ms-intune-app-sdk-android icon indicating copy to clipboard operation
ms-intune-app-sdk-android copied to clipboard

Published 20 hours ago verified publisher icon microsoftconnect

`intune_mam_manifest.xml` Resource Obfuscation in Release Builds Beginning in AGP 4.2 Prevents Accurate "MAM Enabled" Status in Endpoint Manager

Open dtarnawsky opened this issue 2 years ago • 6 comments

Describe the bug: When uploading an APK to Microsoft Endpoint Manager Admin Center if the build is debug it will report as "MAM Enabled: Yes" but if built as release it will report as "MAM Enabled: No"

To Reproduce Steps to reproduce the behavior with a release build APK:

  1. Go to All Services -> Apps -> Add App -> Line of Business App - Choose APK
  2. Notice that MAM Enabled: No

Expected behavior: Release builds can be uploaded as MAM Enabled.

Screenshots and logs: Debug: debug

Release: release

Intune App SDK for Android (please complete the following information):

  • What version of the Intune SDK are you using? Are you using the latest version?

  • 8.3.0

  • What platform is your app based in (Java, Xamarin based, Cordova, etc)? Capacitor

Additional context: In testing the signature of the APK the MAM Enabled flag isn't affected by the signature used in the androidmanifest.xml. It seems to be specifically that release android builds report MAM Enabled = no while the debug build reports yes.

dtarnawsky avatar Jul 20 '22 19:07 dtarnawsky

We are seeing this issue as well. It seems the portal is looking for a file in the apk /res/raw/intune_mam_manifest.xml. That file is in that location for debug builds, but not release builds. The file is in the apk on release builds, but you need to decode the apk using a tool like apktool, instead of just unzipping it.

We also opened a ticket with Microsoft for this issue.

Innova133 avatar Jul 21 '22 18:07 Innova133

Hello, Did you try to add android.enableResourceOptimizations=false to the file gradle.properties ? For me, after doing this, the file /res/raw/intune_mam_manifest.xml is back in the apk in release mode and MAM is now enabled on Microsoft Endpoint Manager Admin Center in release mode

Acouvreur97 avatar Jul 25 '22 13:07 Acouvreur97

Thanks @Acouvreur97, that seems to be the trick to getting the Endpoint Manager to recognize that the APK is MAM Enabled!!!!

dtarnawsky avatar Jul 25 '22 13:07 dtarnawsky

@dtarnawsky Thank you for reporting this issue and thank you @Acouvreur97 for the helpful workaround.

It appears the obfuscation of resources for Release builds began in AGP 4.2, when android.enableResourceOptimizations=true was introduced.

Unfortunately, it appears on newer AGP version this setting is deprecated and slated for removal:

"The option setting 'android.enableResourceOptimizations=false' is deprecated. The current default is 'true'. It will be removed in version 8.0 of the Android Gradle plugin."

As such, we are internally investigating how better for the MAM SDK to preserve the /res/raw/intune_mam_manifest.xml resource so that the "MAM Enabled" status is accurate regardless of build.

We are tracking this internally with Bug 15134657.

meghandaly avatar Aug 03 '22 16:08 meghandaly

@meghandaly is there any update on this issue? Do you know if there is a workaround. I was thinking of first building and uploading a debuggable APK to Microsoft Endpoint Manager Admin Center, then replacing that with a non debuggable APK.

jonssonth avatar Nov 03 '22 13:11 jonssonth

Hi @jonssonth, sorry, no updates to share at this time. For a workaround, have you tried the android.enableResourceOptimizations=false suggestion above?

bannus avatar Jan 17 '23 23:01 bannus