Intune MAM Exemptions – Discovering URL Protocols


In Microsoft Intune you can create a secure container where the data in your apps cannot leak outside of. That is, you can restrict copy/paste outside of the supported apps and restrict opening the data in a different app.

But sometimes you need to open the data in a different app and with the Intune Mobile Application Management (MAM) policy (also known as App Protection Policy, APP) in place you are restricted from doing so.

On Android adding the exception for apps is easy – its part of the URL to the app in the Google Play Store. For example to allow data to be sent to Google Maps you would look up the app URL (https://play.google.com/store/apps/details?id=com.google.android.apps.maps&hl=en&gl=us) and exempt the app in Intune MAM policy by using the ID value, so com.google.android.apps.maps in this case.

On iOS this is next to impossible. Microsoft in their article on this subject at iOS/iPadOS app protection policy settings – Microsoft Intune | Microsoft Docs and Data transfer policy exceptions for apps – Microsoft Intune | Microsoft Docs suggest this is done by contacting the app developer. I have had no success doing this, as often the app first line support has no idea what you are asking.

So here is how to get the URL Protocol, or more correctly speaking, the URL Scheme for the app. I think the first battle is in working out the correct terminology!

To get the information you need you have to have access to the ipa file that is the app on the iOS device. I use iMazing for this and my steps here are for the PC, but a Mac version is also available. iMazing is available for purchase on a per device basis but everything I describe here works with the trial/free version of the product.

Once iMazing is installed you need to plug in your iPhone/iPad to your PC. Ensure the apps you need are installed on the device.

An iPhone Displayed in the iMazing App

In the middle-right column there is an option called Manage Apps. This lists the library of apps you have on the device and the option to download the app to your PC. I am going to work through the process of getting the URL Scheme for Cisco WebEx Meet, which is the app Microsoft have in their documentation as well, as you can see from my app library below there appears to be two apps called “Webex Meet” – so lets see what is going on.

Viewing apps in iMazing

For each app you need to determine the URL Scheme/URL Protocol for, download the app by clicking the “cloud + down arrow” icon to the right of the app.

Downloading an app in iMazing

You will need to login to the Apple account ID used by the iOS device to complete this step.

Once I have downloaded the app the version number is displayed. I had previously downloaded Webex Meet 41.3.2 and the new download is version 41.3.3. So this is why I see multiple versions. The trashcan icon can be used to clean up your download folder. The arrow icon bottom right will give you an option to update all the downloaded apps to their latest version is new versions are available as well.

Once you have downloaded the app you can export the .ipa file for the app. This is done via the same arrow button bottom right. It will export the .ipa file for the selected app to a folder of your choosing.

Exporting the .ipa file for the selected app

Choose the folder to export to and then open that folder in Windows Explorer

The downloaded .ipa files in Windows Explorer

You can see the exported Webex Meet 41.3.3.ipa file in this folder, and the previously downloaded, and renamed, file as well. This rename is the next step. The .ipa file is just a ZIP compressed file, so add .zip to the end of the file name and open the compressed file. Don’t extract the contents of the file, as we are only looking for a single file in all the contents.

If you have downloaded lots of .ipa files then you can rename with in the command prompt in bulk with ren *.ipa *.ipa.zip

Inside the compressed file, navigate into Payload > AppName.app and find info.plist. Copy this file only out of the compressed file.

Inside the compressed .ipa file looking for info.plist

Once you have the info.plist file outside of the compressed folder, open this file in Notepad.

info.plist in Notepad

Now to search for the URL Scheme in this file. Search for CFBundleURLSchemes, and unfortunately you may see more than one of these. We know from the Microsoft documentation that they say the URL Protocol for WebEx is wbx and we see this value as a <string> under <array> under <dict> where <key> is CFBundleURLSchemes

CFBundleURLSchemes in the info.plist file

The <string> value is the URL Scheme, and so for WebEx is is wbx. The value is found under Key=CFBundleURLName, Key=CFBundleURLSchemes, String=. At this point it is all down to testing on the device. So add the most likely string to Intune MAM policy exceptions and wait for that to sync to the phone (browse to about:intunehelp in Edge Browser on the device) and click View Intune App Status

Then select an app, for example Outlook, from the scroller at the top and scroll down to ProtocolExclusions near the bottom – once your new addition is listed here you can test to see if you can open the new app from a link in the source app:

For example, in the above I have the following URL Schemes added as well as some I am still testing:

