Protect company data on mobile devices through app management policies

Protecting your company's data is vitally important, and it becomes an increasingly challenging task as more employees use their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data stays protected even when those mobile devices are outside the company's physical premises.

This guide focuses on enabling managed applications in two Intune MDM deployment models:

  • As a cloud management solution using Intune
  • As an integrated service with Configuration Manager

Both let you create and deploy apps with mobile app management (MAM) policies to better protect your company data.

This document focuses on creating these MAM-based policies when the end-user device is enrolled in Intune for MDM. See Protect line of business apps and data on devices not enrolled in Microsoft Intune for information about configuring these MAM policies when the device itself is not enrolled in Intune for MDM.

Tip

A downloadable copy of this entire topic is available from the TechNet Gallery.

Introduction

Managed apps are apps that have MAM policies applied to them, making them compliant with your company's security requirements. You have two options for managing mobile apps:

  • The platform's default capability, such as Apple Managed Open In, which protects corporate data by controlling which apps are allowed to open certain documents and email attachments
  • The Intune App SDK, which lets you limit functionality and restrict data sharing for any app that has the Intune App SDK enabled. Some of the main features of the Intune App SDK allow you to:

    • Manage the save-as function
    • Prevent cut, copy, and paste
    • Require authentication when an app is accessed
    • Wipe corporate data from an Intune-managed app

    See Intune App SDK Overview for a description of all SDK features.

Before you begin

  • Learn about deploying apps using Microsoft Intune: Learn the basics of Intune app deployment.

  • Evaluate your desired implementation: With all of the different design and configuration options for managing mobile devices, it is difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks you can follow to design a solution that best fits the business and technology needs of your company.

  • Understand the high-level end-user experience: After the solution is implemented, you will be able to protect data on devices whether or not your company manages them. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

    Note

    The end-user experience of this solution is described in more detail in the End-user Experience article.

  • Understand the app lifecycle: Just as with the management of your devices, apps have a lifecycle that takes you from preparation to deployment, monitoring, updating, and retiring. Intune can help you at every stage of this lifecycle. For detailed information about the app lifecycle, see Overview of the app lifecycle.

  • Learn about the Microsoft apps you can use with MAM policies: The Microsoft Intune application partners page contains the latest information about apps from Microsoft and other companies that you can use with mobile app management policies.

    You can use the Microsoft Intune App Wrapping Tool to modify the behavior of your in-house apps, letting you configure features of the app without modifying the app's own code. See the following topics for more specific information:

  • Understand how policy conflicts are resolved: When there is a mobile app management policy conflict on the first deployment to a user or device, the specific setting value in conflict is removed from the policy deployed to the app, and the app uses a built-in conflict value (the most restrictive value is the default).

    When there is a mobile app management policy conflict on a later deployment to the app or user, the specific setting value in conflict is not updated on the mobile app management policy deployed to the app, and the app keeps using the existing value for that setting.

    In cases where the device or user receives two conflicting policies, the following behavior applies:

    • If a policy has already been deployed to the device, the existing policy settings are not overwritten.
    • If no policy has been deployed to the device yet, and two conflicting settings are deployed, the default setting built into the device is used.
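    The conflict-resolution rules above are easier to reason about as a merge function. The following is an added illustrative model, not Intune's own code: it assumes a policy is a plain dictionary of setting name to value, and it assumes the "most restrictive" built-in value for each setting listed in MOST_RESTRICTIVE. The sample policies POLICY_A and POLICY_B are constructed for the example. The case where a later deployment conflicts on a setting the app has no value for yet is not covered by the page; the model falls back to the built-in value there, and that is an assumption.

```python
"""Model of how conflicting MAM policy settings are resolved (illustrative).

This is an added example, not Intune's code. Assumptions not taken from the
page: a policy is a dict of setting name -> value, and the "most restrictive"
built-in value for each setting is the one listed in MOST_RESTRICTIVE.
"""
from typing import Any, Dict, Iterable, Optional, Set, Tuple

# Assumed built-in conflict values: the most restrictive option per setting.
MOST_RESTRICTIVE: Dict[str, Any] = {
    "block_cut_copy_paste": True,
    "block_save_as": True,
    "require_pin": True,
    "pin_min_length": 6,
}


def resolve(policies: Iterable[Dict[str, Any]],
            existing: Optional[Dict[str, Any]] = None) -> Tuple[Dict[str, Any], Set[str]]:
    """Return (effective policy, names of conflicting settings).

    existing is the MAM policy already deployed to the app, or None for a
    first deployment.
    """
    agreed: Dict[str, Any] = {}
    conflicts: Set[str] = set()
    for policy in policies:
        for setting, value in policy.items():
            if setting in agreed and agreed[setting] != value:
                conflicts.add(setting)
            else:
                agreed.setdefault(setting, value)

    effective: Dict[str, Any] = dict(existing) if existing is not None else {}
    for setting, value in agreed.items():
        if setting not in conflicts:
            # Non-conflicting settings are deployed as-is.
            effective[setting] = value
        elif existing is None:
            # First deployment: the conflicting value is dropped from the
            # deployed policy and the built-in (most restrictive) value applies.
            effective[setting] = MOST_RESTRICTIVE[setting]
        elif setting not in effective:
            # Later deployment with no existing value for this setting: the
            # page does not cover this case, so fall back to the built-in
            # value (assumption).
            effective[setting] = MOST_RESTRICTIVE[setting]
        # else: later deployment, the existing value is kept and not updated.
    return effective, conflicts


# Constructed sample policies targeting the same app; they disagree only on
# block_cut_copy_paste.
POLICY_A = {"block_cut_copy_paste": True, "pin_min_length": 4, "block_save_as": True}
POLICY_B = {"block_cut_copy_paste": False, "pin_min_length": 4, "require_pin": True}


def first_deployment() -> Tuple[Dict[str, Any], Set[str]]:
    """No policy deployed yet: the conflict resolves to the built-in value."""
    return resolve([POLICY_A, POLICY_B])


def later_deployment() -> Tuple[Dict[str, Any], Set[str]]:
    """A policy is already deployed: its value for the conflicting setting wins."""
    already_deployed = {"block_cut_copy_paste": False, "pin_min_length": 4}
    return resolve([POLICY_A, POLICY_B], existing=already_deployed)


if __name__ == "__main__":
    for label, (effective, conflicts) in (("first", first_deployment()),
                                          ("later", later_deployment())):
        print(label, "conflicts:", sorted(conflicts), "effective:", effective)
```

    Running the block shows the practical consequence an administrator should check for: on a first deployment the conflicting setting lands on the most restrictive value, but on a later deployment the app silently keeps whatever it already had, so a newly deployed, stricter policy does not tighten a setting that is in conflict.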

Where to go from here

Now that you are familiar with the overall process for MAM, you are ready to use mobile app management policies in Intune or use mobile app management policies in Configuration Manager. Alternatively, you can read about the end-user experience of MAM policies.