Anyone managed to get this working?

9 days later

aerosola This is GENIUS! It worked for me even though it wasn't exactly according to the prescription. I got to the point of letting Company Portal initialize, but it never did; just sat there with a spinning wheel. But when in doubt, try something! So I installed Outlook in the work profile and when I connected to my account through Outlook, everything started working. So either Company Portal initialized but didn't know it, or Outlook kicked it in the butt.

22 days later

Is there any way for the developers to have Apps and Google Play Store including all prerequisites installed when work profile is created by Intune? I believe this will resolve the issue.

  • de0u replied to this.
    24 days later

    Any update on this? Were you able to get an MDM successfully working with GrapheneOS?

    haval Is there any way for the developers to have Apps and Google Play Store including all prerequisites installed when work profile is created by Intune?

    It is possible to imagine a checkbox for "Auto-install Google Play suite in work profile", backed by either a special package-manager invocation or a special launch of Apps.

    It's not clear how easy it would be or how much demand there would be for it, so it might be more likely to happen via a pull request from a volunteer contributor.

    There is already an issue for this: 1821. Please do not add a comment to the issue along the lines of "I want this too!", because that does not "move the issue forward" -- it just sends annoying mail to the developers, which will result in the issue being locked. It is OK to subscribe to the issue and thumbs-up it -- also OK to submit high-quality code.

    Please note that I do not speak for the GrapheneOS project.

    a month later

    aerosola This worked for me.

    Here's what I did to get work profile working with Company Portal:

    Steps:

    • Install the latest Shelter release; just use the raw APK from this link:
      https://f-droid.org/packages/net.typeblog.shelter/
    • Set up Shelter
    • In the work profile, go to Apps -> Google Play Services and install it.
    • Open Play Store (in the work profile) and install Company Portal
    • Open Company Portal and log in. Important Note: It might fail to initialize a work profile or just get stuck but it shouldn't matter.
    • Open Play Store (in the work profile), install your MS Apps, like Teams, Outlook, etc.
    • Log in to your apps and they probably should work.

    I think Company Portal just needs a work profile for it to be happy.

      9 days later

      niteshbalusu

      Unfortunately, this solution is not suitable for me as the Company Portal necessitates the creation and activation of a work profile, which is not compatible with Shelter. The absence of Google Services in the Work Profile by default hinders the Company Portal from performing the necessary actions to establish and activate the work profile. This has been my experience, at least.

      3 months later

      All, been a while since I visited this.

      So the fact that LineageOS and a GAPPS package allows me to create and run my work profile successfully on my Pixel 6 got me hunting around. After some time, I saw this pull request, which I believe will solve the issue for 'me'. I know / am assuming Intune expects Play services to 'already be present / installed', which I'm told / from what I can read, this code / pull request resolves:

      https://github.com/GrapheneOS/platform_frameworks_base/pull/4

      I saw the attempt to merge, but it currently has conflicts. Just keeping it here for reference, as it may help others who have the same issue add weight to this pull.

      The owner of the pull advised they need more time to tweak this, read documentation, etc., so not sure how far away this is from becoming part of the OS. Either way, it's nearly there :)

      Thanks!

      a month later

      The PR is currently in good standing and the dev is asking for merge or pointers on how to do it properly in case the approach is not the best.

      I think it is time we all politely ask the GoS team to review this PR so we can finally use the work profile as work profile.

      • de0u replied to this.

        Audacity0780 I think it is time we all politely ask the GoS team to review this PR so we can finally use the work profile as work profile.

        Since there was a burst of commits 19 hours ago and the request for developer guidance was 15 hours ago, personally I think it's a little early for a lobbying campaign.

        I think it would make more sense to wait at least a few days just in case the GrapheneOS developer is working on something more pressing.

          Audacity0780 I have not been following closely, and am definitely not competent to review this code. But in terms of when something is ready to ship, more time passing doesn't make something more ready. If the code is done today (which it's not clear to me that it is), then the "Can it ship?" clock would start today, not back in July.

          Meanwhile, the GrapheneOS developers may feel it's more important to work on things that a large fraction of users might benefit from (e.g., a privacy-respecting network-based location service) than on something that a smaller fraction of users would benefit from, even if that smaller user base would benefit substantially.

