使用 Intune 管理 Android for Work 设备Manage Android for Work devices with Intune

适用于:经典门户中的 IntuneApplies to: Intune in the classic portal
在寻找有关 Azure 门户中 Intune 的文档吗?Looking for documentation about Intune in the Azure portal? 请转到此处Go here.

Android for Work 是一组 Android 设备功能和服务,它将分隔个人应用和数据与包含工作应用和数据的工作配置文件。Android for Work is a set of Android device features and services that separate personal apps and data from a work profile containing work apps and data. 用户将其 Android 设备用于工作时,Android for Work 将提供额外的管理功能和隐私。Android for Work provides additional management capabilities and privacy when people use their Android devices for work. Intune 可帮助用户将应用和公司资源部署到 Android for Work 设备,确保将工作和个人信息分开。Intune helps you deploy apps and company resources to Android for Work devices to ensure work and personal information is separate. 部署成功后,他们访问的应用和数据仍单独保留在设备上的 Android for Work 环境中。When successfully deployed, apps and the data they access remain exclusively within the Android for Work environment on the device.

支持的设备Supported devices

Android for Work 管理功能依赖于较新 Android 操作系统中的功能。Android for Work management capabilities rely upon features that are part of newer Android operating system. 目前,运行 Android 5.0 Lollipop 及更高版本的设备以及支持工作配置文件的设备支持 Android for Work。Android for Work is currently supported on devices running Android 5.0 Lollipop and later that support a work profile. 对于不支持 Android for Work 的设备,仍可使用传统 Android 管理。For devices that do not support Android for Work, conventional Android management remains available. 详细了解 Android for Work 的要求Learn more about Android for Work requirements.

载入Onboarding

注册 Android for Work 设备前,必须完成一些载入步骤。Before enrolling Android for Work devices, you must complete some onboarding steps. 这些步骤将在 Intune 租户和 Google Play for Work 服务之前建立连接,这是 Android for Work 应用分发和管理过程中不可或缺的一部分。These steps establish a connection between your Intune tenant and Google’s Play for Work service, which is an integral part of the Android for Work app distribution and management process. 详细了解启用 Android for Work 注册Learn more about Enabling Android for Work enrollment.

工作配置文件管理Work profile management

使用 Intune 管理 Android for Work 设备时,不会管理整个设备。When you manage an Android for Work device with Intune, you don’t manage the entire device. 管理功能只会影响设备注册期间创建的工作配置文件。Management capabilities only affect the work profile that is created on the device during enrollment. 使用 Intune 部署到设备的任何应用都会安装到工作配置文件中。Any apps deployed to the device with Intune get installed in the work profile. 工作配置文件中的应用图标将显示橙色公文包,以便区分设备上的工作应用和个人应用。App icons in the work profile display an orange briefcase to differentiate work apps from personal apps on the device. 设备中 Android for Work 部分以外的所有 Android 应用和数据保留为个人,且受最终用户的控制。All Android apps and data outside the Android for Work portion of the device remain personal and under the control of the end user. 用户可将任何所选应用安装到设备的个人端,而管理员可管理和监视限于工作配置文件的应用和操作。Users can install any app they choose to the personal side of the device, while administrators can manage and monitor apps and actions scoped to the work profile.

Intune 提供了一系列内置常规设置,你可以在 Android for Work 设备上进行配置。Intune supplies a range of built-in general settings that you can configure on Android for Work devices. 详细了解 Android for Work 策略设置Learn more about Android for Work policy settings

应用发布和分发App publishing and distribution

Google Play for Work 服务是 Android for Work 应用分发和管理的必要组成部分。The Google Play for Work service is an integral part of Android for Work app distribution and management. 部署到 Android for Work 设备的所有应用,在工作配置文件中都会显示为来自 Play for Work 服务。All apps deployed to Android for Work devices in the work profile come from Play for Work service. 若要在 Play Store 中管理和部署应用,请使用公司用于 Google 管理的管理员凭据登录到 Google Play 网站。To manage and deploy apps in the Play Store, you log in to the Google Play website with your company's administrator credentials for Google management. 可以批准用于 Android for Work 部署的应用,使其显示在设备的工作配置文件中。You can approve apps for Android for Work deployment to have them appear in devices' work profiles. 然后,这些应用将同步到 Intune 控制台中,可在控制台中使用 Intune 进行部署和管理。These apps then sync to the Intune console where they can then be deployed and managed using Intune. 组织开发的业务线 (LOB) 应用必须使用 Google Android 应用发布控制台发布到 Play for Work。Line of business (LOB) apps developed by your organization must be published to Play for Work using Google’s Android app publishing console. 业务线应用必须在 Android 应用发布控制台中进行配置,限制对组织的访问。Line of business apps must be configured in the Android app publishing console to restrict access to your organization.

应用安装无需用户交互,且不要求用户允许从未知源安装Apps can be installed without user interaction and without requiring that the user allow Installation from Unknown Sources. 若要浏览和安装可选或可用应用,用户可在其设备上浏览 Play for Work 应用商店。To browse and install optional or available apps, the user can browse the Play for Work store on their device. 详细了解为 Android for Work 部署应用Learn more about Deploying apps for Android for Work.

