iOS mobile app protection policy settings

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

The policy settings described in this topic can be configured for an app protection policy on the All Settings blade in the Azure portal.

There are two categories of policy settings: data relocation settings and access settings. In this topic, the term policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings

Setting: Prevent iTunes and iCloud backups
How to use: Choose Yes to prevent this app from backing up work or school data to iTunes and iCloud. Choose No to allow this app to back up work or school data to iTunes and iCloud.
Default value: Yes

Setting: Allow app to transfer data to other apps
How to use: Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.
Additionally, if you set this option to Policy managed apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps will be blocked.
There are some exempt apps and services to which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Allow app to receive data from other apps
How to use: Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Prevent "Save As"
How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
Default value: No

Setting: Restrict cut, copy and paste with other apps
How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

Setting: Restrict web content to display in the Managed Browser
How to use: Choose Yes to enforce web links in the app to be opened in the Managed Browser app.
For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.
If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
Default value: No

Setting: Encrypt app data
How to use: For policy-managed apps, data is encrypted at rest using the device-level encryption scheme provided by iOS. When a PIN is required, the data is encrypted according to the settings in the app protection policy.
Go to the official Apple documentation to see which iOS encryption modules are FIPS 140-2 certified or pending FIPS 140-2 certification.
Specify when work or school data in this app is encrypted. Choose from:
  • When device is locked: All app data that is associated with this policy is encrypted while the device is locked.
  • When device is locked and there are open files: All app data associated with this policy is encrypted while the device is locked, except for data in the files that are currently open in the app.
  • After device restart: All app data associated with this policy is encrypted when the device is restarted, until the device is unlocked for the first time.
  • Use device settings: App data is encrypted based on the default settings on the device.
When you enable this setting, the user may be required to set up and use a PIN to access their device. If there is no device PIN and encryption is required, the apps will not open and the user will be prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
Default value: When device is locked

Setting: Disable contact sync
How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.
When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
Default value: No

Setting: Disable printing
How to use: Choose Yes to prevent the app from printing work or school data.
Default value: No

Setting: Select which storage services corporate data can be saved to
How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint, and Local Storage). All other services will be blocked.
Default value: 0 Selected
Note

None of the data relocation settings controls the Apple managed open-in feature on iOS devices. To manage Apple open-in, see Manage data transfer between iOS apps with Microsoft Intune.

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policy may allow data transfer to and from in certain scenarios. This list is subject to change and reflects the services and apps considered useful for secure productivity.

App/service name(s) and description:
  • tel; telprompt: Native phone app
  • skype: Skype
  • app-settings: Device settings
  • itms; itmss; itms-apps; itms-appss; itms-services: App Store
  • calshow: Native Calendar

Access settings

Setting: Require PIN for access
How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. Default value = Yes.
Configure the following settings for PIN strength:
  • Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. Default value = 5.
  • Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. Default value = Yes.
  • PIN length: Specify the minimum number of digits in a PIN sequence. Default value = 4.
  • Allow fingerprint instead of PIN (iOS 8.0+): Choose Yes to allow the user to use Touch ID instead of a PIN for app access. Default value = Yes.
On iOS devices, you can let the user prove their identity by using Touch ID instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account.
Default value: Require PIN: Yes; PIN reset attempts: 5; Allow simple PIN: Yes; PIN length: 4; Allow fingerprint: Yes

Setting: Require corporate credentials for access
How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, this overrides the requirements for PIN or Touch ID.
Default value: No

Setting: Block managed apps from running on jailbroken or rooted devices
How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user will continue to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
Default value: Yes

Setting: Recheck the access requirements after (minutes)
How to use: Configure the following settings:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN in the policy, a user opens a MAM app, and must enter a PIN. When using this setting, the user would not have to enter a PIN on any MAM app for another 30 minutes (default value).
    Timeout for access requirements is measured in terms of the time of inactivity between any policy-managed application.
  • Offline grace period: This is the number of minutes that MAM apps can run offline; specify the time (in minutes) before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period expires, the app will require user authentication to AAD so the app can continue to run.
Default value: Timeout: 30; Offline: 720

Setting: Offline interval before app data is wiped (days)
How to use: After this many days (defined by the admin) of running offline, the app itself will do a selective wipe. This selective wipe is the same wipe as the one that can be initiated by the admin in the MAM wipe workflow.
Default value: 90 days

Setting: Disable app PIN when device PIN is managed
How to use: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.
Default value: No

Setting: Require minimum iOS operating system
How to use: Choose Yes to require a minimum iOS operating system version to use this app. The user will be blocked from access if the iOS version on the device does not meet the requirement.
Default value: No

Setting: Require minimum iOS operating system (Warning only)
How to use: Choose Yes to require a minimum iOS operating system version to use this app. The user will see a notification if the iOS version on the device does not meet the requirement. This notification can be dismissed.
Default value: No

Setting: Require minimum app version
How to use: Choose Yes to require a minimum app version to use the app. The user will be blocked from access if the app version on the device does not meet the requirement.
When selecting apps to target, note that apps often have distinct versioning schemes between them.
Default value: No

Setting: Require minimum app version (Warning only)
How to use: Choose Yes to recommend a minimum app version to use this app. The user will see a notification if the app version on the device does not meet the requirement. This notification can be dismissed.
When selecting apps to target, note that apps often have distinct versioning schemes between them.
Default value: No

Setting: Require minimum Intune app protection policy SDK version
How to use: Choose Yes to require a minimum Intune app protection policy SDK version in the app. The user will be blocked from access if the app's Intune app protection policy SDK version does not meet the requirement.
To learn more about the Intune app protection policy SDK, see Intune App SDK overview.
Default value: No
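As an added illustration that is not the page's own code or Intune's implementation, the following Python model shows how the Timeout, Offline grace period and Offline interval before app data is wiped settings above interact, using this page's default values; the event model, state fields and action names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Policy values below are the defaults this page documents.
TIMEOUT_MIN = 30                 # Recheck the access requirements after (minutes)
OFFLINE_GRACE_MIN = 720          # Offline grace period (minutes)
OFFLINE_WIPE_MIN = 90 * 24 * 60  # Offline interval before app data is wiped (90 days)

@dataclass
class ManagedAppSession:
    """Constructed model of the access-check state shared by all policy-managed
    apps on one device (an assumption for this example, not Intune's implementation)."""
    last_activity_min: Optional[float] = None  # last foreground use of ANY managed app
    last_online_min: Optional[float] = None    # last time an app could reach AAD
    wiped: bool = False

    def open_app(self, now_min: float, online: bool) -> str:
        """Decide what the user sees when a policy-managed app is opened at now_min."""
        if self.wiped:
            return "wiped"  # work or school data already removed by the selective wipe
        if online:
            self.last_online_min = now_min
        elif self.last_online_min is not None:
            offline_for = now_min - self.last_online_min
            if offline_for >= OFFLINE_WIPE_MIN:
                self.wiped = True  # the app itself performs the selective wipe
                return "selective-wipe"
            if offline_for >= OFFLINE_GRACE_MIN:
                return "blocked-until-aad-auth"  # grace period expired, AAD sign-in needed
        # Timeout is inactivity across ALL policy-managed apps, so a gap of 30 minutes
        # since any of them was used (or the very first launch) asks for the PIN again.
        idle = None if self.last_activity_min is None else now_min - self.last_activity_min
        action = "pin-required" if idle is None or idle >= TIMEOUT_MIN else "allowed"
        self.last_activity_min = now_min
        return action

def demo() -> list:
    """Walk one device through the timeout, offline grace and offline wipe thresholds."""
    s = ManagedAppSession()
    return [
        s.open_app(0, online=True),                       # first launch: PIN
        s.open_app(10, online=True),                      # second app 10 min later: no PIN
        s.open_app(45, online=True),                      # 35 min idle: PIN again
        s.open_app(745, online=False),                    # 700 min offline: still in grace
        s.open_app(770, online=False),                    # 725 min offline: blocked
        s.open_app(45 + OFFLINE_WIPE_MIN, online=False),  # 90 days offline: selective wipe
        s.open_app(46 + OFFLINE_WIPE_MIN, online=True),   # data is gone
    ]
```

Because the timeout counter is shared, switching from Outlook to another policy-managed app within the window does not prompt again, while the offline thresholds are measured from the last successful AAD contact rather than from the last launch.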

Add-ins for Outlook app

Outlook recently brought add-ins to Outlook for iOS, which let you integrate popular apps with the email client. Add-ins for Outlook are available on the web, Windows, Mac, and Outlook for iOS. Since add-ins are managed via Microsoft Exchange, users will be able to share data and messages across Outlook and unmanaged add-in applications unless add-ins are turned off for the user in Exchange.

If you want to stop your end users from accessing and installing Outlook add-ins (this affects all Outlook clients), make sure you have made the following changes to roles in the Exchange admin center:

  • To prevent users from installing Office Store add-ins, remove the My Marketplace role from them.
  • To prevent users from side loading add-ins, remove the My Custom Apps role from them.
  • To prevent users from installing any add-ins, remove both the My Custom Apps and My Marketplace roles from them.

These instructions apply to Office 365, Exchange 2016, and Exchange 2013 across Outlook on the web, Windows, Mac, and mobile.
