MS Intune company portal with work profile not working

B0b3r

wild
I think your guess was right. I checked when the first person reported it as not working ( @Yoga5841 on 11.04.2025) and went through the commits of the release 6 days earlier. Found this commit:
https://github.com/GrapheneOS/platform_frameworks_base/commit/7d9c83bc9a5b09a8e982f375a7a4a17a0f32de8f

Based on the comment (and my understanding of it), adb debugging is being disabled by default since this build and thus installing apks via adb is not working anymore (which is also explicitly mentioned).
https://github.com/GrapheneOS/platform_frameworks_base/blob/7d9c83bc9a5b09a8e982f375a7a4a17a0f32de8f/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java#L10412

As far as my understanding goes, downgrading is not possible as this would go against the security model.
The only possibility would be re-installing with an older image, the problem now is that the official GrapheneOS Servers do not store the images that long... The oldest version I was able to access was 2025041100 which already has this patch, so we are 1 week too late.

I saw that there is a 42GB file for this version on archive.org, but I have not yet checked if it contains compiled builds and if they are also signed. Do not install GrapheneOS images from 3rd parties which are not signed by the official key! :-)

wild

B0b3r damn, great detective work. Good thing I didn't remove my work profile to do more testing.

I guess the only hope now is this: https://github.com/GrapheneOS/platform_frameworks_base/pull/147

Luckily I was able to add HeliBoard in my work profile, because I'm not a fan of the default keyboard. This won't be possible in the future even if that pull request gets merged.

But Yoga5841 also reported that shelter itself wasn't able to add applications to its own work profile. Shouldn't that have nothing to do with ADB?

Yoga5841

wild But Yoga5841 also reported that shelter itself wasn't able to add applications to its own work profile.

My bad, I meant that I was unable to use adb to add apps to the shelter profile. The shelter app is able to add new apps.

binarymelon

wild I guess the only hope now is this: https://github.com/GrapheneOS/platform_frameworks_base/pull/147

It's a shame it wasn't implemented prior to locking down ADB, but at least it looks like it's being worked on. I definitely picked the wrong time to attempt de-googling.

B0b3r

binarymelon I digged a bit more and the locking down of ADB actually comes from Google:
https://android.googlesource.com/platform/frameworks/base/+/2095d130b4d7f2ba1a3284abb58ca894817f5f4a

The signature of the image I tested from archive.org is valid according to the command from the CLI installer. I still would not trust it myself and would prefer the direct source. As it is no real solution in the end anyway (it will require a re-install), it seems like we have to wait for the merge of that pending pull-request.

ray

B0b3r
Thank you for digging into this, I guess we will wait until this issue is resolved by GOS Devs for our further testing.

Felttie

Hi all. I am also in situation where company requires a work profile to get teams and work email working. I hope in close future there is "easy" way to get it running somehow. I was planning to move from Apple to Grapheneos, and i already bought PIxel9 Pro, but i noticed this microsoft intune issue, so i need to stay with apple still some time.

drewdatrip

Felttie this too was my plan. Wish I had found this thread prior my purchase. Really hoping this issue can be sorted as I was looking forward to attempting to migrate from Apple for work and personal.

imcyberpunked

@wild As for installing apps after successfully getting company portal working, you mentioned it wouldn't work until addressed here https://github.com/GrapheneOS/platform_frameworks_base/pull/147 Would this also cause apps to not update? I'm currently running into an issue whereby all the apps added via adb work profile creation, these apps will not update for me in the Google Play Store, I keep getting a "Blocked by IT Admin" message.

imperfect

imcyberpunked disable the app store (to avoig getting erros) and keep the apps installed in another profile (have them in my main). If you have an app specific for you company (as in not public), I guess you are out of luck.

wild

imcyberpunked I just disabled auto update in my work profile play store. The aurora store in my main profile will update the apps. For example, I have outlook on my main profile, this gets updated by aurora which will also update the outlook in the work profile. So you need to keep two copies of apps installed.

