Get ready to configure app protection policies in the Azure portal

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This topic describes the prerequisites and the steps you must complete before you can create app protection policies in the Azure portal.

To understand how Intune app protection policies can protect your company data, see Protect apps and data using app protection policies.

What is the Azure portal?

The Azure portal is the new admin console for creating app protection policies. It supports the following MAM scenarios:

  • Devices that are enrolled in Intune
  • Devices that are managed by another Mobile Device Management (MDM) solution
  • Devices that are not managed by any MDM solution (BYOD)

Currently, both the Intune administrator console and the Azure portal enable you to configure app protection policies. Consider the following:

  • The policies that you create in the Azure portal are supported for all of the MAM scenarios listed previously. The Intune administrator console only supports creating policies for devices that are enrolled and managed by Intune.

  • You might not see all app policy settings in the Intune administrator console because new settings can only be added to the Azure portal.

  • If you create app protection policies in both the Intune admin console and the Azure portal, the policy in the Azure portal is applied to the apps and deployed to users.

    • App protection policies that are created in the Intune admin console cannot be imported into the Azure portal. The app protection policies must be re-created in the Azure portal.
  • Other app management features, such as deploying apps and app configuration policies, are currently only available in the Intune administrator console.

If you are new to the Azure portal, read Azure portal for Microsoft Intune app protection policies to get the basics of using the Azure portal.

For instructions about how to create an app policy on the Intune admin console, see Configure and deploy app protection policies in the Microsoft Intune console.

Supported platforms

  • iOS 8.1 or later
  • Android 4 or later
  • Windows 10

Note

Beginning with version 1703, app protection policies can be defined for Windows 10 devices in the MAM without enrollment scenario. For details, see Protect your enterprise data using Windows Information Protection (WIP).

Supported apps

  • Microsoft apps: These apps have the Intune App SDK built in and require no further processing before you apply app protection policies. To see the full list of supported Microsoft apps, go to the Microsoft Intune mobile application gallery on the Microsoft Intune application partners page. Click an app to see the supported scenarios and platforms, and to see whether the app supports multiple identities.

  • Your organization's line-of-business apps: You must prepare these apps to include the Intune App SDK before you can apply app protection policies.

Prerequisites

  • A Microsoft Intune subscription. Users need Intune licenses to get apps that have app protection policies. You already have an Intune subscription if you are currently using Intune to manage your devices. You also have an Intune subscription if you have purchased an Enterprise Mobility Suite (EMS) license. If you are trying Intune to check out the MAM capabilities, you can get a trial account on the Microsoft Intune page.

    To verify whether you have an Intune subscription, in the Office portal, go to the Billing page. If you have a subscription, you should see Intune as Active in the subscriptions.

  • An Office 365 subscription, which is required for the following:

    • To apply app protection policies to apps with multiple-identity support.

    • To create SharePoint Online and Exchange Online work accounts. Exchange on-premises and SharePoint on-premises are not supported.

  • Skype for Business Online setup for modern authentication. For more information, see Enable modern authentication.

  • Azure Active Directory (Azure AD) to create users. Azure AD authenticates users when they open the app and enter their work credentials.

    Note

    User groups must be set up in Azure AD. Intune user groups cannot be used to deploy app protection policies in the Azure portal.

Create users and assign Microsoft Intune licenses

  1. Sign in to the Office portal with your admin credentials.

  2. Add users as described in the Steps to complete a 30-day evaluation of Intune section of the Intune evaluation guide, and then assign Intune licenses. To give a user the ability to access the Office portal, the Azure AD portal, and the Azure portal, assign the Global administrator role to the user.

  3. App protection policies are deployed to user groups in Azure Active Directory. To create user groups for your app protection policies, create a user group as described in the Create a user group section of Create groups to organize evaluation subscription users and devices.

Assign roles to non-global admin users

Global administrators have access to the Azure portal. If you want users who are not global administrators to be able to configure policies and do other mobile app management tasks, check the Use role assignments to manage access to your Azure subscription resources article.

Next steps

Create and deploy app protection policies with Microsoft Intune