Create and deploy Windows Information Protection (WIP) app protection policy with Intune

Applies to: Intune
This topic applies to Intune in both the Azure portal and the classic console.

Beginning with the Intune 1704 release, you can use app protection policies with Windows 10 in the mobile application management (MAM) without enrollment scenario.

Before you begin

Let's talk about a few concepts that matter when adding a WIP policy.

List of Allowed and Exempt apps

  • Allowed apps: These are the apps that need to adhere to this policy.

  • Exempt apps: These apps are exempt from this policy and can access corporate data without restrictions.

Important

Intune recommends adding the Company Portal app to the exempt list so that the app can function properly. To do so, add the following Store app to the list of Exempt apps:

  • Name: Company Portal
  • Publisher: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Product Name: Microsoft.CompanyPortal

Types of apps

  • Recommended apps: a pre-populated list of (mostly Microsoft Office) apps that admins can easily import into a policy.

  • Store apps: Admins can add any app from the Windows Store to the policy.

  • Windows desktop apps: Admins can add any traditional Windows desktop app to the policy (for example, exe, dll, etc.).

Pre-requisites

You need to configure the MAM provider before you can create a WIP app protection policy.

Additionally, you need to have the following:

Important

WIP does not support multi-identity; only one managed identity can exist at a time.

To add a WIP policy

After you set up Intune in your organization, you can create a WIP-specific policy through the Azure portal.

  1. Go to the Intune mobile application management dashboard, choose All settings, and then choose App policy.

  2. In the App policy blade, choose Add a policy, then enter the following values:

    a. Name: Type a name (required) for your new policy.

    b. Description: Type an optional description.

    c. Platform: Choose Windows 10 as the supported platform for your app protection policy.

    d. Enrollment state: Choose Without enrollment as the enrollment state for your policy.

  3. Choose Create. The policy is created and appears in the table on the App policy blade.

  1. From the App policy blade, choose the name of your policy, then choose Allowed apps from the Add a policy blade. The Allowed apps blade opens, showing you all apps that are already included in the list for this app protection policy.

  2. From the Allowed apps blade, choose Add apps. The Add apps blade opens, showing you all apps that are part of this list.

  3. Select each app you want to be able to access your corporate data, and then choose OK. The Allowed apps blade is updated to show all selected apps.

Add a Store app to your Allowed apps list

To add a Store app

  1. From the App policy blade, choose the name of your policy, then choose Allowed apps from the menu that appears. The blade shows all apps that are already included in the list for this app protection policy.

  2. From the Allowed apps blade, choose Add apps.

  3. On the Add apps blade, choose Store apps from the drop-down list. The blade changes to show boxes for you to add a Publisher and app Name.

  4. Type the name of the app and the name of its publisher, and then choose OK.

    Tip

    Here is an app example, where the Publisher is CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and the Product name is Microsoft.MicrosoftAppForWindows.

  5. After you have entered the info into the fields, choose OK to add the app to your Allowed apps list.

Note

To add multiple Store apps at the same time, you can click the menu (…) at the end of the app row, then continue to add more apps. Once you are done, choose OK.

Add a Desktop app to your Allowed apps list

To add a Desktop app

  1. From the App policy blade, choose the name of your policy, and then choose Allowed apps. The Allowed apps blade opens, showing you all apps that are already included in the list for this app protection policy.

  2. From the Allowed apps blade, choose Add apps.

  3. On the Add apps blade, choose Desktop apps from the drop-down list.

  4. After you have entered the info into the fields, choose OK to add the app to your Allowed apps list.

Note

To add multiple Desktop apps at the same time, you can click the menu (…) at the end of the app row, then continue to add more apps. Once you are done, choose OK.
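Both the Store app and the Desktop app procedures above ask you to type a Publisher and a product or app Name exactly as Windows reports them; a mistyped publisher string silently produces a rule that matches nothing, so the app ends up treated as unknown rather than allowed. The following PowerShell snippet is an added example (not part of the Intune documentation) that reads those values from an installed device so they can be pasted into the blade. It assumes a Windows 10 device where the apps are installed; `Get-AppxPackage` and `Get-AuthenticodeSignature` are standard cmdlets, and the notepad.exe path is a placeholder for your own signed desktop binary.

```powershell
# Added example, not from the Intune documentation: collect the Publisher and
# Name values the "Add apps" blade expects, straight from the installed package
# or the signed binary, so they are entered exactly as Windows reports them.

# Store (AppX) apps: the package identity carries both values. Publisher is the
# full certificate subject (CN=..., O=..., L=..., S=..., C=...) and Name is the
# Product Name the blade asks for (for example Microsoft.CompanyPortal).
function Get-WipStoreAppIdentity {
    param(
        # Package name or wildcard, e.g. 'Microsoft.CompanyPortal' or 'Microsoft.Office*'
        [Parameter(Mandatory)] [string] $Name
    )
    Get-AppxPackage -Name $Name |
        Select-Object @{ n = 'ProductName'; e = { $_.Name } },
                      @{ n = 'Publisher';   e = { $_.Publisher } } |
        Sort-Object ProductName -Unique
}

# Desktop apps: the Publisher comes from the subject of the file's Authenticode
# signature and the Product Name from the file's version resource. An unsigned
# binary has no Publisher, which is worth knowing before you write a rule for it.
function Get-WipDesktopAppIdentity {
    param(
        # Full path to the signed executable (placeholder path used in the usage below)
        [Parameter(Mandatory)] [string] $Path
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -Path $Path).VersionInfo
    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        SignatureStatus = $sig.Status                      # Valid, NotSigned, ...
        Publisher       = $sig.SignerCertificate.Subject   # $null when unsigned
        ProductName     = $info.ProductName
        FileVersion     = $info.FileVersion
    }
}

# Usage: the Company Portal app the page recommends exempting, plus one
# signed desktop binary (placeholder path; substitute your own application).
Get-WipStoreAppIdentity   -Name 'Microsoft.CompanyPortal'
Get-WipDesktopAppIdentity -Path 'C:\Windows\System32\notepad.exe'
```

Run it on a reference device that already has the line-of-business apps installed, and compare the Publisher output against what you typed into the blade; the Store app query can take a wildcard, which is a quick way to list every Microsoft.Office* package before deciding which ones belong on the Allowed list.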

Windows Information Protection (WIP) Learning

After you add the apps you want to protect with WIP, you need to apply a protection mode by using WIP Learning.

Before you begin

Windows Information Protection (WIP) Learning is a report that allows admins to monitor their WIP unknown apps. The unknown apps are the ones not deployed by your organization's IT department. The admin can export these apps from the report and add them to their WIP policies to avoid productivity disruption before they enforce WIP in Hide Overrides mode.

We recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your allowed apps list. After you are done, you can change to your final enforcement policy, Hide Overrides.

What are the protection modes?

  • Hide Overrides:
    • WIP looks for inappropriate data sharing practices and stops the user from completing the action.
    • This can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

  • Allow Overrides:
    • WIP looks for inappropriate data sharing, warning users if they do something deemed potentially unsafe.
    • However, this mode lets the user override the policy and share the data, logging the action to your audit log.

  • Silent:
    • WIP runs silently, logging inappropriate data sharing, without blocking anything that would have prompted for employee interaction while in Allow Overrides mode.
    • Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

  • Off (not recommended):
    • WIP is turned off and does not help to protect or audit your data.
    • After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info is not automatically reapplied if you turn WIP protection back on.

To add a protection mode

  1. From the App policy blade, choose the name of your policy, then click Required settings from the Add a policy blade.

    [Screenshot: WIP Learning mode settings]

  2. Choose Save.

To use WIP Learning

  1. Go to the Azure Dashboard.

  2. Choose More services from the left menu, then type Intune in the text box filter.

  3. Choose Intune; the Intune dashboard opens. Choose Mobile Apps.

  4. Choose WIP Learning under the Monitor section. You see the unknown apps logged by WIP Learning.

Important

Once you have the apps showing up in the WIP Learning logging report, you can add them to your app protection policies.

To deploy your WIP app protection policy

Important

This applies to WIP with the mobile application management (MAM) without enrollment scenario.

After you have created your WIP app protection policy, you need to deploy it to your organization using MAM.

  1. On the App policy blade, choose your newly created app protection policy, choose User groups, then choose Add user group.

    A list of user groups, made up of all the security groups in your Azure Active Directory, opens in the Add user group blade.

  2. Choose the group you want your policy to apply to, then click Select to deploy the policy.

To submit product feedback, please visit Intune Feedback.