GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/
361 stars, 21 forks

Microsoft Intune doesn't create Work Profile #1938

Closed zarakik closed 1 year ago

zarakik commented 1 year ago

I'm trying to use the Intune Company Portal application, per instructions from my organization, to install a work profile, but it errors out saying it is unable to install.

A quick adb logcat shows the following errors:

02-03 23:37:11.372 17714 17781 W GooglePlayServicesUtil: com.microsoft.windowsintune.companyportal requires the Google Play Store, but it is missing.
02-03 23:37:11.378 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.380 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.382 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.384 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.389 17714 17781 I FA      : Collection disabled with firebase_analytics_collection_deactivated=1
02-03 23:37:11.396 17714 17781 I FA      : App measurement is starting up, version: 16250
02-03 23:37:11.397 17714 17781 I FA      : To enable debug logging run: adb shell setprop log.tag.FA VERBOSE
02-03 23:37:11.397 17714 17781 I FA      : To enable faster debug mode event logging run:
02-03 23:37:11.397 17714 17781 I FA      :   adb shell setprop debug.firebase.analytics.app com.microsoft.windowsintune.companyportal
02-03 23:37:11.398 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.401 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.401  6810  6810 D wpa_supplicant: Control interface recv command from: /data/vendor/wifi/wpa/sockets/wpa_ctrl_1287-48\x00
02-03 23:37:11.401  6810  6810 D wpa_supplicant: wlan0: Control interface command 'VENDOR 0x001374 13'
02-03 23:37:11.401  6810  6810 D wpa_supplicant: CTRL-DEBUG: ctrl_sock-sendto: sock=14 sndbuf=229376 outq=0 send_len=0
02-03 23:37:11.404 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.406 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [5BUeOCtRB4yqLj4McZqV3xdy5MrxlJYmSDOrZh2GEmU=].
02-03 23:37:11.407  6810  6810 D wpa_supplicant: nl80211: Event message available
02-03 23:37:11.407  1354  6721 D LOWI-8.6.0.75: [LOWI-Scan] wait_event:Wait done with Cmd 103
02-03 23:37:11.407  1354  6721 D LOWI-8.6.0.75: [LOWI-Scan] do_listen_events: Rcvd valid Netlink Cmd 0 Err 0
02-03 23:37:11.407   913  6803 I WifiHAL : event received NL80211_CMD_VENDOR, vendor_id = 0x1374, subcmd = 0xd
02-03 23:37:11.408  6810  6810 D wpa_supplicant: nl80211: Drv Event 103 (NL80211_CMD_VENDOR) received for wlan0
02-03 23:37:11.408  6810  6810 D wpa_supplicant: nl80211: Vendor event: wiphy=0 vendor_id=0x1374 subcmd=13
02-03 23:37:11.408  6810  6810 D wpa_supplicant: nl80211: Vendor data - hexdump(len=180): 08 00 04 00 1e 00 00 00 ac 00 03 00 00 00 00 00 57 5c 01 00 25 05 00 00 00 00 00 00 4a b9 01 00 ...
02-03 23:37:11.408  1321  1321 I cnss-daemon: nl80211 response handler invoked
02-03 23:37:11.408  1321  1321 I cnss-daemon: nl80211_response_handler: cmd 103, vendorID 4980, subcmd 13  received
02-03 23:37:11.409  6810  6810 D wpa_supplicant: nl80211: Ignore unsupported QCA vendor event 13
02-03 23:37:11.422 17714 17781 W GooglePlayServicesUtil: com.microsoft.windowsintune.companyportal requires the Google Play Store, but it is missing.
02-03 23:37:11.422 17714 17781 W FA      : Service invalid
02-03 23:37:11.431 13871 13871 I Choreographer: Skipped 106 frames!  The application may be doing too much work on its main thread.
02-03 23:37:11.446 17714 17787 I FirebaseRemoteConfig: Fetch succeeded!
02-03 23:37:11.452 13871 14752 E OpenGLRenderer: Unable to match the desired swap behavior.
02-03 23:37:11.472 17714 17799 W GooglePlayServicesUtil: com.microsoft.windowsintune.companyportal requires the Google Play Store, but it is missing.

Is it not able to detect the Google Play Services installed on GrapheneOS?

girlbossceo commented 1 year ago

This is an issue I've personally encountered with my company that uses VMware One Intelligent Hub (Airwatch).

Work profiles that depend on Google Play will normally have GSF, GMS, and Play Store automatically installed upon the creation of the work profile like it does on stock OS. Work profiles can't access Google Play from the user profile it's in. Since Google Play apps are not considered components that get automatically installed in the work profile, apps like Intune and Intelligent Hub don't handle a situation where those components are unavailable.

I've partially solved this issue with https://github.com/GrapheneOS/platform_frameworks_base/commit/e5856762e6492fc015859de10b80bf26f9e60239 which allows GrapheneOS Apps app to be added to all work profile creations by default, so you can install sandboxed Google Play once the work profile gets created then finish the (unfortunately, likely broken and half baked) installation of your work profile.

This still doesn't work 100% because the MDM app will likely place restrictions on what apps you can install. Play Store on stock OS is considered a trusted first-party source, but on GrapheneOS only the Apps app is a trusted first-party source. Play Store on GrapheneOS is a third-party source, so even if your work profile gets created and you can install sandboxed Google Play, neither the MDM app nor you will be able to install your company apps like Duo (MFA), Okta, Microsoft Teams and Outlook, GlobalProtect, VMware Tunnel, etc.

MDM stuff on GrapheneOS is a really complex situation to tackle when we don't want to create special case bypasses for sandboxed Google Play like it does on stock OS, and when we don't have a testing or sandboxed environment to start attempting to add support for MDM that would mimic a production environment.
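The comment above describes a chain of conditions: the MDM agent runs in a managed (work) profile, that profile only gets the components the OS copies into it at creation, and on GrapheneOS sandboxed Google Play is not among them unless the user installs it there via the Apps app. The following script is an added example for this thread, not GrapheneOS code and not part of any MDM agent; it turns that description into a check you can run against three adb captures (`adb logcat -d`, `adb shell pm list users`, `adb shell pm list packages --user <id>`). It assumes the AOSP `UserInfo.FLAG_MANAGED_PROFILE` bit value (0x20) and the Apps client's package name (`app.grapheneos.apps`); both are stated as assumptions in the code. All sample captures are constructed for the example (modelled on the logcat posted in the issue) so it runs offline.

```python
"""Check whether a work profile on GrapheneOS has what a Play-dependent MDM
agent expects.  Added example; not GrapheneOS or MDM-vendor code.

Inputs are plain text captured with adb:
    adb logcat -d                                   -> LOGCAT
    adb shell pm list users                         -> PM_LIST_USERS
    adb shell pm list packages --user <profile id>  -> PM_LIST_PACKAGES[<id>]
The samples at the bottom are constructed for the example.
"""
import re

# Components a Play-dependent agent expects inside the work profile.  On
# GrapheneOS they are present there only if sandboxed Google Play was
# installed into that profile by the user.
PLAY_PACKAGES = {
    "com.google.android.gsf": "Google Services Framework",
    "com.google.android.gms": "Google Play services",
    "com.android.vending": "Google Play Store",
}
# Package name of the GrapheneOS Apps client: an assumption, verify on device.
APPS_APP = "app.grapheneos.apps"
# UserInfo.FLAG_MANAGED_PROFILE from AOSP; assumed stable for this check.
FLAG_MANAGED_PROFILE = 0x20

PLAY_MISSING_RE = re.compile(
    r"GooglePlayServicesUtil: (?P<pkg>[\w.]+) requires the Google Play Store, "
    r"but it is missing"
)
USER_RE = re.compile(r"UserInfo\{(?P<id>\d+):(?P<name>[^:}]*):(?P<flags>[0-9a-fA-F]+)\}")
PKG_RE = re.compile(r"^package:(?P<pkg>[\w.]+)$")


def packages_missing_play(logcat: str) -> set[str]:
    """Packages that logged the 'requires the Google Play Store' warning."""
    return {m.group("pkg") for m in PLAY_MISSING_RE.finditer(logcat)}


def managed_profile_ids(pm_list_users: str) -> list[int]:
    """User ids of managed (work) profiles, selected by the flag bit."""
    return [
        int(m.group("id"))
        for m in USER_RE.finditer(pm_list_users)
        if int(m.group("flags"), 16) & FLAG_MANAGED_PROFILE
    ]


def installed_packages(pm_list_packages: str) -> set[str]:
    """Package names from `pm list packages` output."""
    found = set()
    for line in pm_list_packages.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            found.add(m.group("pkg"))
    return found


def missing_play_components(installed: set[str]) -> list[str]:
    """Human-readable names of Play components absent from `installed`."""
    return [name for pkg, name in PLAY_PACKAGES.items() if pkg not in installed]


def diagnose(logcat: str, pm_list_users: str, pm_list_packages: dict[int, str]) -> dict:
    """Combine the three captures into one report per work profile."""
    report = {"complaining": sorted(packages_missing_play(logcat)), "profiles": {}}
    for uid in managed_profile_ids(pm_list_users):
        installed = installed_packages(pm_list_packages.get(uid, ""))
        report["profiles"][uid] = {
            "missing_play": missing_play_components(installed),
            # With the Apps client present, sandboxed Google Play can be
            # installed into the profile from there (the partial fix above).
            "apps_app_present": APPS_APP in installed,
        }
    return report


# --- constructed sample captures -------------------------------------------
LOGCAT = """\
02-03 23:37:11.372 17714 17781 W GooglePlayServicesUtil: com.microsoft.windowsintune.companyportal requires the Google Play Store, but it is missing.
02-03 23:37:11.378 17714 17714 I ApkUtils: Checking signature for package com.microsoft.windowsintune.companyportal with signing cert(s) [<cert>].
02-03 23:37:11.422 17714 17781 W FA      : Service invalid
"""
PM_LIST_USERS = """\
Users:
\tUserInfo{0:Owner:c13} running
\tUserInfo{10:Work profile:1030} running
"""
PM_LIST_PACKAGES = {
    10: """\
package:com.microsoft.windowsintune.companyportal
package:app.grapheneos.apps
package:com.android.settings
""",
}

if __name__ == "__main__":
    r = diagnose(LOGCAT, PM_LIST_USERS, PM_LIST_PACKAGES)
    print("apps complaining about a missing Play Store:", ", ".join(r["complaining"]))
    for uid, info in r["profiles"].items():
        print(f"work profile user {uid}: missing {info['missing_play']}; "
              f"Apps client present: {info['apps_app_present']}")
```

On a real device, replace the three sample strings with the adb captures; the profile id printed by `pm list users` (10 in the sample) is the one to pass to `pm list packages --user`. A report that lists all three Play components as missing while the Apps client is present is exactly the state the comment describes: the profile was created, Intune or Intelligent Hub is in it, and sandboxed Google Play still has to be installed into that profile by hand.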

zarakik commented 1 year ago

Thanks for the detailed explanation!

girlbossceo commented 1 year ago

We can't realistically solve this unless we have a sandbox of Intune or some other MDM provider to attempt to add unprivileged support for stuff like this. A UserManager bypass for Play Store can be considered but would have to be done super carefully and we won't really track that here + super low priority.

tropisch commented 1 year ago

What exactly did you do with the information from "I've partially solved this issue with https://github.com/GrapheneOS/platform_frameworks_base/commit/e5856762e6492fc015859de10b80bf26f9e60239"? I have no idea where to put the code from that link.

fancybear-dev commented 1 year ago

@girlbossceo Do you have any pointers on how to implement such a feature (a UserManager bypass for Play Store) in line with GOS principles? Or how I could potentially solve this issue by building my own images (perhaps I could add my own apps into the GOS Apps app)? I'm currently exactly in this position. I've been able to successfully set up a work profile using Intune Company Portal, and it's fully compliant in Azure as well. However, I'm unable to actually use it, as the Play Store is not allowed to install any applications. This is because only the Apps app from GOS is seen as a first-party source, as you shared, and Azure enforces that only first-party sources may install apps whilst it tries to use Play Store.

devmsv commented 8 months ago

> This is an issue I've personally encountered with my company that uses VMware One Intelligent Hub (Airwatch).
>
> Work profiles that depend on Google Play will normally have GSF, GMS, and Play Store automatically installed upon the creation of the work profile like it does on stock OS. Work profiles can't access Google Play from the user profile it's in. Since Google Play apps are not considered components that get automatically installed in the work profile, apps like Intune and Intelligent Hub don't handle a situation where those components are unavailable.
>
> I've partially solved this issue with GrapheneOS/platform_frameworks_base@e585676 which allows GrapheneOS Apps app to be added to all work profile creations by default, so you can install sandboxed Google Play once the work profile gets created then finish the (unfortunately, likely broken and half baked) installation of your work profile.
>
> This still doesn't work 100% because the MDM app will likely place restrictions on what apps you can install. Play Store on stock OS is considered a trusted first party source, but on GrapheneOS only the Apps app is a trusted first party source. Play Store on GrapheneOS is a third party source, so even if your work profile gets created and you can install sandboxed Google Play, the MDM app nor you will be able to install your company apps like Duo (MFA), Okta, Microsoft Teams and Outlook, GlobalProtect, VMware Tunnel, etc.
>
> MDM stuff on GrapheneOS is a really complex situation to tackle when we don't want to create special case bypasses for sandboxed Google Play like it does on stock OS, and when we don't have a testing or sandboxed environment to start attempting to add support for MDM that would mimic a production environment.

Would it be possible to add Google Play and Play services to the list of apps that get copied to the work profile? I think that would allow Intune to finish configuration of the work profile, as mentioned here.