Hi All,
I have my device SGS2 synchronized with our corporate network. Our corp uses Zenprise for MDM solution which has me running this ****ty app zenprise for employees always running on my device.
Also, when I configured the inbuilt email app - it asked me all sort of privileges and became an admin for my device.
now the question - when I rooted my device, somehow corporate admins knew about it and I got an email from them that it has been detected that I am running rooted device and I should remove the root or take it to the service station.
How do they find THIS out? Is it zenprice MDM that reports rooted device or is it Exchange Security policies???
Now this time - after a flash I did install the zenprise MDM but I have not configured email . I simply used Touchdown and now I dont have to use PIN on my device lock and I doubt how many exchange SPs are enforced anyways. But I really do not know if I should try rooting again.
So, is it the exchange or is it the MDM which detected if the device is rooted? Any ideas?
Check out the web page for Zenprice: http://www.zenprise.com/solutions/android-management
It says "Block jailbroken or rooted devices".
And,
"Maintain hardware inventory, including asset details; report on device statistics"
"Report on service details such as roaming, location, user inactivity, and expenses"
If you own the device, you should hit them up about monitoring this information about your private phone, if it's not in your corporate mobile usage policy.
awojtas said:
Check out the web page for Zenprice: http://www.zenprise.com/solutions/android-management
It says "Block jailbroken or rooted devices".
And,
"Maintain hardware inventory, including asset details; report on device statistics"
"Report on service details such as roaming, location, user inactivity, and expenses"
If you own the device, you should hit them up about monitoring this information about your private phone, if it's not in your corporate mobile usage policy.
Click to expand...
Click to collapse
I know this is an old post but I wanted to add to it.
I'm an MDM administrator and I run Zenprise for MDM. Yes it is the Zenprise agent that detects whether or not a device is rooted. While the device belongs to you, you are connecting it to company resources which requires certain levels of security. In this case they block rooted devices. They can also record your screen and more. By connecting your phone to your company resources you are agreeing to their security policy. Ignorance of the policy is your fault and not theirs.
Hope this helps those of you who hate Zenprise. Being on the other side of it, I love it.
Well, but Zenprise is not differentiating between rooted and unlocked AT ALL. Unless Im misunderstanding something, this is a huge flaw in their detection mechanism which then leads to a false vilification of Android phones. In my case, I purchased a Samsung SIII aka S3 GTi9300 World Phone, so I can travel abroad and use different SIMS, so it is unlocked but NOT ROOTED. I installed the Zenprise aka Citrix Connect for Samsung app, and when it tries to login it quickly fails and reports back that "Connection failed due to a security policy". The Zenprise admins say my device is rooted, and it is not, so they dismiss it and say that well it doesnt matter from a Zenprise perspective it sees unlocked and rooted phones the same. This is so backwards I dont even know where to start. Nevermind Zenprise seems to be Apple-centric (just about every device it manages is an Apple, Androids seem despised), but getting support to care or do something about this difference in phone status (unlocked vs. rooted) is like asking a brick wall to care.
What can be done about this, what is the right setting to get Zenprise to accept a legitimate phone, or how can it be tricked into doing so. Thanks.
There's an app module called XPrivacy for the Xposed Framework, it could possibly help you guys hide your rooted and unlocked status as it is designed to feed bogus information for different permissions like for example you can spoof your mac address, imei bla bla yada yada, a little talk and contribution to the dev will possibly get you any missing features too.
P. S We can also set our desired info too for most relevant permissions or allow any specific information, and I agree with one thing privacy is too underestimated now. Orbot app can be used for connecting your device to the Tor Network thereby hiding your Internet presence to the whole world, the only thing you're admin will see is you being connected to a single IP which is random and could be anybody or anything.
Sent from my GT-I9100 using xda app-developers app
---------- Post added at 12:51 AM ---------- Previous post was at 12:37 AM ----------
goinovr said:
I know this is an old post but I wanted to add to it.
I'm an MDM administrator and I run Zenprise for MDM. Yes it is the Zenprise agent that detects whether or not a device is rooted. While the device belongs to you, you are connecting it to company resources which requires certain levels of security. In this case they block rooted devices. They can also record your screen and more. By connecting your phone to your company resources you are agreeing to their security policy. Ignorance of the policy is your fault and not theirs.
Hope this helps those of you who hate Zenprise. Being on the other side of it, I love it.
Click to expand...
Click to collapse
First of all don't easily and directly specify the root of the problem when you guy's are trying to cause the problem if a little modding and changing the apk is too difficult there will always be workarounds to virtually hide everything, lol you guy's wouldn't even understand when a security issue rises.
Sent from my GT-I9100 using xda app-developers app
We do not allow discussions regarding spoofing IMEI on xda so a few posts have been deleted.
E.Cadro said:
We do not allow discussions regarding spoofing IMEI on xda so a few posts have been deleted.
Click to expand...
Click to collapse
Understood, thanks for pointing it out, but anybody who knows a little about Xposed Framework can modify, spoof or do anything related to code level modification.
Sent from my GT-I9100 using xda app-developers app
E.Cadro said:
We do not allow discussions regarding spoofing IMEI on xda so a few posts have been deleted.
Click to expand...
Click to collapse
Yes point taken. Sorry
They check SU binaries. There are serval ways to hide it. Check for hide root on Google play.
