All, been a while since I visited this.

So the fact that LineageOS and a GAPPS package allows me to create and run my work profile successfully on my Pixel 6 got me hunting around. After some time, I saw this pull request, which I believe will solve the issue for 'me'. I know / am assuming Intune expects Play services to 'already be present / installed', which I'm told / from what I can read, this code / pull request resolves:

https://github.com/GrapheneOS/platform_frameworks_base/pull/4

I saw the attempt to merge, but it currently has conflicts. Just keeping it here for reference, as it may help others who have the same issue add weight to this pull.

The owner of the pull advised they need more time to tweak this, read documentation etc., so not sure how far away this will end up becoming part of the OS. Either way, it's nearly there :)

Thanks!

a month later

The PR is currently in good standing and the dev is asking for merge or pointers on how to do it properly in case the approach is not the best.

I think it is time we all politely ask the GoS team to review this PR so we can finally use the work profile as work profile.

  • de0u replied to this.

    Audacity0780 I think it is time we all politely ask the GoS team to review this PR so we can finally use the work profile as work profile.

    Since there was a burst of commits 19 hours ago and the request for developer guidance was 15 hours ago, personally I think it's a little early for a lobbying campaign.

    I think it would make more sense to wait at least a few days just in case the GrapheneOS developer is working on something more pressing.

      Audacity0780 I have not been following closely, and am definitely not competent to review this code. But in terms of when something is ready to ship, more time passing doesn't make something more ready. If the code is done today (which it's not clear to me that it is), then the "Can it ship?" clock would start today, not back in July.

      Meanwhile, the GrapheneOS developers may feel it's more important to work on things that a large fraction of users might benefit from (e.g., a privacy-respecting network-based location service) than on something that a smaller fraction of users would benefit from, even if that smaller user base would benefit substantially.

      One thing that might help would be if the developer of the work-profile Play enhancement published work-in-progress system images that interested parties could install and test. Code structure and code quality are something that the GrapheneOS developers are very concerned about, but I suspect it would also be important for them to believe the code has been thoroughly tested. I am not an expert on this at all, but my sense is that there are at least a couple of different work-profile management apps, and also that companies force a variety of feature selections. So back-and-forth between the developer of this enhancement and users who are trying it might well be productive. By contrast, I am skeptical that the GrapheneOS developers will quickly find time to do thorough testing on their own.

      2 months later

      aerosola

      Pixel 6, Android 15, GrapheneOS Build 2025020200

      Big thanks for the instructions. After trying this method a couple of times with no success I finally got everything to work by giving Company Portal Device admin in my work profile by going to Settings>Security & privacy>More security & privacy > Device admin apps and then toggling the work profile Company Portal to on.

      (Props to dreamland in this thread for pointing me in the right direction https://discuss.grapheneos.org/d/19131-outlook-intune-company-portal)

      So my order of operations was:
      - Install Shelter and set up a work profile
      - Install Google Play services in work profile using the Graphene App store
      - Migrate Aurora from Personal to Work profile
      - Install MS Company Portal to work profile from Aurora
      - Give Company profile Device Admin privileges AND turn on exploit protection compatibility mode (App info>Exploit Protection)
      - Log in to Company Portal using your work credentials (I didn't have to follow the Company Access setup after)
      - Install Outlook, Teams, etc from Aurora and log into your MS apps.

      Playing around with it afterwards, it seems like I can then turn off the admin privileges and exploit protection compatibility mode or even disable the Company Portal with no impact on the other MS apps. I expect I might need to toggle these back on if something syncs or updates.

        rosh
        Why are you using Shelter?
        The company portal should install a work profile.
        This is also installed for me, but the setup is not completed.
        When I go to the app settings, I can see the private and business areas.
        I don't see this in the launcher itself.
        A work profile is displayed in the settings under Accounts. However, it says Work profile is not yet available.
        Using Shelter itself is generally not recommended.

        2 months later

        rosh
        Are you doing all of this in the owner's profile? I am trying to set this up in a secondary profile but I am failing miserably.

          I'm making progress! My job requires Company Portal to be installed, work profile created, and the device registered with Intune. Most of the advice above and elsewhere online does not require the work profile or enrollment in Intune, which was my failure point.

          I've successfully done the above, but cannot yet install apps in the work profile. More on that below.

          Do this all from the owner profile. Do not use Shelter. Do not manually create a work profile. Do not create a separate Graphene user.

          • Install Company Portal (Play Store, Aurora, etc)
          • Before launching it, enable exploit protection and set it as a device admin app
          • Now launch Company Portal and sign in
          • It'll prompt to set up the work profile. Accept, it'll work for a minute, then prompt you to press next, after which it will fail/sit there indefinitely.
            • At this point, Company Portal disappears from the owner's apps list, but was still listed as installed in the Play Store; it has been moved to the partially-created work profile.
          • Go to Settings > Apps > All Apps > 'Work Profile' tab
          • Select 'App Store' (Graphene) and the launch icon in the top right to launch it under the work profile
          • 'Google Play Services' Install (includes GmsCompatConfig, and Google Play Store dependencies)
          • Reboot
          • Go to Settings > Apps > All Apps > Work Profile tab, tap 'Company Portal', enable exploit mode, then the launch icon in the top right to launch it under the work profile
          • Sign into company portal again.

          It took a few attempts and a reboot, but I was able to sign in and my company IT confirmed my device was now showing in Intune.

          So Company portal is installed, work profile created, and device registered in Intune. However, whenever I try to install apps (via Play Store) within the work profile, it immediately fails with 'Blocked by Work Policy'. I'm currently troubleshooting as I have time - updates to follow.

            tetto it immediately fails with 'Blocked by Work Policy'

            Have you checked with your IT / security team if the phone was properly registered and is compliant/pulled the correct policies?

              0xsigsev Yes. Though one oddity to note is that the first time we successfully got it enrolled in Intune, the next day they said it didn't reflect having current policies despite nothing being changed. I unenrolled and undid everything (removed work profile, uninstalled Company Portal), then did it over again (now knowing what steps to take), and it has stuck this time.

              I attribute it to the first iteration having everything under the sun thrown at it until it worked. It wasn't cleanly done.

                tetto I managed to have Intune with these steps.

                When configuring the work profile via intune, after the profile is created you reach a step where you need to press next.

                At this step, use adb to install all the apps you need, for example Outlook and Teams. Don't forget any, because after you press next you will not be able to install any other app (remember to install keyboard with your language for example).

                After pressing next, you won't be able to update any app via the play store due to the work policy. I disabled the app to avoid having notifications of failed updates.

                Have been using this for a week, both Outlook and Teams work. The big downside of this is that the apps will become outdated fast but I think I read somewhere that if the owner profile updates the app, then the other profiles also update it? Is that true?

                Edit: forgot to mention that I did not disable any exploit protection or activate any option. I also had the apps installed in the owner profile, so while installing via adb, I was installing from an already present app.

                  imperfect Interesting! Keeping them up-to-date would become a PITA since you would have to remove Company Portal and the work profile each time you wanted to update a work profile app.

                  I had tried to load apps into the work profile using ADB, but that was after the work profile was fully created and MDM enrolled. I got 'access denied' for the work profile ID, which makes sense. And that was installing from a downloaded APK - I wasn't aware you can install from an existing app.

                  Mind sharing what commands you used?

                    imperfect At this step, use adb to install all the apps

                    And this defeats the ability to use gos as a managed device at least in my eyes/my environment. Once this is solved yeah it would be a nice alternative to the usual Samsung and iPhone crap.

                    tetto

                    This seems to be working!

                    The 'Blocked by Work Policy' error is coming up where GOS normally gives the option for network permissions. If there was a way to change that to always on, for a few minutes, I think we would be home free.

                    aerosola and rosh
                    Instructions did not work for me (outdated pixel 6a).

                    tetto
                    What could be the reason the work profile tab is not shown? But when checking with adb a work profile is there and also the apps are listed in the app list (pixel 6a).

                      tetto Mind sharing what commands you used?

                      I used the following commands when the system was waiting for the "next" prompt:

                      pm install-existing --user 18 app.grapheneos.gmscompat
                      pm install-existing --user 18 app.grapheneos.gmscompat.lib
                      pm install-existing --user 18 app.grapheneos.gmscompat.config
                      pm install-existing --user 18 com.google.android.gms
                      pm install-existing --user 18 com.android.vending
                      pm install-existing --user 18 com.microsoft.office.outlook
                      pm install-existing --user 18 com.microsoft.office.onenote
                      pm install-existing --user 18 com.microsoft.office.excel
                      pm install-existing --user 18 com.microsoft.teams
                      pm install-existing --user 18 app.vanadium.browser

                      Note that the user 18 was my specific user associated with the work profile. I don't recall the command I used to discover the user. I copied part of the instructions from another post and took a while to understand that the user would be different.

                      All of the apps were installed in my main profile, this was to avoid having to send an APK from another source.

                      In the meantime, I confirmed that the apps are updated in the work profile when the app in the main profile is updated. So that solves that security concern.

                      Note that I installed the play store but in the end I disabled it due to the errors of not being allowed due to the work policy. This was really annoying because Intune was trying to install more apps.

                      I did not have any issues with having Vanadium installed, don't know if this is due to being managed by the App Store or if I could install any app this way without the Intune policy complaining of unauthorised applications installed.

                      Success!

                      Shout out to @imperfect for his input! Thanks to that, my device now has Company Portal installed, work profile created, the device registered with Intune, and functioning work apps (Teams, etc). Most of the advice above and elsewhere online does not require the work profile or enrollment in Intune, which was my failure point.

                      Do this all from the owner profile. Do not use Shelter. Do not manually create a work profile. Do not create a separate Graphene user.

                      • Under the owner profile, install any apps you'll want to use in the work profile later on.
                      • Install Company Portal (Play Store, Aurora, etc)
                      • Before launching it, enable exploit protection and set it as a device admin app
                      • Now launch Company Portal and sign in
                      • 'Begin' company setup and 'Continue'
                      • "Setting up your work profile" transitions to a "Let's set up your work profile" screen. 'Accept & Continue' then it'll work for a minute, then prompt you to tap 'next', WAIT! Do not yet tap next and leave that screen open.
                      • Install apps to the work profile via ADB
                        • I did not include gms items or android.vending as imperfect did since I install those differently below
                        • pm install-existing --user 10 com.microsoft.office.outlook etc. 10 was my work profile ID as identified by pm list users
                      • Go back to the Company Portal app you previously left open and tap 'Next'
                      • It spins indefinitely. You'll know it's gone as far as it will go when the Company Portal app disappears from your app drawer (because it was moved to the work profile)
                      • Go to Settings > Apps > All Apps > 'Work Profile' tab
                      • Select 'App Store' (Graphene) and the launch icon in the top right to launch it under the work profile
                      • 'Google Play Services' Install (includes GmsCompatConfig, and Google Play Store dependencies)
                      • Reboot
                      • Go to Settings > Apps > All Apps > Work Profile tab, tap 'Company Portal', enable exploit mode, then the launch icon in the top right to launch it under the work profile
                      • Sign into company portal again.
                      • It initially hung on "Setting up your work profile" (red banner with company name up top), then eventually failed with something like "Unable to create work profile. Contact your company IT admin".
                      • Reboot
                      • Go to Settings > Apps > All Apps > Work Profile tab, tap 'Company Portal', then the launch icon in the top right to launch it under the work profile
                      • Sign into company portal again.
                      • Repeat. This time, the 'Create Work Profile' step was already checked. It immediately went to "registering" then "finishing setting up your work profile..." and completed!

                      I'm able to use apps (Teams, etc) that require the device be registered in Intune. The annoying part is that I can't launch them directly from the owner profile home screen or app drawer. You have to go to Settings > Apps > All Apps > 'Work Profile' tab and launch from there. I'll explore to see if I can create a shortcut for this or launching apps under the work profile.

                      I just achieved this about 10 minutes ago. We'll see what type of experience I have using work apps over the next week or so.
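
Added example, not part of any post in this thread: the replies above find the work profile's user ID with pm list users and then run pm install-existing --user <id> for each app. This sketch picks that ID out of the output by its managed-profile flag instead of by eye and prints the resulting commands; the sample output, the function names and the 0x20 flag value (FLAG_MANAGED_PROFILE in AOSP's UserInfo) are assumptions not stated in the thread.

```shell
#!/bin/sh
# Added example. Assumption: `pm list users` prints UserInfo{<id>:<name>:<hex flags>}
# and the managed (work) profile carries AOSP's FLAG_MANAGED_PROFILE bit, 0x20.
MANAGED_PROFILE_FLAG=32   # 0x20

# Constructed sample of `adb shell pm list users` output (not taken from the thread).
SAMPLE_USERS='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Work profile:1030} running
	UserInfo{11:Guest:404}'

# Print the ID of every user whose flags include the managed-profile bit.
work_profile_ids() {
    printf '%s\n' "$1" |
    sed -n 's/.*UserInfo{\([0-9][0-9]*\):.*:\([0-9a-fA-F][0-9a-fA-F]*\)}.*/\1 \2/p' |
    while read -r id flags; do
        if [ $(( 0x$flags & $MANAGED_PROFILE_FLAG )) -ne 0 ]; then
            printf '%s\n' "$id"
        fi
    done
}

# Print (not run) one install-existing command per package for the given user.
# Names with characters outside [A-Za-z0-9._] are rejected so nothing else
# can end up on the adb command line.
install_existing_cmds() {
    user_id=$1
    shift
    for pkg in "$@"; do
        case $pkg in
            ''|*[!A-Za-z0-9._]*)
                echo "skipping invalid package name: $pkg" >&2
                continue ;;
        esac
        printf 'adb shell pm install-existing --user %s %s\n' "$user_id" "$pkg"
    done
}

# Dry run against the sample; on a device, feed in "$(adb shell pm list users)".
for id in $(work_profile_ids "$SAMPLE_USERS"); do
    install_existing_cmds "$id" com.microsoft.office.outlook com.microsoft.teams
done
```

As the thread notes, the ID differs per device (18 for one poster, 10 for another), so the lookup has to be repeated on each phone before any install-existing command is run.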