "Moving Teams Android Devices to AOSP Device Management" (Microsoft Community Hub).
2. Policy Changes for Microsoft Teams Devices Using Device Code Flow Authentication
Microsoft has introduced new policies to enhance the security of Microsoft Teams devices using Device Code Flow (DCF) authentication. This section will guide you through the recent policy changes, their implications, and how to manage these policies effectively. Device Code Flow (DCF) authentication is a method used by devices to authenticate without requiring user interaction on the device itself. This is particularly useful for shared devices like Microsoft Teams Rooms, IP phones, and other Android-based Teams devices.
Policy Changes Overview
First announced in February 2025, Microsoft is rolling out new policies to secure tenants against potential threats to accounts using DCF authentication. The rollout began in February and will continue until May. These policies will initially be in report-only mode, allowing administrators to review their impact before enforcement.
Key Points of the New Policies:
- Report-Only Mode: Policies are initially created in report-only mode, giving administrators at least 45 days to evaluate and configure them before they are automatically enforced.
- Exclusion Lists: Administrators can create exclusion lists for accounts that sign in on Android-based shared Teams devices. This ensures that these devices can re-authenticate with DCF after sign-out.
- Impact on Shared Devices: Without exclusions, devices cannot re-authenticate with DCF, leading to a loss of remote sign-in and management capabilities.
Steps to Manage the New Policies
- Evaluate the Policies: Use the report-only mode to understand the impact of the new policies on your organization.
- Create Exclusion Lists: Identify and exclude accounts that need to sign in on shared devices. This can be done in the Microsoft Entra admin center.
- Configure Policies: Customize the Microsoft-managed policies according to your organization's specific needs.
- Microsoft Teams Rooms on Android front-of-room displays and consoles
- IP Phones (licensed as Teams Shared Devices)
- Panels
- Displays
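One way to check the migration recommendations and the DCF exclusion guidance above before enforcement, as an added example that is not from the original post or from Microsoft: it audits Conditional Access policies in Microsoft Graph JSON shape against shared Teams device accounts. The account IDs, group IDs and policies are constructed, group membership is assumed to be resolved already, and MFA required through authentication strengths is not covered.

```python
# Added example; every ID and policy below is constructed, in Microsoft Graph JSON shape.

def applies_to(policy, user_id, groups):
    """True if the policy's user scope includes the account and does not exclude it."""
    u = policy["conditions"]["users"]
    included = ("All" in u.get("includeUsers", []) or user_id in u.get("includeUsers", [])
                or groups & set(u.get("includeGroups", [])))
    excluded = user_id in u.get("excludeUsers", []) or groups & set(u.get("excludeGroups", []))
    return bool(included) and not excluded

def findings(policy):
    """Settings the page lists as unsupported or to avoid on shared Teams devices."""
    out = []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    flows = (policy["conditions"].get("authenticationFlows") or {}).get("transferMethods", "")
    if "deviceCodeFlow" in flows and "block" in controls:
        out.append("blocks device code flow")
    if "mfa" in controls:
        out.append("requires MFA")
    if "compliantApplication" in controls:
        out.append("requires app protection policy")
    if grant.get("termsOfUse"):
        out.append("requires Terms of Use")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if sif.get("isEnabled") and (sif.get("frequencyInterval") == "everyTime"
                                 or (sif.get("type"), sif.get("value")) == ("hours", 1)):
        out.append("sign-in frequency of 1 hour or every time")
    return out

def audit(policies, accounts):
    """Rows of (account, policy, state, finding) for each policy that applies to an account."""
    return [(acct, p["displayName"], p["state"], f)
            for acct, groups in accounts.items() for p in policies
            if p["state"] != "disabled" and applies_to(p, acct, groups)
            for f in findings(p)]

SHARED = {"room-1": {"grp-teams-devices"}, "phone-7": set()}  # account -> group IDs
POLICIES = [
    {"displayName": "Block device code flow", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-teams-devices"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Hourly reauth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "value": 1, "type": "hours"}}},
]
for row in audit(POLICIES, SHARED):
    print(" | ".join(row))
```

A row whose state is `enabledForReportingButNotEnforced` marks an account that would lose DCF re-authentication once the report-only policy is enforced unless it is added to the exclusion list first.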
Migrating to AOSP Device Management will bring a more reliable and improved experience for managing Microsoft Teams Android devices. Follow the steps and best practices outlined to ensure a smooth transition. DCF enhances security for device authentication using code flow