- Ensure that app always connects to Company Portal if App Config policy is in use.
- MAM SDK API methods that take UPNs to specify identities are deprecated. They will be removed completely at the next major version increment. New methods that specify identities by OID (also known as AAD User ID, AAD ID or Entra ID) should be used instead. See the MAM SDK integration guide and javadocs for details.
- Remove single identity assumptions from implicit wipe behavior.
- Handle `ClassNotFoundException` and `BadParcelableException` thrown when un-parceling intent extras in offline mode.
- Fix `NullPointerException` in MAM logger initialization.
- Remove single identity assumptions in the enrolled identity and MAM service URL caches.
- IMPORTANT: this update performs cache migrations that are not compatible for rollback. After updating to 9.7.5 and deploying, your app cannot downgrade to an earlier SDK version in a subsequent release.
- Remove redundant offline enrollment status caching.
- Improve heuristic for primary offline identity.
- Add MAMDiagnosticLogManager and MAMLogCollectionNotification to support M365 log collection feature.
- Support for Android 14 targeting.
- Update Javassist dependency to 3.29.2-GA.
- Update minimum supported MAM SDK version to Android 4.1 (API level 16).
- Fix for MAM error logging.
- Update strings to fix support for accessibility tools.
- Fix behavior for `onQueryDeletedMedia` and `onQueryMedia` in `MAMCloudMediaProvider`
- Miscellaneous code cleanup for obsolete enrollment cache items.
- Fix `ClassNotFoundException` in `OfflineActivityBehavior`.
- Error telemetry improvements.
- Add Gradle build cache support for MAM plugin on AGP 7.4+.
- Remove no-longer-necessary ProGuard rules targeting the legacy Android Support Libraries. SDK support for these was removed in `8.0.0`.
- Fix configuration cache and incremental build issues with new build plugin. The new plugin is now fully supported for AGP 8.
- Fix handling of int, float, and short in `MAMAppConfig` when returning config from Android Enterprise (rather than the MAM channel)
- Deprecate ADALConnectionDetails and remove obsolete meta-data authentication configurations.
- Preview build plugin is now part of the main artifact. Apply `com.microsoft.intune.mam-preview` to use the new behavior with Android Gradle Plugin 7.4. The preview plugin is applied automatically for AGP 8.
- Add missing hooks for onActivityDestroyed in ActivityLifecycleCallbacks.
- Add MAMTrustedRootCertsManager and MAMCertTrustWebViewClient APIs for trusted root certificates support.
- Fix SecurityException in isolated processes on devices with API 27 or under.
- Add new preview build plugin to support Android Gradle Plugin 8.0. This plugin can be applied by adding `-preview` to the sdk version and ensuring the `-preview` library is included on the buildscript classpath.
- Add a method to MAMUserNotification to get the OID of the user contained in the notification.
- Add an overload to MAMEnrollmentManager.unregisterAccountForMAM() that takes the account's OID in addition to its UPN to more precisely identify the account.
- Internal identity management is changed to favor the OID over the UPN of the identity as the key for storing identities and metadata.
- MAMServiceAuthenticationCallbackExtended interface is added to provide an overload of the acquireToken method that accepts additional parameters for the AAD Tenant Id and the AAD Authority. Apps that need one or more of these additional parameters to correctly acquire tokens should implement this interface, but other apps don't need to.
- Fix build plugin issue applying certain rewrites to super calls in an invalid way. This could result in invalid bytecode (and then runtime crashes) in apps which subclass system services wrapped by MAM, notably `LayoutInflater`.
- The build plugin will now modify subclasses of `LayoutInflater` such that they inherit from `MAMLayoutInflater`.
- Add MAM Strict Mode check: 'UNREGISTER_ACCOUNT_WITHIN_ACQUIRE_TOKEN' to check for calls to the MAMEnrollmentManager's unregisterAccountForMAM() method from within the app-provided MAMServiceAuthenticationCallback's acquireToken() method. This can cause compliance remediation to fail, and will not unregister the account.
- The build plugin will now replace inheritance of `FileBackupHelper` with `MAMFileBackupHelper` and `SharedPreferencesBackupHelper` with `MAMSharedPreferencesBackupHelper`.
- Fix incompatibility with `androidx.lifecycle:lifecycle-runtime:2.5.0+` that caused crash due to missing hooks for ActivityLifecycleCallbacks.
- Fix ProGuard rule in SDK to keep only MAM classes that implement `@Keep` annotated interfaces.
- Fix offline behavior for `PackageManager` methods added in API 33.
- Support for API 33 targeting.
- Add build plugin support for missing PackageManager method `getPackageInfo(VersionedPackage versionedPackage, int flags)`
- The Build Tool CLI now supports accepting a plain-text file for the input and output parameters.
- Include API 33 Photo Picker tool in the `PHOTO_LIBRARY` location of `getIsOpenFromLocationAllowed` and `getIsSaveToLocationAllowed` SDK methods.
- The build plugin will now replace instantiation of `CloudMediaProvider` with `MAMCloudMediaProvider`.
- Support predictive back gestures in MAM-owned activities.
- Minor logging improvements to Gradle plugin.
- Add version check to Gradle plugin to prevent mamification when using Android Gradle Plugin 7.2.0/7.2.1 due to https://issuetracker.google.com/issues/232438924. Use AGP 7.1.3 and below or 7.2.2 and above.
- Update documentation for SaveLocation.LOCAL.
