Using the AppConnect for Android Wrapping Tool

Use the AppConnect for Android Wrapping Tool to:

  • Wrap and sign an app.

    The wrapping tool outputs a wrapped and signed APK file, which is the APK to be uploaded to MobileIron Core or MobileIron Connected Cloud. It also outputs a wrapped but unsigned APK file, which is useful if only specific people in your organization have access to the enterprise private key.

    Only sign the app.

  • This option to only sign the app is typically used in these cases:

    • For signing your wrapped apps when only specific people in your organization have access to the enterprise private key.

    • For re-signing MobileIron-provided apps with the enterprise private key.

Using the wrapping tool involves these high-level tasks:

1. Preparing to use the wrapping tool
2. Downloading and launching the wrapping tool
3. Providing developer settings to the wrapping tool
4. Selecting wrapping options in the wrapping tool
5. Wrapping and signing an app with the wrapping tool
6. Signing an app with the wrapping tool
7. Troubleshooting the wrapping tool

Before you begin 

  1. See Before wrapping an Android app.
  2. See Enterprise private key considerations with AppConnect for Android

Next steps 

After successfully wrapping and signing your apps, do the steps in:

Preparing to use the wrapping tool

Do the following tasks before using the wrapping tool:

  1. Install the Java Development Kit (JDK) on your Windows or macOS computer.

    See http://www.oracle.com/technetwork/java/javase/downloads.

  2. Install Android Studio on your Windows or macOS computer as an easy way to get the Android Software Development Kit (SDK) build-tools that the wrapping tool requires.

    See https://developer.android.com/studio/index.html to download Android Studio. After downloading and installing Android Studio, launch it to install the standard Android SDK component and tools.

    The build-tools must be version 24.0.1 through the most recently released version as supported by MobileIron.

  3. Obtain a private key for signing secure apps.

    You will upload the keystore file to the wrapping tool, and you will upload the matching public certificate to MobileIron Core or MobileIron Connected Cloud.

    Use the Java keytool command to generate the public and private key pair. See https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html.

  4. Get the Secure Apps Manager and any other MobileIron-provided apps that you distribute. You will need to re-sign these apps with your enterprise private key. The apps are available at https://help.mobileiron.com in the Software tab. For example, if you use Web@Work, Docs@Work, or Email+, you must re-sign them.

NOTE: You only re-sign the Secure Apps Manager and MobileIron-provided apps. Do not re-wrap MobileIron-provided apps, including the sample apps.

Downloading and launching the wrapping tool

To use the wrapping tool, download it, launch it, and accept the license agreement.

Procedure 

  1. Download the wrapping tool, a JAR file, to your computer from https://help.mobileiron.com in the Software tab.
  2. Launch the app.
  3. Accept the license agreement.

Providing developer settings to the wrapping tool

Before wrapping or signing an app, provide the necessary developer settings to the wrapping tool.

Procedure 

  1. In Developer Settings, browse to the Android SDK directory or enter its path.

    Examples:

    On Windows: C:\Users\username\AppData\Local\Android\SDK

    On macOS: /Users/username/Library/Android/SDK

    NOTE: If the ANDROID_HOME environment variable is set, filling in this field is unnecessary.

  2. In Developer Settings, if you are using Windows, enter Java VM options if necessary.

    This option is necessary if the Windows computer has less than 8GB of RAM.

    Example: -Xmx5000M

  3. Drag and drop or browse to the keystore file that contains your enterprise private key.

  4. Enter the keystore password, the key alias, and the key password.

  5. Click Save.

    The wrapping tool displays that your keystore has been successfully uploaded.

  6. Click Done.

Selecting wrapping options in the wrapping tool

Before wrapping an app, select the appropriate wrapping options in the wrapping tool. These steps are not necessary when you are signing the app, but not wrapping it.

Procedure 

  1. Select the wrapper version.

    Keep in mind that the wrapped app will require a Secure Apps Manager with at least the same version as the wrapper version.

    NOTE: To wrap an app with an earlier version of the Secure Apps wrapper than the choices given, contact MobileIron Technical Support.

  2. Select either Generation 1 or 2.

  3. Select Calendar Access to allow the app to export data to the device’s calendar database.

    This option allows data export when the app uses the Calendar Provider Android API.

