
Xamarin Forms Intune SDK Sample and Step by Step Guide

Primary LanguageC#

Xamarin Forms Intune SDK Sample and Step by Step Guide

Important - here are the links to the official sample apps from Microsoft Intune’s product team:

This sample and guide shows how to :

  • integrate Intune app protection policies support into Xamarin Forms app
  • publish app with Microsoft Intune
  • enable clipboard and screenshot (Android) protection for your mobile app in Intune
  • enjoy as a result that no one can copy text from your app or take screenshot :-)
  1. Visual Studio -> New Project -> Cross-Platform -> Xamarin Forms
  2. .NET Standard as code sharing strategy
  3. Let's add couple of controls to MainPage.xaml to test screenshot and clipboard protection:
    <StackLayout Orientation="Vertical" HorizontalOptions="Center" VerticalOptions="Center">
        <!-- Place new controls here -->
        <Label Text="Confidential Information!" 
           VerticalOptions="Center" />
        <Entry x:Name="txtEntry" Text="Very Sensitive Data" />

Android Implementation

  1. Go to Android project - > Manage NuGet packages
  2. Ensure you have at minimum these versions of Android support packages referenced:
    • Xamarin.Android.Support.Compat (>=
    • Xamarin.Android.Support.v7.AppCompat (>=

Android Support

  1. Add Microsoft.Intune.MAM.Xamarin.Android NuGet package to Android project first.
  2. Then add Microsoft.Intune.MAM.Remapper.Tasks NuGet package to Android project. This remapper will replace standard classes with MAM (Mobile Application Management) classes which supports Intune policies enforcement and management. These MAM-classes will be injected into hierarchy of commonly used Xamarin.Forms classes like FormsAppCompatActivity and FormsApplicationActivity. Now before building solution you need to create MAMApplication class and override MAM implementation of OnMAMCreate function. Also for a lot of cases you will need to use MAM equivalents of number of commonly used functions - full guide here
  3. Create MAMApplication class in your Android Project:
using System;
using Android.App;
using Android.Runtime;
using Microsoft.Intune.Mam.Client.App;

namespace IntuneSDKXFSample.Droid
    public class IntuneMAMFormsSampleApplication : MAMApplication
        /// <summary>
        /// This is necessary because of a leaky abstraction somewhere up the chain:
        /// http://stackoverflow.com/questions/10593022/monodroid-error-when-calling-constructor-of-custom-view-twodscrollview/10603714#10603714
        /// </summary>
        /// <param name="handle">Java reference</param>
        /// <param name="transfer">Ownership transfer</param>
        public IntuneMAMFormsSampleApplication(IntPtr handle, JniHandleOwnership transfer)
            : base(handle, transfer)

        /// <summary>
        /// New abstract method that we need to override
        /// Documentation at https://microsoft.sharepoint.com/teams/Android_SSP/_layouts/15/WopiFrame2.aspx?sourcedoc=%7b56C60010-40D5-4487-BC70-21471C50D1DD%7d&file=Walled%20Garden%20API%20Guide.docx&action=default says:
        /// If your application does not call AuthenticationSettings.setSecretKey (or does not integrate ADAL at all), you may simply return null. 
        /// </summary>
        /// <returns>The ADAL key</returns>
        public override byte[] GetADALSecretKey()
            return null;
  1. Replace OnCreate(Bundle bundle) and other methods in MainActivity.cs with the following overrides:
        protected override void OnMAMCreate(Bundle bundle)
            global::Xamarin.Forms.Forms.Init(this, bundle);
            LoadApplication(new IntuneSDKXFSample.App());

        protected override void OnMAMActivityResult(int i, Result j, Intent intent)
            base.OnMAMActivityResult(i, j, intent);

        protected override void OnMAMDestroy()

        protected override void OnMAMPause()

        protected override void OnMAMResume()

        protected override void OnMAMNewIntent(Intent intent)

        public override void OnMAMPostCreate(Bundle p0)

        public override void OnMAMPostResume()

        public override void OnMAMProvideAssistContent(AssistContent p0)


        public override void OnMAMSaveInstanceState(Bundle p0)

        public override void OnMAMStateNotSaved()

        public override bool OnMAMPrepareOptionsMenu(IMenu p0)
            return base.OnMAMPrepareOptionsMenu(p0);

