Intune

App Wrapping VS Intune SDK Integration: Making The Smarter Choice

My name is Saurabh Sarkar and I am an Intune engineer in Microsoft. I have a YouTube channel ‘EverythingAboutIntune’ and you can subscribe to the same to learn more about Microsoft Intune.


The entire demonstration of this post which illustrates the comparison between Intune SDK Integration and App Wrapping can be found below-

In this post we are going to understand the various approaches of making an LOB app MAM aware and compare both the approaches i.e. Intune SDK Integration and App Wrapping


The Need:

  • People regularly use their mobile devices for both personal and work tasks.
  • Mobile device that accesses corporate resources, utilizes information that is sensitive both to the organization and the user.
  • While making sure staff can be productive, organizations also want to prevent data loss from potentially unsecure applications.
  • Should the mobile device be lost, stolen, or compromised, it presents a serious risk of data breach for both.
  • To help minimize this risk, we implement MAM policy onto an application via Intune.


MAM background:

Mobile Application Management refers to the suite of Intune that lets us publish, push, configure, secure, monitor, and update mobile apps for the users. It allows you to manage and protect your organization’s data within an application.
MAM differs from Mobile Device Management (MDM), which administers the entire device. MAM focuses only on corporate-owned data in applications


MAM Benefits:

  • Protecting the company data at the app level. Because mobile app management doesn’t require device management, we can protect company data on both managed and unmanaged devices.
  • End-user productivity isn’t affected, and policies don’t apply when using the app in a personal context.
  • The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.


What we can do using MAM:

  • Restrict copy-and-paste and save-as functions
  • Configure web links to open inside the secure Microsoft browser
  • Enable multi-identity use and app-level Conditional Access
  • Apply data loss prevention policies without managing the user’s device
  • Enable app protection without requiring enrollment
  • Setup security(PIN), storage location etc.
  • Enable app protection on devices managed with 3rd party EMM tools
  • Remotely wiping corporate data from the application in the device
  • Require users to sign in with their work\school accounts to access a specific application
  • Enforcing encryption the corporate data saved by the application


MAM Enlightened Apps:

  • As we can see above there are a lot of applications which are MAM enlightened-> Meaning they understand and comprehend the Intune MAM policy
  • This list is ever growing and app developers are increasingly integrating more and more applications with the Intune sdk while developing their application and publishing it to the store



The Caveat:

  • A very important thing to notice above is- All the MAM enlightened apps for Android and iOS are – store apps
  • Now this would bring up a major concern to all the security folks of all the organizations- “How do we protect the org data and implement MAM policies to LOB apps”(custom apps made by the org)
  • In this article we are going to explore the methodologies of making a LOB app- MAM aware so as to apply MAM policy onto the same.

Note- While developing a LOB application, we can always inculcate some DLP functionality onto the same in the app’s code. However that would not make the application MAM aware and enable it to understand Intune’s App protection policies.



SDK Integration and App Wrapping:

There are 2 ways by which we can make our LOB app, MAM aware so that it can comprehend the Intune MAM policies, viz- App Wrapping and Intune SDK integration.
The end goal in both the cases is the same i.e. applying Intune MAM policy to the app.
Which one to choose- that would depend on a lot of factors which we will try to clarify in this post.


SDK Integration

  • Software development toolkits allow developers to add functionality to their applications and enable them to build the standard components of their apps easier and faster.
  • The Intune App SDK, available for both iOS and Android, enables our app to support Intune app protection policies.
  • In this approach we have to add some Intune specific libraries and Methods and functions into the source code of the application
  • For more details on Intune SDK Integration, refer to the official documentation- https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started


App wrapping

  • App wrapping lets the mobile enterprise add multiple layers of protection to any app without making any changes to the app itself.
  • The App Wrapping Tool is used primarily for internal line-of-business (LOB) apps.
  • The tool is a command-line application that creates a wrapper around the app, which then allows the app to be managed by an Intune app protection policy.
  • For more details on App Wrapping, refer to the official documentation- https://docs.microsoft.com/en-us/mem/intune/developer/app-wrapper-prepare-android


SDK Vs App Wrapping- Comparison

Below is a detailed comparison between both the approaches that should help us understand which one to choose and when.

App WrappingSDK Integration
No access to the source code is neededAccess to the application’s source code is needed
Quicker and can be done by a non-developerNeeds a developer and usage of developer tool\programming language
Meets most of the use case of MAMMeets all (additional) use case for MAM
App based CA cannot be implementedApp based CA policy can be used
Cannot implement SS0(Single Sign On) in an application which has been wrapped by the wrapperWe can implement SSO in an application which has been integrated with the Intune SDK
App config policy cannot be used as the app is not aware on how to handle the configurationApp configuration policy can be used
Used if the application supports only 1(corporate) identityCan be used if the app supports multi-identity.
Want to manage someone else’s app, app wrapping is the solutionCreating our own apps, SDK’s the answer 
Cannot specify when the MAM would\would not be applicableCan control when we want to use MAM policy 
Ex: We have an app- That has General section> It is not protected.
After the user signs in>now MAM kicks in>Now he sees the dashboard and it is protected.
App wrapping tool is more like a script file which tries to inject the MAM functionality into the application.SDK integration handles all the scenarios and has methods for each (like if the policy is downloaded, if the app needs to be restarted etc..)

Microsoft Office applications are manually Intune SDK integrated (and not wrapped)


Wrapping VS SDK Integration: Making The Smarter Choice

Rule of thumb-

  • If we have access to the source code of the application then the recommendation would be- doing the Intune sdk integration into the app.
  • It takes a development background to make sure that all the methods\functions have been integrated successfully while we run the build\compile the code after the integration.
  • Using this approach is recommended as we can do more with the app like making the application understand app configuration policy\Conditional Access policy along with other customization

However, on the contrary-

  • If we dont have access to the source code and\or donot have a developer who can assist us with the integration of the sdk and the app in picture is NOT already encrypted- we can follow the App Wrapping approach.
  • This is way simpler and can be done by any admin.
  • Following this approach helps us make the app MAM Enlighted and we can apply Intune MAM policy onto the application


Important Considerations:

  • App wrapping works in most of the cases, however in my personal opinion i have seen few instances wherein even after the app is wrapped with the wrapper successfully- the application does not comprehend the Intune MAM policy- this is not a foolproof method but definitely worth a try
  • We cannot download any application(.apk\.ipa) from the store and App wrap it. This does not work.
  • It is so because the app which we download from the public app store is already signed by the developer hence the app wrapping fails. The app needs to be a LOB app for the app wrapping process to work successfully.

Its very important and worth re-iterating here that the app we wish to wrap via the App Wrapping tool must not be already encrypted. We encrypt the app as a part of the App Wrapping process using a keystore which we would generate. If the app was already encrypted by the developer before App Wrapping it(which would be the case if the .apk\.ipa was downloaded from the public store) the wrapping would fail.


Conclusion:

I hope that this post has been helpful in understanding the significance of applying a MAM policy to a LOB application via Intune, and the way to make the application MAM aware via both the approaches. In the posts to follow, we will take a closer look into both the techniques and do a deep dive on the respective methodologies.