Are there any technical differences between the two other than the integration with the system? Are work profiles less isolated than Private Spaces, if so, how?
Difference between Work Profile and Private Space?
The big and obvious difference is that Private Spaces doesn't require a privileged device admin app.
Beyond that, I have the same questions.
Probably9857 Main questions would be:
- Do work profiles have separate encryption keys like Private Spaces do?
- Can apps installed in the owner profile identify what apps are installed in work profiles and vice versa?
DeletedUser88 Can apps installed in the owner profile identify what apps are installed in work profiles and vice versa?
Regarding Private Spaces (not work profiles):
When the Private Space is locked: no
When the Private Space is unlocked:
The default launcher can definitely see apps in the Private Space.
An app store might be able to see what is installed in the Private Space.
User-installed apps with special privileges (device admin, for example): unclear
Most user-installed apps: presumably not, per @fid02's testing
I don't have enough knowledge of work profiles to say...and now I realize that was really what you were asking about...
Probably9857 I don't have enough knowledge of work profiles to say...and now I realize that was really what you were asking about...
haha yeah.
Others could come across this thread and learn something new though :)
It's an alternative name just meant to grab users not already using Work or secondary profiles already.
I am behind in the naming schemes though. I still think of other apps as other users on the system. And profiles were what individual apps used for shared+saved user preferences and settings. I am behind the times tho
I think what security a work profile provides and not is heavily dependent on what device admin app one uses. A private space has a very specific security configuration, but a work profile is very flexible in how it can be set up. I think the device admin app can disable most security and profile isolation for the work profile. As such I don't think this question can be meaningfully answered, other than that private space will be at least as secure as the most secure work space configuration.
DeletedUser88 Are work profiles less isolated than Private Spaces, if so, how?
Private Space disallows sending of pretty much all intents to apps in owner profile
Telephony intents are routed to the main user and display a notification. All other intents are limited to private profile, and are not redirected.
https://source.android.com/docs/security/features/private-space
The level of isolation of the work space is set by the app which creates the space and then is managed by that app
The profile admin can choose which intents are allowed to cross from one profile to another. Since the IT admin makes this decision, there's no way for you to know in advance which intents are allowed to cross this boundary. The IT admin sets this policy, and is free to change it at any time.
https://developer.android.com/work/managed-profiles
I had a quick look at Shelter and it allows some kinds of intents to cross
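What "the profile admin can choose which intents are allowed to cross" looks like in code, as an added example that is not part of the original post and is not taken from Shelter or any other app: a profile-owner app opens or closes the share-sheet path with the `DevicePolicyManager` cross-profile intent filter calls. `ExampleAdminReceiver`, `CrossProfilePolicy` and `allowSharing` are hypothetical names.

```kotlin
import android.app.admin.DeviceAdminReceiver
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.content.Intent
import android.content.IntentFilter

// Hypothetical admin receiver of the profile-owner app (declared in its manifest).
class ExampleAdminReceiver : DeviceAdminReceiver()

object CrossProfilePolicy {

    // Runs inside the work profile, in the app that is its profile owner.
    fun apply(context: Context, allowSharing: Boolean) {
        val dpm = context.getSystemService(DevicePolicyManager::class.java)
        val admin = ComponentName(context, ExampleAdminReceiver::class.java)

        // Only the profile owner may change these rules; any other caller
        // gets a SecurityException from the calls below.
        if (!dpm.isProfileOwnerApp(context.packageName)) return

        // Start from the strict state: drop every filter this admin added.
        // Filters the system installed when the profile was created stay.
        dpm.clearCrossProfileIntentFilters(admin)
        if (!allowSharing) return

        // Share-sheet intents carrying any MIME type.
        val share = IntentFilter(Intent.ACTION_SEND).apply {
            addCategory(Intent.CATEGORY_DEFAULT)
            addDataType("*/*")
        }
        // Work apps may hand a share intent to personal-profile activities.
        dpm.addCrossProfileIntentFilter(
            admin, share, DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED
        )
        // Personal apps may hand a share intent to work-profile activities.
        dpm.addCrossProfileIntentFilter(
            admin, share, DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT
        )
    }
}
```

These filters apply to activity intents only, and the admin app can call `apply` again at any time with a different setting, which is why the policy cannot be known in advance from outside the admin app.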
Carlos-Anso If I install sandboxed google play and banking app in private space, can sandboxed google play communicate with the owner's profile apps and data in any way?
I understood that the clipboard is shared and files can be moved using the file picker, but if the private space disallows sending almost all intents to apps in owner profile does that mean there is no inter-application communication (IAC) and inter-process communication (IPC) (intents, services, broadcasts, binders) between private space and owner profile?
Asking only to be sure. Thank you.
Work profile also has a separate set of contacts. I guess Private Space does not have that. It can probably be solved with contact scopes.
As for me, I use the work profile mainly to be able to mute a set of apps. If the functionality is similar, I'd probably drop the work profile and the Island app, managing that.
Carlos-Anso Do you know if both Work Profile and Private Space have separate encryption keys from the owner profile?
https://xcancel.com/GrapheneOS/status/1773413099518751067#m
You need a management for it. We've largely obsoleted them already beyond the remaining use case for having 2 groups of apps which can't communicate with each other. Apps CAN detect apps within same user between work and non-work profile.
So it seems apps can detect which apps are available between a work and non-work profile but cannot communicate with them through IPC.
DeletedUser88 Do you know if both Work Profile and Private Space have separate encryption keys
Private space has separate encryption key and separate weaver slot just like secondary users, as long as you select to use separate credentials when setting up the private space.
For work profiles, it is the device management app that creates the work profile that decides. It can choose to not have any credentials at all if it wants.
DeletedUser88 but cannot communicate with them through IPC.
If the device admin app that created the work profile allows apps to communicate cross-profile, they can communicate cross-profile.
Private space prevents all such cross-profile communication. Except for telephony, as @Carlos-Anso described.
andrej567 As for me, I use the work profile mainly to be able to mute a set of apps.
Also a key benefit of the work profile-based compartmentalization (I use Shelter) that is important for me.
Not only is it less distracting to have the invasive apps receive notifications only when I'm actively using them, it's also great for my peace of mind to know that none of the apps in my work profile are running any background processes, as I can "freeze" them whenever I'm done using the apps.
Not sure if this is a feature available in Private Space though.
Vagabond8630 Not sure if this is a feature available in Private Space though.
Yes, it is. If you lock the private space, all apps running in it are entirely shut down and cannot start again until you unlock the private space again.
Yes, for me the big advantage of a work profile managed by the usual Shelter or Island apps is the auto-freeze/unfreeze feature. Private space is a nice addition; it allows me to now run 3 profiles without switching, plus you can run a separate user profile on top of them, because the private profile doesn't seem to count in the 3 profiles running simultaneously limit, or maybe they raised it to 4.
It would be nice if the freeze/unfreeze feature was built into the OS using the GrapheneOS app deactivation feature that is already included, because no matter what, some apps keep starting for whatever reasons without/against the user's consent even when force stopped.