can someone describe easily how work and user profiles work???
(I watched videos but don't get main idea).

  • Hulk replied to this.
    • [deleted]

    • Edited

    User Profile: This means completely different profiles where all the apps are completely reinstalled there will be different wallpapers and almost everything newly.

    Work Profile: This is present inside a user profile and requires an administrator app to function(eg.:shelter). It is very useful to have a work profile(office apps or whatever your job requires you to use) and keep it isolated from your personal profile. The administrator app could be from your office so that your boss/company could tightly control what you have access to. But, this is used in order to enhance security by compartmentalising your activity into two separate things on devices that donot have user profiles.

      [deleted] How is creating another completely different profile better than "simply" using shelter to create a work profile with "malicious" apps in it?
      In my case i use the main profile with daily apps, no google services. And banking apps, or apps requiring GSF (for notifications for example) are into the work profile with sandboxed plays services installed. Is that less safe (from a privacy POV) than having them into a totally different profile?
      Because i think it's really a pain in the *** to use a different profile in your daily usage: not having notifications on your lock screen, you have to change profile (not a 1-click procedure) to access some apps. Instead of simply dragging work profile's apps into the main screen...

        As Hulk outlined with the links it is explained in the documentation for AOSP:

        Work Profiles:

        Profile. A profile has separated app data but shares some system-wide settings (for example, Wi-Fi and Bluetooth). A profile is a subset of, and tied to, the existence of a user. A user can have multiple profiles. Profiles are created through a Device Administration application. A profile always has an immutable association to a parent user, defined by the user that created the profile. Profiles do not exist beyond the lifetime of the creating user.

        Categories of profiles

        Managed profile. Created by an application to contain work data and apps. They are managed exclusively by the profile owner (the app that created the corp profile). Launcher, notifications, and recent tasks are shared by the parent user and the corp profile.

        Users:

        User. Each user is intended to be used by a different physical person. Each user has distinct application data and some unique settings, as well as a user interface to explicitly switch between users. A user can run in the background when another user is active; the system manages shutting down users to conserve resources when appropriate. Secondary users can be created either directly via the user interface or from a Device Administration application.

        Categories of users

        Secondary user. Any user added to the device other than the system user. Secondary users can be removed (either by themselves or by an admin user) and cannot impact other users on a device. These users can run in the background and continue to have network connectivity.

        Source: https://source.android.com/docs/devices/admin/multi-user

        Android's user profiles are isolated workspaces with their own instances of apps, app data and profile data (contacts, media store, home directory, etc.). Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile (with mutual consent with the other app). Each user profile has their own encryption keys based on their lock method. They're a great fit for GrapheneOS with a lot of room for improvement.

        Source: https://grapheneos.org/features#improved-user-profiles

        Sensitive data is stored in user profiles. User profiles each have their own unique, randomly generated disk encryption key and their own unique key encryption key is used to encrypt it. The owner profile is special and is used to store sensitive system-wide operating system data. This is why the owner profile needs to be logged in after a reboot before other user profiles can be used. The owner profile does not have access to the data in other profiles. Filesystem-based encryption is designed so that files can be deleted without having the keys for their data and file names, which enables the owner profile to delete other profiles without them being active.

        GrapheneOS enables support for ending secondary user profile sessions after logging into them. It adds an end session button to the lockscreen and in the global action menu accessed by holding the power button. This fully purges the encryption keys and puts the profiles back at rest. This can't be done for the owner profile without rebooting due to it encrypting the sensitive system-wide operating system data.

        Using a secondary profile for regular usage allows you to make use of the device without decrypting the data in your regular usage profile. It also allows putting it at rest without rebooting the device. Even if you use the same passphrase for multiple profiles, each of those profiles still ends up with a unique key encryption key and a compromise of the OS while one of them is active won't leak the passphrase. The advantage to using separate passphrases is in case an attacker records you entering it.

        Source: https://grapheneos.org/faq

          • [deleted]

          • Edited

          poubellier

          poubellier How is creating another completely different profile better than "simply" using shelter to create a work profile with "malicious" apps in it?

          I cannot answer this question because I never agree with the opinion that "User Profiles" are better than "Work Profiles".
          They serve different purposes.
          If you have aquired this opinion from my initial reply to your initial question, then it is just a misconception and I never meant it or mention it that way.
          Thanks! Hope this helps.

          Edit: If you need I can suggest a setup based on your needs here.
          But still I recommend you to ask about this in the "GrapheneOS Offtopic Chatroom" in matrix.
          There will be immediate and great response from people who have prior experience.

          Another edit: Also read the documentation that is directed by the links provided by MetropleX and Hulk .

            poubellier the very information I have supplied in this thread explicitly explains that work profiles are not as isolated as user profiles. You also need a device management app that you implicitly trust to control that work profile. Knowing what it does now does not mean you know for certain that a future update won't exploit that trust.

            Please I implore you read the documentation and ask specific questions. What is your desired use case, what is your threat model, etc etc this way we can provide subjective advice based on the objective facts as provided already.

            Help yourself to help us help you.

              MetropleX my work uses M365 and you have to have the Microsoft company portal app installed in order to access resources. Is it possible to have GOS validated if they only have iOS and Android OS approved for use? Is Graphene seen as Android by other applications?

              Will having a work profile change anything?

                grapheine GrapheneOS should just be seen as Android, the only issue that might arise is if the app uses strict SafetyNet or Play Integrity API levels.

                As GrapheneOS is not a whitelisted OS there are elements of both that we cannot and will not pass. The best approach is to just install it and test it. If you have issues raise them here and we can offer possible troubleshooting approaches that might work the above aforementioned issue not withstanding.

                  MetropleX thanks. I just installed Outlook, Teams, and the Office apps. I was able to use my yubikey for mfa on all apps. I installed Intune and tried to install but after trying to install my work profile it said it cannot be installed and to ask IT.

                  [deleted] I don't know if you saw my reply, but could you share your setup?
                  Also in case you didn't see it, here's my first post:
                  Then i don't understand what are the different purposes of each solution...

                  I'm always willing to discover how others optimize their privacy. So feel free to share.

                  (It seems to be somehow a shadow banned post, and I totally understand why so no hard feelings)

                    • [deleted]

                    poubellier If you are having a Pixel device that runs stock android or other Stockish OSs then, you probably have User Profiles. At the same time you must remember that User Profiles are not that seamless to switch like User Profiles. Its ultimately your choice I prefer User profiles over Work Profiles because it is almost like completely 2 different setups for both use cases. I recommend you to do that since there is no trust needed unlike Work Profiles where you have to trust an administrator app like shelter. Also you can create how much ever profiles you like. I recommend Work Profiles to people who don't have User Profiles feature in their android device.
                    THANKS!
                    HOPE THIS HELPS!!!

                    10 months later

                    Does graphene os restrict the installation of any apps from playstore in workspace. I have enrolled my device to a mdm and am not able install few admin apps?

                      a year later

                      Currently, my job is enforcing Android work profiles. I attempted to set up a work profile on my Pixel 6, which has GrapheneOS installed. However, the setup process does not complete. When I tap the "Help & Info" button, it just returns me to the same screen, indicating that the setup was unsuccessful. Additionally, no error code is provided.

                      5 days later

                      @sjreg what i've seen is that the setup will begin but the gplay service is not installed in the work profile so it never completes the setup. The microsoft app will just spin. I tried switching and manually installing the gplay in the profile but the microsoft app doesn't seem to recognize that the profile is setup and wants to start over at which point it never continues.