CAPTOR for Intune is a version of CAPTOR that is integrated with the Microsoft Intune SDK, intended to be deployed and managed by Microsoft Intune
The first step is to understand how to generally add a managed app to InTune. CAPTOR for Intune (Android) is listed for free on the Google Play Store, and requires active license subscriptions from Inkscreen and Microsoft Intune. We recommend you start by reviewing the steps to add an iOS store app to InTune, found here: https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-android
CAPTOR for Intune can be found in the Google Play Store here: https://play.google.com/store/apps/details?id=com.inkscreen.captor.intune
Microsoft Intune supports wildcard variables ("tokens") that can be used as key values, which would then translate to the specific value for each individual user. Supported Microsoft Intune tokens can be found here: https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-managed-app#configuration-values-for-using-tokens
Single Sign-On (SSO): CAPTOR for Intune supports password-based SSO, also known as password vaulting.
The high level steps to add CAPTOR for Intune as a managed app are:
- Add the app (Apps>All Apps>Add>iOS Store App>CAPTOR for Intune) and follow all steps through the Group Assignment.
- Add an App Configuration Policy (Apps>App Configuration Policies>Add>Managed Apps (see tables below for key/value pair options)
- Add an App Protection Policy (Apps>App Protection Policies>Create Policy>iOS/iPadOS) Search for "CAPTOR".
- Assign to users (Apps>CAPTOR for InTune>Manage>Assignments)
- From Entra/AD, the Admin must add the app to Enterprise Applications and grant permissions using the following URL: https://login.microsoftonline.
com/organizations/v2.0/ adminconsent?client_id= 71fa3d56-0bb8-4d03-b8b3- fa6114ee7bb5&redirect_uri= msauth.com.inkscreen.captor. intune://auth&scope=https:// wip.mam.manage.microsoft.us// DeviceManagementManagedApps. ReadWrite - Evaluate Entra/AD Conditional Access policies. CAPTOR will request access to MS Graph, which could trigger a CA block. We recommend applying a CA policy that grants access based on Require Authentication Strength AND Require App Protection Policy. Other combinations will work but these are the optimal policies that will allow CAPTOR to function. CAPTOR will not function if your CA policy includes Require Approved Client App.
- The Intune Company Portal app is required to run CAPTOR for Intune on Android devices.
- CAPTOR for Intune supports MAM and MDM deployments. MAM deployments can include a Work Profile but it is not a requirement.
- Test!
The following are the key/value pair options referred to in step #2 above. The first two keys (licensekey and captoruser) are required for activation.
Key | Type | Description | Default Value |
licensekey | String | REQUIRED KEY. To request a license key please send a request to sales@inkscreen.com Entering a valid license key obtained by Inkscreen allows the application to be deployed, managed, and controlled by Intune. | N/A |
captoruser | String | REQUIRED KEY. Links the username field within the app to either the email address or user ID for that user. The app user will not be able to change the app username once this key-pair is set. Most customers will utilize a token for this value. Please note: the app username can be displayed on the photo or video as a caption, and inserted as metadata. | App user will be able to set their own app username. |
allowspeechrecognition | Boolean | If enabled, audio and video recordings will go through a speech recognition process (typically conducted on the device but may also use external Apple servers) so that content is searchable by speech detected in the recordings. To enable, enter value "True" | false |
emptytrash | Number | Sets a value (in days) to wait before permanently deleting media content that a user has moved to the Trash folder in the app. Value entered should be a whole number 0 - 999. Entering “0” means the Trash folder will be emptied each time the app is launched. | 30 |
filenamebase | String | Sets a base name for captured media. The nomenclature system appends the base with the date and time. Value can be an alpha-numeric string 1-20 characters with no spaces, or utilize a token value. | CAPTOR, which will be editable by users. |
showcaption | Boolean | Enforces the printed caption on the border of photos, and the addition of a final frame to shared videos. The caption includes 1) username of who captured the media, 2) time and date of capture, 3) location where media was captured (lat/long or city/state/country), and a note (up to 255 char). Value entered should be true or false, whereby true dictates the caption will always be included and false removes the caption in all cases. Please note: this feature does not impact Documents or Audio. | true, and users will be able to change in Settings. |
pdfversion | String | Sets the version of PDF that will be created when sharing documents or photos in the PDF file format. Value entered may be: 1.3 1.4 1.5 1.6 1.7 PDF/A-1a PDF/A-1b PDF/A-2a PDF/A-2b PDF/A-2u PDF/A-3a PDF/A-3b PDF/A-3u | 1.3, and user can set to any other value. |
| allowlocation | Determines whether the application will prompt to allow location services and tag media with location information. Values entered may be: user (allows user to decide whether to enable location services) false (completely disables all location services) | User can decide when prompted | |
