Google (Workspace) apps are not working in work profile

c3023

Dear all,

I have looked at existing discussions about GrapheneOS and work profile and learned that at the end, "some things won't work as expected", either due to sandboxed Google Services framework or the device policy app which is required for advanced MDM.

I'm totally fine with "some things not working out" (like password policies, pushing apps, etc) while using Graphene OS as long as I can use some of those Google apps at all (E.g. read my emails, upload files to Google drive, or having a call through meet etc)

I'm using Pixel 6a with latest Android 15 (patched just a few days ago). I have created a work profile through shelter and other (non Google apps) work flawlessly. I installed sandboxed Google Play Framework trough the "apps" app in the work profile (I tried to clone them from my owner profile, but this didn't work out)

As soon as the Google Play apps are installed in the work profile, I can add my work google account in the work profile. But then, none of the google apps can connect to my work account (I get a "check your network and try again" in e.g. Drive). Also the enrollment process never finishes (independent whether I'm in basic MDM or advanced MDM in Google Workspace). In Google's "manage my account" I see a "Finish signing in to continue". I click "sign in", the "big moving circle" opens, but closes after some seconds and I'm where I was before.

Looking at the logs of (e.g. Google drive), I see a lot of "Auth error getting auth" or "failed to resolve name" (while other apps in the work profile can use the internet).

All Google apps evidently have network permissions and all kinds of other permissions I thought might solve the issue. I also tried giving the sandboxed Play store app and the Play services app all kinds of permissions (including "modify system setting", etc) but nothing resolves this problem. I tried installing microG via F-Droid in the work profile, but this fails as well (also some other apps fail to install in the work profile via F-Droid, while others work).

Is this supposed to work? I already removed and re-created the work profile through shelter once and that didn't change anything. I can access my work account data when I install drive, gmail, etc in my "main" profile.

I know there is the Private space function in Android 15, but I would rather like to try to get the work profile running, as I've configured all other apps there.

thanks,

DeletedUser87

I think the type of work profile you're looking for, is the one you would find on Stock Android. Shelter and similar solutions just emulate that (proprietary) functionality, but obviously can't replicate it. I know that for setting up a work profile on Stock Android you actually need provisioning from a Google Workspace admin. If you just installed the according apps in a Shelter work profile, it might be that your organization doesn't allow just logging in - which would explain the auth error messages.This might happen if your Google account requires additional policies or resources from your organizations MDM.
From what I gather, it might not be possible to use those apps with your work account at all. I hope somebody else has more experience in that regard though.

c3023

Hello,
Thank you for your reply. I tried basic MDM ( which doesn't require the device policy app nor a work profile), but still enforces some settings like passwords: my device password fulfil those requirements). Yet it didn't work.

What puzzles me and makes me think it is the work profile to blame (and not specific requirements by Google workspace device settings), is that drive, gmail, etc just work when I add the account to my "personal/main" profile.

DeletedUser87

c3023 yes, because it can't enroll the account through the enterprise APIs, which are only available on Stock Android and are not part of AOSP, which GOS is based on. If these apps work with a simple account login, I wouldn't bother to troubleshoot any further because of the aforementioned reasons.

c3023

Sorry I think I don't follow: why does my workspace google account work with the google apps in my "main/personal" profile and not in the work profile, but this is caused by the enterprise API not available in AOSP? Because the API calls will be different if a google app identifies it is in the work profile?

What would be the best approach to get this to work on GrapheneOS? I'm mostly looking at google meet to attend meetings, mails or drive would be less important.

I will try to share my sanitized logs today.

Thank you for your support

DeletedUser87

c3023 oh sorry, I misread. It should also work in the work profile if you can simply log in to Google. Unless something like Play Services has missing permissions. If you are logged in on the main profile (owner), try logging out and only log in on the work profile.

c3023

OK, so I tried again, and it works now (with some initial quirks).

I think what went wrong initially is that I didn't exactly follow the following sequence:
1) install the play services in the work profile with the GrapheneOS apps
2) ensure yourself that MDM for you is set to basic (Maybe wait some time now).
3) add your google workspace account to your work profile (I did this through the google play store in the work profile)
4) give permission to the Google play service in the work profile to install unknown apps
5) fix some notification issue in Google play services

Before all that, I completely removed google play services from the work profile, just to be sure (might not be needed).

Some apps fail(ed) to install tough:
1) Google chrome: this is pushed from the admin (I think pushing shouldn't happen basic MDM, but it still is). But in GrapheneOS I think you first need to install the trichrome app which is not pushed. So after a lot of cleaning storage, force-stop Google play, i managed to get the option to install the Trichrome app first, then chrome went through. I have the same issue in my main/personal profile (at the time of installing chrome in my work profile, I did not have chrome installed in my main/personal profile).
2) there was also a strange thing with a PDF app (muPDF mini): it failed to install and I got the same error message as with chrome. after uninstalling it in my personal profile, I could install it in the work profile, just to fail to install in my personal profile (no biggie, I just installed the muPDF Viewer in my personal profile).

I also seem to have some strange caching issue. An old workspace account, which I used in the work profile before, still showed up to be "verified" by Google, after I deleted it (that made me completely remove and reinstall the google play services to make sure any caching is gone).

so, everything works now - location service (both GrapheneOS and Google), camera, microphone, ... I just did not do things in the correct order.