Which is better, a Microsoft managed work profile or Microsoft apps directly in my owner profile?

I’m considering downloading Outlook and Teams on my phone again for work in order to stay more in touch during off hours. The Outlook web app inherently doesn’t come with notifications, which would be important, and there is no Teams mobile web app as far as I have found.

One option I’m considering is to just download them directly on my main profile and let Mullvad’s custom DNS take care of as many trackers as it can. It gives me notifications, but otherwise I’m still worried about what Microsoft may be able to get despite the mitigation I have.

The other option I’m thinking is to use Microsoft’s Company Portal app to create a work profile and keep those apps there. The benefit is that I have a work profile now to compartmentalize those apps and keep them from my main profile. The con is that it’s a Microsoft app that I’m using to manage this, so does it matter at the end of the day?

I’m using Exodus to see what the situation seems to be regarding trackers and permissions. Seems like Company Portal is at least better than Outlook and Teams. Might even consider Outlook Lite as it seems more private than regular Outlook. However, it’s all Microsoft at the end of the day.

Another consideration is that I’m already using Microsoft Authenticator on my main profile. So am I already out of luck regardless of which way I go?

Last thing: why not use Shelter? While I personally might be fine with using Shelter, I don’t want to submit my employer to a device admin that they do not know or trust. I don’t know if that’s a big deal, but I would rather keep a third party out of this for my actual work apps.

My threat model is primarily focused on avoiding bad actors like scammers, hackers, getting caught up in data breaches, and preserving my privacy from the average person like by avoiding doxxing. Where I can go above and beyond to be private against companies I do what I can.

Using stock Android on a Google Pixel 6.

Why not set up Intune inside a new user profile? Keeps it more segmented.

I would like to avoid using a new user profile because then I don’t get the notifications from my owner profile. I’m using stock Android so I don’t get the GrapheneOS feature of getting notifications from all profiles. If I’m going to manually check then I would settle for manually checking the web app.

I think the other options differ a lot based on the company and configuration. Many MDM solutions have remote wipe and admin features. Something I wouldn’t want any company to have control over. I wonder why not use the web app and enable notifications there?

Most companies I worked for do not allow login to Outlook without some VPN or managed solution.

Also, as from someone who is also a workaholic, make sure to take time off and take good care of yourself!

Forgot to ask, why not install GrapheneOS? Your phone is supported? It’s not like you will have to compromise something. It will solve your issue and give you more control.

Well, today I learned that I can get notifications from web apps! I experimented with the Outlook web app and it does seem to work like how I would want. I’ll try this out for a bit to see how it works out for me. One feature that I like about the native Outlook app is that you can time when you get notifications so that you don’t get any on your phone during office hours (because my work computer will also be notifying me) but then start getting them after 5:00. Still no Teams web app, though, so that’s a tradeoff.

I don’t want to get into too much, but I’m not ready to risk installing Graphene on my only phone. Maybe one day I’ll muster the courage, but not yet. I’m afraid of messing something up.

Installing GrapheneOS is really easy: Web installer | Install | GrapheneOS. I am confident you can do this. And you can always ask here or in their forums or Matrix room for help!

I think in Android with DND you should be able to control notifications per website as well. At least from Chromium browsers as they all get their own category. But native is easier for sure.

In case you haven’t resolved this already, I don’t think it’s an issue to just keep them on main profile. If you turn off the permissions that aren’t necessary, it likely can’t snoop on your other apps or anything. Work profile would use up more battery if it is active all the time.

This is probably not what you want to hear, but I will tell you anyways: If this is your own personal phone, you simply should not install work apps on it. If your employer is ever in legal trouble for example, this makes your personal devices fair game to be subpoenaed, confiscated as evidence, etc. Personal and work data should never be mixed.

Also: Shelter operates entirely locally (unlike most MDMs like Microsoft Intune’s Company Portal) so there isn’t risk there. Not any more risk than your employer allowing work apps to be installed on a personal device in the first place, anyways.