• Off Topic
  • VMware Intelligent Hub (Workspace ONE / Device MDM) and VMware Tunnel (VPN)

Has anyone used VMware Intelligent Hub (Workspace ONE) for device MDM to create a work profile, and used VMware Tunnel for corporate VPN access, with a proper installation of sandboxed Google Play?

Asking because it seems like it just creates a work profile, but I just want to know if anyone's used it with sandboxed Google Play before I try it. Don't mind giving it any extra permissions it needs. I downloaded the apps and they don't seem to crash immediately when opening them, but haven't tested them yet.

22 days later

Since I never got my answer, I went ahead and did it anyways.
Long story short: It only works until you're required to login with your corporate Google account. In other words, universally useless.

The work profile gets created, but it has no apps because it's unable to see Play services and Play Store.

12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils: Couldn't get play services version
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils: android.content.pm.PackageManager$NameNotFoundException: com.google.android.gms
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.app.ApplicationPackageManager.getPackageInfoAsUser(ApplicationPackageManager.java:256)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:216)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:210)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.utility.AfwUtils.isPlayServicesAboveRequiredLevel(SourceFile:12)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.delegate.afw.AndroidForWorkAccount.showProgressMessage(SourceFile:1)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.delegate.afw.GoogleAccount.prepareRegistrationImp(SourceFile:16)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.delegate.afw.AndroidForWorkAccount.prepareRegistration(SourceFile:69)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.RegisterAndroidWorkAccountWizard.prepareOrUpdateRegistration(SourceFile:90)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.RegisterAndroidWorkAccountWizard.lambda$initializeWorkRegistration$0(Unknown Source:0)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.RegisterAndroidWorkAccountWizard.d(Unknown Source:0)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.k.run(Unknown Source:4)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:463)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at java.util.concurrent.FutureTask.run(FutureTask.java:264)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Handler.handleCallback(Handler.java:942)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Handler.dispatchMessage(Handler.java:99)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Looper.loopOnce(Looper.java:201)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Looper.loop(Looper.java:288)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.HandlerThread.run(HandlerThread.java:67)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils: Couldn't get playstore version
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils: android.content.pm.PackageManager$NameNotFoundException: com.android.vending
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.app.ApplicationPackageManager.getPackageInfoAsUser(ApplicationPackageManager.java:256)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:216)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.app.ApplicationPackageManager.getPackageInfo(ApplicationPackageManager.java:210)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.utility.AfwUtils.isPlayStoreAboveRequiredLevel(SourceFile:12)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.delegate.afw.AndroidForWorkAccount.showProgressMessage(SourceFile:5)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.delegate.afw.GoogleAccount.prepareRegistrationImp(SourceFile:16)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.delegate.afw.AndroidForWorkAccount.prepareRegistration(SourceFile:69)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.RegisterAndroidWorkAccountWizard.prepareOrUpdateRegistration(SourceFile:90)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.RegisterAndroidWorkAccountWizard.lambda$initializeWorkRegistration$0(Unknown Source:0)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.RegisterAndroidWorkAccountWizard.d(Unknown Source:0)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at com.airwatch.agent.ui.enroll.wizard.k.run(Unknown Source:4)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:463)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at java.util.concurrent.FutureTask.run(FutureTask.java:264)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Handler.handleCallback(Handler.java:942)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Handler.dispatchMessage(Handler.java:99)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Looper.loopOnce(Looper.java:201)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.Looper.loop(Looper.java:288)
12-15 15:11:37.394 10637 12828 E AirWatch_AfwUtils:     at android.os.HandlerThread.run(HandlerThread.java:67)

This probably makes more sense knowing Play services has the privileged capability of interacting across profiles on stock OS, but not GrapheneOS.

    r3g_5z This probably makes more sense knowing Play services has the privileged capability of interacting across profiles on stock OS, but not GrapheneOS.

    That makes sense. Maybe the devs working on GmsCompat will find a way to work around this since many users in the community use work profiles on their phones.

    unwat I made that because it seems the Apps app doesn't get added to work profiles and it might be possible for me to install sandboxed Google Play inside the work profile before I login with my company Google account.

      a year later

      r3g_5z Were you able to find a way to install GPS before finishing the setup in the work profile?
      I get to the work profile but when it tries to continue the setup I get:
      "Failed to prepare environment for AFW account registration. Try again? [PLAY_STORE_NOT_FOUND]"

      And even tough I see the "Apps" in the work environment It wont let me install anything as I get:
      "Blocked by work policy"

      I feel that I got to a dead end.

      7 months later

      Hello, I have been tested the Workprofile from our MdM Intelligent Hub (VMWare); Configuration Pixel 4XL, Intelligent Hub. The enrolment goes fine until Intelligent Hub is moved from main profile to the work profile and starts installing application from playstore. It is important that you use the "App Store" from the workprofile to install the the Google Play services (sandboxed) in the middle in the process of the workprofile enrollment process. However, even if you activate all notifications and permission on the Google Play services, the Intelligent Hub (from the workprofile) starts to download application from the main profile to move it to the workprofile and are blocked by the the policy of MdM "saying Blocked by your IT Admin". Even if we update the Google Play services on the workprofile, it is blocked by the Intelligent Hub. It seems that the way the package or any applications that are updated or installed from the google playstore from the workprofile are not following the correct/standard flow (which I am currently investigating). However, even if the Intelligent Hub protect the installation of apps not in the whitelist, I still see that from the App Store of GrapheneOS which is pushed natively during the creation of Work profile, you can install PDF Viewer, Accrescent and Markup apps without any blocking action from the Intelligent Hub and Corporate Policy.

      22 days later

      I found an alternative that would take advantage of deploying all needed workspace applications during the enrolment process (during the workspace creation) and before MdM applies the APK and unknown sources policies.
      The issue is after the deployment and policies are applied, there is no way that applications updates, even from the MdM policies or actions; as applications are downloaded from the user profile and moved to the workprofiles, the MdM policy detect it comes from unknown source or detects at not compliance with IT Policy. It is strange as it is native for other OS; Is it something different (hardening on GrapheneOS) that block or reduce this capability?_

      • de0u replied to this.

        OpenBSD I found an alternative that would take advantage of deploying all needed workspace applications during the enrolment process (during the workspace creation) and before MdM applies the APK and unknown sources policies.

        Out of curiosity, is it possible to say what that solution is?

          14 days later

          de0u during the creation of workprofile, there is a windows (timeframe) that can be used to play with ADB command and before the MDM Policy is pull down on the device. Before the enrolment finishes, you can add as many as applications you want; because the deployment of native package/application are blocked after the policy is applied, you need to install within this period of time all required application of your company in the workprofile. Again, I did it on GrapheneOS on my Pixel 4XL so I do not have the last version of Graphene.