To start, Graphene + sandboxed Google Play is a MASTER WORK in software development. Hoping you can help me solve this edge case.
tl;dr: Job requires a work profile to access Google apps. This profile requires the Android Device Policy Google app to provision and set up the work profile. Despite using sandboxed Google Play services and even granting it endless permissions, I'm unable to successfully set up the work profile.
My job uses Google apps for things like email, calendar, drive etc. In order to access them on mobile, when adding your Google account to the device, a workflow is kicked off to create a work profile provisioned using the Android Device Policy app. I've set this up successfully on one phone running OxygenOS with a fully stock Play services implementation. But with GrapheneOS I'm hitting some snags. Here's the repro:
- User has freshly installed GrapheneOS, only 1 owner profile exists
- User has installed Sandboxed Google Services Framework, Google Play Services and Google Play Store. User has granted Google Play services the ability to run in the background but made no other changes.
- User has set up their personal Google account on owner profile
- User begins setup for new Google account, which will attempt to generate work profile for the Owner during the process. User is transferred to 3rd party authentication provider and successfully logged in. User is transferred back to Google Play services which now attempts to continue.
ACTUAL: Google Play Services crashes (crash log in spoiler below)
EXPECTED: Google Play services continues to set up work profile.
Crash log:
```
type: crash
osVersion: google/cheetah/cheetah:13/TD1A.220804.031/2022102800:user/release-keys
package: com.google.android.gms:224113044
process: com.google.android.gms.ui
java.lang.SecurityException: Permission Denial: starting Intent { act=android.app.action.PROVISION_MANAGED_DEVICE_FROM_TRUSTED_SOURCE cmp=com.android.managedprovisioning/.PreProvisioningActivityViaTrustedApp (has extras) } from ProcessRecord{a741114 6636:com.google.android.gms.ui/u0a154} (pid=6636, uid=10154) requires android.permission.DISPATCH_PROVISIONING_MESSAGE
at android.os.Parcel.createExceptionOrNull(Parcel.java:3021)
at android.os.Parcel.createException(Parcel.java:3005)
at android.os.Parcel.readException(Parcel.java:2981)
at android.os.Parcel.readException(Parcel.java:2923)
at android.app.IActivityTaskManager$Stub$Proxy.startActivity(IActivityTaskManager.java:2043)
at android.app.Instrumentation.execStartActivity(Instrumentation.java:1807)
at android.app.Activity.startActivityForResult(Activity.java:5521)
at gwf.platform_startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at gwe.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at com.google.android.chimera.android.Activity.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at haq.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at gwc.support_startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at gwh.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at hbi.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at gwh.public_startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at gwf.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):3)
at android.app.Activity.startActivityForResult(Activity.java:5440)
at gwf.platform_startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at gwe.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at com.google.android.chimera.android.Activity.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at haq.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at gwc.support_startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at gwh.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at hbi.startActivityForResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at com.google.android.gms.auth.managed.ui.EmmChimeraActivity.l(:com.google.android.gms@224113044@22.41.13 (190400-480714934):38)
at ozo.x(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at ozo.c(:com.google.android.gms@224113044@22.41.13 (190400-480714934):5)
at cfn.a(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at ccy.b(:com.google.android.gms@224113044@22.41.13 (190400-480714934):4)
at ccy.f(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at ccy.l(:com.google.android.gms@224113044@22.41.13 (190400-480714934):2)
at cfm.l(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at cfm.onLoadComplete(:com.google.android.gms@224113044@22.41.13 (190400-480714934):1)
at cfx.deliverResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):0)
at yyh.deliverResult(:com.google.android.gms@224113044@22.41.13 (190400-480714934):0)
at cfr.c(:com.google.android.gms@224113044@22.41.13 (190400-480714934):6)
at cga.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):3)
at android.os.Handler.handleCallback(Handler.java:942)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loopOnce(Looper.java:201)
at android.os.Looper.loop(Looper.java:288)
at android.app.ActivityThread.main(ActivityThread.java:7904)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:548)
at com.android.internal.os.ExecInit.main(ExecInit.java:49)
at com.android.internal.os.RuntimeInit.nativeFinishInit(Native Method)
at com.android.internal.os.RuntimeInit.main(RuntimeInit.java:355)
```
I have been able to get past this by opening up a Google app like Google Calendar, which will prompt me to finish my account setup and "Fix the problem". That repro is continued below:
- User has pre-installed Android Device Policy app required by organization.
- User goes into Google Calendar and clicks "fix the problem" to go back into Google Play services to continue the account setup process.
- Google Play services thinks, then launches the Android Device Policy app to set up the work profile
- User clicks "accept and continue"; the app walks through some screens. User clicks next.
ACTUAL: Screen says "work profile setup in progress" followed by "Can't setup work profile". There is no debug report or additional information. "Try again" does nothing and "cancel setup" removes the in-progress work profile from the device. User is signed out from Google account.
EXPECTED: User can set up work profile successfully via Android Device Policy app
I've tried granting every permission under the sun (literally enabling everything in the app permissions page) to Play services, Play Store, Android Device Policy, etc. Nothing has solved the problem. Has anyone provisioning work profiles with Android Device Policy been successful? If so, please share tips! If not, I'll file a bug.
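
Added example (not part of the original post, and not GrapheneOS or Google code): a small Python triage helper that pulls the caller, target and required permission out of the `Permission Denial` line in the crash log above and checks that the `u0a154` process tag agrees with `uid=10154`. The function name `parse_denial` and the trimmed sample are constructed for this example; it also accepts the "not exported" form of the same message, which goes beyond the single case in the post.

```python
import re

# Trimmed copy of the crash log from the post (header fields + exception line).
SAMPLE = """\
type: crash
package: com.google.android.gms:224113044
process: com.google.android.gms.ui
java.lang.SecurityException: Permission Denial: starting Intent { act=android.app.action.PROVISION_MANAGED_DEVICE_FROM_TRUSTED_SOURCE cmp=com.android.managedprovisioning/.PreProvisioningActivityViaTrustedApp (has extras) } from ProcessRecord{a741114 6636:com.google.android.gms.ui/u0a154} (pid=6636, uid=10154) requires android.permission.DISPATCH_PROVISIONING_MESSAGE
at android.os.Parcel.createExceptionOrNull(Parcel.java:3021)
"""

DENIAL = re.compile(
    r"Permission Denial: starting Intent \{ (?P<intent>.*?) \} "
    r"from ProcessRecord\{\S+ \d+:(?P<proc>[^/]+)/(?P<tag>[^}]+)\} "
    r"\(pid=\d+, uid=(?P<uid>\d+)\) "
    r"(?:requires (?P<perm>\S+)|not exported from uid (?P<owner>\d+))"
)
PER_USER_RANGE = 100000  # AOSP UserHandle.PER_USER_RANGE
FIRST_APP_UID = 10000    # AOSP Process.FIRST_APPLICATION_UID


def parse_denial(log: str):
    """Return a dict describing the first activity-start denial, or None."""
    m = DENIAL.search(log)
    if m is None:
        return None
    intent = dict(kv.split("=", 1) for kv in m["intent"].split() if "=" in kv)
    uid = int(m["uid"])
    user, app_id = divmod(uid, PER_USER_RANGE)
    # Rebuild the "u<user>a<n>" tag for a regular app uid and compare it.
    tag = f"u{user}a{app_id - FIRST_APP_UID}" if app_id >= FIRST_APP_UID else None
    return {
        "action": intent.get("act"),
        "target_package": intent.get("cmp", "/").split("/")[0] or None,
        "caller_process": m["proc"],
        "caller_user": user,
        "caller_app_id": app_id,
        "uid_matches_tag": tag == m["tag"],
        "required_permission": m["perm"],
        "not_exported": m["owner"] is not None,
    }


if __name__ == "__main__":
    for key, value in parse_denial(SAMPLE).items():
        print(f"{key}: {value}")
```

The `required_permission` field is the name to look up in the platform manifest: a permission whose protection level is signature or privileged is not something the app permissions page can grant.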