With vendors now starting to release the latest AOSP management-enabled firmware for their devices, I wanted to play!
Currently, Teams devices are managed by Device Administrator, and this has been deprecated.
I have a couple of devices from AudioCodes (thanks to Andy Smith and Craig Robertson!), which I am going to enroll into Intune AOSP.
In this post I am going to show you how I configured an AudioCodes C455HD with the new firmware of 2.3.480 and its enrollment into Intune, utilising Android Open Source Project (AOSP) to create a configuration policy to configure some settings on the device.
Pre-Requisites
In order for this to work, I needed a couple of bits from AudioCodes. Currently the only firmware available in the Teams Admin Centre (TAC) is for the C470HD. I needed the firmware for the C455HD; shout out to the team at AudioCodes for sending it over! When it becomes generally available, you will be able to download it from the AudioCodes firmware repository here.
You will need a way to update the phone. There are two main options with AudioCodes: OVOC Device Manager or the Android Device Utility. I have both in my environment, and I have tested both methods. I updated the device before I had configured Intune, which was a bit backwards and caused a couple of issues!
You can also use the Teams Admin Centre to update the firmware when it becomes available.
If you are using OVOC Device Manager to manage your devices and have disabled SSH and want to use the Device Utility, you will need to enable SSH in the device configuration on OVOC. The Device Utility uses SSH to connect to the devices.
With regard to Intune, make sure you have the correct level of permissions assigned for you to be able to create an Enrollment Policy and a Configuration Policy.
To automatically assign the devices to the policy, I created a Dynamic Device Security group which captures the OS (AndroidAOSP) and the Manufacturer (Audiocodes) attributes and adds them to the group.
After some additional testing, I noticed that if I hadn’t updated the Teams Application on the device first, it failed to sign back in following the update. The version I have an issue with is 1449/1.0.94.2024092304. If I updated the application first to the 1449/1.0.94.2024121004 version, the firmware works and signs in automatically, as expected.
Creating Enrollment Policy
In Intune, there are a couple of things we need to do to be able to manage the device. The first thing is to create an Enrollment Policy. This creates a Token that will be used for the enrollment process.
To do this, I signed into Intune and, under Devices, “Device onboarding”, selected “Enrollment” and then “Android”, located at the top of the page.
Under “Android Open Source Project (AOSP)” I selected “Corporate-owned, user-associated devices”.
I created a new policy, giving it a meaningful name, and selected “Enabled” for “Microsoft Teams Devices (preview)”. Note that the Token Expiration date is set 65 years into the future!
I continued to the next page and pressed “Create” to create the policy.
Now I could enroll devices into Intune!
Create Configuration Policy
Now that I have created the Enrollment Policy, I wanted to be able to add some configuration to my devices. In my example, I wanted to disable the Bluetooth and wifi features on the device.
I created a new policy by selecting “Configuration” on the Devices page, which is located under “Manage devices”.
For Platform, I ensured I selected “Android (AOSP)”, and not Android device managed or Android Enterprise. I wanted to disable the wifi and Bluetooth, and these come under the “Device Restrictions” policy.
I gave the policy a name, and a description if required, and pressed Next.
I was then presented with the configuration options. I have left the password configuration as “Device Default” as I want OVOC to continue to manage this setting.
I selected the options I wanted to configure and pressed Next.
I needed to assign the policy to a group. As previously mentioned, I use a Dynamic Device group to capture the devices when they appear in Entra ID. I added the device group and pressed Next.
I confirmed I was happy with the configuration and settings chosen and pressed “Create”.
As with anything M365, it took a while for the changes to take effect.
Confirming the Enrollment
Once the device firmware had applied, you can confirm the enrollment by looking at some of the object configuration. For example, in Entra, you can see that the device name has changed and “AOSP” has been added. The OS is also now AndroidAOSP.
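The dynamic device group and the Entra-side check described in this post, scripted with the Microsoft Graph PowerShell SDK as an added example (not taken from the original post). The group name, description and mail nickname are placeholders, and the rule assumes the OS and manufacturer values are stored exactly as quoted in the post.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and an
# account allowed to create groups and read devices.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Dynamic membership rule built from the two attributes named in the post.
# Check the manufacturer string against a real device object before relying
# on it; a mismatch leaves the group empty and the policy unassigned.
$rule = '(device.deviceOSType -eq "AndroidAOSP") and ' +
        '(device.deviceManufacturer -eq "Audiocodes")'

# Placeholder names, not taken from the post.
$groupName = 'Teams-AOSP-AudioCodes-Devices'

# Re-use the group if it already exists so the script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" |
    Select-Object -First 1

if (-not $group) {
    $params = @{
        DisplayName                   = $groupName
        Description                   = 'AudioCodes Teams devices enrolled via Intune AOSP'
        MailEnabled                   = $false
        MailNickname                  = 'teams-aosp-audiocodes'
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    $group = New-MgGroup @params
}

# Run this part after a device has been updated and enrolled.
# Lists every Entra device reporting the AndroidAOSP OS and shows whether
# the dynamic rule has already placed it in the group.
$memberIds = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object Id

Get-MgDevice -Filter "operatingSystem eq 'AndroidAOSP'" -All |
    Select-Object DisplayName, OperatingSystem,
        @{ Name = 'InGroup'; Expression = { $memberIds -contains $_.Id } }
```

A device that shows `InGroup` as False shortly after enrollment may simply be waiting for dynamic membership processing; if it stays False, compare the rule's values with the attributes on the device object.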
On the device itself, you can also look at the “about” section.
The first obvious sign is that the firmware matches what was deployed. In this instance, 2.3.480.
You will also notice that Company Portal is now missing and replaced with Authenticator and Intune.
Once the Intune changes had replicated and the device rebooted, I could see that the C455HD had taken the policy I wanted.
Below is a screenshot of the wifi configuration screen before the policy was in place. You will notice that you can configure wifi settings.
Below is a screenshot of the wifi configuration screen when the policy is in place. Now I cannot configure the wifi configuration.
Summary
So, I updated a C455HD Teams Device to the new AOSP-enabled version of the firmware, enrolled the device into Intune and applied a configuration policy to the device.
This was a quick and dirty way of “migrating” a device in a lab environment. When doing this on production devices that are already rolled out… well that will be a different ball game! However, once Intune and Entra ID configurations are in place, there will be no reason why you can't do a phased update to devices across your estate.
Just make sure you have the recent version of the Teams Application on the device and have created the enrollment policy and your configuration policies before you update your device.
Shout out again to Andy Smith and Craig Robertson from AudioCodes for their support!
Thanks for reading!