Does this still work as of today? I've tried everything and can't get this to work.
- I'm on Android 13, using MIUI.eu
- SafetyNet passes perfectly
- Using Zygisk without denylist enforced, but configured correctly for Teams and Company Portal. All the submenu items are ticked. Have also done this for Google Play Store, Google Play Services, Google Services Framework, etc
- Magisk app hidden
- Using Shamiko
- Using Hide my Applist and configured it correctly, so that the Applist Detector shows everything as passed. Applied the template to Company Portal and Teams
- Removed work profile created by Company Portal and re-tried again
I'm able to get Company Portal to create the work profile, but when it reaches the stage to add my device to AAD, that's where it fails. Typically, it wouldn't let you even create a work profile if it has detected root on your device.
I've tried with the latest versions of Company Portal and Teams from Play Store, as well as older versions.
UPDATE:
OK so I got it working.
1. Uninstall Teams and Company Portal
2. Install LSPosed zygisk module
3. Install Shamiko Magisk module and make sure Denylist is not enforced
4. Install Hide My Applist
5. Install Teams and Company Portal but do NOT run them yet
6. Go to the denylist in Magisk and add Play Store, Google Play Services, Google Services Framework, Company Portal and Teams and tick all the sub-menu options for all of them. Note that if you reinstall Company Portal and Teams, the sub-menu items will need to be re-ticked in the denylist again
7. Enable Hide My Applist module in LSPosed. Configure the Hide My AppList to use a blacklist to hide root from the above mentioned apps. Alternatively, you can use my config. Just create a file called "HMA_Config.json" and add the contents from this link (https://pastebin.com/Sq4mm0AR) into the file. Once you're done, just restore that file in Hide My Applist.
8. Reboot phone. This is required in order for the LSPosed module to take effect.
9. Do NOT sign into Company Portal. Just sign into Teams. Check the Hide My Applist logs and it should show logs for Company Portal and Teams. Teams will call the Company Portal app in the background to do the root check.
10. If you did all the above correctly, then Teams should be working fine
Remember, do NOT sign into Company Portal app, there's no need. Just sign into the actual apps you want to use, like Teams, Outlook, etc.
I recommend installing Edge, because when you try to open links in Teams, it'll need to use Edge. It doesn't seem to use Chrome for some reason. Remember to apply the above steps to hide root from Edge.
If you need to use Outlook, I recommend installing Outlook Lite, because this doesn't require you to set up Outlook as device administrator and you won't need to worry about your IT admin potentially pushing Intune policies to your device.
If you do need to install the full version of Outlook, then you may be prompted to add it as a Device Administrator. This is dangerous, because it means your company could potentially issue a wipe command from InTune and Outlook will wipe your device. Read the permissions granted by Device Administrator carefully, those are all dangerous. To prevent this, you can use MacroDroid or Tasker to automate the adding and removing of device admin, by using ADB shell commands.
Is it possible to activate Device Administrator via ADB command instead of tapping "Setting -> Security -> Device Administrators --> Select App --> Activate" on handheld? If it's possible, how?
android.stackexchange.com
I'm trying to uninstall an application from shell, however this application is running as a device administrator and thus shell> adb uninstall com.example.test did not work. How can I disable a
stackoverflow.com
enable:
adb shell dpm set-active-admin --user current com.microsoft.office.outlook/com.acompli.accore.receivers.OutlookDeviceAdminReceiver
disable:
adb shell pm disable-user com.microsoft.office.outlook
You can run shell scripts in both Tasker and MacroDroid, so a lot of this can be automated.
I also recommend using Tasker / MacroDroid to disable (freeze) and enable apps as required. I use MacroDroid and I have shortcuts for enable and disable respectively. When I run Teams, I click on "Teams (En)" and it'll enable the Company Portal app and Teams app and launch it for me, as well as use UI interaction to enter my PIN unlock code for Teams. When I click "Teams (Dis)", it'll disable the Company Portal and Teams app for me, so they never run in the background and never apply any policies to my phone (if any).
Here's something funny and interesting that I found. Let's say you have Teams installed and it is hidden from root and let's say you have Edge installed and it's not hidden from root. When you open links in Teams, it'll open with Edge and you'll be shown the error about root being detected on your device. But you can still go back to Teams and use it without issue, because it doesn't know about root. It seems like root detection is not shared among the Office apps, it's per app. Once I've hidden root from Edge, it works fine. I didn't have to uninstall it. It's not the same for Teams though. If your Teams detects root, you'll need to uninstall it and repeat the steps outlined above.
What's also interesting is that on some of my devices, especially ones running AOSP custom rom, it'll prompt to create a work profile. But on other devices, it doesn't create a work profile. Furthermore, on the devices that have a work profile, you can delete the work profile and Teams will continue to function.
I found that if you delete the work profile AND the work account, Teams is somehow still logged in and functions just fine. In some cases, it may even remove the PIN requirement/policy. What I mean by this is that your company IT admin may use InTune to enforce password policies for Teams. For me, I need to set a PIN number for Teams and then when I launch it, I need to enter the pin. This is NOT the same as the PIN used on your phone's lockscreen, this is specific to Teams only. By removing the work profile and work account, this sometimes bypasses the PIN setup process and therefore removes the need to enter a PIN.
Anyway, the conclusion is that apps like Teams, Edge and Outlook don't actually require a work profile to function. If you already have an existing work profile created by another app, then that's fine and it shouldn't interfere with Teams. If you don't want the Company Portal app to create a work profile for you, then try to create one yourself using apps like Shelter -
https://f-droid.org/en/packages/net.typeblog.shelter/
Once you've got a work profile created, it will not be overwritten by other apps, even if they prompt you to create a work profile. By using Shelter to create a work profile, you prevent Company Portal from creating one (if it prompts you to anyway).
)
