I really did want my work apps not on a separate phone but I gave up on this and just asked for a company phone.

    memberberryfarms That's the only way since GrapheneOS devs are not keen to enter into the enterprise app support, which is a kind of contradiction since GrapheneOS by its nature should aim at enterprise users... or at the very least that is my opinion on the subject.

    Having personal and work profiles would be ideal but unfortunately not possible (for the majority) as things stand.

      burningfeelings GrapheneOS devs are not keen to enter into the enterprise app support

      GrapheneOS developers have never said this, please do not make assumptions. There are zero plans to intentionally remove or block enterprise usage. GrapheneOS is permissively licenced to specifically allow our patches and contributions to be upstreamed, enterprise/corporate usage, etc.

      There are various issues on the issue tracker offering support for MDM usage, including Intune, and I even created a patch to support installing sandboxed Google Play in an MDM-provided work profile, such as VMware Intelligent Hub (Airwatch) using Apps (provided global app installation is not disabled), in situations where you can't add your own apps to the work profile: https://github.com/GrapheneOS/platform_frameworks_base/commit/3613c0860815c998d924f09fe5f8bdb1e1a6177f

      GrapheneOS has not intentionally stripped out any kind of support for MDM, Intune, work profiles, etc. Most of these things simply rely on privileged Google Play being integrated into the OS which GrapheneOS has removed for obvious reasons.

        randomchar42 As @burningfeelings said - no way around that. It's the same restriction that is enforced for the Google Pay app. Depending on your influence in the company, you may try to change the policy - but that really depends on what kind of company you work at...

        burningfeelings Not sure I follow your response. You shouldn't create the work profile via the company portal. You create the work profile using Shelter, you copy the company portal app from your main profile to your work profile (you can also install it using Aurora directly into your work profile). You install apps like Google Play + services + framework - as they are always required - using GrapheneOS apps. Only then, you start the company portal app from your work profile.

          Schoggi Can't say for sure until you use it. It does seem the company does not enforce certain OSes (Play Integrity API) - as you already succeeded with LineageOS - so that's a good sign.

          aerosola That's what I did, but even so, with the portal not fully initialized the apps that are normally available will not proceed; they behave like you are on your main profile.

          r3g_5z I read in one of the dev's replies (unfortunately I did a quick search and couldn't find it - if I come across that reply again I will post it here) that supporting enterprise software was not a priority, hence what I wrote.

          r3g_5z GrapheneOS developers have never said this, please do not make assumptions.

          Here Daniel mentions:

          This isn't planned since we don't see the work profile feature as having much of a place in GrapheneOS over the long term. It's not meant for how people are using it. We're focused on user profiles.

          In other words, we are not very keen to put time and effort into work profiles / enterprise software that are for remote management, since our focus is on user profiles. In my view GrapheneOS is all about enterprise users, since it's my perception that the majority using it are nerds... not the common user.

            burningfeelings From your quote:

            It's not meant for how people are using it.

            What that means is that people will often use the work profile with apps like Insular or Shelter to try and isolate their apps to a different profile. For that use case, user profiles are indeed the way to go.

            The way you are supposed to use work profiles is for enterprise etc. I don't believe that GrapheneOS intends to neglect the proper usage of work profiles.

              matchboxbananasynergy I don't believe that GrapheneOS intends to neglect the proper usage of work profiles.

              Hope you are right. It's the only thing I'm missing for a full switch.

              3 months later

              Hi guys

              Just checking if this has moved on at all.

              I'm in the same boat. My employer expects a certified OS via play integrity when trying to create the work profile via the intune app (I'm assuming this based on the detail above as I get the same experience, I just can't seem to get past the creation of a work profile from my main profile.)

              Is it looking for a privileged set of Google apps to allow it to meet these specifications? Or does it look / check for other parameters?

              It's the only thing missing for me to make a full switch. Absolutely loved the OS, but I do really need my work apps to work.

              Don't want a 2nd device. It's mainly really for Teams and Outlook.

              Thanks! ☺️


                graphenegrotto If your employer requires an OS certified by Google and Google hasn't certified GrapheneOS then that is an impasse, and not one that is likely to "move".

                Your employer could choose to add GrapheneOS to their list of certified OS signers.

                But fundamentally if they require a phone running the stock Google or Samsung OS you will likely need a phone running the stock Google or Samsung OS.


                  Thanks. I actually may have found who can look at this to add graphene as a certified OS. I'll give it a whirl and let you know how I get on. Thanks.


                    graphenegrotto You might want to collect some favorable press mentions of GrapheneOS to share with your security decision-maker. Also, the fact that there is now a foundation might help.

                    Good luck (from all of us, I suspect) and let us know how it goes! Each win in this space will make others easier.

                      I guess I am lucky in this regard, in that the mere presence of the Intune app is sufficient for me to be able to use the Outlook app with my corporate email. It does require Intune to be installed, but not logged in. It did a check upon first login to Outlook and the device passed all the checks. Intune and Outlook are now resting in a secondary user profile.

                      de0u just a further query

                      If I did build this myself using the build guide. Would / Should the verifiedBootKey still match one of the official GrapheneOS verified boot keys, for the selfsigned case?


                        graphenegrotto If I did build this myself using the build guide. Would / Should the verifiedBootKey still match one of the official GrapheneOS verified boot keys, for the selfsigned case?

                        To quote the GrapheneOS build guide:

                        The signing process for release builds is done after completing builds and replaces the dm-verity trees, apk signatures, etc. and can only be reproduced with access to the same private keys

                        The guide suggests that if you don't generate your own signing keys then the build process will use the public Android test key (I haven't looked). Perhaps your security admin could temporarily enable the public test key as a root for verified boot? Or you could generate your own, which would need to be trusted by your admin.

                        Please note that I am super not an expert! You may be better off on the Matrix channel. I'd suggest you begin with the goal, something like, "I am trying to convince my employer's security admin to configure MS Intune to trust official GrapheneOS builds, but I'm not confident I know the exact steps to request...".

                        Also note that if you do sign your own build then you must disable the automatic update client, because the official OTA images it fetches won't match your signing key, so you will uselessly load the update server.

                        Good luck, and keep us posted!

                        a month later

                        So I spoke to my lead who looks after MDM / device enrolment. In short, this won't be supported; we are a very large organisation, and I'm just one person trying to get my work apps going / playing nicely with Intune and GrapheneOS :)

                        The response was, that this lies with the OS creators / maintainers to make this work with GMS.
                        The aim of Graphene is security, the aim of MDM is external control, and both are exclusive.

                        Our MDM solution is Microsoft's Intune. Documentation / guidance on 'BYOD personally owned devices with a work profile' is below (it needs GMS):

                        https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#byod-android-enterprise-personally-owned-devices-with-a-work-profile

                        Guidance is not to use AOSP in this scenario:

                        https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#android-open-source-project

                        This is the same case as with MobileIron being discussed here:

                        https://discuss.grapheneos.org/d/4346-grapheneos-and-mobileiron/5

                        I gave it a shot, so if the devs read this, I hope there is a way of getting this to work with GrapheneOS's Play services at some point in the future. It really would be the most complete OS and experience for me to get this working together, but if it's genuinely exclusive and neither will budge, then it's back to me as to what I choose :)

                        Thanks again
