I want to use a work profile and enroll my device using Company Portal to access my work email/Teams while my phone is rooted.
I have burned a lot of time attempting to achieve this, thus far without success, so I'm hoping for some community help. My attempts can be categorized as performed on official FW (+root) and on a custom ROM (BeyondROM).
Using official Samsung firmware
I have ODIN-flashed the latest BULF firmware on my SM-998B with a full wipe. Using original AP package, so no Magisk yet. Company Portal then fails me with a somewhat generic "Cannot create a work profile - The security policy prevents the creation of a managed device because a custom has been installed on this device". At this point, device is not rooted and there are no signs of Magisk lingering, so either this is a bug, or it queries Knox for the tripped efuse.
Next I attempted to create a work profile using Shelter, Island and SecureFolder. Each of them seems to run into the exact same error (worded slightly differently).
My gut feeling is that there is an issue with the underlying work profile functionality within Android itself, and I'm not being held back by simply the Knox bit -- surely Island doesn't mind a custom OS.
I then proceeded to root the official firmware with Magisk (23016 canary, and since yesterday 24000 beta). Attempted every combination of denylist, zygisk, shamiko and USNF. None of it makes any difference: every attempt to instantiate a work profile immediately fails.
Using custom ROM
Custom ROM specifically mentions that Samsung's SecureFolder *works* with it, so while I generally prefer to customize the OS myself, I figured flashing this was worth a shot. So I did, and indeed, work profile functionality is not borked anymore. Even before installing the Magisk romdisk, both Shelter and Island manage to create a work profile, and I can install apps inside it. No need for root hiding at all, it seems.
Then I moved on to Company Portal. The enrollment procedure now actually appears to start and after ~3 seconds I am told: we need to encrypt the device. It's definitely getting further than it did on official firmware. I'm okay with encrypting the device. At full battery/charger inserted I can seemingly start this procedure, but it then hangs at a black screen with centered Android picture. At this point my buttons and statusbar are made inaccessible. After an hour of nothing happening I restarted - no data was lost, I'm sure it never even started to encrypt.
Enabling encryption from the Biometric & Security menu is not presented as an option either.
If anyone has insights as to why work profile creation completely fails on stock firmware (and how to fix that), or if anyone knows the way we can enable encryption while running a custom ROM, please reply.