How to make Advanced Privacy work with work profiles using Shelter

I’ve just installed /e/OS S 1.7 and I’m really into the Advanced Privacy app.
However, I’ve had to install Shelter to use work-related apps like Teams and MS365 accounts. Now, When turning on the Advanced Privacy tracker blocker, the Microsoft apps inside shelter obviously won’t work anymore.
So inside Shelter, I cloned the Advanced Privacy app to configure stuff inside the work profile, which unfortunately doesn’t seem to work since AP doesn’t even recognize the apps that need to be turned off for tracker blocking.

Does anyone have any experience with using AP combined with Shelter / work profiles?

Thanks a lot in advance!

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone

when I looked at this in MS Teams/Outlook/Authenticator inside Shelter there was work to improve the Shelter behaviour -

If you read the gitlab issue on what jacquarg is commenting you’ll get an idea of what the current limitation is… it seems the use-case of “whitelisting a tracker for an app in a work-profile” isn’t accounted for yet

Trackers control: the first Advanced Privacy instance to start is the one which take the control around tracker detection and blocker. It should be the one from Main profile.


(First post, hello forum and please be gentle!)

I’ve been using Shelter on my FP4 for about a month, during which I received the 1.12.3 update. I use it to isolate and freeze a small number of government and state broadcaster apps from the App Lounge because they have lots of background trackers. I’ve learnt a few things:

Recent builds’ Shelter behaviour, general hints

  • Advanced Privacy (AP) is one of the system apps that are cloned to the Work profile when it’s created
  • Right now (1.12.3), the limitations of Advanced Privacy linked to by tcecyk above mean that it’s best to leave AP as [Frozen] in the Work profile:
    • “the first Advanced Privacy instance to start is the one which take the control around tracker detection and blocker”
    • if AP is kept as [Frozen], this ensures it doesn’t start at device reboot
    • Work profile APs currently have confusing and contradictory behaviour for Fake Location and Hide My IP (see the link). I never really want Fake Location, and the apps I keep in my Work profile mostly require real IP to work, so freezing the Work profile’s AP work well for me.
  • I could just delete the Work profile’s Advanced Privacy instead, but it’s possible that its behaviour could improve in a future revision. It serves as a reminder in its current state :wink:

Shelter in 1.12.3, procedure to follow at reboot

The new build’s Advanced Privacy can distinguish between Work profile and Personal profile apps. It displays a little briefcase icon :briefcase: in blue next to the work profile apps, like the rest of the AOSP OS. However there are a couple of oddities:

Bliss Launcher is still very slow to update when an app is un-frozen, and this is confusing.

  • During a session, it’s rare for an unfrozen app’s own icon to appear.
  • They rarely disappear by themselves after an app is frozen, but if you tap one after an app has been frozen, Bliss Launcher will update (crash and restart?) and after that, the icons of recently frozen apps
  • I would really like Bliss to have a refresh button.
  • Bliss doesn’t display the little briefcase marker (see screenshot)

So the Personal profile’s Advanced Privacy can record tracker attempts for apps in the Work profile now! That’s great. However it still seemingly loses track of an app if the app is [Frozen] just before the device restarts. I guess it’s building its little app-tracking database at startup. If you follow the procedure below, however, the Personal profile’s AP can visibly track the autofreeze apps after device restart:

