- Article
- 7 minutes to read
Use the Microsoft Intune App Wrapping Tool for Android to change the behavior of your internal Android apps by restricting app functionality without changing the app's code itself.
The tool is a Windows command-line application that runs in PowerShell and creates a wrapper around your Android app. After the app is wrapped, you can change the functionality of the app by configuring itMobile Application Management Policiesat Intune.
Check before you run the toolSecurity considerations for running the App Wrapping Tool. To download the tool, go toMicrosoft Intune App Wrapping Tool for Androidon GitHub.
note
If you're having trouble using the Intune App Wrapping Tool with your apps, submit anPlease supporton GitHub.
You must run the App Wrapping Tool on a Windows computer running Windows 7 or later.
Your input app must be a valid Android application package with an .apk file extension and:
- It cannot be encrypted.
- It must not have been previously wrapped by the Intune App Wrapping Tool.
- It must be written for Android 9.0 or higher.
note
If your input app is an Android App Bundle (.aab), you must convert it to an APK before using the Intune App Wrapping Tool. For details seeConvert Android App Bundle (AAB) to APK. Ab August 2021,New private apps can still be published as APKs in the Google Play Store.
(Video) How to Wrap a LOB App for MacOS with Microsoft Endpoint Manager (Intune)The app must be developed by or for your company. You cannot use this tool for apps available on Google Play Store. This includes downloading or obtaining the app from the Google Play Store.
To run the App Wrapping Tool, you must install the latest version ofJava Runtime Environmentand then make sure the Java path variable has been set to C:\ProgramData\Oracle\Java\javapath in your Windows environment variables. For more help seeJava Documentation.
note
In some cases, the 32-bit version of Java can cause memory problems. It's a good idea to install the 64-bit version.
For Android, all app packages (.apk) must be signed. ForreuseFor existing certificates and general instructions for signing certificates, seeReuse signing certificates and package apps. After you wrap the .apk file with the Intune App Wrapping Tool, it is recommended to use itThe Apksigner tool provided by Google. This ensures that your app can launch properly by Android standards once it hits end-user devices.
(Optional) Sometimes an app will reach the Dalvik Executable (DEX) size limit due to the Intune MAM SDK classes added during wrapping. DEX files are part of the composition of an Android app. The Intune App Wrapping Tool automatically handles DEX file overflow during wrapping for apps with a minimum API level of 21 or higher (as ofv. 1.0.2501.1). For apps with a minimum API level of < 21, it would be best to increase the minimum API level using the wrapper
-UseMinAPILevelForNativeMultiDexFlag. For customers unable to increase the app's minimum API level, the following DEX overflow workarounds are available. In certain organizations, this may require working with whoever is compiling the app (i.e. the app build team):- Use ProGuard to remove unused class references from the app's primary .dex file.
- For customers using Android Gradle Plugin version 3.1.0 or later, disable theD8 dexer.
Install the App Wrapping Tool
Of theGitHub-Repository, download the InstallAWT.exe installer file for the Intune App Wrapping Tool for Android onto a Windows computer. Open the installation file.
Accept the license agreement and complete the installation.
(Video) #IntuneNugget 24- Basics of Intune SDK Integration and App Wrapping
Make a note of the folder where you installed the tool. The default location is: C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool.
Important
Intune periodically releases updates to the Intune App Wrapping Tool. Check the regularlyIntune App Wrapping Tool for Androidfor updates and integration into your software development release cycle to ensure your apps support the latest app protection policy settings.
On the Windows computer where you installed the App Wrapping Tool, open a PowerShell window.
From the folder where you installed the tool, import the App Wrapping Tool PowerShell module:
Import-Modul .\IntuneAppWrappingTool.psm1Run the tool usinginvoke-AppWrappingToolCommand that has the following usage syntax:
Invoke-AppWrappingTool [-InputPath] <String> [-OutputPath] <String> [<CommonParameters>]The following table lists the properties of theinvoke-AppWrappingToolCommand:
| Property | Information |
|---|---|
| -Input path<string> | Path of Android source app (.apk). |
| -Output path<string> | Path to the output Android app. If this is the same directory path as InputPath, packaging will fail. |
| <CommonParameters> | (Optional) The command supports common PowerShell parameters such as verbose and debug. |
For a list of common parameters, seeMicrosoft Script Center.
Enter the following command to view detailed usage information for the tool:
Hilfe Invoke-AppWrappingTool
Example:
Import the PowerShell module.
Import-Modul „C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1“Run the App Wrapping Tool on the native app HelloWorld.apk.
invoke-AppWrappingTool -InputPath .\app\HelloWorld.apk -OutputPath .\app_wrapped\HelloWorld_wrapped.apk -AusführlichThe wrapped app and a log file are generated and saved to the specified output path.
How often should I rewrap my Android application with the Intune App Wrapping Tool?
The main scenarios where you would need to repackage your applications are as follows:
The application itself has released a new version. The previous version of the app was wrapped and uploaded to the Microsoft Endpoint Manager admin center.
The Intune App Wrapping Tool for Android has released a new version that enables important bug fixes or new Intune-specific features for application protection policies. This happens every 6-8 weeks via the GitHub repo for theMicrosoft Intune App Wrapping Tool for Android.
Some best practices for repackaging are:
- Maintaining signing certificates used during the build process, seeReuse signing certificates and package apps
Reuse signing certificates and package apps
Android requires all apps to be signed with a valid certificate in order to be installed on Android devices.
Wrapped apps can be signedafterWrap with your existing signing tools (all signing information in the app before wrapping is discarded). If possible, the signature information already used during the build process should be used during wrapping. In certain organizations, it may be necessary to work with the owner of the keystore information (i.e. the app build team).
If the previous signing certificate cannot be used or the app has not yet been deployed, you can create a new signing certificate by following the instructions inAndroid developer guide.
If the app was previously deployed with a different signing certificate, the app fails to upload to Intune after the upgrade. App upgrade scenarios will be broken if your app is signed with a different certificate than the one the app was built with. Therefore, any new signing certificates for app upgrades should be retained.
To prevent potential spoofing, information disclosure, and privilege escalation attacks:
Ensure that the input line-of-business (LOB) application and the output application are on the same Windows computer running the App Wrapping Tool.
Import the output application into Intune on the same computer running the tool. Seekey toolfor more about the Java keytool.
If the output application and the tool are in a Universal Naming Convention (UNC) path and you are not running the tool and the input files on the same computer, set up the environment using secureInternet Protocol Security (IPsec)orSMB-Signatur (Server Message Block)..
Make sure the application is from a trusted source.
Backup the output directory with the wrapped app. Consider using a user-level directory for output.
Convert Android App Bundle (AAB) to APK
The Intune App Wrapping Tool currently only supports APK input. Android app bundles must first be converted to an APK to be used with the tool.
An Android app bundle can be converted into an APK withGoogle's command line tool,bundle tool. The latest version ofBundle-Toolcan be downloaded from GoogleBundletool GitHub-Repo.
bundle toolcan be used to create a single universal APK for use with the Intune App Wrapping Tool with the following command:
bundletool build-apks --bundle=input.aab --mode=universal --output=input.apksDie.apksOutput file is a ZIP archive containing a single universal APK file. Unzip the archive and use this APK file as input to the Intune App Wrapping Tool.
See also
Decide how to prepare apps for mobile application management with Microsoft Intune
(Video) How to Wrap Android Apps using the Command Line with CA App Experience AnalyticsMicrosoft Intune App SDK for Android Developer Guide