strugee

  • angela

    angela: Are there employers who expect this, but don't provide a cell phone? And what happens when people say "I don't have a smart phone"?

    Can't comment on other employers but $work is an early-mid stage startup. It's hard to justify the cost of buying everyone a phone, yes.

    It doesn't matter if someone doesn't have a smart phone (actually, this has already happened!) because they can't really access work data on a dumb phone anyway. The purpose isn't to track employees or anything (though I understand the suspicion and I'm sure there are places that set more invasive policies than we do). It's just to have some amount of control over company data. Especially because we handle people's PII.

    It's also not all about security. A large chunk of it, unfortunately, is for us to be able to check a box for (sometimes not technically sophisticated) auditors who don't care about discussing actual security tradeoffs. They just want to check their checkbox.

    Obviously this is a terrible and frankly irritating way to design systems. But if we refused to work with auditors that thought like this, we'd go out of business.

  • DaRon

    I am aware of Shelter, and in fact until last week used it to manage my work profile (I've been working at my current job since September 2021). Just to give some examples of the practical effects of what @Carlos-Anso is describing:

    • Google apps never worked properly for me in the Shelter profile. They install and open, but get stuck at the "Checking info..." screen so you can never actually use them.
    • Almost certainly related to the above, my Shelter-managed profile does not show up as a managed device in Google Admin, and therefore can't be e.g. remote wiped by IT if I leave the company. (The work profile that is, not the entire device.) The "proper" work profile I set up with these instructions shows up fine.

    At my work we're likely going to start requiring that devices attest that they're enrolled in the MDM when the user logs into work applications on them, so we can ensure sensitive work data is properly wiped when folks leave the company. A Shelter work profile would fail this attestation requirement. If your work ever starts enforcing a similar attestation check with Intune, your Shelter profile would likely start failing that check too.

      Intro/caveats

      I tested these instructions using GrapheneOS 15 (2024120900) and an account issued by my work, which uses Google's "advanced" mobile management level. This level prompted me to install the Google Apps Device Policy app. If your work uses a different management solution, YMMV - but I suspect the steps will be similar. I may be able to provide information about what's configured in my work's Google Admin console, if anyone needs to compare for some reason. It depends on the exact ask.

      I also gave some app "modify system settings" permissions IIRC. Don't know if that was necessary. If you were able to follow these instructions without doing so, please let me know.

      I also am not an Android expert, and certainly not an Android Enterprise expert. YMMV. This seems to be working for me, but I can't comment on how close it is to official setup like you'd get on a stock Pixel device, if or how much it compromises GrapheneOS' privacy/Google sandboxing model, etc.

      Your mileage may vary, for real.

      Prerequisites

      Before beginning, make sure you have Google Play Services installed and configured in your personal profile. You will also need at least one Google app installed - I tested with Google Drive, but my guess is that it will work with any other Google app. (If someone tests with the Google Play Store, that's probably the ideal since it's already required to be installed - so let me know if that works and I'll update the instructions.)

      You will also need to have adb installed on your computer, and your computer connected to your Android device. Make sure that adb devices shows device next to your device's serial number, and that adb shell works. I'm not going to write detailed instructions for setting this stuff up because there's lots of resources out there already, but if someone links good instructions, I'd be happy to edit that link into this post.

      Instructions to set up the work profile

      First, initiate work profile setup by adding your Google Account in your personal profile. Watch out for the "Action required in Play Store" notification asking you to install the device config app - allow the app install, then switch back to the work profile setup screen. At the "Checking info..." screen, it will crash.

      Still in your personal profile, open Google Drive and switch to your work Google Account (it will have a blank icon in the account switcher) to trigger work profile setup again. Tap "Accept and continue" to start setting up the work profile. Wait, then tap "Next" when the process is done.

      Wait some more. You'll see a spinning screen for a while, then "Can't set up work profile".

      In an adb shell, verify that a work profile has been partially created:

      tokay:/ $ pm list users
      Users:
      	UserInfo{0:John Doe:4c13} running
      	UserInfo{10:Work profile:1070} running

      You will need to double-check that the work profile ID is 10, and adjust below commands if not. Notably, deleting a work profile and setting it up again apparently changes the ID.

      The underlying issue is that Play Services is expecting a freshly-provisioned work profile to already have Play Services installed, because normally it comes with the system image. But since this isn't the case with GrapheneOS, we can simply manually intervene in the work profile to install Google Play Services. Once again in an adb shell:

      tokay:/ $ pm install-existing --user 10 com.google.android.gms
      Package com.google.android.gms installed for user: 10
      tokay:/ $ pm install-existing --user 10 com.android.vending
      Package com.android.vending installed for user: 10

      Go back to work profile setup and tap "Try again". You will see a "Checking info..." screen. Watch out for the GmsCompat notification coming from the work profile to enable notification permissions for Google Play Store/Services.

      You may be asked to sign in again. If you copied your password, pasting it won't work, presumably because the thing is running in the work profile context now. Good luck to the freaks like me who decided they "might as well" generate 100+ character passwords.

      After this, you can proceed through the work profile setup flow. On the screen that prompts you to install work apps, be sure to watch out for the GmsCompat notification telling you to open Google Play Store and allow installations.

      Congrats! You have a (pardon the pun, working) work profile!
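Added example, not part of strugee's post: a small POSIX shell helper that turns the "double-check that the work profile ID is 10" step into a check. It parses `pm list users` output for the user named "Work profile" (the English name shown in the listing above; that name is an assumption), looks at `pm list packages --user N` output, and emits only the `pm install-existing` commands that are still needed, so running it twice is harmless. The sample listings inside it are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not code from the original post. Feed it real output with:
#   adb shell pm list users            (first argument)
#   adb shell pm list packages --user N (second argument)

GMS_PACKAGES='com.google.android.gms com.android.vending'

# Print the user ID of the user named "Work profile" (assumed English name).
# Exit 1 if there is none, 2 if there is more than one (ambiguous).
work_profile_id() {
  ids=$(printf '%s\n' "$1" | sed -n 's/.*UserInfo{\([0-9][0-9]*\):Work profile:.*/\1/p')
  count=$(printf '%s\n' "$ids" | grep -c . || true)
  [ "$count" -eq 0 ] && return 1
  [ "$count" -gt 1 ] && return 2
  printf '%s\n' "$ids"
}

# Given `pm list packages --user N` output, print the GMS packages it lacks, one per line.
missing_gms_packages() {
  for pkg in $GMS_PACKAGES; do
    printf '%s\n' "$1" | grep -qxF "package:$pkg" || printf '%s\n' "$pkg"
  done
}

# Print the pm commands from the post, for the detected ID and only for missing packages.
install_commands() {
  wp=$(work_profile_id "$1") || return $?
  missing_gms_packages "$2" | while IFS= read -r pkg; do
    printf 'pm install-existing --user %s %s\n' "$wp" "$pkg"
  done
}

# Constructed sample output, modelled on the listing in the post (not captured from a device).
SAMPLE_USERS='Users:
    UserInfo{0:John Doe:4c13} running
    UserInfo{10:Work profile:1070} running'
# Constructed: the half-created profile already has the Play Store but not Play Services.
SAMPLE_PACKAGES='package:com.android.vending
package:org.fdroid.fdroid'

install_commands "$SAMPLE_USERS" "$SAMPLE_PACKAGES"
```

Pipe the printed commands into `adb shell` only after reading them; the helper itself never touches the device.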