- The MAM SDK will attempt to validate tokens returned from the app's MAMServiceAuthenticationCallback instance, and tokens acquired with the wrong parameters may be rejected.
- Add MAM Strict Mode check: 'UNMANAGED_CONTEXT_FOUND' to validate that MAM found a managed `Context` to ensure policy enforcement. This would likely indicate a failure in the SDK surface modified by the build plugin or missing MAM SDK surface.
- Expanded `getIsOpenFromLocationAllowed` and `getIsSaveToLocationAllowed` SDK method to include `PHOTO_LIBRARY` location.
- Fix build plugin issue resulting in a `javassist.CannotCompileException` in certain projects.
- The build plugin will now replace inheritance/instantiation of `SurfaceView`, `GLSurfaceView` and `VideoView` with MAM-specific replacements. These are used to enforce editor policy restrictions on SurfaceViews.
- Add ProGuard rule to SDK to fix R8 optimizations involving interfaces that have a single compile-time implementation. Currently, this is only known to impact scenarios involving MAMBackupAgentHelper.
- Fix synchronization issues arising when MAMServiceAuthenticationCallback instance is registered on a background thread.
- Add tracing and telemetry for monitoring and improving startup time.
- Add new `com.microsoft.intune.mam.AllowIsolatedProcesses` manifest meta-data item to allow isolated process execution. MAM cannot apply protections to isolated processes. As the app developer, it is your responsibility to ensure that your isolated processes cannot expose organization data.
- Keep `MAMAppConfig` from being minified at build time.
- Remove `GET_ACCOUNTS` permissions from the SDK manifest. This permission was removed by Android in API23, which is the minimum supported version for MAM policy.
- The build plugin will now wrap calls to various `JobService` methods. For multi-identity apps, the MAM SDK will not attempt to infer the identity for a `JobService` or its individual jobs. Users of `JobService` should take care to set an identity on the service context or background thread as required by their `JobService` implementations. Relatedly, users of `WorkManager` should take care to set a thread identity in `Worker.doWork()` as required by their `Worker` implementations. Avoid setting an identity on the `Worker` context, because this context is shared across `Worker` instances.
- Add `MAMUserStatusManager`, which may be used to check whether a user is clocked out.
- Add `CLOCK_STATUS_CHANGED` notification type. Apps may register for this to be notified when Intune detects that a user has clocked out or clocked-in again. No notifications will be delivered if policy does not require the user to be clocked in. Handling this notification is only necessary for apps which need to take extra action to present a better user experience. Intune will automatically apply any policies around clock-in regardless of whether the app handles this notification.
- Add `WIPE_COMPLETED` notification type. Apps may register for this to be notified when Intune has finished processing a wipe, at least as far as the current app process is concerned. Will be delivered after `WIPE_USER_DATA` or `WIPE_USER_AUXILIARY_DATA`. If the app reports a failure from its handler for the above notifications, this notification will not be sent. Listening for this notification is optional.
- Improved error messages for certain data decryption failures.
- Improvements to dialogs prompting the user to install or update the Company Portal in cases when the Play Store is not available.
- Ensure MAM component initialization before execution of a `MAMContentProvider`.
- Add the MAMLayoutInflaterManagement with build plugin support to handle application usage of custom LayoutInflater.Factory and LayoutInflater.Factory2 instances.
- Enable Java 8 language feature support. SDK consumers must specify 'JavaVersion.VERSION_1_8' in 'compileOptions' if using an Android Gradle Plugin version below 4.2.
- Rename the `MAMPolicyManager` method `getPolicy()` to `getCurrentThreadPolicy()` to avoid confusion. For a multi-identity app, this is usually not the method you want to use, unless you have set the thread (or process-wide) identity. The old name still exists for now but is marked as deprecated.
- `MAMAppConfig` will only read `com.microsoft.intune.mam.managedbrowser.proxyPacUrl.FailOpenEnabled` from the MAM app config channel and not from Android Enterprise.
- The build plugin now automatically includes all external libraries and the `includeExternalLibraries` configuration option has been removed. This change was prompted by Android Gradle Plugin 4.2, which no longer exposes library names to the Transform API on which our plugin is built.
- The legacy Android Support Libraries are no longer supported. Apps are expected to be using AndroidX, either directly or through enabling the Jetifier.
- Fix bug in log PII filtering so null and empty strings are no longer hashed.
- Add MAM Strict Mode check: `CLEAR_PROTECTED_FLAG_SECURE` to ensure FLAG_SECURE isn't cleared when policy restricts screenshots.
- The build plugin will now wrap calls to various `AppSearchManager` classes/methods. This allows us to enforce transfer policy on data stored in the new centralized search index on Android 12.
- Add MAM Strict Mode check: 'INVALID_MAM_SERVICE_TOKEN' to validate user passed values for aadId & resourceId while acquiring MAMService token.
- Remove `MANAGE_ACCOUNTS` and `USE_CREDENTIALS` permissions from the SDK manifest. These permissions supported ADAL usage for auth policy and default enrollment, but were removed by Android in API23, which is the minimum supported version for MAM policy.
- Add MAM handling for the Android S data extraction rules for backup and restore. New meta-data `com.microsoft.intune.mam.DataExtractionRules` introduced that mimics the android:dataExtractionRules manifest tag.
- Fix build plugin issue with methods which use a more-derived return type than the superclass method.
- Fix authentication callback issue for Microsoft Defender.