        public override bool OnMAMSearchRequested(SearchEvent p0)
            return base.OnMAMSearchRequested(p0);

        public override Android.Net.Uri OnMAMProvideReferrer()

            return base.OnMAMProvideReferrer();
  1. Reference two namespaces to fix unresolved methods :
using Android.Content;
using Android.App.Assist;
  1. Build the project to ensure everything compiles successfully.
  2. Publish the app with Microsoft Intune with app protection policy for screenshot and clipboard applied.
  3. Install the app to the target device through Company Portal App, run it.
  4. Check that you are not able to copy text from the app to the other unprotected app (for instance built-in notes apps).

iOS Implementation

  1. Go to iOS project - > Manage NuGet packages
  2. Add Microsoft.Intune.MAM.Xamarin.iOS NuGet package.
  3. Enable keychain sharing in iOS project - Open Entitlements.plist file, go to "Keychain" section and check "Enable Keychain" option.
  4. Add 3 keychain groups here with $(AppIdentifierPrefix) prefix (if you use XCode it adds prefix automatically):
    1. first is your bundle id - same as specified in Info.plist file: Info.plist
    2. second is com.microsoft.intune.mam
    3. third is com.microsoft.adalcache


  1. Go to iOS project properties and ensure this Entitlements.plist is specified in the "Custom Entitlements" field of the project's "iOS Bundle Signing" options for all the appropriate Configuration/Platform combinations:

Bundle Signing

  1. To begin receiving app protection policies, we need to explicitly enroll in the Intune MAM service by calling LoginAndEnrollAccount and provide user alias(email) as parameter:
IntuneMAMEnrollmentManager.Instance.LoginAndEnrollAccount(string UPN)

Note: In the documentation you can see the recomendation to use the different method of IntuneMAMEnrollmentManager.Instance.RegisterAndEnrollAccount(string identity) in case your app already uses the Azure Active Directory Authentication Library (ADAL) to authenticate users. Currently this implementation has a limitation - if you use ADAL for .NET it doesn't support token sharing with native Objective-C ADAL library (which Intune iOS SDK actually uses). So RegisterAndEnrollAccount just doesn't work in Xamarin Forms - when you call it no exception is thrown but nothing happens and app protection policy doesn't work. Until this issue is resolved and ADAL has a shared cache across ADAL for .NET and native Objective-C you have two options:

  • use LoginAndEnrollAccount as advised above. If you are only using ADAL to authenticate users and your app doesn’t need to access Azure Active Directory resources, this is the simplest solution
  • create Xamarin bindings for version 2.5.4 of ADAL for Objective-C and use them to acquire an access token and call IntuneMAMEnrollmentManager.Instance.RegisterAndEnrollAccount(string identity);

Additional Note: there is no remapper for iOS. Integrating into a Xamarin.Forms app should be the same as for a regular Xamarin.iOS project.

  1. To do this platform-specific call we use Dependency Service in Xamarin Forms. Define IEnroll interface in common project:
public interface IEnroll
    void Enroll(string UPN);
  1. Provide iOS specific implementation in iOS project with Dependency assembly attribute (first line after using statements):
using System;
using Xamarin.Forms;
using Microsoft.Intune.MAM;
using System.Diagnostics;

[assembly: Dependency(typeof(IntuneSDKXFSample.iOS.Enroll))]
namespace IntuneSDKXFSample.iOS
    class Enroll : IEnroll
        void IEnroll.Enroll(string UPN)
  1. From the common project call Enroll method with user alias as parameter:
        private async void btnEnroll_Clicked(object sender, EventArgs e)
            if (Device.RuntimePlatform == Device.iOS)
                    var enroller = DependencyService.Get<IEnroll>();
                catch (Exception ex)
                    await DisplayAlert("Error", ex.Message, "Ok");
            else await DisplayAlert("Warning", "For Android you don't need to call LoginAndEnrollAccount", "OK");
  1. Build the project to ensure everything compiles successfully.
  2. Publish the app with Microsoft Intune with app protection policy for clipboard applied.
  3. Install the app to the target device through Company Portal App, run it.
  4. Check that you are not able to copy text from the app to the other unprotected app (for instance built-in notes apps).

Full guide is here.