My company is now enforcing and managing BYOD with AirWatch. I'm trying to enrol my Magisk-rooted Pixel 2 XL. I've searched around XDA and other sites and I was able to enrol the phone when I use Magisk Hide to hide from the AirWatch agent, aka now the Intelligent Hub. It creates a Work profile and installed several work related apps. The only other app aside from Intelligent Hub I've tested so far is Boxer and it works for the few minutes during my test.
When I say Boxer works for a few minutes, that is because next I attempted to open Workspace One. As it loads, I'm guessing it checks other details about the phone, then it would popup a message saying Work apps and profile removing because the device is "compromised" and uninstall the work apps and Word profile.
I would like to use Magisk Hide and hide from Workspace One app, but Magisk Hide doesn't even list that and other apps in the Work profile. An admin at work checked the AirWatch server and it shows the device compromised detection with the status "Malicious file found - Check files in system or exec folder".
So my question is, outside of troubleshooting step by step from wiping phone and setting up each thing from scratch, anyone else have an insight on what else I can check?
FYI, these are the following setup I have on my phone
- Pixel 2 XL
- Rooted with latest version of Magisk and Manager
- Latest Pie 9.0 Aug 2019 Update
- Magisk Modules Installs: Busybox, Viper4Android
- Apps with Root Access: AdAway, BetterBatteryStats, Franco Kernel Manager, Material Terminal, Titanium Backup
s0l1dsn8k3 said:
My company is now enforcing and managing BYOD with AirWatch. I'm trying to enrol my Magisk-rooted Pixel 2 XL. I've searched around XDA and other sites and I was able to enrol the phone when I use Magisk Hide to hide from the AirWatch agent, aka now the Intelligent Hub. It creates a Work profile and installed several work related apps. The only other app aside from Intelligent Hub I've tested so far is Boxer and it works for the few minutes during my test.
When I say Boxer works for a few minutes, that is because next I attempted to open Workspace One. As it loads, I'm guessing it checks other details about the phone, then it would popup a message saying Work apps and profile removing because the device is "compromised" and uninstall the work apps and Word profile.
I would like to use Magisk Hide and hide from Workspace One app, but Magisk Hide doesn't even list that and other apps in the Work profile. An admin at work checked the AirWatch server and it shows the device compromised detection with the status "Malicious file found - Check files in system or exec folder".
So my question is, outside of troubleshooting step by step from wiping phone and setting up each thing from scratch, anyone else have an insight on what else I can check?
FYI, these are the following setup I have on my phone
- Pixel 2 XL
- Rooted with latest version of Magisk and Manager
- Latest Pie 9.0 Aug 2019 Update
- Magisk Modules Installs: Busybox, Viper4Android
- Apps with Root Access: AdAway, BetterBatteryStats, Franco Kernel Manager, Material Terminal, Titanium Backup
Click to expand...
Click to collapse
The following works but I am not sure if all the steps are crucial and which ones may be superfluous. Those instructions in (parentheses) may be not necessary).
I am not a programmer (Basic on a C-64 doesn't count, I take it), don't know anything about computer architectures etc., just able to follow instructions and wrap my mind around them to tweak my devices.
The main part is to "Hide Magisk Manager" after Boxer is installed (but before it is opened/setup) as that also creates another Magisk app (instance?) with the new name for the work profile where Boxer etc. show up and can be hidden with Magisk Hide.
The other (first) part is to hide anything that would alert and conflict with Hub before or during setting up the work profile - I pretty much hid everything under Magisk Hide...
I don't know BYOD nor Workspace One, so the solution below may not work.
- uninstall Hub (that's the only app remaining after the auto-uninstall, right?)