- Add MAM Strict Mode check: `CONTENT_INTENT_WITHOUT_IDENTITY` to check for intents started to transfer content to another app without an identity, while the foreground activity does have an identity set. This would likely indicate a failure to plumb through the identity.
- Add MAM Strict Mode check: `CONTENT_RESOLVER_NO_IDENTITY` to check that multi-identity apps using content providers set an identity on the context the resolver was retrieved from or on the thread/process. Failure to do so indicates likelihood that the app is performing app-to-app communication on a background thread without proper consideration of what account the operation is running under.
- Add MAM Strict Mode check: `UPDATE_TOKEN_WITHIN_ACQUIRE_TOKEN` to check for calls to the MAMEnrollmentManager's updateToken() method from within the app-provided MAMServiceAuthenticationCallback's acquireToken() method. This is not the intended purpose of updateToken(), and could cause a deadlock.
- Add `MAMPolicyManager` method `getCurrentIdentity`. This is a convenience method to consider the process, UI, and thread identities in priority order to allow the app to easily understand what MAM views as the effective identity.
- Remove ApplicationUpdateReceiver. This did not have relevance to most apps and its functionality is now accomplished without requiring a manifest-declared broadcast receiver.
- Provide meaningful names to Intune MAM threads.
- Fix build-plugin issue where RC-suffixed Gradle versions would cause build failure.
- Add config mode for Microsoft Defender ATP.
- The build plugin now automatically includes all external libraries when used with Android Gradle Plugin 4.2 and higher. These versions no longer expose the library names to the Transform API which our plugin is built on. The `includeExternalLibraries` configuration option will be removed in MAM SDK 8.0.
- Add MAMCertificatePinningManager API for certificate pinning support.
- Fix NullPointerException in Allowed Accounts.
- Fix an intermittent build plugin issue that impacts super calls that target non-parent, non-system classes. We previously failed to rewrite these super calls when the containing class is processed before its ancestor classes.
- Fix bounds-checking in MAMDataProtectionManager (small buffers could previously result in a BufferUnderflowException).
- The Build Tool CLI now supports incremental builds (via a new --processed option) for parity with the Gradle plugin.
- Report functionality is now supported in the command-line BuildTool, via the `--report` parameter. This functionality has been available in the Gradle plugin for some time.
- Add `AppPolicy` methods `diagnosticHasSaveRestriction` and `diagnosticHasOpenRestriction` which may be used by apps which (for example) wish to warn the user in advance when some operations may be prohibited by policy. They should not be used for enforcement -- please continue to use `getIsSaveToLocationAllowed` and `getIsOpenFromLocationAllowed` for that purpose.
- The build plugin will now replace inheritance/instantiation of `RelativeLayout` with `MAMRelativeLayout`. This is used to enforce keyboard restrictions in apps which create input connections from custom layouts.
- Add MAM Strict Mode check: `AUTHENTICATION_CALLBACK_NOT_REGISTERED` to check that the MAMServiceAuthenticationCallback is registered in Application.onCreate().
- Reduce main-thread IO during app initialization.
- Add `AppPolicy` method `getIsOpenFromContentUriAllowed` to allow an app to test whether data ingress (receive) policy will block receiving data from the given URI. This is intended primarily as a convenience; it is not necessary for enforcement. MAM will continue to automatically block prohibited content provider queries/opens.
- Exclude all nested inner classes of classes excluded from mamification.
- Add MAMKeyNotAvailableException which is thrown from MAMDataProtectionManager when a buffer cannot be decrypted due to the app no longer being managed.
- Fix build plugin to rewrite all super calls that target a replaced base class at any point in the inheritance chain. In v7.2.1, we introduced a similar fix to correctly rewrite super calls, but that fix only applied to methods that were renamed (e.g. onCreate() -> onMAMCreate()).
- Add `MAMFileProtectionManager.getProtectionInfo` overload which takes a content `Uri`. This should be used in preference to the overload taking a `ParcelFileDescriptor` when it's necessary to check a file's identity before reading it in order to perform the read under the correct identity.
- Replace MAM Strict Mode check `SAVE_TO_ODB_MISSING_UPN` with `SAVE_TO_LOCATION_MISSING_UPN` to properly reflect that the check covers scenarios beyond ODB and fix spurious error raised on empty UPN for ACCOUNT_DOCUMENT, which is allowed.
- Fix bug where we aren't correctly calling MAMBackupAgent.onMAMRestoreFinished() in offline mode.
- The build plugin will now replace inheritance/instantiation of `ViewGroup` with `MAMViewGroup`. This is used to enforce editor policy restrictions on ViewGroup.
- Fix build plugin bug that misses super call rewrites when the calls target an ancestor of the rewritten base class.
- Add new `DATA_FROM_INTENT` option to `IdentitySwitchOption`.
- Improve build plugin classpath computation. This fixes missed project dependencies with Android Gradle Plugin 3.6.1+ as well as an illegal state exception during dependency calculation in Gradle 6.7.
- Fix bug causing repeated prompts to install the Company Portal on Android 11
- Correct enrollment retry logging.
- Add MAMIdentityRunnable as a convenience. Wraps another Runnable to execute under the given identity.
- Updates `MAMAutoCompleteTextView` classes to enforce screenshot blocking policy when a screen recorder is in use.
- Fix build plugin NPE when entities that aren't full-fledged classes end up on the classpath.
- Update certificate pins for connections to Intune services.
- Android Gradle Plugin version 3.6.1 or higher is required.
- Update Javassist dependency to 3.27.0-GA.