  • zoomus = Zoom
  • us.zoom.videomeetings4intune = Zoom For Intune
  • gmeet = Google Meet
  • bjn (or bjn-intunemam or bjn-a2m) = BlueJeans
  • mobilepassplus = Mobile Pass+ from Thales
  • otpauth = Duo Security
  • com.mimecast.mobile.saml = Mimecast
  • pdfe-callback (or pdfe2int1 or pdfefile) = PDF Expert
  • Editor (or msauth.com.adobe.Adobe-Reader) = Adobe Reader
  • com.microsoft.azureauthenticator = Microsoft Authenticator
  • com.google.chrome.ios = Google Chrome
  • com.microsoft.companyportal = Intune Company Portal
  • com.microsoft.msedge = Microsoft Edge
  • com.microsoft.onedrive = Microsoft OneDrive
  • com.microsoft.launch.officemobile = Microsoft 365 (Office)
  • com.microsoft.launch.outlook = Microsoft Outlook

It is still a bit hit and miss once you have info.plist, but you have a list of values for the URL Protocol that you can test against now.

Note that I have added some Microsoft apps to the above list. This is because it is also possible, via Device Configuration Profiles for iOS in Intune, on a managed device (supervised, via Apple Business Manager) to control the notification prompts that an app presents at first use as well as the “Device Features > Single Sign On App Extension” feature. The above URL Schemes are used for these settings as well.

, , , ,

26 responses to “Intune MAM Exemptions – Discovering URL Protocols”

  1. Need help getting Calendly URL Protocol ive reached out to their support and they have been pretty useless. Any help would be appreciated.

  2. Hi
    Did you manage to get Google Meet working? We cant send invite links from Google Meet via Outlook calendar to the Meet app.
    Thanks

    • What happens when you click a Google Meet URL in Outlook Mobile on your iPhone/Android device and what exemptions do you have in Intune App protection policies please – otherwise I am just guessing as to what your issue is!

      • Hi Brian
        We are using Outlook and Edge via Intune with MAM app protection policies. In our app protection policy, under “Select apps to exempt” we have the following…

        Default: tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;shoebox;gmeet;zoomus
        RSA Secure ID: com.rsa.securid
        Google Meet: gmeet
        Workday: workday
        Pearpay: pearpay
        Salesforce: salesforce1
        Webex: wbx
        Zoom: zoomus
        AppleMaps: maps
        GoogleMaps: googlemaps

        Tried both gmeet in the string with the default apps, then also by naming it in the list.

        When we click a Google Meet link (meet.google.com/xxx-xxx-xxx link ) , Edge opens. But rather than opening Meet, there seems to be a redirect to https://apps.google.com/meet where you have a link to download Meet.

        • So I tried – I have no issues in getting this to work on a MAM protected Android device (it just works), but nothing on iOS. It just opens Edge, and Edge is redirected by Google to a page about installing the app even though Edge knows that this URL is fine. If this was Zoom then the same thing happens, but a “click to join meeting” link appears in the “install app” page in the browser and that link works. Google Meet needs to add the same functionality it would appear.

          • Thanks Brian. Just what i get too. I feel Google need to an “app already installed” button, like Zoom has.

          • Sorry, but you have to test each one to work out if it is working, and especially for the MFA apps as they often send a unique code to the app to start the registration process. I’ve not had need to do RSA SecureID for years now and so have not tried it with App Protection Policies.

  3. Hi Brian,
    Just wanted to thank you for this incredibly useful article.
    Unfortunately it didn’t work for the Dropbox app that I was trying to configure, but I suspect that has more to do with the app. I’m sure this process will come in handy more and more further down the line.

  4. Hi Brian,

    Thank you for the article, Really very helpful but i tried to test for RSA SecurID IOS and it didn’t work at all.

  5. Hi Brian,

    Great article thank you for sharing this.

    I’m having a strange issue when using app protection policy on iOS devices. As soon as activate the app protection policy the Settings app on iOS where you have the configuration for Mail, Contacts, etc of your Microsoft Account starts to ask for reentering the password and when i try to do that, i got and error saying that you cant reach from here because of Apple Internet Accounts its not exempt from app protection policy. I’ve tried a lot of different approaches, talked with Microsoft support multiple times and also with Apple support but they are pointing out to each other with no reals solutions. Did you have seen this issue ?? Thank you so much

      • You mean in the Apple Internet Accounts Security permissions ?

        We have Admin consent and User Consent and i’ve grant admin consent on both already. Or you are talking about a different setting ?

        Thank you so much.

        • No, that’s what I am talking about. It’s also known as ‘iOS Accounts’ if it’s been in your tenant for over a number of years and permissions on it have changed over time. Maybe remove it and reconsent

  6. Hello Brian,

    This is great! Any chance you know how to do it for iOS native apps? Like Books, Calendar etc.?

  7. I have added docusign-v1,docusignit and appx in the app protection exempted apps list however docusign links from the outlook is still redirecting to edge browser.Do i need to add these in the url exemption?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.