Closed derflasher closed 2 years ago
Does anybody else face the same issue?
Yes, same problem here: Galaxy Note 10+, LOS 19.0. AFWall+ from F-Droid doesn't detect any "work profile" apps with "Dual App Support", but the old trick with setting a custom script still functions.
How does that work with the custom script for work apps?
> How does that work with the custom script for work apps?
https://github.com/ukanth/afwall/issues/869 You can find the instruction there. It's a workaround from the time of very limited work profile support.
Thank you very much. I finally got my custom script working.
Sometimes I get a popup message at the bottom of the screen "error applying rules" followed by a success message. Does anybody know why or has the same problem?
> Thank you very much. I finally got my custom script working.
> Sometimes I get a popup message at the bottom of the screen "error applying rules" followed by a success message. Does anybody know why or has the same problem?
Would you mind sharing your script with me, please? Thanks
Same here. Could someone share the script while we wait for an update of AFWall?
Sure, here's my script. Hope that helps you.
```sh
# Necessary at the beginning of each script!
OEM_SCRIPT_PATH=/storage/emulated/0/scripts/WhitelistApps.sh
IP4TABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables

# IDs of all started Android users (main profile and work profiles)
USERIDS=$(dumpsys activity | grep -E "(mStartedUserArray: \[)(.*)(\])" | grep -Eo '[0-9]+')

# Whitelist by adding appname and | for separation 'app1|app2|app3' etc.
# MYLIST is used as an extended regex against the output of `pm list packages -U`.

# These apps have access to WiFi and cellular data
MYLIST='this.app'
for USERID in $USERIDS; do
  # WHITELIST holds the per-user UIDs (third ':'-separated field) of the matching packages
  WHITELIST=$(pm list packages -U --user "$USERID" | grep -E "$MYLIST" | cut -f 3 -d ':')
  for APPID in $WHITELIST; do
    # echo "Allowing traffic for UserID: $USERID, AppID: $APPID"
    $IP4TABLES -A afwall-3g-home -m owner --uid-owner "$APPID" -j RETURN || exit
    $IP4TABLES -A afwall-wifi-wan -m owner --uid-owner "$APPID" -j RETURN || exit
    $IP6TABLES -A afwall-3g-home -m owner --uid-owner "$APPID" -j RETURN || exit
    $IP6TABLES -A afwall-wifi-wan -m owner --uid-owner "$APPID" -j RETURN || exit
  done
done

# These apps have access to WiFi-only
MYLIST='my.app'
for USERID in $USERIDS; do
  WHITELIST=$(pm list packages -U --user "$USERID" | grep -E "$MYLIST" | cut -f 3 -d ':')
  for APPID in $WHITELIST; do
    # echo "Allowing traffic for UserID: $USERID, AppID: $APPID"
    $IP4TABLES -A afwall-wifi-wan -m owner --uid-owner "$APPID" -j RETURN || exit
    $IP6TABLES -A afwall-wifi-wan -m owner --uid-owner "$APPID" -j RETURN || exit
  done
done

# These apps have access to local-WiFi-only
MYLIST='your.app'
for USERID in $USERIDS; do
  WHITELIST=$(pm list packages -U --user "$USERID" | grep -E "$MYLIST" | cut -f 3 -d ':')
  for APPID in $WHITELIST; do
    # echo "Allowing traffic for UserID: $USERID, AppID: $APPID"
    $IP4TABLES -A afwall-wifi-lan -m owner --uid-owner "$APPID" -j RETURN || exit
    $IP6TABLES -A afwall-wifi-lan -m owner --uid-owner "$APPID" -j RETURN || exit
  done
done
```
Another way could be cloning the AFWall application to work profile(s) and have the main (UID 0) app apply rules from them, like so:
```sh
IPTABLES="$(command -v iptables)"
IP6TABLES="$(command -v ip6tables)"
for uid in $(dumpsys activity | grep mStartedUserArray: | grep -Eo '[0-9, ]+' | sed 's/, / /g'); do
  [ "${uid}" != "0" ] || continue
  # reads from separate app config directly (you can simply save rules in profile app, without applying)
  for chain in LAN,wifi-lan Wifi,wifi-wan 3G,3g-home Roaming,3g-roam VPN,vpn Tether,tether; do
    for appid in $(grep "AllowedPKG${chain%,*}_UIDS" "$(magisk --path)/.magisk/mirror/data/user/${uid}/dev.ukanth.ufirewall/shared_prefs/AFWallPrefs.xml" | grep -Eo '[0-9|-]*' | sed 's/|/ /g'); do
      for cmd in "${IPTABLES}" "${IP6TABLES}"; do
        until "${cmd}" -C "afwall-${chain#*,}" -m owner --uid-owner "${appid}" -j RETURN; do
          "${cmd}" -A "afwall-${chain#*,}" -m owner --uid-owner "${appid}" -j RETURN
        done
      done
    done
  done
  # tor chain behaves differently
  for appid in $(grep 'AllowedPKGTOR_UIDS' "$(magisk --path)/.magisk/mirror/data/user/${uid}/dev.ukanth.ufirewall/shared_prefs/AFWallPrefs.xml" | grep -Eo '[0-9|-]*' | sed 's/|/ /g'); do
    until "${IPTABLES}" -t nat -C afwall-tor-check -m owner --uid-owner "${appid}" -j afwall-tor-filter; do
      "${IPTABLES}" -t nat -A afwall-tor-check -m owner --uid-owner "${appid}" -j afwall-tor-filter
    done
    until "${IP6TABLES}" -C afwall-tor-reject -m owner --uid-owner "${appid}" -j afwall-reject; do
      "${IP6TABLES}" -A afwall-tor-reject -m owner --uid-owner "${appid}" -j afwall-reject
    done
  done
done
```
I had to make a small change to @zer0def's clever script above to get it to work on a somewhat recent Samsung. grep wasn't matching any uids from the AFWallPrefs.xml file(s), so I altered the grep, sed regex search a bit.
diff:
8c8
< for appid in $(grep "AllowedPKG${chain%,*}_UIDS" "$(magisk --path)/.magisk/mirror/data/user/${uid}/dev.ukanth.ufirewall/shared_prefs/AFWallPrefs.xml" | grep -Eo '[0-9|-]*' | sed 's/|/ /g'); do
---
> for appid in $(grep "AllowedPKG${chain%,*}_UIDS" "$(magisk --path)/.magisk/mirror/data/user/${uid}/dev.ukanth.ufirewall/shared_prefs/AFWallPrefs.xml" | grep -Eo '[0-9]+[|,<]' | sed 's/|/ /g; s/</ /g'); do
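Review bot: the new class `[|,<]` on line 8 accepts a trailing `,`, but the `sed 's/|/ /g; s/</ /g'` that follows only strips `|` and `<`, so a comma-terminated entry would reach `--uid-owner` as `NNN,`; either add `s/,/ /g` or drop `,` from the class. The pattern also no longer allows `-`, which the old class `[0-9|-]` did, so a `-`-prefixed entry would now be matched by its digits alone and applied as a positive uid. The tor loop further down in the script still uses the old `[0-9|-]*` pattern and likely needs the same change.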
The script with these modifications becomes:
```sh
IPTABLES="$(command -v iptables)"
IP6TABLES="$(command -v ip6tables)"
for uid in $(dumpsys activity | grep mStartedUserArray: | grep -Eo '[0-9, ]+' | sed 's/, / /g'); do
  [ "${uid}" != "0" ] || continue
  # reads from separate app config directly (you can simply save rules in profile app, without applying)
  for chain in LAN,wifi-lan Wifi,wifi-wan 3G,3g-home Roaming,3g-roam VPN,vpn Tether,tether; do
    for appid in $(grep "AllowedPKG${chain%,*}_UIDS" "$(magisk --path)/.magisk/mirror/data/user/${uid}/dev.ukanth.ufirewall/shared_prefs/AFWallPrefs.xml" | grep -Eo '[0-9]+[|,<]' | sed 's/|/ /g; s/</ /g'); do
      for cmd in "${IPTABLES}" "${IP6TABLES}"; do
        until "${cmd}" -C "afwall-${chain#*,}" -m owner --uid-owner "${appid}" -j RETURN; do
          "${cmd}" -A "afwall-${chain#*,}" -m owner --uid-owner "${appid}" -j RETURN
        done
      done
    done
  done
  # tor chain behaves differently
  for appid in $(grep 'AllowedPKGTOR_UIDS' "$(magisk --path)/.magisk/mirror/data/user/${uid}/dev.ukanth.ufirewall/shared_prefs/AFWallPrefs.xml" | grep -Eo '[0-9|-]*' | sed 's/|/ /g'); do
    until "${IPTABLES}" -t nat -C afwall-tor-check -m owner --uid-owner "${appid}" -j afwall-tor-filter; do
      "${IPTABLES}" -t nat -A afwall-tor-check -m owner --uid-owner "${appid}" -j afwall-tor-filter
    done
    until "${IP6TABLES}" -C afwall-tor-reject -m owner --uid-owner "${appid}" -j afwall-reject; do
      "${IP6TABLES}" -A afwall-tor-reject -m owner --uid-owner "${appid}" -j afwall-reject
    done
  done
done
```
Note: Even with the modification, I couldn't get it to work by pasting it directly in the custom_scripts text field in the app (AFWall's shell errors out). Instead, save it in a file, say multi-user.apply.afwall.sh, and then in the custom_scripts text field, simply source it.

```sh
source /path/to/multi-user.apply.afwall.sh
```
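An added example, not part of the original comments or of AFWall+: a stricter way to pull UIDs out of a prefs entry than the two grep/sed variants above, written as a dry run that only prints the iptables commands. The XML sample and the function names (`extract_uids`, `emit_rules`, `plan`) are constructed for illustration, and the real AFWallPrefs.xml layout is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread). SAMPLE_PREFS is CONSTRUCTED; the
# real AFWallPrefs.xml layout is assumed, not confirmed by the page.
SAMPLE_PREFS='<map>
    <string name="AllowedPKGWifi_UIDS">1010123|1010456|-10</string>
    <string name="AllowedPKG3G_UIDS">1010123,1010789</string>
    <string name="AllowedPKGLAN_UIDS"></string>
</map>'

# extract_uids KEY   (prefs XML on stdin) -> one uid per line
extract_uids() {
    # 1. Keep only the element body, so the "3" in "AllowedPKG3G_UIDS"
    #    (or any other digit on the line) is never taken for a uid.
    # 2. Split on both separators the thread's patterns allow: '|' and ','.
    # 3. Accept a token only if it is all digits; "-10" is dropped whole
    #    rather than truncated to uid 10.
    sed -n "s/.*name=\"AllowedPKG${1}_UIDS\">\([^<]*\)<.*/\1/p" |
        tr '|,' '\n\n' |
        grep -Ex '[0-9]+' || true   # an empty list is not an error
}

# emit_rules CHAIN   (uids on stdin)
# Dry run: prints the commands instead of executing them. Each rule is
# checked once with -C and appended only when absent.
emit_rules() {
    while IFS= read -r uid; do
        for cmd in iptables ip6tables; do
            rule="afwall-$1 -m owner --uid-owner $uid -j RETURN"
            printf '%s -C %s 2>/dev/null || %s -A %s\n' \
                "$cmd" "$rule" "$cmd" "$rule"
        done
    done
}

# plan KEY CHAIN: commands that would be issued for one prefs key
plan() {
    printf '%s\n' "$SAMPLE_PREFS" | extract_uids "$1" | emit_rules "$2"
}

plan Wifi wifi-wan   # two uids, -10 skipped
plan 3G 3g-home      # comma-separated list
plan LAN wifi-lan    # empty list: prints nothing
```

Reviewing the printed commands before letting a custom script execute them shows exactly which UID lands in which chain.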
Hi there, I made the big mistake of updating to Android 12 too fast, and I now have to fix all my apps and settings that give me trouble on my OnePlus 8 Pro with OOS 12. That includes AFWall+. I am having the same issue with work profile apps not being able to access internet. I saw several technical suggestions in several threads about this issue but no update so far :(
Yesterday, I thought I had found a solution by installing AFWall to the work profile and allowing apps specific to work profiles, but my noob brain didn't think that rules applied in the work profile would override the rules from the main profile. This results in the apps being able to access internet only on the profile where I last applied the AFWall rules, meaning I cannot use both at the same time. Interestingly, when I enable AFWall in the main profile, I still receive emails on Outlook and calls on my SIP app, but I cannot reply, send emails out or take the calls.
For the time being, I tried to follow the recommendation above by using the last modified script multi-user.apply.afwall (which I named multiuser-afwall to make it quicker to type) in order to apply rules from AFWall in my work profile, but then I get an error while applying iptables rules.
Did I miss something? I simply copied the script above and pasted it into a file named multiuser-afwall.sh, then I set a custom script ". /storage/emulated/scripts/multiuser-afwall.sh" but this doesn't work.
Was I supposed to modify/add something in the script? I am a total noob at coding, so I may have missed something. Is there any other alternative to get my work profile apps to access internet (I just have 4-5 apps, nothing much)?
Any help would be very appreciated while waiting for an update of AFWall.
Thank you
I abandoned the working profile on A12. I prefer to clone my app with Clone App https://forum.xda-developers.com/t/app-4-0-clone-app-multi-account-fake-gps-location-free-premium-code-2022-4-18update.4134925/ . They are visible on AF+ and I'm able to restrict them. Also I'm using Storage isolation ...
> Did I miss something? I simply copied the script above and pasted it into a file named multiuser-afwall.sh, then I set a custom script ". /storage/emulated/scripts/multiuser-afwall.sh" but this doesn't work. Was I supposed to modify/add something in the script? I am a total noob at coding, so I may have missed something. Is there any other alternative to get my work profile apps to access internet (I just have 4-5 apps, nothing much)?
You may check the path to the script. In my case it's a ZERO after /storage/emulated/ -> /storage/emulated/0/scripts/multiuser-afwall.sh.
Thanks for your replies. Unfortunately, CloneApp would not really be a good option in my case...
Mine is also zero
Any other idea?
> Any other idea?
Or Insular, if you require any sort of GSF in your work profile: https://f-droid.org/en/packages/com.oasisfeng.island.fdroid/
Latest compiled APK (BETA2) Removed Link. Use latest version from Playstore/F-Droid
Hello,
Thanks for the different comments and suggestions.
I tried the 3.5.3 beta2 version, unfortunately it didn't recognize my donate version and I couldn't use the import settings. I still checked how this version would work with the personal and work profile. I can see the apps from the personal profile listed twice, the first line would show "normally" while the second line would show with (M) after the app name. This reminds me of a previous OnePlus smartphone under Android 8 or 9 with "Parallel apps" (a feature from OOS that creates a profile to use 2 instances of some compatible apps). Unfortunately, I still couldn't see the apps from the work profile on my Android 12 with AFWall 3.5.3 beta2 :( So I restored a backup of my AFWall 3.5.2 with all the settings and I am now back to square one.
The script didn't work, is there any way to check what's wrong and/or what could possibly be adjusted in order to make it work? Or is there any other script that would work for the few apps I need to give internet access in my work profile?
Alternatively, are there any other firewall apps that work with Android 12 with work profiles? This situation is really giving me a hard time...
Thank you
For me the latest afwall version 3.5.3 from FDroid works on Android 12.
Use latest version 3.5.3 for Android 12 work profile.
I was using the Android 12 Beta and am now using the first initial release of Android 12 on Google Pixel 4. In both ROMs the apps from my work profile are hidden, even with the box checked in settings -> Experimental -> Dual App Support. I use Shelter from F-Droid to set up my work profile.