6.3.0

What's New

• App developers wishing to use Microsoft Authentication Library (MSAL) should be using this version of the Intune SDK for Android at minimum.
• Added MAM Strict Mode which uses heuristics to detect mistakes in usage of MAM APIs or MAM-restricted platform APIs. Your team is strongly encouraged to use it in internal debug/develop/dogfood builds. The build plugin writes some additional metadata to facilitate MAM Strict Mode.

Other Changes

• Update button label "Go Back" to "Close" to better reflect actual behavior of the conditional launch dialog(s).
• After displaying an offline selective wipe notification, resume launch of the app's activity rather than killing it.
• Changed the header name for the retry interval that controls the enrollment retries for clients without an Intune license, in accordance with a service-side change.
• MAMAppConfig will only read com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock and com.microsoft.intune.useEdge from the MAM app config channel and not from Android Enterprise.
• Improve Company Portal update dialog for devices without the Google Play Store.
• Add MAM Strict Mode check: NON_INTEGRATED_VIEW which verifies that View classes are properly MAM-integrated.
• Added MAMAccountAuthenticatorActivity (MAM version of AccountAuthenticatorActivity).
• Added support for view onCreateInputConnection.
• Allow the Microsoft Intune service to configure retry intervals for users not yet Intune-licensed or Intune policy-targeted.
• The android:testOnly attribute no longer causes apps to automatically connect to the Test Agent instead of the Company Portal. This behavior previously caused confusion for several teams. If you use the Test Agent, it is necessary to set both testOnly and a new meta-data item: <meta-data android:name="com.microsoft.intune.mam.Agent" android:value="test" />

Bug Fixes

• Exclude META-INF classes from processing in the build plugin. This fixes a build-time error encountered by one Intune SDK consumer.
• Fix plugin build error if the excludeClasses specification was empty (regressed in 6.2.0).
• Fix a bug with service URL parsing.

6.0.0

What's New

App developers wishing to target Android Q within their app must integrate this version of the Intune SDK.

Changes

• Add nullability annotations in the Intune SDK. This introduces a dependency on androidx.annotation:annotation:1.0.0.
• Remove DownlevelStubs JAR which was replaced by an AAR in 5.8.0.
• Support for targeting API 29, including new ContentProvider, ContentProviderClient, and ContentResolver methods.
• Add override for notifyAsPackage method introduced in API 29.
• Remove no-longer-necessary Proguard rules.
• Add incremental build support to build plugin. Incremental build support is experimental, and is off by default. To enable it, specify incremental=true in the intunemam configuration block in build.gradle.
• Add notification restriction policy. Apps must check the result of the getNotificationRestriction method in AppPolicy before showing a notification associated with a given user. If this method is not invoked, notifications will be blocked automatically in single-identity apps.
• Only allow IntuneMAMOnly AppConfig keys via the MAM delivery channel.
• Ensure MAM component initialization before execution of a MAMBroadcastReceiver. This is a speculative fix for a rare crash.
• Remove unneeded IPC calls related to identity persistence.
• New build plugin configuration option: verify. This acts as a guard to ensure many types of potential plugin bugs will produce compilation failures instead of runtime failures. To use it, specify verify=true in the intunemam configuration block in build.gradle. Verify defaults to false, though this default may change in the future.
• The build plugin will now replace NotificationManager.notify calls with calls to MAMNotificationManagement, and NotificationManagerCompat.notify calls with calls to MAMNotificationCompatManagement.
• Make build plugin classpath computation more deterministic to avoid intermittent edge-case compilation errors. Build plugin output should not be affected.

Bug Fixes

• Fixed issue where enrollment would fail when apps used domain-specific configurations in network_security_config.xml
• Fix missing info in certain telemetry events.
• Fix a potential issue where install Company Portal dialog may not show on Q devices when user navigates away from the app before authentication completes.
• Fix bug in implicit wipe (primarily when Company Portal is uninstalled unexpectedly) where onStart/onMAMResume may be called without onMAMCreate being called.
• Fix build plugin error related to processing transitive dependencies. If your app builds without issue, it is not affected by this bug.
• Fix build plugin processing of AIDL-generated file
• Fix build plugin error where Jetified libraries with an undeclared support library dependency were not correctly processed.
• Fix crash in MAMPrintHelperManagement. If your app uses PrintHelper from the legacy support libraries, it should take this update.

5.7.1

Changes

• Tested against Azure Active Directory for Android Library v 1.16.1
• Remove unused telemetry events for our internal telemetry framework
• Convert DownlevelStubs from JAR to AAR and include necessary ProGuard rules.

Bug Fixes

• Fixes a compile-time error related to MAMAlertDialogBuilder (no corresponding Company Portal update). If your app’s build succeeds without error, you were not affected by this issue.
• Added missing override of Activity.startActivityIfNeeded.
• Fix build plugin error that could fail compilation through too-aggressive rewriting. If your app builds without issue, it is not affected by this bug.
• Fix build plugin compatibility with the AndroidX Jetifier.
• Do not force app restart on ACTION_PACKAGE_CHANGED for Company Portal.
• Policy database tamper hardening (in Company Portal, no SDK update required).

5.6.0

New Features

Bug Fixes

5.0.2

New Features

• Gradle build plugin format available. It is now supported for production use. If not using the build plugin, the replacements listed below must be made manually. Using the build plugin is very strongly recommended.