Yours,
Amiroslo
Not any more. The new version (Worx) see su even hiden...
Sysadmins & tech support guys know everything. No hiding anything from them (except maybe the lazy ones).
So I've tested around this a good bit. The latest Citrix Worx doesn't only check for su binary. Even when you use hide root on say SuperSu it doesn't work. Even a hide my root won't work. After days of testing and tinkering I found what it does look for. It looks for both su binary AND busybox. So what I did was delete the busybox and all the symlinks to it in xbin. Then used the hide root on SuperSu and it worked. So that seems to be the fix for now. Hope that helps anyone.
Dixit
dixit said:
So I've tested around this a good bit. The latest Citrix Worx doesn't only check for su binary. Even when you use hide root on say SuperSu it doesn't work. Even a hide my root won't work. After days of testing and tinkering I found what it does look for. It looks for both su binary AND busybox. So what I did was delete the busybox and all the symlinks to it in xbin. Then used the hide root on SuperSu and it worked. So that seems to be the fix for now. Hope that helps anyone.
Dixit
Click to expand...
Click to collapse
Do you mind elaborating on this a bit? My company is running the latest version of Citrix Xenmobile (worx) and I'd like to accomplish this so I can use it but also keep root obviously.
cowman4000 said:
Do you mind elaborating on this a bit? My company is running the latest version of Citrix Xenmobile (worx) and I'd like to accomplish this so I can use it but also keep root obviously.
Click to expand...
Click to collapse
I explained it fairly well. You have to delete Busybox, the app itself. Then using file explorer like tool like maybe root explorer you need to go to Xbin and remove all the symlinks that pointed to busybox that may have been left behind. Only delete the ones that pointed to busybox.
Sorry cant be of more help on this as I don't have this device anymore, I have a Note4 which I cannot root so I cant test this further.
Dixit
Love it when old threads like this pop up. These were the good time's on Xda....shame pretty much all my Post's was removed lol.
Good time's... Great people.
Related
I recently responded to a thread in Themes and Apps about the HBO Go app. I mentioned installing the app and readily accepting the su request, considering the legitimacy of the source. A more knowledgeable person than I am cautioned against allowing access without knowing the reason behind that request. This is very sound advice and something I really should've considered. Since the source was legit, I just accepted the request. My question is: is the user able to determine why a su request is needed and/or what the request will be doing to the phone? I have since blocked the app from su and it's working fine.
A superuser request is basically asking for higher privileges than is normally available to the average user. Apps don't usually specify what they need root for...you'd have to go into their source code to find out. Superuser only logs the requests, not what each app did.
If you have Android Terminal Emulator installed, let's pretend to be an app as an example. Go into terminal emulator, and then type "su". You'll see that the prompt becomes a # to signify superuser access. Now, you can do anything, such as mounting /system to make it writeable and then install files as system files.
I am reminded of one time when I wanted to see if NFC worked in our phones. I downloaded an app from the market with only 13 downloads. It asked for superuser access, and I approved it without thinking about it. If my NFC was working, who knows if it scanned my cards and sent them to the author, etc. I'm not even sure why it needed access if NFC is supposed to be a service that is available on an unrooted phone (eventually).
Your app might be running fine since it has probably already finished doing everything it needed superuser for. We have to be careful with superuser because we then basically give the app control over the system.
If an app asks for su permissions comes from a reputable developer, you should be able to contact that developer and that developer should be willing to give full discloser on everything that app is doing. And that developer should have a good reputation with with other good people.
Second once given su permissions an app could do almost anything and could hide its tracks so well that the majority of us average users could never track down every thing it did - if it was coded well enough by a talented hacker (only other talented people wood be able to work out exactly what is going on).
So be very stingy with su, because every time you give those permissions your giving out the keys to the castle - so to speak.
--- edit below added to post ---
I still don't know why that version of HBO go was asking for su permissions, there has since been an update that is no longer asking for su permissions. This is just a guess but it was probably an an attempt to check for whether or not the phone is rooted because the media type companies fear those of us who root our phones, their afraid we can record their streams and cut down on their ability to make more money off of us.
Sent from my SAMSUNG-SGH-I777 using XDA App
Dayv, thanks for your advice. If a developer wants to check for root access, won't there be some type of traceable commuication between the app and the developer? I did install the updates and no su requests on HBO, MAX, or SHO.
dayv said:
If an app asks for su permissions comes from a reputable developer, you should be able to contact that developer and that developer should be willing to give full discloser on everything that app is doing. And that developer should have a good reputation with with other good people.
Second once given su permissions an app could do almost anything and could hide its tracks so well that the majority of us average users could never track down every thing it did - if it was coded well enough by a talented hacker (only other talented people wood be able to work out exactly what is going on).
So be very stingy with su, because every time you give those permissions your giving out the keys to the castle - so to speak.
--- edit below added to post ---
I still don't know why that version of HBO go was asking for su permissions, there has since been an update that is no longer asking for su permissions. This is just a guess but it was probably an an attempt to check for whether or not the phone is rooted because the media type companies fear those of us who root our phones, their afraid we can record their streams and cut down on their ability to make more money off of us.
Sent from my SAMSUNG-SGH-I777 using XDA App
Click to expand...
