-->
You can enable your apps to use app protection policies by using either the Intune App Wrapping Tool or the Intune App SDK. Use this information to learn about these two methods and when to use them.
Intune App Wrapping Tool
A tool to wrap Windows Classic App and then it can be uploaded to Intune - microsoft/Intune-Win32-App-Packaging-Tool. However, there are occasions where an application you need is not made by Microsoft, is not in the Mac App Store, and is not supported by the Intune line of business App Wrapping Tool. Before we get into the details, it’s important that you understand the supportability of the process we are about to discuss.
The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps. The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy. When protecting an app provided by an independent software vendor (ISV) it's important to clarify if the ISV will still support the wrapped app.
You don't need the source code to use the tool, but you do need signing credentials. For more about signing credentials, see the Intune blog. For the App Wrapping Tool documentation, see Android App Wrapping Tool and iOS App Wrapping Tool.
The App Wrapping Tool does not support apps in the Apple App Store or Google Play Store. It also doesn't support certain features that require developer integration (see the following feature comparison table).
For more information about the App Wrapping Tool for app protection policies on devices that are not enrolled in Intune, see Protect line-of-business apps and data on devices not enrolled in Microsoft Intune.
Important
Intune regularly releases updates to the Intune App Wrapping Tool. Regularly check the Intune App Wrapping Tool repositories for updates and incorporate into your software development release cycle to ensure your apps support the latest App Protection Policy settings.
Reasons to use the App Wrapping Tool
- Your app does not have built-in data protection features
- Your app is deployed internally
- You don't have access to the app's source code
- You didn't develop the app
- Your app has minimal user authentication experiences
Supported app development platforms
| App Wrapping Tool | Xamarin | Cordova |
|---|---|---|
| iOS | Yes | Yes |
| Android | No - use the Intune App SDK Xamarin Bindings. | Yes |
Intune App SDK
The App SDK is designed mainly for customers who have apps in the Apple App Store or Google Play Store, and want to be able to manage the apps with Intune. However, any app can take advantage of integrating the SDK, even line-of-business apps.
To learn more about the SDK, see the Overview. To get started with the SDK, see Getting Started With the Microsoft Intune App SDK.
Reasons to use the SDK
Intune App Wrapping Tool For Android
- Your app does not have built-in data protection features
- Your app is deployed on a public app store such as Google Play or Apple's App Store
- You are an app developer and have the technical background to use the SDK
- Your app has other SDK integrations
- Your app is frequently updated
Supported app development platforms
| Intune App SDK | Xamarin | Cordova |
|---|---|---|
| iOS | Yes – use the Intune App SDK Xamarin Bindings. | No |
| Android | Yes - use the Intune App SDK Xamarin Bindings. | No |
Not using an app development platform listed above?
The Intune SDK development team actively tests and maintains support for apps built with the native Android, iOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit guidance or plugins for app developers using anything other than our supported platforms.
Feature comparison
This table lists the settings that are enabled if an app uses the App SDK or the App Wrapping Tool. Some features require app developers to apply some logic outside of basic integration with the Intune SDK, and as such, are not enabled if the app uses the App Wrapping Tool.
