Categories
Endpoint Manager Intune MAM Microsoft 365 security

Intune MAM Exemptions – Discovering URL Protocols

In Microsoft Intune you can create a secure container where the data in your apps cannot leak outside of. That is, you can restrict copy/paste outside of the supported apps and restrict opening the data in a different app.

But sometimes you need to open the data in a different app and with the Intune Mobile Application Management (MAM) policy (also known as App Protection Policy, APP) in place you are restricted from doing so.

On Android adding the exception for apps is easy – its part of the URL to the app in the Google Play Store. For example to allow data to be sent to Google Maps you would look up the app URL (https://play.google.com/store/apps/details?id=com.google.android.apps.maps&hl=en&gl=us) and exempt the app in Intune MAM policy by using the ID value, so com.google.android.apps.maps in this case.

On iOS this is next to impossible. Microsoft in their article on this subject at iOS/iPadOS app protection policy settings – Microsoft Intune | Microsoft Docs and Data transfer policy exceptions for apps – Microsoft Intune | Microsoft Docs suggest this is done by contacting the app developer. I have had no success doing this, as often the app first line support has no idea what you are asking.

So here is how to get the URL Protocol, or more correctly speaking, the URL Scheme for the app. I think the first battle is in working out the correct terminology!

To get the information you need you have to have access to the ipa file that is the app on the iOS device. I use iMazing for this and my steps here are for the PC, but a Mac version is also available. iMazing is available for purchase on a per device basis but everything I describe here works with the trial/free version of the product.

Once iMazing is installed you need to plug in your iPhone/iPad to your PC. Ensure the apps you need are installed on the device.

An iPhone Displayed in the iMazing App

In the middle-right column there is an option called Manage Apps. This lists the library of apps you have on the device and the option to download the app to your PC. I am going to work through the process of getting the URL Scheme for Cisco WebEx Meet, which is the app Microsoft have in their documentation as well, as you can see from my app library below there appears to be two apps called “Webex Meet” – so lets see what is going on.

Viewing apps in iMazing

For each app you need to determine the URL Scheme/URL Protocol for, download the app by clicking the “cloud + down arrow” icon to the right of the app.

Downloading an app in iMazing

You will need to login to the Apple account ID used by the iOS device to complete this step.

Once I have downloaded the app the version number is displayed. I had previously downloaded Webex Meet 41.3.2 and the new download is version 41.3.3. So this is why I see multiple versions. The trashcan icon can be used to clean up your download folder. The arrow icon bottom right will give you an option to update all the downloaded apps to their latest version is new versions are available as well.

Once you have downloaded the app you can export the .ipa file for the app. This is done via the same arrow button bottom right. It will export the .ipa file for the selected app to a folder of your choosing.

Exporting the .ipa file for the selected app

Choose the folder to export to and then open that folder in Windows Explorer

The downloaded .ipa files in Windows Explorer

You can see the exported Webex Meet 41.3.3.ipa file in this folder, and the previously downloaded, and renamed, file as well. This rename is the next step. The .ipa file is just a ZIP compressed file, so add .zip to the end of the file name and open the compressed file. Don’t extract the contents of the file, as we are only looking for a single file in all the contents.

Inside the compressed file, navigate into Payload > AppName.app and find info.plist. Copy this file only out of the compressed file.

Inside the compressed .ipa file looking for info.plist

Once you have the info.plist file outside of the compressed folder, open this file in Notepad.

info.plist in Notepad

Now to search for the URL Scheme in this file. Search for CFBundleURLSchemes, and unfortunately you may see more than one of these. We know from the Microsoft documentation that they say the URL Protocol for WebEx is wbx and we see this value as a <string> under <array> under <dict> where <key> is CFBundleURLSchemes

CFBundleURLSchemes in the info.plist file

The <string> value is the URL Scheme, and so for WebEx is is wbx. The value is found under Key=CFBundleURLName, Key=CFBundleURLSchemes, String=. At this point it is all down to testing on the device. So add the most likely string to Intune MAM policy exceptions and wait for that to sync to the phone (browse to about:intunehelp in Edge Browser on the device) and click View Intune App Status

Then select an app, for example Outlook, from the scroller at the top and scroll down to ProtocolExclusions near the bottom – once your new addition is listed here you can test to see if you can open the new app from a link in the source app:

For example, in the above I have the following URL Schemes added as well as some I am still testing:

  • zoomus = Zoom
  • gmeet = Google Meet
  • bjn (or bjn-intunemam or bjn-a2m) = BlueJeans
  • mobilepassplus = Mobile Pass+ from Thales
  • otpauth = Duo Security
  • com.mimecast.mobile.saml = Mimecast
  • pdfe-callback (or pdfe2int1 or pdfefile) = PDF Expert

It is still a bit hit and miss once you have info.plist, but you have a list of values for the URL Protocol that you can test against now.

7 replies on “Intune MAM Exemptions – Discovering URL Protocols”

Need help getting Calendly URL Protocol ive reached out to their support and they have been pretty useless. Any help would be appreciated.

Hi
Did you manage to get Google Meet working? We cant send invite links from Google Meet via Outlook calendar to the Meet app.
Thanks

What happens when you click a Google Meet URL in Outlook Mobile on your iPhone/Android device and what exemptions do you have in Intune App protection policies please – otherwise I am just guessing as to what your issue is!

Hi Brian
We are using Outlook and Edge via Intune with MAM app protection policies. In our app protection policy, under “Select apps to exempt” we have the following…

Default: tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;shoebox;gmeet;zoomus
RSA Secure ID: com.rsa.securid
Google Meet: gmeet
Workday: workday
Pearpay: pearpay
Salesforce: salesforce1
Webex: wbx
Zoom: zoomus
AppleMaps: maps
GoogleMaps: googlemaps

Tried both gmeet in the string with the default apps, then also by naming it in the list.

When we click a Google Meet link (meet.google.com/xxx-xxx-xxx link ) , Edge opens. But rather than opening Meet, there seems to be a redirect to https://apps.google.com/meet where you have a link to download Meet.

So I tried – I have no issues in getting this to work on a MAM protected Android device (it just works), but nothing on iOS. It just opens Edge, and Edge is redirected by Google to a page about installing the app even though Edge knows that this URL is fine. If this was Zoom then the same thing happens, but a “click to join meeting” link appears in the “install app” page in the browser and that link works. Google Meet needs to add the same functionality it would appear.

Thanks Brian. Just what i get too. I feel Google need to an “app already installed” button, like Zoom has.

Leave a Reply to Ryan Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.