Microsoft recently released the Microsoft Intune App Wrapping Tool for Android that allows you to take your Line of Business (LOB) apps and make them managed. By making an app managed, you add an extra layer of restrictions around the app to restrict operations like cut, copy and paste or open web links in a managed browser. It’s important to know that you cannot simply download an apk file from the Google Play store and wrap that, it has to be an app that was developed for your business or by you.

Overview

  • Prerequisites
  • App requirements
  • Wrapping an app

Prerequisites

Before you can go ahead and wrap your LOB app, there’s a few prerequisites that needs to be taken care of first. First off, I strongly suggest that you use a seperate virtual machine for wrapping apps since Java Runtime Environment is used for wrapping, and you should not install that on your Primary Site server. So spin up a virtual machine with Windows 7 SP1 or later and perform the following tasks:

  • Install the latest available version of Java Runtime Environment
  • Install Intune App Wrapping Tool for Android
Install Java Runtime Environment

This process is pretty straight forward, like installing any other application. On your virtual machine, browse to the following link:

http://www.java.com/en/download

Once you’ve installed Java Runtime Environment, we need to make sure that the installation successfully added a path to your systems environment path. We can check and remediate that by running the following PowerShell script:

$JavaPath = Join-Path -Path $($env:SystemDrive) -ChildPath "ProgramData\Oracle\Java\javapath"
$CurrentEnvironmentPath = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name PATH | Select-Object -ExpandProperty Path
if (-not($CurrentEnvironmentPath | Select-String -SimpleMatch $JavaPath)) {
    Write-Output -InputObject "Java path not found, adding it"
    $NewEnvironmentPath = $CurrentEnvironmentPath + ";" + $JavaPath
    Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH –Value $NewEnvironmentPath
}
else {
    Write-Output -InputObject "Java path found, no action needed"
}

1. Save the above script as Set-JavaPath.ps1 to e.g. C:\Scripts on your virtual machine where you’ve installed Java Runtime Environment.
2. Open an elevated PowerShell console and browse to C:\Scripts.
3. Run the following command:

.\Set-JavaPath.ps1

If the script outputs Java Path found, no action needed, you’re all set. If the path wasn’t updated successfully,the script will output that it has added the required path.

Install Intune App Wrapping Tool for Android

Download the Intune App Wrapping Tool for Android from the following location:

http://www.microsoft.com/en-us/download/details.aspx?id=47267

1. Run InstallAWT.exe.
2. Accept the license terms and click Next.

147_1

3. Let the tool be installed in the default location and click Install.

147_2

4. Once the installation has completed, click Done.

147_3

App requirements

In order to successfully wrap your App, it needs to fulfill the following:

  • Your input app must be a valid Android application package with the extension .apk file and:
    • Cannot be encrypted
    • Must not have already been wrapped by the app wrapping tool
    • Must be written for Android 4.0 or later
  • The app must be developed by, or for your company. You cannot use this tool to process apps downloaded from the Google Play Store.
  • You’ll need to sign your app in order for it to work on Android (for more information: http://developer.android.com/tools/publishing/app-signing.html#signing-manually)

If your app fulfills all of the above, you can continue with wrapping the app.

App signing

Before we can go ahead and wrap an LOB app, we need to create a keystore with keytool.exe, which is included with Java Runtime Environment.

1. Open an elevated command prompt and browse to the installation directory of Java, e.g:

C:\Program Files (x86)\Java\jre1.8.0_20\bin.

2. Run the following command to create the keystore:

keytool.exe -genkey -v -keystore AWT.keystore -alias AWT -keyalg RSA -keysize 2048 -validity 50000

147_6

3. Follow the interactive prompt by enter a password and supply values when asked.

147_7

Now that the keystore is prepared, we can go ahead and wrap apps.

Wrapping an app

Now that we’ve succesfully installed all prerequisites for wrapping an app, let’s continue with some actual wrapping. For this demonstration I have an app called Notepad 1.4.0.7.

1. On your virtual machine, create the following folder structure:

C:\AWT\AppSource
C:\AWT\AppWrapped

2. Place your apk file in the AppSource folder so that we can reference it later. On my virtual machine it looks like this:

147_4

3. Open an elevated PowerShell console and run the following command:

Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

4. Run the following command:

Invoke-AppWrappingTool -InputPath "C:\AWT\AppSource\Notepad-1.4.0.7.apk" -OutputPath "C:\AWT\AppWrapped\Notepad-1.4.0.7_Wrapped.apk" -KeyStorePath "C:\Program Files (x86)\Java\jre1.8.0_20\bin\AWT.keystore" -KeyAlias AWT -SigAlg SHA1withRSA -Verbose

Note! Remember to change to your own apk file.

147_8

You’re app is now wrapped and can be imported into ConfigMgr 2012 R2 SP1 or Microsoft Intune for distribution.

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows deployments and Automation. In 2015 Nickolaj was awarded as PowerShell Hero by the community for his script and tools contributions. Author of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService and a frequent speaker at user groups.

(205)

comments
  • Fazar
    Posted at 13:53 June 1, 2015
    Fazar
    Reply
    Author

    What after wrapping your android app. It can be install to your androd?, because i can’t install.

  • Leave a Reply