graphenegrotto If I built this myself using the build guide, would / should the verifiedBootKey still match one of the official GrapheneOS verified boot keys, for the self-signed case?

To quote the GrapheneOS build guide:

The signing process for release builds is done after completing builds and replaces the dm-verity trees, apk signatures, etc. and can only be reproduced with access to the same private keys

The guide suggests that if you don't generate your own signing keys then the build process will use the public Android test key (I haven't looked). Perhaps your security admin could temporarily enable the public test key as a root for verified boot? Or you could generate your own, which would need to be trusted by your admin.

Please note that I am super not an expert! You may be better off on the Matrix channel. I'd suggest you begin with the goal, something like, "I am trying to convince my employer's security admin to configure MS InTune to trust official GrapheneOS builds, but I'm not confident I know the exact steps to request...".

Also note that if you do sign your own build then you must disable the automatic update client, because the official OTA images it fetches won't match your signing key, so you will uselessly load the update server.

Good luck, and keep us posted!

a month later

So I spoke to my lead who looks after MDM / device enrolment. In short, this won't be supported; we are a very large organisation, and I'm just one person trying to get my work apps going / playing nicely with Intune and GrapheneOS :)

The response was, that this lies with the OS creators / maintainers to make this work with GMS.
The aim of Graphene is security, the aim of MDM is external control, and both are exclusive.

Our MDM solution is Microsoft's Intune. Documentation / guidance on 'BYOD personally owned devices with a work profile' is below (it needs GMS):

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#byod-android-enterprise-personally-owned-devices-with-a-work-profile

Guidance is not to use AOSP in this scenario:

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#android-open-source-project

This is the same case as with MobileIron being discussed here:

https://discuss.grapheneos.org/d/4346-grapheneos-and-mobileiron/5

I gave it a shot, so if the devs read this, I hope there is a way of getting this to work with GrapheneOS's Play services at some point in the future. It really would be the most complete OS and experience for me to get this working together, but if it's genuinely exclusive and neither will budge, then it's back to me as to what I choose :)

Thanks again


    graphenegrotto Thanks for reporting back, and thanks for the links! Too bad it didn't work out.

    4 months later

    aerosola THANK YOU for these instructions! This worked for me in my GrapheneOS Pixel 6 with my organization's O365!

    aerosola

    Worked great on latest GrapheneOS and MS Apps as of 9/14/2033.

    I will miss the calendar widget but will look to find a DavX workaround.

    2 months later

    Hi all
    I finally managed to switch to GrapheneOS on a Pixel 6a - all works fine. Except now for corporate purposes I need to install MS Intune.
    I was able to download, install and run it; however, after initiating work profile creation, Intune just does not respond.
    When exiting, the app actually disappears from the home screen and I need to open it via the app list. I can see a work profile loaded, but it does not appear to really be activated, so I remove it again and retried the process.
    On the admin portal of Intune, the device does not appear, so it seems that the installation/activation of the work profile did not complete.
    I have tried all the advice given on this forum:

    1. Shelter
    2. Download via Playstore or Aurora
    3. Download APK Intune for Android directly as suggested by Microsoft
    4. Checked that compliance requirements are all set (anyway I don't actually get to the step where Intune checks for non-compliance)
    5. Tried all the little adjustments to the system, like spawning disabled, native code debugging etc.

    Does anyone have another thought on this? I really want to avoid having to kill my GrapheneOS experiment (note: I don't want an additional/new device, I want to make GrapheneOS work with Intune as intended if possible). It seems that others have made Intune work on their GrapheneOS, but I am not sure how.

    Thank you sooo much for any help

      4 months later
      a month later

      Anyone managed to get this working?

      9 days later

      aerosola This is GENIUS! It worked for me even though it wasn't exactly according to the prescription. I got to the point of letting Company Portal initialize, but it never did; just sat there with a spinning wheel. But when in doubt, try something! So I installed Outlook in the work profile and when I connected to my account through Outlook, everything started working. So either Company Portal initialized but didn't know it, or Outlook kicked it in the butt.

      22 days later

      Is there any way for the developers to have Apps and Google Play Store, including all prerequisites, installed when the work profile is created by Intune? I believe this will resolve the issue.

