Are you also facing this error when trying to enroll a Teams Android phone, such as a Poly CCX500 or a Teams Yealink phone, in Microsoft Intune?
If you are enrolling a Microsoft Teams Android phone in Intune and the enrollment fails with “Signing Out..couldn’t enroll in Intune”, follow the steps in the summary section to learn the most common causes of failure and how to fix them.
Introduction
Android device management has come a long way since the release of Android 2.2, which introduced the Android Device Administrator as a way to manage devices. However, with the introduction of Android Enterprise, improved management functionality is now available. Google is decreasing support for device administrator in new Android releases, making it important for organizations to consider migrating to Android Enterprise. In this blog post, we will see why you are unable to enroll Teams Android phones in Intune when the error message is very generic and doesn’t provide much of a clue about the issue.
Choose the right enrollment method
Microsoft 365 provides many different Android enrollment methods, and choosing the right Android enrollment method is crucial. There are several enrollment methods for Android devices within Microsoft Intune:
- Mobile Application Management without Enrollment,
- Android Device Administrator,
- Work Profile,
- Dedicated devices,
- Fully managed devices, and
- Fully Managed Devices with Work Profile
Microsoft recommends that customers use Android Enterprise wherever possible, as it is the newer and more advanced method, but sometimes customers need to allow Android Device Administrator alongside Android Enterprise. When you use a combination of Android Enterprise and Android Device Administrator, it becomes difficult and complex to find issues in Intune device enrollments. There are a few things you must check before you can follow the steps to fix the issue.
Check License Assignment
First, make sure that the user (not the device) is correctly licensed. To do this, go to your Microsoft admin portal at https://admin.microsoft.com and log in with an account that has adequate rights to check the licenses. The user must be licensed for Intune (now called Microsoft Endpoint Manager); note that the license is still called Intune, as in the example below:
If the correct licenses are assigned to the user, the next obvious place to check is the sign-in logs in your Azure Active Directory, to see whether you are getting any errors there. If you have never checked the sign-in logs before, here is how you can check them. Again from https://admin.microsoft.com, click “show all” in the left-hand rail and look for the Azure Active Directory portal.
Once you are in the AAD portal, click Users->All Users->Sign in Logs, then check for any issues or indications there. If your Multi Factor Authentication (MFA) or Conditional Access (CA) policies are forcing any interruptions, the sign-in logs will give you a clue. Make sure to check both the interactive and non-interactive sections. You can then see which Conditional Access policy is forcing MFA, or which other incompatible policy is being applied.
All the compatible policies are provided here for easy reference; make sure to use only compatible CA policies.
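The same check can be run over an exported copy of the sign-in logs. This is an added example, not part of the original post: it assumes a JSON export whose records use the Microsoft Graph signIn field names (userPrincipalName, isInteractive, conditionalAccessStatus, appliedConditionalAccessPolicies, status.errorCode), and the sample records, UPNs and policy names are constructed.

```python
import json

# Constructed sample in the shape of Microsoft Graph signIn records; every
# value (UPNs, policy names, error codes) is made up for illustration.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "ccx500-lobby@contoso.example", "isInteractive": True,
     "conditionalAccessStatus": "failure", "status": {"errorCode": 50076},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "failure"},
         {"displayName": "Block legacy auth", "result": "notApplied"}]},
    {"userPrincipalName": "CCX500-Lobby@contoso.example", "isInteractive": False,
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53000},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure"}]},
    {"userPrincipalName": "ccx500-lobby@contoso.example", "isInteractive": False,
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"}]},
    {"userPrincipalName": "someone.else@contoso.example", "isInteractive": True,
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block unknown locations", "result": "failure"}]},
])

def blocking_policies(export_json, upn):
    """Map each CA policy that failed for `upn` to counts per sign-in type."""
    hits = {}
    for rec in json.loads(export_json):
        # UPNs are compared case-insensitively; other users are skipped.
        if (rec.get("userPrincipalName") or "").lower() != upn.lower():
            continue
        if rec.get("conditionalAccessStatus") != "failure":
            continue
        kind = "interactive" if rec.get("isInteractive") else "nonInteractive"
        code = (rec.get("status") or {}).get("errorCode")
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            if pol.get("result") != "failure":
                continue  # notApplied / success entries did not block the sign-in
            entry = hits.setdefault(pol["displayName"],
                {"interactive": 0, "nonInteractive": 0, "errorCodes": set()})
            entry[kind] += 1
            entry["errorCodes"].add(code)
    return hits

if __name__ == "__main__":
    found = blocking_policies(SAMPLE_EXPORT, "ccx500-lobby@contoso.example")
    for name, entry in found.items():
        print(name, entry)
```

A policy that shows up only under nonInteractive is easy to miss in the portal, which is why both sections need checking.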
Check Endpoint Manager Enrollment Failures
If you still don’t have a clue, this error is most likely coming from the Intune portal, specifically from the Android device platform restrictions. To check the error in more detail, head to your Endpoint Manager portal.
Endpoint Manager-> Devices-> Monitor. An example of such an error is below:
If this matches your issue and what you see in your Endpoint Manager as well, head to:
Endpoint Portal -> Devices-> Enroll Devices -> Enrollment device platform restrictions
Device identified as personal
Here we can see that our example Android Device Administrator policy is blocking personally owned device enrollment.
This is evident from the enrollment failures alert we saw earlier: this device is being identified as a personal device by Android Device Administrator, as below:
Conclusion
You have checked the basics, such as the correct license assignment and that the correct date and time are set on the phone, but could not find anything wrong. Finally, you have found that this Android phone is being identified as a personal device and is being blocked by the Android platform restrictions policies. At this point, you can allow personal devices to be enrolled, which may not be possible due to your security requirements. Otherwise, the better and recommended way is to make sure that your device is correctly identified as a corporate device. An easy way is to find the serial number of the Teams phone and add it to the device corporate identifiers, as below:
Two possible causes
You can add the serial number or IMEI either manually or by importing a CSV file if you are dealing with many devices. For more detailed steps, you can also follow the Microsoft article here: Add corporate identifiers to Intune | Microsoft Learn
The other possibility is that you have assigned the device restriction policy to a group targeting the phone device, when it should be assigned to a group that contains the user logging into the phone. The device platform restrictions policy applies to users, not devices. So make sure to target the users group(s), not the devices group(s).
And, yes, most importantly, from personal experience: whenever you change the platform restrictions policy, it can take anywhere from a few minutes up to 30 minutes before you can try logging in again. Also, if you still see the same error, it can take a few minutes, up to 10-15 minutes, before you can see new logs in the enrollment failure sections on the Endpoint Manager portal. Hope this saves some time and trouble for someone facing this issue.