How to prepare your LOB app for Intune?

December 10, 2016


One of the aspects of Intune I struggled with was wrapping an LOB app. At first it feels like just wrapping the app is enough, but you need to understand some subtle architectural aspects to get the wrapping right.

App features

To get started, here are the relevant features of the app.


  • The app uses Azure AD authentication.
  • The app is a hybrid app built with Cordova (supports iOS and Android).
  • The app communicates with SharePoint Online (via REST) and is registered as an Azure AD native application, so conditional access is involved.
  • "Send logs via email": this feature matters because wrapping the application restricts email and data-sharing capabilities according to the MAM policy.

Intune Way

You can wrap the application in two ways:
  • Using the Intune App Wrapping Tool
  • Using the Intune App SDK Cordova plugin
See the Intune documentation for more details.

The Intune wrapping tool is pretty straightforward, but I had issues while wrapping a Salesforce SDK-based application. I could sail through the iOS issues and make the application work, but I could never make the Android version work, as there are conflicts. I will share that experience in another post.


When it came to the Intune SDK, the integration experience was better. If you look at the feature comparison, the SDK has a little more to offer. But I suggest you weigh your options based on the checklist provided in the article.

There are two deployment models:

  1. Pure MAM, i.e. MAM without device enrollment (configured in the Azure portal)
  2. MAM with MDM (configured in the Intune portal, manage.microsoft.com)
Pure MAM is straightforward: your job is done once you wrap the app. The tricky part is enabling brokered authentication, because the app accesses SharePoint Online data and conditional access is enabled.

But first things first. The app uses https://github.com/AzureAD/azure-activedirectory-library-for-cordova (the ADAL Cordova plugin) for Azure AD authentication, and brokered authentication is configured through it.

Gotchas!


Your Plist file looks as below. 

Brokered Authentication 

  • Please read https://docs.microsoft.com/en-us/intune/deploy-use/use-apps-with-mam-ca to understand how brokered authentication actually works.
  • On Android the Company Portal app acts as the broker. On iOS you need the Azure Authenticator app as the broker, along with the Company Portal app.
  • Android (app identifier: com.jda.internal.mytestapp)
    1. Microsoft.ADAL.AuthenticationSettings.setUseBroker(true) is needed only on Android. iOS doesn't need it, because the iOS broker is invoked through URL schemes.
    2. The next step is to prepare a redirect URI. The modified full code is at https://gist.github.com/pradeepkumargali/70322dd0270e386f98686674fdbb10af
    3. The command in the gist gives you the Base64UrlencodedSignature (the base64 SHA-1 hash of the app's signing certificate). The actual URI looks like msauth://com.jda.internal.mytestapp/ga0RGNYHvNM5d0SLGQfpQWAPGJ8= . Note that ADAL URL-encodes the hash, so base64 characters such as a trailing = show up as %3D in the URI it expects you to register.
    4. If your URI is not right, check the JS console: the error states exactly which URI must be configured as the Azure AD redirect URI.
  • iOS
    • Apart from the Plist entries, there is nothing to do in app code for iOS. But make sure the Azure Authenticator app is on the device along with the Company Portal app. Otherwise ADAL redirects the app to the O365 login page and asks you to enroll; once you click Enroll, it takes you to Company Portal, which errors that the app is not set up in the Intune portal.
    • The redirect URI still has to be configured as an Azure AD redirect URI:
      • x-msauth-com-jda-internal-mytestapp://com.jda.internal.mytestapp
