Use Mobile App Management Policies in Intune

One of the primary reasons many companies use Microsoft Intune is to deploy apps that users need to get their work done. Before you deploy apps, you'll need to get your devices managed.

For example, if your company uses Microsoft Word, there are versions available for Windows, iOS, Android and more. The challenge you, as an IT admin, face is to manage the multitude of apps available, on many different device and computer platforms, with the aim of allowing users to do their work while still ensuring the security of your company data.

If you are using Intune with Configuration Manager, see How to Control Apps Using Mobile Application Management Policies in Configuration Manager.

Mobile app management (MAM) policies support:

  • Devices that run Android 4 and later.
  • Devices that run iOS 7 and later.
Note

MAM policies support devices that are enrolled with Intune. For information about how to create app management policies for devices that are not managed by Intune, see Protect app data using mobile app management policies with Microsoft Intune.

Unlike other Intune policies, you do not deploy a MAM policy directly. Instead, you associate the policy with the app that you want to restrict. When the app is deployed and installed on devices, the settings you specify will take effect.

To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software Development Kit (SDK). There are two methods of obtaining this type of app:

Some managed apps, like the Outlook app for iOS and Android, support multi-identity. This means that Intune only applies management settings to corporate accounts or data in the app.

For example, using the Outlook app:

  • If the user configures a corporate and a personal email account, Intune only applies management settings to the corporate account and does not manage the personal account.
  • If the device is retired or unenrolled, only the corporate Outlook data is removed from the device.
  • The corporate account used must be the same account that was used to enroll the device with Intune.

Word, Excel, and PowerPoint all support multi-identity as well, except that the policy restrictions apply only when managing and editing corporate-identifiable data from a service such as OneDrive or SharePoint.

Create and deploy an app in Intune with a mobile app management policy

  • Step 1: Get the link to a policy managed app, or create a wrapped app.
  • Step 2: Publish the app to your cloud storage space.
  • Step 3: Create a mobile app management policy.
  • Step 4: Deploy the app, selecting the option to associate the app with a mobile app management policy.
  • Step 5: Monitor the app deployment.

Step 2: Upload the app to your cloud storage space

When you publish a managed app, the procedures differ depending on whether you are publishing a policy managed app, or an app that was processed using the Microsoft Intune App Wrapping Tool for iOS.

See Add apps for mobile devices in Microsoft Intune for the complete steps required to upload an app to your cloud storage space.

Step 3: Create a mobile app management policy

The Azure portal is the recommended admin console for creating MAM policies. The Azure portal supports the following MAM scenarios:

  • Devices enrolled in Intune
  • Devices managed by a third-party MDM solution
  • Devices that are not managed by any MDM solution (BYOD).

See Create and deploy mobile app management policies with Microsoft Intune for more information about using the Azure portal to create a MAM policy.

If you are currently using the Intune admin console to manage your devices, you can create a MAM policy that supports apps for devices enrolled in Intune by using the Intune admin console.

Step 4: Deploy the app, selecting the option to associate the app with a mobile application management policy

If you are using the Azure portal, deploy the MAM policy to users.

If you are using the Intune portal, you deploy the app, ensuring that you select the mobile app management policy on the Mobile App Management page to associate the policy with the app.

If the device is unenrolled from Intune, policies are not removed from the apps; any apps that had policies applied will retain the policy settings even after the app is uninstalled and reinstalled.

What to do when an app is already deployed on devices

There might be situations where you deploy an app and one of the targeted users or devices already has an unmanaged version of the app installed, for example, the user installed Microsoft Word from the app store.

In this case, you must ask the user to manually uninstall the unmanaged version so that the managed version you configured can be installed.

However, for devices that run iOS 9 and later, Intune will automatically ask the user for permission to take over management of the existing app. If they agree, then the app will become managed by Intune and any MAM policies you associated with the app will also be applied.

Step 5: Monitor the app deployment with MAM policy

Use the following procedures to monitor deployment of the app through the Intune console and resolve any policy conflicts.

  1. In the Microsoft Intune administration console, click Groups.
  2. Perform one of the following steps:
    • Click All Users, then double-click on the user whose devices you want to examine. On the User Properties page, click Devices, then double-click the device you want to examine.
    • Click All Devices > All Mobile Devices. On the Device Group Properties page, click Devices, then double-click the device you want to examine.
  3. From the Mobile Device Properties page, click Policy to see a list of the MAM policies that have been deployed to the device.
  4. Select the MAM policy whose status you want to view. You can view details of the policy in the bottom pane and expand its node to display its settings.
  5. Under the Status column of each of the MAM policies, Conforms, Conforms (Pending), or Error will be displayed. If the selected policy has one or more settings in conflict, Error will be displayed in this field.
  6. Once you have identified a conflict, you can revise conflicting policy settings to use the same setting, or deploy only one policy to the app and user.
Note

You can learn more general information about monitoring apps through the Azure portal or by using the Intune console.
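The conflict described in steps 5 and 6 typically arises when a user belongs to two groups that each receive the same app with a different MAM policy. The following is an added example, not Microsoft's code or an Intune API: it models that situation offline so overlapping deployments can be checked before rollout. The policy names, group names, and setting names are hypothetical, and it assumes a conflict means two policies set the same setting to different values for the same app and user.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data; all names and settings below are hypothetical.
GROUPS = {
    "Sales": {"alice", "bob"},
    "Contractors": {"bob", "carol"},
}
POLICIES = {
    "MAM-Strict": {"require_pin": True, "allow_backup": False,
                   "allow_copy_paste": "managed_only"},
    "MAM-Relaxed": {"require_pin": True, "allow_backup": True},
}
# (policy, app, target group) as chosen at deployment time (Step 4).
DEPLOYMENTS = [
    ("MAM-Strict", "Word", "Sales"),
    ("MAM-Relaxed", "Word", "Contractors"),
    ("MAM-Strict", "Outlook", "Sales"),
]

def find_conflicts(deployments, groups, policies):
    """Return {(app, user): {setting: {policy: value}}} for disagreeing settings."""
    # Expand group targeting so each (app, user) lists every policy it receives.
    per_target = defaultdict(set)
    for policy, app, group in deployments:
        for user in groups[group]:
            per_target[(app, user)].add(policy)

    conflicts = {}
    for target, names in per_target.items():
        clash = {}
        for a, b in combinations(sorted(names), 2):
            # Assumption: only settings defined by both policies can conflict.
            for setting in policies[a].keys() & policies[b].keys():
                if policies[a][setting] != policies[b][setting]:
                    clash.setdefault(setting, {}).update(
                        {a: policies[a][setting], b: policies[b][setting]})
        if clash:
            conflicts[target] = clash
    return conflicts

def expected_status(app, user, conflicts):
    """Status label from step 5 that this model predicts for the app and user."""
    return "Error" if (app, user) in conflicts else "Conforms"

if __name__ == "__main__":
    found = find_conflicts(DEPLOYMENTS, GROUPS, POLICIES)
    for (app, user), clash in found.items():
        print(app, user, clash)
```

Each reported pair can be resolved as step 6 describes: align the listed setting across both policies, or leave only one policy deployed for that app and user.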

Where to go from here

After you have created and deployed an app associated with a MAM policy, you can learn more about the end-user experience of MAM. This will help prepare you for any issues that might arise.