- if Magisk Manager is already hidden: go to Settings\Restore Magisk Manager "with original package and app names" - that seems to be important, as hiding it later and with another name will then also create a Work Profile where one can see and click and hide the work profile apps such as Boxer (not sure if it works the other way around, i.e. starting off hidden with a different name and then later restoring to original will create a Magisk work profile)
- Magisk Hide: click almost every system app, not just the Google ones, but almost everything, camera, calendar, contacts etc. and your phone maker's versions as well (not sure what is necessary, but only Google system apps didn't seem to do it...), also all root and SU related apps like BusyBox etc. (not sure what Hub looks for)
(- System\Apps > clear storage data for Google Play Store and other Play Apps, also make sure Hub is really uninstalled. If not or having problems at least clear data storage as well)
- reboot (can also go into TWRP and wipe cache/Dalvik, not sure if necessary)
- install Hub, don't open it
- open Magisk, go to Magisk Hide: click Hub
(- close Magisk)
(- reboot)
- open Hub, let setup run its course creating the work profile
- if there are conflicts showing in Hub (and/or on your employer's MDM website for your device), e.g. root certificate not installed, don't install any apps yet such as Boxer etc. and reboot instead
- Are those conflicts resolved after reboot?
- install Boxer and other apps (trough Hub itself, MDM website push (or Google Play)) but don't open/start them
(- reboot)
- open Magisk, go to Settings\Hide Magisk Manager and click on it, pick a name and confirm: this will then change the name of Magisk AND create a another Magisk app (with the new name) for the work profile.
- open that new Magisk work profile and go to Magisk Hide: click Boxer (and other apps controlled by Hub); Hub itself and everything already hidden in the private (= non-work) profile Magisk app should show up here as already hidden. Double and triple check.
(- reboot)
- open Boxer and start set-up
That's it. Stable, even after another reboot.
Did this solution work for you @s0l1dsn8k3?
I am in a similar boat. @s0l1dsn8k3 please let me know if you found an alternate solution.
I am in a similar boat. @s0l1dsn8k3 please let me know if you found an alternate solution.
Tab S4 stock cleanup actions
phablet guide fest continues V30->Note9->6T->Mi9->S10->7T->Tab S6->Tab S4, time to provide some thoughts, easy to click links and guides. Goal is to have a clean device after each update, and have a helper script running at boot or on demand. This is a tablet, we want to achieve flat battery graphs when it is unused (picture attached), hopefully charge once a week with slight usage.
Debloat
What the script does:
* choose 8 categories of app removal, in the beginning of the file
for each say 0=skip 1=remove 2=revert back
* use more switch to disable some questionable/helpful stuff
* disable up to 80 apps with possibility to revert back
* remove usage access for google (do manually)
* remove device admin backdoor "Find My Mobile", you won't recover stolen device this way lol, it doesn't work with Secure Startup! it's useful for Govt.
* remove proca (which was slowing down tablet after rooting), if it doesn't work from your shell, edit the file as below
Tested ok on March stock Pie firmware. Samsung has too much bloatware installed, and requires shocking permissions to run some basic services. We will further need to reclaim privacy. As for debloat list, i've cooked the list based on knowledge of each process, its current presence in the Pie firmware, and what would fit the tablet usage. In this case, i'm leaving Samsung account, Galaxy shop and few pen apps and we assume XPrivacy is sending these snitch services bogus personal details.
Download: (file attached)
Installation:
- run in su terminal once or add to any startup script (3C\Device mgr\Scheduler can assign scripts from /storage/emulated/0/Android/data/ccc71.at/scripts), or to magisk
Rooting
We want encryption. There are no ROMs, and TWRP can be used for many other tasks without access to your files.
OEM unlock in dev settings
when turned off and rather plugged it to your PC with drivers installed, hold Power & Vol+ & Vol- til you see download screen, confirm with Vol+
in ODIN, slap TWRP into AP while "Auto reboot" is unchecked
hold Power & Vol- to exit download mode, then Power & Vol+ to enter recovery
in TWRP, slap kernel and Magisk into tablet from SD card or USB (can be usb flash, can be other mobile, can be adb)
in TWRP, say boot to system and wait 5min
check Magisk app status, enable USB debugging in dev settings
kernel: WETA recovery: TWRP 3.3.1 for PIE SM-T83x
watch kernel log for 20sec
Code:
dmesg -Tw|grep proca
if proca messages appear open /vendor/etc/init/pa_daemon_qsee.rc and comment the lines
You should enable "Secure startup" in "Biometrics and security" settings. Recovery should fail reading encrypted drive sda27 because of its crypto flags and logical mapping.