Click to collapse
mcann said:
Dayv, thanks for your advice. If a developer wants to check for root access, won't there be some type of traceable commuication between the app and the developer? I did install the updates and no su requests on HBO, MAX, or SHO.
Click to expand...
Click to collapse
Su permission does not necessarily mean the app would send data back to the developer, but if a dev was good enough they could write it into the app to steal data, send it to them, then have the app coded to go back and erase any and all evidence that data was sent, even reset data counters.
making so that you have to catch the app right in the act - which could be very hard cause these things could be done so fast you would not be capable.
then the only way to catch wood require access to logs from some router the information was sent through which you are probably not going to have access to.
A malicious app would do damage until a talented enough white hat with the sophistication (both in intelligence and hardware) capable of catching the bad actor gets ahold of the app.
If you or I get a hold of a bad app and give it su permission days or Weeks before a good white hat analyzes the app we could literally get robbed blind before the news hits as to what the app is up to.
Sent from my SAMSUNG-SGH-I777 using XDA App
I would like to think that a developer working at someplace like HBO isn't writing malicious code into their apps. I would also like to think that they are screened by someone either at the company or Google before being posted in the Market. Either way, I guess the safest way to go would be to know the source and even then deny su access and see if the app runs. If it does, great. If not, then decide if you really want or need that particular app. Obviously apps like TiBu need root access, but HBO? Hmmm...
dayv said:
Su permission does not necessarily mean the app would send data back to the developer, but if a dev was good enough they could write it into the app to steal data, send it to them, then have the app coded to go back and erase any and all evidence that data was sent, even reset data counters.
making so that you have to catch the app right in the act - which could be very hard cause these things could be done so fast you would not be capable.
then the only way to catch wood require access to logs from some router the information was sent through which you are probably not going to have access to.
A malicious app would do damage until a talented enough white hat with the sophistication (both in intelligence and hardware) capable of catching the bad actor gets ahold of the app.
If you or I get a hold of a bad app and give it su permission days or Weeks before a good white hat analyzes the app we could literally get robbed blind before the news hits as to what the app is up to.
Click to expand...
Click to collapse
mcann said:
I would like to think that a developer working at someplace like HBO isn't writing malicious code into their apps. I would also like to think that they are screened by someone either at the company or Google before being posted in the Market. Either way, I guess the safest way to go would be to know the source and even then deny su access and see if the app runs. If it does, great. If not, then decide if you really want or need that particular app. Obviously apps like TiBu need root access, but HBO? Hmmm...
Click to expand...
Click to collapse
What I think HBO may have been doing, and this is just a guess, is trying to see who is rooted and not. Then they could control or cut off what is sent to rooted phones.
I doubt they were trying to steal any other info, but they may have been for controlling advertising you receive.
even though this is not as bad as what someone evil would be up to, it is still bad and they should not have done it with out disclosing their intentions.
I think the fact that they are still refusing to explain what that su request in that version was is quite telling that it was not likely something that would go over as a positive if it gets out.
And they probably will never tell us unless enough people make enough of a complaint about it.
But that won't happen because there were not enough people affected for it to become big news.
Sent from my SAMSUNG-SGH-I777 using XDA App
While we are kind of picking on HBO here, I think the lesson to noobs and olds (is there even a title for those more experienced??) is to be cautious about allowing su access to app requests. I am going to stick with my idea of denying su requests if it doesn't make sense to allow it. I can always allow access, if necessary. But I'll see if it works without it first. Hopefully others will follow this advice. Similar to running Windows 7 as a standard user, never admin.
dayv said:
What I think HBO may have been doing, and this is just a guess, is trying to see who is rooted and not. Then they could control or cut off what is sent to rooted phones.
I think the fact that they are still refusing to explain what that su request in that version was is quite telling that it was not likely something that would go over as a positive if it gets out.
But that won't happen because there were not enough people affected for it to become big news.
Sent from my SAMSUNG-SGH-I777 using XDA App
Click to expand...
Click to collapse
Just purchased SGS3 and SGN10.1, havent downloaded any apps as of yet because I am not comfortable with the permissions issue.
I also have not rooted as I am waiting for my sandisk extreme pro sd cards, but i have some clarity i need in moving forward.
How can i best protect my phone and the info in it - mostly for the protection of my clients contact info and just the general fact that nobody needs to know my info without my knowing why.
I have been online for the last 5 days trying to understand what i need to worry about and what i dont.
I have a copy of whispercore 0.5.2 and would like to know if i can use it on my sgs3
Do i need to root my device to give optinal protection PROS/CONS
How is the avast protection
And most importantly - are these protections necessary or have i been sidewiped by chicken little?
How can i determine the best app for me - preferrably with no permissions
I really need a good mail app, document editing app, pdf app, and possibly a CAD app
I have been overwhelmed with info over the last 5 days and need some help with clarification and facts.
Thank you in advance for your help,
Confus-ed:silly:
An app with no permissions has the ability to access nothing so in essence will be of little use. Contacts are synced with Google unless you opt out that decreases security. Personally if your clients details are that sensitive use a dumb phone for work and keep your S3 for less sensitive tasks.
Sent from my GT-I9300 using Tapatalk 2
Are you trolling me?
Just running through the threads trying to increase your reply and post count?
I would appreciate that if you dont have any real information to share, dont waste my time with your non-answer.
confus-ed said:
Are you trolling me?
