Create and deploy app protection policies with Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

This topic describes the process of creating an app protection policy in the Azure portal. The Azure portal is the new admin console for creating app protection policies, and we recommend that you use it for this purpose. The Azure portal supports the following MAM scenarios:

  • Devices enrolled in Intune.
  • Devices managed by a third-party MDM solution.
  • Devices that are not managed by any MDM solution (BYOD).
Important

Here are a few considerations if you're using the Intune admin console to manage your devices:

  • You can use the Intune admin console to create an app protection policy that supports apps on devices enrolled in Intune.
  • App protection policies created in the Intune admin console cannot be imported into the Azure portal. They must be re-created in the Azure portal.
  • You may not see all app protection policy settings in the Intune admin console. The Azure portal is the new admin console for creating app protection policies.
  • To deploy managed apps, you must create an app protection policy in the Intune admin console. In this case, you may want to create app protection policies in both the Intune admin console and the Azure portal: the Intune admin console so that you can deploy managed apps, and the Azure portal because it is the new admin console that exposes all the app protection policy settings.
  • If you create app protection policies in both the Intune admin console and the Azure portal, the policy created in the Azure portal is the one applied to the apps.

To see a list of the policy settings supported for the Android and iOS platforms, select one of the following:

Create an app protection policy

App protection policies are created in the Azure portal. If this is the first time you are using the Azure portal, read Azure portal for Microsoft Intune app protection policies to become familiar with it. Before creating an app protection policy, review the prerequisites and support information.

Follow these steps to create an app protection policy:

  1. Go to the Azure portal and enter your credentials.

  2. Choose More Services, and type "Intune".

  3. Choose Intune App Protection.

  4. Choose Intune mobile application management > Settings to open the All Settings blade.

    Screenshot of the Intune mobile application management blade

  5. In the All Settings blade, choose App policy. This opens the App policy blade, where you create new policies and edit existing ones. Choose Add a policy.

    Screenshot of the App policy blade with the Add a policy menu option highlighted

  6. Type a name for the policy, add a brief description, and select the platform type to create a policy for iOS or Android. You can create more than one policy for each platform.

    Screenshot of the Add a policy blade

  7. Choose Apps to open the Apps blade, which lists the available apps. Select one or more apps from the list that you want to associate with the policy you are creating. When you have selected the apps, choose Select at the bottom of the Apps blade to save your selection.

    Important

    You must select at least one app to create a policy.

  8. On the Add a policy blade, choose Configure required settings to open the policy settings blade.

    There are two categories of policy settings: Data relocation and Access. Data relocation policies apply to the movement of data into and out of the apps, while access policies determine how the end user accesses the apps in a work context. To get you started, the policy settings have default values. You do not have to make any changes if the defaults meet your requirements.

    Tip

    These policy settings are enforced only when the apps are used in a work context. When the end user uses an app for a personal task, the policies do not apply.

    Screenshot of the Settings blade and the Add a policy blade

  9. Choose OK to save this configuration. You are now back on the Add a policy blade. Choose Create to create the policy and save your settings.

    Screenshot of the Add a policy blade with Apps and Settings configured

When you finish creating a policy as described in the previous procedure, it is not yet deployed to any users. To deploy it, see the section "Deploy a policy to users" below.

Important

If you create an app protection policy for an app using the Intune admin console and another using the Azure portal, the policy created in the Azure portal takes precedence. However, reporting in the Intune or Configuration Manager console reports the policy settings created in the Intune admin console. For example:

  • You created an app protection policy in the Intune admin console that blocks copy from an app.
  • You created an app protection policy in the Azure console that allows copy from the app.
  • You associated both policies with the same app.
  • The policy created in the Azure console takes precedence, so copy is allowed.
  • However, status and reports in the Intune console incorrectly indicate that copy is blocked.

Line of Business (LOB) apps (optional)

Beginning with the Intune 1703 release, you can add LOB apps to Intune when creating a new app protection policy. This lets you define app protection policies for LOB apps using the MAM SDK, without requiring full app deployment permissions.

Tip

You can also add LOB apps to Intune when going through the Intune App SDK workflow.

Important

Users who have only the specific permissions for deploying MAM apps, and not the full app deployment permissions that would let them deploy any app in Intune, cannot go through the Intune SDK workflow, but they can still add their LOB apps through the MAM app protection policy creation workflow.

To add LOB apps (iOS and Android)

  1. On the Add a policy blade, choose Configure Apps to open the Apps blade.

    Screenshot of the MAM Add a policy blade

  2. Click More apps, enter the Bundle ID (for iOS) or package ID (for Android), and then click Select to add your LOB apps.

    Screenshot of the MAM More apps blade

To add LOB apps (Windows)

Important

You need to select Windows 10 from the platform drop-down list when creating a new app protection policy.

  1. On the Add a policy blade, choose Allowed apps or Exempt apps to open the Allowed or Exempt apps blade.

    Note
    • Allowed apps: the apps that must adhere to this policy.
    • Exempt apps: apps that are exempt from this policy and can access corporate data without restrictions.

  2. On the Allowed or Exempt apps blade, click Add apps. You can add recommended Microsoft apps, store apps, or desktop apps.

    a. Recommended apps: a pre-populated list of (mostly Office) apps that admins can easily import into the policy.

    b. Store apps: admins can add any app from the Windows Store to the policy.

    c. Windows desktop apps: admins can add any traditional Windows desktop app to the policy (for example, .exe or .dll files).

Deploy a policy to users

  1. In the Policy blade, choose User groups, which opens the User groups blade. Choose Add user group in the User groups blade to open the Add user group blade.

    Screenshot of the User groups blade with the Add user group menu option highlighted

  2. A list of user groups is displayed on the Add user group blade. This is the list of all security groups in your Azure Active Directory. Select the user groups you want this policy to apply to, and then choose Select. Choosing Select deploys the policy to those users.

    Screenshot of the Add user group blade showing the list of Azure Active Directory users

    You have now created a policy and deployed it to users.

Only users with an Intune license assigned to them are affected by the policy. Users in the selected security group who do not have an Intune license assigned are not affected.

Important

If you are using Intune with Configuration Manager to manage your iOS and Android devices, the policy is applied only to users who are directly in the group you selected. Members of child groups nested within that group are not affected.
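The targeting rules on this page (only licensed users are affected, and only direct group members when Intune is used with Configuration Manager) and the precedence rule above (the Azure portal policy is enforced while the Intune or Configuration Manager console reports the admin-console policy) are easy to misread in a status report. The following Python model is added here as an illustration; it is not part of this page and not an Intune API. The users, groups, app name and policies are constructed sample data, and the function names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed model of two rules stated on this page:
#  (1) when both consoles hold a policy for the same app, the Azure portal
#      policy is enforced, but the Intune/ConfigMgr console reports the
#      admin-console policy;
#  (2) a policy affects only Intune-licensed users, and with Configuration
#      Manager only direct members of the selected group (no nested groups).
# All names below are invented sample data, not real tenant objects.


@dataclass
class Policy:
    name: str
    source: str            # "azure" (Azure portal) or "intune_console" (Intune admin console)
    apps: frozenset        # app identifiers the policy is associated with
    settings: dict         # e.g. {"copy": "block"}
    groups: frozenset      # Azure AD security group ids the policy is assigned to


@dataclass
class Group:
    members: frozenset                  # user ids directly in the group
    children: frozenset = frozenset()   # nested child group ids


def group_members(groups, gid, include_nested, _seen=None):
    """Users in a group; with include_nested, users of nested child groups too."""
    seen = _seen if _seen is not None else set()
    if gid in seen or gid not in groups:
        return set()                    # unknown group or cycle guard
    seen.add(gid)
    users = set(groups[gid].members)
    if include_nested:
        for child in groups[gid].children:
            users |= group_members(groups, child, True, seen)
    return users


def targeted_users(policy, groups, licensed, using_configmgr):
    """Users the policy actually affects: group members (direct only when
    Intune is used with Configuration Manager) who hold an Intune license."""
    users = set()
    for gid in policy.groups:
        users |= group_members(groups, gid, include_nested=not using_configmgr)
    return users & set(licensed)


def _candidates(policies, app, user, groups, licensed, using_configmgr):
    return [p for p in policies
            if app in p.apps and user in targeted_users(p, groups, licensed, using_configmgr)]


def enforced_policy(policies, app, user, groups, licensed, using_configmgr=False):
    """Policy enforced on the app for this user: the Azure portal policy wins."""
    cands = _candidates(policies, app, user, groups, licensed, using_configmgr)
    if not cands:
        return None
    azure = [p for p in cands if p.source == "azure"]
    return (azure or cands)[0]


def reported_policy(policies, app, user, groups, licensed, using_configmgr=False):
    """Policy the Intune/ConfigMgr console reports: the admin-console policy."""
    cands = _candidates(policies, app, user, groups, licensed, using_configmgr)
    if not cands:
        return None
    console = [p for p in cands if p.source == "intune_console"]
    return (console or cands)[0]


# Constructed sample tenant: "sales" contains alice and carol directly and
# nests "sales-interns" (bob). carol has no Intune license.
GROUPS = {
    "sales": Group(members=frozenset({"alice", "carol"}), children=frozenset({"sales-interns"})),
    "sales-interns": Group(members=frozenset({"bob"})),
}
LICENSED = frozenset({"alice", "bob"})
POLICIES = [
    Policy("Console-BlockCopy", "intune_console", frozenset({"outlook"}), {"copy": "block"}, frozenset({"sales"})),
    Policy("Azure-AllowCopy", "azure", frozenset({"outlook"}), {"copy": "allow"}, frozenset({"sales"})),
]


def copy_behaviour(user, using_configmgr=False):
    """(enforced, reported) copy setting for the sample 'outlook' app for a user."""
    e = enforced_policy(POLICIES, "outlook", user, GROUPS, LICENSED, using_configmgr)
    r = reported_policy(POLICIES, "outlook", user, GROUPS, LICENSED, using_configmgr)
    return (e.settings["copy"] if e else None, r.settings["copy"] if r else None)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, "intune-only:", copy_behaviour(u), "with ConfigMgr:", copy_behaviour(u, True))
```

Running the block shows the mismatch the page warns about: alice is enforced "allow" while the console reports "block"; bob, a nested member, drops out of the policy entirely once Configuration Manager is in the picture; unlicensed carol is never affected.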

End users can download the apps from the App Store or Google Play. For more information, see:

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change an existing policy, users who are already signed in to the apps do not see the changes for an 8-hour period.

To see the effect of the changes immediately, the end user must sign out of the app and sign back in.

To change the list of apps associated with the policy

  1. In the App policy blade, choose the policy you want to change. This opens a blade specific to the selected policy.

    Screenshot of an existing policy open in a separate blade

  2. In the policy blade, choose Targeted apps to open the list of apps.

  3. Remove or add apps in the list, and choose the Save icon to save your changes.

To change the list of user groups

  1. In the App policy blade, choose the policy you want to change. This opens the blade specific to the selected policy.

  2. In the policy blade, choose User groups to open the User groups blade, which lists the user groups that currently have this policy.

  3. To add a new user group to the policy, choose Add user group, and select the user group. Choose Select to deploy the policy to the selected group.

    Screenshot of the Add user group blade with two user groups selected

  4. To delete a user group, highlight the user group you want to remove. Then choose the ellipsis (…) and choose Delete to remove the user group.

    Screenshot showing the Delete option

To change policy settings

  1. In the App policy blade, choose the policy you want to change. This opens a blade specific to the selected policy.

    Screenshot of an existing policy open in a separate blade

  2. Choose Policy settings to open the Policy settings blade.

  3. Change the settings, and choose the Save icon to save your changes.

    Screenshot of the Policy settings blade with the Save menu option at the top

Policy settings

To see the full list of policy settings for iOS and Android, select one of the following:

Next steps

Monitor compliance and user status

See also

To provide product feedback, visit Intune Feedback