[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk'


baliku

New member
Aug 7, 2018
3
2
  1. Samsung S20U LDU, Android 11
  2. Magisk 24.3
    1. Magisk Modules (latest):
      1. Magiskhide Props Config,
      2. Shamiko,
      3. Universal SafetyNetFix
    2. Zygisk = On,
    3. Enforce DenyList = Off
    4. DenyList (WITH ALL SUBCOMPONENTS: blue line over app name should be full!):
      1. Company Portal,
      2. Google Play store,
      3. Google Services Framework (does not have checkmark, because it is a known Magisk bug),
      4. Teams
    5. Magisk itself is renamed: app name changed
  3. App data for Intune and Teams is cleared
  4. YASNAC: BASIC, integrity and CTS passed
  5. Play Integrity checker: MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY passed, MEETS_STRONG_INTEGRITY failed (because it's impossible for rooted device)
  6. Intune Company Portal 5.0.5519.0 manually installed from ApkPure
This helps for me. Teams now works.
 

undert0w

Member
Aug 10, 2012
42
8
It still does not work for me. I am using Displax' 2.3.1 USFN, I also reset and disabled MagiskHide props. I install company portal from play store, add it to deny list, Shamiko 0.5.2 says it's blocking. I then reboot, try to sign in and I am denied entry. I am using a Oneplus 6 on LOS 19.1. I have read in forums that Oneplus devices had issues when logging company portal with Android 12, something related to their firmware. Could it be related?
Did you disable Enforce DenyList in Magisk settings?
 

Zranz

Member
Mar 25, 2015
14
7
Yes, I did disable Enforce DenyList in Magisk. Shamiko reports it is working as a blacklist mode.

This is the report about the required firmware update that affected OnePlus, Oppo and Realme that I mentioned above. Not sure if such firmware changes should be ported to our devices somehow. My phone never received Android 12 and is not receiving updates anymore. I imagine I could try installing a lower version of LOS and try again to test this hypothesis.

If there are other people affected with phones from those brands that would be insightful too.
 

dtkent

Member
Apr 4, 2007
22
13
Sigh.... back to MS Apps in my work profile detecting root after months of working well. CP updated last night to 5.0.5616.0.

Current setup:
1. Android 13
2. Magisk 25.2
3. Shamiko 0.5.2
4. USNF 2.3.1-Displax mod

Denylist is off for Shamiko and all MS Apps + usual suspects are hidden.

As before, it exhibits strange behavior where the CP signs off on my phone, but MS Apps immediately detect root.

I tried to install HMA thinking that might help, but the module bootlooped me and I had to dirty flash stock boot and then reinstall Magisk. Not necessarily inclined to try it again without knowing HMA might be a particular solution.

I can't roll back to earlier CP versions as the work profile version of the Play Store blocks turning off auto updates.

Any insights are appreciated...
 

digger16309

Senior Member
Jul 17, 2014
512
212
OnePlus 5
Google Pixel 6 Pro
Sigh.... back to MS Apps in my work profile detecting root after months of working well. CP updated last night to 5.0.5616.0.


Any insights are appreciated...
I don't see this in your setup - is Magisk hidden? That is a key parameter for me with MS Apps.

Others may be running that CP version successfully but that might be the lynchpin. I don't have work profile. Can you / Have you cleared all data in your CP and Work apps, then uninstall all and reboot, reinstall all, check them all off in deny list and reboot, then try?

Are you running a custom ROM or stock ROM?
 

dtkent

Member
Apr 4, 2007
22
13
I don't see this in your setup - is Magisk hidden? That is a key parameter for me with MS Apps.

Others may be running that CP version successfully but that might be the lynchpin. I don't have work profile. Can you / Have you cleared all data in your CP and Work apps, then uninstall all and reboot, reinstall all, check them all off in deny list and reboot, then try?

Are you running a custom ROM or stock ROM?
Yes absolutely, sorry, Magisk is hidden and always has been. Stock ROM. Clearing data (in fact, reinstalling entire work profile) makes no difference.

Interestingly, CP has never seemed to have any 'memory' of root with prior fixes, I've noticed. When I've previously found a fix (like Shamiko 0.5.2) CP instantly stopped catching root without the need for memory cleaning, reinstalling work profiles, etc. But I've tried it here just to see, and it's been no help.
 

Olorin92

Senior Member
Nov 11, 2015
55
12
Wondering if anyone might be able to help me here...

I've followed the steps from the more recent posts in an attempt to get CP working. As it stands, I have the Displax USNF, Deny list is disabled, I have the latest Shamiko installed, all Microsoft apps are hidden in the deny list and I'm running Android 12 on a Pixel 6 Pro.

No matter what I do, every time I try and set up the company portal, I get the message that my device is compromised. Magisk is also hidden, and I've removed Magisk props too. Any ideas what's going on here? Pulling my hair out trying to get this to work, as everyone else seems to be successful, it just refuses to work for me.
 

digger16309

Senior Member
Jul 17, 2014
512
212
OnePlus 5
Google Pixel 6 Pro
Do you have Magisk hidden? Are you running the older version of Intune - version 5.0.5541.0? Are you running any ad blockers? Other apps CP may detect? Custom ROM?

I have a P6P and it worked for me on A12 and now A13 but I'm running stock ROM and that specific version of CP.
 

Olorin92

Senior Member
Nov 11, 2015
55
12
Do you have Magisk hidden? Are you running the older version of Intune - version 5.0.5541.0? Are you running any ad blockers? Other apps CP may detect? Custom ROM?

I have a P6P and it worked for me on A12 and now A13 but I'm running stock ROM and that specific version of CP.
Yes to Magisk hidden and running old version, no to ad blocker, apps CP can detect or a custom ROM.

Just have no idea why it refuses to work and how it's continually able to detect that I'm rooted (despite every other app being fine, including banking apps)
 

undert0w

Member
Aug 10, 2012
42
8
Sigh.... back to MS Apps in my work profile detecting root after months of working well. CP updated last night to 5.0.5616.0.

Current setup:
1. Android 13
2. Magisk 25.2
3. Shamiko 0.5.2
4. USNF 2.3.1-Displax mod

Denylist is off for Shamiko and all MS Apps + usual suspects are hidden.

As before, it exhibits strange behavior where the CP signs off on my phone, but MS Apps immediately detect root.

I tried to install HMA thinking that might help, but the module bootlooped me and I had to dirty flash stock boot and then reinstall Magisk. Not necessarily inclined to try it again without knowing HMA might be a particular solution.

I can't roll back to earlier CP versions as the work profile version of the Play Store blocks turning off auto updates.

Any insights are appreciated...
Same here, starting today.
 

digger16309

Senior Member
Jul 17, 2014
512
212
OnePlus 5
Google Pixel 6 Pro
Just have no idea why it refuses to work and how it's continually able to detect that I'm rooted (despite every other app being fine, including banking apps)
Are you running LSPosed?

The thing to do, potentially, if you have the stomach for it, is back up all your apps and data, then flash the current stock ROM with a wipe.

Root, and do your setup with Magisk hide, Shamiko, deny list etc... Bring back the correct (old) version CP and your MS apps, but without restoring data, blocked in Deny List, reboot.

If CP is still detecting root, it's likely something your company has done on their side of CP (and we're all going to get hosed when whatever that is spreads). If it doesn't, then it's probably looking for and detecting an app that has root access.

A dirty way of doing this is to remove/disable/freeze all apps that normally have superuser access rights granted.

Since HMA is no longer supported, that may or may not be an option as well.
 

dtkent

Member
Apr 4, 2007
22
13
Same here, starting today.
What version of CP do you have?

I found out the HMA Magisk module bootloops Android 13. There's a beta version of HMA v3.0 available on GitHub that works on 13 as it doesn't require the HMA Magisk module, just LSPosed. I can install and run it just fine, but unfortunately HMA can no longer access any of the Work profile apps so it doesn't serve me any purpose. I haven't seen a workaround for that yet.

I'm not even sure MS would invest effort in something as cat-and-mousey as illicit root app detection. My gut is that MS hasn't done anything new (hence this being an isolated issue for only a few users) and that my workplace has implemented requiring Strong Integrity for CP under the Play Integrity API and are willing to blow up older Android phones. But I have no way (I know of) to check that.
 

undert0w

Member
Aug 10, 2012
42
8
What version of CP do you have?

I found out the HMA Magisk module bootloops Android 13. There's a beta version of HMA v3.0 available on GitHub that works on 13 as it doesn't require the HMA Magisk module, just LSPosed. I can install and run it just fine, but unfortunately HMA can no longer access any of the Work profile apps so it doesn't serve me any purpose. I haven't seen a workaround for that yet.

I'm not even sure MS would invest effort in something as cat-and-mousey as illicit root app detection. My gut is that MS hasn't done anything new (hence this being an isolated issue for only a few users) and that my workplace has implemented requiring Strong Integrity for CP under the Play Integrity API and are willing to blow up older Android phones. But I have no way (I know of) to check that.
It's the latest stable from the Play Store, 5.0.5616.0 – Intune force updates the work profile apps. It was installed on 2nd Oct, a week before it started detecting root.

No HMA, no Xposed/LSPosed framework at all. In fact I have barely any modules currently: Systemless Hosts, Busybox, MagiskHide Props Config (the only change is increasing the volume steps), Displax modded USNF, and Shamiko. Worked perfectly fine until today, and there was definitely no change at all on the Magisk side in the past few weeks.
 

dtkent

Member
Apr 4, 2007
22
13
It's the latest stable from the Play Store, 5.0.5616.0 – Intune force updates the work profile apps. It was installed on 2nd Oct, a week before it started detecting root.

No HMA, no Xposed/LSPosed framework at all. In fact I have barely any modules currently: Systemless Hosts, Busybox, MagiskHide Props Config (the only change is increasing the volume steps), Displax modded USNF, and Shamiko. Worked perfectly fine until today, and there was definitely no change at all on the Magisk side in the past few weeks.
Same deal here, more or less. I have a couple root apps but nothing suspect. Not sure what CP is detecting 😩. Would try HMA if it comes back around to be able to detect other user profiles, like the work one.
 

undert0w

Member
Aug 10, 2012
42
8
Same deal here, more or less. I have a couple root apps but nothing suspect. Not sure what CP is detecting 😩. Would try HMA if it comes back around to be able to detect other user profiles, like the work one.
If M$ will keep up this tempo of new root detection tricks then I'll probably have to bite the bullet, cut back on my principles, and just start using a 2nd phone 😔 without root for the work environment. I wonder if I could bring the 5X back to life...
 

Top Liked Posts

  • 1
    Here to report that I managed to get the latest Intune and Teams from Play Store working with:
    • Universal SafetyNet Fix v2.3.1
    • Shamiko v0.5.2 (120)
    1. Add Intune and Teams to DenyList (make sure all toggles are turned on)
    2. Turn OFF Enforce DenyList
    3. Reboot
    4. I didn't need to clear the apps' data, but you can give that a try.
    Will update this post again if this suddenly stops working.
    Mate, I just wanted to drop a quick note to say you're an absolute legend. Thank you a million times. This worked for me!
    1
    Here to report that I managed to get the latest Intune and Teams from Play Store working with:
    • Universal SafetyNet Fix v2.3.1
    • Shamiko v0.5.2 (120)
    1. Add Intune and Teams to DenyList (make sure all toggles are turned on)
    2. Turn OFF Enforce DenyList
    3. Reboot
    4. I didn't need to clear the apps' data, but you can give that a try
    5. Hide the Magisk app
    Will update this post again if this suddenly stops working.

    UPDATE: Forgot to mention I already hid the Magisk app. I tried unhiding it and Intune was able to detect it. Added step 5.
    This worked perfectly. Thank you!
    1
    Here to report that I managed to get the latest Intune and Teams from Play Store working with:
    • Universal SafetyNet Fix v2.3.1
    • Shamiko v0.5.2 (120)
    1. Add Intune and Teams to DenyList (make sure all toggles are turned on)
    2. Turn OFF Enforce DenyList
    3. Reboot
    4. Force stop / kill those apps (not sure if this is needed after a reboot, but just to be sure)
    5. I didn't need to clear the apps' data, but you can give that a try
    6. Hide the Magisk app
    Will update this post again if this suddenly stops working.

    UPDATE: Forgot to mention I already hid the Magisk app. I tried unhiding it and Intune was able to detect it. Added an extra step.
    This worked. Thank you!
    1
    Here to report that I managed to get the latest Intune and Teams from Play Store working with:
    • Universal SafetyNet Fix v2.3.1
    • Shamiko v0.5.2 (120)
    1. Add Intune and Teams to DenyList (make sure all toggles are turned on)
    2. Turn OFF Enforce DenyList
    3. Reboot
    4. Force stop / kill those apps (not sure if this is needed after a reboot, but just to be sure)
    5. I didn't need to clear the apps' data, but you can give that a try
    6. Hide the Magisk app
    Will update this post again if this suddenly stops working.

    UPDATE: Forgot to mention I already hid the Magisk app. I tried unhiding it and Intune was able to detect it. Added an extra step.

    You are a lifesaver !! Worked like a charm.

    I would like to gift you with some donation, please PM me with the details.
    1
    You are a lifesaver !! Worked like a charm.

    I would like to gift you with some donation, please PM me with the details.
    Glad it worked for you! Thanks for the donation offer but I'll decline it, maybe donate it to your local charity or something, cheers!
  • 16
    This question was asked many times and often all the answers did not work:
    How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft Outlook etc (protected by Microsoft Intune)?

    With Magisk 24.1 it is finally possible to bypass the protection of Microsoft Intune. Here are the instructions on how to proceed. The solution requires root!
    - First of all you need the latest Magisk version (24.1 or higher).
    - After installation select:
    - Settings -> Hide the Magisk app : Select a new name of your choice (I use 'MM' for 'Magisk Manager')
    - After Magisk has been hidden open 'Settings' and enable 'Zygisk (Beta)'
    - Select 'Enforce DenyList'
    - Select 'Configure DenyList'
    - Use the magnifying glass and search for "Microsoft". You will find "Company Portal" (also known as Microsoft Intune). Important: Expand the view by clicking on the entry. You will see something like this:
    before.png

    - Now, with the expanded view, click the entry. It will look like this:
    after.png

    - Repeat these steps (first expand, then click the button) on each other Microsoft App - e.g. Microsoft Teams, Microsoft Outlook, ...
    Important: If you do not expand the view it will not work!

    Now, to make sure that this solution is really working ....
    - Install YASNAC - Yet Another SafetyNet Attestation Checker from the Google Play Store.
    - Run the SafetyNet Attestation on YASNAC
    When it fails it shows something like this:
    [image]

    - To fix the Basic integrity you need to install the latest Universal SafetyNet Fix from Github.
    - Download the ZIP and install it as a module in Magisk (24.1 or higher).
    - Reboot again and restart the YASNAC - Yet Another SafetyNet Attestation Checker. It should now pass (at least) the Basic integrity.

    Now your Microsoft Apps should work. :cool:

    If this is not the case you might also need to fix your CTS profile match. You can resolve this by doing the following steps:
    - Download and install the latest release of MagiskHide Props Config from Github in Magisk as a Module.
    - Restart your Phone!
    - Launch a Terminal of your choice (e.g. Termux, Android Terminal Emulator, ...).
    - Type 'su' (enter) and agree to the root dialog.
    - Now type 'props' (enter) ...
    ... select '1' for Edit device fingerprints
    ... select 'f' for Pick a certified fingerprint
    ... select a vendor of your phone (e.g. Xiaomi, Poco, Google, Samsung, Oneplus ...)
    ... select your phone (if available) or a phone which is next to your phone with your installed Android version (for example 9,10,11).
    - After selecting the fingerprint for your device, and when the program ends, reboot your device

    After reboot another check of YASNAC - Yet Another SafetyNet Attestation Checker should then look like this:
    [image]


    Important:
    Once YASNAC shows Pass on Basic integrity and CTS profile match you can use any Banking App (e.g. Google Pay, N26, DKB, Sparkasse, Revolut, bunq, <whatever>) by repeating the initial steps for each of these Apps and it should not detect root. You might need to clear the data before the app stops complaining about a rooted device (example Google Pay).

    If you find this tutorial helpful please leave a like for this post - thanks in advance.

    BTW: @skuppej did the same steps in another post before my post with success. You can read it here.
    5
    Alright, I'm fairly confident now the problem seems to be the new Play Integrity API from Google, and not some nefarious new root tracking method from MS, which makes a lot more sense.

    More info on PI API here: https://forum.xda-developers.com/t/...tynet-fix-2-3-1.4217823/page-90#post-87188299

    Basically what is happening is that GMS is checking for the highest level of system integrity available on your phone. If your phone fingerprint (model+OS) supports hardware-backed authentication, the check will fail if that isn't returned intact. If your phone only supports software-level integrity checking, that is what gets returned.

    It appears Company Portal is now checking for Play Integrity, and many more root-secure apps, like your banking ones, are sure to follow.

    @Displax published a USNF mod that injects an old Pixel XL fingerprint into GMS using Zygisk which avoids changing global props and causing issues elsewhere: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517.

    Usage:
    1. Delete/disable/reset MagiskHidePropsConfig (if installed).
    2. Just install it over old Universal SafetyNet Fix and reboot device.

    This means PI API will sign off on device integrity at the software level, which you can check using the Play Integrity API Checker from @1nikolas: https://forum.xda-developers.com/t/...cussion-thread.3906703/page-130#post-87182459. A more in-depth version that also checks for hardware-backed authentication should be available in the Play Store soon.

    On *top* of all this, it seems Company Portal was detecting the zygisk process in memory. Shamiko 0.5.2 seems to block this by also hiding the zygisk process. HMA doesn't seem to be necessary so far but I'm monitoring.

    Doing this my phone has been stable on Company Portal 5.0.556.0 for over 24h through reboot and overnight charge.

    It's not clear yet how fragile Displax's USNF mod solution will be, hopefully this issue will be incorporated into future USNF releases. But absolute hardware-backed checks may be only a few years down the line and will likely make hiding root near impossible.

    Hope this helps some others.
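
The tiered verdict described in the post above, seen from the relying service's side, as an added example that is not part of the original post and is not Microsoft's or Google's code: a server-side policy check over a decoded Play Integrity verdict payload. Field names follow the Play Integrity verdict format; the package name, nonce, timestamps and sample verdict are constructed, and the payload is assumed to be already decrypted and signature-verified.

```python
import time

# Device labels a Play Integrity verdict can carry.
TIERS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")


def evaluate_verdict(verdict, *, expected_package, expected_nonce,
                     required_tier, now_ms=None, max_age_ms=120_000):
    """Return (allowed, reasons) for a decoded verdict payload."""
    if required_tier not in TIERS:
        raise ValueError(f"unknown tier: {required_tier}")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    # Bind the verdict to this app and this request, and reject old ones.
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        reasons.append("package name mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or age < 0 or age > max_age_ms:
        reasons.append("stale or invalid timestamp")

    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized by Play")

    # Require the exact label; a missing or empty list fails every tier.
    device = verdict.get("deviceIntegrity", {})
    labels = set(device.get("deviceRecognitionVerdict") or [])
    if required_tier not in labels:
        reasons.append(f"device lacks {required_tier}")
    return (not reasons, reasons)


# Constructed sample: the labels match the checker result reported earlier in
# the thread (basic and device pass, strong fails). All other values are made up.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.workapp",  # hypothetical package
        "nonce": "bm9uY2UtMTIz",                      # constructed nonce
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"],
    },
}


def check_sample(required_tier, now_ms=1700000030000):
    """Evaluate the constructed sample 30 seconds after it was issued."""
    return evaluate_verdict(SAMPLE_VERDICT, expected_package="com.example.workapp",
                            expected_nonce="bm9uY2UtMTIz",
                            required_tier=required_tier, now_ms=now_ms)


if __name__ == "__main__":
    for tier in ("MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"):
        print(tier, check_sample(tier))
```

The same verdict is accepted under a device-level policy and rejected once the policy requires the hardware-backed label, which is the difference between the two enforcement levels discussed in this thread.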
    5
    It seems to be resolved with yesterday's update of Shamiko to 0.5.2
    After yesterday's update the settings are working fine. Will update in case the issue resurfaces.
    Download from Github: https://github.com/LSPosed/LSPosed.github.io/releases - just in case somebody is searching for it as I did... :cool:
    5
    Here to report that I managed to get the latest Intune and Teams from Play Store working with:
    • Universal SafetyNet Fix v2.3.1
    • Shamiko v0.5.2 (120)
    1. Add Intune and Teams to DenyList (make sure all toggles are turned on)
    2. Turn OFF Enforce DenyList
    3. Reboot
    4. Force stop / kill those apps (not sure if this is needed after a reboot, but just to be sure)
    5. I didn't need to clear the apps' data, but you can give that a try
    6. Hide the Magisk app in Magisk's settings
    Will update this post again if this suddenly stops working.
    4
    It seems to be resolved with yesterday's update of Shamiko to 0.5.2
    After yesterday's update the settings are working fine. Will update in case the issue resurfaces.