My name is Saurabh Sarkar and I am an Intune engineer in Microsoft. I have a YouTube channel ‘EverythingAboutIntune’ and you can subscribe to the same to learn more about Microsoft Intune.
Background and Need of SDK Integration:
- In today’s digital era, mobile device that accesses corporate resources, utilizes information that is sensitive both to the organization and the user. As an organization, we would always want to prevent data loss from potentially unsecure applications. Should the mobile device be lost, stolen, or compromised, it presents a serious risk of data breach for both.
- Mobile Application Management refers to the suite of Intune that lets us publish, push, configure, secure, monitor, and update mobile apps for the users. It allows you to manage and protect your organization’s data within an application.
- There are 2 methodologies of making a LOB app- MAM aware so as to apply MAM policy onto the same, viz App Wrapping and Intune sdk integration.
- Read more about the differences here
- In this article we are going to see how we can integrate Intune sdk into a LOB application using a 3rd party tool called Appdome.
Introduction to Appdome and the Value Add:
- Appdome is a No-Code Solution and provides the ability to integrate any SDK to an application within few seconds without needing any access to the source-code or having any development background.
- Using Appdome, organizations can bring Android and iOS apps built in any environment into the Intune environment quickly and easily.
- The app can be built via Native framework like Android Studio, Xcode or Non-native framework including, Cordova, React Native, Xamarin, Ionic, Flutter Apps and more.
- More information on Appdome is available here
As per MS documentation here, if an app is developed in Xamarin for Android, then it cannot be wrapped via Microsoft’s wrapping utility. In such scenarios, since SDK integration is the only way forward, Appdome can be definitely utilized.
Integrating Intune sdk using Appdome:
- Below is flow that we would follow while getting our lob application MAM ready for Intune using Appdome
Now lets understand each of the steps in detail:
Creating the sample app and building\compiling it:
- We have to make sure that the application we wish to integrate with Intune sdk is functional when it is stand alone. Meaning, we should be able to build the application successfully to ensure that there are no errors.
Running it an an Emulator to test the behavior:
- Once the application has been built, its always a good idea to run it once on an emulator. This ensures the behavior of the application (when its not Intune sdk integrated) is as expected and that there are no crashes\hangs.
Extracting the .apk and signing the application:
- Now we will extract the .apk from the app which will be utilized further later. If we are using Android Studio then-
- Go to Build>Generate Signed Bundle/APK>Select ‘APK’.
- Now we will create a new keystore to sign the application.
- To do the same- Click on ‘Create New’ under ‘Keystore Path’
Now we can browse to any location, wherein we wish to save the .jks file. We have to provide the password which is to be used by the keystore and an alias
We will now click on Debug\Release and select the Signature version we wish to use and Click on Finish
We will get a prompt with an hyperlink to the location wherein the extracted .apk would be saved. Also we can find the .jks file (to be used later) in the location specified by us earlier.
Uploading the app to Appdome and Intune-sdk integrating it
- Now we would have to upload the app to Appdome platform, so as to integrate it with the Intune sdk. We need to go here and login. We might need to sign up if we are using this for the first time. Once logged in, in the extreme left we can see out Workspace which would contain all the apps uploaded by us to Appdome.
- We can add new apps by clicking on “Add App
Add App>Browse>Point to the .apk or .ipa we wish to integrate with Intune sdk.
Note: The option to “Add” the app in the workspace is not available by default. We might have to-
Either purchase the Upgraded plan to make use of this feature OR
Work with the Appdome team and request for a trial (which is usually for a week)
We would see that the app would get validated and uploaded to our Workspace
Click on Next>Under the “Build” category click on “Management”>Select “EMM Services”>Here we select the sdk we wish to integrate with the app. In this case we will type and select “Microsoft Intune sdk”
Now the Appdome platform uses its fusion technology to integrate the sdk into the application’s binary
Click on Next>Now we will sign the application using the same .jks file we created earlier.
Under “Keystore” browse to the .jks>Enter the relevant password and the alias
Click on Next>Download My Built App>This will download the Intune sdk Integrated version of the application
We can see that the Intune sdk version of the app is larger in size as compared to the vanilla application
Now we have the application ready which can be deployed and targeted via MAM policy!
Uploading the sdk version of the app to Intune
- Now we will go to the MEM portal>Go to Apps>Upload the application.
- Note: Under the ‘MAM Enabled’, the application shows as “YES“. This suggests that the Intune sdk integration was done successfully and the app can be potentially targeted via MAM policy (however this is not conclusive just yet)
Deploying MAM policy to the application:
- Now since the application has been pushed to a user group, we can target a MAM policy to the same apps (and deploy it to the same user group). We will go to “Select Custom apps”>Select the application we have deployed.
In the settings of the MAM policy we can set the MAM control which defines the app’s behavior (like PIN\Timeout\Data leakage etc)
Now we are all set to test the app on a device. Moment of truth 🙂
Enrolling a device to test the behavior:
- We are now going to enroll the device as below. The device can be enrolled as Android Device Admin or Android Enterprise (if android) or normal iOS enrollment\DEP enrollment (if iOS). The kind of enrollment does NOT play a role here!
Since this is a LOB app and its from an untrusted source, we might have to “Allow unknown apps” in Company Portal.
If the app is blocked by Play protect, we would have to allow the installation
The app would now be installed and we should be able to see the launch icons of both the apps in the homescreen
Behavior of the app upon launch:
- Once the app launches, we see the “Get Access” prompt which states that the app is managed and protected by the Organization. Click on Continue>We are prompted to set a PIN as per the MAM policy.
- The “Get Access” screen and the PIN prompt further substantiates that the MAM policy kicked in as expected.
Transferring the data b/w the SDK integrated app and unmanaged app:
- Now if we copy any data from the application and paste it to a native app(like messenger) which is not MAM protected, the data movement should be blocked (as per the restriction in the MAM policy). As seen below, we see the same thing happening and the data when attempted to be pasted outside the app, gives an error – “Your Organization’s data cannot be pasted here”
Transferring the data b/w 2 SDK integrated apps:
- If we try to move the data b/w the 2 MAM managed applications (App 1 and App 2, both targeted via the same MAM policy) the data movement is allowed which again is in accordance with the set MAM policy
- As observed, the MAM policy works absolutely fine on the LOB app which was Intune sdk integrated via Appdome. The LOB app is now protected by PIN as well as the other MAM controls in the policy.
- In the entire process, we did not need to access or make use of the application’s source code (we just needed the .apk.ipa and .jks file) and the entire process was very seamless.
- There was no coding that was needed(which usually is, during sdk integration activity) and we did not have to add any methods\functions manually to the source-code.
- As per Appdome’s documentation, this entire process does NOT wrap the app(like we would conventionally with a wrapper) but it integrates the Intune sdk into the app.
- Please refer to the Appdome’s documentation here which talks about the differences and provides more insights into the background process.