Just running through the threads trying to increase your reply and post count?
I would appreciate that if you dont have any real information to share, dont waste my time with your non-answer.
Click to expand...
Click to collapse
What?
He answered your question, an app that asks for no permissions can't do much, apps need to have permissions to do various tasks.
If you're that paranoid about safety don't root and just use reputable apps from Google play store.
Edit: in fact the more I read you reply to him the more I see that you have a terrible attitude.
Good luck finding help when you act like that.
Sent from my GT-I9300 using xda premium
No attitude, i thought that i had explained in my original post that i have just spent 5 days scouring the web (which included xda).
I didnt ask about permissions nor did i ask about contacts being synced with google, I understand what the permissions do, but i also have read where you have control over the permissions when you root the phone.
Not paranoid, I just know the data mining that goes on and i am sure that my clients wouldnt want some random solicitation due to an app that has no need to access my contact list. such as a document editior.
My reply may have been a little short but ghost did not address any of my questions or concerns.
confus-ed said:
No attitude, i thought that i had explained in my original post that i have just spent 5 days scouring the web (which included xda).
I didnt ask about permissions nor did i ask about contacts being synced with google, I understand what the permissions do, but i also have read where you have control over the permissions when you root the phone.
Not paranoid, I just know the data mining that goes on and i am sure that my clients wouldnt want some random solicitation due to an app that has no need to access my contact list. such as a document editior.
My reply may have been a little short but ghost did not address any of my questions or concerns.
Click to expand...
Click to collapse
Yes you do have control permission when you root, but rooting is a double edged sword because root apps actually have more "power" when it comes to your system and if there is malicious code in them it will also have superuser permissions if you give the main app superuser permissions.
The safest option is not to root, if you root you are opening your system up to exploitation.
I have rooted every android phone I have ever had and never had any problems but that choice is yours.
Sent from my GT-I9300 using xda premium
nodstuff said:
Yes you do have control permission when you root, but rooting is a double edged sword because root apps actually have more "power" when it comes to your system and if there is malicious code in them it will also have superuser permissions if you give the main app superuser permissions.
The safest option is not to root, if you root you are opening your system up to exploitation.
I have rooted every android phone I have ever had and never had any problems but that choice is yours.
Click to expand...
Click to collapse
From the perspective of data mining, you're basically just as vulnerable with a non-root app, then only difference being that the non-root app will specifically ask for permissions to use your contacts.
At the end of the day, if you want decent integration between your personal data and your apps, you're going to need to accept some risk and allow someone elses code to run through your data. If you have sensitive client data, you'll most likely be safe if you stick to mainstream, popular apps, and keep a close eye on comments to make sure no one else has had issues with security. If you're really paranoid though, I would recommend you don't keep sensitive information on any device with internet access.
I would recommend LBE privacy guard it will prompt when an app is trying to access something and you decide to allow it or not, you can manage wich permissions you allow for each app, even cut it from any Internet access.
The app does require root to work
Sent from my GT-I9300 using xda app-developers app
Thank you
I rooted my S9+ SM-G965F/DS (Pie version) with TWRP recovery.
I was wondering if there was an easy way to change my android ID(that could possibly be repeatable in the future) so I can bypass a ban on Uber that stops me from using it. Or if anyone knows of a simpler way to bypass that ban it would be helpful as well. I already created a new account for Uber on a new device and can use it normally, I just want to be able to use it on this one instead (S9+) and I heard changing android ID would do the trick.
Thank you in advance.
Pamperz said:
I rooted my S9+ SM-G965F/DS (Pie version) with TWRP recovery.
I was wondering if there was an easy way to change my android ID(that could possibly be repeatable in the future) so I can bypass a ban on Uber that stops me from using it. Or if anyone knows of a simpler way to bypass that ban it would be helpful as well. I already created a new account for Uber on a new device and can use it normally, I just want to be able to use it on this one instead (S9+) and I heard changing android ID would do the trick.
Thank you in advance.
Click to expand...
Click to collapse
You might try Magisk hiding the app, but I have had S9+ for some time and rooted thru all of it and never had an issue with Uber - use it all the time.
Sent from my [device_name] using XDA-Developers Legacy app
gaww said:
You might try Magisk hiding the app, but I have had S9+ for some time and rooted thru all of it and never had an issue with Uber - use it all the time.
Sent from my [device_name] using XDA-Developers Legacy app
Click to expand...
Click to collapse
My issue isn't with the root, I rooted specifically to fix the issue but I still don't know how I just know it's the first step. I'm just trying to bypass a device ban by changing android ID which Idk how to do.
How to change Android ID ? ^^
try running uber app inside secure folder. its a container with, in theory, a different ID.
Also, did you try to factory reset?
create a different gmail account? many apps let you choose which gmail account you want to associate with it if you have more than one on your phone. Not sure if itll work, but worth a try. Also not sure is this topic is kosher as its specifically trying to circumvent a ban that was placed on the user, probably for a reason or 2
Forget about Uber, how do I change android ID for my device ? I cant use secure folder as its not available once you root your device. Also I need to repeat the process in the future so even in that case secure folder would only allow one different ID.
Pamperz said:
Forget about Uber, how do I change android ID for my device ? I cant use secure folder as its not available once you root your device. Also I need to repeat the process in the future so even in that case secure folder would only allow one different ID.
