@fynngodau fynngodau commented Sep 22, 2024

Supersedes and contains #2500. Supersedes and contains #2521.

Allows users to download apps to their work profile using the special vending component "Work app store". This component is disabled, and enabled only when a work profile is added (which in turn can only be done by a device or profile admin).

Yet to do:

  • rewrite download code for components (Implement SplitInstallService #2500 (comment))
    • don't allocate RAM for the entire download
    • download directly to installer session
  • add meaningful progress information
    • to store app
    • while downloading in the background through store app
    • while splitinstalling
  • determine and verify meaning of policy field in /getEnterpriseClientPolicy
  • test additional dpc services
  • show Work app store only after adding work account
  • automatic dependency installation (i.e. installing Google Chrome), see https://gitlab.com/AuroraOSS/AuroraStore/-/issues/346
  • acquire user consent before provisioning work account → new settings screen in microG UI, is shared across accounts (note that custom ROM vendors are expected to grant microG the INTERACT_ACROSS_USERS permission for this)
  • automatically install / remove apps on demand of dpc controller → for future investigations

Mostly up-to-date screenshot:

Screenshot_1727017306

DaVinci9196 and others added 30 commits August 19, 2024 19:22
Verify that work accounts are only added by device owners or profile
owners.

For instance, Microsoft Intune will create a work profile (moving itself
to the work profile in the process) before using the work account service
to create a work account, so at that point it will already be profile
owner. Apps that are not the profile owner will subsequently not be able
to disable the work account authenticator or remove the work account.
The personal account would not have an owner and thus no application
could enable the work account provider there.
Specifically: sharing check-in data between work and primary profile
breaks work vending functionality.
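
An added example, not code from this pull request or from microG, of the caller check the commit message above describes: a binder call that adds or removes a work account is refused unless the calling UID belongs to the device owner or the profile owner. The object and function names are hypothetical; the `DevicePolicyManager`, `PackageManager` and `Binder` calls are standard Android APIs.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.Context
import android.os.Binder

// Hypothetical helper (assumption, not microG's implementation).
object WorkAccountCallerCheck {

    /** True if any package sharing [uid] is device owner or profile owner. */
    fun isOwnerUid(context: Context, uid: Int): Boolean {
        val dpm = context.getSystemService(DevicePolicyManager::class.java)
            ?: return false
        // One UID can map to several packages (shared UID); null if unknown.
        val packages = context.packageManager.getPackagesForUid(uid)
            ?: return false
        // In a personal profile without an owner both checks are false for
        // every package, so no app can pass there.
        return packages.any { dpm.isDeviceOwnerApp(it) || dpm.isProfileOwnerApp(it) }
    }

    /**
     * Call first thing inside the service method that adds, disables or
     * removes a work account, on the binder thread handling the request.
     */
    fun enforceOwnerCaller(context: Context) {
        val uid = Binder.getCallingUid()
        if (!isOwnerUid(context, uid)) {
            throw SecurityException(
                "UID $uid is neither device owner nor profile owner"
            )
        }
    }
}
```

The check is made against the UID reported by the binder driver rather than a package name passed in by the caller, since the latter is caller-controlled.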
@fynngodau fynngodau requested a review from jonathanklee March 20, 2025 16:17
Member

@mar-v-in mar-v-in left a comment

lgtm

@mar-v-in mar-v-in added this to the 0.3.7 milestone Mar 31, 2025
@mar-v-in mar-v-in merged commit dcaa450 into microg:master Mar 31, 2025
1 check passed
@fynngodau fynngodau deleted the workaccount-store branch April 1, 2025 18:21
calyxos-gerrit pushed a commit to CalyxOS/platform_external_microg_GmsCore that referenced this pull request Apr 24, 2025
Per microg/GmsCore#2553
"automatically install / remove apps on demand of dpc controller → for future investigations",
not implemented

Change-Id: Idaf05ef29c556c921d88da93b3a8f861847497d1
calyxos-gerrit pushed a commit to CalyxOS/lfs_prebuilts_calyx_microg that referenced this pull request Apr 24, 2025
* 0.3.6.250932-220 (6f92b0d) (250932232)

Per microg/GmsCore#2553
"automatically install / remove apps on demand of dpc controller → for future investigations",
not implemented

Change-Id: Idaf05ef29c556c921d88da93b3a8f861847497d1
@agentorange96

/e/OS 3.1.1/3.1.2 finally include this fix. I am not sure how to access the "Work App Store" though. I am only sent to the MicroG settings.

I can now set up my work profile, but I don't see how to install work apps.

Am I missing something here? Or is that not implemented yet?

Thank you everyone who made this possible and for any help!

@fynngodau
Member Author

fynngodau commented Sep 5, 2025

@agentorange96 Is your work profile set up completely such that you have a managed work account showing up under Accounts in the settings, under the Work section? If not, ensure it is allowed to set up a work account in the microG settings and do the work setup from scratch.

For /e/OS' stock launcher, it is additionally necessary to restart the device after setting up due to https://gitlab.e.foundation/e/backlog/-/issues/8275.

@agentorange96

@fynngodau Thank you for the response!
It is in the accounts section under work. I did enable that setting in MicroG before any of this, including uninstalling Intune Company Portal and removing my work profile.

I am using Nova Launcher, but also I don't seem to have that issue. If I try and launch MicroG Companion it goes to MicroG settings and gives me a toast about how there's no activity for MicroG Companion itself. (I don't remember exact text)

I do have an issue where I get stuck at "Adding your device to Company Portal" and it seems MicroG Companion is trying to launch something but fails and instantly goes back to Intune company Portal to the screen it says that at. I gave this a lot more time this time before leaving this comment, but it's still stuck.

If I close Company Portal and restart it, it's logged in. I can tap my device and register it with my org and then everything seems to be set up fine. But no way to install apps. I do get a banner at the bottom saying to use the company version of the play store, and tapping it attempts to load MicroG Companion but again it redirects to MicroG settings.

Thank you again for your help!

@fynngodau
Member Author

@agentorange96 Intune is not supposed to get stuck during setup; are you positive that the Google kind of Work account is being added to your accounts screen as well, not just Intune? I.e. I think there should be two accounts, not just one. (Of course you can send a screenshot for me to check.) Because it sounds like it is stuck at creating this account, that would explain this behavior: Intune will never retry this if it fails so you can end up correctly set up but without a work Google account configured. And you need a work Google account for the Work app store to show up in the first place!

In any case: To analyze what went wrong a log of what is happening would be most helpful. However beware that it can contain personal data, feel free to email me at the address from fynngodau.de/imprint

@agentorange96

@fynngodau It only shows one account and it is labeled "Work account" of the type that shows a blue and white icon depicting an ID on a lanyard. So not Google. My company does not use Google accounts. Would this be a blocker? I think given this you are on the right track. Am I supposed to set up a work profile prior to adding my work account? I was letting Intune's setup do that for me. Also I'm not sure where to find the wanted log, but I can send it if needed. Thanks!

@fynngodau
Member Author

@agentorange96 Sorry for the delay.

> My company does not use Google accounts. Would this be a blocker?

Despite this being mostly invisible to the user during normal use, there is (from what I have seen) always a pseudonymous Google account associated with your Microsoft account for Intune that microG would sign in to automatically. This account is the one that will later allow you to install apps.

> Am I supposed to set up a work profile prior to adding my work account? I was letting Intune's setup do that for me.

Your behavior is correct – it is not possible / compatible to do this manually / in some other way.

> Also I'm not sure where to find the wanted log, but I can send it if needed.

Please trigger the setup of the work profile again (including waiting the delay), then go to Developer Options → Bug report. The bug report will then be generated and you can send it to my email address or inspect it manually.

@agentorange96

@fynngodau No problem! I'd intended to email you directly, but hadn't gotten around to it. Although I'm finding it harder to remember meetings without my phone reminders, so perhaps it's something I should put some priority on. Thank you for the explanation! I'll get those logs, give them a look over both in case it makes anything obvious to me and to remove anything sensitive and then send them your way if needed. Thank you again!