Which plugins to use
Similarly to Mi9, collecting what i think is useful to keep on stock rooted firmware.
Magisk plugins:
* Riru - Core, Riru - Ed Exposed -- brings XPosed to Pie. Need also installer. Make a choice SandHook/Yahfa bipolar release, i never found out which one is better.
* libsecure_storage companion -- helps us keep the bluetooth pairings
* (optional) YouTube Vanced black themed -- brings usable YouTube experience. Unfortunately it's now a horror to install (v15), but v14 from Magisk still works.
* (optional) Move certificates -- perhaps
* (impossible) QuickSwitch -- there's no pill but Samsung custom recents... oh how glad i am for it now! Android10 cancelled this fantastic Pie pill already and you can scroll apps in OneUI!
XPosed plugins:
* Xposed Edge Pro -- a must have and best plugin
* XPrivacy -- Screw the big brother. Must have of the century. Disabling analytics, tracking, telephony, network, identification for all visible apps and all Google and Samsung apps with some exceptions.
* Firefds kit -- so this is our main customization app irrelevant here: ..and enables the very important call recording, which is beutifully integrated into call history. Bye bye external apps. Also for Samsungs it forces Restart "recovery"
* (optional) Xposed Dex -- some tweaks
* (optional) afWall -- Problems with this firewall and some VPN clients for years. Using AdGuard now and happy. It can even control DNS, no need one of those paid lausy apps. This plugin should by disabled in Xposed.
* (optional) Exi for Swiftkey -- you can make Swiftkey great again, GBoard is still the best, Samsung keyboard is very good, but too tall and leaves gap in fullscreen mode
Root apps:
* TitaniumBackup -- a must since Android was born
* Adaway -- a must but with AdGuard not so.. but i use both
* AdGuard -- can filter more and can amend requests.. that's a game changer. You can have a efficient proxy when rooted.
* 3C toolbox -- too helpful not to pay for the biggest package
* (optional) Root Essentials -- a multitool, have a look
* (optional) MiXplorer -- best file manager, replaces spyware ES File explorer you had before. Edits root files comfortably even when other editors don't
* (optional) FolderSync -- best sync tool
Battery
Battery saving:
- tablet should not be neccessarily always connected, receive notifications, so why not keep it dead when the screen is off
- the key is to disable background network activity:
disable it overall by Medium Power Saving mode
disable background network for individual apps (there's "Allow background data usage" and also nice "Allow background activity" checkbox)
force it with 3C (Device Mgr\Profiler) or Adguard (App Management)
- can't see wifi switch.. to turn wifi off when screen off. no wifi scanning drainer or other "intelligent" bs functions there either. just "Hotspot 2" - turn off.
- nearby scanning should be off, what a useless function of finding unknown devices - once you pair the known, what's the sense? or you keep connection 10 new bt devices each week? just a drain and endless beacon
- location can be off, and again it can be scripted by turning on only when screen is on by 3C
- not installing {LSpeed, Naptime, Servicely, FDE, LKT, Universal GMS Doze, Sysconfig patcher} here
- no signifficant doze functions here {AOD, fp icon, dt2wake, raise2wake} to speak off
- we want battery to remain flat when screen off, last tablet i had could do -1% per week! let's do it here
Other
- i like tender boot screen indicating knox off status, no need to flash boot logos
- no boot keys needed like on Tab s6
- not using multidisabler as i'm on stock and i do want encryption on every device ever
- how to launch camera quickly?? still dind't find out
- don't be afraid to use another device (mobile) as USB drive.. this way you can restore your apps directly via TitaniumBackup without copying it first! also Smart Switch can be used from non-Samsung phones, but it is as weak as Google backup ever was - no data restore
What do you do to run this exactly?
copy the file to storage. open su terminal. Get any root terminal app (ConnectBot, 3C Toolbox, or adb shell) and run as root. I run this script as autostart on each of my devices.
wifi_standby_test: first battery standby test: 37 hours to 91%, i've 'charging protection' so approx 93% that give us 0.19%/hr drain with wifi and bluetooth on. 10x less then a mobile (S10). Good start, nice 3 weeks of standby potential, but let's try medium power saving mode to squeeze it to over month of standby.