Click to expand...
Click to collapse
not related to your post, but why is your device id banned?
Hangoverr said:
not related to your post, but why is your device id banned?
Click to expand...
Click to collapse
To be clear this isn't related to the question/thread in any way, but since you asked.
I'm not sure, I bought some vouchers(Promotions to be exact) online for very very cheap and was using them for my trips. One time I decided to give them to an Uber driver who I thought was incredibly nice and thought he'd needed them more than me. So I gave him around 40$ of trips divided into multiple trips so I had to re-order him after each trip consecutively in a short period of time. I'm not sure if that's what did It but it sure stopped my ability to pay Cash on that account, I created a support ticket and after reviewing the ticket they just banned the account for "Fraudulent Activity". I believe they thought I was the driver somehow and was ordering them for my self, I know this because the driver contacted me a few days later (we exchanged numbers) and told me he received a warning(nothing more) for suspicious activity. And If that's not what did it then maybe it was because I was sharing my account with my sister and she would regularly cancel orders or not end up finding the driver (Poor gps routes in my country).
Did you try VPN or modifying build. prop?
dedq said:
Did you try VPN or modifying build. prop?
Click to expand...
Click to collapse
VPN doesn't do it as it's not related.
Any free apps you can recommend that change build prop?
If you tried VPN then ok.
You can find them on Google Play Store or edit it yourself by finding its location which I do not know by heart.
Is there a phone/android version that allows someone whos not an Android expert to actually have control over what their phones doing? Or is it just not possible nowadays for a regular person to fully control the info their phone sends?
Sorry if this sounds cynical, it really is a genuine question.
Thank you.
Hi Steve, it sounds like what you need is a rooted phone. Forgive me if you're already familiar with the term, but rooting basically gives you administrator rights over just about everything on your phone, with only a few exceptions depending on which Android version the phone is running. This allows you to do stuff like revoke permissions for apps, block ads, and change how Android looks and behaves.
Do you have a phone in mind already? If not, what's your budget?
questions should be posted in q/a Thread moved please review the rules ( located below)
rhythm_dx said:
Hi Steve, it sounds like what you need is a rooted phone. Forgive me if you're already familiar with the term, but rooting basically gives you administrator rights over just about everything on your phone, with only a few exceptions depending on which Android version the phone is running. This allows you to do stuff like revoke permissions for apps, block ads, and change how Android looks and behaves.
Do you have a phone in mind already? If not, what's your budget?
Click to expand...
Click to collapse
Thank you for your help. I had a rooted phone, but a friend did it for me. Now I have a S8 active on Pie and from my research the bootloader I have (V5) is not rootable. I'm definitely not well versed in Android though and could be wrong. That's why I was wondering if there was a device that offered full control without the need and rick of rooting. If there's not, could you suggest one that is perhaps the simplest and least risky to root? I don't need top of the line, I don't game or anything and would be fine with getting something used. thanks again!
Luckily, there is a way in stock Android to control permissions! I forgot about it when I was typing my previous response. Here's an overview: https://www.howtogeek.com/355257/can-you-control-specific-permissions-on-android/ Hope that does what you're looking for.
If you want to do more with a rooted phone like block ads, there are some that are easily rootable, like the Google Pixel series. Here are a few options: https://www.androidcentral.com/best-phone-rooting-and-modding I liked the Pixel 2XL I used through my previous job, and I've heard good things about the other Pixels, for what that's worth. I haven't tried the other phones in that link, but the OnePlus phones have an excellent reputation.
There are many other phones that have varying degrees of difficulty for rooting, but I'm not aware of any relatively recent ones not on that list that I'd consider easy to root. I've found that the best approach to finding a new phone is going to GSM Arena's Phone Finder to put on my criteria, then coming back to XDA and searching through the forums to find out whether my prospective phone of choice has root yet. As you've discovered with your S8, some phones just never get there, which is pretty frustrating.
I hope that helps! Holler if you have any other questions.
Well, that's my main issue, you can only control certain permissions there. When I click "all permissions" I can see them all, but not turn them off. It's just a bummer that one has to go thru all this rigmarole to control a device they supposedly own. I was hoping maybe someone made a device that you could control stock, but I guess that was wishful thinking. Thanks again.
SteveJustSteve said:
Is there a phone/android version that allows someone whos not an Android expert to actually have control over what their phones doing? Or is it just not possible nowadays for a regular person to fully control the info their phone sends?
Sorry if this sounds cynical, it really is a genuine question.
Thank you.
Click to expand...
Click to collapse
You must distinguish between Android OS itself and the apps that run on it: Android OS has no permissions you can invoke/revoke, only hardware/OS specific settings can be made there, but permissions can be granted/withdrawn from an app - if its developer has allowed the latter. To change the permissions of an app basically no rooted Android is required, this is done either via Android->Settings or via a 3rd-party APK editor.
BTW: It exist 3rd-party apps that can show you what apps are sending/receiving data over Internet.
Hint: Use your Android phone without Google.
Is root required to disable hardware?
SteveJustSteve said:
Is root required to disable hardware?
Click to expand...
Click to collapse
No, only a hammer. :laugh:
Hi,
Just joined a new company that requires Company Portal to access Outlook email and other apps on my phone.
Evidently even if you manage to hide root from Company Portal, a major requirement is having an encrypted device with Company Portal.
