First published on CloudBlogs on Feb 25, 2015
When an application is wrapped using the
Microsoft Intune App Wrapping Tool for iOS
, you need to resign the application with a particular certificate and profile. In this blog post, I’m going to walk through how to obtain these files and how to use them to wrap an application so that you can deploy line-of-business (LOB) applications to employees in your organization.
NOTE:
If you intend to wrap an app that will be deployed through the App Store, you should not use the Intune App Wrapping Tool. Instead, the app should be integrated with the Intune App SDK which will be made available over the coming months. We will also be making available an Intune App Wrapping Tool for Android soon.
Prerequisites to run the App Wrapping Tool for iOS
-
Microsoft Intune App Wrapping Tool for iOS
-
Apple Enterprise Developer Account
-
Mac OS X 10.8.5+
-
Input App (.ipa) 7.0+ (Note: If you have apps that are built pre-iOS 7.0, you’ll need to recompile them in Xcode targeted to a later version of iOS)
-
Apple Enterprise Developer Supplied:
-
In-house distribution provisioning profile
-
In-house & ad-hoc distribution signing certificate with valid Team Identifier
-
Client ID (optional – used with AAD integration)
-
Reply URI (optional – used with AAD integration)
To learn more about Azure Active Directory (AAD) integration,
click here
.
Steps to obtain the App Wrapping Tool for iOS
-
Navigate to the
Microsoft Download Center page for the App Wrapping Tool
-
Select the language you’d like the tool for
-
Read through the details and system requirements
-
Click
Download
to download the tool
-
After the tool has downloaded, double click the downloaded file and read the EULA
-
After accepting the EULA, copy the files to a local directory
Steps to create an Apple Enterprise Developer Account
To distribute wrapped apps to employees, an Enterprise Developer Account is required. You will need a Legal Entity Name,
DUNS Number
, and payment information to create the account. If you already have an Apple Enterprise Developer Account, you can proceed to the next section on creating a signing certificate.
-
Navigate to the
Apple Developer Enterprise Program site
-
Click
Enroll
-
Read the requirements to enroll in the Apple Developer Enterprise Program. Click
Start Your Enrollment
-
Click
Create Apple ID
(or enter your credentials and click
Sign In
if you already have an organizational Apple ID)
-
Select your entity type and click
Continue
-
Fill out the Apple Developer Enterprise Program Enrollment form and payment info
-
At this point, you will be contacted by Apple to verify that you are authorized to enroll
-
After verification, you will be asked to
Agree to License
-
After agreement, finish by purchasing and activating the program
Steps to create a Signing Certificate
-
Navigate to the
Apple Developer Center
-
Click
Account
and sign in with your account
-
Click
Certificates, IDs & Profiles
-
While under Certificates on the left hand side, click the
+
button in the top right corner. Choose
In-House and Ad Hoc
certificate under
Production
-
Click
Next
to create a signing request
-
Follow the instructions to create a Certificate Signing Request.
Keychain Access
looks like this (to open click the “Spyglass” in the top right corner and type in
Keychain Access
):
-
Create the signing certificate request as outlined on the developer website
-
When created, upload the signing certificate request to the developer website and follow the prompts to generate your certificate
-
Download your certificate and save it to an easy-to-access location
Steps to create a Provisioning Profile
-
Click
Account
and sign in with your account
-
Click
Certificates, IDs & Profiles
-
While under
Provisioning Profiles
on the left hand side, click the
+
button in the top right corner. Choose
In-House
profile under
Distribution
-
Click
Continue.
Link the previously generated certificate to the profile
-
Follow the steps to download your profile
-
Save the file. This file will be used for the –p parameter (Provisioning Profile) while using the App Wrapping Tool.
Steps to obtain the Certificate Hash and Team Identifier
-
Locate the Certificate that you downloaded and saved
-
Double click the certificate and click
Add
-
Open
Keychain Access
(Click the “Spyglass” in the top right corner and type in
Keychain Access
)
-
Locate your certificate by searching in the top right search bar of
Keychain Access
-
Right click on the certificate and select
Get Info
-
Scroll to the bottom. On the left hand side, under
Fingerprints
, you’ll see a field labeled
SHA1
. Copy this string. This will be used for the –c parameter while using the App Wrapping Tool.
Verify your certificate's Team Identifier
Your certificate and provisioning profile must have a team identifier that is compatible with iOS 8. Older certificates may not include this identifier, and you’ll need to make a new certificate request if this is the case. To check if your certificate has a team identifier:
-
On the same get info page where you found your SHA1 hash, scroll back to the top.
-
There should be a heading titled
Subject Name
. Under
Subject Name
, make sure there is a value for
Organizational Unit
. It should look something like this:
NOTE:
If this doesn’t appear for your certificate, refer back to the section titled
Create a Signing Certificate
Steps to run the App Wrapping Tool for iOS
-
Open
Terminal
(Click the “Spyglass” in the top right corner and type in
Terminal
)
-
Navigate to the directory of the App Wrapping Tool
-
Provide all of the input parameters. To learn more about what each parameter is,
refer to Step 3 in the documentation
. You can also pull up the help menu using the –h parameter in the tool. The inputs should look something like this:
The command looks like this:
./IntuneMAMPackager.app/Contents/MacOS/IntuneMAMPackager
–i /<path of input app>/<app filename>
-o /<path to output folder>/<app filename>
–p /<path to provisioning profile>
–c <SHA1 hash of the certificate>
-a <client ID of input app>
-r <reply URI of input app>
-v true
4. Type
Enter
. Your app will be wrapped
5. Navigate to your output directory to find your wrapped app. The input files will look like this:
And the output files (including the wrapped app) will look like this:
You now should have everything that you need in order to deploy the wrapped app to your employees using
Microsoft Intune.
To learn more about how to deploy your wrapped apps, see the technical article on
Deploying software to mobile devices in Microsoft Intune
.
Additional resources
For more information on using the App Wrapping Tool, see the technical article on
Preparing apps for mobile application management with the Microsoft Intune App Wrapping Tool for...
in the Microsoft Intune Documentation Library. You can also learn more about how to control apps using mobile application management policies with Microsoft Intune by visiting
here.
NOTE:
At the time of writing this blog post, the steps to obtain the pre-requisites (provided above) are up-to-date, but these steps could change over time. For complete documentation and future updates, visit the
Apple Developer Website topic here
.
- Phil Getzen, Program Manager