Will i loose my data while rooting? Im on Build number PPR1.180610.011.T835DDS4BSL2
doggydog2 said:
Tab S4 stock cleanup actions
phablet guide fest continues V30->Note9->6T->Mi9->S10->7T->Tab S6->Tab S4, time to provide some thoughts, easy to click links and guides. Goal is to have a clean device after each update, and have a helper script running at boot or on demand. This is a tablet, we want to achieve flat battery graphs when it is unused (picture attached), hopefully charge once a week with slight usage.
Debloat
What the script does:
* choose 8 categories of app removal, in the beginning of the file
for each say 0=skip 1=remove 2=revert back
* use more switch to disable some questionable/helpful stuff
* disable up to 80 apps with possibility to revert back
* remove usage access for google (do manually)
* remove device admin backdoor "Find My Mobile", you won't recover stolen device this way lol, it doesn't work with Secure Startup! it's useful for Govt.
* remove proca (which was slowing down tablet after rooting), if it doesn't work from your shell, edit the file as below
Tested ok on March stock Pie firmware. Samsung has too much bloatware installed, and requires shocking permissions to run some basic services. We will further need to reclaim privacy. As for debloat list, i've cooked the list based on knowledge of each process, its current presence in the Pie firmware, and what would fit the tablet usage. In this case, i'm leaving Samsung account, Galaxy shop and few pen apps and we assume XPrivacy is sending these snitch services bogus personal details.
Download: (file attached)
Installation:
- run in su terminal once or add to any startup script (3C\Device mgr\Scheduler can assign scripts from /storage/emulated/0/Android/data/ccc71.at/scripts), or to magisk
Rooting
We want encryption. There are no ROMs, and TWRP can be used for many other tasks without access to your files.
OEM unlock in dev settings
when turned off and rather plugged it to your PC with drivers installed, hold Power & Vol+ & Vol- til you see download screen, confirm with Vol+
in ODIN, slap TWRP into AP while "Auto reboot" is unchecked
hold Power & Vol- to exit download mode, then Power & Vol+ to enter recovery
in TWRP, slap kernel and Magisk into tablet from SD card or USB (can be usb flash, can be other mobile, can be adb)
in TWRP, say boot to system and wait 5min
check Magisk app status, enable USB debugging in dev settings
kernel: WETA recovery: TWRP 3.3.1 for PIE SM-T83x
watch kernel log for 20sec
Code:
dmesg -Tw|grep proca
if proca messages appear open /vendor/etc/init/pa_daemon_qsee.rc and comment the lines
You should enable "Secure startup" in "Biometrics and security" settings. Recovery should fail reading encrypted drive sda27 because of its crypto flags and logical mapping.
Which plugins to use
Similarly to Mi9, collecting what i think is useful to keep on stock rooted firmware.
Magisk plugins:
* Riru - Core, Riru - Ed Exposed -- brings XPosed to Pie. Need also installer. Make a choice SandHook/Yahfa bipolar release, i never found out which one is better.
* libsecure_storage companion -- helps us keep the bluetooth pairings
* (optional) YouTube Vanced black themed -- brings usable YouTube experience. Unfortunately it's now a horror to install (v15), but v14 from Magisk still works.
* (optional) Move certificates -- perhaps
* (impossible) QuickSwitch -- there's no pill but Samsung custom recents... oh how glad i am for it now! Android10 cancelled this fantastic Pie pill already and you can scroll apps in OneUI!
XPosed plugins:
* Xposed Edge Pro -- a must have and best plugin
* XPrivacy -- Screw the big brother. Must have of the century. Disabling analytics, tracking, telephony, network, identification for all visible apps and all Google and Samsung apps with some exceptions.
* Firefds kit -- so this is our main customization app irrelevant here: ..and enables the very important call recording, which is beutifully integrated into call history. Bye bye external apps. Also for Samsungs it forces Restart "recovery"
* (optional) Xposed Dex -- some tweaks
* (optional) afWall -- Problems with this firewall and some VPN clients for years. Using AdGuard now and happy. It can even control DNS, no need one of those paid lausy apps. This plugin should by disabled in Xposed.