| Feature | App SDK | App Wrapping Tool |
|---|---|---|
| Restrict web content to display in a corporate managed browser | X | X |
| Prevent Android, iTunes, or iCloud backups | X | X |
| Allow app to transfer data to other apps | X | X |
| Allow app to receive data from other apps | X | X |
| Restrict cut, copy, and paste with other apps | X | X |
| Specify the number of characters that may be cut or copied from a managed app | X | X |
| Require simple PIN for access | X | X |
| Specify the number of attempts before PIN reset | X | X |
| Allow fingerprint instead of PIN | X | X |
| Allow facial recognition instead of PIN (iOS only) | X | X |
| Require corporate credentials for access | X | X |
| Set a PIN expiry | X | X |
| Block managed apps from running on jailbroken or rooted devices | X | X |
| Encrypt app data | X | X |
| Recheck the access requirements after a specified number of minutes | X | X |
| Specify the offline grace period | X | X |
| Block screen capture (Android only) | X | X |
| Support for MAM without device enrollment | X | X |
| Full Wipe of app data | X | X |
| Selective Wipe of work and school data in Multi-Identity scenarios Note: For iOS/iPadOS, when the management profile is removed, the app is also removed. | X | |
| Prevent 'Save as' | X | |
| Targeted Application Configuration (or app config through the 'MAM channel') | X | X |
| Support for Multi-Identity | X | |
| Customizable Style | X | |
| On-demand application VPN connections with Citrix mVPN | X | X |
| Disable contact sync | X | X |
| Disable printing | X | X |
| Require minimum app version | X | X |
| Require minimum operating system | X | X |
| Require minimum Android security patch version (Android only) | X | X |
| Require minimum Intune SDK for iOS (iOS only) | X | X |
| SafetyNet device attestation (Android only) | X | X |
| Threat scan on apps (Android only) | X | X |
| Require maximum Mobile Threat Defense vendor device risk level | X | |
| Configure app notification content for organization accounts | X | X |
| Require use of approved keyboards (Android only) | X | X |
| Require app protection policy (Conditional Access) | X |
Next steps
To learn more about app protection policies and Intune, see the following topics:
- Android app wrapping tool
- iOS app wrapping tool
Use the information in this article to help you add macOS line-of-business apps to Microsoft Intune. You must download an external tool to pre-process your .pkg files before you can upload your line-of-business file to Microsoft Intune. The pre-processing of your .pkg files must take place on a macOS device.
Note
Starting with the release of macOS Catalina 10.15, prior to adding your apps to Intune, check to make sure your macOS LOB apps are notarized. If the developers of your LOB apps did not notarize their apps, the apps will fail to run on your users' macOS devices. For more information about how to check if an app is notarized, visit Notarize your macOS apps to prepare for macOS Catalina.
macOS LOB apps have a maximum size limit of 2 GB per app.
While users of macOS devices can remove some of the built-in macOS apps like Stocks, and Maps, you cannot use Intune to redeploy those apps. If end users delete these apps, they must go to the app store, and manually re install them.
Before your start
You must download an external tool, mark the downloaded tool as an executable, and pre-process your .pkg files with the tool before you can upload your line-of-business file to Microsoft Intune. The pre-processing of your .pkg files must take place on a macOS device. Use the Intune App Wrapping Tool for Mac to enable Mac apps to be managed by Microsoft Intune.
Important
The .pkg file must be signed using 'Developer ID Installer' certificate, obtained from an Apple Developer account. Only .pkg files may be used to upload macOS LOB apps to Microsoft Intune. However, conversion of other formats, such as .dmg to .pkg is supported. For more information about converting non-pkg application types, see How to deploy DMG or APP-format apps to Intune-managed Macs.
Download the Intune App Wrapping Tool for Mac.
Note
The Intune App Wrapping Tool for Mac must be run on a macOS machine.
Mark the downloaded tool as an executable:
- Start the terminal app.
- Change the directory to the location where
IntuneAppUtilis located. - Run the following command to make the tool executable:
chmod +x IntuneAppUtil
Use the
IntuneAppUtilcommand within the Intune App Wrapping Tool for Mac to wrap .pkg LOB app file from a .intunemac file.Sample commands to use for the Microsoft Intune App Wrapping Tool for macOS:
Important
Ensure that the argument
<source_file>does not contain spaces before running theIntuneAppUtilcommands.IntuneAppUtil -h
This command will show usage information for the tool.IntuneAppUtil -c <source_file> -o <output_directory_path> [-v]
This command will wrap the .pkg LOB app file provided in<source_file>to a .intunemac file of the same name and place it in the folder pointed to by<output_directory_path>.IntuneAppUtil -r <filename.intunemac> [-v]
This command will extract the detected parameters and version for the created .intunemac file.
