[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk' (Update: Q1/2023)


cooldude5500

Member
Sep 18, 2014
42
8
Mumbai
OnePlus 5
Anyone managed to get Intune/Teams/Outlook working with latest LineageOS? Teams throws access denied no matter what.

Edit: Magisk is hidden, Shamiko 0.6, USNF modded, enforce denylist off and all apps added to denylist, still nothing.
 

bpham1

Member
Jan 18, 2013
13
3
I'm on LineageOS 19 GSI securized build. Gotten the old versions of company profile, Teams and Outlook to work flawlessly. It'll only be a matter of time before the old versions will cease to be able to log in. I'll hold out as long as I can on this build, but will probably have to give up root in the future.
 

Kris Chen

Senior Member


reconan1

Member
Jan 9, 2011
19
1
Try HMA (HideMyApp) and it will further hide root detection.
(Guide: https://forum.xda-developers.com/t/hide-my-applist-a-brief-guide.4519731/)

I followed his instructions to set up HMA and got clean root detection. Then I could set up Teams/Outlook on my Pixel 6 Pro successfully.
Thanks! With HMA now Intune is OK. The problem is with the rest of the work profile apps like Outlook or Teams... those still don't work even though they are hidden with Magisk and Intune is OK. The problem is that these work profile apps are not listed, they don't appear or show up in HMA to be able to include them in the blacklist. Any way?
 

nieebel

Member
Nov 2, 2021
6
0
What I did to make it work for me:
A. Install Magisk v25.2 following "MAGISK ROOT 🧙‍♂️" from https://forum.xda-developers.com/t/s4-unified-collection-guides.4224933/
B. Follow the mentioned note to prevent root detection: https://forum.xda-developers.com/t/...fety-net-in-android-12.4451857/#post-87127921 - this was enough to make Banking Apps working again. For Intune/Outlook/Teams, I did those additional steps:
C. Then follow the Magisk popups to update to latest org.lsposed.manager 1.8.5 zip zygisk release from Github. Then reboot and ensure that previous steps have not been reverted.
D. Follow lsposed popups to update to latest com.tsng.hidemyapplist 3.0.6 release from Github. Then reboot and ensure that previous steps have not been reverted. Ignore the "parasitary manager" thing.
E. Install icu.nullptr.applistdetector v2.4 based on HideMyApp recommendation
F. Open AppListDetector and see a lot of X
G. Rename Magisk App via Magisk Settings. Reboot.
H. Follow this HideMyApps / Universal SafetyNet Fix guide from https://forum.xda-developers.com/t/...ake-it-work-with-magisk.4402273/post-87849687 - keep "Enforce Deny List toggled OFF". Use this AppListDetector app for testing. After this you should see ticks everywhere except for TWRP.
I. Follow those MagiskHidePropsConf-v6.1.2.zip config https://forum.xda-developers.com/t/...magisks-zygisk-denylist.4392941/post-86308891 (not sure if really required)
J. Uninstall Intune/Teams/Outlook and install those old versions: https://forum.xda-developers.com/t/...e-to-make-it-work-with-magisk.4402273/page-11 and then add them to Magisk (make sure all toggles are turned on) and HideMyApp. If you missed something, just delete Data of Play Store+Intune+Outlook+Teams and retry.

If anybody knows a way to get the latest Outlook/Teams working, I would highly appreciate it.

My device: Samsung S4 i9505 with Optimized-LineageOS-18.1-20201215-Version1
 

foremang

Member
Mar 15, 2010
48
7
Alright, I'm fairly confident now the problem seems to be the new Play Integrity API from Google, and not some nefarious new root tracking method from MS, which makes a lot more sense.

More info on PI API here: https://forum.xda-developers.com/t/...tynet-fix-2-3-1.4217823/page-90#post-87188299

Basically what is happening is that GMS is checking for the highest level of system integrity available on your phone. If your phone fingerprint (model+OS) supports hardware-backed authentication, the check will fail if that isn't returned intact. If your phone only supports software-level integrity checking, that is what gets returned.

It appears Company Portal is now checking for Play Integrity, and many more root-secure apps, like your banking ones, are sure to follow.

@Displax published a USNF mod that injects an old Pixel XL fingerprint into GMS using Zygisk which avoids changing global props and causing issues elsewhere: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517.

Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.

This means PI API will sign off on device integrity at the software level, which you can check using the Play Integrity API Checker from @1nikolas: https://forum.xda-developers.com/t/...cussion-thread.3906703/page-130#post-87182459. A more in-depth version that also checks for hardware-backed authentication should be available in the Play Store soon.

On *top* of all this, it seems Company Portal was detecting the zygisk process in memory. Shamiko 0.5.2 seems to block this by also hiding the zygisk process. HMA doesn't seem to be necessary so far but I'm monitoring.

Doing this my phone has been stable on Company Portal 5.0.556.0 for over 24h through reboot and overnight charge.

It's not clear yet how fragile Displax's USNF mod solution will be, hopefully this issue will be incorporated into future USNF releases. But absolute hardware-backed checks may be only a few years down the line and will likely make hiding root near impossible.

Hope this helps some others.
You ... you are a god amongst men! YOU FIXED MY PROBLEMS! Thank you.
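
Seen from the relying app's side, the post above describes a device returning a software-level verdict where a hardware-backed one is not enforced. The following is an added example, not part of the thread and not Microsoft's or Google's code: a server-side policy over an already decrypted and signature-verified Play Integrity payload, showing that a software-level verdict fails a policy that requires `MEETS_STRONG_INTEGRITY`. Field and label names are those of the Play Integrity API; the package name, nonce, timestamps and thresholds are constructed assumptions.

```python
import time

# Device-integrity labels defined by the Play Integrity API, weakest to strongest.
LEVELS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")


def evaluate_verdict(payload, expected_package, expected_nonce,
                     required_level="MEETS_STRONG_INTEGRITY",
                     max_age_s=300, now_ms=None):
    """Apply a server-side policy to a decoded Play Integrity payload (dict).

    Assumes the token was already decrypted and its signature verified.
    Returns (allowed, reasons); thresholds here are illustrative assumptions.
    """
    if required_level not in LEVELS:
        raise ValueError(f"unknown integrity level: {required_level}")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        reasons.append("package name mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    try:
        age_ms = now_ms - int(req["timestampMillis"])
    except (KeyError, TypeError, ValueError):
        age_ms = None
    if age_ms is None or not 0 <= age_ms <= max_age_s * 1000:
        reasons.append("verdict stale or timestamp invalid")

    # MEETS_STRONG_INTEGRITY requires hardware-backed proof, so a verdict
    # produced at the software level does not carry it.
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if required_level not in labels:
        reasons.append(f"missing {required_level}")

    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized by Play")
    return (not reasons, reasons)


# Constructed sample payloads (not captured from any real device).
NOW_MS = 1_700_000_000_000

def sample_payload(labels):
    return {
        "requestDetails": {"requestPackageName": "com.example.workapp",
                           "nonce": "Y29uc3RydWN0ZWQtbm9uY2U",
                           "timestampMillis": str(NOW_MS - 10_000)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }

SOFTWARE_LEVEL = sample_payload(list(LEVELS[:2]))
HARDWARE_BACKED = sample_payload(list(LEVELS))

if __name__ == "__main__":
    for name, p in (("software-level", SOFTWARE_LEVEL), ("hardware-backed", HARDWARE_BACKED)):
        print(name, evaluate_verdict(p, "com.example.workapp",
                                     "Y29uc3RydWN0ZWQtbm9uY2U", now_ms=NOW_MS))
```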
 

ykjae

Senior Member
Oct 19, 2013
300
36
OnePlus 8T
@GoodSoul maybe you will have an answer to my kinda related problem.

I'm using a device to access company's data by using intune. This has now happened twice.

If I'm spoofing location or using invisible which connects to Tor/I2P or VPN, my company sees. How do I hide this? I was assuming maybe app ops but I just want to be 100%. This is the email I received.
 


Binary Assault

Senior Member
May 25, 2016
508
115
OnePlus 8 Pro
OnePlus 9
I may have accidentally stumbled on to a fix for this. I'm using the latest version of InTune (company policy). Do everything in the OP (no need for LSposed for this method).

If InTune has already detected root, clear cache from all Microsoft apps and force stop them. If you can't FS them, clear cache then reboot the phone.

On your normal (non-work) profile, install the Intune App (I use shelter for my work profile, so I just cloned the app in shelter). Login to the Intune app with work credentials. Open up your Microsoft apps and verify access.

Haven't fully tested this, but previously I would get flagged within a few seconds of opening any Microsoft apps.

Additionally I tried to freeze InTune on my main profile, which seemed to have worked for the time being.

I'm guessing freezing might not survive a reboot but that's a minor concern for me.
 

CharlieMHz

Senior Member
Apr 27, 2015
239
44
Xiaomi Poco F3
You guys can give the latest Magisk Delta stable a shot. Works for me without using any modules, don't even need to hide the Magisk app. Just enable MagiskHide and check Microsoft apps in the hidelist. Make sure to check all boxes for Intune.

Poco F3 | crDroid 8.9 - 2022-09-13
Intune Version 5.0.5736.0
Teams Version 1416/1.0.0.2022434101
 


nri_tech1183

Senior Member
Jan 4, 2015
507
45
You guys can give the latest Magisk Delta stable a shot. Works for me without using any modules, don't even need to hide the Magisk app. Just enable MagiskHide and check Microsoft apps in the hidelist. Make sure to check all boxes for Intune.

Poco F3 | crDroid 8.9 - 2022-09-13
Intune Version 5.0.5736.0
Teams Version 1416/1.0.0.2022434101
You mean LSposed is also not required, nor safetynet-fix or Shamiko?
 

nri_tech1183

Senior Member
Jan 4, 2015
507
45
Update 04.01.2023: I've updated/added additional steps to make this tutorial work again.

This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.2 or higher).

After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- uncheck Force Denylist in Magisk settings
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune).
Important: Expand the view by clicking on the entry. You will see something like this:
[screenshot]
- Now, with the expanded view, click the entry. It will look like this:
[screenshot]
- Repeat these steps (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!

Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails it shows something like this:
[screenshot]


Fix Basic integrity
- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integrity.

If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device

After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should then look like this:
[screenshot]


Update 04.01.2023:
- Install Shamiko and make sure that you uncheck Force Denylist in Magisk settings

Important:
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the initial steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).



If you find this tutorial helpful please leave a like for this post - thanks in advance.
Not at all working!
 

CharlieMHz

Senior Member
Apr 27, 2015
239
44
Xiaomi Poco F3
So just have to flash Delta Canary right?
Then do we need to install any modules like safetynetfix?
Or just enable Intune/Outlook/Teams in Denylist or also do it for Play Store/services?
From what I remember, only Delta is enough. Not sure if I had SafetyNetFix installed back then, if it doesn't work without, then you can try installing SafetyNetFix. I used the modded 2.3.1 from Displax, not sure if that's needed or the regular SafetyNetFix will do.

Only add Microsoft apps into denylist, no need to add Google apps.
 

Top Liked Posts

  • I can see how annoying Teams is. It checks Company Portal every time one opens it up. Should you have connection issues to Company Portal because you are in some unsupported countries of Android Enterprise, it will no longer refresh.

    Outlook doesn't behave like that. Nor does Edge.
  • It seems to be resolved with yesterday's update of Shamiko to 0.5.2
    After yesterday's update the settings are working fine. Will update in case the issue resurfaces.
    Download from Github: https://github.com/LSPosed/LSPosed.github.io/releases - just in case somebody is searching for it as I did...
  • Here to report that I managed to get the latest Intune and Teams from Play Store working with:
    • Universal SafetyNet Fix v2.3.1
    • Shamiko v0.5.2 (120)
    1. Add Intune and Teams to DenyList (make sure all toggles are turned on)
    2. Turn OFF Enforce DenyList
    3. Reboot
    4. Force stop / kill those apps (not sure if this is needed after a reboot, but just to be sure)
    5. I didn't need to clear the apps' data, but you can give that a try
    6. Hide the Magisk app in Magisk's settings
    Will update this post again if this suddenly stops working.