As I observe more and more problems with apps containing root detection (which is a pity, it’s my phone) and refuse to work (banking apps etc.) I consider locking the bootloader and doing a fresh CalyxOS installation (currently on 5.11.3).
My guess is that I should do this via Install on Fairphone 4, correct? Does the device-flasher contain a re-locking step? Do I have to remove Magisk before doing a re-flash?
Will a D2D-backup via SeedVault work (does the flasher touch my SD-Card; not formatted as internal storage)?
Yes, it will check get_unlock_ability and offer to relock it afterwards.
The installer wipes the whole phone so that shouldn’t be necessary.
Depends on the apps you have installed, something like Signal for example won’t get backed up that way. You can create a work profile and try to restore your backup there to check if everything works.
No, external storage doesn’t get wiped. But since you can easily take it out and create a backup (or adb pull it) I’d always do that before a potentially destructive operation, one can’t have too many backups.
One last note regarding that part if you haven’t tried it yet. For me installing those apps in a work profile without the Magisk app + enabling Zygisk/DenyList was enough, but depending on the app it might not be.
That’s to be expected, the first boot into proper Android resets the value to 0. Which is why some people like to enable OEM unlocking in the settings again after locking the bootloader so you don’t lock yourself out (but the device can then also be reflashed if it gets stolen).
You don’t need to reflash stock, installing CalyxOS (or any full factory images) will also get it back to 1 again, it’s the frp partition that’s responsible for that iirc.
The Calyx installer will also not let you continue locking if it’s still 0 so you are on the safe side. Just don’t boot into full Android and don’t lock it manually.
Sure. You have to enable the work profile in the settings, enable Aurora Store and microG for it but don’t select the Magisk app (don’t forget to turn on Google device registration and Google SafetyNet in the microG settings in your work profile). Then install the apps you need from your work profile Aurora Store.
Before you start any of them open the Magisk app in your regular profile, enable Zygisk and Enforce DenyList in the settings and mark those apps as enabled under Configure DenyList.
That’s a shame. Worked for my government ID app and my health insurance, but some other apps still detect it, it’s a trial-and-error solution…
If you don’t need a specific DNS server / specific filter list (I do sadly) you can just set dns.adguard-dns.com or one of the other adblocking DNS as your private DNS server. That gets you a similar blocking level as a default AdAway installation.
Yeah, sorry, it’s been a while since I had to activate mine, it’s not in the settings. You just need to open the app called Work Profile from your app launcher.
CalyxOS has a built-in work profile feature, I wouldn’t recommend using a 3rd party app in this case.
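
The pre-lock check discussed in the replies above (read get_unlock_ability and do not lock while it is 0), written out as a shell example added here; it is not the CalyxOS device-flasher's code. The function names, the `--device` switch and the assumed `(bootloader) get_unlock_ability: N` output shape are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: gate a bootloader re-lock on get_unlock_ability.

# Extract the numeric value from `fastboot flashing get_unlock_ability` output.
# Assumed line shape: "(bootloader) get_unlock_ability: 1"
parse_unlock_ability() {
    printf '%s\n' "$1" |
        sed -n 's/.*get_unlock_ability:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit status 0 only when the value is exactly 1; 1 when it is 0;
# 2 when the value could not be read (treated as "do not lock").
safe_to_lock() {
    value=$(parse_unlock_ability "$1")
    case "$value" in
        1) return 0 ;;
        0) echo "get_unlock_ability is 0: do not lock, you could lock yourself out" >&2
           return 1 ;;
        *) echo "could not read get_unlock_ability: do not lock" >&2
           return 2 ;;
    esac
}

# Query a device that is in fastboot mode (both output streams captured).
check_device() {
    out=$(fastboot flashing get_unlock_ability 2>&1) || {
        echo "fastboot call failed" >&2
        return 2
    }
    safe_to_lock "$out"
}

# Constructed sample outputs, not captured from a real device.
SAMPLE_OK='(bootloader) get_unlock_ability: 1
OKAY [  0.001s]
Finished. Total time: 0.001s'
SAMPLE_ZERO='(bootloader) get_unlock_ability: 0
OKAY [  0.001s]'

# Only touch a real device when asked to: sh check.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device && echo "get_unlock_ability is 1: OK to run fastboot flashing lock"
fi
```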