watermark | String | Adds a semi-transparent alpha/numeric string (up to 30 characters) across photos and pages of document. | “Captured by CAPTOR” |
| disableappanalytics | String | Turns off the app's anonymous events reporting service. Inkscreen uses this data to understand the general popularity of certain features. The data collected contains no identifiable information, is only viewed in bulk aggregate form, and is only retained for 90 days. To disable this feature, enter value True. | Events will be logged. |
| disablecrashreporting | String | Turns off the app's crash reporting service. Inkscreen uses this data to improve the stability of the application. Crash reports do not contain identifying information. A crash report would typically include the device model, version of CAPTOR, and the line of code where the event occurred. To disable this feature, enter value True. | Crashes will be reported. |
| compliance | Boolean | CAPTOR Compliance is a system intended to log potential container violations and report them to a company contact. The goal is to provide awareness of end user actions that may result in data leakage or attempted data leakage (Insider Threats). The end user will not be aware of this service, and enabling Compliance will not alter the existing container policy (Open In, Copy/Paste, etc). The initial release will include alerts for the following event:
To enable CAPTOR Compliance, please follow these two steps: FIRST: Add the key “compliance” with value “True” in the CAPTOR Configuration. SECOND: Contact Inkscreen to request the reporting service to be enabled. Send an email to support@inkscreen.com and include the full name and email address where the reports should be sent. Also please indicate the frequency of the report. Reporting intervals can be immediate (an email will be generated each time an event is logged), daily, weekly, or monthly. | False |
Secure Content Copy Backup Service
Secure Content Copy is an optional service enabling the backup of CAPTOR content to a network drive or cloud storage. Before setting up the service, you must establish a server on your network or a destination to receive the content. Additionally, the server must be configured to include folders for each CAPTOR user which can be mapped to. If you utilize the key “captoruser” with a token value for example, the folders on your backup server should be named the same way.
Here is an overview of the process to set up the backup service:
- Select the best data transfer protocol. CAPTOR currently supports SMB2, SMB3, SFTP, Microsoft OneDrive and WebDAV. **The SMB protocol requires the use of a VPN.
- Establish a server on your network to receive the content. Create folders for each user, named to match the CAPTOR usernames.
- Establish the key/value pairs in your EMM system to enable and configure the service.
- Launch CAPTOR on a test device and review the configuration by going to Settings>Backup Config. Depending on your configuration you may have to complete the settings for the selected transfer protocol and/or Advanced Config options. There is a Test Configuration button in the app settings.
The following key/value pairs can be added to the App Configuration.
Key | Type | Description | Default if not configured |
enablebackup | String | This is the master switch to turn on the backup service. The value entered identifies which transfer protocol will be used. Only one protocol can be established at a time, so the remaining protocols will be disabled. Values entered may be: webdav sftp smb onedrive user *Entering the value "user" will enable the service and allow the app user to determine which protocol to use. | If key pair is not configured, backup service will be disabled. |
backupmethod | String | The backup process can be automated, or allowed to be conducted by the user on demand. Values entered may be: auto manual | If key pair is not configured and enable backup is configured, the default will be manual. |
automatebackupafter | Number | If you intend the backup process to be automated, this key is required. The value entered indicates how long the system will wait before backing up content. For example, setting a value “7” means that the system will backup content that was captured at least 7 days prior. Entering a value “0” will backup content in the next user session. Values entered may be 0-30. | If key pair is not configured and backupmethod is set to “auto”, the default will be 1. |
deletebackedupafter | Number | When configured this will move backed-up content to the CAPTOR Trash folder after a specified number of days after it was backed up. For example, a value “3” would instruct the system to trash an item three days after it was backedup. A value “0” instructs the system to trash items immediately after backup. Values entered can be 0-30. | If key pair is not configured, the default is set to never delete content after it is backedup. |
contentquality | String | Sets the quality of the content that is backed up. The system uses the same quality standards as the normal sharing options . Values entered maybe: low med high | If key pair is not configured, the default is high. |
Backup Protocol Key/Value Pairs
The next step is to set the key pairs related to the backup transfer protocol that you selected. You may only use one protocol for any specific label. Please select one protocol (WebDAV, SMB, OneDrive, or SFTP) and then enter the corresponding key/value pairs into the configuration.
