When an application is wrapped using the Microsoft Intune App Wrapping Tool for iOS, you need to resign the application with a particular certificate and profile. In this blog post, I’m going to walk through how to obtain these files and how to use them to wrap an application so that you can deploy line-of-business (LOB) applications to employees in your organization.
NOTE: If you intend to wrap an app that will be deployed through the App Store, you should not use the Intune App Wrapping Tool. Instead, the app should be integrated with the Intune App SDK which will be made available over the coming months. We will also be making available an Intune App Wrapping Tool for Android soon.
Prerequisites to Run the App Wrapping Tool for iOS
Microsoft Intune App Wrapping Tool for iOS
Apple Enterprise Developer Account
Mac OS X 10.8.5+
Input App (.ipa) 7.0+ (Note: If you have apps that are built pre-iOS 7.0, you’ll need to recompile them in Xcode targeted to a later version of iOS)
- Apple Enterprise Developer Supplied:
In-house distribution provisioning profile
In-house & ad-hoc distribution signing certificate with valid Team Identifier
Client ID (optional – used with AAD integration)
Reply URI (optional – used with AAD integration)
To learn more about Azure Active Directory (AAD) integration, click here.
Steps to Obtain the App Wrapping Tool for iOS
Navigate to the Microsoft Download Center page for the App Wrapping Tool
Select the language you’d like the tool for
Read through the details and system requirements
Click Download to download the tool
After the tool has downloaded, double click the downloaded file and read the EULA
After accepting the EULA, copy the files to a local directory
Steps to Create an Apple Enterprise Developer Account
To distribute wrapped apps to employees, an Enterprise Developer Account is required. You will need a Legal Entity Name, DUNS Number, and payment information to create the account. If you already have an Apple Enterprise Developer Account, you can proceed to the next section on creating a signing certificate.
Navigate to the iOS Developer Enterprise Program site
Click Apply Now
Click New Apple ID (or Existing Apple ID if you already have an organizational Apple ID)
Fill out the Apple ID form and payment info
At this point, you will be contacted by Apple to verify that you are authorized to enroll
After verification, you will be asked to Agree to License
After agreement, finish by purchasing and activating the program
Steps to Create a Signing Certificate
Navigate to the Apple Developer Center
Click Member Center and sign in with your account
![]()
Click Certificates, Identifiers & Profiles
![]()
While under Certificates on the left hand side, click the + button in the top right corner. Choose In-House and Ad Hoc certificate under Production
![]()
Click Next to create a signing request
![]()
Follow the instructions to create a Certificate Signing Request. Keychain Access looks like this (to open click the “Spyglass” in the top right corner and type in Keychain Access):
![]()
Create the signing certificate request as outlined on the developer website
When created, upload the signing certificate request to the developer website and follow the prompts to generate your certificate
Download your certificate and save it to an easy to access location
Steps to Create a Provisioning Profile
Click Member Center
![]()
Click Certificates, Identifiers & Profiles
![]()
While under Provisioning Profiles on the left hand side, click the + button in the top right corner. Choose In-House profile under Distribution
![]()
Click Continue. Link the previously generated certificate to the profile
Follow the steps to download your profile
Save the file. This file will be used for the –p parameter (Provisioning Profile) while using the App Wrapping Tool.
Steps to Obtain the Certificate Hash and Team Identifier
Locate the Certificate that you downloaded and saved
Double click the certificate and click Add
![]()
Open Keychain Access (Click the “Spyglass” in the top right corner and type in Keychain Access)
Locate your certificate by searching in the top right search bar of Keychain Access
![]()
Right click on the certificate and select Get Info
Scroll to the bottom. On the left hand side, under Fingerprints, you’ll see a field labeled SHA1. Copy this string. This will be used for the –c parameter while using the App Wrapping Tool.
![]()
Verify Your Certificate's Team Identifier
Your certificate and provisioning profile must have a team identifier that is compatible with iOS 8. Older certificates may not include this identifier, and you’ll need to make a new certificate request if this is the case. To check if your certificate has a team identifier:
- On the same get info page where you found your SHA1 hash, scroll back to the top.
- There should be a heading titled Subject Name. Under Subject Name, make sure there is a value for Organizational Unit. It should look something like this:
NOTE: If this doesn’t appear for your certificate, refer back to the section titled Create a Signing Certificate
Steps to Run the App Wrapping Tool for iOS
Open Terminal (Click the “Spyglass” in the top right corner and type in Terminal)
Navigate to the directory of the App Wrapping Tool
Provide all of the input parameters. To learn more about what each parameter is, refer to Step 3 in the documentation. You can also pull up the help menu using the –h parameter in the tool. The inputs should look something like this:
![]()
The command looks like this:
./IntuneMAMPackager.app/Contents/MacOS/IntuneMAMPackager
–i /<path of input app>/<app filename>
-o /<path to output folder>/<app filename>
–p /<path to provisioning profile>
–c <SHA1 hash of the certificate>
-a <client ID of input app>
-r <reply URI of input app>
-v true
4. Type Enter. Your app will be wrapped
5. Navigate to your output directory to find your wrapped app. The input files will look like this:
And the output files (including the wrapped app) will look like this:
You now should have everything that you need in order to deploy the wrapped app to your employees using Microsoft Intune. To learn more about how to deploy your wrapped apps, see the technical article on Deploying software to mobile devices in Microsoft Intune.
Additional Resources
For more information on using the App Wrapping Tool, see the technical article on Preparing apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS in the Microsoft Intune Documentation Library. You can also learn more about how to control apps using mobile application management policies with Microsoft Intune by visiting here.
NOTE: At the time of writing this blog post, the steps to obtain the pre-requisites (provided above) are up-to-date, but these steps could change over time. For complete documentation and future updates, visit the Apple Developer Website topic here.
- Phil Getzen, Program Manager