Deep dive on AOSP and Teams devices
I’ve lost track of the number of times I have been asked about AOSP for Teams devices so I’m covering it here. It’s also a good time to cover it as Microsoft nears the finish line with the migration.
History
When Microsoft started supporting phones for Microsoft Teams around 7 years ago, they decided on Android as the operating system. Since these devices would be authenticating into Microsoft 365 as users, they also needed a way to add management and security for these devices. This is so IT can put a layer of control over devices that access company services and data. Regardless of whether it is a smartphone or tablet, or a Teams Android device, this management solution is Intune. The devices have to enroll themselves into Intune. How they get enrolled will differ by device. The important thing to call out is that Teams Android devices enrolled themselves using Android Device Administrator (ADA) management. Device Administrator was how management was done in early Android operating system versions, and that’s what Microsoft decided on when Teams devices started appearing.
ADA is considered a legacy method for managing Android devices. It provides basic management capabilities and was introduced with Android 2.2. Google deprecated ADA management in 2020. Intune will end support of ADA later this year.
There are other ways to manage Android devices. How they are managed depends on the device and how they are used.
Smartphones and tablets have access to a Play Store to install apps. This relies on Google Mobile Services (GMS).
Microsoft Teams Android devices only have a few apps installed, which is by design. All they need is the Teams app, an admin agent and a way to authenticate. The vendor, e.g. Logitech, also adds its own admin agent, e.g. Sync. This means they don’t need access to Google Mobile Services.
AOSP management is a more modern approach to managing Android devices, especially those without Google Mobile Services (aka NGMS devices). AOSP management offers more advanced features compared to ADA. It includes comprehensive device settings, security policies, app management, and remote management capabilities.
Where to now?
ADA and AOSP are totally different ways to manage devices in Intune. There’s also the authentication aspect. ADA used Company Portal to authenticate. AOSP actually uses Intune to authenticate. Then there are the policies. In order to enroll a device into Intune, Intune needs to know what the device is and how it should be managed. ADA devices had to be allowed to enroll in Intune. The same applies for AOSP devices. This means you need to create some policies. No, you can’t just migrate the ADA policies over and call it a day. You have to do it from scratch.
Creating the AOSP policies
Microsoft’s documentation on creating the policies for AOSP is very good. There are so few steps that anyone can follow it and it should only take you a few minutes to do.
Step 1: Create new enrollment profiles & configuration/compliance policies in Intune.
Go to Devices -> Enrollment -> Android
Scroll down to Android Open Source Project (AOSP) and click on Corporate-Owned User Associated Devices
Click on Create Policy
Give it a name, e.g. Teams AOSP Devices
Under For Microsoft Teams Devices (preview) click Enabled
Click Next and Create
Step 2: Create a new Intune Compliance Policy
Click on Devices -> Compliance
Click on Create Policy
Under Platform select Android (AOSP)
Click Create
Give the Policy a name and click Next
Under compliance settings set the following
Block Rooted Devices
Minimum OS level 10
Require encryption of data storage to YES
Click Next
Under actions for noncompliance add any additional settings you need in your org. It will mark the device as non-compliant immediately anyway. Click Next
Under Assignments click Add groups, find and select the group which includes your Android room and device accounts. You should have one of these groups already if you have Android devices. Click Next
Review and Create
If you also have any Conditional Access policies that lock things down to location, vendor and device model, or anything else for that matter, you also need to recreate these. Totally optional though.
That’s it! You can do this now. It won’t hurt anything. The point is you’ll be ready for when you do Step 3.
Step 3: Upgrade to an AOSP Device Management capable firmware
For existing devices, as long as you completed step one and the token is valid, the devices should just update and reboot. As long as the room account is in the group you added to the compliance policy it will sign in and be ready to go as normal. The firmware update will automatically un-enroll the device from Device Administrator and re-enroll the device with AOSP Device Management using the enrollment profile created in Step 1.
In Intune you’ll see the devices appear as AOSP devices. There will still be an entry for the ADA version of the devices. You can clean these up later on. For new devices, they should just sign in using the Intune authentication and appear as AOSP devices.
If you check the Teams Admin Centre (TAC) before the update, you will see that the device has the Company Portal app.
After it is updated you will see it has Authenticator and Microsoft Intune.
When will you get the update
For Logitech CollabOS devices this will be CollabOS 1.14B, which will be released to public Beta in early May 2025. The build will become Generally Available (GA) approximately 2 weeks later, around the 15th of May. The GA update will initially be available from Sync or on the device itself (which comes from Sync), followed by the Teams Admin Centre (TAC).
For availability in the TAC, Microsoft is keeping a Learn post up to date with all the latest information: “Moving Teams Android Devices to AOSP Device Management” (Microsoft Community Hub). I recommend bookmarking the page and checking it often.
The article states “Please ensure that all prerequisites for AOSP device management migration are completed for your organization to ensure a smooth migration. Your devices may sign out during migration if the prerequisites are not carried out properly.
Please see the table below for the schedule of auto updates for your devices.”
It says that for Logi devices the update will be available in the Teams Admin Centre from May, at which time you can begin manually updating devices from TAC. They go on to say that on 15th June, automatic updates will begin.
Once the auto update phase starts, the firmware updates cannot be paused. Devices will simply start automatically updating, following one of the three update rings set for each device in Teams Admin Centre:
Validation: Validation gets updates starting at day 0 and aims to complete by the end of day 15. Think of this as a test ring.
General: General gets updates at day 16 and aims to complete by the end of day 45. This is the default update ring.
Final: Final gets updates at day 45 and aims to complete by the end of day 60. Microsoft say this ring is for important rooms where more caution is needed on applying updates, so it builds in the longest delay before a device is served the update.
Conclusion and final thoughts
As I said, the prep work is easy. The hardest part for you might just be finding the team with the rights in Intune to do step one. But once you do, it is literally just one profile, which takes seconds to create. So just go do it so you’re ready.
If you are ready and you want to try out the AOSP build now you can sign up for the AOSP Device Management Migration for Teams Rooms on Android - Early Preview using the Sign Up Form.