@capgo/capacitor-intune

Capacitor plugin for Microsoft Intune MAM enrollment, app protection policies, app config, and MSAL authentication.

What it covers

• Interactive and silent Microsoft sign-in with MSAL
• Intune account registration, enrollment, logout, and selective wipe helpers
• Native Intune app configuration and app protection policy access
• Native change listeners for policy and app config refresh events
• iOS and Android native Intune SDK integration from one Capacitor API

Platform requirements

• Capacitor 8+
• Android with the Microsoft Intune Android SDK 12.0.3
• iOS with the Microsoft Intune iOS SDK 21.5.1
• iOS deployment target 17.0+

Ionic's Intune docs currently note that, starting January 19, 2026, apps built with Xcode 26 must use Intune iOS SDK 21.1.0 or later. This plugin bundles 21.5.1 for that reason.

Install

You can use our AI-Assisted Setup to install the plugin. Add the Capgo skills to your AI tool using the following command:

npx skills add https://github.com/cap-go/capacitor-skills --skill capacitor-plugins

Then use the following prompt:

Use the `capacitor-plugins` skill from `cap-go/capacitor-skills` to install the `@capgo/capacitor-intune` plugin in my project.

If you prefer Manual Setup, install the plugin by running the following commands and follow the platform-specific instructions below:

bun add @capgo/capacitor-intune
bunx cap sync

Native setup

This plugin wraps the native Intune SDKs, but your app still needs the host-project configuration Microsoft and Ionic require.

Android

1. Add the Intune Gradle plugin to your app project's android/build.gradle buildscript classpath.
2. Add the Duo Maven feed Ionic calls out for current Intune Android SDK builds.
3. Apply com.microsoft.intune.mam in your app module.
4. Add the Intune SDK AAR and keep android.enableResourceOptimizations=false.
5. Add android:name="app.capgo.intune.IntuneApplication" to your <application> tag if you do not already use a custom Application.
6. If you do use a custom Application, extend MAMApplication and register IntuneMamServiceAuthenticationCallback in onMAMCreate().
7. Add broker/auth queries plus the BrowserTabActivity intent filter for your msauth:// redirect URI.
8. Create android/app/src/main/res/raw/auth_config.json with your MSAL app registration details.

Minimal auth_config.json example:

{
  "client_id": "YOUR_CLIENT_ID",
  "authorization_user_agent": "BROWSER",
  "redirect_uri": "msauth://YOUR_PACKAGE/YOUR_SIGNATURE_HASH",
  "broker_redirect_uri_registered": true,
  "account_mode": "MULTIPLE",
  "authorities": [
    {
      "type": "AAD",
      "audience": {
        "type": "AzureADMyOrg"
      }
    }
  ]
}

If you target Android 16+, Ionic's docs also recommend android:enableOnBackInvokedCallback="false" on the <application> tag until the Intune SDK updates its back navigation support.

iOS

1. Add your Intune and MSAL settings under IntuneMAMSettings in Info.plist.
2. Configure your URL scheme / redirect URI for MSAL.
3. Forward the auth callback URL to MSALPublicClientApplication.handleMSALResponse(...) from AppDelegate.
4. Run Microsoft's IntuneMAMConfigurator against your app's Info.plist and entitlements.
5. Keep the iOS deployment target at 17.0+.

Minimal Info.plist configuration:

<key>IntuneMAMSettings</key>
<dict>
  <key>ADALClientId</key>
  <string>YOUR_CLIENT_ID</string>
  <key>ADALRedirectUri</key>
  <string>msauth.com.example.app://auth</string>
  <key>ADALAuthority</key>
  <string>https://login.microsoftonline.com/common</string>
</dict>

AppDelegate.swift example:

import MSAL

func application(
  _ app: UIApplication,
  open url: URL,
  options: [UIApplication.OpenURLOptionsKey: Any] = [:]
) -> Bool {
  return MSALPublicClientApplication.handleMSALResponse(
    url,
    sourceApplication: options[.sourceApplication] as? String
  )
}

Usage

import { IntuneMAM } from '@capgo/capacitor-intune';

await IntuneMAM.addListener('appConfigChange', (result) => {
  console.log('Intune app config changed', result.accountId);
});

await IntuneMAM.addListener('policyChange', (result) => {
  console.log('Intune policy changed', result.accountId);
});

const auth = await IntuneMAM.acquireToken({
  scopes: ['https://graph.microsoft.com/.default'],
  loginHint: 'alex@example.com',
});

await IntuneMAM.registerAndEnrollAccount({ accountId: auth.accountId });

const user = await IntuneMAM.enrolledAccount();
const appConfig = await IntuneMAM.appConfig({ accountId: auth.accountId });
const policy = await IntuneMAM.getPolicy({ accountId: auth.accountId });
const versions = await IntuneMAM.sdkVersion();

console.log({ user, appConfig, policy, versions });

Notes

• Web is not supported; the web implementation throws an unavailable error.
• The plugin does not create your Azure app registration, Intune policies, auth_config.json, or iOS entitlements for you.
• For iOS, follow Microsoft's latest Intune MAM configurator and entitlement guidance in addition to the plugin setup above.

API

acquireToken(options: AcquireTokenOptions) => Promise<IntuneMAMAcquireToken>

acquireTokenSilent(options: AcquireTokenSilentOptions) => Promise<IntuneMAMAcquireToken>

registerAndEnrollAccount(options: RegisterAndEnrollAccountOptions) => Promise<void>

loginAndEnrollAccount() => Promise<void>

enrolledAccount() => Promise<IntuneMAMUser | undefined>

deRegisterAndUnenrollAccount(user: IntuneMAMUser) => Promise<void>

logoutOfAccount(user: IntuneMAMUser) => Promise<void>

appConfig(user: IntuneMAMUser) => Promise<IntuneMAMAppConfig>

getPolicy(user: IntuneMAMUser) => Promise<IntuneMAMPolicy>

groupName(user: IntuneMAMUser) => Promise<IntuneMAMGroupName>

sdkVersion() => Promise<IntuneMAMVersionInfo>

displayDiagnosticConsole() => Promise<void>

addListener(eventName: 'appConfigChange', listenerFunc: (info: IntuneMAMChangeEvent) => void) => Promise<PluginListenerHandle>

addListener(eventName: 'policyChange', listenerFunc: (info: IntuneMAMChangeEvent) => void) => Promise<PluginListenerHandle>

removeAllListeners() => Promise<void>