- Remove `SecureBrowserPolicy` from the SDK. This class was exposed but was not documented. It was previously used by the Intune Managed Browser, which has since been superseded by Microsoft Edge.
- Support libraries no longer use AndroidX annotations due to tighter restrictions in the Android build system around Support and AndroidX library coexistence.
- Support for targeting API 30, including new ContentProvider, ContentProviderClient, ContentResolver methods, and allow-list Company Portal against package visibility restrictions.
- Add `onMAMPictureInPictureRequested` to `MAMActivity` to ensure `onPictureInPictureRequested` is not called if launch is blocked during `onCreate`.
- `StrictScopedDisable` now extends from Closeable as well as AutoCloseable for compatibility with Kotlin's `use` extension method.
- The build plugin will now automatically include local AAR files (i.e. as opposed to AAR dependencies retrieved via artifact coordinates) for mamification. The Android Gradle Plugin transforms these files into jars with names which are inconsistent across AGP versions and often unrecognizable, making inclusion through `includeExternalLibraries` specification difficult.
- The build plugin will now replace inheritance/instantiation of `MediaRecorder` with MAM equivalent `MAMMediaRecorder`.
- The MAMBlobStoreManager replaces the BlobStoreManager with build plugin support, to enable protection of shared data blobs.
- Fix build plugin regression which could lead to bytecode corruption. Backported to 6.7.1.
- Expand `getIsOpenFromLocationAllowed` SDK method to handle a non-null username for identity-tagged files in local storage. For convenience, add an SDK method `getIsOpenFromLocalStorageAllowed` that accepts a `File` parameter.
- Refine proguard rules to reduce the size impact of the SDK.
- Add `bypassConditionalLaunchChecks` to `MAMPolicyManager` interface to allow special-purpose Activities to avoid conditional launch checks.
- Suppress class format errors in plugin when `verify` option is enabled. Some classes from the Android 11 build tools are built with the Java 9 class format and cannot be verified when building with Java 8. These classes cannot be verified because they cannot be parsed in a Java 8 JVM. Updating to Java 9+ will allow these classes to be verified.
- The build plugin will now replace inheritance/instantiation of `PopupWindow` with MAM equivalent `MAMPopupWindow`, `ListPopupWindow` with MAM equivalent `MAMListPopupWindow`, and `PopupMenu` with MAM equivalent `MAMPopupMenu`. This is used to enforce screenshot blocking policy when a screen recorder is in use.
- If not using the build plugin, the replacements listed above must be made manually. Using the build plugin is very strongly recommended.
- Fix build plugin compile-time error when Android Gradle Plugin 4.0 is used with the Play Services Core library.
- Add `onMAMUserLeaveHint` to `MAMActivity` to ensure `onUserLeaveHint` is not called if launch is blocked during `onCreate`
- When an app throws an exception from an implementation of `MAMNotificationReceiver` that exception is caught and the app is regarded as having failed to handle the notification as if it had returned `false` from `onReceive`. One impact of this is that if a wipe handler throws, the default wipe behavior will be applied rather than leaving the app in a crashing-and-not-wiped state.
- Fix theming issue in certain policy enforcement dialogs which were shown with a black background instead of a transparent background.
- Extend redirection to the Intune web portal for all app installation scenarios where Google Play Services are not available and links to market:// are not handled.
- Point to per-environment specific FWLinks for Company Portal installation when Google Play Services and links to market:// are not available.
- Use android.R.attr.colorForeground instead of android.R.attr.textColorPrimary to apply textColor on all dialogs successfully when an app theme is given.
- Fix theming issue in "Install Company Portal" dialog which has a black background instead of a transparent background. This regression was introduced in SDK 6.5.0.
- `MAMAppConfig` will read the following configs from both MAM app config and Android Enterprise.
  - `com.microsoft.intune.mam.managedbrowser.bookmarks`
  - `com.microsoft.intune.mam.managedbrowser.homepage`
- `MAMAppConfig` will read the following configs from the MAM app config channel and not from Android Enterprise.
  - `com.microsoft.intune.mam.managedbrowser.account.syncDisabled`
  - `com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked`
  - `com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar`
  - `com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs`
  - `com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO`
  - `com.microsoft.intune.mam.managedbrowser.disableMvpn`
  - `com.microsoft.intune.mam.managedbrowser.proxyPacUrl`
- Mark Build Plugin Android Gradle Transform as cacheable for possible performance improvements
- Unconditionally register the Company Portal install receiver in Offline mode. This will reduce user logins during APP-CA sign-ins when Company Portal is not already installed on the device, at the expense of restarting MAM apps if the Company Portal is installed for no reason.
- Add support for the Gallatin / Mooncake Sovereign Cloud.
- Fix build plugin issue where not all libraries with dependencies on processed libraries were properly included for processing. This fix is necessary when upgrading to ADAL 3.0.1. Without this fix, if `verify=true`, in `intunemam` configuration in `build.gradle`, the issue would present as a build-time error. If verification is not in use, this issue would present as a runtime error for overriding a final method.
- Build plugin support for Gradle 5.6/Android Gradle Plugin 3.6
- Added support for a MAM Service feature to detect disabled AAD accounts.
- Added support for custom themes. The app may provide a theme to the MAM SDK using `MAMThemeManager.setAppTheme` which will be applied to all MAM screens and dialogs.
- Add MAM Strict Mode check: `APPLICATION_CONTEXT_DISCOVERED` which identifies when an Application context is discovered when an Activity context is expected.