imcyberpunked

wild Ahh I see and understand now, perfect! I got my apps updating this way... Would this mean I also need the sandboxed Google play services installed on my personal Owner profile as well to keep it updated on the work profile? Would the work profile require this to be updated? If so I'd imagine it would be defined by an Intune policy that has this requirement but hopefully not. imperfect Thanks for the tip, I have this disabled now to avoid the conflicting issues.

imperfect

imcyberpunked the graphene app store has permissions to update it's apps in the work profile. So you do not have that issue with the sandboxed google apps.

wild

imcyberpunked like imperfect said, anything installed by the graphene app store doesn't have that issue. So after the initial set up, you can remove the sandboxed play store/services from your personal profile. The graphene app store in the work profile will update those. For the other things, you can use aurora from your personal profile.

imcyberpunked

@wild @imperfect Thanks!

g0mml

Any news on the relevant commit on github?

oogieboogie

Hey all. New Graphene user here (as of two days ago). Hit my head against the wall until something worked –– solution is only possible due to this thread, specifically @wild's method.

Note: the below solution is just working as of now (6/30/25), and the solution was for Android Device Manager (not Intune), though it might still work.
Problem: As laid out previously in this thread, Android Device Manager can't access GMS / Play Services / Play Store, which is needed for authentication. In the past, you could just use adb to install-existing on the new user profile, but google updated android to prevent that. If you get through these problems, a new one is presented where the new profile Play Store is seen as an unknown app, and if your org's policy requires it to install profile apps, it might not be allowed to.
Solution:

1.) Make sure you delete any existing work profile, as well as the Android Device Policy application
2.) Reboot your phone
3.) Install the Android Device Policy (you don't need to grant any extra permissions) AND any Google Apps you wish to use from the Play Store / Aurora (not tested) –– this doesn't have to come after rebooting your phone / you don't need to reinstall anything if it already exists
4.) On your comp, setup this shell file

_#!/bin/bash

INTERVAL=0.5

PACKAGES=(
com.google.android.gms #needed
com.android.vending #needed
com.google.android.gm #gmail
com.google.android.calendar #calendar
com.google.android.apps.docs #docs
com.google.android.apps.docs.editors.sheets #sheets
com.google.android.apps.docs.editors.slides #slides
com.google.android.keep #keep
com.google.android.contacts #contracts
com.google.android.apps.nbu.files #files
com.google.android.apps.chrome #chrome
com.google.android.apps.tachyon #meet
)

echo "⏳ Watching for Work profile creation..."

while true; do
USERS=$(adb shell pm list users 2>/dev/null)

WORK_LINE=$(echo "$USERS" | grep -i "Work profile")
if [[ -n "$WORK_LINE" ]]; then
USER_ID=$(echo "$WORK_LINE" | sed -n 's/UserInfo{([0-9]):./\1/p')

if [[ -n "$USER_ID" ]]; then
  echo "✅ Work profile detected with user ID: $USER_ID"
  echo "🚀 Injecting ${#PACKAGES[@]} apps into the work profile..."

  for pkg in "${PACKAGES[@]}"; do
    echo "📦 Installing: $pkg"
    adb shell cmd package install-existing --user "$USER_ID" "$pkg" >/dev/null 2>&1
    if [[ $? -eq 0 ]]; then
      echo "✅ $pkg installed successfully"
    else
      echo "⚠️  Failed to install $pkg (may not exist in owner profile)"
    fi
  done

  echo "🎉 Injection complete. You can now return to your phone and continue provisioning."
  exit 0
fi

sleep "$INTERVAL"
done_

2.1) Only the first two packages are needed –– the rest you can add or delete based on your needs. Note: my org requires a number of google apps to be installed, but this method still worked without installing all of them
2.2) if you're new to shell scripts, then just create a file with that script (vi or nano) in your platform-tools directory, go to the directory, run _chmod +x filename, and later run ./filename
3.) Go to Settings -> Passwords, passkeys & accounts -> add your org account
4.) After going through login and all, the app will crash
5.) run the shell script
6.) Go to a GSuite app, switch to your org account, click manage account, proceed with login
7.) After the user is provisioned, but before it's completed, you should be successfully able to install both the play app / services, and clone the gsuite apps to your new work profile
8.) profit

basically @wild was right, it was just tricky timing. the script allows everything to be injected after the user is provisioned but after it's finalized, which prevents the new adb system error. it's working now –– i'll keep y'all updated!

