Intune MAM Exemptions – Discovering URL Protocols


In Microsoft Intune you can create a secure container where the data in your apps cannot leak outside of. That is, you can restrict copy/paste outside of the supported apps and restrict opening the data in a different app.

But sometimes you need to open the data in a different app and with the Intune Mobile Application Management (MAM) policy (also known as App Protection Policy, APP) in place you are restricted from doing so.

On Android adding the exception for apps is easy – its part of the URL to the app in the Google Play Store. For example to allow data to be sent to Google Maps you would look up the app URL (https://play.google.com/store/apps/details?id=com.google.android.apps.maps&hl=en&gl=us) and exempt the app in Intune MAM policy by using the ID value, so com.google.android.apps.maps in this case.

On iOS this is next to impossible. Microsoft in their article on this subject at iOS/iPadOS app protection policy settings – Microsoft Intune | Microsoft Docs and Data transfer policy exceptions for apps – Microsoft Intune | Microsoft Docs suggest this is done by contacting the app developer. I have had no success doing this, as often the app first line support has no idea what you are asking.

So here is how to get the URL Protocol, or more correctly speaking, the URL Scheme for the app. I think the first battle is in working out the correct terminology!

To get the information you need you have to have access to the ipa file that is the app on the iOS device. I use iMazing for this and my steps here are for the PC, but a Mac version is also available. iMazing is available for purchase on a per device basis but everything I describe here works with the trial/free version of the product.

Once iMazing is installed you need to plug in your iPhone/iPad to your PC. Ensure the apps you need are installed on the device.

An iPhone Displayed in the iMazing App

In the middle-right column there is an option called Manage Apps. This lists the library of apps you have on the device and the option to download the app to your PC. I am going to work through the process of getting the URL Scheme for Cisco WebEx Meet, which is the app Microsoft have in their documentation as well, as you can see from my app library below there appears to be two apps called “Webex Meet” – so lets see what is going on.

Viewing apps in iMazing

For each app you need to determine the URL Scheme/URL Protocol for, download the app by clicking the “cloud + down arrow” icon to the right of the app.

Downloading an app in iMazing

You will need to login to the Apple account ID used by the iOS device to complete this step.

Once I have downloaded the app the version number is displayed. I had previously downloaded Webex Meet 41.3.2 and the new download is version 41.3.3. So this is why I see multiple versions. The trashcan icon can be used to clean up your download folder. The arrow icon bottom right will give you an option to update all the downloaded apps to their latest version is new versions are available as well.

Once you have downloaded the app you can export the .ipa file for the app. This is done via the same arrow button bottom right. It will export the .ipa file for the selected app to a folder of your choosing.

Exporting the .ipa file for the selected app

Choose the folder to export to and then open that folder in Windows Explorer

The downloaded .ipa files in Windows Explorer

You can see the exported Webex Meet 41.3.3.ipa file in this folder, and the previously downloaded, and renamed, file as well. This rename is the next step. The .ipa file is just a ZIP compressed file, so add .zip to the end of the file name and open the compressed file. Don’t extract the contents of the file, as we are only looking for a single file in all the contents.

If you have downloaded lots of .ipa files then you can rename with in the command prompt in bulk with ren *.ipa *.ipa.zip

Inside the compressed file, navigate into Payload > AppName.app and find info.plist. Copy this file only out of the compressed file.

Inside the compressed .ipa file looking for info.plist

Once you have the info.plist file outside of the compressed folder, open this file in Notepad.

info.plist in Notepad

Now to search for the URL Scheme in this file. Search for CFBundleURLSchemes, and unfortunately you may see more than one of these. We know from the Microsoft documentation that they say the URL Protocol for WebEx is wbx and we see this value as a <string> under <array> under <dict> where <key> is CFBundleURLSchemes

CFBundleURLSchemes in the info.plist file

The <string> value is the URL Scheme, and so for WebEx is is wbx. The value is found under Key=CFBundleURLName, Key=CFBundleURLSchemes, String=. At this point it is all down to testing on the device. So add the most likely string to Intune MAM policy exceptions and wait for that to sync to the phone (browse to about:intunehelp in Edge Browser on the device) and click View Intune App Status

Then select an app, for example Outlook, from the scroller at the top and scroll down to ProtocolExclusions near the bottom – once your new addition is listed here you can test to see if you can open the new app from a link in the source app:

For example, in the above I have the following URL Schemes added as well as some I am still testing:

