Just installed GOS on my phone, really like it. I want to know how GOS users setup their profiles to learn from them. So far, i found out the followings:
-
everything in Owner
-
leave Owner blank. Put everything in another profile names User.
-
leave Owner blank. Put all Google stuff in user Google. Put all FOSS app in FOSS user. Put all bank stuff under Sensitive user.
-
use Owner as an app repo. So install Google Play, Acrescent, Fdroid. Install apps from there, but dont use them. Instead, when create new user, push those apps from Owner. This is similar to Side of Burritos on Youtube.
anything different?
Everything in Owner and a secondary phone for all proprietary work and communication apps. The secondary phone is powered off or at least disconnected once I leave work. Google stuff and banking through a computer browser whenever possible.
If I were forced to use only one phone, the secondary phone’s contents would be on a secondary profile. This used to be my setup but switching between profiles throughout the day wasn’t my thing.
Everything in owner because I don’t understand the implications well enough to do otherwise (so thanks for the thread).
Same. I need to step my game up! Profiles don’t look that hard, just something to learn 🙂
Default.
Thank you. I can’t inform a response, but your question is very helpful for me with limited / low level ideas and poised to jump to GOS.
One profile on a 6a. If I had a Google account, I would likely have a second profile.
Most apps come from Github through Obtainium, I also use F-Droid, and a few get updated from Aurora Store.
I noticed a month ago that some apps aren’t being updated in Accrescent - Fdroid had a more up-to-date version for a few apps. I heard they have a funding issue which is probably why. Just something to be aware of.
The apps I have on board, that aren’t privacy respecting, either have their network access blocked or are disabled until I need them. These are Amazon Shopping, Roamless (data esim), and Sound Connect (Sony BT headphones).
No Google account but I do run Sandboxed Google Play for the notifications. Only two apps use the notifications through SGP - Signal and Protonmail but of which have taken steps to conceal the contents of the message from Google.
I have a Duress pin set. If being brute forced, the pin I set will likely be entered before my real pin and wipe the phone.
I mostly use a fingerprint for unlock so no one can see my pin while in public spaces. I also avoid unlocking if anyone is too close to me.
Phone stays in airplane mode most of the time to avoid cell tower triangulation. Using a voip phone service makes it possible to make and receive phone calls without cell towers being involved. My voip provider is very kyc but I do plan on switching to JMPChat soon.
Reboot is set for 8 hours.
If I disable the microphone I can never enable it quick enough to answer an incoming call so don’t turn it off system-wide but do deny for apps that don’t need it.
Disabling the camera permission system-wide has forced me to wait a very long time, after enabling the permission, before I can take a photo. I leave this permission on and just deny for apps that don’t need it.
I typically connect to public and home wifi so I leave this on.
My headphones are bluetooth (I can’t stand using a cable) so BT stays on.
Global PS is an incoming signal so I leave this on. GOS is transmitting a ton of data to Google so I don’t see the risk. Doesn’t seem to drain much power. Only really needed for my map app.
I have the main owner profile for my main Foss apps then the work profile for apps that need the play store. I normally leave my work profile paused and unpause it when I need to use an app. None of the apps in the work profile require notifcations so its fine.
I have everything in Owner profile (including Sandboxed Google Play)
deleted by creator
One profile. No Google sandbox stuff. All open source programs.
On my work Pixel tablet I have a home profile as owner with Aurora store just to be able to load it on the other profile. Then a secondary “work” profile with all the bloat
You might also consider the new private space feature depending on your needs: https://www.youtube.com/watch?v=G94V5I2xH1E
Eagerly awaiting multiple private spaces so I can move everything to owner profile.
I have a work profile for my work stuff. All my personal stuff is on Owner.
Currently everything in owner, with banking apps in my private space.
I was tempted by the idea of owner as an app repo but the private space is only available in the owner profile.
Someone else in this thread mentioned they were using another device for their app repo and sideloading from there. That’s an intriguing idea for keeping even sandboxed Google off my owner profile. An idea for the future maybe.
In standard Android yes, but on GrapheneOS has 1 (one) private space per profile.
do you use a different Google account to download the bank app? or no Google at all in private space, and instead push an app downloaded from main?
A different google account in the private space.
This thread is illuminating and makes my GOS use feel very pedestrian. I just use a single profile, I keep everything off my default and only enable what I need when I need it (GPS for instance which is rare) and then disable again, and I have no accounts logged in to anything on my phone.
I do…
Owner - these are the apps I daily drive.
Work - all work stuff lives here.
Google - apps that require the playstore.
I thought about using my owner profile as a hub for app stores and then a 2nd profile as my main profile but I found the 2nd profiles a bit unreliable in terms of receiving calls and texts.
Owner profile for main use, shelter w play services for apps that need them.
I also keep a Duress pin enabled which i have written down inside the phones case, so if Anyone “finds” my phone and tries to unlock it they will just end up wiping it.
The downside of letting someone wipe your phone is they can then sell the phone. It’s a lot harder to pawn a “found” phone if it is locked.
You can always wipe it without the duress pin
Doesn’t a stock android need to unlocked before it can be wiped? I doubt if GOS would remove that security feature.
That is not the case in my experience. At the very least, you can wipe it from recovery without unlocking it.
I suppose its possible it varies between manufacturers, but I would be surprised because they don’t want the hardware to be useless if you forget the pin immediately after you set it.
Factory Reset Protection
"On modern Android phones, there shouldn’t be any problems as long as you choose to factory reset your phone through its settings. This will automatically remove all the associated accounts in a way that “frees” the phone from FRP. If you try to reset a phone through the bootloader, FRP will kick in, and it can’t be set back up without the previous account’s password.
I assume if I tried to reset through the bootloader the phone would become a paperweight as there isn’t a Google account on my phone. No password to enter. I’m just going by what android central says, haven’t tried it myself. Sounds like you have more experience with this.
https://www.androidcentral.com/factory-reset-protection-what-you-need-know
I was unaware of this. I have never run into that issue, but I’ve never used the bootloader to reset a phone that is associated with my google account.
I would assume not having a google account associated with the phone would disable FRP making it a non-issue, but I’m clearly not an expert as I didn’t know this existed
I decided to check grapheneos.org and found out that a gos phone does not have frp.
GrapheneOS doesnt have FRP due to it being exclusively a google service (it requires signing in to the previously used google account that was used before the reset)
Afaik there isnt any equivalent service available to GOS, although it probably could be technically possible.