- Add a new method `MAMPolicyManager.showDiagnostics` that displays Intune MAM diagnostics information.
- Update login authority mapping to supported sovereign cloud endpoints.
- Use `Application.getProcessName` when possible (API 28+) instead of `ActivityManager.getRunningAppProcesses` as the latter is primarily intended for debugging.
- Add `getIsOpenFromLocationAllowed` SDK method for controlling data ingress.
- Add the `MAMUIHelper` class for displaying policy related UI.
- Add MAM Strict Mode check: `NON_INTEGRATED_VIEW` which verifies that View classes are properly MAM-integrated.
- Update button label "Go Back" to "Close" to better reflect actual behavior.
- After displaying an offline wipe notification, resume launch of the app's activity rather than killing it.
- Changed the header name for the retry interval that controls the enrollment retries for unlicensed clients, in accordance with a service-side change.
- Fix plugin build error if the `excludeClasses` specification was empty (regressed in 6.2.0)
- Fix missing Javadoc for MAM Strict Mode
- Added MAM Strict Mode which uses heuristics to detect mistakes in usage of MAM APIs or MAM-restricted platform APIs. Your team is strongly encouraged to use it in internal debug/develop/dogfood builds. The build plugin writes some additional metadata to facilitate MAM Strict Mode.
- Added `MAMAccountAuthenticatorActivity` (MAM version of `AccountAuthenticatorActivity`).
- Added support for view `onCreateInputConnection`.
- Fix a bug with service URL parsing.
- Allow the Intune service to configure retry intervals for users not yet licensed or policy-targeted.
- The `android:testOnly` attribute no longer causes apps to automatically connect to the Test Agent instead of the Company Portal. This behavior previously caused confusion for several teams. If you use the Test Agent, it is necessary to set both `testOnly` and a new meta-data item: `<meta-data android:name="com.microsoft.intune.mam.Agent" android:value="test" />`
- Add handling for MSAL-style ids for identity comparisons. Note that this is not full support for the use of MSAL.
- Exclude META-INF classes from processing in the build plugin. This fixes a build-time error encountered by one SDK consumer.
- `MAMAppConfig` will only read `com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock` and `com.microsoft.intune.useEdge` from the MAM app config channel and not from Android Enterprise.
- Improve Company Portal update dialog for devices without the Play Store.
- For Xamarin apps, correct an issue in the SDK bindings that prevented IntentServices from starting correctly.
- Add nullability annotations in the SDK. This introduces a dependency on `androidx.annotation:annotation:1.0.0`.
- Remove DownlevelStubs JAR which was replaced by an AAR in 5.8.0.
- Support for targeting API 29, including new `ContentProvider`, `ContentProviderClient`, and `ContentResolver` methods.
- Add override for `notifyAsPackage` method introduced in API 29.
- Remove no-longer-necessary Proguard rules.
- Fixed issue where enrollment would fail when apps used domain-specific configurations in `network_security_config.xml`
- Make build plugin classpath computation more deterministic to avoid intermittent edge-case compilation errors. Build plugin output should not be affected.
- Fix missing info in certain telemetry events.
- Fix a potential issue where install Company Portal dialog may not show on Q devices when user navigates away from the app before authentication completes.
- Add incremental build support to build plugin. Incremental build support is experimental, and is off by default. To enable it, specify `incremental=true` in the `intunemam` configuration block in `build.gradle`.
- Add notification restriction policy. Apps must check the result of the `getNotificationRestriction` method in `AppPolicy` before showing a notification associated with a given user. If this method is not invoked, notifications will be blocked automatically in single-identity apps.
- Only allow `IntuneMAMOnly` AppConfig keys via the MAM delivery channel.
- Fix bug in implicit wipe (primarily when Company Portal is uninstalled unexpectedly) where `onStart`/`onMAMResume` may be called without `onMAMCreate` being called.
- Fix build plugin error related to processing transitive dependencies. If your app builds without issue, it is not affected by this bug.
- Fix build plugin processing of AIDL-generated files.
- Ensure MAM component initialization before execution of a `MAMBroadcastReceiver`. This is a speculative fix for a rare crash.
- Remove unneeded IPC calls related to identity persistence.
- New build plugin configuration option: `verify`. This acts as a guard to ensure many types of potential plugin bugs will produce compilation failures instead of runtime failures. To use it, specify `verify=true` in the `intunemam` configuration block in `build.gradle`. Verify defaults to false, though this default may change in the future.
- Fix build plugin error where Jetified libraries with an undeclared support library dependency were not correctly processed.
- The build plugin will now replace `NotificationManager.notify` calls with calls to `MAMNotificationManagement`, and `NotificationManagerCompat.notify` calls with calls to `MAMNotificationCompatManagement`.
- Fix crash in `MAMPrintHelperManagement`. If your app uses `PrintHelper` from the legacy support libraries, it should take this update.
- Fix SDK 5.4.0 regression in `MAMAlertDialogBuilder` causing application crash due to build plugin rewrite of `AlertDialog.Builder`. `MAMAlertDialogBuilder` is no longer marked as `final`. Backported to 5.6.2.
- Convert `DownlevelStubs` from JAR to AAR so consumers do not need to specify their own ProGuard rules.
- Remove deprecated telemetry events.
- Fix build plugin error that could fail compilation through too-aggressive rewriting. If your app builds without issue, it is not affected by this bug.
- Fix build plugin compatibility with the AndroidX Jetifier. Backported to 5.6.2.