  • zoomus = Zoom
  • us.zoom.videomeetings4intune = Zoom For Intune
  • gmeet = Google Meet
  • bjn (or bjn-intunemam or bjn-a2m) = BlueJeans
  • mobilepassplus = Mobile Pass+ from Thales
  • otpauth = Duo Security
  • com.mimecast.mobile.saml = Mimecast
  • pdfe-callback (or pdfe2int1 or pdfefile) = PDF Expert
  • Editor (or msauth.com.adobe.Adobe-Reader) = Adobe Reader
  • com.microsoft.azureauthenticator = Microsoft Authenticator
  • com.google.chrome.ios = Google Chrome
  • com.microsoft.companyportal = Intune Company Portal
  • com.microsoft.msedge = Microsoft Edge
  • com.microsoft.onedrive = Microsoft OneDrive
  • com.microsoft.launch.officemobile = Microsoft 365 (Office)
  • com.microsoft.launch.outlook = Microsoft Outlook
  • com.slack.slackintune = Slack for Intune
  • com.tinyspeck.chatlyio = Slack
  • com.dealcloud.mobileapp = Deal Cloud

It is still a bit hit and miss once you have info.plist, but you have a list of values for the URL Protocol that you can test against now.

Note that I have added some Microsoft apps to the above list. This is because it is also possible, via Device Configuration Profiles for iOS in Intune, on a managed device (supervised, via Apple Business Manager) to control the notification prompts that an app presents at first use as well as the “Device Features > Single Sign On App Extension” feature. The above URL Schemes are used for these settings as well.


Posted

in

, , , ,

by

Tags:

Comments

32 responses to “Intune MAM Exemptions – Discovering URL Protocols”

  1. Ryan avatar
    Ryan

    Need help getting Calendly URL Protocol ive reached out to their support and they have been pretty useless. Any help would be appreciated.

    1. Brian Reid avatar

      Hi – have you tried installing iMazing and following the steps in this article to get the URLScheme for yourself?

  2. Rich avatar
    Rich

    Hi
    Did you manage to get Google Meet working? We cant send invite links from Google Meet via Outlook calendar to the Meet app.
    Thanks

    1. Brian Reid avatar

      What happens when you click a Google Meet URL in Outlook Mobile on your iPhone/Android device and what exemptions do you have in Intune App protection policies please – otherwise I am just guessing as to what your issue is!

      1. Rich avatar
        Rich

        Hi Brian
        We are using Outlook and Edge via Intune with MAM app protection policies. In our app protection policy, under “Select apps to exempt” we have the following…

        Default: tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;shoebox;gmeet;zoomus
        RSA Secure ID: com.rsa.securid
        Google Meet: gmeet
        Workday: workday
        Pearpay: pearpay
        Salesforce: salesforce1
        Webex: wbx
        Zoom: zoomus
        AppleMaps: maps
        GoogleMaps: googlemaps

        Tried both gmeet in the string with the default apps, then also by naming it in the list.

        When we click a Google Meet link (meet.google.com/xxx-xxx-xxx link ) , Edge opens. But rather than opening Meet, there seems to be a redirect to https://apps.google.com/meet where you have a link to download Meet.

        1. Brian Reid avatar

          So I tried – I have no issues in getting this to work on a MAM protected Android device (it just works), but nothing on iOS. It just opens Edge, and Edge is redirected by Google to a page about installing the app even though Edge knows that this URL is fine. If this was Zoom then the same thing happens, but a “click to join meeting” link appears in the “install app” page in the browser and that link works. Google Meet needs to add the same functionality it would appear.

          1. Rich avatar
            Rich

            Thanks Brian. Just what i get too. I feel Google need to an “app already installed” button, like Zoom has.

        2. Jess avatar
          Jess

          Hi, is this RSA Secure ID: com.rsa.securid working?
          Thanks.

          1. Brian Reid avatar

            Sorry, but you have to test each one to work out if it is working, and especially for the MFA apps as they often send a unique code to the app to start the registration process. I’ve not had need to do RSA SecureID for years now and so have not tried it with App Protection Policies.

  3. DIngerhoffen avatar
    DIngerhoffen

    Hi Brian,
    Just wanted to thank you for this incredibly useful article.
    Unfortunately it didn’t work for the Dropbox app that I was trying to configure, but I suspect that has more to do with the app. I’m sure this process will come in handy more and more further down the line.

  4. Joshua Bines avatar
    Joshua Bines

    Thanks Brian! I feel like we should create a wiki or github page anyone can update with the app codes?

