1. I am interested in getting MySudo in either a work profile or as a separate profile. Is there a pro or a con to using a work profile versus creating a new profile?
It would seem they're similar, except that you only have one work profile whereas you can create as many separate profiles as you want, I suppose.....

  1. When it says I need to sideload the MySudo app, how is that different than, say, downloading it from the Aurora store? Is there a reason why I would sideload it from F-Droid as opposed to downloading it from Aurora?

  2. What is sideloading? Is it simply the term used for downloading APKs from Android? Is it complicated? How do I do it?

Thanks in advance for any help that is provided.......

    d9780 1. Separate user profiles are recommended over work profiles because they provide better isolation and don't require you to trust profile management apps like Shelter.

    1. F-Droid is bad for security, do not use. You can get MySudo from Play Store, Aurora or download from developer's website if they provide such an option.

    2. Sideloading basically means getting an app not from an app store, like downloading an APK file in a web browser and installing it.

      Thanks very much! It's answers like that which make it so people like me can move forward with confidence instead of getting stuck.

      This seems like a great community! I was nervous about there not being traditional support for Graphene, but it looks like the Graphene folks take care of their own pretty well. Glad to be here and thanks again 😃

      a month later

      Can anyone confirm what evalda said is true about separate users on the main phone profile providing better isolation than a work profile? That doesn't make a lot of sense to me so I'd love an explanation from someone who knows.

        aiVe yes @evalda is right and it is explained in the documentation for AOSP:

        Work Profiles:

        Profile. A profile has separated app data but shares some system-wide settings (for example, Wi-Fi and Bluetooth). A profile is a subset of, and tied to, the existence of a user. A user can have multiple profiles. Profiles are created through a Device Administration application. A profile always has an immutable association to a parent user, defined by the user that created the profile. Profiles do not exist beyond the lifetime of the creating user.

        Categories of profiles

        Managed profile. Created by an application to contain work data and apps. They are managed exclusively by the profile owner (the app that created the corp profile). Launcher, notifications, and recent tasks are shared by the parent user and the corp profile.

        Users:

        User. Each user is intended to be used by a different physical person. Each user has distinct application data and some unique settings, as well as a user interface to explicitly switch between users. A user can run in the background when another user is active; the system manages shutting down users to conserve resources when appropriate. Secondary users can be created either directly via the user interface or from a Device Administration application.

        Categories of users

        Secondary user. Any user added to the device other than the system user. Secondary users can be removed (either by themselves or by an admin user) and cannot impact other users on a device. These users can run in the background and continue to have network connectivity.

        Source: https://source.android.com/docs/devices/admin/multi-user

        Android's user profiles are isolated workspaces with their own instances of apps, app data and profile data (contacts, media store, home directory, etc.). Apps can't see the apps in other user profiles and can only communicate with apps within the same user profile (with mutual consent with the other app). Each user profile has their own encryption keys based on their lock method. They're a great fit for GrapheneOS with a lot of room for improvement.

        Source: https://grapheneos.org/features#improved-user-profiles

        Sensitive data is stored in user profiles. User profiles each have their own unique, randomly generated disk encryption key and their own unique key encryption key is used to encrypt it. The owner profile is special and is used to store sensitive system-wide operating system data. This is why the owner profile needs to be logged in after a reboot before other user profiles can be used. The owner profile does not have access to the data in other profiles. Filesystem-based encryption is designed so that files can be deleted without having the keys for their data and file names, which enables the owner profile to delete other profiles without them being active.

        GrapheneOS enables support for ending secondary user profile sessions after logging into them. It adds an end session button to the lockscreen and in the global action menu accessed by holding the power button. This fully purges the encryption keys and puts the profiles back at rest. This can't be done for the owner profile without rebooting due to it encrypting the sensitive system-wide operating system data.

        Using a secondary profile for regular usage allows you to make use of the device without decrypting the data in your regular usage profile. It also allows putting it at rest without rebooting the device. Even if you use the same passphrase for multiple profiles, each of those profiles still ends up with a unique key encryption key and a compromise of the OS while one of them is active won't leak the passphrase. The advantage to using separate passphrases is in case an attacker records you entering it.

        Source: https://grapheneos.org/faq

          evalda if an essential app required me to have Play Store installed, do I then have no use for Aurora?

          When searching for app alternatives I thought the practice was to try F-Droid first because anything there won't require Play Store. What's a better approach to finding and selecting apps?

          Is there an app that will inventory my sideloaded apps and prompt me to update them?

          I'm apt to add apps to the GOS "Apps" app if applicable.

            Snowmonk If you don't wish to sign up for a Google account or use a personal one, then having the sandboxed Play services and Aurora together works best for that.

            F-Droid has its issues; give this article a read: https://privsec.dev/apps/f-droid-security-issues/

            If you add apps direct from GitHub you can use an RSS Reader app to alert you to new releases:
            https://www.privacyguides.org/android/#manually-with-rss-notifications