• The build plugin will now wrap all ClipboardManager calls to query or set the primary clip in calls to MAMClipboard.

• The build plugin will now wrap most PackageManager calls in calls to MAMPackageManagement. PackageManager calls will not be intercepted automatically on Android P.

• The build plugin will now wrap the DownloadManager.enqueue call in a call to MAMDownloadManagement. DownloadManager calls will not be intercepted automatically on Android P.

• The build plugin will now replace inheritance/instantiation of TextView (and derived views, such as EditText) with MAM equivalents (MAMTextView, MAMEditText, etc). This is used on Android P for clipboard policy enforcement and for transfer policy enforcement on text classifier actions

• The build plugin now supports excluding specific variants from processing.

• The build plugin now rewrites all MAM overloads for DocumentsProviders.

• Intune SDK for Android now supports targeting API 28.

• Updated localizations for Allowed Accounts. Allowed Accounts is a feature that lets an app to query whether the set of accounts it is allowed to Sign In is limited.

• Added new telemetry related to new Intune App Protection Policy features (i.e reason for selective wipe)

• Add Sovereign Cloud support via a new registerAccountForMAM that accepts the user's authority - Arlington is supported. New sovereign clouds will be supported via SDK updates but no additional source integrations will be necessary.

Bug Fixes

• Add MAMBackupDataInput to the SDK and signatures of BackupAgent.onMAMRestore and BackupAgentHelper.onMAMRestore for identity backup.
• Add support for new (Android P) BackupAgent.onRestore overload to MAMBackupAgent.
• Fix missing handling of Activity.startActivities.
• Fix build plugin failure if app activity derives a library project activity.
• Build plugin includeExternalLibraries specification no longer requires a version component for artifact notation
• Reduce dependence on runtime-emitted stub classes. MAMDocumentsProvider.findDocumentPathMAM returns an Object to remove the need for DocumentsContract$Path to exist during reflection of MAMDocumentsProvider (it doesn't prior to API 26).
• Improve performance in offline scenario when the Company Portal app is not on device by providing an option to disable MAM offline logging.
• Add static version of MAMContentProvider.isProvideContentAllowed for use with the build plugin.
• Separate MAMActivityIdentityRequirementListener/MAMIdentityRequirementListener interfaces out of MAMActivity/MAMService/MAMContentProvider for use with build plugin.
• Fix isolated process crashes on API 8.0 and up.
• Improve enrollment telemetry by reporting more fine-grained failure causes.
• Restrict MAM-WE enrollment retries to primary process to avoid race conditions.
• Fix portal reinstallation wait loop to be correctly bounded.
• Improve performance in offline scenario when the Company Portal app is not on device.
• Fix SDK 4.4.2 regression in MAMDialogFragment causing application crash.
• Fix NullPointerException if onAttach is not the first MAMFragment method called.
• Fix ArrayIndexOutOfBoundsException for testOnly builds if the process is started by a component with android:isolatedProcess="true" flag.
• Minor fix to MAMApplication.attachBaseContext handling. Always call super.attachBaseContext even if invoked more than once.
• Prevent proguard from marking classes/methods as final/private as this interferes with proxy generation.
• Retry initial enrollment failures more frequently if they did not result in service load.
• Fix MAMAsyncTask so it does not hold onto Context references for longer than needed.
• Allow connecting to Company Portal instead of TestAgent even for apps with the testOnly attribute. This is enabled by adding the boolean meta-data com.microsoft.intune.mam.ForceProductionAgent.
• Properly block activity launch for multiple identities in COMPANY_PORTAL_REQUIRED state.
• Use https for all network calls to support apps which set android:usesCleartextTraffic="false".

4.1.0

New Features

• When the Company Portal is not installed, MAMUserInfo.getPrimaryUser will now return a non-null result only when enrollment has been attempted for a user which is actually targeted with policy, not merely Intune licensed.
• Add MAMAsyncTask as a convenience wrapper around AsyncTask. When used, it ensures that the background thread runs under the same identity as the activity.
• Add MAMMediaMetadataRetriever as a drop-in replacement for MediaMetadataRetriever which allows working with encrypted media files. Apps should replace usage of MediaMetadataRetriever with MAMMediaMetadataRetriever.
• Add Microsoft.Intune.MAM.SDK.DownlevelStubs.jar as an optional separate library which apps can incorporate if they need to perform reflection on classes deriving from MAMActivity. If your app did not previously experience issues around reflection and Intune integration, there is no reason to consume this library.

Bug Fixes

• Bug: onMAMPrepareOptionsMenu could be called before onMAMCreate.

3.1.0

New Features

• Expose file encryption policy status to apps via a diagnostic channel
• Certificate pinning for MAM service interactions
• Initial changes for Android O support
• New policy allowing IT Administrators to exempt private app storage from MAM encryption if MDM policy enforces full device encryption
• File encryption now supports growing memory mapped regions

Bug Fixes

• Improved app startup performance
• Improved logging and docs around Save As locations
• An open Maps app is now an exclusion from transfer restrictions
• Outlook shortcut can show email list without PIN entered
• Multi-identity fixes: race condition in switchMAMIdentity that can cause querying the managed identity to return the incorrect value, apply primary identity to encrypted files which have an unknown identity
• Misc: Talkback doesn’t read PIN screen letters properly, updated Contact Sync policy