  5. Lekh avatar
    Lekh

    Hi Brian,

    Thank you for the article, Really very helpful but i tried to test for RSA SecurID IOS and it didn’t work at all.

  6. Lekh avatar
    Lekh

    Hi All,

    I found the URL Scheme for RSA, RSA : com.rsa.securid.iphone.SecurID.sdtid

    1. JG avatar
      JG

      Is that working?

  7. Mario avatar
    Mario

    Anyone have shoebox (for apple wallet) working in their environment?

  8. Joao avatar

    Hi Brian,

    Great article thank you for sharing this.

    I’m having a strange issue when using app protection policy on iOS devices. As soon as activate the app protection policy the Settings app on iOS where you have the configuration for Mail, Contacts, etc of your Microsoft Account starts to ask for reentering the password and when i try to do that, i got and error saying that you cant reach from here because of Apple Internet Accounts its not exempt from app protection policy. I’ve tried a lot of different approaches, talked with Microsoft support multiple times and also with Apple support but they are pointing out to each other with no reals solutions. Did you have seen this issue ?? Thank you so much

    1. Brian Reid avatar

      Just checking, you have consented this app as an admin for all users first?

      1. Joao Ferreira avatar

        You mean in the Apple Internet Accounts Security permissions ?

        We have Admin consent and User Consent and i’ve grant admin consent on both already. Or you are talking about a different setting ?

        Thank you so much.

        1. Brian Reid avatar

          No, that’s what I am talking about. It’s also known as ‘iOS Accounts’ if it’s been in your tenant for over a number of years and permissions on it have changed over time. Maybe remove it and reconsent

  9. Darren avatar
    Darren

    Anybody find a way to allow users add boarding passes/tickets to Apple Wallet from managed apps like Edge?

    1. Mario avatar
      Mario

      No. Anyone here have this working in their environment?

      1. Tab avatar
        Tab

        Hi ,Did you ever get this to work>

  10. Pawel avatar
    Pawel

    Hello Brian,

    This is great! Any chance you know how to do it for iOS native apps? Like Books, Calendar etc.?

    1. Brian Reid avatar

      You would do it exactly the same way – there is no difference between Apple apps and other apps

  11. Mahiroux avatar
    Mahiroux

    I have added docusign-v1,docusignit and appx in the app protection exempted apps list however docusign links from the outlook is still redirecting to edge browser.Do i need to add these in the url exemption?

    1. Yeswanth Kumar avatar
      Yeswanth Kumar

      Have you found any solution on this?

  12. Kevin Miller avatar
    Kevin Miller

    Interesting article. I would like to see if the same methodology would work for allowing Copy/Paste from an Intune managed application like Outlook to a MAM app like Bloomberg IB Chat.

    1. Brian Reid avatar

      So these values do not impact copy/paste restrictions. The apps need to be MAM apps, written to the Intune SDK. Therefore if Outlook Mobile has MAM settings applied and so does Bloomberg IB Chat (as you say that is a MAM app) then this copy/paste should just work.

  13. Marius Baumann avatar
    Marius Baumann

    I have to make an exclusion for Goodnotes 6. Then I remembered that if you like to open an app from Safari, you can write appname:// and then the rest of the URL gets sent to that app. But if you just leave it blank safari asks if you want to open the app. Now I was wondering if this name before :// is the same as this URL-Sceme identifier. If yes you at least have an easy way to trial and error this. Maybe some of you can test this and prove if this is true. In my case, this worked with goodnotes6:// but nothing else I’ve tried. I Tried it with the identifiers listed in this thread, seemed to work with all the apps I have installed but only those without dots in the identifier. So for example zoomus:// googlemaps:// works. com.google.chrome.ios:// doesn’t work.

  14. Tom avatar
    Tom

    Hello – Nice post!

    Two questions: 1. is it correct that this procedure does not enable cut/copy/paste from managed to non-managed apps? Rather, it enables open in functionality?
    2. If I find multiple string values for an app, do they all need to be added as exclusions? For example, looking at Google Maps I see 10 string values including:
    comgooglemaps
    com.google.sso.441360573637-klc27fjjtkann0lv9nvnmig41smaa49v

    and others… do they all need to be added?

    1. Brian Reid avatar

      1. Correct
      2. No – just the one that works, but its trial and error to get the correct one (apply setting, give it time to reach phone [one day] and then test, and repeat). Then when it works, add a comment here so others can benefit from your research. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.