Select the app type
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Apps > All apps > Add.
- In the Select app type pane, under the Other app types, select Line-of-business app.
- Click Select. The Add app steps are displayed.
Step 1 - App information
Select the app package file
- In the Add app pane, click Select app package file.
- In the App package file pane, select the browse button. Then, select an macOS installation file with the extension .intunemac.The app details will be displayed.
- When you're finished, select OK on the App package file pane to add the app.
Set app information
- In the App information page, add the details for your app. Depending on the app that you chose, some of the values in this pane might be automatically filled in.
- Name: Enter the name of the app as it appears in the company portal. Make sure all app names that you use are unique. If the same app name exists twice, only one of the apps appears in the company portal.
- Description: Enter the description of the app. The description appears in the company portal.
- Publisher: Enter the name of the publisher of the app.
- Minimum Operating System: From the list, choose the minimum operating system version on which the app can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
- Ignore app version: Select Yes to install the app if the app is not already installed on the device. Select No to only install the app when it is not already installed on the device, or if the deploying app's version number does not match the version that's already installed on the device.
- Install as managed: Select Yes to install the Mac LOB app as a managed app on supported devices (macOS 11 and higher). A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the /Applications directory. Managed line-of-business apps will be able to be removed using the uninstall assignment type on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device. The default value is No.
- Category: Select one or more of the built-in app categories, or select a category that you created. Categories make it easier for users to find the app when they browse through the company portal.
- Show this as a featured app in the Company Portal: Display the app prominently on the main page of the company portal when users browse for apps.
- Information URL: Optionally, enter the URL of a website that contains information about this app. The URL appears in the company portal.
- Privacy URL: Optionally, enter the URL of a website that contains privacy information for this app. The URL appears in the company portal.
- Developer: Optionally, enter the name of the app developer.
- Owner: Optionally, enter a name for the owner of this app. An example is HR department.
- Notes: Enter any notes that you want to associate with this app.
- Logo: Upload an icon that is associated with the app. This icon is displayed with the app when users browse through the company portal.
- Click Next to display the Scope tags page.
Step 2 - Select scope tags (optional)
You can use scope tags to determine who can see client app information in Intune. For full details about scope tags, see Use role-based access control and scope tags for distributed IT.
- Click Select scope tags to optionally add scope tags for the app.
- Click Next to display the Assignments page.
Step 3 - Assignments
- Select the Required, Available for enrolled devices, or Uninstall group assignments for the app. For more information, see Add groups to organize users and devices and Assign apps to groups with Microsoft Intune.
- Click Next to display the Review + create page.
Intune App Wrapping Tool Ios
Step 4 - Review + create
Review the values and settings you entered for the app.
When you are done, click Create to add the app to Intune.
The Overview blade for the line-of-business app is displayed.
The app you have created appears in the apps list where you can assign it to the groups you choose. For help, see How to assign apps to groups.
Note
If the .pkg file contains multiple apps or app installers, then Microsoft Intune will only report that the app is successfully installed when all installed apps are detected on the device.
Update a line-of-business app
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Apps > All apps.
- Find and select your app from the list of apps.
- Select Properties under Manage from the app pane.
- Select Edit next to App information.
- Click on the listed file next to Select file to update. The App package file pane is displayed.
- Select the folder icon and browse to the location of your updated app file. Select Open. The app information is updated with the package information.
- Verify that App version reflects the updated app package.
Note
For the Intune service to successfully deploy a new .pkg file to the device you must increment the package version and CFBundleVersion string in the packageinfo file in your .pkg package.
Next steps
Microsoft Intune App Wrapping Tool
The app you have created is displayed in the apps list. You can now assign it to the groups you choose. For help, see How to assign apps to groups.
Learn more about the ways in which you can monitor the properties and assignment of your app. For more information, see How to monitor app information and assignments.
Learn more about the context of your app in Intune. For more information, see Overview of device and app lifecycles