Unfortunately, I'm forced to use Microsoft Intune, which forces me to create a work profile in the main user profile.
Creating work profiles as secondary Android users unfortunately doesn't work yet. (Side note: It seems that Google is working on enabling work profiles in secondary profiles but it doesn't seem to be available yet.)
There is a [workaround](https://discuss.grapheneos.org/d/1841-ms-intune-company-portal-with-work-profile-not-working/5) but to me it's just a matter of time until this will be blocked by Microsoft somehow (maybe it already doesn't work anymore).
My threat model: I want my company and Microsoft to have as little access to my personal data as possible. I generally don't trust Microsoft Intune.
Idea:
- Main user profile: Mostly empty and generally no personal data in there. Mainly using it for creating additional profiles + letting Microsoft Intune do its job of creating and managing the work profile.
- Secondary Android user: My actual profile with my personal apps and data.
Questions:
- How well would this isolate my personal data from Microsoft Intune?
- What are the risks?
- Is there a risk that my company would (accidentally) wipe my secondary personal profile when sending the command to wipe the work profile in the main user account?