          One thing that might help would be if the developer of the work-profile Play enhancement published work-in-progress system images that interested parties could install and test. Code structure and code quality are something that the GrapheneOS developers are very concerned about, but I suspect it would also be important for them to believe the code has been thoroughly tested. I am not an expert on this at all, but my sense is that there are at least a couple of different work-profile management apps, and also that companies force a variety of feature selections. So back-and-forth between the developer of this enhancement and users who are trying it might well be productive. By contrast, I am skeptical that the GrapheneOS developers will quickly find time to do thorough testing on their own.

          2 months later

          aerosola

          Pixel 6, Android 15, GrapheneOS Build 2025020200

          Big thanks for the instructions. After trying this method a couple of times with no success, I finally got everything to work by giving Company Portal Device admin in my work profile by going to Settings > Security & privacy > More security & privacy > Device admin apps and then toggling the work profile Company Portal to on.

          (Props to dreamland in this thread for pointing me in the right direction https://discuss.grapheneos.org/d/19131-outlook-intune-company-portal)

          So my order of operations was:

          • Install Shelter and set up a work profile
          • Install Google Play services in work profile using the Graphene App store
          • Migrate Aurora from Personal to Work profile
          • Install MS Company Portal to work profile from Aurora
          • Give Company profile Device Admin privileges AND turn on exploit protection compatibility mode (App info > Exploit Protection)
          • Log in to Company Portal using your work credentials (I didn't have to follow the Company Access setup after)
          • Install Outlook, Teams, etc. from Aurora and log into your MS apps.

          Playing around with it afterwards, it seems like I can then turn off the admin privileges and exploit protection compatibility mode or even disable the Company Portal with no impact on the other MS apps. I expect I might need to toggle these back on if something syncs or updates.

            rosh
            Why are you using Shelter?
            The company portal should install a work profile.
            This is also installed for me, but the setup is not completed.
            When I go to the app settings, I can see the private and business areas.
            I don't see this in the launcher itself.
            A work profile is displayed in the settings under Accounts. However, it says Work profile is not yet available.
            Using Shelter itself is generally not recommended.

            2 months later

            rosh
            Are you doing all of this in the owner's profile? I am trying to set this up in a secondary profile but I am failing miserably.

              ray It is not going to work in a secondary profile unfortunately.

              I'm making progress! My job requires Company Portal to be installed, work profile created, and the device registered with Intune. Most of the advice above and elsewhere online does not require the work profile or enrollment in Intune, which was my failure point.

              I've successfully done the above, but cannot yet install apps in the work profile. More on that below.

              Do this all from the owner profile. Do not use Shelter. Do not manually create a work profile. Do not create a separate Graphene user.

              • Install Company Portal (Play Store, Aurora, etc.)
              • Before launching it, enable exploit protection and set it as a device admin app
              • Now launch Company Portal and sign in
              • It'll prompt to set up the work profile. Accept, it'll work for a minute, then prompt you to press next, after which it will fail/sit there indefinitely.
                • At this point, Company Portal disappears from the owner's apps list, but was still listed as installed in the Play Store; it has been moved to the partially-created work profile.
              • Go to Settings > Apps > All Apps > 'Work Profile' tab
              • Select 'App Store' (Graphene) and the launch icon in the top right to launch it under the work profile
              • 'Google Play Services' Install (includes GmsCompatConfig, and Google Play Store dependencies)
              • Reboot
              • Go to Settings > Apps > All Apps > Work Profile tab, tap 'Company Portal', enable exploit mode, then the launch icon in the top right to launch it under the work profile
              • Sign into Company Portal again.

              It took a few attempts and a reboot, but I was able to sign in and my company IT confirmed my device was now showing in Intune.

              So Company Portal is installed, work profile created, and device registered in Intune. However, whenever I try to install apps (via Play Store) within the work profile, it immediately fails with 'Blocked by Work Policy'. I'm currently troubleshooting as I have time - updates to follow.

                tetto it immediately fails with 'Blocked by Work Policy'

                Have you checked with your IT / security team if the phone was properly registered and is compliant/pulled the correct policies?