top of page

Mobile application management policies with Microsoft Intune: Android

Microsoft Intune's mobile application management policies enable you to modify the functionality of apps that you deploy to adhere to your company's compliance and security policies. Managed apps can be configured to restrict cut, copy, and paste, or to open all web links in a managed browser.

An Intune mobile application management policy is not deployed directly. The policy is associated with the app you want to restrict. App settings are incorporated when the app is deployed and installed on devices.

Software Development Kit (SDK) of Microsoft Intune is required for an app to be restricted. Apps of this type can be obtained via two methods:

  • Policy managed appApps support the Core Intune App Protection Policy settings and are also capable of supporting advanced App Protection Policy

  • Wrapped app - By using the Microsoft Intune App Wrapping Tool, apps can be repackaged to include the App SDK. In-house company applications are typically processed using this tool. Downloaded apps from the App Store cannot be processed using it

Intune MAM can be enabled by wrapping applications with the tools below

Microsoft Intune App Wrapping Tool for Android lets you customize the behavior of your in-house Android apps without modifying the code.

An application running in PowerShell and creating a 'wrapper' around your app is the tool. After the app has been processed, you can then modify its functionality with an Intune policy for mobile applications

Before you can go ahead and wrap your LOB app, there’s a few prerequisites that needs to be taken care of first.

  • You must run the app wrapping tool on a Windows computer running Windows 7 or later.

  • Your input app must be a valid Android application package with the extension .apk file and:

  • Cannot be encrypted

  • Must not have already been wrapped by the app wrapping tool

  • Must be written for Android 4.0 or later

  • The app must be developed by, or for your company. You cannot use this tool to process apps downloaded from the Google Play Store.

To run the app wrapping tool, you must install the latest version of the Java Runtime Environment and then ensure that the Java path variable has been set to C:\ProgramData (x86)\Java\jre”xxxx” in your Windows environment variables.

Install the app wrapping tool

  • Download the Intune App Wrapping Tool for Android

  • You will find an option to accept the license terms when you install the application.

  • Click Install and let the tool be installed in its default location.

Note the folder to which you installed the tool. The default location is: C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool.

App signing - In case your app is not initially signed by developer

Android requires all app packages (.apk) to be signed. For reusing existing certificates and overall signing certificate guidance, see Reusing signing certificates and wrapping apps. The Java executable keytool.exe is used to generate new credentials needed to sign the wrapped output app. Any passwords that are set must be secure but make a note of them because they're needed to run the App Wrapping Tool.

Copy Zipalign.exe file

1. After download and install android SDK Tool.

2. Go to folder Android sdk: “C:\Program Files (x86)\Android\android-sdk\build-tools\29.0.3”.

3. Copy file Zipalign.exe

4. Paste to folder “C:\Program Files\Java\jre1.8.0_301\bin”.

Launch command prompt in Admin mode

You can generate the keystore by running the below command, then specify the password and its validity by running the following command.

keytool.exe -genkey -v -keystore Test.keystore -alias Test -keyalg RSA -keysize 2048 -validity 50000

**Always remember the password you have set during the above command

Import the app wrapping tool PowerShell module by running the following command

Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

Run below command to start wrapping process, please change the path mentioned in bold as per your location

1) If your apk file is already signed or you received from developer a signed version, directly start the wrapping process

Invoke-AppWrappingTool -InputPath "C:\Users\Sumit\Desktop\Wrapping\Source\Test.apk" -OutputPath "C:\Users\Sumit\Desktop\Wrapping\Target\Test_wrapped.apk"

2) In case your apk needs a signing version then run below command

Invoke-AppWrappingTool -InputPath "C:\Users\Sumit\Desktop\Wrapping\Source\Test.apk" -OutputPath "C:\Users\Sumit\Desktop\Wrapping\Target\Test_wrapped1.apk" -KeyStorePath "C:\Program Files\Java\jre1.8.0_301\bin\Test.keystore" -KeyAlias Test -SigAlg SHA1withRSA -Verbose

Run Below command in case you encountered any error for zip align alignment

zipalign -v 4 Test_Wrapped1.apk Test_Wrapped1-Signed.apk”



bottom of page