How to wrap Android Line of Business apps with Intune App Wrapping Tool

Microsoft recently released the Microsoft Intune App Wrapping Tool for Android that allows you to take your Line of Business (LOB) apps and make them managed. By making an app managed, you add an extra layer of restrictions around the app to restrict operations like cut, copy and paste or open web links in a managed browser. It’s important to know that you cannot simply download an apk file from the Google Play store and wrap that, it has to be an app that was developed for your business or by you.


  • Prerequisites
  • App requirements
  • Wrapping an app


Before you can go ahead and wrap your LOB app, there’s a few prerequisites that needs to be taken care of first. First off, I strongly suggest that you use a seperate virtual machine for wrapping apps since Java Runtime Environment is used for wrapping, and you should not install that on your Primary Site server. So spin up a virtual machine with Windows 7 SP1 or later and perform the following tasks:

  • Install the latest available version of Java Runtime Environment
  • Install Intune App Wrapping Tool for Android

Install Java Runtime Environment

This process is pretty straight forward, like installing any other application. On your virtual machine, browse to the following link:
Once you’ve installed Java Runtime Environment, we need to make sure that the installation successfully added a path to your systems environment path. We can check and remediate that by running the following PowerShell script:

$JavaPath = Join-Path -Path $($env:SystemDrive) -ChildPath "ProgramData\Oracle\Java\javapath"
$CurrentEnvironmentPath = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name PATH | Select-Object -ExpandProperty Path
if (-not($CurrentEnvironmentPath | Select-String -SimpleMatch $JavaPath)) {
    Write-Output -InputObject "Java path not found, adding it"
    $NewEnvironmentPath = $CurrentEnvironmentPath + ";" + $JavaPath
    Set-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH –Value $NewEnvironmentPath
else {
    Write-Output -InputObject "Java path found, no action needed"

1. Save the above script as Set-JavaPath.ps1 to e.g. C:\Scripts on your virtual machine where you’ve installed Java Runtime Environment.
2. Open an elevated PowerShell console and browse to C:\Scripts.
3. Run the following command:


If the script outputs Java Path found, no action needed, you’re all set. If the path wasn’t updated successfully,the script will output that it has added the required path.

Install Intune App Wrapping Tool for Android

Download the Intune App Wrapping Tool for Android from the following location:
1. Run InstallAWT.exe.
2. Accept the license terms and click Next.
3. Let the tool be installed in the default location and click Install.
4. Once the installation has completed, click Done.

App requirements

In order to successfully wrap your App, it needs to fulfill the following:

  • Your input app must be a valid Android application package with the extension .apk file and:
    • Cannot be encrypted
    • Must not have already been wrapped by the app wrapping tool
    • Must be written for Android 4.0 or later
  • The app must be developed by, or for your company. You cannot use this tool to process apps downloaded from the Google Play Store.
  • You’ll need to sign your app in order for it to work on Android (for more information:

If your app fulfills all of the above, you can continue with wrapping the app.

App signing

Before we can go ahead and wrap an LOB app, we need to create a keystore with keytool.exe, which is included with Java Runtime Environment.
1. Open an elevated command prompt and browse to the installation directory of Java, e.g:
C:\Program Files (x86)\Java\jre1.8.0_20\bin.
2. Run the following command to create the keystore:

keytool.exe -genkey -v -keystore AWT.keystore -alias AWT -keyalg RSA -keysize 2048 -validity 50000

3. Follow the interactive prompt by enter a password and supply values when asked.
Now that the keystore is prepared, we can go ahead and wrap apps.

Wrapping an app

Now that we’ve succesfully installed all prerequisites for wrapping an app, let’s continue with some actual wrapping. For this demonstration I have an app called Notepad
1. On your virtual machine, create the following folder structure:
2. Place your apk file in the AppSource folder so that we can reference it later. On my virtual machine it looks like this:
3. Open an elevated PowerShell console and run the following command:

Import-Module "C:\Program Files (x86)\Microsoft Intune Mobile Application Management\Android\App Wrapping Tool\IntuneAppWrappingTool.psm1"

4. Run the following command:

Invoke-AppWrappingTool -InputPath "C:\AWT\AppSource\Notepad-" -OutputPath "C:\AWT\AppWrapped\Notepad-" -KeyStorePath "C:\Program Files (x86)\Java\jre1.8.0_20\bin\AWT.keystore" -KeyAlias AWT -SigAlg SHA1withRSA -Verbose

Note! Remember to change to your own apk file.

You’re app is now wrapped and can be imported into ConfigMgr 2012 R2 SP1 or Microsoft Intune for distribution.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.


  • @Shyamala – were you able to fix this on a xamarin.forms app apk ? Please help.

  • I have a xamarin android app apk. I’ve wrapped the app as mentioned above.
    But the app is crashing on launch after downloading and installing from Intune Portal.Please help.


Categories use cookies to ensure that we give you the best experience on our website.