Advanced Privacy on Microsoft mobile apps

Hi Guys,

This is a topic for which I have seen already multiple comments in this community but I decided to leave this post hoping someone can find an alternative solution.

INTRODUCTION

After a complete de-google-ing process of my entire life, having a de-googled mobile phone with /e/OS was a mandatory task which is now fully completed. However, since I have to use this phone (OnePlus 8 Pro) for work I had to install the following two “terribly hated” mobile apps:

  • MS Outlook Lite (better than the full version as it has a higher privacy score)
  • MS Teams

I already know that if you do not disable the Mobile Engagement option from Advanced Privacy > Manage apps’ trackers for each one of them, you will NOT be able to execute the login, as you will get a message saying that you don’t have an Internet connection. Even if you disable this option, execute the login, and disable it back again, these two apps will certainly remain logged in (you will continue to receive notifications on your phone with actual previews of, respectively, emails from MS Outlook Lite and messages from MS Teams); however, they won’t be able to retrieve any content.

On the other hand, if you DO disable the Mobile Engagement option from Advanced Privacy > Manage apps’ trackers for each one of them, then they WILL start working correctly.

DESCRIPTION OF THE ISSUE

My problem is that once the Mobile Engagement option from Advanced Privacy > Manage apps’ trackers for each one of them is ENABLED, then obviously I started getting leaks (a lot) from both these mobile apps and this is not good at all.

As if this was not enough, these gentlemen from Microsoft ensured that you can’t log in to MS Teams for web (https://teams.microsoft.com/) as you get the following message:

Does anyone have any alternative solution for both mobile apps which does NOT opt for disabling the Mobile Engagement option from Advanced Privacy > Manage apps’ trackers for each one of them? This thing really bothers me.

Thanks in advance and sorry for the long post.

Alternative solution: If work requires you to use certain Apps, they should be prepared to give you a phone for work.

Whatever you configure now, those Microsoft Apps may still fail to work at any given point in time on an OS without the genuine Google services like /e/OS (yes, microG is very good at mimicking Google services, but it has limits).
If it’s not so important that these Apps work all the time, then /e/OS is ok, of course.

2 Likes

Currently, there is no real solution to the problem you’re describing. You simply have to switch on the mobile engagement tracker in order to get these apps to work correctly. The mobile engagement tracker ensures that the mobile device has a proper connection to the Intune with which it makes a synchronization request of one’s work/school account.

This is simply the way the whole system is designed / set up. And unless you convince Microsoft to develop better designed apps, I doubt someone will come up with an alternative solution.

Also, this gets complicated by your system administrator. They can set up all kinds of different policies when it comes to logging and using mobile apps. They can allow you to use browser versions on a mobile phone. Or they can deny it. They can also require additional steps for the apps to work (like using Microsoft Authenticator for notifications and approval of login requests). And so on and so forth.

One alternative solution that I can see is that somebody would develop third party apps. This way, you would download some FOSS Outlook app and the app would serve as a sandbox and would just make requests to the API for you. And there would be no data breach (unless there would be a bug in the FOSS Outlook app). But developing a FOSS app for Outlook or other Microsoft365 apps would depend on Microsoft releasing their API. But as of now, their API is kept behind closed doors.

One possible solution as @AnotherElk suggests is to request a work phone from your IT department. This way, your personal data stays personal and your work data stays in work.

So there is really no choice or alternative to all this. Either you can use the apps on your personal phone with the tracker enabled but with the danger that some of the data will be breached / leaked. Or you request a work phone from your company.

What you think to be leaks are false positives - the Mobile Engagement tracker itself is inactive at the MS end for some time now - https://gitlab.e.foundation/e/backlog/-/issues/5855#note_368607 - it should be archived/deleted in the etip / exodus repository. There’s no harm in “disabling” the tracker in AP. The whole saga could’ve been over or never started if the etip repository had an archival dimension. I did contact them about it but alas… volunteer run is best effort.

As for MS Teams in the browser - I’d look at it with logcat what messages / errors it features at time of login.

1 Like

Thanks @tcecyk.
BTW, I already have a work phone received from my company but the whole idea was to move to my own one, completely degoogled, instead of hanging around with two phones.

Dear @degoogled

I still have problems with Microsoft Apps. If I uncheck just the Mobile Engagement it worked so far, but now I have to uncheck Block Tracker completely. Otherwise it mentions the problem with the missing internet connection. The problem stays with Firefox, therefore I don’t want to disable this option completely.
In MS Admin, Lists and Teams, there are no other Trackers detected. Is this possibly a problem of Advanced Privacy?

Thanks for the help

1 Like

I tested the scenario with the built-in browser. If I uncheck Block Tracker completely, I can log in to Outlook. If I just uncheck the only found Tracker, Mobile Engagement, it is not working.
I unchecked this in Firefox and it is not working.

I’m facing the same problem since the new version of eOS 1.12.
You can comment on this issue here: https://gitlab.e.foundation/e/backlog/-/issues/5855#note_368607

Same problem here!
Disabling ‘Mobile Engagement’ worked for a time, but now only disabling overall Tracking allows the Microsoft Apps to work properly.

Same for me on an S9+, need to disable all the trackers to enable Outlook…

You can disable Advanced Privacy Tracker in total, log in to some Microsoft service, like Outlook, and then reactivate the Tracker Control.
Then it is working for some time.
Not a good solution, but probably a limited workaround and a help to debug.

Thanks for the efforts
