Posted on 04-28-2022 07:02 PM
Hi, First time poster here.
We have a fleet of student iPads that we're managing through Jamf, and that have Microsoft Teams deployed on them for classwork.
The students have learned that, if they tap "+ Add Account" within Teams, they can connect a personal Teams account within the app, and have been using this to send notes in class without oversight.
We've been able to limit the Windows Desktop Teams App so that it'll only allow accounts on a specific Teams "tenant ID" to sign in - and we're hoping that a similar capability is possible in the iOS Teams app via Jamf, but have had trouble finding any information about it.
Is this something that anyone has managed to accomplish, or has advice about? I'm relatively new to Jamf, so step-by-step guides are greatly appreciated.
Posted on 04-30-2022 06:24 PM
I ran into a similar issue and unfortunately, wasn't able to determine how to do this on iOS or macOS.
Also, this is a rabbit hole that will send you spiraling. Even though you block the ability within the app, will you also be preventing them from navigating to teams.microsoft.com, creating a personal Teams account and using the web interface in the same manner? Ultimately, this will have to fall to classroom management to monitor devices while in class and punish "passing notes" when found. For after school hours, you could use your institution filter to prevent access to Teams, thereby blocking both the app and website, so that they could not use it for a chat room.
Posted on 05-01-2022 05:14 PM
It has definitely been a rabbit hole so far.
I've already told the teachers that, even if we get this sorted, the students will still be able to use other Teams accounts, if they ever discover that web browsers exist (/s) - but ours is not to question why, ours just to do or die, it seems.
I'll see if I can make the suggestion of using the "View Student Screen" capability of Apple Classrooms as an added form of supervision - but I doubt that'll go over well.
(Fortunately it's not a boarding school, and the iPads don't leave the premises, so after-hours isn't an issue)
Posted on 12-09-2022 08:44 AM
I was able to limit app logins using an app config. Doing so removed the "Add Account" button and only allows the user assigned to the iPad to log in to the Teams app. I haven't tested this on macOS but I would imagine it works the same.
MS Teams App Config:
<dict>
    <key>IntuneMAMAllowedAccountsOnly</key>
    <string>Enabled</string>
    <key>IntuneMAMUPN</key>
    <string>$EMAIL</string>
</dict>
Posted on 04-26-2023 05:30 AM
In case anyone is referencing this, the solution I posted back in December of 2022 no longer works. The app config has no effect of restricting users to a specific tenant. As of this posting, I am unaware of a method to restrict the tenant without dual-enrolling devices into Jamf AND Intune. Say what you will, but co-managing in 2 MDMs looks and sounds like total chaos.
2 weeks ago
I used the following App Configuration and it was working:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
2 weeks ago
How are you using that app config (as written) with Jamf? The formatting is incorrect and "%EMAIL%" isn't a variable in Jamf.
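A pre-deployment lint for the app config discussed in this thread, added here as an example (it is not code from any poster, Jamf or Microsoft). It parses the payload, checks the two keys posted above, and flags a UPN placeholder the MDM would not substitute; `lint_app_config` and `known_vars` are hypothetical names, and the set of valid placeholder tokens is an assumption the caller supplies for their MDM product.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Key names and the "Enabled" value are the ones posted in this thread.
ALLOWED_ONLY_KEY = "IntuneMAMAllowedAccountsOnly"
UPN_KEY = "IntuneMAMUPN"
PLACEHOLDER = re.compile(r"^(\$\w+|%\w+%)$")  # $NAME or %NAME% style tokens


def lint_app_config(xml_text, known_vars):
    """Return a list of findings for a managed app config; [] means clean.

    known_vars: placeholder tokens your MDM substitutes (caller-supplied assumption).
    """
    data = xml_text.strip().encode("utf-8")
    # The config posted in the thread is a bare <dict>; wrap it so plistlib parses it.
    if not data.startswith((b"<?xml", b"<plist")):
        data = b'<plist version="1.0">' + data + b"</plist>"
    try:
        cfg = plistlib.loads(data)
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        return [f"not a parseable plist: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not a <dict>"]

    findings = []
    if cfg.get(ALLOWED_ONLY_KEY) != "Enabled":
        findings.append(f"{ALLOWED_ONLY_KEY} is missing or not the string 'Enabled'")
    upn = cfg.get(UPN_KEY)
    if not isinstance(upn, str) or not upn:
        findings.append(f"{UPN_KEY} is missing or not a string")
    elif PLACEHOLDER.match(upn):
        if upn not in known_vars:
            findings.append(f"{UPN_KEY} placeholder {upn!r} is not in known_vars; "
                            "it would reach the app unsubstituted")
    elif "@" not in upn:
        findings.append(f"{UPN_KEY} value {upn!r} is neither a placeholder nor a UPN")
    return findings


# Constructed samples based on the snippets quoted in the thread.
GOOD = ("<dict><key>IntuneMAMAllowedAccountsOnly</key><string>Enabled</string>"
        "<key>IntuneMAMUPN</key><string>$EMAIL</string></dict>")
BAD_VAR = GOOD.replace("$EMAIL", "%EMAIL%")
HEADER_ONLY = ('<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC '
               '"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">')

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_VAR", BAD_VAR), ("HEADER_ONLY", HEADER_ONLY)]:
        print(name, lint_app_config(sample, known_vars={"$EMAIL"}))
```

This checks only the form of the payload; whether the Teams app honours the keys is a separate question, and it is the one this thread is about.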
2 weeks ago
We are using Jamf School. Not sure if this makes a difference.
There is a section under the options area for Show Advanced Options with a check box to add a managed configuration. Then you can add the xml code in the box.
a week ago
@awrightfrhc, I don't mean to be pedantic, but when you deploy the app config you listed earlier via Jamf School, it removes the "Use another account" button at the MS Teams login screen?
I'm asking because I'm currently in week 4 of an open support ticket with Microsoft, and getting them to understand the issue has been challenging. It doesn't help that they have constantly bounced me between their internal teams.
a week ago
It still has the "Use another account" button but it restricts it to a Microsoft account. There is also an "Account Restrictions" button that says "Only accounts added by your IT admin are allowed."
a week ago
Ah, so yours isn't working either. Whew!
As long as that "Use another account" button is visible, students can use any Microsoft account, so they aren't restricted to just your tenant, which is the entire point of deploying this app config.
Our goal (which the app config formerly helped with by removing the "Use another account" button) is to prevent kids from signing in with their Xbox Live accounts (or other personal MS accounts) and circumventing all of the MS Teams restrictions we have in place.