gerpi
It seems like a clear security & privacy gain compared to the alternative (everything in one profile).

The tradeoff is inconvenience, switching between profiles, etc.

    gerpi and a few minor bugs in secondary profiles, such as issues with volume control while casting, and with wallpapers and widgets (although the latter supposedly have been solved recently).

      Michiel I just watched his video on this.

      Wondered what the advantage was. Google play services will constantly be running since owner is always running in the background.

      I presume google play services needs to be installed in other profiles if play store apps were pushed from owner profile.

      So unclear what benefits there are to having apps installed in owner and pushed out to other profiles..

          Frostily7047 I presume google play services needs to be installed in other profiles if play store apps were pushed from owner profile.

          It does not.

              Frostily7047 Wondered what the advantage was. Google play services will constantly be running since owner is always running in the background.

              No! That was the reason why I haven't give it a try earlier…
              But since I saw Josh's great YT video and finally have tried this setup (owner profile for install only, with Obtainium and sandboxed Google Play Services, the rest in another user profile), I have realised:
              Google Play Services are not running, while I am using the user profile! :-)

              I also used to think that it would consume far too much energy if I only used the owner profile for installation and then Google Play Services would constantly run in the background when using a user profile.
              But strangely enough, Google Play Services do not (!) run in the background if you install it as Josh shows in his video.

              Short version:
              Install the required apps in the owner profile, but do not give network permission and deactivate them immediately afterwards!
              Then assign the desired apps to the desired profile in the user administration.
              Complete app configuration (incl. permissions) is then only done once in the user profile.
              So: in my owner profile, apart from the 12 GOS apps, only AppVerifier, Bitwarden, LocalSend, Obtainium and Play Store are shown.
              No (!) other third-party app remains activated in the owner profile.

              I also didn't know before, that you can see and assign installed but deactivated apps in the user management.
              Works great with a single user profile.
              Better than using the owner profile 'normally' and one or more user profiles in addition.

                  Frostily7047 So unclear what benefits there are to having apps installed in owner and pushed out to other profiles..

                  Users who want to use a completely Google-free profile and only use apps that work entirely without Google services have the greatest benefit.
                  Anyone who needs to use apps that are unfortunately only available in the Google Play Store, but which actually work without Google Play Services, will welcome this solution.

                    Frostily7047 I presume google play services needs to be installed in other profiles if play store apps were pushed from owner profile.

                    No, as long as you do not use any apps that do not run or run poorly without sandboxed Google Play Services installed, you do not need to install sandboxed Google Play Services in your user profile.
                    If, for example, you rely on a messaging app for work that does not provide reliable notifications without Google's FCM, then you must install sandboxed Google Play Services in this user profile.

                      Eagle_Owl Google Play Services are not running, while I am using the user profile! :-)

                      I also used to think that it would consume far too much energy if I only used the owner profile for installation and then Google Play Services would constantly run in the background when using a user profile.
                      But strangely enough, Google Play Services do not (!) run in the background if you install it as Josh shows in his video.

                      how exactly did you come to this conclusion? You obviously can't see what is running in the owner profile from within user profiles. I'd love to know how you can be sure it's not running.

                          DeletedUser87 May be it is running in some way in the background. But when I try to use apps in my GPS free user profile that require GPS, they are not functioning - so it seems not to be active…

                              gerpi well of course they are not working?! That is with all apps - they can't communicate with other apps outside their user profile. Doesn't mean it's not running in the background still doing its thing and collecting data. I thought this was pretty self explanatory.

                                  Thank you all for the comments. My workflow, after factory reset, is as following (if somebody else wants to try):

                                  • Start the setup of the owner profile using pin code only
                                  • location disabled
                                  • install Accrescent from the GOS app store
                                  • install IVPN from there and activate it (I normally use Proton VPN, so I just activated IVPN for one week - 2$)
                                  • install Google Play Services
                                  • install the apps you want to use, but don't open them (the possibility to disable them I haven't been aware of - thanks @Eagle_Owl)
                                  • change the VPN from IVPN to Proton - or whatever you want to use (must be always on!)
                                  • open a new user profile and install the available apps within the new user settings
                                  • I choose to allow the user to run in the background
                                  • turn on phone calls and SMS
                                  • then I switch to the new user profile and use it as my main profile
                                  • I also open a second user profile, mainly for Android Auto and the apps I use there - with Google Play Services installed, but not logged in - and not allowed to run in the background.
                                  • Some other apps require Google Play Services - I am not sure yet, if I put them into the Android Auto profile or open a third profile - probably depending on how many it is going to be. For now it is only one, beside the map and music app for driving.

                                  There are some issues with the secondary profiles, as @Michiel pointed out. I have discovered the disability to manage the phone setup. I had disabled the data use of the phone in the owner profile and could not switch it on in my user profile. May be something @Graphene can fix?

                                  I will come back later to update with other experiences with this setup.

                                  DeletedUser87
                                  gerpi
                                  As gerpi has mentioned, no GPS support at all in user profiles.
                                  And: I would see it by checking the energy consumption!
                                  Because I have experience with the energy consumption of GPS.

                                  My Pixel 8 Pro needs more energy by running GPS in the same profile.
                                  Since I had changed the setup to the way like Josh showed it on his YT video (by running my P8P daily with one user profile as main profile) it needs the same less energy like without installed GPS!

                                        Eagle_Owl I'm sorry to say this, but relying your information on subjective perception is misleading to other users. Play Services is absolutely running in the background when switching to a different profile, as do other apps. You obviously don't have Play Services available in other profiles, that's how Android is designed. That goes for EVERY app, be it keyboard, your music player, your launcher or whatever else. Seeing anything related to energy consumption is absolutely unreliable data, since you can not check usage from other profiles. It might be less energy consumption, because the scheduler runs at higher intervals (e.g. every 15 minutes instead of every 1) but it runs. Unless you deny Play Services background access, it runs. Just like every other app that is installed in owner. And by my measurement, an active running Play Services makes up around 3-4% of energy consumption from my apps. I hardly believe this will be remotely noticeable with confidence. Meaning: we're talking margin of error here.

                                            DeletedUser87 Would be interesting to see if there is some way when not using playstore, to avoid such background data exchange. Maybe disable google services when not using playstore? Sure it's quite a demanding opsec step.
                                            Any suggestion?

                                                ototufu I guess the only way would be to limit background usage by setting to "don't allow running in the background" in the energy settings, but as far as I know it won't completely stop it from running. The only reliable way is to actually disable it.

                                                    I just redid my setup following this idea.

                                                    Main owner profile is running accrescent, obtainium, app verifier, protonvpn, bitwarden and Google play services.

                                                    Most of my apps are sourced from Play store now. Obtainium was a direct APK download verified by app verifier.

                                                    I use NextDNS system wide and I don't see a lot of Google chatter when using my second profile. (Which isnt running GPS)

                                                    I do see googleapis calls however coming my owner profile (left playstore open)

                                                    I guess the important part is GPS isn't communicating with any of my apps in my second profile when I'm using it.

                                                    24 days later

                                                    Looking through these setup threads.

                                                    Would installing an APK or aurora download on separate user profiles be more secure than having the details of these apps in your owner profile. As when your phone restarts to the owner, all apps can be found.

                                                    2 months later

                                                    • Ggerpi

                                                      • Post #22

                                                      DeletedUser87 I now can confirm that there must be a google play background activity, since my apps get updated even when I am on my user profile only.
                                                      I will try to disable Google Play in the main profile, when not using it…