Hello Guys! I wanted to ask that is there any solution for getting rid of this "Device is not Certified" without/with root? I have flashed Phusson's GSI and then GApps Micro but the first error j get is that on Setup screen, it sticks on Checking for Update no matter how much time I give it to check(Problem 1). The second problem is that I have sent the Android device ID (or whatever) used to certify the device but if no avail. It's still saying not Certified. I can spoof it by Magisk, that it is Certified by a module ummm... I forgot it's name(but it's not PlayStore Visa for sure) but still I can't use Google Play services in my device. Whenever I use an app that requires so, it gives an error that "Google Play Services is having trouble .....". What can I do to resolve this issue and use Google Play Services?
SafetyNet vs. Full Block
This seems to be a chronic problem for GSIs, but there are really two distinct levels of hell here:
Google Play Store -> Settings -> Play Protect certification reads "Device is not certified" and apps requiring SafetyNet won't work
Google Play Services completely blocks your device, and a barrage of noisy alerts are generated as soon as you attempt to log in
Many users won't even notice the first limitation, but the second blocks the setup wizard and makes the device effectively unusable until you register the GSF in on Google's registration page. But can anyone tell me why some custom ROMs trigger the second behavior and others don't?
As a custom ROM developer, some of my builds (usually the ones based on GSIs with an OEM vendor partition) have required device registration to be usable, and I'd really like to avoid that. I've tried spoofing known-good build fingerprints like some Magisk modules, but that hasn't worked so far. Has anyone found a decent workaround?
Or even better, can custom ROM developers just register our build fingerprints with Google? (I realize that this still won't satisfy SafetyNet, but it would allow custom ROM developers to go legit.)
It will never show up as certified if the build is not signed (or signed with public keys), and selinux is disabled. If that's not the case, you can try setting BUILD_SIGNATURE prop from latest OEM stable build and match your device.
baunilla said:
It will never show up as certified if the build is not signed (or signed with public keys), and selinux is disabled.
Click to expand...
Click to collapse
I'm not really interested in getting a "Device is certified" message (a.k.a. SafetyNet certification) with custom ROM development, since having the bootloader unlocked is going to cause it to fail anyway.
One thing I've noticed that seems to cause Google Play Services to block any login is when the GSI is signed with test keys and the OEM vendor partition is signed with release keys. Considering that we probably don't have the OEM's private release keys, is there any way to re-sign the vendor partition with test keys?
And interestingly enough, apps like Netflix are actually more likely to work if selinx is set to permissive. I've used that workaround on my custom ROMs before.
this is a very important topic, it is strange that it attracts so little attention.
One thing that I have discovered is that running "adb shell su 0 /system/bin/phh-securize.sh" to disable root on GSI AOSP builds by @phhusson will copy the required properties to look like stock ROM. This makes Play Protect play nice and you no longer have to register your GSF ID to stop the constant barrage of alerts.
I haven't had the time to figure out how he does it, but his source is shared on GitHub.
Related
Hi all.
I've tried to set up my work profile on lineageos and here is what i came up to:
The process is as follows:
1. I got a gemini (Xiaomi Mi5) device with latest LineageOS nightly and opengapps installed before first boot.
2. To set up a work profile, my organization uses Mobicontrol from SOTI.
3. After authorization in Mobicontrol and creating work profile on device (which goes without issues, i.e. i get second settings app, files, phone, etc with a suitcase icon), i must add Google account to my work profile and here i get stuck.
As i can see, there is no Play Market/Services app with a suitcase icon, thus, no Play Services available in work profile and thus, I am unable to complete my work profile creation.
I guess, the issue is somewhere between opengapps and lineage as play services are not included when work profile gets generated.
Looks like opengapps are not counted as a system (or built-in) application.
Is there any workaround to include gapps to work profile?
I have this same issue. My work uses MobileIron to setup the Work profile. It tries to set it up, but fails complaining that 'Google Play services aren't available', which I believe is the same failure mechanism observed here.
Any updates?
Hi everyone,
Iam running my G981B with Android 11 and One UI 3.1.
- I debloated it using the following post Ultimate Debloat S20.
- I reinstalled "com.samsung.android.knox.containercore" and "com.android.managedprovisioning"
When I try to setup Shelter I get the message "Device cannot be setup. If you need assistance please contact..."
When I try to setup Island I get the message "Setup of the work profile not possible. Security rules of your company..."
For Island there is the possibility to do a manual setup: Island Manual Setup
However, if I execute "pm create-user --profileOf 0 --managed Island" I get the most useless response "Error: couldn’t create User".
fw.max_users is set to 10...
