@capgo/capacitor-intune

Capacitor plugin for Microsoft Intune MAM enrollment, app protection policies, app config, and MSAL authentication.

What it covers

  • Interactive and silent Microsoft sign-in with MSAL
  • Intune account registration, enrollment, logout, and selective wipe helpers
  • Native Intune app configuration and app protection policy access
  • Native change listeners for policy and app config refresh events
  • iOS and Android native Intune SDK integration from one Capacitor API

Platform requirements

  • Capacitor 8+
  • Android with the Microsoft Intune Android SDK 12.0.3
  • iOS with the Microsoft Intune iOS SDK 21.5.1
  • iOS deployment target 17.0+

Ionic's Intune docs currently note that, starting January 19, 2026, apps built with Xcode 26 must use Intune iOS SDK 21.1.0 or later. This plugin bundles 21.5.1 for that reason.

Install

bun add @capgo/capacitor-intune
bunx cap sync

Native setup

This plugin wraps the native Intune SDKs, but your app still needs the host-project configuration Microsoft and Ionic require.

Android

  1. Add the Intune Gradle plugin to your app project's android/build.gradle buildscript classpath.
  2. Add the Duo Maven feed Ionic calls out for current Intune Android SDK builds.
  3. Apply com.microsoft.intune.mam in your app module.
  4. Add the Intune SDK AAR and keep android.enableResourceOptimizations=false.
  5. Add android:name="app.capgo.intune.IntuneApplication" to your <application> tag if you do not already use a custom Application.
  6. If you do use a custom Application, extend MAMApplication and register IntuneMamServiceAuthenticationCallback in onMAMCreate().
  7. Add broker/auth queries plus the BrowserTabActivity intent filter for your msauth:// redirect URI.
  8. Create android/app/src/main/res/raw/auth_config.json with your MSAL app registration details.

Minimal auth_config.json example:

{
  "client_id": "YOUR_CLIENT_ID",
  "authorization_user_agent": "BROWSER",
  "redirect_uri": "msauth://YOUR_PACKAGE/YOUR_SIGNATURE_HASH",
  "broker_redirect_uri_registered": true,
  "account_mode": "MULTIPLE",
  "authorities": [
    {
      "type": "AAD",
      "audience": {
        "type": "AzureADMyOrg"
      }
    }
  ]
}
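
A pre-build check for the file above, as an added example that is not part of the plugin or its documentation. It assumes the hash segment is the URL-encoded Base64 SHA-1 digest of the signing certificate, which is how MSAL for Android forms msauth:// redirect URIs; checkAuthConfig and applicationId are hypothetical names.

```javascript
// Added example: lint auth_config.json before it ships in res/raw.
// Assumption: the redirect URI binds the app's package name to a URL-encoded
// Base64 SHA-1 digest (20 bytes) of the signing certificate.
function checkAuthConfig(config, applicationId) {
  const problems = [];

  // Entra application (client) IDs are GUIDs; a leftover placeholder is not.
  const guid = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
  if (!guid.test(config.client_id || '')) {
    problems.push('client_id is not a GUID');
  }

  const match = /^msauth:\/\/([^/]+)\/(.+)$/.exec(config.redirect_uri || '');
  if (!match) {
    problems.push('redirect_uri is not msauth://<package>/<signature hash>');
    return problems;
  }
  const [, pkg, encodedHash] = match;

  // A redirect URI registered for another package cannot return to this app.
  if (pkg !== applicationId) {
    problems.push(`redirect_uri package ${pkg} does not match ${applicationId}`);
  }

  let hash = '';
  try {
    hash = decodeURIComponent(encodedHash);
  } catch {
    // Malformed percent-encoding: leave hash empty so the check below fails.
  }
  // 20 bytes of SHA-1 encode to 27 Base64 characters plus one '=' pad.
  if (!/^[A-Za-z0-9+/]{27}=$/.test(hash)) {
    problems.push('signature hash is not a Base64 SHA-1 digest');
  }
  return problems;
}
```

Called with the placeholder values from the minimal example, it reports the client ID, the package, and the signature hash as unset.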

If you target Android 16+, Ionic's docs also recommend android:enableOnBackInvokedCallback="false" on the <application> tag until the Intune SDK updates its back navigation support.

iOS

  1. Add your Intune and MSAL settings under IntuneMAMSettings in Info.plist.
  2. Configure your URL scheme / redirect URI for MSAL.
  3. Forward the auth callback URL to MSALPublicClientApplication.handleMSALResponse(...) from AppDelegate.
  4. Run Microsoft's IntuneMAMConfigurator against your app's Info.plist and entitlements.
  5. Keep the iOS deployment target at 17.0+.

Minimal Info.plist configuration:

<key>IntuneMAMSettings</key>
<dict>
  <key>ADALClientId</key>
  <string>YOUR_CLIENT_ID</string>
  <key>ADALRedirectUri</key>
  <string>msauth.com.example.app://auth</string>
  <key>ADALAuthority</key>
  <string>https://login.microsoftonline.com/common</string>
</dict>

AppDelegate.swift example:

import MSAL

func application(
  _ app: UIApplication,
  open url: URL,
  options: [UIApplication.OpenURLOptionsKey: Any] = [:]
) -> Bool {
  return MSALPublicClientApplication.handleMSALResponse(
    url,
    sourceApplication: options[.sourceApplication] as? String
  )
}

Usage

import { IntuneMAM } from '@capgo/capacitor-intune';

await IntuneMAM.addListener('appConfigChange', (result) => {
  console.log('Intune app config changed', result.accountId);
});

await IntuneMAM.addListener('policyChange', (result) => {
  console.log('Intune policy changed', result.accountId);
});

const auth = await IntuneMAM.acquireToken({
  scopes: ['https://graph.microsoft.com/.default'],
  loginHint: 'alex@example.com',
});

await IntuneMAM.registerAndEnrollAccount({ accountId: auth.accountId });

const user = await IntuneMAM.enrolledAccount();
const appConfig = await IntuneMAM.appConfig({ accountId: auth.accountId });
const policy = await IntuneMAM.getPolicy({ accountId: auth.accountId });
const versions = await IntuneMAM.sdkVersion();

console.log({ user, appConfig, policy, versions });
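
A silent-first variant of the flow above, added here as an example rather than taken from the plugin: it reuses an enrolled account without UI, falls back to interactive sign-in, and stops if a different account signs in. ensureManagedSession is a hypothetical helper; prompting after any silent failure and rejecting an account mismatch are assumptions, and intune is the imported IntuneMAM object passed in as a parameter.

```javascript
// Added example, not the plugin's own code. `intune` is the IntuneMAM object
// imported from '@capgo/capacitor-intune', injected so a test double can stand in.
async function ensureManagedSession(intune, scopes) {
  const enrolled = await intune.enrolledAccount();
  let auth;

  if (enrolled) {
    try {
      // A previously signed-in account: use the MSAL cache, no UI shown.
      auth = await intune.acquireTokenSilent({ scopes, accountId: enrolled.accountId });
    } catch (err) {
      // Assumption: any silent failure is handled by prompting the user.
      auth = undefined;
    }
  }

  if (!auth) {
    const options = { scopes };
    if (enrolled) options.loginHint = enrolled.username;
    auth = await intune.acquireToken(options);
  }

  if (enrolled && enrolled.accountId !== auth.accountId) {
    // Assumption: one managed account per app; do not silently switch identity.
    throw new Error('Signed-in account differs from the enrolled Intune account');
  }
  if (!enrolled) {
    await intune.registerAndEnrollAccount({ accountId: auth.accountId });
  }

  // Read the effective policy only after enrollment has been requested.
  const policy = await intune.getPolicy({ accountId: auth.accountId });

  // The access token is returned to the caller but never logged here.
  return { accountId: auth.accountId, accessToken: auth.accessToken, policy };
}
```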

Notes

  • Web is not supported; the web implementation throws an unavailable error.
  • The plugin does not create your Azure app registration, Intune policies, auth_config.json, or iOS entitlements for you.
  • For iOS, follow Microsoft's latest Intune MAM configurator and entitlement guidance in addition to the plugin setup above.

API

acquireToken(...)

acquireToken(options: AcquireTokenOptions) => Promise<IntuneMAMAcquireToken>

Present the Microsoft sign-in flow and return an access token plus the account metadata.

Param Type
options AcquireTokenOptions

Returns: Promise<IntuneMAMAcquireToken>


acquireTokenSilent(...)

acquireTokenSilent(options: AcquireTokenSilentOptions) => Promise<IntuneMAMAcquireToken>

Acquire a token from the MSAL cache for a previously signed-in user.

Param Type
options AcquireTokenSilentOptions

Returns: Promise<IntuneMAMAcquireToken>


registerAndEnrollAccount(...)

registerAndEnrollAccount(options: RegisterAndEnrollAccountOptions) => Promise<void>

Register a previously authenticated account with Intune and start enrollment.

Param Type
options RegisterAndEnrollAccountOptions

loginAndEnrollAccount()

loginAndEnrollAccount() => Promise<void>

Ask Intune to authenticate and enroll a user without first requesting an app token.


enrolledAccount()

enrolledAccount() => Promise<IntuneMAMUser | undefined>

Return the currently enrolled Intune account, if one is available.

Returns: Promise<IntuneMAMUser | undefined>


deRegisterAndUnenrollAccount(...)

deRegisterAndUnenrollAccount(user: IntuneMAMUser) => Promise<void>

Deregister the account from Intune and trigger selective wipe when applicable.

Param Type
user IntuneMAMUser

logoutOfAccount(...)

logoutOfAccount(user: IntuneMAMUser) => Promise<void>

Sign the user out of MSAL without unenrolling the Intune account.

Param Type
user IntuneMAMUser

appConfig(...)

appConfig(user: IntuneMAMUser) => Promise<IntuneMAMAppConfig>

Fetch the remote Intune app configuration for a managed account.

Param Type
user IntuneMAMUser

Returns: Promise<IntuneMAMAppConfig>


getPolicy(...)

getPolicy(user: IntuneMAMUser) => Promise<IntuneMAMPolicy>

Fetch the currently effective Intune app protection policy for a managed account.

Param Type
user IntuneMAMUser

Returns: Promise<IntuneMAMPolicy>


groupName(...)

groupName(user: IntuneMAMUser) => Promise<IntuneMAMGroupName>

Convenience helper that resolves the GroupName app configuration value when present.

Param Type
user IntuneMAMUser

Returns: Promise<IntuneMAMGroupName>


sdkVersion()

sdkVersion() => Promise<IntuneMAMVersionInfo>

Return the native Intune and MSAL SDK versions bundled by this plugin.

Returns: Promise<IntuneMAMVersionInfo>


displayDiagnosticConsole()

displayDiagnosticConsole() => Promise<void>

Show the native Intune diagnostics UI.


addListener('appConfigChange', ...)

addListener(eventName: 'appConfigChange', listenerFunc: (info: IntuneMAMChangeEvent) => void) => Promise<PluginListenerHandle>

Listen for remote app configuration refreshes.

Param Type
eventName 'appConfigChange'
listenerFunc (info: IntuneMAMChangeEvent) => void

Returns: Promise<PluginListenerHandle>


addListener('policyChange', ...)

addListener(eventName: 'policyChange', listenerFunc: (info: IntuneMAMChangeEvent) => void) => Promise<PluginListenerHandle>

Listen for remote app protection policy refreshes.

Param Type
eventName 'policyChange'
listenerFunc (info: IntuneMAMChangeEvent) => void

Returns: Promise<PluginListenerHandle>


removeAllListeners()

removeAllListeners() => Promise<void>

Remove all registered listeners for this plugin instance.


Interfaces

IntuneMAMAcquireToken

Prop Type
accountId string
accessToken string
accountIdentifier string
idToken string
username string
tenantId string
authority string

AcquireTokenOptions

Interactive token acquisition options.

Prop         Type      Description                                                            Default
scopes       string[]  Scopes to request, for example https://graph.microsoft.com/.default.
forcePrompt  boolean   When true, always show the Microsoft account picker or sign-in UI.     false
loginHint    string    Optional login hint for the interactive sign-in flow.

AcquireTokenSilentOptions

Silent token acquisition options.

Prop          Type      Description                                                             Default
scopes        string[]  Scopes to request, for example https://graph.microsoft.com/.default.
accountId     string    Microsoft Entra object ID returned by acquireToken or enrolledAccount.
forceRefresh  boolean   When true, bypass the cached access token and request a fresh one.      false

RegisterAndEnrollAccountOptions

Prop       Type    Description
accountId  string  Microsoft Entra object ID returned by acquireToken.

IntuneMAMUser

Prop Type
accountId string
accountIdentifier string
username string
tenantId string
authority string

IntuneMAMAppConfig

Prop Type
accountId string
fullData Record<string, string>[]
values Record<string, string>
conflicts string[]

IntuneMAMPolicy

Prop Type
accountId string
isPinRequired boolean
isManagedBrowserRequired boolean
isScreenCaptureAllowed boolean
isContactSyncAllowed boolean
isAppSharingAllowed boolean
isFileEncryptionRequired boolean
notificationPolicy string

IntuneMAMGroupName

Prop Type
accountId string
groupName string

IntuneMAMVersionInfo

Prop Type
platform 'ios' | 'android'
intuneSdkVersion string
msalVersion string

PluginListenerHandle

Prop Type
remove () => Promise<void>

IntuneMAMChangeEvent

Prop Type
accountId string

Type Aliases

Record

Construct a type with a set of properties K of type T

{ [P in K]: T; }