In order to get rooted 2 years ago, I ran Disable_Dm-Verity_ForceEncrypt during the TWRP setup process so my rooted V30 is not encrypted.
Is there any way to restore encryption now without losing my current stock rom settings and data and maintain root?
I see in LG Settings there is an option to Encrypt Phone and SD Card. Will this suffice so I can maintain root?
If not, is there a way to root and install a TWRP LG Pie Rom zip without disabling encryption via Disable_Dm-Verity_ForceEncrypt?
Or is it impossible to root and use Company Portal with the LG V30?
Thanks in advance!
Drew
drewcu said:
Hi,
Just joined a new company that requires Company Portal to access Outlook email and other apps on my phone.
Evidently even if you manage to hide root from Company Portal, a major requirement is having an encrypted device with Company Portal.
In order to get rooted 2 years ago, I ran Disable_Dm-Verity_ForceEncrypt during the TWRP setup process so my rooted V30 is not encrypted.
Is there any way to restore encryption now without losing my current stock rom settings and data and maintain root?
I see in LG Settings there is an option to Encrypt Phone and SD Card. Will this suffice so I can maintain root?
If not, is there a way to root and install a TWRP LG Pie Rom zip without disabling encryption via Disable_Dm-Verity_ForceEncrypt?
Or is it impossible to root and use Company Portal with the LG V30?
Thanks in advance!
Drew
Click to expand...
Click to collapse
My only solution to this problem was to always use webaccess for my Office365 account. They required the portal to use Outlook, and part of that requirement allowed them to wipe my phone whenever they wanted. It's my phone, so I guess I won't use their email on my phone.
Sounds like your company has yet another behind-the-times IT department (like mine). Although mine is also exceptionally incompetent. They left the IMAP server open and available to anyone, so I simply used that with my GMail account instead. It did require me to allow them admin access to the phone to wipe the device (though I think they can only wipe the email) but it worked. They finally got modern and are using 365 so now it doesn't need these extra things. You might want to see if you can wait until they wake up and/or see if there is a server you can connect to. I found mine because, due to their incompetence, they let iPhones use the native mail app via the IMAP server, but forced Android to use some garbage 3rd party software for it instead of GMail. In both cases, the IMAP server was easily seen and setup.
I also have a company phone, so I don't really care if they can wipe it. Again, if I was going to take data from them, I'd do it before I announced I was leaving like any reasonably-intelligent person... so wiping accomplishes nothing. But, again, these IT departments are really dumb and incompetent...
To answer your initial question, I don't know if there's a way to re-enable encryption... but I also don't think that this is something that they can detect anyway. I'm thinking it may be something else they're tripping over. You may consider installing Magisk, and then using it's HIDE feature to see if you can hide the typical "signs" of rooting/etc. It may be good enough to get you working. If it doesn't you simply remove Magisk again (or just stop using it)?
Thanks @ldeveraux and @schwinn8 for the replies!
I know we use Office 365 but I'll have to ask about web access to see if that is possible. It's my phone and supposedly it's "not required" that I install Company Portal/Outlook/Teams on my phone, but I would be the only one at the firm not doing that and I am a new hire so... kind of a bad look so soon. I am not really comfortable with them being able to wipe my phone either, but that wasn't mentioned to me... yet.
Also would have to ask about IMAP, but I doubt it. No company phones either which is fine.
Pretty sure it is the encryption (or lack thereof in my case) that is the issue. I already use Magisk v22 and Hide all signs of Company Portal and pass Safetynet. On another XDA thread where Company Portal is discussed, I followed the suggested steps to no avail:
1) Install Company Portal V5.0.5067.0
2) Magisk Hide ALL of Company Portal checkboxes
3) Reboot
4) Still pass SafetyNet
5) Launch Company Portal
While the app doesn't specify the encryption as to why it cannot get me to the login screen, that's the only conclusion I can reach at the moment.
Did either of you try or look into encryption built into the LG/Android Settings menu? I don't want to do that unless I know of someone with success with it, but am curious if that would allow root via Magisk Hide, encryption, and Company Portal.
Thanks!
Drew
No I stopped carrying when they wanted permission to wipe. If the company was paying for the phone, that's one thing. If I'm using my personal phone for company use, that doesn't fly.
I realize this doesn't answer your question at all, but it's food for thought!
ldeveraux said:
No I stopped carrying when they wanted permission to wipe. If the company was paying for the phone, that's one thing. If I'm using my personal phone for company use, that doesn't fly.
I realize this doesn't answer your question at all, but it's food for thought!
Click to expand...
Click to collapse
Carrying? Or did you mean caring?
drewcu said:
Carrying? Or did you mean caring?
Click to expand...
Click to collapse
Caring. I don't own a firearm.
ldeveraux said:
Caring. I don't own a firearm.
Click to expand...
Click to collapse
Lol got it. Just making sure I understood what you meant.
Assume you didn't look into the LG rom based encryption then?
drewcu said:
Lol got it. Just making sure I understood what you meant.
Assume you didn't look into the LG rom based encryption then?
Click to expand...
Click to collapse
No at that point I gave up
Hopefully you'll get some help here, because I'd still like to be able to actually use Outlook on my phone!