* (optional) Exi for Swiftkey -- you can make Swiftkey great again, GBoard is still the best, Samsung keyboard is very good, but too tall and leaves gap in fullscreen mode
Root apps:
* TitaniumBackup -- a must since Android was born
* Adaway -- a must but with AdGuard not so.. but i use both
* AdGuard -- can filter more and can amend requests.. that's a game changer. You can have a efficient proxy when rooted.
* 3C toolbox -- too helpful not to pay for the biggest package
* (optional) Root Essentials -- a multitool, have a look
* (optional) MiXplorer -- best file manager, replaces spyware ES File explorer you had before. Edits root files comfortably even when other editors don't
* (optional) FolderSync -- best sync tool
Battery
Battery saving:
- tablet should not be neccessarily always connected, receive notifications, so why not keep it dead when the screen is off
- the key is to disable background network activity:
disable it overall by Medium Power Saving mode
disable background network for individual apps (there's "Allow background data usage" and also nice "Allow background activity" checkbox)
force it with 3C (Device Mgr\Profiler) or Adguard (App Management)
- can't see wifi switch.. to turn wifi off when screen off. no wifi scanning drainer or other "intelligent" bs functions there either. just "Hotspot 2" - turn off.
- nearby scanning should be off, what a useless function of finding unknown devices - once you pair the known, what's the sense? or you keep connection 10 new bt devices each week? just a drain and endless beacon
- location can be off, and again it can be scripted by turning on only when screen is on by 3C
- not installing {LSpeed, Naptime, Servicely, FDE, LKT, Universal GMS Doze, Sysconfig patcher} here
- no signifficant doze functions here {AOD, fp icon, dt2wake, raise2wake} to speak off
- we want battery to remain flat when screen off, last tablet i had could do -1% per week! let's do it here
Other
- i like tender boot screen indicating knox off status, no need to flash boot logos
- no boot keys needed like on Tab s6
- not using multidisabler as i'm on stock and i do want encryption on every device ever
- how to launch camera quickly?? still dind't find out
- don't be afraid to use another device (mobile) as USB drive.. this way you can restore your apps directly via TitaniumBackup without copying it first! also Smart Switch can be used from non-Samsung phones, but it is as weak as Google backup ever was - no data restore
Click to expand...
Click to collapse
Bro. Is it possible to do this without losing data?
mayank_nigam said:
Will i loose my data while rooting? Im on Build number PPR1.180610.011.T835DDS4BSL2
Click to expand...
Click to collapse
backup, try and let us know the reason why usual root methods wipe data is to remove encryption, we don't need that.
doggydog2 said:
backup, try and let us know the reason why usual root methods wipe data is to remove encryption, we don't need that.
Click to expand...
Click to collapse
So if we do it without turning oem unlock, will it work?
---------- Post added at 04:41 PM ---------- Previous post was at 04:26 PM ----------
doggydog2 said:
backup, try and let us know the reason why usual root methods wipe data is to remove encryption, we don't need that.
Click to expand...
Click to collapse
Any suggestions on backup method?
mayank_nigam said:
So if we do it without turning oem unlock, will it work?
Click to expand...
Click to collapse
ah i see... you need this checkbox unlocked to flash. this device will wipe itself if you just toggle the checkbox. so in the end, data will be wiped in transition from unrooted state.
and regarding backup, just conventional methods like google backup or deeper cable backup by Helium which can partially substitute TitaniumBackup on unrooted device.
How did you get Weta running on the March firmware when it isn't supported?
NM, I see you just used the kernel part.
Running this script did very little for me - no options were given, just a few packages disabled before it errored out
Thank you for the script! It made a great difference on my tab s4, I was able to enable back Chrome and Google.
My device was lagging before... Thanks again for the write up...
Any suggestions on installing apps to sd card? The option under dev options, to force install apps to sd card is not really good.
I just purchased a refurb Tab S4, it should be arriving over the weekend. The seller notes that the S4 is on Oreo.
