Intune App Wrapping Tool

The first blog about Microsoft Intune app-layer protection mentioned that one of the supported features is wrapping your own applications with the Microsoft Intune App Wrapping Tool for iOS, so that you can manage those applications with Mobile Application Management policies. In this second blog in the series, we will have a look at the Microsoft Intune App Wrapping Tool for iOS.

With this blog I want to show two scenarios. One with an application with no policies active and one with the same application that is wrapped with the Microsoft Intune App Wrapping Tool with the mobile application policies active. To be able to do this I have created a very basic application with two “pages” and on each page, there is a text field where I can type text and copy and paste it within the application and beyond.

Meet Notepad 🙂

  1. First, you need to “wrap” all the required files into an Endpoint Manager (Intune) format. To do so, Microsoft has a tool that will “convert” your application into a .intunewin file at the end of the process. The generated .intunewin file contains all compressed and encrypted source setup files and the encryption information to decrypt it.
  2. The Intune App Wrapping Tool does not support Google's v2 and upcoming v3 signature schemes for app signing. After you have wrapped the .apk file using the Intune App Wrapping Tool, the recommendation is to use Google's provided Apksigner tool. This will ensure that once your app gets to end user devices, it can be launched properly by Android.

Page 2 of Notepad

Again, it is a very basic and ugly app, but it does its work 🙂 (Okay, I will try to make it more fancy 😉 )

That being said, when looking at the Microsoft Intune App Wrapping Tool for iOS, you need to be sure that the following prerequisites are in place:

  1. You need to have an Apple Developer Account
  2. You need to have access to a Mac OS X 10.8.5 or later with Xcode
  3. You need to have a Provisioning Profile
  4. You need to have a distribution certificate
  5. Your device needs to be based on iOS 7.01 or later
  6. A developed iOS LOB Application.

Unmanaged Application

So when deploying the standard application via Microsoft Intune, you are able to install it and copy and paste the “Super secret text” between the pages in the Notepad application and for instance the email application within the iOS device.

Create a managed application

So the default created application can be deployed without any problem. What we need to do next is to wrap the Notepad application with the Microsoft Intune App Wrapping Tool to allow management via Microsoft Intune.

You can download the Microsoft Intune App Wrapping Tool for iOS in the right language here. Next, extract the DMG file to a folder from which you can access the IntuneMAMPackager tool. TechNet describes starting the command-line tool as ./IntuneMAMPackager.app/Contents/MacOS/IntuneMAMPackager, but I also extracted the content from the file to be able to access the IntuneMAMPackager file directly.

The IntuneMAMPackager tool has the following parameters that you may need to add to be able to wrap your application.

| Parameter | Description |
|---|---|
| -i | The path and file name of the source application. (mandatory) |
| -o | The path in which to save the wrapped application. (mandatory) |
| -p | The path of your provisioning profile for iOS applications. (mandatory) |
| -c | The SHA1 hash of the signing certificate (Optional). |
| -a | The Client ID of the input app (in GUID format) if the app uses Azure Active Directory Libraries (Optional). |
| -t | The path to a test mobile application management policy file for testing outside of Intune (Optional). |
| -r | Redirect URI of the input app if the app uses Azure Active Directory Libraries (Optional). |
| -v | Verbose messages while wrapping the application. |

For my Notepad application I need to run the following command line at the console of the Mac OS X device:

./IntuneMAMPackager -i ./Notepad-v1.ipa -p XC_Ad_Hoc_.mobileprovisioning -o ./Notepad-wrapped.ipa -c 679cd10b63499c3f89c6edfb07d2e2b80dfb0d

Application wrapped by the Microsoft Intune App Wrapping Tool

Not every IPA file can be wrapped; the wrapping tool cannot wrap the following apps:

  • Encrypted apps
  • Unsigned apps
  • Apps with extended file attributes

Trying to wrap an app that is not signed by Apple
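
A pre-flight check for two of the conditions listed above (unsigned and encrypted apps), as an added example that is not part of the original blog or of the Intune tooling. It assumes the usual IPA layout (a zip with Payload/<name>.app/), treats a missing _CodeSignature/CodeResources as "unsigned" without validating the signature, and reads the Mach-O encryption load command; the extended-attributes condition is not covered, and the function names and sample file are constructed for illustration.

```python
import io
import struct
import zipfile

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slices(data):
    """Return the thin Mach-O images in data (a fat file holds one per arch)."""
    if len(data) >= 8 and struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        n = min(struct.unpack_from(">I", data, 4)[0], (len(data) - 8) // 20)
        archs = struct.iter_unpack(">5I", data[8:8 + 20 * n])
        return [data[off:off + size] for _, _, off, size, _ in archs]
    return [data]

def is_encrypted(data):
    """True if any slice has LC_ENCRYPTION_INFO(_64) with a non-zero cryptid."""
    for img in slices(data):
        magic = struct.unpack_from("<I", img)[0] if len(img) >= 32 else 0
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            continue  # not a little-endian Mach-O: plist, image, nib, ...
        left = struct.unpack_from("<I", img, 16)[0]   # ncmds
        pos = 32 if magic == MH_MAGIC_64 else 28      # size of the header
        while left and pos + 20 <= len(img):
            cmd, size, _, _, cryptid = struct.unpack_from("<5I", img, pos)
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and cryptid:
                return True
            pos, left = pos + max(size, 8), left - 1  # always make progress
    return False

def preflight(ipa_bytes):
    """Return which 'cannot wrap' conditions this IPA appears to meet."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = [n for n in ipa.namelist() if n.startswith("Payload/")]
        signed = any(n.endswith(".app/_CodeSignature/CodeResources") for n in names)
        encrypted = any(is_encrypted(ipa.read(n)) for n in names)
    return [k for k, bad in (("unsigned", not signed), ("encrypted", encrypted)) if bad]

def sample_ipa(cryptid, signed):
    """Constructed input: a minimal IPA holding one fake arm64 Mach-O."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    macho = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Notepad.app/Notepad", macho)
        if signed:
            z.writestr("Payload/Notepad.app/_CodeSignature/CodeResources", b"")
    return buf.getvalue()
```

Running preflight() on the bytes of an IPA before calling IntuneMAMPackager gives an early, readable reason for a wrap that would otherwise fail.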

In the next blog we will add the application to Microsoft Intune, deploy it and have a look at how the Mobile Application Management Policies can be applied to the managed application.

Till next time.

You can enable your apps to use app protection policies by using either the Intune App Wrapping Tool or the Intune App SDK. Use this information to learn about these two methods and when to use them.

Intune App Wrapping Tool

The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy. When protecting an app provided by an independent software vendor (ISV) it's important to clarify if the ISV will still support the wrapped app.

You don't need the source code to use the tool, but you do need signing credentials. For more about signing credentials, see the Intune blog. For the App Wrapping Tool documentation, see Android App Wrapping Tool and iOS App Wrapping Tool.

The App Wrapping Tool does not support apps in the Apple App Store or Google Play Store. It also doesn't support certain features that require developer integration (see the following feature comparison table).

For more information about the App Wrapping Tool for app protection policies on devices that are not enrolled in Intune, see Protect line-of-business apps and data on devices not enrolled in Microsoft Intune.

Important

Intune regularly releases updates to the Intune App Wrapping Tool. Regularly check the Intune App Wrapping Tool repositories for updates and incorporate into your software development release cycle to ensure your apps support the latest App Protection Policy settings.

Reasons to use the App Wrapping Tool

  • Your app does not have built-in data protection features
  • Your app is deployed internally
  • You don't have access to the app's source code
  • You didn't develop the app
  • Your app has minimal user authentication experiences

Supported app development platforms

| App Wrapping Tool | Xamarin | Cordova |
|---|---|---|
| iOS | Yes | Yes |
| Android | No - use the Intune App SDK Xamarin Bindings. | Yes |

Intune App SDK

The App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK, even line-of-business apps.

To learn more about the SDK, see the Overview. To get started with the SDK, see Getting Started With the Microsoft Intune App SDK.

Reasons to use the SDK

  • Your app does not have built-in data protection features
  • Your app is deployed on a public app store such as Google Play or Apple's App Store
  • You are an app developer and have the technical background to use the SDK
  • Your app has other SDK integrations
  • Your app is frequently updated

Supported app development platforms

| Intune App SDK | Xamarin | Cordova |
|---|---|---|
| iOS | Yes - use the Intune App SDK Xamarin Bindings. | No |
| Android | Yes - use the Intune App SDK Xamarin Bindings. | No |

Not using an app development platform listed above?

The Intune SDK development team actively tests and maintains support for apps built with the native Android, iOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit guidance or plugins for app developers using anything other than our supported platforms.

Feature comparison

This table lists the settings that are enabled if an app uses the App SDK or the App Wrapping Tool. Some features require app developers to apply some logic outside of basic integration with the Intune SDK, and as such, are not enabled if the app uses the App Wrapping Tool.

| Feature | App SDK | App Wrapping Tool |
|---|---|---|
| Restrict web content to display in a corporate managed browser | X | X |
| Prevent Android, iTunes, or iCloud backups | X | X |
| Allow app to transfer data to other apps | X | X |
| Allow app to receive data from other apps | X | X |
| Restrict cut, copy, and paste with other apps | X | X |
| Specify the number of characters that may be cut or copied from a managed app | X | X |
| Require simple PIN for access | X | X |
| Specify the number of attempts before PIN reset | X | X |
| Allow fingerprint instead of PIN | X | X |
| Allow facial recognition instead of PIN (iOS only) | X | X |
| Require corporate credentials for access | X | X |
| Set a PIN expiry | X | X |
| Block managed apps from running on jailbroken or rooted devices | X | X |
| Encrypt app data | X | X |
| Recheck the access requirements after a specified number of minutes | X | X |
| Specify the offline grace period | X | X |
| Block screen capture (Android only) | X | X |
| Support for MAM without device enrollment | X | X |
| Full Wipe of app data | X | X |
| Selective Wipe of work and school data in Multi-Identity scenarios. Note: For iOS/iPadOS, when the management profile is removed, the app is also removed. | X | |
| Prevent 'Save as' | X | |
| Targeted Application Configuration (or app config through the 'MAM channel') | X | X |
| Support for Multi-Identity | X | |
| Customizable Style | X | |
| On-demand application VPN connections with Citrix mVPN | X | X |
| Disable contact sync | X | X |
| Disable printing | X | X |
| Require minimum app version | X | X |
| Require minimum operating system | X | X |
| Require minimum Android security patch version (Android only) | X | X |
| Require minimum Intune SDK for iOS (iOS only) | X | X |
| SafetyNet device attestation (Android only) | X | X |
| Threat scan on apps (Android only) | X | X |
| Require maximum Mobile Threat Defense vendor device risk level | X | |
| Configure app notification content for organization accounts | X | X |
| Require use of approved keyboards (Android only) | X | X |
| Require app protection policy (Conditional Access) | X | |

Next steps

To learn more about app protection policies and Intune, see the following topics:

  • Android app wrapping tool
  • iOS app wrapping tool