So, a quick search says that there are modules available and other things that need to be tried. One further thing is to hide root from various Google modules. I remember hearing that for some other apps... that you had to hide root from Google services. I also remember hearing that, in some cases, you have to clear data for apps after the hide, because they apparently save the rooted-status in their own data.
Basically, I doubt encryption is the issue... root is usually the problem and can be a bit tricky to hide properly. You just have to try things. I have never seen any app fail to work because encryption is not available... it's always a root-detection issue.
As for the IMAP thing, the point there is to use the settings you find elsewhere to access email. You're not asking IT for permission or info... you just need to find it. Most Microsoft-based IT places I have worked with have zero clue that this is open and offered, so once you find it it's just a matter of plugging in the right info.
As for the web-interface, again, my company (for example) doesn't tell us that we can use the Outlook app, but it works with no tricks whatsoever. Plug in your company account info and it figures out how to connect.
FYI, the module I mentioned above is referenced here: https://forum.xda-developers.com/t/...ne-company-portal-hider-intune-hider.3780451/ - no idea if this is necessary or even the latest version...
schwinn8 said:
So, a quick search says that there are modules available and other things that need to be tried. One further thing is to hide root from various Google modules. I remember hearing that for some other apps... that you had to hide root from Google services. I also remember hearing that, in some cases, you have to clear data for apps after the hide, because they apparently save the rooted-status in their own data.
Basically, I doubt encryption is the issue... root is usually the problem and can be a bit tricky to hide properly. You just have to try things. I have never seen any app fail to work because encryption is not available... it's always a root-detection issue.
As for the IMAP thing, the point there is to use the settings you find elsewhere to access email. You're not asking IT for permission or info... you just need to find it. Most Microsoft-based IT places I have worked with have zero clue that this is open and offered, so once you find it it's just a matter of plugging in the right info.
As for the web-interface, again, my company (for example) doesn't tell us that we can use the Outlook app, but it works with no tricks whatsoever. Plug in your company account info and it figures out how to connect.
FYI, the module I mentioned above is referenced here: https://forum.xda-developers.com/t/...ne-company-portal-hider-intune-hider.3780451/ - no idea if this is necessary or even the latest version...
Click to expand...
Click to collapse
Thanks for the suggestions! I actually have tried different modules without success both for EdXposed (Security Bypass for Company Portal with CP version 5.0.3013.0 and Bypass Exchange Policies). The closest I got was with CP 5.0.3013.0 where I could enter my credentials but then wasn't able to agree to the Terms and Conditions which is a prerequisite and got denied. The module you linked is no longer needed if using Magisk v22 with Magisk Hide according to people in the thread.
Have also tried the Outlook app, Outlook web access, Gmail, IMAP, POP3 -- all smartly locked down tight for compliance reasons by our IT. Just says to enroll with Company Portal after entering credentials.
Pretty sure the Magisk Hide route would work with V5.0.5067.0 if my device was encrypted. Company Portal checks whether your device is encrypted supposedly, so either you have to actually be encrypted or find a way around that. I am willing to be encrypted if I can still be rooted...
Not sure where to go from here to get it working without an encrypted device... but thanks for the post.
As I recall, Xposed is not really working or functional these days. The module I linked to is a Magisk module. Did you follow those directions, because it sounds like you didn't.
It sounds like you don't want to believe me... that's fine. I believe the answers are out there and it's just a root issue. You probably just need to do more reading and searching. I'm going to give up since you don't seem to want to hear it from me, so good luck...
If you find a solution, do let people know on this thread so the matter can be closed/completed.
I remember the other reason I stopped trying to use the Company Portal. They need permission to wipe my phone, which obviously I'm not cool with. Whenever I disable the Company Portal, mail stops working. That's reason enough!
schwinn8 said:
As I recall, Xposed is not really working or functional these days. The module I linked to is a Magisk module. Did you follow those directions, because it sounds like you didn't.
It sounds like you don't want to believe me... that's fine. I believe the answers are out there and it's just a root issue. You probably just need to do more reading and searching. I'm going to give up since you don't seem to want to hear it from me, so good luck...
If you find a solution, do let people know on this thread so the matter can be closed/completed.
Click to expand...
Click to collapse
Yes I am aware that the module you linked is for Magisk. If you go to the OP, all the text is struck through because the module is no longer necessary as I stated previously.
[MODULE] Microsoft Intune Company Portal Hider (Intune Hider)
Introduction: Simple Module To Hide The Root From Microsoft Intune Company Portal. - After The Installation & 1st Reboot, It Hides The Rooting & Disables Itself [P.S. Disabling Itself For Some Versions] - Enabling This Module From Magisk Manager...
forum.xda-developers.com
kb8no said:
It is easy to be confused. The "module" from the OP was needed before but is now obsolete since Magisk has gained the necessary functionality alone without the "module". There is no "module" in Magisk. Now go back and read the past posts over 2 months. First you hide Magisk so it passes safety net. Then you go into superuser MagiskHide, go into the app (eg Portal) and check everything. You need to understand that they updated Portal so you need to downgrade it so Portal will work again. You need to understand to use latest Magisk and Magisk changed. Not surprising you are confused. Now perhaps you have figured out the basics and the details will make sense.
Click to expand...