wild

oogieboogie did you test this on the latest grapheneos or an older build?

rawDawg

oogieboogie

The shell script worked for Intune using @wild's method to get started. Only a few apks were able to be cloned before the permission error:

Error: java.lang.SecurityException: Shell does not have permission to access user 10

was getting this message when running the script:

sed: -e expression #1, char 25: invalid reference \1 on s' command's RHS

so i changed this line and then it worked for me

USER_ID=$(echo "$WORK_LINE" | sed -n 's/UserInfo{$[0-9]\+$:.*/\1/p')

⏳ Watching for Work profile creation... ✅ Work profile detected with user ID: 10 🚀 Injecting 7 apps into the work profile... 📦 Installing: com.google.android.gms ✅ com.google.android.gms installed successfully 📦 Installing: com.android.vending ✅ com.android.vending installed successfully 📦 Installing: com.microsoft.office.outlook ✅ com.microsoft.office.outlook installed successfully 📦 Installing: com.microsoft.teams ✅ com.microsoft.teams installed successfully 📦 Installing: com.onepassword.android ✅ com.onepassword.android installed successfully 📦 Installing: com.azure.authenticator ⚠️ Failed to install com.azure.authenticator (may not exist in owner profile) 📦 Installing: com.duosecurity.duomobile ⚠️ Failed to install com.duosecurity.duomobile (may not exist in owner profile) 🎉 Injection complete. You can now return to your phone and continue provisioning.

The window is very short when using Company Portal to create the work profile. I am going to tweak the Interval to see if I can get another apk or two on my next try.

The google play store tried to update the apks that I missed, but they were "Blocked by work policy" One other thing I noticed is the google play store was removed from my work profile overnight. I reinstalled the sandboxed google apks from the work profile Graphene App Store, and my auto generated work google account was gone. I think Intune must have wiped it out. Outlook and Teams are working for now! :)

Is there anything we can do to temporarily hold up the process that locks it down?

Gonna delete the profile and try it again here later on

Bryinn

Hello!
I have a pretty fresh install on a Pixel 9.
The latest method was the most promising, and I did manage to pre-install some applications using the script given in the sections above by oogieboogie . However, the method itself given by tetto did not work in my case.
After the reboot and when signing into the company portal again, the step of creating the work profile was not checked, and it wanted me to do it again.
Thus I am blocked from the applications that were successfully downloaded because the device was never successfully onboarded.
Is there a known fix for this?

oogieboogie

wild I think latest –– build number is 2025062700

wild

rawDawg
If it's a matter of timing, the script can definitely be optimized to get all your 7 apps in there.

Shorten the interval
Assume the user id will be the same as last time and hard code it
Hard code the entire adb shell command instead of substituting the package names
Remove the echo lines or save the output and print it out later

There's definitely more optimization you can do but this much should hopefully get 2 more in there..

Unfortunately I've got a lot more work apps.. Like 30 of them including office apps and stuff.. So I'm hesitant to remove my current setup and try this method

oogieboogie

rawDawg if still a problem, might check if any of the permissions in Intune can be disabled (like Modify system settings) or the work profile version of play store permissions can be disabled (like Install unknown apps). unsure –– haven't had the same problem for the Android Device Policy / GSuite apps.

boris

rawDawg after some tedious (ai-assisted) powershell scripting I managed to successfully inject 9 out of 11 apps I was trying to get in the work profile, and I believe I'll be able to push the limits even further, right now I'll be doing some further testing, I'll share the PS code used latter.

« Previous Page Next Page »