- Do not force app restart on `ACTION_PACKAGE_CHANGED` for Company Portal.
- Throttle severe messages logged to telemetry by unique message and stacktrace.
- Add missing override of `Activity.startActivityIfNeeded`.
- Handle `CertificateException` thrown during Company Portal signature verification in automated testing.
- The build plugin will now replace inheritance/instantiation of `WebView` with `MAMWebView`. This is used on Android O+ for transfer policy enforcement on text classifier actions
- The build plugin now bypasses jar verification. Jars with invalid signatures will not cause it to fail.
- Fix `MAMResolverActivity` breaks multi-process activity stack.
- Reduce telemetry noise by downgrading a severe message from an expected AAD change.
- The interval for enrollment retries for accounts that are not licensed or targeted with policy is reduced to 12 hours.
- The build plugin will automatically include external libraries which depend on an included external library.
- The build plugin will rerun if the `build.gradle` file changes (because the `intunemam` block may have changed).
- Increase enrollment retry backoff on network failures.
- The build plugin will now wrap calls to `View.startDragAndDrop` and `DragEvent.getClipData`. This allows us to enforce transfer policy on drag and drop without relying on Android internals.
- Fix isolated process crashes when calling into `MAM*Management` methods.
- Introduce options for UI identity switches. New overrides have been added for `switchMAMIdentity` and `setUIPolicyIdentity` that take a set of `IdentitySwitchOption` values.
- Improve offline performance when Company Portal is not on device.
- `MAMComplianceBlockActivity` is no longer exported.
- The default behavior of `MAMActivity.onSwitchMAMIdentityComplete` has changed. If the identity switch failed, the default behavior is now to finish the activity. The previous default of taking no action made data leaks easy if the app did not pay close attention to the asynchronous completion result of the switch. There is no change in behavior for activities which do override `onSwitchMAMIdentityComplete`. If your app expects identity switches to be cancellable within the same activity, you must override `onSwitchMAMIdentityComplete` and take appropriate action.
- Build plugin no longer tries to rewrite non-existent `Fragment.onCreateDialog` method.
- Blocking UI is not shown until all offline wipes are complete to avoid race conditions.
- Added an `areIntentActivitiesAllowed` method to `AppPolicy`, allowing an app to determine whether all apps able to handle a given intent would be blocked by policy.
- Build plugin rewrite rule for the `AlertDialog.Builder` has been corrected.
- Ensure
MAMComponents
initialized inMAMActivity
. This is a speculative fix for crashes occurring in Launcher. - Remove reference to the ADAL
StringUtil
class. This was causing consistent crashes in Launcher, because ADAL is not included as a dependency in the SDK.
- Append MAM service URL queries with device and MAM app information
- The build plugin can write a report of the changes it makes. Specify `"report = true"` in the intunemam configuration block. Logs will be written to outputs/logs in the build directory.
- Wipe on Company Portal uninstall is now robust to the app being unable to start completely without access to encrypted files
- After an implicit wipe completes, the MAM enrollment status cache is cleared and the appropriate wipe notice flag is set in a single transaction.
- Fix issues when a `Service` is created (by Android) before the `Application`.
- Return `NOT_LICENSED` for Blackforest and Gallatin enrollments.
- Add additional telemetry data for SSL pinning failures.
- Only support TLS 1.2 protocol above Jelly Bean
- Update MAM AppConfig to support Android Enterprise AppRestrictions.
- The build plugin will now wrap calls to `ContentResolver` and `ContentProviderClient`. This allows us to enforce parts of transfer/receive policy without relying on Android internals.
- Fix an NPE in the build plugin if `JavaCompile.getOptions()` returns null
- Fix a bug where a wipe could occur if the app was started while the Company Portal required a version update.
- The build plugin now works around a Gradle 4.8+ bug in decoration of signed plugins causing configure failure. See gradle issue 6860
- Add the `MAMComplianceManager` interface with new API to support the MAM-CA compliance flow.
- Added `MAMAlertDialogBuilder` to create managed `AlertDialog` (with a support class version).
- Fixed bug where multi-process apps didn't use the registered data wipe handlers in secondary processes.
- Added tracked occurrence telemetry for SSL certificate pinning failures.
- Fixed bug in accessing uninitialized components during service start.
- The build plugin will now wrap calls to `PrintManager` and `PrintHelper`. This allows us to enforce print policy without relying on Android internals.
- The build plugin now supports negation patterns in the `includeExternalLibraries` configuration to exclude libs which would otherwise be included by a wildcard pattern.
- Fix build plugin bugs:
- No longer use the JRE system classpath at all. Doing so was incorrect and unnecessary. There is no expected impact to any apps from this.
- Fix incorrect rewriting of new-array expressions
- Fix a bug blocking use of Instant Run. We believe Instant Run will work as expected now, but please let us know your experience.
- Correctly process app classes placed under the `android.` package
- Correctly find inner classes of Kotlin classes.
- Added `AllowedAccounts.unregisterListener` method. Note that it is generally recommended to leave a listener live for the process lifetime.
- Fixed NPE in build plugin when some subprojects do not use the Android plugin.
- Fix a bug with build plugin support for `BackupAgent` and `BackupAgentHelper`.
- The build plugin will now wrap all `ClipboardManager` calls to query or set the primary clip in calls to `MAMClipboard`.
- The build plugin will now wrap most `PackageManager` calls in calls to `MAMPackageManagement`. `PackageManager` calls will not be intercepted automatically on Android P.