I noticed references to Pie here. Should boot and I let the tablet update to the latest release from Samsung, and then root / debloat as described in this thread after the Pie update?
¿GotJazz? said:
I just purchased a refurb Tab S4, it should be arriving over the weekend. The seller notes that the S4 is on Oreo.
I noticed references to Pie here. Should boot and I let the tablet update to the latest release from Samsung, and then root / debloat as described in this thread after the Pie update?
Click to expand...
Click to collapse
My Tab S4 arrived today. Should I allow any updates from Samsung be installed before I run through the rooting process described here, or should I do the rooting before getting the Samsung updates?
¿GotJazz? said:
My Tab S4 arrived today. Should I allow any updates from Samsung be installed before I run through the rooting process described here, or should I do the rooting before getting the Samsung updates?
Click to expand...
Click to collapse
yes..why rooting an old version.. no OTAs later so you'd have to update manually again.
doggydog2 said:
yes..why rooting an old version.. no OTAs later so you'd have to update manually again.
Click to expand...
Click to collapse
Thanks!
But, as it turns out ... I won't be able to root or debloat anyways. I purchased a refurb Tab S4 that appears to be in excellent like-new shape, but it was also mislabeled on Amazon.
Instead of getting a SM-T830, I received a SM-T837T (T-Mobile version). I plan on getting it unlocked so that I can use it on AT&T, but from what I understand, it's unrootable.
Thanks, tho!
¿GJ?
doggydog2 said:
yes..why rooting an old version.. no OTAs later so you'd have to update manually again.
Click to expand...
Click to collapse
I was wondering about this. So there is no way to update once rooted, other than a full clean flash and start again?
ghoulie said:
I was wondering about this. So there is no way to update once rooted, other than a full clean flash and start again?
Click to expand...
Click to collapse
later use Frija to get new firmware and update. cleaning is only on first root as we can't avoid it when switching the OEM lock.
This thread is really one of the best thread for tab S4
Thanks for that
Sent from my SM-T830 using Tapatalk
Question, now that 10 is out will you update the OP, some things change.
I am not sure things like exposed can be update? Tried and get some reboot.
Proca not present and other things.
Thank you for your work
Sent from my SM-T830 using Tapatalk
Looks like it is not working anymore on Android 10:
https://forum.xda-developers.com/galaxy-tab-s4/development/rom-t4137013
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
For me it works without props config and with the latest version of MS Teams and the Intune portal app. Use Shamiko (latest), configure denylist but don't enable denylist in Magisk. Magisk is hidden (some banking app which I use checks the Magisk package name).
Guzzlor said:
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
Click to expand...
Click to collapse
This solve my problem with my bank app thank you so much...!!!
foobar66 said:
For me it works without props config and with the latest version of MS Teams and the Intune portal app. Use Shamiko (latest), configure denylist but don't enable denylist in Magisk. Magisk is hidden (some banking app which I use checks the Magisk package name).
Click to expand...
Click to collapse
I'm not sure what was wrong but simply doing those steps did not work for me. I had to start from scratch and that's why I wrote all this up.
Guzzlor said:
HI all. Keep in mind that I did my first root and install of Magisk this week for some gaming desires. I am a bit of a noob, but I had a blast learning about rooting. I was also encouraged because everything went pretty well and only took me around an hour.
Then I ran into a wall.
I use my Pixel 6 Pro to attend work meetings and track work form home or in my car. I had really grown to need this feature so I was a bit worried that I would have to reverse the root. So for the last 2-3 days I have been using trial and error and guides on how to hide banking apps. I saw so many threads that never resolved the teams issue or missed steps that I thought I would write up a detailed guide for what worked for me.
Keep in mind this is for Android 13 and a Google Pixel 6 Pro. This assumes you Rooted your phone and have latest Magisk installed as well.
Prep:
1. Go to Google Play Store settings and turn off automatic updating. I'm sure most people who use magisk do this anyway.
2. Go here https://en.uptodown.com/android/browsing and download older versions of Teams and Company portal. Not too old. You want something from just 2-3 months ago. If it is too old the phone won't let you install it but will put files on your phone that already know you're rooted.
