Question Company portal/work profile on A12


zzattack

Senior Member
May 24, 2009
87
2
I want to use a work profile and enroll my device using company portal to access my work email/teams while my phone is rooted.
I have burned a lot of time attempting to achieve this, thus far without success, so I'm hoping for some community help. My attempts can be categorized as performed on official FW (+root) and on a custom ROM (BeyondROM).

Using official samsung firmware
I have ODIN-flashed the latest BULF firmware on my SM-998B with a full wipe, using the original AP package, so no Magisk yet. Company Portal then fails me with a somewhat generic "Cannot create a work profile - The security policy prevents the creation of a managed device because a custom has been installed on this device". At this point the device is not rooted and there are no signs of Magisk lingering, so either this is a bug, or it queries Knox for the tripped efuse.
Next I attempted to create a work profile using Shelter, Island and Secure Folder. Each of them seems to run into the exact same error (worded slightly differently).
My gut feeling is that there is an issue with the underlying work profile functionality within Android itself, and I'm not being held back simply by the Knox bit -- surely Island doesn't mind a custom OS.

I then proceeded to root the official firmware with magisk (23016 canary, and since yesterday 24000 beta). Attempted every combination of denylist, zygisk, shamiko and USNF. None of it makes any difference: every attempt to instantiate a work profile immediately fails.

Using custom ROM
The custom ROM specifically mentions that Samsung's Secure Folder *works* with it, so while I generally prefer to customize the OS myself, I figured flashing this was worth a shot. So I did, and indeed, work profile functionality is not borked anymore. Even before installing the Magisk ramdisk, both Shelter and Island manage to create a work profile, and I can install apps inside it. No need for root hiding at all, it seems.
Then I moved on to Company Portal. The enrollment procedure now actually appears to start, and after ~3 seconds I am told: we need to encrypt the device. It's definitely getting further than it did on official firmware. I'm okay with encrypting the device. At full battery/charger inserted I can seemingly start this procedure, but it then hangs at a black screen with a centered Android picture. At this point my buttons and status bar are made inaccessible. After an hour of nothing happening I restarted - no data was lost, I'm sure it never even started to encrypt.
Enabling encryption from the Biometrics & Security menu is not presented as an option either.



If anyone has insights as to why work profile creation completely fails on stock firmware (and how to fix that), or if anyone knows how we can enable encryption while running a custom ROM, please reply.
 

zzattack

Senior Member
May 24, 2009
87
2
By using MagiskHidePropsConf I was able to set `ro.crypto.state` from `unencrypted` to `encrypted`. This allowed me to create a full work profile, without it asking me to encrypt first.
Next a bunch of "rooted" issues came up, but Shamiko and USNF solved that.
I could then access the apps within the work profile, but the device is still not in compliance because it insists I should enable 'secure startup', i.e. ask a full password/pin after reboot -- this actually does happen on reboots, but I cannot find any corresponding menu entry for it.
That said, I can access the apps inside the portal now, which is the main thing. Perhaps I can even trick it into thinking the device is in compliance.
 

zzattack

Senior Member
May 24, 2009
87
2
Yes, it has been unlocked for over a year. I did not re-lock before trying official firmware though.
 
Intune is supposed to work only on unmodified devices.
See here: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

According to Microsoft, it won't work on:
  • Devices that fail basic integrity
  • Devices with an unlocked bootloader
  • Devices with a custom system image/ROM
  • Devices for which the manufacturer didn't apply for, or pass, Google certification
  • Devices with a system image built directly from the Android Open Source Program source files
  • Devices with a beta/developer preview system image
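The conditions in that list map onto a handful of system properties an admin can read over `adb shell getprop` when triaging an enrollment failure like the one in this thread. The audit below is an added example, not code from the thread, from Microsoft, or from Company Portal; the `getprop` output it parses is constructed, not captured from a real device, and the property names it checks (`ro.boot.flash.locked`, `ro.boot.verifiedbootstate`, `ro.build.tags`, `ro.build.type`) are standard Android properties whose presence on a given Samsung firmware is assumed. As the earlier post shows with `ro.crypto.state`, these values are self-reported by the ROM and can be rewritten, so the script treats them as indicators, not proof; the authoritative signal remains a hardware-backed attestation result, which is outside what this script can see.

```python
"""Audit Android system properties against the device conditions Microsoft lists
as unsupported for Intune (unlocked bootloader, custom ROM, test-keys/AOSP build,
beta or developer build). Added example; property coverage per device is assumed."""
import re
from typing import Dict, List

# Constructed sample in `adb shell getprop` output format (not a real capture).
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [enforcing]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.product.model]: [EXAMPLE-MODEL]
"""

# One getprop line looks like "[name]: [value]"; values may be empty.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn raw getprop output into a name -> value dict, skipping malformed lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings for each unsupported-device condition seen.

    An empty list means none of the checked indicators fired. It does not mean the
    device is compliant: every value here is reported by the OS itself and a rooted
    ROM can override it (the thread does exactly that with ro.crypto.state).
    """
    findings: List[str] = []

    # "Devices with an unlocked bootloader": 0 = unlocked, 1 = locked.
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader unlocked (ro.boot.flash.locked=0)")

    # Verified boot: green = locked + OEM-signed, yellow = locked + custom key,
    # orange = unlocked; anything but green indicates a modified boot chain.
    vbs = props.get("ro.boot.verifiedbootstate")
    if vbs and vbs != "green":
        findings.append(f"verified boot state is {vbs}, not green")

    # "Custom system image/ROM" or AOSP builds are typically signed with test-keys.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build signed with test-keys (custom/AOSP build)")

    # "Beta/developer preview": userdebug/eng builds are not production builds.
    build_type = props.get("ro.build.type", "user")
    if build_type != "user":
        findings.append(f"non-production build type {build_type}")

    # ro.crypto.state is reported, not attested; surface it as context only.
    if props.get("ro.crypto.state") == "encrypted":
        findings.append("note: ro.crypto.state=encrypted is self-reported, not verified")

    return findings


def is_clean(props: Dict[str, str]) -> bool:
    """True when no hard indicator (anything other than the self-reported note) fired."""
    return all(f.startswith("note:") for f in audit(props))


if __name__ == "__main__":
    for finding in audit(parse_getprop(SAMPLE_GETPROP)):
        print(finding)
```

Run it against saved `getprop` output from the failing device; two hard findings (unlocked bootloader, orange verified boot state) are enough on their own to explain the "custom OS" rejection, regardless of what `ro.crypto.state` reports.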
 

adixtx

Member
Sep 23, 2013
8
1
Hi @zzattack ,

I am at the exact same point as you, but I am on an S9+ with NOBLEROM (based on stock).
With the crDroid ROM, all is working OK with Company Portal (encryption working, and I used Magisk to hide root).
But I would like to use NOBLEROM. I also set the build prop ro.crypto.state to encrypted. For me 'Secure startup' is not showing in Biometrics and security, and no password is required on boot. It is only up for Lock screen.
Did you manage to overcome secure startup? Maybe there is a possibility to trick it into thinking 'secure startup' is enabled, even if it is not.

Obs.: In my case, I cannot run apps from the work profile, even though it is created and the apps are visible.

Thanks
 