Prepare Android apps for app protection policies with the Intune App Wrapping Tool

Applies to: Intune
This topic applies to Intune in both the Azure portal and the classic portal.

Use the Microsoft Intune App Wrapping Tool for Android to change the behavior of your in-house Android apps by restricting features of the app without changing the code of the app itself.

The tool is a Windows command-line application that runs in PowerShell and creates a wrapper around your Android app. After the app is wrapped, you can change the app's functionality by configuring mobile application management policies in Intune.

Before running the tool, review Security considerations for running the App Wrapping Tool. To download the tool, go to the Microsoft Intune App Wrapping Tool for Android on GitHub.

Fulfill the prerequisites for using the App Wrapping Tool

  • You must run the App Wrapping Tool on a Windows computer running Windows 7 or later.

  • Your input app must be a valid Android application package with the file extension .apk and:

    • It cannot be encrypted.
    • It must not have previously been wrapped by the Intune App Wrapping Tool.
    • It must be written for Android 4.0 or later.
  • The app must be developed by or for your company. You cannot use this tool on apps downloaded from the Google Play Store.

  • To run the App Wrapping Tool, you must install the latest version of the Java Runtime Environment and then ensure that the Java path variable has been set to C:\ProgramData\Oracle\Java\javapath in your Windows environment variables. For more help, see the Java documentation.


    In some cases, the 32-bit version of Java may result in memory issues. It's a good idea to install the 64-bit version.

  • Android requires all app packages (.apk) to be signed. For reusing existing certificates and overall signing certificate guidance, see Reusing signing certificates and wrapping apps. The Java executable keytool.exe is used to generate the new credentials needed to sign the wrapped output app. Any passwords that are set must be secure, but make a note of them because they're needed to run the App Wrapping Tool.

  • (Optional) Enable Multidex within the input app. Sometimes an app may hit the Dalvik Executable (DEX) size limit because of the Intune MAM SDK classes that are added during wrapping. DEX files are a part of the compilation of an Android app. In this scenario, the best practice is to enable Multidex within the app itself. In certain organizations, this may require working with whoever compiles the app (i.e., the app build team).

Install the App Wrapping Tool

  1. From the GitHub repository, download the installation file InstallAWT.exe for the Intune App Wrapping Tool for Android to a Windows computer. Open the installation file.

  2. Accept the license agreement, then finish the installation.

Note the folder to which you installed the tool. The default location is: C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool.

Run the App Wrapping Tool

  1. On the Windows computer where you installed the App Wrapping Tool, open a PowerShell window.

  2. From the folder where you installed the tool, import the App Wrapping Tool PowerShell module:

    Import-Module .\IntuneAppWrappingTool.psm1
  3. Run the tool by using the Invoke-AppWrappingTool command, which has the following usage syntax:

    Invoke-AppWrappingTool [-InputPath] <String> [-OutputPath] <String> -KeyStorePath <String> -KeyStorePassword <SecureString>
    -KeyAlias <String> -KeyPassword <SecureString> [-SigAlg <String>] [<CommonParameters>]

    The following table details the properties of the Invoke-AppWrappingTool command:

    Property | Information | Example
    -InputPath <String> | Path of the source Android app (.apk). |
    -OutputPath <String> | Path to the output Android app. If this is the same directory path as InputPath, the packaging will fail. |
    -KeyStorePath <String> | Path to the keystore file that has the public/private key pair for signing. By default, keystore files are stored in "C:\Program Files (x86)\Java\jreX.X.X_XX\bin". |
    -KeyStorePassword <SecureString> | Password used to decrypt the keystore. Android requires all application packages (.apk) to be signed. Use Java keytool to generate the KeyStorePassword. Read more about Java KeyStore here. |
    -KeyAlias <String> | Name of the key to be used for signing. |
    -KeyPassword <SecureString> | Password used to decrypt the private key that will be used for signing. |
    -SigAlg <String> | (Optional) The name of the signature algorithm to be used for signing. The algorithm must be compatible with the private key. | SHA256withRSA, SHA1withRSA
    <CommonParameters> | (Optional) The command supports common PowerShell parameters like verbose and debug. For a list of common parameters, see the Microsoft Script Center. |

  • To see detailed usage information for the tool, enter the command:

    Help Invoke-AppWrappingTool


Import the PowerShell module.

    Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

Run the App Wrapping Tool on the native app HelloWorld.apk.

    Invoke-AppWrappingTool -InputPath .\app\HelloWorld.apk -OutputPath .\app_wrapped\HelloWorld_wrapped.apk -KeyStorePath "C:\Program Files (x86)\Java\jre1.8.0_91\bin\mykeystorefile" -KeyAlias mykeyalias -SigAlg SHA1withRSA -Verbose

You will then be prompted for KeyStorePassword and KeyPassword. Enter the credentials you used to create the keystore file.

The wrapped app and a log file are generated and saved in the output path you specified.
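The following script is an added example for this article, not code from the App Wrapping Tool or its documentation. It runs the same wrap as above but applies the prerequisites first: it rejects a non-.apk input, refuses an output directory equal to the input directory (the tool fails in that case), creates a keystore with keytool.exe only if one does not already exist, and reads both passwords as SecureString, matching the parameter types in the usage syntax. It assumes the tool is in its default install folder and that keytool.exe is on the PATH through the Java path variable; the file paths, key alias and certificate name are hypothetical.

```powershell
# Added example (not part of the original page): wrap HelloWorld.apk end to end, with the
# prerequisite checks from this article applied before the tool runs.
# Paths, alias and certificate subject below are hypothetical values.
$ToolModule = 'C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1'
$InputApk   = '.\app\HelloWorld.apk'
$OutputApk  = '.\app_wrapped\HelloWorld_wrapped.apk'
$KeyStore   = "$env:USERPROFILE\wrapping\mykeystorefile"   # keystore kept in a user-level folder
$KeyAlias   = 'mykeyalias'

function Get-ParentFullPath([string]$Path) {
    # Resolve the containing directory; a bare file name means the current location.
    $parent = Split-Path -Path $Path -Parent
    if (-not $parent) { $parent = '.' }
    return (Resolve-Path -LiteralPath $parent).Path
}

function Test-WrapInputs {
    param([string]$InputPath, [string]$OutputPath)
    if ([IO.Path]::GetExtension($InputPath) -ne '.apk') { throw "Input must be an .apk file: $InputPath" }
    if (-not (Test-Path -LiteralPath $InputPath)) { throw "Input app not found: $InputPath" }
    $outDir = Split-Path -Path $OutputPath -Parent
    if ($outDir -and -not (Test-Path -LiteralPath $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
    # The tool fails when input and output share a directory (see the -OutputPath row above).
    if ((Get-ParentFullPath $OutputPath) -eq (Get-ParentFullPath $InputPath)) {
        throw 'OutputPath must not be in the same directory as InputPath'
    }
}

function New-WrapSigningKey {
    param([string]$KeyStorePath, [string]$Alias)
    if (Test-Path -LiteralPath $KeyStorePath) { return }   # reuse the existing keystore (see the signing section)
    $dir = Split-Path -Path $KeyStorePath -Parent
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # keytool prompts for the keystore and key passwords; record them, the tool needs both below.
    & keytool -genkeypair -v -keystore $KeyStorePath -alias $Alias -keyalg RSA -keysize 2048 `
        -sigalg SHA256withRSA -validity 10000 -dname 'CN=Contoso LOB Signing, O=Contoso'
    if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }
}

Import-Module $ToolModule -ErrorAction Stop
Test-WrapInputs -InputPath $InputApk -OutputPath $OutputApk
New-WrapSigningKey -KeyStorePath $KeyStore -Alias $KeyAlias

# Both passwords are SecureString, as the usage syntax for Invoke-AppWrappingTool requires.
$storePwd = Read-Host -Prompt 'Keystore password' -AsSecureString
$keyPwd   = Read-Host -Prompt "Key password for alias $KeyAlias" -AsSecureString

Invoke-AppWrappingTool -InputPath $InputApk -OutputPath $OutputApk `
    -KeyStorePath $KeyStore -KeyStorePassword $storePwd `
    -KeyAlias $KeyAlias -KeyPassword $keyPwd -SigAlg SHA256withRSA -Verbose

if (-not (Test-Path -LiteralPath $OutputApk)) { throw 'Wrapping produced no output app; check the log in the output folder' }
Write-Host "Wrapped app written to $OutputApk"
```

Passing the passwords as SecureString objects, rather than on the command line as plain text, keeps them out of the PowerShell history and out of any transcript of the session; the keystore is created under the user profile so that it stays on the wrapping computer, as the security considerations later in this article ask.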

How often should I rewrap my Android application with the Intune App Wrapping Tool?

The main scenarios in which you would need to rewrap your applications are as follows:

  • The application itself has released a new version. The previous version of the app was wrapped and uploaded to the Intune console.
  • The Intune App Wrapping Tool for Android has released a new version that enables key bug fixes, or new, specific Intune application protection policy features. This happens every 6-8 weeks through the GitHub repo for the Microsoft Intune App Wrapping Tool for Android.

Some best practices for rewrapping include:

Reusing signing certificates and wrapping apps

Android requires that all apps be signed by a valid certificate in order to be installed on Android devices.

Wrapped apps can be signed either as part of the wrapping process or after wrapping using your existing signing tools (any signing information in the app before wrapping is discarded).

If possible, the signing information that was already used during the build process should be used during wrapping. In certain organizations, this may require working with whoever owns the keystore information (i.e., the app build team).

If the previous signing certificate cannot be used, or the app has not been deployed before, you may create a new signing certificate by following the instructions in the Android Developer Guide.

If the app has been deployed previously with a different signing certificate, the app can't be uploaded to Intune after upgrade. App upgrade scenarios will be broken if your app is signed with a different certificate than the one the app is built with. As such, any new signing certificates should be maintained for app upgrades.
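The following script is an added example, not part of this article or of the App Wrapping Tool. It checks, before anything is uploaded to Intune, that a newly wrapped app is signed with the same certificate as the version already deployed, so the upgrade scenario described above is not broken: it reads the signer certificate fingerprints from both packages with keytool.exe and compares them. It assumes keytool.exe is on the PATH and that both APKs carry a JAR (v1) signature that keytool -printcert -jarfile can read; the file paths are hypothetical.

```powershell
# Added example (not part of the original page): compare the signer certificate of the
# deployed package with the one just wrapped. Assumes keytool.exe is on the PATH.
function Get-ApkSignerFingerprints {
    param([Parameter(Mandatory)][string]$ApkPath)
    if (-not (Get-Command keytool -ErrorAction SilentlyContinue)) { throw 'keytool.exe is not on the PATH' }
    if (-not (Test-Path -LiteralPath $ApkPath)) { throw "Package not found: $ApkPath" }
    # keytool -printcert -jarfile prints every signer certificate embedded in the package,
    # including a "SHA256:" fingerprint line for each one.
    $output = & keytool -printcert -jarfile $ApkPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool could not read ${ApkPath}: $output" }
    $fingerprints = foreach ($line in $output) {
        if ("$line" -match 'SHA256:\s*([0-9A-Fa-f:]+)') { $Matches[1].ToUpperInvariant() }
    }
    return @($fingerprints | Sort-Object -Unique)
}

function Test-SameSigner {
    param([string]$DeployedApk, [string]$WrappedApk)
    $old = Get-ApkSignerFingerprints -ApkPath $DeployedApk
    $new = Get-ApkSignerFingerprints -ApkPath $WrappedApk
    if ($old.Count -eq 0 -or $new.Count -eq 0) { throw 'No signer certificate found in one of the packages' }
    # Any difference in the fingerprint sets means a different signing certificate was used.
    if (Compare-Object -ReferenceObject $old -DifferenceObject $new) {
        Write-Warning 'Signer certificate changed: Intune will not accept this package as an upgrade of the deployed app.'
        Write-Warning "Deployed: $($old -join ', ')"
        Write-Warning "Wrapped:  $($new -join ', ')"
        return $false
    }
    Write-Host "Signer certificate matches the deployed version: $($old -join ', ')"
    return $true
}

# Hypothetical paths: the package currently deployed through Intune and the new wrapped build.
$ok = Test-SameSigner -DeployedApk '.\deployed\HelloWorld_wrapped_v1.apk' -WrappedApk '.\app_wrapped\HelloWorld_wrapped.apk'
if (-not $ok) { exit 1 }
```

Run this as the last step of every rewrap; a mismatch here is cheaper to discover on the wrapping computer than after the upload to Intune fails or devices refuse the upgrade.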

Security considerations for running the App Wrapping Tool

To prevent potential spoofing, information disclosure, and elevation of privilege attacks:

  • Ensure that the input line-of-business (LOB) application, output application, and Java KeyStore are on the same Windows computer where the App Wrapping Tool is running.

  • Import the output application to Intune on the same machine where the tool is running. See keytool for more about Java keytool.

  • If the output application and the tool are on a Universal Naming Convention (UNC) path and you are not running the tool and input files on the same computer, set up the environment to be secure by using Internet Protocol Security (IPsec) or Server Message Block (SMB) signing.

  • Ensure that the application is coming from a trusted source.

  • Secure the output directory that has the wrapped app. Consider using a user-level directory for the output.
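The following script is an added example, not part of this article or of the App Wrapping Tool, that turns the considerations above into checks you can run before wrapping: it warns when the input app, keystore or output folder is on a UNC path or a mapped network drive, verifies the input APK against a SHA-256 hash supplied by the app's build team (a way to confirm the app comes from a trusted source), and creates the output directory under the user's local profile with an access control list limited to the current account. The paths are hypothetical and the expected hash is a placeholder to replace with the real value.

```powershell
# Added example (not part of the original page): environment checks before wrapping.
# Paths are hypothetical; the expected hash is a placeholder, not a real value.
$InputApk       = '.\app\HelloWorld.apk'
$KeyStore       = "$env:USERPROFILE\wrapping\mykeystorefile"
$OutputDir      = "$env:LOCALAPPDATA\IntuneWrap\output"   # user-level directory, as recommended above
$ExpectedSha256 = '<SHA256 FROM THE BUILD TEAM>'         # placeholder: hash published by whoever built the app

function Test-LocalPath {
    param([string]$Path)
    # Expand relative to the PowerShell location without requiring the path to exist yet.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    if ($full.StartsWith('\\')) { return $false }   # UNC path (\\server\share)
    $drive = Get-PSDrive -Name $full.Substring(0, 1) -PSProvider FileSystem -ErrorAction SilentlyContinue
    # A mapped network drive reports its UNC target in DisplayRoot.
    if ($drive -and $drive.DisplayRoot -and $drive.DisplayRoot.StartsWith('\\')) { return $false }
    return $true
}

function Assert-TrustedInput {
    param([string]$ApkPath, [string]$Sha256)
    $actual = (Get-FileHash -LiteralPath $ApkPath -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) { throw "Hash mismatch for $ApkPath (got $actual, expected $Sha256); do not wrap it" }
}

function New-PrivateOutputDirectory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop the inherited entries
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)   # only the wrapping user can read the wrapped app and its log
    Set-Acl -LiteralPath $Path -AclObject $acl
    return (Resolve-Path -LiteralPath $Path).Path
}

foreach ($p in @($InputApk, $KeyStore, $OutputDir)) {
    if (-not (Test-LocalPath $p)) {
        Write-Warning "$p is on a network path; move it to this computer or protect the link with IPsec or SMB signing"
    }
}
Assert-TrustedInput -ApkPath $InputApk -Sha256 $ExpectedSha256
$OutputDir = New-PrivateOutputDirectory -Path $OutputDir
Write-Host "Output folder $OutputDir is restricted to $env:USERNAME; pass a file in it to -OutputPath"
```

The hash check only helps if the expected value reaches you over a channel separate from the APK itself; the ACL on the output folder protects the wrapped app and its log file until they are imported into Intune from this same machine.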

Requiring a user login prompt for automatic APP-WE service enrollment, requiring Intune app protection policies in order to use your wrapped Android LOB app, and enabling ADAL SSO (optional)

The following is guidance for requiring a user prompt on app launch for an automatic APP-WE service enrollment (we call this default enrollment in this section) and for requiring Intune app protection policies so that only Intune-protected users can use your wrapped Android LOB app. It also covers how to enable SSO for your wrapped Android LOB app.


The benefits of default enrollment include a simplified method of obtaining policy from the APP-WE service for an app on the device.

General Requirements

  • The Intune SDK team will require your app's Application ID. A way to find this is through the Azure Portal, under All Applications, in the column for Application ID. A good way to reach out to the Intune SDK team is by emailing msintuneappsdk@microsoft.com.

Working with the Intune SDK

These instructions are specific to all Android and Xamarin apps that want to require Intune app protection policies for use on an end-user device.

  1. Configure ADAL using the steps defined in the Intune SDK for Android guide.


    The term "client id" tied to your app is the same as the term "application id" from the Azure Portal tied to your app.

  • To enable SSO, "Common ADAL configuration" #2 is what is needed.
  2. Enable default enrollment by putting the following value in the manifest:

    <meta-data android:name="com.microsoft.intune.mam.DefaultMAMServiceEnrollment" android:value="true" />


    This must be the only MAM-WE integration in the app. If there are any other attempts to call MAMEnrollmentManager APIs, conflicts can arise.

  3. Enable MAM policy required by putting the following value in the manifest:

    <meta-data android:name="com.microsoft.intune.mam.MAMPolicyRequired" android:value="true" />


    This forces the user to download the Company Portal on the device and complete the default enrollment flow before use.

See also