Is that a common problem or do I just oversee anything else which I might have debloated and blocks the process right now ?
Thanks for any help !
Okay... obviously tripped knox prevents the device from creating a work profile.
Seriously...
So is there any viable workaround to get something like Shelter or Island running ?
I'll ask to move your thread to Q&A.
I kind of solved my problem by facilitating Samsungs' Dual Messenger functionality.
If dual messenger gets enabled it sets up a separate user profile which is used with a workprofile in order to run multiple messenger app instances.
The beauty is that you can use this to install any app within that profile using adb. So basically the feature is not limited to those few apps you can tick from the settings menu.
Credit goes to @VincentThacker who is describing the procedure here:
Add non-messenger apps to Samsung Dual Messenger?
So the creation of parallel workspaces is blocked in the Security Policy of 8.0, preventing multiple copies of the same app. However, Samsung's Dual Messenger still successfully copies apps it sees as messenger apps, and allows them to run just...
forum.xda-developers.com
One additional hint from my side:
- If you install aurora through ADB in the work profile all apps you install from this version of aurora automatically get installed on the work profile as well. So no need for installing apks through adb afterwards anymore.
flunkyball said:
Okay... obviously tripped knox prevents the device from creating a work profile.
Seriously...
Click to expand...
Click to collapse
Actually, it doesn't seem to be Knox related: If I setup the phone (Samsung S20) from scratch without FBE encryption (by flashing multidisabler), I can set up Island with the root way and/or by ADB.
If I set up the phone with encryption, Island can't be set up like described here.
gorthon said:
Actually, it doesn't seem to be Knox related: If I setup the phone (Samsung S20) from scratch without FBE encryption (by flashing multidisabler), I can set up Island with the root way and/or by ADB.
If I set up the phone with encryption, Island can't be set up like described here.
Click to expand...
Click to collapse
Good to know. However having the device unecrypted just to use Island is not an option. Currently Iam quite happy with facilitating Samsungs Dual Messenger functionality for it.
I published a script that can automatically resign GrapheneOS OTAs with your own keys, and also optionally apply a few modifications like enabling ADB root (without turning on ro.debuggable), ignoring allowbackup and changing the update URL.
You can use it if you like GrapheneOS (I think it's the Android OS with the best engineering, security and privacy), but would also like to have full control of your device, by controlling the verified boot keys of your device and applying modifications that make the OS do what you want regardless of what upstream OS developers, app developers, or anyone else might want.
Note that, on the other hand, GrapheneOS follows the Google Android security model which says that the OS will not perform an action you want it to perform if it may result in something that "application developers, content producers, service providers, and employers" do not consent to (which means not letting you have root, or ignore app wishes regarding backups and other settings, or send arbitrary responses to app requests, etc.), while this script will let you do what you want with your own device regardless of whether it's in anyone else's interest or not, including things that this script does not itself support since you control the verified boot keys of the device and can thus sign anything; all this while still taking advantage of all the security and privacy features in GrapheneOS, including verified boot.
You can find it at https://github.com/chriswoope/resign-android-image
Currently it's intended for people with good technical knowledge, although once you set it up (if you run Qubes a lot of steps are automated) it should continue working with no or minimal intervention.
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
For me it works without props config and with the latest version of MS Teams and the Intune portal app. Use Shamiko (latest), configure denylist but don't enable denylist in Magisk. Magisk is hidden (some banking app which I use checks the Magisk package name).
Guzzlor said:
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
Click to expand...
Click to collapse
This solve my problem with my bank app thank you so much...!!!
foobar66 said:
For me it works without props config and with the latest version of MS Teams and the Intune portal app. Use Shamiko (latest), configure denylist but don't enable denylist in Magisk. Magisk is hidden (some banking app which I use checks the Magisk package name).
Click to expand...
Click to collapse
I'm not sure what was wrong but simply doing those steps did not work for me. I had to start from scratch and that's why I wrote all this up.
Guzzlor said:
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
Click to expand...
Click to collapse
Awesome! This is the only method that worked for me after hours of struggling. Thank you!
Method is not working for me. Followed all steps
Not worked for me. Intune still detecting the root
Harshatxda said:
Not worked for me. Intune still detecting the root
Click to expand...
Click to collapse
Harshatxda said:
Method is not working for me. Followed all steps
Click to expand...
Click to collapse
This seems to be an ongoing evolving issue; especially in light of recent updates/events. There are many threads on the site here discussing it, although I've seen some that have been successful (but in various different device forums). The thread (linked below) seems to be fairly up-to-date recently updated that looks most promising...