- The build plugin will now wrap the `DownloadManager.enqueue` call in a call to `MAMDownloadManagement`. `DownloadManager` calls will not be intercepted automatically on Android P.
- The build plugin will now replace inheritance/instantiation of `TextView` (and derived views, such as `EditText`) with MAM equivalents (`MAMTextView`, `MAMEditText`, etc). This is used on Android P for clipboard policy enforcement and for transfer policy enforcement on text classifier actions
- If not using the build plugin, the replacements listed above must be made manually. Using the build plugin is very strongly recommended.
- Add `MAMBackupDataInput` to the SDK and signatures of `BackupAgent.onMAMRestore` and `BackupAgentHelper.onMAMRestore` for identity backup.
- Add support for new (Android P) `BackupAgent.onRestore` overload to `MAMBackupAgent`.
- Fix missing handling of `Activity.startActivities`.
- Build plugin bug fixes.
- The build plugin now supports excluding specific variants from processing.
- The build plugin now rewrites all MAM overloads for `DocumentsProviders`.
- Fix build plugin failure if app activity derives a library project activity.
- Build plugin `includeExternalLibraries` specification no longer requires a version component for artifact notation
- Do not log to logcat in production builds.
- Reduce dependence on runtime-emitted stub classes. `MAMDocumentsProvider.findDocumentPathMAM` returns an `Object` to remove the need for DocumentsContract$Path to exist during reflection of `MAMDocumentsProvider` (it doesn't prior to API26).
- Improve performance in offline scenario when the Company Portal app is not on device by providing an option to disable MAM offline logging.
- Improvements to the Build Plugin. It is now supported for production use.
- Add static version of `MAMContentProvider.isProvideContentAllowed` for use with the build plugin.
- Separate `MAMActivityIdentityRequirementListener`/`MAMIdentityRequirementListener` interfaces out of `MAMActivity`/`MAMService`/`MAMContentProvider` for use with build plugin.
- Fix isolated process crashes on API 8.0 and up.
- Improve enrollment telemetry by reporting more fine-grained failure causes.
- Restrict MAM-WE enrollment retries to primary process to avoid race conditions.
- Add wipe reason to selective wipe telemetry.
- Fix portal reinstallation wait loop to be correctly bounded.
- Improve performance in offline scenario when the Company Portal app is not on device.
- Add Sovereign Cloud support via a new `registerAccountForMAM` that accepts the user's authority - Arlington is supported. New sovereign clouds will be supported via SDK updates but no additional source integrations will be necessary.
- Fix SDK 4.4.2 regression in `MAMDialogFragment` causing application crash.
- Fix `NullPointerException` if `onAttach` is not the first `MAMFragment` method called.
- Fix `ArrayIndexOutOfBoundsException` for `testOnly` builds if the process is started by a component with `android:isolatedProcess="true"` flag.
- Minor fix to `MAMApplication.attachBaseContext` handling. Always call `super.attachBaseContext` even if invoked more than once.
- SDK now supports targeting API 27
- Fix crash in conditional launch dialog on API 26 devices for apps that target API 27.
- Prevent proguard from marking classes/methods as `final`/`private` as this interferes with proxy generation
- Various improvements to Aria telemetry.
- Retry initial enrollment failures more frequently if they did not result in service load
- Fix `MAMAsyncTask` so it does not hold onto Context references for longer than needed.
- Send tracked occurrence and service request telemetry to Aria.
- Stop sending error event telemetry to Asimov.
- Allow connecting to Company Portal instead of TestAgent even for apps with the `testOnly` attribute. This is enabled by adding the boolean `meta-data com.microsoft.intune.mam.ForceProductionAgent`.
- Fix PII logging leak of user UPN.
- Properly block activity launch for multiple identities in `COMPANY_PORTAL_REQUIRED` state
- Updated localizations for Allowed Accounts
- Send SLA telemetry to Aria, with new mechanism for tracking duration.
- Add `AllowedAccounts`, allowing an app to query whether the set of accounts it is allowed to sign in is limited.
- Use https for all network calls to support apps which set `android:usesCleartextTraffic="false"`
- When the Company Portal is not installed, `MAMUserInfo.getPrimaryUser` will now return a non-null result only when enrollment has been attempted for a user which is actually targeted with policy, not merely Intune licensed.
- Add `MAMAsyncTask` as a convenience wrapper around `AsyncTask`. When used, it ensures that the background thread runs under the same identity as the activity.
- Add `MAMMediaMetadataRetriever` as a drop-in replacement for `MediaMetadataRetriever` which allows working with encrypted media files. Apps should replace usage of `MediaMetadataRetriever` with `MAMMediaMetadataRetriever`.
- Add `Microsoft.Intune.MAM.SDK.DownlevelStubs.jar` as an optional separate library which apps can incorporate if they need to perform reflection on classes deriving from `MAMActivity`. If your app did not previously experience issues around reflection and Intune integration, there is no reason to consume this library.
- Fix issue where `onMAMPrepareOptionsMenu` could be called before `onMAMCreate`.
- Add new, API26 functions to `MAMContentProvider`, `MAMDocumentsProvider`, `MAMFileProvider`, `MAMPendingIntent` and `MAMMediaPlayer`.
- Add new, API26 class `MAMJobIntentService`.
- Remove `MAMActionBarActivity` from `Microsoft.Intune.MAM.SDK.Support.v7.jar` because it was removed from the Android support libs with version 26.0.0.
