Wrapping Intune for Android on Windows 10 - lancevo/ionic-docs GitHub Wiki

Overview

Intune App Wrapping Tool

*Caveat: the Intune Android App Wrapping Tool ONLY works with Android Signature Scheme V1. Apps using the newer Android Signature Scheme V2 or V3 must be signed manually.*

Set up and install

Windows 10 -

Install the Java JRE and Android Studio.

The Android SDK can be found in C:\Users\{USERNAME}\AppData\Local\Android\Sdk; the Android Studio menu File -> Project Structure also shows the path to the SDK.

Set the paths of the JRE and SDK in System Properties / Environment Variables, or in PowerShell. For the SDK, if there are multiple folders for all the versions, you must choose one.

PowerShell:

[System.Environment]::SetEnvironmentVariable("JAVA_HOME", "C:\Program Files\Android\Android Studio\jre\")
[System.Environment]::SetEnvironmentVariable("ANDROID_SDK", "C:\Users\{USERNAME}\AppData\Local\Android\Sdk\build-tools\{SDK-VERSION}\")
$env:Path = "$env:Path;$env:JAVA_HOME;$env:ANDROID_SDK;"

Install Intune

Docs: Intune App Wrapping Tool

git clone https://github.com/msintuneappsdk/intune-app-wrapping-tool-android.git

Run InstallAWT.exe in the cloned folder. It installs the wrapping tool to C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool.

cd "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool"

Import-Module .\IntuneAppWrappingTool.psm1

Intune Wrapping

1. Build a release APK

In Android Studio, choose Build -> Generate Signed Bundle or APK -> APK -> Release from the menu.

Provide the keystore, keystore password and other necessary info, then generate the APK.

2. Intune Wrapping Tool

More about preparing for Android.

Invoke-AppWrappingTool -InputPath {PATH_TO_RELEASE_APK\APP-NAME.apk} -OutputPath {PATH_TO_WRAPPED_APK} -KeyStorePath {PATH_TO_KEYSTORE_FILE} -KeyAlias {APP_ALIAS}

For example:
Invoke-AppWrappingTool -InputPath .\app-release.apk -OutputPath .\app-intune-wrapped.apk -KeyStorePath .\app-keystore -KeyAlias MYAPPNAME

If the input app was signed with Android Signature Scheme version 2 or above, the tool generates a wrapped but unsigned file in the output path folder, and shows a warning similar to the one below:

The output app was not signed because the input app was signed by Android Signature Scheme V2 or newer. This signing cannot currently be performed by the Intune App Wrapping Tool. Android requires all app packages (.apk) to be signed in order to be installed on the device. Please sign the wrapped app using the same tools used to sign the input app or using Google's apksigner. This can be done after successfully Intune App Wrapping.

zipalign before or after signing?

zipalign is found inside the SDK folder. It is an archive alignment tool that provides an important optimization for Android application (APK) files: it ensures that all uncompressed data starts with a particular alignment relative to the start of the file. Specifically, it causes all uncompressed data within the APK, such as images or raw files, to be aligned on 4-byte boundaries.

Caution: You must use zipalign at one of two specific points in the app-building process, depending on which app-signing tool you use:

If you use apksigner, zipalign must only be performed before the APK file has been signed. If you sign your APK using apksigner and make further changes to the APK, its signature is invalidated.

If you use jarsigner, zipalign must only be performed after the APK file has been signed.

3. Sign with jarsigner

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -storepass {KEY_STORE_PASSWORD} -keystore {PATH_TO_KEY_STORE} {PATH_TO_WRAPPED_APK} {APP_ALIAS}

For example:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -storepass {KEY_STORE_PASSWORD} -keystore .\app-keystore .\app-intune-wrapped-unsigned.apk MYAPPNAME

**Now app-intune-wrapped-unsigned.apk is signed!**

4. zipalign the app

zipalign -v 4 {SIGNED_PATH_APK} {ZIPPED_OUTPUT_PATH_APK}

For example:
zipalign -v 4 .\app-intune-wrapped-unsigned.apk .\app-intune-wrapped-signed-RELEASE.apk
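
A verification step for the file produced in step 4, as an added example that is not part of the original wiki page: it checks alignment with `zipalign -c`, verifies the signature with `apksigner verify`, and compares the signer certificate with that of the original release APK. It assumes `apksigner` and `zipalign` from the SDK build-tools folder are on the PATH; the function names are hypothetical.

```powershell
# Added example. Assumes apksigner and zipalign (SDK build-tools) are on the PATH.
# Function names are hypothetical; file names are the ones used in the steps above.

function Get-ApkSignerInfo {
    param([Parameter(Mandatory)][string]$ApkPath)
    # --verbose reports which signature schemes verified; --print-certs lists signer certs.
    $out = & apksigner verify --verbose --print-certs $ApkPath 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "apksigner could not verify ${ApkPath}:`n$($out -join "`n")"
    }
    $digests = @($out | ForEach-Object {
        if ($_ -match 'certificate SHA-256 digest:\s*([0-9a-fA-F]+)') { $Matches[1].ToLower() }
    })
    if ($digests.Count -eq 0) { throw "No signer certificate reported for $ApkPath" }
    [pscustomobject]@{
        Schemes    = @($out | Where-Object { $_ -match '^Verified using' })
        CertSha256 = $digests
    }
}

function Test-WrappedApk {
    param(
        [Parameter(Mandatory)][string]$OriginalApk,
        [Parameter(Mandatory)][string]$WrappedApk
    )
    # -c only checks alignment; the file is not modified.
    & zipalign -c 4 $WrappedApk | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$WrappedApk is not 4-byte aligned" }

    $orig    = Get-ApkSignerInfo -ApkPath $OriginalApk
    $wrapped = Get-ApkSignerInfo -ApkPath $WrappedApk
    $wrapped.Schemes | ForEach-Object { Write-Host $_ }

    # Signing with the same keystore and alias should give the same signer certificate.
    if (Compare-Object $orig.CertSha256 $wrapped.CertSha256) {
        throw "Signer certificate differs from the original release APK"
    }
    Write-Host "OK: aligned, signature verifies, signer SHA-256 $($wrapped.CertSha256 -join ', ')"
}

Test-WrappedApk -OriginalApk .\app-release.apk -WrappedApk .\app-intune-wrapped-signed-RELEASE.apk
```

The `Verified using ...` lines show which signature schemes the final APK actually carries.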