Version 9.0.0

What’s New

New Functionality

SDK 9.0.0 is the yearly major release that includes support for the new version of Android, Android 13 (API 33). If your app will target API 33, you must upgrade to SDK 9. If your app does not target API 33, it will continue to run properly on Android 13 devices without upgrading to SDK 9.

• Support for API 33 targeting.
• Add build plugin support for missing PackageManager method getPackageInfo(VersionedPackage versionedPackage, int flags)
• The Build Tool CLI now supports accepting a plain-text file for the input and output parameters.
• Include API 33 Photo Picker tool in the PHOTO_LIBRARY location of getIsOpenFromLocationAllowed and getIsSaveToLocationAllowed SDK methods.
• The build plugin will now replace instantiation of CloudMediaProvider with MAMCloudMediaProvider.
• Support predictive back gestures in MAM-owned activities.
• Minor logging improvements to Gradle plugin.
• Add version check to Gradle plugin to prevent mamification when using Android Gradle Plugin 7.2.0/7.2.1 due to https://issuetracker.google.com/issues/232438924. Use AGP 7.1.3 and below or 7.2.2 and above.

Version 8.6.1

What's New

New Functionality

• The build plugin will now automatically replace inheritance/instantiation of SurfaceView, GLSurfaceView and VideoView with MAM-specific replacements. These are used to enforce editor policy restrictions on SurfaceViews.
• Expanded getIsOpenFromLocationAllowed SDK method to include PHOTO_LIBRARY location. Admins can now differentiate sharing policy for both camera and photos; apps that wish to honor this difference will need to take a code change.

Other Improvements

• Add ProGuard rule to SDK to fix R8 optimizations involving interfaces that have a single compile-time implementation. Currently, this is only known to impact scenarios involving MAMBackupAgentHelper.
• Fix synchronization issues arising when MAMServiceAuthenticationCallback instance is registered on a background thread.
• Add tracing and telemetry for monitoring and improving app startup time.
• Fix build plugin issue resulting in a javassist.CannotCompileException in certain projects.
• The MAM SDK will attempt to validate tokens returned from the app's MAMServiceAuthenticationCallback instance, and tokens acquired with the wrong parameters may be rejected.
• Add MAM Strict Mode check: 'UNMANAGED_CONTEXT_FOUND' to validate that MAM found a managed Context to ensure policy enforcement. This would likely indicate a failure in the SDK surface modified by the build plugin or missing MAM SDK surface.

Other Notes

• API 32 / Android 12L targeting is supported and does not require an SDK update beyond API 31 / Android 12 targeting. If your app uses an 8.x series SDK, it can target API 32.

Version 8.3.0

What’s New

New SDK Functionality

• Add new com.microsoft.intune.mam.AllowIsolatedProcesses manifest meta-data item to allow isolated process execution. MAM cannot apply protections to isolated processes. As the app developer, you are responsible for ensuring that your isolated processes cannot expose organization data. Please do not add this manifest item without carefully assessing data usage in your app’s isolated processes.
• The build plugin will now wrap calls to various JobService methods. For multi-identity apps, the MAM SDK will not attempt to infer the identity for a JobService or its individual jobs. Users of JobService should take care to set an identity on the service context or background thread as required by their JobService implementations. Relatedly, users of WorkManager should take care to set a thread identity in Worker.doWork() as required by their Worker implementations. Do not set an identity on the Worker context, because this context is shared across Worker instances.
• Add WIPE_COMPLETED notification type. Apps may register for this to be notified when Intune has finished processing a wipe, at least as far as the current app process is concerned. WIPE_COMPLETED will be delivered after WIPE_USER_DATA or WIPE_USER_AUXILIARY_DATA. If the app reports a failure from its handler for the above notifications, this notification will not be sent. Listening for this notification is optional.

Other Improvements

• Keep MAMAppConfig from being minified at build time.
• Remove GET_ACCOUNTS permissions from the SDK manifest. This permission was removed by Android in API23, which is the minimum supported version for MAM policy.
• Improved error messages for certain data decryption failures.
• Improvements to dialogs prompting the user to install or update the Company Portal in cases when the Play Store is not available.

Version 8.1.1

What’s New

• The build plugin can now handle application usage of custom LayoutInflator.Factory and LayoutInflator.Factory2 instances using the new MAMLayoutInflaterManagement.
• Fix crash discovered in some SDK-integrated apps when deployed to Android Enterprise dedicated devices. Please note, App Protection Policies are not enforced on Intune-managed Android Enterprise dedicated devices.

Version 8.0.0

What’s New

SDK 8.0.0 is the yearly major release that includes support for the new version of Android, Android 12 (API 31). If you app will target API 31, you must upgrade to SDK 8. If your app does not target API 31, it will continue to run properly on Android 12 devices without upgrading to SDK 8.0.0. As a major version release, SDK 8.0.0 includes several breaking changes, which are called out below.

Breaking MAM SDK Changes

• Enable Java 8 language feature support. SDK consumers must specify JavaVersion.VERSION_1_8 in compileOptions if using an Android Gradle Plugin version below 4.2.
• The build plugin now automatically includes all external libraries and the includeExternalLibraries configuration option has been removed. This change was prompted by Android Gradle Plugin 4.2, which no longer exposes library names to the Transform API on which the plugin is built.
• The legacy Android Support Libraries are no longer supported. Apps are expected to be using AndroidX, either directly or through enabling the Jetifier.
• Rename the MAMPolicyManager method getPolicy() to getCurrentThreadPolicy(). getCurrentThreadPolicy() should primarily be used by single-identity apps or multi-identity apps that explicitly set the thread (or process-wide) identity. getPolicy() is marked as deprecated and may be removed in a future SDK release.
• Add MAM handling for the Android S data extraction rules for backup and restore. New meta-data com.microsoft.intune.mam.DataExtractionRules introduced that mimics the android:dataExtractionRules manifest tag. If you are setting the dataExtractionRules attribute, you must set the MAM equivalent as well. See the docs here for more detail.

