Sergey Nivens - Fotolia
How the Intune App Wrapping Tool works for Android
Mobile application wrapping is an effective way to deploy policies that can't normally interact with an app. Learn how IT can use Intune's wrapping tool on Android apps.
IT professionals can use the Microsoft Intune App Wrapping Tool for Google Android to add new functionality to a line-of-business app without changing any code of the app itself.
Like the name suggests, the Intune App Wrapping Tool creates a wrapper around LOB apps, which allows IT to apply app protection policies through Intune. This layer is exclusively for management purposes, and it allows IT to deploy enterprise mobility management policies directly to an app that was not compatible with the EMM tool natively.
The rules and best practices for app wrapping are different for Android and iOS, so Android admins must understand the device-specific guidelines for Microsoft Intune.
When should IT use the Intune App Wrapping Tool on Android?
Before IT can use the App Wrapping Tool, it must ensure that the LOB app is compatible with the desired app protection policies. The ideal method to ensure compatibility would be to integrate the Microsoft Intune App SDK into the LOB app. This method is best suited to the following scenarios:
- The LOB app does not have built-in data or app protection features.
- The LOB app is externally developed, or the source code of the LOB app is not available.
- The LOB app is only deployed internally.
- The LOB app has minimal user authentication experiences.
- The LOB app was created with the Apache Cordova development platform.
IT shouldn't try to perform app wrapping until the following requirements are in place:
- The App Wrapping Tool must run on a computer with Windows 7 or later.
- The App Wrapping Tool requires the Java Runtime Environment.
- The LOB app must be a valid Android app package (APK) that is not encrypted, not previously wrapped and is written for Android 4.0 or later.
- The LOB app must be owned by the company.
- The LOB app must be signed.
Set up the Intune App Wrapping Tool
Once IT ensures that the requirements for the App Wrapping Tool are in place, it can install the tool on a Windows device with the following steps:
- Download the App Wrapping Tool installation file, InstallAWT.exe, from Github.
- Open InstallAWT.exe to open the Microsoft Intune App Wrapping Tool for Android dialog box.
- On the Please read the Microsoft Intune App Wrapping Tool for Android License Agreement page, select I accept the terms of the License Agreement and click Next.
- On the Please choose where you would like to install the Microsoft Intune App Wrapping Tool for Android page, leave the default and click Install.
- On the Thank you for installing the Microsoft Intune App Wrapping Tool for Android page, click
IT must use the following two commands to import the PowerShell module and complete the setup.
First, open Windows PowerShell as an administrator and navigate to the installation directory of the Microsoft Intune App Wrapping Tool for Android.
cd C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool
Next, import the App Wrapping Tool PowerShell module.
Import-Module .\IntuneAppWrappingTool.psm1
Using of the App Wrapping Tool PowerShell module
The imported App Wrapping Tool PowerShell module enables the Invoke-AppWrappingTool command. IT can use that command to wrap an app and deploy the parameters as documented below.
| Property | Value | Status | Description |
| InputPath | String | Required | Path of the input Android app |
| OutputPath | String | Required | Path of the output Android app |
| KeyStorePath | String | Required | Path to the keystore file |
| KeyStorePassword | SecureString | Required | Password to decrypt the keystore |
| KeyAlias | String | Required | Name of the key |
| KeyPassword | SecureString | Required | Password to decrypt the key |
| SigAlg | SecureString | Optional | Name of the signature algorithm |
| UseMinAPILevelForNativeMultiDex | Flag | Optional | Flag to increase the Android app's minimum API level to 21 |
IT can then wrap an app by using the Invoke-AppWrappingTool command with the following steps.
First, open Windows PowerShell as an administrator. Next, run the Invoke-AppWrappingTool command.
Invoke-AppWrappingTool -InputPath "C:\Temp\<YourAppName>.apk" -OutputPath "C:\Temp\<YourWrappedAppName>.apk" -KeyStorePath "C:\Program Files\Java\jre<YourJREVersion>\bin\<YourKeyStoreName>.keystore" -KeyAlias <YourKeyStoreAlias>
Note: When no keystore is available on the Windows device, IT can create a keystore by using keytool.exe that is available in the Java Runtime Environment installation directory.
Then, provide the value for the KeyStorePassword and the KeyPassword parameters, when requested.