Click to collapse
So I followed the steps on page 23 of that thread using Intune Company Portal V5.0.5067.0:
[MODULE] Microsoft Intune Company Portal Hider (Intune Hider)
Introduction: Simple Module To Hide The Root From Microsoft Intune Company Portal. - After The Installation & 1st Reboot, It Hides The Rooting & Disables Itself [P.S. Disabling Itself For Some Versions] - Enabling This Module From Magisk Manager...
forum.xda-developers.com
IlyaKol said:
Good call on the GitHub ticket.
For anyone reading, this is the process I followed:
1) Uninstall the existing Intune Company Portal
2) Reboot
3) Install the APK listed above or from another source (I used APK Pure). DO NOT LAUNCH INTUNE!
4) Before launching, go into Magisk and make sure to hide ALL of it as well as all of Outlook, OneNote, OneDrive, Teams, etc. (whatever uses your company credentails)
5) Launch InTune and set it up.
6) Disable auto-updates of the app as he stated in Google Play Store.
7) Profit.
Click to expand...
Click to collapse
The result is I am still stuck on the "Open the Intune App" screen... No other error messages related to rooting, but cannot even get to log in or download Outlook or Teams. Have tried downloading the Intune App from the Play Store and that tells me to open Company Portal... so going in circles... I'm told I need to only use Company Portal from our IT firm.
I went through the same Magisk module thread and found others talking about not having encryption, and they are in the same position as I am -- following the steps or using the Magisk module (before Magisk v22) and still not getting CP to work.
Thus I am 99.9% sure I cannot use CP because I don't have encryption. You don't have to believe me, but I have tried everything I can think of save for using LG's Encrypt Phone feature... Would do it if I got confirmation I could stay rooted, not lose my data/settings, and then use Company Portal.
But yes, I absolutely would post the solution here if I find it!
Thanks anyway.
I'm rooted and have long had corporate email (two different companies) on a paid app called "Nine". First company was Fortune 100 global media company, and 2nd (past 3 years) is smaller but still has aggressive IT policies. Neither paid for my phone. I specifically remember with the first having to agree they could wipe the phone if it was lost -- but I think due to me being rooted they wouldn't be able to.
Nine - Email & Calendar - Apps on Google Play
Nine is a full-fledged and intuitive email app which supports Exchange and IMAP
play.google.com
ChazzMatt said:
I'm rooted and have long had corporate email (two different companies) on a paid app called "Nine". First company was Fortune 100 global media company, and 2nd (past 3 years) is smaller but still has aggressive IT policies. Neither paid for my phone. I specifically remember with the first having to agree they could wipe the phone if it was lost -- but I think due to me being rooted they wouldn't be able to.
Nine - Email & Calendar - Apps on Google Play
Nine is a full-fledged and intuitive email app which supports Exchange and IMAP
play.google.com
Click to expand...
Click to collapse
Just tried Nine and it also tells me after entering my credentials that I need to use Company Portal (just like Outlook and Web Access).
Do these two companies you worked for use Intune Company Portal to manage policies?
drewcu said:
Just tried Nine and it also tells me after entering my credentials that I need to use Company Portal (just like Outlook and Web Access).
Do these two companies you worked for use Intune Company Portal to manage policies?
Click to expand...
Click to collapse
I just installed portal and outlook, added both as admin or whatever it's called, and have a fully functioning inbox. I don't know if I'll leave it like this for the reasons I mentioned, but it works. I have the latest twrp, latest magisk, and adguard installed. I have no clue if I'm encrypted or not, how would I check? But I was trying to use the older version of Portal and it kept looping, so I installed the latest from the play store and we're up and running.
@ChazzMatt do you really think they can't wipe if they so desire? How could we confirm that? I surely don't want to give them that ability considering if you disable their permissions it stops working completely.
ldeveraux said:
I just installed portal and outlook, added both as admin or whatever it's called, and have a fully functioning inbox. I don't know if I'll leave it like this for the reasons I mentioned, but it works. I have the latest twrp, latest magisk, and adguard installed. I have no clue if I'm encrypted or not, how would I check? But I was trying to use the older version of Portal and it kept looping, so I installed the latest from the play store and we're up and running.
@ChazzMatt do you really think they can't wipe if they so desire? How could we confirm that? I surely don't want to give them that ability considering if you disable their permissions it stops working completely.
Click to expand...
Click to collapse
For Nine I only needed the email server name.
For the previous Fortune 100 company I worked for, it was almost 4 years ago so I don't remember all the details but I remember granting them the privilege but I don't remember adding them as an admin.
ldeveraux said:
I just installed portal and outlook, added both as admin or whatever it's called, and have a fully functioning inbox. I don't know if I'll leave it like this for the reasons I mentioned, but it works. I have the latest twrp, latest magisk, and adguard installed. I have no clue if I'm encrypted or not, how would I check? But I was trying to use the older version of Portal and it kept looping, so I installed the latest from the play store and we're up and running.
@ChazzMatt do you really think they can't wipe if they so desire? How could we confirm that? I surely don't want to give them that ability considering if you disable their permissions it stops working completely.
Click to expand...
Click to collapse
Company Portal didn't used to work for you, correct? What changed? Can you please list your steps this time?
I think to check encryption you use Termux and enter 'getprop ro.crypto.state' -- mine says unencrypted.
One other question is what version of Twrp are you using? I'm using one from 2 years ago -- 3.2.3 and never wanted to bother with the Pie one 3.3 or whatever is latest... Might have something to do with it...