应用配置App configuration

Android for Work 提供基础结构,用于将应用配置值部署到支持它们的应用。Android for Work provides infrastructure for deploying app configuration values to apps that support them. 通过为工作应用指定配置值,确保在用户首次启动该应用时已正确对其进行设置。By specifying configuration values for work apps, you ensure they are properly set when users launch the app for the first time. 要支持应用配置,需要应用开发人员创建自己的 Android 应用,专门支持托管的配置值。Support for app configuration requires that app developers create their Android apps specifically to support managed configuration values. 完成此操作后,可使用 Intune 指定和应用这些配置设置。If they do, then you can use Intune to specify and apply these configuration settings. 详细了解 Android for Work 应用配置设置Learn more about Android for Work app configuration settings.

电子邮件配置Email configuration

Android for Work 不提供默认电子邮件应用或如 iOS 提供的本机电子邮件配置文件对象。Android for Work doesn’t provide a default email app or native email profile object like that which is provided by iOS. 而可以通过将应用配置设置应用到支持它们的电子邮件应用中,来设置电子邮件配置。Instead, email configurations can be set by applying app configuration settings to email apps that support them. Gmail 和 Nine Work 是 Play Store 中的两种 Exchange ActiveSync (EAS) 客户端应用,它们支持使用 Android for Work 应用配置进行配置。Gmail and Nine Work are two Exchange ActiveSync (EAS) client apps in the Play Store that support configuration with Android for Work app configuration.

在 Gmail 和 Nine Work 应用作为工作应用管理时,Intune 为其提供配置模板。Intune provides configuration templates for Gmail and Nine Work apps when managed as work apps. 其他支持应用配置的配置文件的电子邮件应用可使用移动应用配置策略进行配置。Other email apps that supports app configuration profiles can be configured with mobile app configuration policies.

如果对 Android for Work 设备使用的是 Exchange ActiveSync 条件访问,则必须使用 Gmail 或 Nine Work 电子邮件应用。If you are using Exchange ActiveSync conditional access for an Android for Work devices, you must use either the Gmail or Nine Work email app. 同样支持 Microsoft Outlook for Android 应用,以及任何通过 ADAL 使用新式验证的其他电子邮件应用。The Microsoft Outlook for Android app, or any other email app that uses modern authentication via ADAL, is also supported. 详细了解公司电子邮件的电子邮件配置文件Learn more about Email profiles for company email.

应用保护策略App protection policies

工作配置文件和个人配置文件完全支持所应用的应用保护策略。App protection policies applied are fully supported in the work profile and in the personal profile. 可在 Android 应用发布控制台中发布业务线应用,地址为 https://play.google.com/apps/publish。You can publish line-of-business apps in the Android app publishing console at https://play.google.com/apps/publish. 此控制台包含让应用专用于组织的选项。This console includes an option to make apps private to your organization. 详细了解 Android for Work 合规性策略设置Learn more about Android for Work compliance policy settings. 有关应用防护策略的常规信息,请参阅应用策略For general information about app protectino policies, see app policies.

VPN 配置文件VPN profiles

VPN 支持类似于 Android VPN 配置文件。VPN support is similar to Android VPN profiles. 可使用相同的 VPN 提供商和基本配置选项管理 Android for Work,只有两点差别:The same VPN providers and basic configuration options are available for Android for Work management with two differences:

  • 限于工作配置文件的 VPN - VPN 连接仅限于部署到工作配置文件的应用。Work profile-scoped VPN – VPN connections are limited to just the apps deployed to the work profile. 仅 Android for Work 托管应用可使用 VPN 连接。Only Android for Work-managed apps can use the VPN connection. 设备上的个人应用无法使用托管 VPN 连接。Personal apps on the device cannot use a managed VPN connection.

  • 特定于应用的 VPN - 如果 VPN 提供商支持特定于应用的 VPN 配置,并提供通过 Android for Work 应用配置的配置文件配置 per-app VPN 的功能,则可在 Intune 中配置特定于应用的 VPN。App-specific VPN – If a VPN provider supports configuration for app-specific VPN and provides the capability to configure per-app VPN via the Android for Work app configuration profile, then a app-specific VPN can be configured in Intune. 请咨询 VPN 提供商,确定他们是否支持此功能。Check with the VPN provider to see if they support this capability. 详细了解 VPN 连接配置文件Learn more about VPN connection profiles.

证书配置文件Certificate profiles

适用于 Android 管理的证书配置文件配置选项在 Android for Work 设备也适用。The same certificate profile configuration options that are available to Android management are available on Android for Work devices. Android for Work 提供增强的证书管理 API。Android for Work provides enhanced certificate management APIs. 增强的证书管理提供以下功能:Enhanced certificate management provides the following functionality:

  • 确保用户的证书部署静默且无缝。Ensures that cert deployment is silent and seamless for the user.
  • 设备从 Intune 停用并删除了工作配置文件时,确保已完全删除部署的证书。Ensures that deployed certs are completely removed when a device is retired from Intune and the work profile is removed.
  • 提供改进的消息传送功能,通知用户 IT 部门通过管理服务部署和配置证书。Provides improved messaging that informs users that the certificate was deployed and configured by their IT department via their management service.

详细了解证书配置文件Learn more about Certificate profiles.

Wi-Fi 配置文件Wi-Fi profiles

设备从 Intune 中停用且删除了工作配置文件时,将删除 Android for Work 管理的 Wi-Fi 配置文件。Wi-Fi profiles managed by Android for Work are removed when the device is retired from Intune and the work profile is deleted. 详细了解 Wi-Fi 配置文件Learn more about Wi-Fi profiles.

后续步骤Next steps

启用 Android for Work 注册Enabling Android for Work enrollment

为 Android for Work 部署应用Deploying apps for Android for Work