Android app protection policy settings in Microsoft Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

The app policy settings that are described in this topic can be configured on the Settings blade in the Azure portal. There are two categories of policy settings: data relocation settings and access settings. In this topic, the term policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings

Setting: Prevent Android backups
How to use: Choose Yes to prevent this app from backing up work or school data to the Android Backup Service. Choose No to allow this app to back up work or school data.
Default value: Yes

Setting: Allow app to transfer data to other apps
How to use: Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.
There are some exempt apps and services to which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Allow app to receive data from other apps
How to use: Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Prevent "Save As"
How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
Default value: No

Setting: Select which storage services corporate data can be saved to
How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint and Local Storage). All other services will be blocked.
Default value: 0 selected

Setting: Restrict cut, copy and paste with other apps
How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

Setting: Restrict web content to display in the Managed Browser
How to use: Choose Yes to force web links in the app to be opened in the Managed Browser app.
For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.
If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
Default value: No

Setting: Encrypt app data
How to use: Choose Yes to enable encryption of work or school data in this app. Intune uses an OpenSSL 128-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted.
The encryption method is not FIPS 140-2 certified.
Default value: Yes

Setting: Disable contact sync
How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.
When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
Default value: No

Setting: Disable printing
How to use: Choose Yes to prevent the app from printing work or school data.
Default value: No

Note

The encryption method for the Encrypt app data setting is not FIPS 140-2 certified.

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policy may allow data transfer to and from. For example, all Intune-enlightened apps on Android must be able to transfer data to and from Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.

Full exemptions

These apps and services are fully allowed for data transfer to and from Intune-managed apps.

App/service name: Description
com.android.phone: Native phone app
com.android.vending: Google Play Store
com.android.documentsui: Android Document Picker
com.google.android.webview: WebView, which is necessary for many apps including Outlook.
com.android.webview: WebView, which is necessary for many apps including Outlook.
com.google.android.tts: Google Text-to-speech
com.android.providers.settings: Android system settings
com.azure.authenticator: Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal: Intune Company Portal

Conditional exemptions

These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.

App/service name (Description): Exemption condition
com.android.chrome (Google Chrome Browser): Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.
com.skype.raider (Skype): The Skype app is allowed only for certain actions that result in a phone call.
com.android.providers.media (Android media content provider): The media content provider is allowed only for the ringtone selection action.
com.google.android.gms; com.google.android.gsf (Google Play Services packages): These packages are allowed for Google Cloud Messaging actions, such as push notifications.
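The following is an added example, not Intune code, that models how the transfer settings and the two exemption lists above combine into one allow/deny decision. It encodes the three-valued "Allow app to transfer data to / receive data from other apps" settings, the full exemptions, and the conditional exemptions. Two things are assumptions made for this example rather than statements from the page: exempt packages are allowed regardless of the configured setting (the page says only that Intune "may allow" them), and the action identifiers (`phone_call`, `ringtone_selection`, `gcm_push`) are invented labels for the conditions the page describes in prose. The sample managed package names are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Transfer(Enum):
    """Values of 'Allow app to transfer data to / receive data from other apps'."""
    POLICY_MANAGED = "Policy managed apps"
    ALL_APPS = "All apps"
    NONE = "None"


# Full exemptions from the table above: allowed to and from managed apps unconditionally.
FULL_EXEMPTIONS = frozenset({
    "com.android.phone", "com.android.vending", "com.android.documentsui",
    "com.google.android.webview", "com.android.webview", "com.google.android.tts",
    "com.android.providers.settings", "com.azure.authenticator",
    "com.microsoft.windowsintune.companyportal",
})

# Conditional exemptions: package -> actions for which transfer is allowed.
# The action identifiers are assumptions made for this example; the page
# describes each condition only in prose.
CONDITIONAL_EXEMPTIONS = {
    "com.skype.raider": frozenset({"phone_call"}),
    "com.android.providers.media": frozenset({"ringtone_selection"}),
    "com.google.android.gms": frozenset({"gcm_push"}),
    "com.google.android.gsf": frozenset({"gcm_push"}),
    # Chrome may render WebView content on Android 7.0+, but data flow to and
    # from it is always restricted, so it has no allowed actions here.
    "com.android.chrome": frozenset(),
}


@dataclass(frozen=True)
class AppPolicy:
    transfer_to: Transfer = Transfer.ALL_APPS    # page default
    receive_from: Transfer = Transfer.ALL_APPS   # page default
    policy_managed: frozenset = frozenset()      # packages under an app protection policy


def _allowed_by_setting(setting, peer, policy_managed):
    """Apply the three-valued setting to a peer package (no exemptions)."""
    if setting is Transfer.ALL_APPS:
        return True
    if setting is Transfer.POLICY_MANAGED:
        return peer in policy_managed
    return False  # NONE blocks every peer, including other policy-managed apps


def _exempt(peer, action):
    """Assumption: exemptions apply regardless of the configured setting."""
    if peer in FULL_EXEMPTIONS:
        return True
    return action in CONDITIONAL_EXEMPTIONS.get(peer, frozenset())


def can_send(policy, target, action="share"):
    """May a managed app under `policy` send data to `target` for `action`?"""
    return _exempt(target, action) or _allowed_by_setting(
        policy.transfer_to, target, policy.policy_managed)


def can_receive(policy, source, action="share"):
    """May a managed app under `policy` accept data from `source` for `action`?"""
    return _exempt(source, action) or _allowed_by_setting(
        policy.receive_from, source, policy.policy_managed)


if __name__ == "__main__":
    # Constructed sample policy: block outbound transfer entirely, accept inbound
    # only from other policy-managed apps.
    managed = frozenset({"com.example.mail", "com.example.docs"})
    strict = AppPolicy(Transfer.NONE, Transfer.POLICY_MANAGED, managed)
    print(can_send(strict, "com.example.docs"))                 # False: NONE blocks managed peers too
    print(can_send(strict, "com.google.android.tts"))           # True: full exemption
    print(can_send(strict, "com.skype.raider", "phone_call"))   # True: conditional exemption
    print(can_send(strict, "com.skype.raider"))                 # False: not a phone-call action
    print(can_receive(strict, "com.example.docs"))              # True: policy-managed peer
    print(can_receive(strict, "com.android.chrome"))            # False: Chrome flow always restricted
```

The point worth checking when you set a policy to None is the last two outcomes: even the strictest setting still lets data flow to the fully exempt packages, and the Chrome entry in the conditional list grants no data flow at all, only visibility.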

Access settings

Setting: Require PIN for access
How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. Default value = Yes.
Configure the following settings for PIN strength:
  • Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. Default value = 5.
  • Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. Default value = Yes.
  • PIN length: Specify the minimum number of digits in a PIN sequence. Default value = 4.
  • Allow fingerprint instead of PIN (Android 6.0+): Choose Yes to allow the user to use fingerprint authentication instead of a PIN for app access. Default value = Yes.
On Android devices, you can let the user prove their identity by using Android fingerprint authentication instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN.
Default values: Require PIN: Yes; PIN reset attempts: 5; Allow simple PIN: Yes; PIN length: 4; Allow fingerprint: Yes

Setting: Require corporate credentials for access
How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, it overrides the PIN and fingerprint requirements.
Default value: No

Setting: Block managed apps from running on jailbroken or rooted devices
How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user will continue to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
Default value: Yes

Setting: Recheck the access requirements after (minutes)
How to use: Configure the following settings:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN in the policy, a user opens a MAM app, and must enter a PIN. With this setting, the user would not have to enter a PIN on any MAM app for another 30 minutes (default value).
  • Offline grace period: This is the number of minutes that MAM apps can run offline before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period has expired, the app requires the user to authenticate to AAD so that the app can continue to run.
Default values: Timeout: 30; Offline: 720

Setting: Offline interval before app data is wiped (days)
How to use: After this many days (defined by the admin) of running offline, the app itself performs a selective wipe. This selective wipe is the same wipe as the one that can be initiated by the admin in the MAM wipe workflow.
Default value: 90 days

Setting: Block screen capture and Android Assistant (Android 6.0+)
How to use: Choose Yes to block screen capture and the Android Assistant capabilities of the device when using this app. Choosing Yes will also blur the app-switcher preview image when using this app with a work or school account.
Default value: No

Setting: Disable app PIN when device PIN is managed
How to use: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.
Default value: No
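The following is an added example, not Intune code, that models how the PIN-strength settings and the three timers in the access settings above interact for a single device: the shared timeout (default 30 minutes) that triggers a PIN recheck across all MAM apps, the offline grace period (default 720 minutes) after which the app must authenticate to AAD, and the offline interval (default 90 days) after which the app performs its own selective wipe. The page defines "simple PIN" only by the examples 1234 and 1111; the rule used here (all digits identical, or a straight ascending or descending run) is an assumption. The fixed reference time in `decide_after` is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessPolicy:
    """Access settings from the table above, with the page's default values."""
    require_pin: bool = True
    pin_length: int = 4            # minimum number of digits
    allow_simple_pin: bool = True
    timeout_min: int = 30          # recheck the access requirements after (minutes)
    offline_grace_min: int = 720   # offline grace period (minutes)
    offline_wipe_days: int = 90    # offline interval before app data is wiped (days)


@dataclass
class DeviceState:
    last_access_check: datetime  # last successful PIN/credential check, shared by all MAM apps
    last_online: datetime        # last time the app could reach AAD/Intune


def is_simple_pin(pin: str) -> bool:
    """Assumed definition of 'simple': all digits equal (1111) or a straight
    run up or down (1234, 4321). The page gives only the examples 1234 and 1111."""
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_acceptable(policy: AccessPolicy, pin: str) -> bool:
    """Does a proposed PIN satisfy 'PIN length' and 'Allow simple PIN'?"""
    if not pin.isdigit() or len(pin) < policy.pin_length:
        return False
    if not policy.allow_simple_pin and is_simple_pin(pin):
        return False
    return True


def evaluate_access(policy: AccessPolicy, state: DeviceState, now: datetime) -> str:
    """Decide what a MAM app must do on launch; the most severe condition wins.

    Returns one of: 'selective_wipe', 'require_aad_auth', 'prompt_pin', 'allow'.
    """
    offline_for = now - state.last_online
    if offline_for >= timedelta(days=policy.offline_wipe_days):
        return "selective_wipe"          # the app wipes its own work/school data
    if offline_for >= timedelta(minutes=policy.offline_grace_min):
        return "require_aad_auth"        # must authenticate to AAD before continuing
    since_check = now - state.last_access_check
    if policy.require_pin and since_check >= timedelta(minutes=policy.timeout_min):
        return "prompt_pin"              # the shared timeout window has elapsed
    return "allow"


def decide_after(policy: AccessPolicy, minutes_since_check: int, minutes_offline: int) -> str:
    """Convenience wrapper: evaluate relative to a fixed, constructed 'now'."""
    now = datetime(2017, 6, 1, 9, 0)
    state = DeviceState(now - timedelta(minutes=minutes_since_check),
                        now - timedelta(minutes=minutes_offline))
    return evaluate_access(policy, state, now)


if __name__ == "__main__":
    defaults = AccessPolicy()
    print(decide_after(defaults, 10, 0))              # allow
    print(decide_after(defaults, 31, 0))              # prompt_pin
    print(decide_after(defaults, 5, 13 * 60))         # require_aad_auth (13 h exceeds 720 min)
    print(decide_after(defaults, 5, 91 * 24 * 60))    # selective_wipe
    hardened = AccessPolicy(allow_simple_pin=False, pin_length=6)
    print(pin_acceptable(hardened, "123456"))         # False: simple sequence
    print(pin_acceptable(hardened, "2580"))           # False: shorter than 6 digits
    print(pin_acceptable(hardened, "294761"))         # True
```

Note the ordering in `evaluate_access`: because the offline checks run before the PIN check, a device that has been offline past the grace period is forced to AAD even if its PIN window is still fresh, which matches the page's statement that the app "will require user authentication to AAD" after the grace period expires.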