WebDAV
Key | Type | Description | Default if not configured |
webdavuser | String | Assigns the username for authentication of backup server. For most customers the value entered will match the captoruser value. | If key pair is not configured, the user will be allowed to set the username within the app. |
webdavpassword | String | Assigns the password for authentication of backup server. | If key pair is not configured, the user will be allowed to set the password within the app. |
webdavurl | String | Assigns the URL to the backup server. Value entered should be a valid url; for example “https://23-22.companynet.com" | If key pair is not configured, the user will be allowed to set the URL within the app. |
webdavpath | String | Assigns the directory path for the user’s folder on the backup server. *Please note, the user folders must be created on the server by the IT Admin prior to setting this configuration. For example, you might enter: /{{token}}/ | If key pair is not configured, the user will be allowed to set the path within the app. |
SMB
**SMB requires a VPN for all situations except transferring files over a local network. Supports SMB2 and SMB3 ***For more detailed instructions on setting up SMB backups please visit the following knowledge base article: https://inkscreen.freshdesk.com/support/solutions/articles/1000316184-captor-smb-backup-configuration-guide | |||
Key | Type | Description | Default if not configured |
smbhost | String | Assigns the URL or IP address for the backup server. | If key pair is not configured, the user will be allowed to set the host within the app. |
smbuser | String | Assigns the username for authentication of backup server. For most customers the value entered will match the value for captoruser. | If key pair is not configured, the user will be allowed to set the username within the app. |
smbpassword | String | Assigns the password for authentication of backup server. | If key pair is not configured, the user will be allowed to set the password within the app. |
smbshare | String | Assigns the SMB share name. This field may not be required for all implementations. | If key pair is not configured, the user will be allowed to set the share within the app. |
smbpath | String | Assigns the directory path for the user’s folder on the backup server. *Please note, the user folders must be created on the server by the IT Admin prior to setting this configuration. | If key pair is not configured, the user will be allowed to set the path within the app. |
SFTP
Key | Type | Description | Default if not configured |
sftphost | String | Assigns the IP address or URL for the backup server. | If key pair is not configured, the user will be allowed to set the host within the app. |
sftpuser | String | Assigns the username for authentication of backup server. For most customers the value entered will match the value used for captoruser. | If key pair is not configured, the user will be allowed to set the username within the app. |
sftppassword | String | Assigns the password for authentication of backup server. | If key pair is not configured, the user will be allowed to set the password within the app. |
sftpport | String | Assigns the network port. Value entered should be numeric (for example: 22). | If key pair is not configured, the user will be allowed to set the port within the app. |
sftpsshpassphrase | String | Only for implementations utilizing SSH2/RSA keys. This field assigns the SSH Key Passphrase. Not all SSH Key implementations will require this key. | If key pair is not configured, the user will be allowed to enter the value within the app. |
sftpsshkey | String | Only for implementations utilizing private SSH2/RSA keys. This field would contain the actual text of the key. Most situations require the end user to copy and paste the key into the app. Ensure line breaks are preserved. | If key pair is not configured, the user will be allowed to enter the value within the app. |
sftppath | String | Assigns the directory path for the user’s folder on the backup server. *Please note, the user folders must be created on the server by the IT Admin prior to setting this configuration. | If key pair is not configured, the user will be allowed to set the path within the app. |
Microsoft OneDrive
**Implemented with MSAL and requires ADFS 2019 | ||
Key | Description | Default if not configured |
onedrivepath | Assigns the directory path for the user’s folder. *Please note, the user folders must be created on the server by the IT Admin prior to setting this configuration. | If key pair is not configured, the user will be allowed to set the path within the app. |