Build Plugin improvements

• The build plugin will now wrap calls to various AppSearchManager classes/methods. This allows the SDK to enforce transfer policy on data stored in the new centralized search index on Android 12.

MAM Strict Mode improvements

• Add MAM Strict Mode check: CLEAR_PROTECTED_FLAG_SECURE to ensure FLAG_SECURE isn't cleared when policy restricts screenshots.
• Add MAM Strict Mode check: INVALID_MAM_SERVICE_TOKEN to validate user passed values for aadId & resourceId while acquiring MAMService token.

Version 7.6.0

What’s New

New API surface

• Add optional AppPolicy method getIsOpenFromContentUriAllowed to allow an app to test whether receiving data from the given URI will be blocked by data ingress (receive) policy. This is method is not necessary for enforcement; MAM will continue to automatically block prohibited content provider queries/opens.
• Add optional AppPolicy methods diagnosticHasSaveRestriction and diagnosticHasOpenRestriction to allow an app to test whether save and open operations will be blocked by policy, which may be used by apps which (for example) wish to warn the user in advance of blocked operations. These methods should not be used for enforcement; please continue to use getIsSaveToLocationAllowed and getIsOpenFromLocationAllowed.
• Add MAMFileProtectionManager.getProtectionInfo overload which takes a content Uri. This should be used in preference to the overload taking a ParcelFileDescriptor when checking the identity of a file that will be read from a ContentResolver, like when reading from external storage.
• New exception MAMKeyNotAvailableException will be thrown when decryption fails because the app no longer managed; this helps differentiate from other decryption failures.
• Add optional MAMPolicyManager method getCurrentIdentity. This is a convenience method for Multi-Identity apps only to more easily understand the MAM’s view of the current effective identity given the process, UI, and thread identities in priority order.

Build Plugin improvements

• The build plugin now automatically excludes all nested inner classes of classes excluded from mamificiation.
• The build plugin now automatically includes all external libraries when used with Android Gradle Plugin 4.2 and higher. These versions no longer expose the library names to the Transform API which our plugin is built on. The includeExternalLibraries configuration option will be removed in future MAM SDK 8.0.

MAM Strict Mode improvements – patterned after Android’s Strict Mode, MAM Strict Mode looks for potential errors and is strongly encouraged for develop, debug, and/or dogfood builds.

• Add MAM Strict Mode check: AUTHENTICATION_CALLBACK_NOT_REGISTERED to check that the MAMServiceAuthenticationCallback is registered in Application.onCreate().
• Replace MAM Strict Mode check SAVE_TO_ODB_MISSING_UPN with SAVE_TO_LOCATION_MISSING_UPN to properly reflect that the check covers scenarios beyond ODB and fix spurious error raised on empty UPN for ACCOUNT_DOCUMENT, which is allowed.
• Add MAM Strict Mode check: CONTENT_INTENT_WITHOUT_IDENTITY to check for intents started to transfer content to another app without an identity, while the foreground activity does have an identity set. This would likely indicates a failure to plumb through the identity.
• Add MAM Strict Mode check: CONTENT_RESOLVER_NO_IDENTITY to check that multi-identity apps using content providers set an identity of the context the resolver was retrieved from or on the thread/process. Failure to do so indicates likelihood that the app is performing app-to-app communication on a background thread without proper consideration of what account the operation is running under.
• Add MAM Strict Mode check: UPDATE_TOKEN_WITHIN_ACQUIRE_TOKEN to check for calls to the MAMEnrollmentManager's updateToken() method from within the app-provided MAMServiceAuthenticationCallback's acquireToken() method. This is not the intended purpose of updateToken(), and could cause a deadlock.

Other improvements

• Report functionality is now supported in the command-line BuildTool, via the --report parameter. This functionality is already available in the Gradle plugin.
• The Build Tool CLI now supports incremental builds (via a new --processed option) for parity with the Gradle plugin.

Version 7.2.2

SDK 7.2.2

Version 7.0.1

Version 7.0.1

• Fix build plugin NPE when entites that aren't full-fledged classes end up on the classpath.
• Update certificate pins for connections to Intune services.

7.0.0

7.0.0

6.7.0

MAM SDK

• Refine R8/Proguard rules to reduce the size impact of the SDK.
• The build plugin will now replace inheritance/instantiation of PopupWindow with MAMPopupWindow, ListPopupWindow with MAMListPopupWindow, and PopupMenu with MAMPopupMenu. This is done to enforce screenshot policy on these views when a screen recorder is in use.
• Suppress class format errors in plugin when the verify option is enabled. Some classes from the Android 11 platform jars are built with the Java 9 class format and cannot be verified when building with Java 8. These classes cannot be verified because they cannot be parsed in a Java 8 JVM. Updating to Java 9+ will allow these classes to be verified.

Misc.

• SDK documentation improvements.
• Tested against ADAL 1.16.3 and 2.0 as well as MSAL 1.0.