Configure and deploy mobile application management policies in the Microsoft Intune console

Applies to: Intune in the classic console

Looking for documentation about Intune on Azure? Go here.

Mobile application management (MAM) policies in Microsoft Intune let you modify the functionality of apps that you deploy to help align them with your company's compliance and security policies. For example, you can restrict cut, copy, and paste operations within a managed app, or configure an app to open all web links inside a managed browser.

Mobile application management policies support:

  • Devices that run Android 4 and later.

  • Devices that run iOS 8.0 and later.

Tip

Mobile application management policies support devices that are enrolled with Intune.

If you are looking for information about how to create app management policies for devices that Intune doesn't manage, see Protect app data using mobile app management policies with Microsoft Intune.

Unlike other Intune policies, you do not deploy a mobile application management policy directly. Instead, you associate the policy with the app that you want to restrict. When the app is deployed and installed on devices, the settings that you specify take effect.

To apply restrictions to an app, the app must incorporate the Microsoft Intune App SDK. There are three methods of obtaining this type of app:

Some managed apps, like the Outlook app for iOS and Android, support multi-identity. This means that Intune applies management settings only to corporate accounts or data in the app.

For example, using the Outlook app:

  • If the user configures a corporate email account and a personal email account, Intune applies management settings only to the corporate account and does not manage the personal account.

  • If the device is retired or unenrolled, only the corporate Outlook data is removed from the device.

  • The corporate account must be the same account that was used to enroll the device with Intune.

Tip

If you are using Intune with Configuration Manager, see How to Control Apps Using Mobile Application Management Policies in Configuration Manager.

Create and deploy an app with a mobile application management policy

  • Step 1: Get the link to a policy managed app, create a wrapped app, or use the Intune App SDK to write a MAM-enabled app.

  • Step 2: Publish the app to your cloud storage space.

  • Step 3: Create a mobile application management policy.

  • Step 4: Associate the app with a mobile application management policy, and then deploy the app.

  • Step 5: Monitor the app deployment.

Step 1: Get the link to a policy managed app, create a wrapped app, or use the Intune App SDK to write a MAM-enabled app

From the app store, find and note the URL of the policy managed app that you want to deploy. For example, the URL of the Microsoft Word for iPad app is https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.

Step 2: Publish the app to your cloud storage space

When you publish a managed app, the procedure differs depending on whether you are publishing a policy managed app or an app that was processed by using the Microsoft Intune App Wrapping Tool for iOS.

To publish a policy managed app

  1. When you are ready to upload the app to your cloud storage space, follow the instructions in Add apps for mobile devices in Microsoft Intune.

  2. For iOS apps, select Managed iOS App from the App Store under Select how this software is made available to devices.

    For Android apps, select External link.

  3. Under Specify the URL, enter the URL of the policy managed app that you noted earlier.

After the upload finishes, you will see Yes for App Management Policies on the Software Properties page for the uploaded app.

After you have verified that the app is uploaded successfully, continue to step 3.

To publish an app that was processed through the Microsoft Intune App Wrapping Tool

  1. When you are ready to upload the app to your cloud storage space, follow the instructions in Add apps for mobile devices in Microsoft Intune.

  2. Select Software Installer under Select how this software is made available to devices.

  3. Select App package for iOS (*.ipa file) under Software installer file type.

After the upload finishes, you will see Yes for App Management Policies on the Software Properties page for the uploaded app.

After you have verified that the app is uploaded successfully, continue to step 3.

Step 3: Create a mobile application management policy

  1. In the Microsoft Intune administration console, choose Policy > Overview > Add Policy.

  2. Configure and deploy one of the following Software policies, depending on the device type that you want to configure apps for:

    • Mobile Application Management Policy (Android 4 and later)

    • Mobile Application Management Policy (iOS 8.0 and later)

    You can use the recommended settings or customize the settings. For details, see Manage settings and features on your devices with Microsoft Intune policies.

  3. Configure the following settings as required. The options might differ depending on the device type for which you are configuring the policy.

| Setting name | Details |
| --- | --- |
| Name | Specify a name for this policy. |
| Description | Optionally, specify a description for this policy. |
| Restrict web content to display in a corporate managed browser | When this setting is enabled, any links in the app are opened in the managed browser. For this option to work, you must have deployed the managed browser app to devices. |
| Prevent Android backups or Prevent iTunes and iCloud backups | This setting disables the backup of any information from the app. |
| Allow app to transfer data to other apps | This setting specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, allow transfer only to other managed apps, or allow transfer to any app.<br><br>For example, when you do not allow data transfer, you restrict data transfer to services like SMS messaging, assigning images to contacts, and posting to Facebook or Twitter.<br><br>For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged apps. If you choose to allow transfer only to other managed apps, the Intune PDF and image viewers (if deployed) are used to open content of the respective types.<br><br>Additionally, if you set this option to Policy Managed Apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps is blocked.<br><br>This setting does not control the use of the Open In feature on mobile devices. To manage Open In, see Manage data transfer between iOS apps with Microsoft Intune. |
| Allow app to receive data from other apps | This setting specifies the apps that this app can receive data from. You can choose to not allow data transfer from any app, allow transfer only from other managed apps, or allow transfer from any app.<br><br>When a user accesses data from an app that is not managed by a mobile application management policy, the data is treated as corporate data and protected by the policy. This applies to iOS apps that support multi-identity (where Intune applies management settings only to corporate accounts or data in the app), and to an enrolled device with a mobile application management policy applied. |
| Prevent "Save As" | This setting disables use of the Save As option to save data to personal cloud storage locations (such as OneDrive or Dropbox) in any app that uses this policy. |
| Restrict cut, copy and paste with other apps | This setting specifies how cut, copy, and paste operations can be used with the app. Choose from:<br><br>Blocked. Do not allow cut, copy, and paste operations between this app and other apps.<br><br>Policy Managed Apps. Allow cut, copy, and paste operations only between this app and other managed apps.<br><br>Policy Managed Apps with Paste In. Allow data cut or copied from this app to be pasted only into other managed apps. Allow data cut or copied from any app to be pasted into this app.<br><br>Any App. Put no restrictions on cut, copy, and paste operations to or from this app.<br><br>To copy and paste data between managed apps, both apps must have either the Policy Managed Apps or the Policy Managed Apps with Paste In setting configured. |
| Require simple PIN for access | This setting requires the user to enter a PIN that they specify to use this app. The user is asked to set this up the first time they run the app. |
| Number of attempts before PIN reset | Specify the number of PIN entry attempts that can be made before the user must reset the PIN. |
| Require corporate credentials for access | This setting requires the user to enter their corporate logon information before they can access the app. |
| Require device compliance with corporate policy for access | This setting allows the app to be used only when the device is not jailbroken or rooted. |
| Recheck the access requirements after (minutes) | In the Timeout field, specify the time period before the access requirements for the app are rechecked after the app is opened. |
| Offline grace period | If the device is offline, specify the time period before the access requirements for the app are rechecked. |
| Encrypt app data | This setting specifies that all data associated with this app is encrypted. This includes data stored externally, such as on SD cards.<br><br>Encryption for iOS<br><br>For apps that are associated with an Intune mobile application management policy, data is encrypted at rest through device-level encryption that the OS provides. This is enabled through a device PIN policy that the IT admin sets. When a PIN is required, the data is encrypted according to the settings in the mobile application management policy. As stated in Apple documentation, the modules that iOS uses are FIPS 140-2 certified.<br><br>Encryption for Android<br><br>For apps that are associated with an Intune mobile application management policy, Microsoft provides encryption. Data is encrypted synchronously during file I/O operations. Content on the device storage is always encrypted. The encryption method is FIPS 140-2 compliant for Samsung KNOX devices only. |
| Block screen capture (Android devices only) | This setting specifies that the screen capture capabilities of the device are blocked when someone is using this app. |
  4. When you are finished, choose Save Policy.

The new policy appears in the Configuration Policies node of the Policy workspace.
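The clipboard rules in the table interact per app pair: a paste succeeds only if the source app's setting lets its data out and the destination app's setting lets that data in. The following Python model, an added example rather than Intune or Microsoft code, encodes the four values of the "Restrict cut, copy and paste with other apps" setting and evaluates a transfer between two apps. The app names, the sample policy assignments and the treatment of an unmanaged app (no policy, so no rule of its own) are assumptions made for the example.

```python
"""Decision model for the 'Restrict cut, copy and paste with other apps' setting.

Added example, not Intune code. Apps, their names and the policy values
assigned below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class ClipboardSetting(Enum):
    BLOCKED = "Blocked"
    POLICY_MANAGED_APPS = "Policy Managed Apps"
    POLICY_MANAGED_APPS_WITH_PASTE_IN = "Policy Managed Apps with Paste In"
    ANY_APP = "Any App"


@dataclass(frozen=True)
class App:
    name: str
    # None models an unmanaged app (no MAM policy); it imposes no rule of its own.
    clipboard: Optional[ClipboardSetting] = None

    @property
    def managed(self) -> bool:
        return self.clipboard is not None


def _source_allows(src: App, dst: App) -> bool:
    """Does the source app's setting allow its data to be pasted into dst?"""
    if src.clipboard is None:
        return True  # unmanaged source: no outbound restriction
    if src.clipboard is ClipboardSetting.BLOCKED:
        return False
    if src.clipboard is ClipboardSetting.ANY_APP:
        return True
    # Policy Managed Apps (with or without Paste In): outbound only to managed apps
    return dst.managed


def _destination_allows(dst: App, src: App) -> bool:
    """Does the destination app's setting allow data from src to be pasted in?"""
    if dst.clipboard is None:
        return True  # unmanaged destination: no inbound restriction
    if dst.clipboard is ClipboardSetting.BLOCKED:
        return False
    if dst.clipboard in (ClipboardSetting.ANY_APP,
                         ClipboardSetting.POLICY_MANAGED_APPS_WITH_PASTE_IN):
        return True  # Paste In accepts data cut or copied from any app
    return src.managed  # Policy Managed Apps: inbound only from managed apps


def paste_allowed(src: App, dst: App) -> bool:
    """A transfer succeeds only when both ends permit it (assumption: pasting
    within the same app is always allowed, since the setting governs *other* apps)."""
    if src.name == dst.name:
        return True
    return _source_allows(src, dst) and _destination_allows(dst, src)


def transfer_matrix(apps: Iterable[App]) -> Dict[Tuple[str, str], bool]:
    """Evaluate every ordered pair of distinct apps: (source, destination) -> allowed."""
    apps = list(apps)
    return {(s.name, d.name): paste_allowed(s, d)
            for s in apps for d in apps if s.name != d.name}


# Constructed sample fleet: three managed apps with different settings, one unmanaged.
WORD = App("Word (managed)", ClipboardSetting.POLICY_MANAGED_APPS)
OUTLOOK = App("Outlook (managed)", ClipboardSetting.POLICY_MANAGED_APPS_WITH_PASTE_IN)
VIEWER = App("PDF viewer (managed)", ClipboardSetting.BLOCKED)
NOTES = App("Personal notes (unmanaged)")

if __name__ == "__main__":
    for (src, dst), ok in sorted(transfer_matrix([WORD, OUTLOOK, VIEWER, NOTES]).items()):
        print(f"{src:28} -> {dst:28} {'allowed' if ok else 'blocked'}")
```

Running the block prints the full matrix; the pairs worth checking against the table are Word to Outlook (both managed, both Policy Managed variants: allowed), Word to Personal notes (managed to unmanaged: blocked), Personal notes to Outlook (allowed only because Outlook has Paste In) and anything involving the Blocked viewer (always blocked).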

Step 4: Associate the app with a mobile application management policy, and then deploy the app

Ensure that you select the mobile application management policy on the Mobile App Management page of the Manage Deployment dialog box to associate the policy with the app.

For details, see Deploy apps in Microsoft Intune.

Important

If the device is unenrolled from Intune, policies are not removed from the apps. Any apps that had policies applied retain the policy settings after the app is uninstalled and reinstalled.

What to do when an app is already deployed on devices

There might be situations where you deploy an app and one of the targeted users or devices already has an unmanaged version of the app installed. For example, the user might have installed Microsoft Word from the app store.

In this case, you must ask the user to manually uninstall the unmanaged version so that the managed version that you configured can be installed.

However, for devices that run iOS 9 and later, Intune automatically asks the user for permission to take over management of the existing app. If they agree, the app becomes managed by Intune, and any mobile application management policies that you associated with the app are also applied.

Tip

If the device is in supervised mode, Intune takes over management of the existing app without asking the user's permission.

Step 5: Monitor the app deployment

After you have created and deployed an app that's associated with a mobile application management policy, use the following procedure to monitor the app and resolve any policy conflicts.

To view the status of the deployment

  1. In the Microsoft Intune administration console, choose Groups > Overview.

  2. Perform one of the following steps:

    • Choose All Users, and then double-click the user whose device you want to examine. On the User Properties page, choose Devices, and then double-click the device that you want to examine.

    • Choose All Devices > All Mobile Devices. On the Device Group Properties page, choose Devices, and then double-click the device that you want to examine.

  3. From the Mobile Device Properties page, choose Policy to see a list of the mobile application management policies that have been deployed to the device.

  4. Select the mobile application management policy whose status you want to view. You can view details of the policy in the bottom pane and expand its node to display its settings.

  5. Under the Status column of each of the mobile application management policies, Conforms, Conforms (Pending), or Error appears. If the selected policy has one or more settings in conflict, Error appears in this field.

  6. After you have identified a conflict, you can revise the conflicting policy settings to use the same value, or you can deploy only one policy to the app and user.

How policy conflicts are resolved

When there is a mobile application management policy conflict on the first deployment to the user or device, the specific setting value in conflict is removed from the policy deployed to the app. The app uses a built-in default value for that setting.

When there is a mobile application management policy conflict on later deployments to the app or user, the specific setting value in conflict is not updated on the mobile application management policy deployed to the app. The app uses the existing value for that setting.

In cases where the device or user receives two conflicting policies, the following behavior applies:

  • If a policy has already been deployed to the device, the existing policy settings are not overwritten.

  • If no policy has already been deployed to the device, and two conflicting settings are deployed, the default setting built into the device is used.
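The two conflict rules above (first deployment: drop the conflicting setting and fall back to the built-in default; later deployment: leave the conflicting setting at its existing value) and the Error status from step 5 can be checked with a small model. The Python below is an added example, not Intune or Microsoft code; the setting names, the built-in defaults and the sample policies are constructed, and the assumption that settings no policy mentions keep their current value is the example's own.

```python
"""Model of MAM policy conflict resolution as described for the Intune console.

Added example, not Intune code. Setting names, BUILT_IN_DEFAULTS and the sample
policies are constructed for illustration.
"""
from typing import Any, Dict, List, Optional, Set, Tuple

Policy = Dict[str, Any]

# Constructed stand-in for the defaults built into the app/device.
BUILT_IN_DEFAULTS: Policy = {
    "encrypt_app_data": False,
    "prevent_save_as": False,
    "clipboard": "Any App",
    "require_pin": False,
}


def find_conflicts(policies: List[Policy]) -> Set[str]:
    """Names of settings for which the deployed policies specify different values."""
    seen: Dict[str, Set[Any]] = {}
    for policy in policies:
        for name, value in policy.items():
            seen.setdefault(name, set()).add(value)
    return {name for name, values in seen.items() if len(values) > 1}


def apply_deployment(existing: Optional[Policy], policies: List[Policy],
                     defaults: Policy = BUILT_IN_DEFAULTS) -> Tuple[Policy, Set[str]]:
    """Return (effective settings, conflicting setting names) after one deployment.

    existing is None on the first deployment to the app/user; afterwards it holds
    the settings currently applied to the app. Settings that no policy in this
    deployment mentions keep their current value (assumption).
    """
    conflicts = find_conflicts(policies)
    effective: Policy = dict(defaults) if existing is None else dict(existing)
    for policy in policies:
        for name, value in policy.items():
            if name in conflicts:
                # First deployment: the value is removed, so the built-in default stands.
                # Later deployment: the existing value is not overwritten.
                continue
            effective[name] = value
    return effective, conflicts


def policy_status(conflicts: Set[str]) -> str:
    """Status as shown in the console's Status column: Error when settings conflict."""
    return "Error" if conflicts else "Conforms"


# Constructed scenario: two policies reach the same app on first deployment and
# disagree about Prevent "Save As"; a later pair disagrees about the clipboard rule.
FIRST_DEPLOYMENT: List[Policy] = [
    {"encrypt_app_data": True, "prevent_save_as": True, "clipboard": "Blocked"},
    {"encrypt_app_data": True, "prevent_save_as": False, "clipboard": "Blocked"},
]
LATER_DEPLOYMENT: List[Policy] = [
    {"prevent_save_as": True, "clipboard": "Policy Managed Apps"},
    {"prevent_save_as": True, "clipboard": "Any App"},
]


def run_scenario() -> Tuple[Policy, Set[str], Policy, Set[str]]:
    """Apply both deployments in order and return each effective state with its conflicts."""
    first, first_conflicts = apply_deployment(None, FIRST_DEPLOYMENT)
    later, later_conflicts = apply_deployment(first, LATER_DEPLOYMENT)
    return first, first_conflicts, later, later_conflicts


if __name__ == "__main__":
    first, c1, later, c2 = run_scenario()
    print("after first deployment :", first, policy_status(c1), sorted(c1))
    print("after later deployment :", later, policy_status(c2), sorted(c2))
```

In the scenario, the first deployment leaves prevent_save_as at its built-in default (False) because the two policies disagree, while the agreed values (encryption on, clipboard Blocked) apply. The later deployment updates prevent_save_as to True because both policies now agree, but the clipboard setting stays at the existing Blocked value because the new policies conflict; both deployments would show Error in the Status column until the admin aligns the settings or deploys only one policy.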

To provide product feedback, visit Intune Feedback.