Microsoft Intune: Wrapping Android Applications

July 24, 2015 at 3:27 pm in Uncategorized by nsienaert


Hi All,

In May Microsoft released the App Wrapping tool for Android ( ) which is another great milestone in the MAM capabilities of Microsoft Intune.

I saw already some blogs where the blogger just executes the Powershell Wrapper script to create a new wrapped APK file. So far so good but that’s not enough that will never work… you know why?

Android wrapped Apps need to be signed and that’s a requirement of Android.

If we talk about signing we need a private key that needs to be created. You can do this by executing the following keytool command, which is part of your Java Installer:

keytool -genkey -v -keystore my-release-key.keystore
-alias alias_name -keyalg RSA -keysize 2048 -validity 10000

More info can be found here:

Once you have generated the private key, it’s time to use the App Wrapper with the following command line:

PS C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool> invoke-appwrappingtool -inputpath <path>\Notepad.apk -outputpath <path>\notepad_wrappedv2.apk -keystorepath "C:\Program Files (x86)\Java\jre1.8.0_45\bin\<keystorename>.keystore" -keyalias <aliasname> –SigAlg SHA1withRSA

If you execute this you will be prompted for the KeyStorePassword and KeyPassword which you have generated during the procedure to create your private key.

If everything goes well you will see after a while (depending on the size of your app) that your app is wrapped successfully.


So now we have a wrapped APK file that we can distribute with Configuration Mananger (CM) or Intune. In this example I use the Hybrid.

You link a MAM policy to your deployment:


You install the App form the SSP and voilà:


Attentive people noticed probably a “strange” switch in the command line: –SigAlg SHA1withRSA

You need this switch if you wrap applications on Android versions earlier than 4.3 Jelly Bean as they do not support apps signed by SHA256 and the App Wrapper is attempting to use the keystore’s default signing which is “SHA256withRSA”.

If you use the parameter “–SigAlg SHA1withRSA” you will be unblocked.


Hope you liked it!

Till next time

Nico Sienaert (@nsienaert)