Skip to content

Enterprise Mobility + Security


When an application is wrapped using the Microsoft Intune App Wrapping Tool for iOS, you need to resign the application with a particular certificate and profile. In this blog post, I’m going to walk through how to obtain these files and how to use them to wrap an application so that you can deploy line-of-business (LOB) applications to employees in your organization.

NOTE: If you intend to wrap an app that will be deployed through the App Store, you should not use the Intune App Wrapping Tool. Instead, the app should be integrated with the Intune App SDK which will be made available over the coming months. We will also be making available an Intune App Wrapping Tool for Android soon.

Prerequisites to run the App Wrapping Tool for iOS

  • Microsoft Intune App Wrapping Tool for iOS
  • Apple Enterprise Developer Account
  • Mac OS X 10.8.5+
  • Input App (.ipa) 7.0+ (Note: If you have apps that are built pre-iOS 7.0, you’ll need to recompile them in Xcode targeted to a later version of iOS)
  • Apple Enterprise Developer Supplied:
    • In-house distribution provisioning profile
    • In-house & ad-hoc distribution signing certificate with valid Team Identifier
  • Client ID (optional – used with AAD integration)
  • Reply URI (optional – used with AAD integration)

To learn more about Azure Active Directory (AAD) integration, click here.

Steps to obtain the App Wrapping Tool for iOS

  1. Navigate to the Microsoft Download Center page for the App Wrapping Tool
  2. Select the language you’d like the tool for
  3. Read through the details and system requirements
  4. Click Download to download the tool
  5. After the tool has downloaded, double click the downloaded file and read the EULA
  6. After accepting the EULA, copy the files to a local directory

Steps to create an Apple Enterprise Developer Account

To distribute wrapped apps to employees, an Enterprise Developer Account is required. You will need a Legal Entity Name, DUNS Number, and payment information to create the account. If you already have an Apple Enterprise Developer Account, you can proceed to the next section on creating a signing certificate.

  1. Navigate to the Apple Developer Enterprise Program site
  2. Click Enroll
  3. Read the requirements to enroll in the Apple Developer Enterprise Program. Click Start Your Enrollment
  4. Click Create Apple ID (or enter your credentials and click Sign In if you already have an organizational Apple ID)
  5. Select your entity type and click Continue
  6. Fill out the Apple Developer Enterprise Program Enrollment form and payment info
  7. At this point, you will be contacted by Apple to verify that you are authorized to enroll
  8. After verification, you will be asked to Agree to License
  9. After agreement, finish by purchasing and activating the program

Steps to create a Signing Certificate

  1. Navigate to the Apple Developer Center
  2. Click Account and sign in with your account
  3. Click Certificates, IDs & Profiles
  4. While under Certificates on the left hand side, click the + button in the top right corner. Choose In-House and Ad Hoc certificate under Production
  5. Click Next to create a signing request
  6. Follow the instructions to create a Certificate Signing Request. Keychain Access looks like this (to open click the “Spyglass” in the top right corner and type in Keychain Access):      
  7.   Create the signing certificate request as outlined on the developer website   
  8. When created, upload the signing certificate request to the developer website and follow the prompts to generate your certificate
  9. Download your certificate and save it to an easy-to-access location

Steps to create a Provisioning Profile

  1. Click Account and sign in with your account
  2. Click Certificates, IDs & Profiles
  3. While under Provisioning Profiles on the left hand side, click the + button in the top right corner. Choose In-House profile under Distribution
  4. Click Continue. Link the previously generated certificate to the profile
  5. Follow the steps to download your profile
  6. Save the file. This file will be used for the –p parameter (Provisioning Profile) while using the App Wrapping Tool.

Steps to obtain the Certificate Hash and Team Identifier

  1. Locate the Certificate that you downloaded and saved
  2. Double click the certificate and click Add  
  3. Open Keychain Access (Click the “Spyglass” in the top right corner and type in Keychain Access)
  4. Locate your certificate by searching in the top right search bar of Keychain Access
  5. Right click on the certificate and select Get Info
  6. Scroll to the bottom. On the left hand side, under Fingerprints, you’ll see a field labeled SHA1. Copy this string. This will be used for the –c parameter while using the App Wrapping Tool.

Verify your certificate’s Team Identifier

Your certificate and provisioning profile must have a team identifier that is compatible with iOS 8. Older certificates may not include this identifier, and you’ll need to make a new certificate request if this is the case. To check if your certificate has a team identifier:

  1. On the same get info page where you found your SHA1 hash, scroll back to the top.
  2. There should be a heading titled Subject Name. Under Subject Name, make sure there is a value for Organizational Unit. It should look something like this:

NOTE: If this doesn’t appear for your certificate, refer back to the section titled Create a Signing Certificate 

Steps to run the App Wrapping Tool for iOS

  1. Open Terminal (Click the “Spyglass” in the top right corner and type in Terminal)
  2. Navigate to the directory of the App Wrapping Tool
  3. Provide all of the input parameters. To learn more about what each parameter is, refer to Step 3 in the documentation. You can also pull up the help menu using the –h parameter in the tool. The inputs should look something like this: The command looks like this:

./IntuneMAMPackager.app/Contents/MacOS/IntuneMAMPackager

–i /<path of input app>/<app filename>

-o /<path to output folder>/<app filename>

–p /<path to provisioning profile>

–c <SHA1 hash of the certificate>

-a <client ID of input app>

-r <reply URI of input app>

-v true

4. Type Enter. Your app will be wrapped

5. Navigate to your output directory to find your wrapped app. The input files will look like this:

And the output files (including the wrapped app) will look like this:

You now should have everything that you need in order to deploy the wrapped app to your employees using Microsoft Intune. To learn more about how to deploy your wrapped apps, see the technical article on Deploying software to mobile devices in Microsoft Intune.

Additional resources

For more information on using the App Wrapping Tool, see the technical article on Preparing apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS in the Microsoft Intune Documentation Library. You can also learn more about how to control apps using mobile application management policies with Microsoft Intune by visiting here.

NOTE: At the time of writing this blog post, the steps to obtain the pre-requisites (provided above) are up-to-date, but these steps could change over time. For complete documentation and future updates, visit the Apple Developer Website topic here.

 

– Phil Getzen, Program Manager