Sergey Nivens - Fotolia

Tip

How the Intune App Wrapping Tool works for Android

Mobile application wrapping is an effective way to deploy policies that can't normally interact with an app. Learn how IT can use Intune's wrapping tool on Android apps.

IT professionals can use the Microsoft Intune App Wrapping Tool for Google Android to add new functionality to a line-of-business app without changing any code of the app itself.

Like the name suggests, the Intune App Wrapping Tool creates a wrapper around LOB apps, which allows IT to apply app protection policies through Intune. This layer is exclusively for management purposes, and it allows IT to deploy enterprise mobility management policies directly to an app that was not compatible with the EMM tool natively.

The rules and best practices for app wrapping are different for Android and iOS, so Android admins must understand the device-specific guidelines for Microsoft Intune.

When should IT use the Intune App Wrapping Tool on Android?

Before IT can use the App Wrapping Tool, it must ensure that the LOB app is compatible with the desired app protection policies. The ideal method to ensure compatibility would be to integrate the Microsoft Intune App SDK into the LOB app. This method is best suited to the following scenarios:

  • The LOB app does not have built-in data or app protection features.
  • The LOB app is externally developed, or the source code of the LOB app is not available.
  • The LOB app is only deployed internally.
  • The LOB app has minimal user authentication experiences.
  • The LOB app was created with the Apache Cordova development platform.

IT shouldn't try to perform app wrapping until the following requirements are in place:

  • The App Wrapping Tool must run on a computer with Windows 7 or later.
  • The App Wrapping Tool requires the Java Runtime Environment.
  • The LOB app must be a valid Android app package (APK) that is not encrypted, not previously wrapped and is written for Android 4.0 or later.
  • The LOB app must be owned by the company.
  • The LOB app must be signed.

Set up the Intune App Wrapping Tool

Once IT ensures that the requirements for the App Wrapping Tool are in place, it can install the tool on a Windows device with the following steps:

  1. Download the App Wrapping Tool installation file, InstallAWT.exe, from Github.
  2. Open InstallAWT.exe to open the Microsoft Intune App Wrapping Tool for Android dialog box.
  3. On the Please read the Microsoft Intune App Wrapping Tool for Android License Agreement page, select I accept the terms of the License Agreement and click Next.
  4. On the Please choose where you would like to install the Microsoft Intune App Wrapping Tool for Android page, leave the default and click Install.
  5. On the Thank you for installing the Microsoft Intune App Wrapping Tool for Android page, click

IT must use the following two commands to import the PowerShell module and complete the setup.

First, open Windows PowerShell as an administrator and navigate to the installation directory of the Microsoft Intune App Wrapping Tool for Android.

cd C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool

Next, import the App Wrapping Tool PowerShell module.

Import-Module .\IntuneAppWrappingTool.psm1

Using of the App Wrapping Tool PowerShell module

The imported App Wrapping Tool PowerShell module enables the Invoke-AppWrappingTool command. IT can use that command to wrap an app and deploy the parameters as documented below.

Property Value Status Description
InputPath String Required Path of the input Android app
OutputPath String Required Path of the output Android app
KeyStorePath String Required Path to the keystore file
KeyStorePassword SecureString Required Password to decrypt the keystore
KeyAlias String Required Name of the key
KeyPassword SecureString Required Password to decrypt the key
SigAlg SecureString Optional Name of the signature algorithm
UseMinAPILevelForNativeMultiDex Flag Optional Flag to increase the Android app's minimum API level to 21

IT can then wrap an app by using the Invoke-AppWrappingTool command with the following steps.

First, open Windows PowerShell as an administrator. Next, run the Invoke-AppWrappingTool command.

Invoke-AppWrappingTool -InputPath "C:\Temp\<YourAppName>.apk" -OutputPath "C:\Temp\<YourWrappedAppName>.apk" -KeyStorePath "C:\Program Files\Java\jre<YourJREVersion>\bin\<YourKeyStoreName>.keystore" -KeyAlias <YourKeyStoreAlias>

Note: When no keystore is available on the Windows device, IT can create a keystore by using keytool.exe that is available in the Java Runtime Environment installation directory.

Then, provide the value for the KeyStorePassword and the KeyPassword parameters, when requested.

Next Steps

Everything IT needs to know for the end of Hybrid Intune MDM

Deploy apps with Intune for Android and iOS

Dig Deeper on Mobile management

Networking
Unified Communications
Security
Close