  1. Ensure you have a Batch-Freeze shortcut in your launcher. This shortcut freezes all apps on Shelter’s Auto-Freeze list. It looks like a green circle with 3 "Z"s in it, inside the white border you get for shortcuts in Bliss. To create this shortcut, launch Shelter and:
    • Tap the “3 dots” icon in the top right of the screen
    • Choose Create Batch Freeze Shortcut
    • Your launcher will now have a batch-freeze shortcut labelled Freeze
  2. Each time before you restart the phone, launch Shelter and Unfreeze each app you want AP to know about. In my case, that’s BBC Sounds, BBC iPlayer, and the NHS App.
    • Tap each app’s row in the Shelter tab, and choose Unfreeze from the menu that appears.
    • You don’t need to launch the app. However, its background
  3. Immediately restart the device
    • Hold down the power button
    • Tap Restart
  4. After the device restarts, start AP and confirm that the Work profile apps from Shelter’s auto-freeze list are visible. See the screenshot: they will have little blue suitcases/briefcase icons next to them
    • Some apps will have tried to contact their tracking services at reboot (nosy. BBC Sounds is bad for this)
    • You’ll see those attempted pings listed in AP at this point.
  5. Finally, tap the batch-Freeze icon in the launcher.
    • You may see the native, non-shortcut launcher for the Work app in the Bliss launcher still, at this point.
    • After all the apps have frozen, tap one of their native launchers (no briefcase…). Bliss will restart, as noted above, and the icons will be hidden normally, as you’d expect for a Frozen app.

You will need to restart the phone following this procedure after installation of any new app, because this AP seemingly never updates itself except at device restart.

General management of apps in Shelter

Just a few general things I do with Shelter to make things a little more private, click to unfold
  • “Work” means “nosy”. I keep my work life on my laptop, not on a personal phone.
  • I keep apps with any trackers set to Auto Freeze in a Shelter profile unless they have significant protection themselves (e.g. like Mull with uBlock0)
  • I delete the nosy apps from my Personal profile, and copy App Lounge over from my Personal profile to Work to keep the nosy apps updated inside the Work Profile.
  • It’s a good idea to create "Unfreeze and/or Launch Shortcut"s for each app, since the native icons are not always visible.
  • I use Skip Foreground Apps, since a couple of those overly nosy apps are media players.
  • I tried to put all the “native” launchers into a Shelterized group folder thingy, to reduce clutter on that screen. However, when they get recreated, they’re just dumped on whichever screen they used to be on, but not in the group folder thingy. That seems to be a limitation of Bliss Launcher.


Before and after screenshots, click to unfold

I’m a new user, so I’m only allowed a single media item. So here’s a combined screenshot, description underneath

The first “before reboot” screenshot shows the Shelter tab of the Shelter app. Apps in the Auto-Freeze list are shown at the bottom with a slightly confusing blue background that’s the same as the tabs’ background. The ones that are currently frozen have [Frozen] in front of the app’s name. Currently Advanced Privacy is frozen, and that’s what I’m recommending. So are the “BBC iPlayer”, “BBC Sounds”, and “NHS App” apps.

The two “after reboot” screenshots show what you’ll see if you’re following the procedure outlined above. Things to note:

  • the Freeze shortcut, which you use to re-freeze apps after restart
  • Bliss Launcher doesn’t show the little briefcase/suitcase icon next to the native icon pf an app in the Work profile
  • The native launchers for Sounds, iPlayer, and NHS appear under their “Unfreeze and/or Launch” shortcuts, due to a bug/limitation of Bliss Launcher. They should go where I out them last, in Shelterized, but…
  • After reboot, all apps in the Work Profile (including the normally Frozen ones) are visible in the Personal profile’s Advanced Privacy. Yay!

Update for v1.13+

You don’t need to perform the fiddly 1.12 reboot procedure any more, thank goodness. However, apps that are Frozen in the Work profile don’t show in Advanced Privacy until that are un-Frozen. At this point, Advanced Privacy will show them, and it will display their attempted and thwarted tracks and leaks, but it doesn’t show an icon for them (much change! :upside_down_face:). I guess the story is now that it rebuilds its database after a new app is installed/unfrozen (good!), but doesn’t keep a history of its details after it’s been uninstalled/unfrozen (mix of bad and good…)

AP still counts attempted and thwarted tracks & leaks from those normally-Frozen Work profile apps on its bar graph timeline regardless. It does seem to maintain a proper history there.

1 Like