  4. Select Contacts Access to allow the app to export data to the device’s contact database.

    This option allows data export when the app uses the Contact Provider Android API.s

  5. Select Show next to Advanced Settings field, scroll down to Custom Options, and enter the flag
    -addInternetPermission if both of the following are true:

    • Your app uses the android.media.MediaPlayer or android.media.MediaMetaDataRetriever APIs.

    • Your app does not include android.permission.INTERNET in its AndroidManifest.xml file

    If you turn on Custom Options, the default custom options are:

    • -allowAccessGoogle, which allows the app to use Google Play services

    • -allowNativeCode, which allows the app to use native libraries

IMPORTANT: Do not select any other Advanced Settings or make other modifications to Custom Options unless MobileIron Technical Support has instructed you to do so. The following flags are available:
Table 1. Available flags

Flag

Description

-ignoreSqlCipher

See Encryption of the SQLCipher database.

-allowIntentAction

See Receiving information from outside the AppConnect container.

-enableCrashlytics

Enables Crashlytics library.

-disableArm64

See 64-bit support.

-keepJavaNativesLazyLinking

See Linking native Java methods

Related topics 

Determining the wrapping mode

Wrapping and signing an app with the wrapping tool

After selecting developer settings and wrapping options in the wrapping tool, you can wrap and sign an app.

Procedure 

  1. Drag and drop or browse to the unwrapped app’s APK file.

    The wrapping and signing process begins.

  2. If wrapping and signing succeed, the wrapping tool displays that wrapping and signing was successful.

    It provides a link to the same directory as the unwrapped APK file, and places the following files in the directory:

    • the wrapped and signed APK file, named <file name>.wrapped.signed.apk

      You will upload this file to the MobileIron server as an in-house app for distribution to devices.

    • the wrapped and unsigned file, named <file name>.wrapped.apk
      asdf

    • a log file about wrapping, named <file name>.apk.result.json

  3. If wrapping or signing fail, the wrapping tool displays that it failed. It provides a link to the same directory as the unwrapped APK file, and places the following files in the directory:

    • a log file about wrapping, named <file name>.apk.result.json

    • a signing error file, named <file name>.apksigner.errors

Related topics 

Troubleshooting the wrapping tool.

Signing an app with the wrapping tool

After selecting developer settings in the wrapping tool, you can sign a wrapped app with your enterprise private key. The app can be unsigned or already signed. You can also re-sign the Secure Apps Manager. Use this procedure to:

  • Sign your own wrapped apps.
  • Re-sign MobileIron-provided apps with your enterprise private key. Re-sign the apps each time you get a new release of the app from MobileIron.
  • Re-sign your own apps and MobileIron-provided apps with a new enterprise private key when, for example, the previous enterprise private key had been compromised.

Procedure 

  1. Select Sign Only in the wrapping tool where you drag and drop your app. It can be unsigned or already signed.

  2. Drag and drop or browse to the app’s APK file.

    The signing process begins.

  3. If signing succeeds, the wrapping tool displays that signing was successful.

    It places the wrapped and signed file in the same directory as the submitted APK file, and provides a link to that directory. The file is named:

    The file is named:

    <file name>.signed.apk

  4. If signing fails, the wrapping tool displays that signing failed. It provides a link to the same directory as the unwrapped APK file, and places in the directory a signing error file named <file name>.apksigner.errors.

Related topics 

Troubleshooting the wrapping tool

When you run the wrapping tool to both wrap and sign an app, or to only sign an app the tool places the following files in the same directory as the APK file you are wrapping and signing:

  • <file name>.wrapped.signed.apk

    The wrapped and signed APK file. It is available only when you use the tool for both wrapping and signing, and both actions succeed. You will upload this file to the MobileIron server as an in-house app for distribution to devices.

  • <file name>.wrapped.apk

    The wrapped but unsigned APK file. It is available only when you use the tool for both wrapping and signing, and wrapping succeeds. This file is useful when someone else in your organization signs the apps.

  • <file name>.signed.apk

    The signed APK file. Available only when you use the tool for signing only, having provided it a wrapped app, and signing succeeds. You will upload this file to the MobileIron server as an in-house app for distribution to devices.

  • <file name>.wrapped.result.json

    The log file about the wrapping process.

    If wrapping fails, open this file and scroll to the end to see the error.

  • <file name>.apksigning.errors

    The log file about the signing process.

    If signing fails, open this file to see the error.