unfortunately i had to give up root. Then both teams and outlook working but no root
Thanks! with HMA now intune is OK. The problem is with the rest of the work profile apps like outlook or teams...those still don't work even though they are hidden with magisk and intune is OK. The problem is that these work profile apps are not listed, they don't appear or show up in HMA to be able to include them in the black list. Any way?Try HMA(HideMyApp) and It will further hide root detection.
I followed his instruction to setup HMA and got clean root detection. Then I can setup teams/outlook in my Pixel 6 pro successfully.
You ... you are a god amongst men! YOU FIXED MY PROBLEMS! Thank you.Alright, I'm fairly confident now the problem seems to be the new Play Integrity API from Google, and not some nefarious new root tracking method from MS, which makes a lot more sense.
More info on PI API here: https://forum.xda-developers.com/t/...tynet-fix-2-3-1.4217823/page-90#post-87188299
Basically what is happening is that GMS is checking for the highest level of system integrity available on your phone. If your phone fingerprint (model+OS) supports hardware-backed authentication, the check will fail if that isn't returned intact. If your phone only supports software-level integrity checking, that is what gets returned.
It appears Company Portal is now checking for Play Integrity, and many more root-secure apps, like your banking ones, are sure to follow.
@Displax published a USNF mod that injects an old Pixel XL fingerprint into GMS using Zygisk which avoids changing global props and causing issues elsewhere: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517.
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.
This means PI API will sign off on device integrity at the software level, which you can check using the Play Integrity API Checker from @1nikolas: https://forum.xda-developers.com/t/...cussion-thread.3906703/page-130#post-87182459. A more in-depth version that also checks for hardware-backed authentication should be available in the Play Store soon.
On *top* of all this, it seems Company Portal was detecting the zygisk process in memory. Shamiko 0.5.2 seems to block this by also hiding the zygisk process. HMA doesn't seem to be necessary so far but I'm monitoring.
Doing this my phone has been stable on Company Portal 5.0.556.0 for over 24h through reboot and overnight charge.
It's not clear yet how fragile Displax's USNF mod solution will be, hopefully this issue will be incorporated into future USNF releases. But absolute hardware-backed checks may be only a few years down the line and will likely make hiding root near impossible.
Hope this helps some others.
You mean LSposed also not required nor safetynet-fix or Shamiko ?You guys can give the latest Magisk Delta stable a shot. Works for me without using any modules, don't even need to hide the Magisk app. Just enable MagiskHide and check Microsoft apps in the hidelist. Make sure to check all boxes for Intune.
Poco F3 | crDroid 8.9 - 2022-09-13
Intune Version 5.0.5736.0
Teams Version 1416/126.96.36.1992434101
Not at all working!Update 04.01.2023: I've updated/added additional steps to make this tutorial work again.
This question was asked many times and often all the answers did not work:
How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?
With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
- First of all you need the latest Magisk version (24.2 or higher).
After installation select:
- Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
- After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
- uncheck Force Denylist in Magisk settings
- Select 'Configure DenyList'
- Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune).
Important: Expand the view by clicking on the entry. You will see something like this:
View attachment 5536587
- Now, with the expaned view, click the entry. It will look like this:
View attachment 5536595
- Repeat these step (first expand, then clicking the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
Important: If you do not expand the view it will not work!
Now, to make sure that this solution is really working ....
- Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
- Run the SafetyNet Attestation on YASNAC
When it fails is shows something like this:
Fix Basic integrity
- To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
- Download the ZIP and install it as a module in Magisk (24.1 or higher).
- Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integration.
If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
- Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
- Restart your Phone!
- Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
- Type 'su' (enter) and agree to the root dialog.
- Now type 'props' (enter) ...
... select '1' for Edit device fingerprints
... select 'f' for Pick a certified fingerprint
... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
- After selecting the fingerprint for your device, and when the program ends, reboot your device
After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should the look like this:
- Install Shamiko and make sure that you uncheck Force Denylist in Magisk settings
Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the inital steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).
If you find this tutorial helpful please leave a like for this post - thanks in advance.
Nope, just Magisk Delta itself is enoughYou mean LSposed also not required nor safetynet-fix or Shamiko ?
SO just have to flash Delta Canary right?Nope, just Magisk Delta itself is enough
From what I remember, only Delta is enough. Not sure if I had SafetyNetFix installed back then, if it doesn't work without, then you can try installing SafetyNetFix. I used the modded 2.3.1 from Displax, not sure if that's needed or the regular SafetyNetFix will do.SO just have to flash Delta Canary right?
Then do we need to install any modules like safetynetfix?
Or just enable Intunue/Outlok/Teams in Denylist or also do it for Playstore/services?
LSPosed and Shamiko are two different things. Shamiko takes over the deny list and handles it. Having it installed doesn't work against anything. Shamiko hides Zygisk, which is part of Magisk.What NOT to install: lsposed, shamiko. Shamiko needs to have 'force denylist' off, but that is actually against what we are trying to do here.
Perhaps editing your post to, "This is how I got it to work on my device and my setup" would be better than how you've presented it, which is clearly written as some kind of authoritative step-by-step tutorial, which as I pointed out, contains factually incorrect information that others may take to be true.I did not say that there is only one good solution.
No one blamed anyone. Run whatever you wish. I pointed it out for the sake of others reading your post because it is the #1 cause of not passing Play Integrity, and by association, possibly affecting Intune and MS apps detecting an unsecure device.I dont know why you blame people for using custom ROMs.
You might be right about this. I was in a great hurry and this is one of my first tutorials. I edited to make it clear that there are many possible scenarios and options. Thank you for the constructive comments.Perhaps editing your post to, "This is how I got it to work on my device and my setup" would be better than how you've presented it, which is clearly written as some kind of authoritative step-by-step tutorial, which as I pointed out, contains factually incorrect information that others may take to be true.
No one blamed anyone. Run whatever you wish. I pointed it out for the sake of others reading your post because it is the #1 cause of not passing Play Integrity, and by association, possibly affecting Intune and MS apps detecting an unsecure device.
Download from Github: https://github.com/LSPosed/LSPosed.github.io/releases - just in case somebody is searching for it as I did...It seems to be resolved with yesterday's update of Shamiko to 0.5.2
After yesterday's update the settings are working fine. Will update in case the issue resurface.