These are instructions I wrote for internal use at the company I work for. Note that there still could be issues, depending on the policies of your organisation.

These are only instructions, please consider the cost of security and privacy by doing this. Also be aware that the company will not be able to manage the device (for some people a benefit) as the company portal will never be able to fully initialize.

For GrapheneOS (likely also works with other AOSP based ROMs like LineageOS);
You are required to meet the following criteria;

  • You are required to set this up in your main profile. Work profiles are not supported in sub profiles.
  • You are required to use Google Play Services, Google Play Store, Google Services Framework and Company Portal
  • MicroG also works for the LineageOS/other AOSP ROM users, but this is a GrapheneOS guide - so yeah.

Steps;

  • Install the latest shelter release
  • Use shelter to setup your work profile
  • Migrate the following apps from your OS to work profile;
    • GrapheneOS Apps
    • Company Portal
    • Aurora Store
  • Once migrated, install the following from the GrapheneOS Apps;
    • Google Play Services
    • Google Services Framework
    • Google Play Store
      • Is is somehow required for Play Services to initialize correctly - you will get errors in Microsoft apps if you don’t do this.
  • Configure your Google Play Services
    • You may login using your company account
  • Open Company Portal in your work profile, let it initialize and login with your company account - but do NOT proceed with the apps instructions. Instead skip them all.
  • Now install the apps you want in your work profile using Aurora store, like;
    • Teams
    • Outlook
    • Sharepoint
    • 1Password
    • WireGuard
    • Microsoft Authenticator
      • Make sure this is backed up properly.

Important note; the company portal well never be fully initialized - it may seem broken visually. However, the full initialization is not required for you to login in e.g. Teams by installing via Aurora store. So even though it seems company portal is broken, you can still use the apps you need.

    aerosola

    If this works you are a legend! the problem many have is the fact company portal wants to create the work profile in order to proceed but I will certainly give your steps a try!

      aerosola

      Tried your walkthrough, got to the end of it but still when launching an app through work profile on shelter it complains is not on the work profile because company portal didn't create it...

      When you try to create the work profile through the company portal it expects to add play store and google services and because of its absence it fails...

      So yeah no easy way out, pwa, 2nd phone or you byte the bullet and eat stock android.

          burningfeelings
          I probably go for the option with a second old stock android phone without SIM (shared WiFi) from GOS phone and only used when needed to participate in meetings or check email when I have limited access to computer.

              7 days later

              I managed to make Outlook+Teams working with the mandatory InTunes app and more or less the same setup as explained using Shelter and work profile but on LineageOS with gApp.
              How high are the chances that it will work if I migrate to GrapheneOS and replicate the same?
              Company might pay for the phone so I must be sure it Outlook and Teams works otherwise I willbe forced to use the Pixel with stock or with LineageOS (would be a bummer).

                TrustExecutor frankly, I am surprised by the number of users in this thread whose employers expect them to use their personal phones for corporate email.

                In my opinion (and experience), it is the employer's responsibility to provide end users with corporate devices. There should be a clearer separation between home and office.

                    mythodical
                    I get a corporate phone if I want to, but it is neat to have two SIMs in the same phone not to carry around two phones. Before I could separate everything with a separate user profile but now the company set up new policy to make usage of a work profile app mandatory. I think this is the most common explanation for why people want to use their private phone for work, not that the company demand it.

                      I really did want my work apps not on a separate phone but I gave up on this and just asked for a company phone.

                        memberberryfarms That's the only way since GrapheneOS devs are not keen to enter into the enterprise app support which is a kind of a contradiction since GrapheneOS per it's nature should aim enterprise users... or at the very least is my opinion on the subject.

                        Having personal and work profiles would be ideal but unfortunately not possible (for the majority) as things stand.

                            burningfeelings GrapheneOS devs are not keen to enter into the enterprise app support

                            GrapheneOS developers have never said this, please do not make assumptions. There are zero plans to intentionally remove or block enterprise usage. GrapheneOS is permissively licenced to specifically allow our patches and contributions to be upstreamed, enterprise/corporate usage, etc.

                            There are various issues on the issue tracker offering support for MDM usage, including Intune, and I even created a patch to support installing sandboxed Google Play in an MDM-provided work profile, such as VMware Intelligent Hub (Airwatch) using Apps (provided global app installation is not disabled), in situations where you can't add your own apps to the work profile: https://github.com/GrapheneOS/platform_frameworks_base/commit/3613c0860815c998d924f09fe5f8bdb1e1a6177f

                            GrapheneOS has not intentionally stripped out any kind of support for MDM, Intune, work profiles, etc. Most of these things simply rely on privileged Google Play being integrated into the OS which GrapheneOS has removed for obvious reasons.

                                randomchar42 As @burningfeelings said - no way around that. It's the same restriction that is enforced for the Google Pay app. Depending on your influence in the company, you may try to change the policy - but that really depends on what kind of company you work at...

                                  burningfeelings Not sure I follow your response. You shouldn't create the work profile via the company portal. You create the work profile using Shelter, you copy the company portal app from your main profile to your work profile (you can also install it using aurora directly into your work profile). You install apps like Google Play + services + framework - as they are always requried using GrapheneOS apps. Only then, you start the company portal app from your work profile.

                                      Schoggi Can't say for sure until you use it. It does seem the company does not enforce certain OS'es (Play Integrity API) - as you already succeeded with LineageOS - so that's a good sign.

                                        aerosola That's what I did but even so with the portal not fully initialized the apps that are normally available will not proceed, behave like you are on your main profile.

                                          r3g_5z I read on one of the dev's replies (unfortunately did a quick search and couldn't find it - if I came across of that reply again will post it here) that supporting enterprise software was not a priority hence why what I wrote.

                                            r3g_5z GrapheneOS developers have never said this, please do not make assumptions.

                                            Here Daniel mention:

                                            This isn't planned since we don't see the work profile feature as having much of a place in GrapheneOS over the long term. It's not meant for how people are using it. We're focused on user profiles.

                                            In other words we are not very keen to put time and effort on work profiles / enterprise software that are for remote management since our focus is on user profiles. In my view GrapheneOS is all about enterprise user since it's my perception the majority using it are nerds... not the common user.