Taskr - A Microsoft Intune Android MAM SDK Example
This project is a demonstration of the Microsoft Intune SDK for Android. A developer guide to the SDK is available here. This project implements some commonly used features so developers making their own apps have an example to follow. IT administrators who want to create apps with similar functionality can even use this as a template. The current integrated SDK is version 6.3.0.
Taskr allows users to keep a list of to-do items, or tasks. Users can view their open tasks and mark tasks as complete, print them, or save them to their phone. Tasks are kept in a database implemented using the Android Room persistence library. Users' actions are managed by policy, so not all actions may be available.
- A tenant is necessary for the configuration of an Intune subscription. A free trial is sufficient for this demo and can be registered for at Microsoft's demo site.
- Once a tenant is acquired, the Intune subscription will need to be properly configured to target the user and the application. Follow the setup steps found here.
- Perform the app registration and configuration steps found here.
  - The purpose of registering with ADAL is to acquire a client ID and redirect URI for your application. Once you have registered your app, replace `AuthManager#CLIENT_ID` with the client ID and `AuthManager#REDIRECT_URI` with the redirect URI.
- You will need to grant your app permissions to the Intune Mobile Application Management (MAM) service.
- When the user first launches the app, before `TaskrApplication#onCreate` is called, the MAM SDK will initialize itself and check if the user is signed in and needs to provide a PIN. If they do, it will open a PIN screen.
- Once this process has completed (the user provides a PIN, a PIN is not required, or the user is not signed in), `TaskrApplication#onCreate` registers an AuthenticationCallback with MAM. This will be called by the MAM SDK when it needs to acquire an access token.
- Next, `MainActivity#onCreate` will be called. This checks if the user is already authenticated in a recently run state of the app, and signs them in if they are. If not, it will try to silently acquire an access token from ADAL's cache by calling `authentication/AuthManager#signInSilent`.
- If a token is still in the cache and valid, `authentication/AuthManager#handleSignInSuccess` will be called. If it is not and there was an error, the error callback provided will be called, which will display an error and the user will have to click the sign in button to try again. If there was no token in the cache but there was no error searching for it, the `Handler` provided will be sent a message telling it to try to sign in with a prompt. The prompt will be created and managed by ADAL. The possible outcomes of this action are the same (and will be handled the same) as described in this step. So to progress to the full app, `authentication/AuthManager#handleSignInSuccess` must be called.
- `authentication/AuthManager#handleSignInSuccess` registers the user's token with MAM and calls the `AuthListener#onSignedIn` callback. It registers with MAM so MAM knows to enforce any policies. It will also notify MAM that it has received a token for the user only if MAM has looked for the token in the past and not found one. If MAM needs this newly acquired token at some point in the future, it will invoke the callback provided in `TaskrApplication#onCreate`.
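The token hand-off in the steps above, modelled in plain Java as an added example (not code from the Taskr project or the MAM SDK). The `Mam` interface, its method names and the sample user and token are hypothetical stand-ins, and the interactive prompt is assumed to succeed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/** Plain-Java model of the start-up flow; uses no Android, ADAL or MAM SDK types. */
public class SignInFlowModel {
    /** Hypothetical stand-in for the MAM SDK's enrollment interface. */
    interface Mam { void registerAccount(String user); void updateToken(String user, String token); }

    /** The three outcomes of looking in the ADAL token cache. */
    enum Silent { TOKEN_FOUND, NO_TOKEN, ERROR }

    final List<String> log = new ArrayList<>();
    private final Mam mam = new Mam() {
        public void registerAccount(String u) { log.add("register " + u); }
        public void updateToken(String u, String t) { log.add("updateToken " + u); }
    };
    private String cachedToken;            // last token the app acquired
    private boolean mamTokenRequestFailed; // MAM asked for a token and got none

    /** Models the callback registered in the application's onCreate. */
    Optional<String> onMamNeedsToken() {
        if (cachedToken == null) mamTokenRequestFailed = true;
        return Optional.ofNullable(cachedToken);
    }

    /** Silent attempt first; prompt only when the cache was empty without an error. */
    String signIn(String user, Silent silent, String token) {
        if (silent == Silent.ERROR) return "show error, wait for sign-in button";
        if (silent == Silent.NO_TOKEN) log.add("prompt " + user);
        handleSignInSuccess(user, token);
        return "signed in";
    }

    /** Registers the user with MAM; pushes the token only if MAM asked earlier and got nothing. */
    void handleSignInSuccess(String user, String token) {
        cachedToken = token;
        mam.registerAccount(user);
        if (mamTokenRequestFailed) { mam.updateToken(user, token); mamTokenRequestFailed = false; }
    }

    public static void main(String[] args) {
        SignInFlowModel app = new SignInFlowModel();
        app.onMamNeedsToken(); // MAM asks before sign-in: no token yet
        app.signIn("user@contoso.example", Silent.NO_TOKEN, "constructed-token");
        System.out.println(app.log);
    }
}
```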
This project demonstrates proper integration with the MAM SDK and the MAM-WE service. However, it does not show how to properly handle multi-identity protection. If your application needs to be multi-identity aware please refer to the implementation documentation.
Note: For policy to be applied to the application, the user will need to sign in and authenticate with ADAL.
The following policies require explicit app involvement in order to be properly enforced.
- Prevent Android backups – The app enables managed backups in `AndroidManifest.xml`. More information is available here.
- Prevent "Save As":
  - To User's Device – To determine if saving to the device is allowed, the app manually checks the user's policy in `fragments/TasksFragment.java`. If allowed, the save button will save a CSV containing all open tasks to the user's device. Otherwise, a notification will be displayed to the user.
- App configuration policies – The app displays the current configuration as an example on the About page in `fragments/AboutFragment.java`.
The following policies are automatically managed by the SDK without explicit app involvement and require no additional development.
- Require PIN for access – The MAM SDK will prompt the user for a PIN before any UI code is executed, if required by policy.
- Allow fingerprint instead of PIN - See above.
- Require corporate credentials for access – See above.
- Allow app to transfer data to other apps – This policy is demonstrated when the user clicks on the save button, which attempts to export a CSV containing tasks to Excel.
- Disable printing – This policy is demonstrated when the user clicks on the print button, which attempts to open the CSV in Android’s default printing view.
- Allow app to receive data from other apps – This policy is demonstrated when the app receives intents containing the text of a description to create a task.
- Restrict web content to display in the Managed Browser – This policy is demonstrated when a user clicks on a link from the About screen.
- Encrypt app data - This policy is demonstrated when the app attempts to save a CSV file. If enabled, the file will be encrypted on disk.
- `authentication/AuthManager.java` handles the bulk of ADAL sign in and MAM registration. Every method is highly relevant, and should be used as an example.
- `MainActivity.java` and `TaskrApplication.java` handle a lot of mandatory registrations. `TaskrApplication` explicitly registers an authentication context with MAM, while `MainActivity` calls methods in `AuthManager` that perform relevant actions. `MainActivity#onCreate` handles the authentication flow on start-up and instantiates the `Handler` that will be used across the file.
- `AndroidManifest.xml` requests the necessary permissions and sets up the MAM SDK's backup manager.
- `fragments/TasksFragment.java` explicitly checks MAM policies to see if saving files to a user's device is allowed.
- `fragments/AboutFragment.java` attempts to retrieve and print the user's Application Configuration JSON object.
- `app/MAMSDK/` contains the MAM SDK binaries.