Hello guys, I work with a company that requires a work profile to access corporate data. As far as I understood, this cannot work on GrapheneOS, because when you configure the Company Portal it will guide you to create a work profile signed with a cert obtained by you logging in with your work credentials. Company Portal doesn't have the permission to create a new user/profile.
Even if you manually create a new profile and then configure the Company Portal, the installation will fail.

Does anyone have an idea how to fix/bypass this issue?


    Same issue: Intune Company Portal needs to create the work profile but is unable to do so completely. By that I mean you can see the work profile settings / "remove work profile" under Accounts, but Intune cannot conclude the process successfully.

    Like you, I think this is due to GrapheneOS's nature, since Intune is in fact a glorified keylogger that requires admin perms. Yet I also felt the need to install it in order to avoid using 2 phones or resorting to workarounds like Sync2 (which uses Google services....), the usual debacle between convenience and privacy...

    So I'm still deciding what to do...

    Hi,
    I have the same issue as well. I've tried, as an experiment, to add the Company Portal as a "Device admin app", but to no avail.
    It still cannot create a work profile.

    I hear you! The only options you have are workarounds:

    1. use the PWA for Outlook (it will alert you for email, but events are still not implemented) and Teams
    2. to complement the events, you can sync your calendar / tasks / contacts from your desktop to your phone using something like Sync2 or Android-Sync; if your company allows it, you can even do this:

    Info - Outlook 2 Google Calendar

    The inconvenience I found was that you get logged out after x time from the PWA (expected, of course), yet the alerts for the email still continue, but you need to log on to check on them, which becomes a hassle pretty quickly.

    In conclusion, it is the same old convenience vs privacy, and even security, because you are introducing new apps into the mix... I abolish any type of tracking on the apps I use, even if I cannot avoid it 100% (bank apps are glorified trackers, for example). So I think I will settle with:

    GrapheneOS (these guys are legends)
    PWA for Outlook and Teams
    Sharing my calendar with my Google Account and importing it into my Proton calendar (yeah, it sucks, but that's how it goes).

      These are instructions I wrote for internal use at the company I work for. Note that there still could be issues, depending on the policies of your organisation.

      These are only instructions; please consider the cost in security and privacy of doing this. Also be aware that the company will not be able to manage the device (for some people a benefit), as the Company Portal will never be able to fully initialize.


      For GrapheneOS (likely also works with other AOSP-based ROMs like LineageOS);
      You are required to meet the following criteria;

      • You are required to set this up in your main profile. Work profiles are not supported in sub profiles.
      • You are required to use Google Play Services, Google Play Store, Google Services Framework and Company Portal
      • MicroG also works for the LineageOS/other AOSP ROM users, but this is a GrapheneOS guide - so yeah.

      Steps;

      • Install the latest shelter release
      • Use shelter to setup your work profile
      • Migrate the following apps from your OS to work profile;
        • GrapheneOS Apps
        • Company Portal
        • Aurora Store
      • Once migrated, install the following from the GrapheneOS Apps;
        • Google Play Services
        • Google Services Framework
        • Google Play Store
          • It is somehow required for Play Services to initialize correctly - you will get errors in Microsoft apps if you don’t do this.
      • Configure your Google Play Services
        • You may login using your company account
      • Open Company Portal in your work profile, let it initialize and log in with your company account - but do NOT proceed with the app's instructions. Instead, skip them all.
      • Now install the apps you want in your work profile using Aurora store, like;
        • Teams
        • Outlook
        • Sharepoint
        • 1Password
        • WireGuard
        • Microsoft Authenticator
          • Make sure this is backed up properly.

      Important note; the Company Portal will never be fully initialized - it may seem broken visually. However, full initialization is not required for you to log in to e.g. Teams installed via the Aurora Store. So even though the Company Portal seems broken, you can still use the apps you need.

        aerosola

        If this works you are a legend! The problem many have is the fact that the Company Portal wants to create the work profile in order to proceed, but I will certainly give your steps a try!

        aerosola

        Tried your walkthrough, got to the end of it, but still, when launching an app through the work profile in Shelter, it complains that it is not in the work profile because the Company Portal didn't create it...

        When you try to create the work profile through the Company Portal, it expects to add the Play Store and Google services, and because of their absence it fails...

        So yeah, no easy way out: PWA, 2nd phone, or you bite the bullet and eat stock Android.

          burningfeelings
          I'll probably go for the option of a second old stock Android phone without a SIM (Wi-Fi shared from the GOS phone), used only when needed to participate in meetings or check email when I have limited access to a computer.


            I managed to make Outlook+Teams work with the mandatory Intune app and more or less the same setup as explained, using Shelter and a work profile, but on LineageOS with GApps.
            How high are the chances that it will work if I migrate to GrapheneOS and replicate the same?
            The company might pay for the phone, so I must be sure Outlook and Teams work; otherwise I will be forced to use the Pixel with stock or with LineageOS (would be a bummer).

              TrustExecutor frankly, I am surprised by the number of users in this thread whose employers expect them to use their personal phones for corporate email.

              In my opinion (and experience), it is the employer's responsibility to provide end users with corporate devices. There should be a clearer separation between home and office.

                mythodical
                I get a corporate phone if I want one, but it is neat to have two SIMs in the same phone so as not to carry around two phones. Before, I could separate everything with a separate user profile, but now the company has set up a new policy making usage of a work profile app mandatory. I think this is the most common explanation for why people want to use their private phone for work, not that the company demands it.

                I really did want my work apps not on a separate phone but I gave up on this and just asked for a company phone.

                  memberberryfarms That's the only way, since GrapheneOS devs are not keen to enter into enterprise app support, which is kind of a contradiction, since GrapheneOS by its nature should aim at enterprise users... or at the very least that is my opinion on the subject.

                  Having personal and work profiles would be ideal but unfortunately not possible (for the majority) as things stand.

                    burningfeelings GrapheneOS devs are not keen to enter into the enterprise app support

                    GrapheneOS developers have never said this, please do not make assumptions. There are zero plans to intentionally remove or block enterprise usage. GrapheneOS is permissively licenced to specifically allow our patches and contributions to be upstreamed, enterprise/corporate usage, etc.

                    There are various issues on the issue tracker offering support for MDM usage, including Intune, and I even created a patch to support installing sandboxed Google Play in an MDM-provided work profile, such as VMware Intelligent Hub (Airwatch) using Apps (provided global app installation is not disabled), in situations where you can't add your own apps to the work profile: https://github.com/GrapheneOS/platform_frameworks_base/commit/3613c0860815c998d924f09fe5f8bdb1e1a6177f

                    GrapheneOS has not intentionally stripped out any kind of support for MDM, Intune, work profiles, etc. Most of these things simply rely on privileged Google Play being integrated into the OS which GrapheneOS has removed for obvious reasons.

                      randomchar42 As @burningfeelings said - no way around that. It's the same restriction that is enforced for the Google Pay app. Depending on your influence in the company, you may try to change the policy - but that really depends on what kind of company you work at...

                      burningfeelings Not sure I follow your response. You shouldn't create the work profile via the Company Portal. You create the work profile using Shelter, you copy the Company Portal app from your main profile to your work profile (you can also install it using Aurora directly into your work profile). You install apps like Google Play + Services + Framework - as they are always required - using GrapheneOS Apps. Only then do you start the Company Portal app from your work profile.