        24 days later

        Any update on this? Were you able to get an MDM successfully working with GrapheneOS?

        haval Is there any way for the developers to have Apps and Google Play Store, including all prerequisites, installed when the work profile is created by Intune?

        It is possible to imagine a checkbox for "Auto-install Google Play suite in work profile", backed by either a special package-manager invocation or a special launch of Apps.

        It's not clear how easy it would be or how much demand there would be for it, so it might be more likely to happen via a pull request from a volunteer contributor.

        There is already an issue for this: 1821. Please do not add a comment to the issue along the lines of "I want this too!", because that does not "move the issue forward" -- it just sends annoying mail to the developers, which will result in the issue being locked. It is OK to subscribe to the issue and thumbs-up it -- also OK to submit high-quality code.

        Please note that I do not speak for the GrapheneOS project.

        a month later

        aerosola This worked for me.

        Here's what I did to get the work profile working with Company Portal:

        Steps:

        • Install the latest Shelter release; just use the raw APK from this link
          https://f-droid.org/packages/net.typeblog.shelter/
        • Set up Shelter
        • In the work profile, go to Apps -> Google Play Services and install it.
        • Open Play Store (in the work profile) and install Company Portal
        • Open Company Portal and log in. Important note: it might fail to initialize a work profile or just get stuck, but it shouldn't matter.
        • Open Play Store (in the work profile) and install your MS apps, like Teams, Outlook etc.
        • Log in to your apps and they probably should work.

        I think Company Portal just needs a work profile for it to be happy.

          9 days later

          niteshbalusu

          Unfortunately, this solution is not suitable for me as the Company Portal necessitates the creation and activation of a work profile, which is not compatible with Shelter. The absence of Google Services in the Work Profile by default hinders the Company Portal from performing the necessary actions to establish and activate the work profile. This has been my experience, at least.

          3 months later

          All, it's been a while since I visited this.

          So the fact that LineageOS and a GApps package allow me to create and run my work profile successfully on my Pixel 6 got me hunting around. After some time, I saw this pull request, which I believe will solve the issue for 'me'. I know / am assuming Intune expects Play services to 'already be present / installed', which, I'm told / from what I can read, this code / pull request resolves:

          https://github.com/GrapheneOS/platform_frameworks_base/pull/4

          I saw the attempt to merge, but it currently has conflicts. Just keeping it here for reference as it may help others with the same issue add weight to this pull.

          The owner of the pull advised they need more time to tweak this, read documentation etc., so I'm not sure how far away this will end up becoming part of the OS. Either way, it's nearly there :)

          Thanks!

          a month later

          The PR is currently in good standing and the dev is asking for merge or pointers on how to do it properly in case the approach is not the best.

          I think it is time we all politely ask the GoS team to review this PR so we can finally use the work profile as work profile.


            Audacity0780 I think it is time we all politely ask the GoS team to review this PR so we can finally use the work profile as work profile.

            Since there was a burst of commits 19 hours ago and the request for developer guidance was 15 hours ago, personally I think it's a little early for a lobbying campaign.

            I think it would make more sense to wait at least a few days just in case the GrapheneOS developer is working on something more pressing.

              Audacity0780 I have not been following closely, and am definitely not competent to review this code. But in terms of when something is ready to ship, more time passing doesn't make something more ready. If the code is done today (which it's not clear to me that it is), then the "Can it ship?" clock would start today, not back in July.

              Meanwhile, the GrapheneOS developers may feel it's more important to work on things that a large fraction of users might benefit from (e.g., a privacy-respecting network-based location service) than on something that a smaller fraction of users would benefit from, even if that smaller user base would benefit substantially.

              One thing that might help would be if the developer of the work-profile Play enhancement published work-in-progress system images that interested parties could install and test. Code structure and code quality are something that the GrapheneOS developers are very concerned about, but I suspect it would also be important for them to believe the code has been thoroughly tested. I am not an expert on this at all, but my sense is that there are at least a couple of different work-profile management apps, and also that companies force a variety of feature selections. So back-and-forth between the developer of this enhancement and users who are trying it might well be productive. By contrast, I am skeptical that the GrapheneOS developers will quickly find time to do thorough testing on their own.