3. Make sure you have the latest Universal Safty fix. You can run a scan to show if you meet the safety fix standard. Again I think the problem isn't safty fix so much as Company portal looks for an unlocked boot loader.
4. install Mgiskhide Props Config module and Android terminal from the play store. (You do this to put a legit looking device ID, or non unlocked bootloader ID - just encase your phone doesn't work, or has been previously detected). Its a simple process where you input some number options through android terminal to set the ID. Just follow the steps. AND MAKE SURE YOU DELETE TERMINAL AFTER YOU'RE DONE. They look for that.
GitHub - Magisk-Modules-Repo/MagiskHidePropsConf: This tool is now dead...
This tool is now dead... Contribute to Magisk-Modules-Repo/MagiskHidePropsConf development by creating an account on GitHub.
github.com
5. Use Magisk hide and rename Magisk to MYJOBSUCKS
Action:
1. install Shamiko https://github.com/LSPosed/LSPosed.github.io/releases/tag/shamiko-120
2. Reboot.
3. Make sure Zygisk is enabled.
4. Make sure Enforce Denylist is OFF (This seems nonsensical but Shamiko handles the enforcement now that it's installed. The Zygisk enforcement is a conflict.)
5. Go back and install Company portal and Teams. Don't do anything in either. Don't sign in. Don't configure. Don't open the apps.
6. Go back to Zygisk and open Configure Denylist. This, I feel, is the MOST important step that makes or breaks this process. Do the following in Denylist:
MAKE SURE YOU TOGGLE EVERYTHING not just the default hides. Each hide has a submenu and for sub processes to hide.
This is everything I had to deny to make it work:
Authenticator.
Carrier OMADM
Carrier provision service
Carrier services
Certificate installer
Com.andorid.angle
Companion device manager
device health service adaptor
device policy
Gpay
OemDMTrigger
Permission controller
TEAMS
Work setup
Company portal
Google play protect services
Google Play Store
*** I Believes the bottom 5 are the main ones - the rest I just guessed and may or may not impact things 100% *****
7. Sign into Teams.
8. This will force you to sign into Company portal. If it works - not much will happen because it will look like a legit non-rooted phone.
If it fails you'll have to setup your profile in Company portal and it always fails after a 5 step process and says DEVICE NOT HEALTHY) This means you didn't deny something or you didn't reboot or something. You also need to go into your google accounts and look for your work profile and delete it and uninstall teams and company portal - I think company portal leaves files that you want off so you have to start from scratch)
9. You should be able to join your work meetings and use teams.
Ongoing:
Make sure you never update teams or Company Portal.
I don't know if this works for other MS mobile apps because I don't check my mail on my phone - but I assume just adding them to the deny list would be the only step extra you need to take.
Thanks!!
Click to expand...
Click to collapse
Awesome! This is the only method that worked for me after hours of struggling. Thank you!
Method is not working for me. Followed all steps
Not worked for me. Intune still detecting the root
Harshatxda said:
Not worked for me. Intune still detecting the root
Click to expand...
Click to collapse
Harshatxda said:
Method is not working for me. Followed all steps
Click to expand...
Click to collapse
This seems to be an ongoing evolving issue; especially in light of recent updates/events. There are many threads on the site here discussing it, although I've seen some that have been successful (but in various different device forums). The thread (linked below) seems to be fairly up-to-date recently updated that looks most promising...
[Tutorial] [Root] How to configure 'Microsoft Intune' to make it work with 'Magisk' (Update: Q1/2023)
Update 04.01.2023: I've updated/added additional steps to make this tutorial work again. This question was asked many times and often all the answers did not work: How do I get Magisk to work with Microsoft Apps like Microsoft Teams, Microsoft...
forum.xda-developers.com
Rooted Pixel 6A, rooted and literally <24H out of box. All I did was:
1. Hide Magisk (obviously)
2. Enable Zygisk
3. Configure DenyList (every Microsoft app I saw)
4. Enforce DenyList
5. Reboot
Portal passes device health test, and Teams works like a charm. Both are installed straight from Play Store.