MS Intune company portal with work profile not working

drewdatrip

Thanks to all that have continued to try. Checking in again to see if any improvements have been made to allow this to work without adb command workarounds. I really want to ditch the stock google build and move to GOS, however its looking more and more like I may have to settle with LOS + microg or backtrack to iOS.. =(

Euforises

Hi,

thanks for the script provided, I was able to use it with some tweaks.

However, I'm faced a dilemma, there is a single app that I need, which is installed after the enrollment automatically from private play store. There is no way to get that, right? Because I simply can't download that app on main account any way and then inject to the work profile.

Euforises

Euforises However, I'm faced a dilemma, there is a single app that I need, which is installed after the enrollment automatically from private play store. There is no way to get that, right? Because I simply can't download that app on main account any way and then inject to the work profile.

okay I solved this by enrolling an another device to MDM and pulling the needed apk from that first

Euforises

modu The only thing currently missing is easy access to the work profile apps.

So with third party launchers at least (I'm using nova, yeah I know..) you get them automatically upon install in app drawer, like any apps.

burningfeelings

I changed the script to run on Alpine (ash)

`#!/bin/ash
INTERVAL=0.05
WORK_PROFILE_NAME="Work profile"

echo "⏳ Watching for $WORK_PROFILE_NAME creation..."
while true; do
USERS=$(adb shell pm list users 2>/dev/null)

    WORK_LINE=$(echo "$USERS" | grep -i "$WORK_PROFILE_NAME")
    if [ -n "$WORK_LINE" ]; then
            USER_ID=$(echo "$WORK_LINE" | sed -n 's/UserInfo{\([0-9]\+\):.*/\1/p')

            if [ -n "$USER_ID" ]; then
                    echo "Installing"
                    adb shell pm install-existing --user $USER_ID com.android.vending &
                    adb shell pm install-existing --user $USER_ID com.google.android.gms &
                    adb shell pm install-existing --user $USER_ID com.microsoft.office.outlook &
                    adb shell pm install-existing --user $USER_ID com.microsoft.teams &
                    adb shell pm install-existing --user $USER_ID com.microsoft.office.excel &
                    adb shell pm install-existing --user $USER_ID com.microsoft.office.word &
                    adb shell pm install-existing --user $USER_ID com.microsoft.office.powerpoint &
                    adb shell pm install-existing --user $USER_ID com.microsoft.skydrive &
                    adb shell pm install-existing --user $USER_ID com.microsoft.teams &
                    adb shell pm install-existing --user $USER_ID com.microsoft.emmx &
                    adb shell pm install-existing --user $USER_ID com.azure.authenticator &
                    wait
                    echo "🎉 Injection complete. You can now return to your phone and continue provisioning."
                    exit 0
            fi
    fi

    sleep "$INTERVAL"

done`

everything went ok but when getting to compliance it says my device has been compromised (device its rooted), we couldn't certify your device... c'mon... disable exploit compatibility and turn off USB debug and no go...

boris

burningfeelings It looks like your company has some strict compliance policies which are in conflict with grapheneOS

I believe best bet at this point would be to ask your IT department for help.

burningfeelings

in ash:

#!/bin/ash
INTERVAL=0.05
WORK_PROFILE_NAME="Work profile"

echo "⏳ Watching for $WORK_PROFILE_NAME creation..."
while true; do
        USERS=$(adb shell pm list users 2>/dev/null)

        WORK_LINE=$(echo "$USERS" | grep -i "$WORK_PROFILE_NAME")
        if [ -n "$WORK_LINE" ]; then
                USER_ID=$(echo "$WORK_LINE" | sed -n 's/UserInfo{\([0-9]\+\):.*/\1/p')

                if [ -n "$USER_ID" ]; then
                        echo "Installing"
                        adb shell pm install-existing --user $USER_ID com.android.vending &
                        adb shell pm install-existing --user $USER_ID com.google.android.gms &
                        adb shell pm install-existing --user $USER_ID com.microsoft.office.outlook &
                        adb shell pm install-existing --user $USER_ID com.microsoft.teams &
                        adb shell pm install-existing --user $USER_ID com.microsoft.office.excel &
                        adb shell pm install-existing --user $USER_ID com.microsoft.office.word &
                        adb shell pm install-existing --user $USER_ID com.microsoft.office.powerpoint &
                        adb shell pm install-existing --user $USER_ID com.microsoft.skydrive &
                        adb shell pm install-existing --user $USER_ID com.microsoft.teams &
                        adb shell pm install-existing --user $USER_ID com.microsoft.emmx &
                        adb shell pm install-existing --user $USER_ID com.azure.authenticator &
                        wait
                        echo "🎉 Injection complete. You can now return to your phone and continue provisioning."
                        exit 0
                fi
        fi

        sleep "$INTERVAL"
done

localgh0st

As of today, after trying a couple of times, I have tryed the method and seems I am unable to do the injection.

My steps:

Start the script.
Install the Intune portal
Intune launches the work user creation screen and Work user gets created
Script fails to inject the dependencies with the following error: Exception occurred while executing 'install-existing': java.lang.SecurityException: Shell does not have permission to access user 14

Any hints?
Thanks for the script!

Reunite1590

localgh0st You need to inject apps in before the "last phase". Running it too late will not work, because android gives profile ownership to intune and unless you root your phone, no account will be above that.

temp89649681 Following the steps given by wild but before hitting "Accept & Continue" I connect the device over ADB and start the script to detect when the profile is created.

drewdatrip

Checking in once again to see if this has been resolved in an OS update or with a simple patch or workaround? I really grow tired of using stock Android garbage on my work phone but essentially require company portal for all my work applications.

boris

drewdatrip

Sadly best bet if you want to use graphene is doing the script setup (or asking your company IT - atleast temporary - for some wild exemptions - I believe the main one is to be allowed to install apps from third party sources atleast during setup - since sandboxed playstore is treated as third party app source)

Reunite1590

modu Google play won't work because it's not installed with full privileges, but as 3rd party app store (same as Fdroid or Accrescent). The top level app store is App Store (cube shaped icon). Note down list of apps you need, install them on owner profile and add them into the script. You can then disable them in owner profile. When you update apps in owner profile, they will also update in work profile, so you don't really need google play on work profile. I still installed it to make intune happy, but disabled it later.

alpham1ke

There's a chance it's my ineptitude but script approach failed for me, same as localgh0st.

Script is running and waiting for Intune to create the Work profile. Zero apps transferred.

« Previous Page