[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk' (Update: Q1/2023)
Update 04.01.2023: I've updated/added additional steps to make this tutorial work again. This question was asked many times and often all the answers did not work: How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft...
forum.xda-developers.com
Rooted Pixel 6A, rooted and literally <24H out of box. All I did was:
1. Hide Magisk (obviously)
2. Enable Zygisk
3. Configure DenyList (every Microsoft app I saw)
4. Enforce DenyList
5. Reboot
Portal passes device health test, and Teams works like a charm. Both are installed straight from Play Store.
Hello
I installed the Marriott app this morning, and when I go to run it, i get that security message along the bottom third of the screen, and the app shuts down.
What is causing that?
It is detecting root/magisk.
Add Marriott to Zygisk hide list, then clear Marriott storage&cache, force close and reopen.
I downloaded the app and installed it to test. If you don't clear the app cache (and only force close and reopen) it will not work. You must clear that before opening again
Thank you App
I followed your instructions, but I still get that message.
Should I have rebooted after adding to the list??
nabril15 said:
Thank you App
I followed your instructions, but I still get that message.
Should I have rebooted after adding to the list??
Click to expand...
Click to collapse
No. That's not necessary. The following 3 steps is all you need
I cleared storage, force closed, and run it.
I get that initial welcome screen of the app, and before I can press on the SIGN IN button, it closes forcefully.
This happens no matter how many times I repeat the steps.
nabril15 said:
I cleared storage, force closed, and run it.
I get that initial welcome screen of the app, and before I can press on the SIGN IN button, it closes forcefully.
This happens no matter how many times I repeat the steps.
Click to expand...
Click to collapse
What magisk version and modules are you using?
Also, what Android/oos version are you using?
Do you have device certification in play store? Or what's your YASNAC result?
nabril15 said:
I cleared storage, force closed, and run it.
I get that initial welcome screen of the app, and before I can press on the SIGN IN button, it closes forcefully.
This happens no matter how many times I repeat the steps.
Click to expand...
Click to collapse
After some more poking around, that app detects everything. I attempted to monitor the https traffic to see what contacts are made at app-boot. It detects that I'm monitoring traffic. I attempted to use frida to bypass the ssl pinning so I can monitor traffic. It detects that I'm using frida. All of those cause a close condition.
This could mean, if it detects anything abnormal, you're gonna get force closed. The whole toast not showing up is annoying. You might be able to adjust your font/text size for the system in Accessibility, to see the full text.
If you have busybox or anything else you can think of that might be detected, try disabling them or any questionable modules like lsposed, restart, then see if you can open the app.
I looked inside the app and don't see some of the stuff as strings, and existing strings are already using some reflected values in another index. It appears to use some kind of library that is checking for root, certification, ssl certificate pins, frida, probably xposed and so on. Then retrieving the response from an api.
My thought was to repackage the apk without root checks for you but if they're doing that much for security, there's almost no chance I will be able to launch the app with self signing for the apk.
Having the full toast response would be helpful here
Wow App.. How detailed, you are.
Here are my modules plus Universal Safetynet fix. I'm running a13 f.17 build.
I'm not sure how to proceed. I installed it on my wife's phone and used it..
Here's a reddit thread with someone else fighting with the Marriott Bonvoy app.
old.reddit.com/r/Magisk/comments/yf8gyu/help_hotel_app_detecting_root/
Its quite ridiculous that a Hotel app is so restrictive and difficult.
I just (briefly) tried running the app inside Island, but still got the toast nags / close.
Interestingly I get one of two nags "you're on an unsecure network" or "we've detected magisk, etc)
I wish that I had twrp to blame, but I don't have it installed.
Hey there,
I did some looking at older versions of the app (apkpure has them). On my phone (Android 9, Magisk 23) the last version that will run (using MagiskHide with all the 3 boxes ticked for the marriott app), is 10.4.0.
Marriott Bonvoy™ 10.4.0 (Android 9.0+) APK Download by Marriott International - APKMirror
Marriott Bonvoy™ 10.4.0 (Android 9.0+) APK Download by Marriott International - APKMirror Free and safe Android APK downloads
www.apkmirror.com
Version 10.5.0 starts giving me nags.
(Sometimes it is just easier to use an older version of an app, than fighting to get the very latest to work!)
Mine is 10.13.1. not sure what got updated. I usually don't want to get stuck with old version, so I'll just use the website to make reservation and redemption. Yikes
I heard Magisk Delta by HuskyG could hide it from detection. Has anyone been brave enough to try? Well, I tried and it didn't work. I tried the whitelist mode by leaving Marriott out of the SuList and many other banking apps too. But it still detects root. Marriott app version 10.13.1. Older version say 10.12.0 and below should survive.