- Add `MAMBackgroundJobService` to the SDK to comply with API26 background execution requirements. This is a MAM internal only change and no partner interaction is required.
- Send severe telemetry to new telemetry pipeline (Aria). Add selective wipe event.
- Version 1 of the MAM-WE enrollment API is now completely removed.
- Provide a default implementation for `getAdalSecretKey()`. Apps using Version 2 of the MAM-WE enrollment API no longer need to override this method.
- Add MAM dialog UI update that was removed in SDK 3.1.2.
- Remove MAM dialog UI update introduced in SDK 3.1.1. This change resulted in broken UI under some circumstances. It will be reinstated in a forthcoming SDK update. Any app which updated to SDK 3.1.1 should immediately update to 3.1.2
- Fix logging of some exceptions
- Update MAM dialogs to match the Material design guidelines on API 21 and above.
- Display a non-blocking "You need to update your Android device" deprecation warning, which is a one-time dialog, shown at managed app launch, similar to "Managed by your organization" message.
- Allow Company Portal installation detection to close the app on Android O
- Certificate pinning for the MAM services.
- `MAMFileProtectionManager` now provides an overload of the protect method which allows setting an identity on a `ParcelFileDescriptor`. This is intended for use when storage volumes are accessed through the Storage Access Framework. It cannot be used to set an identity on files provided by other applications.
- Add `AppPolicy` method `diagnosticIsFileEncryptionInUse` which allows an app to find out whether MAM file encryption is being used. This is intended for diagnostic purposes only.
- Set `android:multiprocess=true` for `MAMStartupActivity` and other similar activities. This addresses issues that occur when a multi-process app tries to start a MAM-integrated activity from a process other than the main process.
- Improve MAM telemetry via logging modifications
- Reduce telemetry noise by downgrading a severe message from an expected error.
- Fix `onMAMPrepareOptionsMenu` not being called when Company Portal not installed.
- Version 1 of the MAM-WE enrollment API is now deprecated. It will be removed completely at the next major version increment.
- Mark `onPrepareOptionsMenu` as `final`. Activities which previously implemented `onPrepareOptionsMenu` must override `onMAMPrepareOptionsMenu` instead
- Mark `MAMFileProvider.call` as `final`. Apps which previously implemented call must override `callMAM` instead.
- Prevent erroneously logging a severe message.
- Improve locking in log handling.
- Add `MANAGEMENT_REMOVED` notification. This can be registered for in the same manner as `WIPE_USER_DATA` or `REFRESH_POLICY`. It is sent immediately before the app becomes unmanaged. Data protected with `MAMDataProtectionManager` should be unprotected as it will become inaccessible once this notification returns.
- The MAM SDK is verified to work correctly with Android Support Library version 25.1.0.
- Handle `MessageFormat` logging more robustly.
- Add DNS lookup times to network operation telemetry data.
- Add notification dialog if Selective Wipe was triggered implicitly.
- Update telemetry to include the mechanism used to acquire MAM service token.
- Add a guard to `attachBaseContext()` in `MAMApplication` to ensure that initialization is only done once. This is needed to support a new partner team's use case and doesn't affect typical usages.
- Added new MAM-WE account registration API, which should replace the existing enrollment API. The existing enrollment API will be deprecated at the next major version increment.
- Distribute proguard.txt in the MAMSDK AAR file and alongside the jar. Note that the rule `-keepattributes Exceptions` is a newly discovered requirement
- Fix race condition in offline MAM-WE cache that was causing JSON deserialization failures.
- Clear the setting for showing the "Your organization protects data in this app" dialog after a selective wipe.
- Fixed bug where the hardware back button does not dismiss the "Go to Store" dialog.
- Fixed bug where app is incorrectly restarted following MAM enrollment. Now all Activities will be finished, not just `MAMActivity`.
- Handle `COMPANY_PORTAL_REQUIRED` in `getIsIdentityManaged`.
- Update telemetry events to more precisely track enrollment duration.
- Clear enrollment cache tracking upon offline wipe. This clears any potential PII. Also update cache for consistency and register a receiver in the `COMPANY_PORTAL_REQUIRED` throttled case, to avoid users getting in possibly irreconcilable state.
- Added the device network info to the data collected by telemetry.
- New method `AppPolicy.getAreScreenshotsAllowed`. This method will return false if the policy restricts taking screenshots
- Add missing override for the call method to `MAMFileProvider`. Apps should override `callMAM` instead. The call method will be marked as `final` in the next major release of the MAM SDK
- Updated translations for some strings
- Added the AAD ID of the user's tenant to the data collected by telemetry during app enrollment.
- Beginning of new release cadence
- Added delayed loading of MAM internal. MAM internal libraries are not loaded unless MAM policy is deployed to an app on the device.
- Added crash handling to MAM initialization. 3 consecutive crashes in MAM initialization will result in MAM no longer loading, and instead blocking the app if policy is deployed.
- MAM version of `onPrepareOptionsMenu`. Applications are encouraged to override `onMAMPrepareOptionsMenu` instead of `onPrepareContextMenu`. This will be enforced in the next major release.
- Changed Policy Required string from "This app requires your device to be enrolled using Microsoft Intune and to be compliant with your company's policies. Contact your IT department for help." to "This app requires management by Microsoft Intune. Contact your IT department for help."
- Added `MAMAppConfigManager` to Interface to facilitate passing of Application Configuration data from the MAM Service. This includes an offline implementation of `MAMAppConfigManager` for use when Application Configuration data cannot be accessed.