Apps are installed from the Managed Google Play store in the same manner as on Android Enterprise personally-owned and corporate-owned work profile devices. Apps are automatically updated on managed devices when the app developer publishes an update to Google Play.

Note: The Microsoft Intune app is installed automatically during enrollment of a dedicated device.
Learn about the Android Enterprise framework deployment methodology: the Microsoft-recommended methodology for deploying the security configuration framework.
Configure device enrollment restrictions for personally owned devices: apply these restrictions to configure a basic or high security level for personally owned devices with a work profile.
Disallow personal accounts on Android Enterprise devices: prevent people on work or school devices from signing in to Microsoft apps with a personal account.
Configure security settings for personally owned devices: apply these settings to configure a basic or high security level on personally owned devices with a work profile.
Configure security settings for fully managed devices: apply these settings to configure a basic, enhanced, or high security level on corporate-owned, fully managed devices.
Create a compliance policy: step-by-step guidance on how to create and assign a compliance policy to user and device groups.
Add actions for noncompliance: choose what happens when devices no longer meet the conditions of your compliance policy. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy.
Create a device-based or app-based Conditional Access policy.
Block access to apps that don't use modern authentication: create an app-based Conditional Access policy to block apps that use authentication methods other than OAuth2, for example basic and form-based authentication. Before you block any access, sign in to Azure AD and review the authentication methods activity report to check whether users still rely on basic authentication for essential things you may have overlooked, such as meeting room calendar kiosks.
Manage devices with endpoint security features: use the Endpoint security settings in Intune to manage device security and remediate issues on devices.
Enable the mobile threat defense (MTD) connector for enrolled devices: if you're not using Microsoft Defender for Endpoint, enable the connector so that you can use another mobile threat defense solution. You can also enable the MTD connector for devices not enrolled in Intune.
Create an MTD app protection policy: create an Intune app protection policy that assesses risk and limits a device's access to work or school apps.
Create an MTD device compliance policy: create an Intune device compliance policy that assesses risk and limits a device's corporate access based on the threat level.
Add and assign MTD apps: add and deploy MTD apps in Intune. These apps work with your device compliance and app protection policies to identify and help remediate device threats. You can also assign MTD apps to devices not enrolled in Intune.
Create a device profile in Microsoft Intune.
Configure a Wi-Fi profile: this profile enables people to find and connect to your organization's Wi-Fi network.
Configure a VPN profile: set up a secure VPN option, such as Microsoft Tunnel, for people connecting to your organization's network.
Configure an email profile: configure email settings so that people can connect to a mail server and access their work or school email. For a description of the settings in this area, see Android Enterprise email settings or Android device administrator email settings.
Restrict device features: protect users from unauthorized access and distractions by limiting the device features they can use at work or school. For a description of the settings in this area, see Android Enterprise device settings or Android device administrator device settings.
Configure custom settings for Android device administrator: add or create custom settings that aren't built into Intune, such as a per-app VPN profile and web protection with Microsoft Defender for Endpoint.
Configure Samsung Knox apps.
Create a custom profile for Android Enterprise.

Switching the identity may require recreating the activity. In addition to the app's ability to set the identity, a thread's or a context's identity may change based on data ingress from another Intune-managed app that has app protection policy.
If an activity is launched from an Intent sent by another MAM app, the activity's identity will be set based on the effective identity in the other app at the point the Intent was sent. For services, the thread identity will be set similarly for the duration of an onStart or onBind call. Calls into the Binder returned from onBind will also temporarily set the thread identity.
Calls into a ContentProvider will similarly set the thread identity for their duration. Example: A user canceling out of an authorization prompt during Resume will result in an implicit switch to an empty identity. The app is given an opportunity to be made aware of these changes, and, if it must, the app can forbid them.
It is not expected that most apps will need to block or delay an identity switch, but if an app needs to do so, the following points must be considered. If an identity switch is blocked, the result is the same as if the Receive sharing settings had prohibited the data ingress. If a Service is running on the main thread, reportIdentitySwitchResult must be called synchronously, or the UI thread stops responding.
If the app must show UI to determine whether to allow the identity switch, that UI must be shown using a different activity. If this is not possible, the app should refuse the switch, and the user will be asked again to comply with policy for the resuming identity (for example, by being presented with the app PIN entry screen). A multi-identity app will always receive incoming data from both managed and unmanaged apps. It is the app's responsibility to treat data from managed identities in a managed manner.
The default behavior for MAMActivity. Similarly, if you need to override MAMActivity. It is common for operations on the UI thread to dispatch background tasks to another thread. A multi-identity app will want to make sure that these background tasks operate with the appropriate identity, which is often the same identity used by the activity that dispatched them. These must be used if the asynchronous operation could write corporate data to a file or could communicate with other apps. For example.
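The following is an added example of the two points above, written for this page rather than taken from the Intune documentation or the SDK sources: an Activity that refuses an identity switch only while unsaved corporate edits are on screen (reporting the result synchronously, never from UI), and a save routine that carries the activity's UI identity onto a worker thread before the file is created. The SDK class and method names (MAMActivity.onMAMIdentitySwitchRequired, AppIdentitySwitchReason, AppIdentitySwitchResult, AppIdentitySwitchResultCallback, MAMPolicyManager.getUIPolicyIdentity and setCurrentThreadIdentity) and their package paths are assumed from the public Intune App SDK for Android API and are not stated on this page; the app package, class and file names are hypothetical.

```java
package com.example.multiidentity; // hypothetical app package

import android.util.Log;

// Assumed Intune App SDK types and packages (not shown on this page).
import com.microsoft.intune.mam.client.app.MAMActivity;
import com.microsoft.intune.mam.client.identity.MAMPolicyManager;
import com.microsoft.intune.mam.policy.AppIdentitySwitchReason;
import com.microsoft.intune.mam.policy.AppIdentitySwitchResult;
import com.microsoft.intune.mam.policy.AppIdentitySwitchResultCallback;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Hypothetical editor activity that can display data belonging to a managed identity. */
public class DocumentActivity extends MAMActivity {
    private static final String TAG = "DocumentActivity";

    private final ExecutorService io = Executors.newSingleThreadExecutor();
    /** True while corporate text is on screen and not yet saved (set by the editor). */
    private volatile boolean unsavedCorporateEdit;

    /**
     * Called by the SDK when this activity's identity is about to change (an Intent from
     * another MAM app, content ingress, or the user cancelling a policy prompt on resume).
     * We accept every switch except one case: a RESUME_CANCELLED switch to the empty
     * identity while corporate edits are still visible. Refusing it has the same effect
     * as if Receive policy had blocked the ingress, and the SDK re-prompts the user
     * (for example for the app PIN) instead of leaving corporate data under no policy.
     */
    @Override
    public void onMAMIdentitySwitchRequired(String identity,
                                            AppIdentitySwitchReason reason,
                                            AppIdentitySwitchResultCallback callback) {
        boolean droppingToUnmanaged = identity == null || identity.isEmpty();
        if (unsavedCorporateEdit && droppingToUnmanaged
                && reason == AppIdentitySwitchReason.RESUME_CANCELLED) {
            Log.w(TAG, "Refusing switch to empty identity with unsaved corporate edits");
            // Report synchronously; never block here waiting for UI.
            callback.reportIdentitySwitchResult(AppIdentitySwitchResult.FAILURE);
            return;
        }
        callback.reportIdentitySwitchResult(AppIdentitySwitchResult.SUCCESS);
    }

    /** Save the draft from the UI thread without losing the identity on the worker thread. */
    public void saveDraftAsync(final String text, final File target) {
        // Capture the identity the UI is showing right now. A plain executor thread has no
        // thread identity of its own, so the new file would otherwise be tagged with the
        // process identity, which need not match what the user is looking at.
        final String identity = MAMPolicyManager.getUIPolicyIdentity(this);
        io.execute(() -> {
            MAMPolicyManager.setCurrentThreadIdentity(identity);
            try (FileOutputStream out = new FileOutputStream(target)) {
                // The file is created under the thread identity, so the SDK tags it (and,
                // if policy requires, encrypts it) for that identity automatically.
                out.write(text.getBytes(StandardCharsets.UTF_8));
                unsavedCorporateEdit = false;
            } catch (IOException e) {
                Log.e(TAG, "Draft save failed", e);
            } finally {
                // Clear the identity so later tasks on this worker do not inherit it.
                MAMPolicyManager.setCurrentThreadIdentity(null);
            }
        });
    }
}
```

The worker-thread pattern is the minimal one: capture the UI identity before dispatch, set it on the worker, and clear it in a finally block so a pooled thread never carries a stale managed identity into the next task.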
Every file has an identity associated with it at the time of creation, based on the thread and process identity. This identity is used for both file encryption and selective wipe. Only files whose identity is managed and has policy requiring encryption are encrypted. The SDK's default selective wipe functionality wipes only files associated with the managed identity for which a wipe has been requested.
MAM cannot automatically infer a relationship between files being read and data being displayed in an Activity. Apps must set the UI identity appropriately before displaying corporate data, including data read from files. If a file comes from outside the app (either from a ContentProvider or read from a publicly writable location), the app must attempt to determine the file identity using the appropriate MAMFileProtectionManager overload.
If the identity switch fails, data from the file must not be displayed. When reading from a content URI, it may be necessary to first read the identity via the getProtectionInfo overload taking a Uri, then set the context or thread identity to match, before opening a file descriptor or input stream on the ContentResolver; otherwise the open will not succeed.
During the open flow, prior to reading data from disk, the app confirms the identity that should be used to display the content. If an app uses the Android DownloadManager to download files, the MAM SDK will attempt to protect these files automatically using the identity priority described previously.
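As an added example (written for this page, not code from the Intune documentation or the SDK), the helper below implements that open flow for a content URI: read the identity stamped on the content, switch the UI identity to it, and only if the switch succeeds open the stream and hand it to the renderer; it also shows re-tagging a file the app moves after a DownloadManager download. The SDK names used (MAMFileProtectionManager.getProtectionInfo(Uri) and protect(File, String), MAMFileProtectionInfo.getIdentity, MAMPolicyManager.setUIPolicyIdentity with MAMSetUIIdentityCallback and MAMIdentitySwitchResult) and their package paths are assumed from the public Intune App SDK API and do not appear on this page; treating untagged content as the unmanaged (empty) identity is this example's choice.

```java
package com.example.multiidentity; // hypothetical app package

import android.app.Activity;
import android.content.ContentResolver;
import android.net.Uri;
import android.util.Log;

// Assumed Intune App SDK types and packages (not shown on this page).
import com.microsoft.intune.mam.client.identity.MAMFileProtectionInfo;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;
import com.microsoft.intune.mam.client.identity.MAMIdentitySwitchResult;
import com.microsoft.intune.mam.client.identity.MAMPolicyManager;
import com.microsoft.intune.mam.client.identity.MAMSetUIIdentityCallback;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;

/** Opens shared content only after the UI identity matches the identity on the content. */
public final class SharedContentOpener {
    private static final String TAG = "SharedContentOpener";

    /** What the caller does with the bytes once it is safe to show them. */
    public interface Renderer {
        void render(InputStream in) throws IOException;
    }

    /**
     * Resolve the identity tagged on the content behind {@code uri}, switch the UI to it,
     * and only then open the stream. Content that carries no MAM tag is treated as
     * unmanaged (the empty identity), which never has app protection policy.
     */
    public static void open(final Activity activity, final Uri uri, final Renderer renderer) {
        final String identity;
        try {
            MAMFileProtectionInfo info = MAMFileProtectionManager.getProtectionInfo(uri);
            identity = (info == null || info.getIdentity() == null) ? "" : info.getIdentity();
        } catch (IOException e) {
            Log.e(TAG, "Cannot determine identity for " + uri, e);
            return; // identity unknown: do not display anything
        }

        MAMPolicyManager.setUIPolicyIdentity(activity, identity, new MAMSetUIIdentityCallback() {
            @Override
            public void notifyIdentityResult(MAMIdentitySwitchResult result) {
                if (result != MAMIdentitySwitchResult.SUCCEEDED) {
                    // Policy refused the switch or the user cancelled a prompt: never show the data.
                    Log.w(TAG, "UI identity switch to '" + identity + "' failed: " + result);
                    return;
                }
                ContentResolver resolver = activity.getContentResolver();
                // The open is policy-checked against the identity now in effect, so doing it
                // before the switch would have failed (null or FileNotFoundException).
                try (InputStream in = resolver.openInputStream(uri)) {
                    if (in == null) {
                        throw new IOException("provider returned no stream");
                    }
                    renderer.render(in);
                } catch (IOException e) {
                    Log.e(TAG, "Open failed for " + uri, e);
                }
            }
        });
    }

    /**
     * Files fetched through DownloadManager are tagged by the SDK, but the tag does not
     * follow a file the app moves or rewrites afterwards: re-apply it explicitly.
     */
    public static boolean moveDownloaded(File from, File to, String identity) throws IOException {
        if (!from.renameTo(to)) {
            return false;
        }
        MAMFileProtectionManager.protect(to, identity);
        return true;
    }
}
```

The order matters: the identity is read from the content first, the UI identity is switched second, and the ContentResolver open happens last, inside the switch callback, so a refused switch can never be followed by a display of the data.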
The context used to retrieve the DownloadManager will be used if the thread identity is unset. If the downloaded files contain corporate data, it is the app's responsibility to call protect if the files are moved or recreated after download. If an app that previously shipped with single-identity Intune integration later integrates multi-identity, existing installations go through a transition that is not visible to the user; there is no associated UX.
The app is not required to do anything explicit to handle this transition. All files created before the transition will continue to be regarded as managed, so they will stay encrypted if encryption policy is on. File identity tagging is sensitive to offline mode.
The following points should be taken into account: if the Company Portal is installed, but the app does not have Intune MAM policy, files cannot be reliably tagged with identity. Directories may be protected using the same protect method used to protect files.
Directory protection applies recursively to all files and subdirectories contained in the directory, and to new files created within the directory. Because directory protection is applied recursively, the protect call can take some time to complete for large directories. For that reason, apps applying protection to a directory that contains a large number of files might wish to run protect asynchronously on a background thread.
It is not possible to tag a file as belonging to multiple identities. Apps that must store data belonging to different users in the same file can do so manually, using the features provided by MAMDataProtectionManager.
This allows the app to encrypt data and tie it to a particular user. The encrypted data is suitable for storing to disk in a file. You can query the identity associated with the data, and the data can be decrypted later.
After this notification completes, buffers that were protected via this class will no longer be readable if file encryption was enabled when the buffers were protected. It is also safe to call protect during this notification if it is desired to preserve identity information -- encryption is guaranteed to be disabled during the notification.
If this function returns false, the content must not be returned to the caller. File descriptors returned through a content provider are handled automatically based on the file identity. If the app removes user data from a file but wishes to leave other data in the file, it must change the identity of the file via MAMFileProtectionManager.
If encryption policy is in use, any remaining files belonging to the user being wiped will not be decrypted and will become inaccessible to the app after the wipe. For multi-identity aware apps, this loss may be more significant, since the default MAM selective wipe wipes only files whose identity is targeted by the wipe. The default selective wipe closes the app gracefully, finishing activities and killing the app process. If your app overrides the default selective wipe, consider closing your app manually to prevent the user from accessing in-memory data after a wipe occurs.
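The two passages above (a file cannot carry more than one identity, and removing one user's data from a shared file requires re-tagging the file) are illustrated by the following added example, written for this page and not taken from the Intune documentation or the SDK. It keeps records for several identities in one container file by protecting each record individually with MAMDataProtectionManager, reads back only the records that belong to a given identity, and drops one identity's records while leaving the others in place. The SDK names (MAMDataProtectionManager.protect(byte[], String), unprotect(byte[]), getProtectionInfo(byte[]) returning MAMDataProtectionInfo with getIdentity(), and MAMFileProtectionManager.protect(File, String)) and their package paths are assumed from the public SDK API; keeping the container itself tagged with the empty (unmanaged) identity is this example's design choice, the record framing is this example's own, and the class and file names are hypothetical.

```java
package com.example.multiidentity; // hypothetical app package

// Assumed Intune App SDK types and packages (not shown on this page).
import com.microsoft.intune.mam.client.identity.MAMDataProtectionInfo;
import com.microsoft.intune.mam.client.identity.MAMDataProtectionManager;
import com.microsoft.intune.mam.client.identity.MAMFileProtectionManager;

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * One container file holding records for several identities. Each record is protected on
 * its own with MAMDataProtectionManager and stored as [int length][protected bytes].
 * The container can carry only one MAM file identity, so it is kept unmanaged ("") and the
 * per-record protection does the work: a selective wipe of one user then cannot remove
 * the other users' records along with the file.
 */
public final class MultiIdentityRecordFile {
    private static final int MAX_RECORD = 16 << 20; // sanity bound for corrupt length fields
    private final File file;

    public MultiIdentityRecordFile(File file) {
        this.file = file;
    }

    /** Protect {@code plaintext} for {@code identity} and append it to the container. */
    public synchronized void append(String identity, byte[] plaintext) throws IOException {
        byte[] sealed = MAMDataProtectionManager.protect(plaintext, identity);
        boolean created = !file.exists();
        try (DataOutputStream out = new DataOutputStream(new FileOutputStream(file, true))) {
            out.writeInt(sealed.length);
            out.write(sealed);
        }
        if (created) {
            // The new file was tagged with the current thread/process identity; make the
            // mixed container unmanaged, the records carry their own identities.
            MAMFileProtectionManager.protect(file, "");
        }
    }

    /** Plaintext of every record that belongs to {@code identity}, in file order. */
    public synchronized List<byte[]> readFor(String identity) throws IOException {
        List<byte[]> out = new ArrayList<>();
        for (byte[] sealed : readAllSealed()) {
            MAMDataProtectionInfo info = MAMDataProtectionManager.getProtectionInfo(sealed);
            if (info != null && identity.equals(info.getIdentity())) {
                // If this identity was selectively wiped with encryption on, unprotect
                // cannot recover the data any more; the IOException reaches the caller.
                out.add(MAMDataProtectionManager.unprotect(sealed));
            }
        }
        return out;
    }

    /** Remove only {@code identity}'s records; every other user's data stays. */
    public synchronized int dropIdentity(String identity) throws IOException {
        List<byte[]> keep = new ArrayList<>();
        int dropped = 0;
        for (byte[] sealed : readAllSealed()) {
            MAMDataProtectionInfo info = MAMDataProtectionManager.getProtectionInfo(sealed);
            if (info != null && identity.equals(info.getIdentity())) {
                dropped++;
            } else {
                keep.add(sealed);
            }
        }
        try (DataOutputStream out = new DataOutputStream(new FileOutputStream(file, false))) {
            for (byte[] sealed : keep) {
                out.writeInt(sealed.length);
                out.write(sealed);
            }
        }
        // After removing a user's data from a shared file the file identity must be set
        // again; assert the unmanaged tag so the container is not owned by the wiped user.
        MAMFileProtectionManager.protect(file, "");
        return dropped;
    }

    private List<byte[]> readAllSealed() throws IOException {
        List<byte[]> records = new ArrayList<>();
        if (!file.exists()) {
            return records;
        }
        try (DataInputStream in = new DataInputStream(new FileInputStream(file))) {
            while (true) {
                int len;
                try {
                    len = in.readInt();
                } catch (EOFException eof) {
                    break; // clean end of container
                }
                if (len < 0 || len > MAX_RECORD) {
                    throw new IOException("corrupt record length " + len);
                }
                byte[] sealed = new byte[len];
                in.readFully(sealed);
                records.add(sealed);
            }
        }
        return records;
    }
}
```

Because ownership lives in each protected record rather than in the file tag, the app decides per record whose data it is handling, and a selective wipe for one identity leaves the container readable for everyone else while that identity's records simply stop decrypting.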
App configuration key-value pairs are not interpreted by Intune at all, but are passed on to the app. If multiple policies are targeted at the same app, there may be multiple conflicting values available for the same key.
If there is no MAM-registered user, but your app would still like to retrieve Android Enterprise configuration (which will not be targeted at a specific user), you can pass a null or empty string. A value set in MAM app config will override a value with the same key set in Android Enterprise config. If an admin configures conflicting values for the same key, e.g.
For more information about how to create a MAM targeted app configuration policy in Android, see the section on MAM targeted app config in How to use Microsoft Intune app configuration policies for Android. App config can also be configured using the Graph API.
If a theme is not provided, a default MAM theme will be used. To provide a theme, add the following line of code in your Application class. In the above example, replace R. AppTheme with the style theme that you want the SDK to apply. You can customize primary, secondary, and background colors, as well as the size of the app logo. This style customization is optional; defaults will be used if no custom style is configured. Below is an example of the format this file needs to follow.
You must reuse resources that already exist within your app. For example, you must define the color green in the colors. You cannot use the hex color code " ff". The maximum size for the app logo is dip (dp). You may use a smaller logo image, but adhering to the maximum size will yield the best-looking results. If you exceed the dip limit, the image will scale down and possibly cause blurring. Below is the complete list of allowed style attributes, the UI elements they control, their XML attribute item names, and the type of resource expected for each.
The following is guidance for requiring a user prompt on app launch for an automatic APP-WE service enrollment (called default enrollment in this section), which requires Intune app protection policies so that only Intune-protected users can use your SDK-integrated Android LOB app.
This is not supported for store apps that can be used by non-Intune users. The benefits of default enrollment include a simplified method of obtaining policy from the APP-WE service for an app on the device. If not, you may skip this step. This forces the user to download the Company Portal on the device and complete the default enrollment flow before use.

Using Content Resolvers: The "transfer or receive" Intune policy may block or partially block the use of a content resolver to access the content provider in another app.
This will cause ContentResolver methods to return null or throw a failure value (for example, openOutputStream will throw FileNotFoundException if blocked). The app can determine whether a failure to write data through a content resolver was caused by policy, or would be caused by policy, by querying the policy for the identity in question.
In this second case, multi-identity apps must take care to set the thread identity appropriately or pass an explicit identity to a getPolicyForIdentity call.
The AndroidManifest. The service checks the caller to ensure that only the Company Portal is allowed to send notifications.

For this reason, it may not always be possible to use reflection to enumerate all methods of app components. This restriction is not limited to MAM; it is the same restriction that would apply if the app itself implemented these methods from the Android base classes.
There are known issues running the MAM SDK under Robolectric, because some Robolectric behaviors do not accurately mimic those of real devices or emulators. If you need to test your application under Robolectric, the recommended workaround is to move your Application class logic into a helper and build your unit-testing APK with an Application class that does not inherit from MAMApplication. The Intune SDK maintains the contract provided by the Android API, though failure conditions may be triggered more frequently as a result of policy enforcement.
These Android best practices will reduce the likelihood of failure. Android SDK functions that may return null have a higher likelihood of returning null now.
To minimize issues, ensure that null checks are in the right places. Avoid using any API in an ambiguous way. For example, using Activity.
Policy enforcement may affect service interactions. Methods that establish a bound service connection such as Context. Interacting with an established bound service may throw a SecurityException due to policy enforcement in Binder.
The Company Portal application logs system-generated data by default. This data is sent to Microsoft Intune. As per Microsoft policy, we do not collect any personal data.
If end users choose not to send this data, they must turn off telemetry under Settings in the Company Portal app. To learn more, see Turn off Microsoft usage data collection.

All library projects should share the same android:package where possible. This will not sporadically fail at run time; it is purely a build-time problem.
Note: You might want to first read the Intune App SDK overview, which covers the current features of the SDK and describes how to prepare for integration on each supported platform.
Note: When the Company Portal app is not on the device, an Intune-managed app behaves the same as a normal app that does not support Intune app protection policies.
Note: It is fine to run the tools against a project which has already performed partial or complete source integration of the MAM SDK through manual replacements.
Note: You must be using version 3.
Note: On Unix-like systems the semicolon is a command separator.
Note: The build tool does not currently support aar files.
Note: Apps should integrate with the SDK build tooling, which will perform all of these replacements automatically except for manifest replacements.
Note: If your app is integrating with SDK build tooling, the following class and method replacements are performed automatically.
Note: Do not set this field if your application is sovereign cloud aware.
Note: All apps are required to support app protection policy without device enrollment.
Note: The call may initiate a wipe to completely remove corporate data for the user.
Note: Ensure that your app utilizes the resourceId and the aadId parameters passed to acquireToken so that the correct token is acquired.
Note: Do not call updateToken from within your implementation of acquireToken.
Note: Support for sovereign cloud registration requires version 1.
Note: Do not set the com.
Note: Silent token acquisition will still be possible in acquireToken, because the user will already have been guided to install the broker and register the device before the MsalIntuneAppProtectionPolicyRequiredException exception is received.
Note: The notification receiver must be registered before calling remediateCompliance, to avoid a race condition that could result in the notification being missed.
Note: If you want to show a custom blocking UX during the remediation attempt, pass false for the showUX parameter to remediateCompliance.
Note: remediateCompliance will register the account and attempt enrollment.
Note: A lack of the correct app participation can result in data leaks and other security issues.
Note: Currently, only one Intune managed identity is supported per device.
Note: You can clear the identity of the app by setting it to null. The empty string may be used as an identity that will never have app protection policy.
Build tool options:
A semicolon-delimited list of jar files and directories of class files to modify.
A semicolon-delimited list of jar files and directories to store the modified classes to. There should be one output entry per input entry, and they should be listed in order.
A semicolon-delimited list of jar files and directories containing classes which have already been processed by a previous invocation of the build tool.
A semicolon-delimited list containing the names of the classes that should be excluded from rewriting.
Directory to write an HTML report about modified classes to. If not specified, no report is written.

Enrollment results:
This result indicates that a token was not provided by the app's registered [MAMServiceAuthenticationCallback] instance, or the provided token was invalid. The app should acquire a valid token and call updateToken if possible.
The app should continue in an unmanaged (normal) state and the user should not be blocked. Enrollments will be retried periodically in case the user becomes licensed in the future.
The enrollment attempt succeeded, or the user is already enrolled. Access to corporate data should be allowed.
The enrollment attempt failed. Further details can be found in the device logs. The app should not allow access to corporate data in this state, since it was previously determined that the user is licensed for Intune.
Only one user per device can enroll an app with the MAM service. This result indicates that the user for whom this result was delivered (the second user) is targeted with MAM policy, but a different user is already enrolled. If the human user answers in the affirmative, it will indeed be possible to enroll the second user a short time later. As long as the second user remains registered, MAM will retry enrollment periodically.
The unenrollment request failed. In general, this will not occur as long as the app passes a valid (neither null nor empty) UPN. There is no direct, reliable remediation the app can take.
The initial enrollment attempt for the user is in progress. The app can block access to corporate data until the enrollment result is known, but is not required to do so.
The user is licensed for Intune, but the app cannot be enrolled until the Company Portal app is installed on the device.
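An added example of acting on these enrollment results (written for this page; not code from the Intune documentation or the SDK): a notification receiver that is registered before any account is registered for MAM, records the result delivered for each UPN, and turns it into an allow/block decision. The SDK names used (MAMNotificationReceiver, MAMNotificationReceiverRegistry, MAMComponents, MAMNotification, MAMNotificationType.MAM_ENROLLMENT_RESULT, MAMEnrollmentNotification with getEnrollmentResult and getUserIdentity, MAMEnrollmentManager.Result and registerAccountForMAM) and their package paths are assumed from the public Intune App SDK API and are not stated on this page; the result constant names are likewise assumed, and the mapping of the cases the guide leaves to the app (PENDING, AUTHORIZATION_NEEDED, WRONG_USER) to "block" is this example's conservative choice.

```java
package com.example.multiidentity; // hypothetical app package

import android.util.Log;

// Assumed Intune App SDK types and packages (not shown on this page).
import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.MAMEnrollmentManager;
import com.microsoft.intune.mam.policy.notification.MAMEnrollmentNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;

import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Gates access on the enrollment result the SDK delivers for each registered account. */
public final class EnrollmentGate implements MAMNotificationReceiver {
    private static final String TAG = "EnrollmentGate";

    /** UPNs whose most recent enrollment result permits the user to proceed. */
    private final Set<String> allowed = ConcurrentHashMap.newKeySet();

    private EnrollmentGate() {}

    /** Register the receiver first; a result delivered before registration is lost. */
    public static EnrollmentGate install() {
        EnrollmentGate gate = new EnrollmentGate();
        MAMComponents.get(MAMNotificationReceiverRegistry.class)
                .registerReceiver(gate, MAMNotificationType.MAM_ENROLLMENT_RESULT);
        return gate;
    }

    /** Register the signed-in account; the outcome arrives asynchronously via onReceive. */
    public void register(String upn, String aadId, String tenantId) {
        allowed.remove(upn); // block until a result for this account is known (PENDING)
        MAMComponents.get(MAMEnrollmentManager.class).registerAccountForMAM(upn, aadId, tenantId);
    }

    public boolean isAccessAllowed(String upn) {
        return upn != null && allowed.contains(upn);
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        if (notification.getType() != MAMNotificationType.MAM_ENROLLMENT_RESULT) {
            return true;
        }
        MAMEnrollmentNotification n = (MAMEnrollmentNotification) notification;
        String upn = n.getUserIdentity();
        MAMEnrollmentManager.Result result = n.getEnrollmentResult();
        Log.i(TAG, "enrollment result for " + upn + ": " + result);
        if (upn == null) {
            return true;
        }
        if (allowsAccess(result)) {
            allowed.add(upn);
        } else {
            allowed.remove(upn);
        }
        return true;
    }

    /**
     * Only two results let the user proceed per the guide: ENROLLMENT_SUCCEEDED (policy is
     * now enforced) and NOT_LICENSED (not an Intune user, continue unmanaged, do not block).
     * ENROLLMENT_FAILED must block because the user is known to be licensed. The rest are
     * blocked here as a conservative default until a later result changes the picture.
     */
    static boolean allowsAccess(MAMEnrollmentManager.Result result) {
        switch (result) {
            case ENROLLMENT_SUCCEEDED:
            case NOT_LICENSED:
                return true;
            case AUTHORIZATION_NEEDED:    // acquire a valid token and call updateToken
            case PENDING:                 // first attempt still in progress
            case COMPANY_PORTAL_REQUIRED: // licensed, Company Portal must be installed first
            case ENROLLMENT_FAILED:       // licensed user, enrollment failed: must block
            case WRONG_USER:              // another user already enrolled this app
            default:
                return false;
        }
    }
}
```

Calling install() before register() is the point of the example: the receiver has to exist before the first enrollment attempt, otherwise the ENROLLMENT_SUCCEEDED or ENROLLMENT_FAILED result for that account can be missed and the gate stays in its blocked state.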