Manage data transfer between iOS apps with Microsoft Intune

Applies to: Intune in the classic console

Manage iOS apps

Protecting your company data includes making sure that file transfers are restricted to apps that are managed by you. You can manage iOS apps in the following ways:

  • Prevent company data loss by configuring an app protection policy for the apps, which we will refer to as policy-managed apps.

  • You can also deploy and manage apps through the MDM channel. This requires that the devices are enrolled in the MDM solution. These can be policy-managed apps or other managed apps.

The Open-in management feature for iOS devices can limit file transfers between apps that are deployed through the MDM channel. Open-in management restrictions are set in configuration settings and deployed using your MDM solution. When the user installs the deployed app, the restrictions you set are applied.

Manage data transfer between iOS apps

App protection policies can be used with the iOS Open in management feature to protect company data in the following ways:

  • Employee-owned devices not managed by any MDM solution: You can set the app protection policy setting to Allow app to transfer data to only managed apps. When the end user opens a protected file in an app that is not policy-managed, the file is unreadable.

  • Devices managed by Intune: For devices enrolled in Intune, data transfer between apps with app protection policies and other managed iOS apps deployed through Intune is allowed automatically. To allow data transfer between apps with app protection policies, enable the Allow app to transfer data to only managed apps setting. You can use the Open in management feature to control data transfer between apps that are deployed through Intune.

  • Devices managed by a third-party MDM solution: You can restrict data transfer to only managed apps by using the iOS Open in management feature. To make sure that apps that you deploy using your third-party MDM solution are also associated with the app protection policies you have configured in Intune, you must configure the user UPN setting as described in the Configure user UPN setting walkthrough. When apps are deployed with the user UPN setting, the app protection policies are applied to the app when the end user signs in using their work account.

Important

The user UPN setting is only required for apps deployed to devices managed by a third-party MDM. For Intune-managed devices, this setting is not required.

Configure user UPN setting for third-party EMM

Configuring the user UPN setting is required for devices that are managed by a third-party EMM solution. The procedure described below is a general flow on how to configure the UPN setting and the resulting end user experience:

  1. In the Azure portal, configure an app protection policy for iOS platform. Configure policy settings per your company requirements and select the apps that should have this policy.

  2. Deploy the apps and the email profile that you want managed through your third-party MDM solution using the generalized steps below. This experience is also covered by Example 1.

    1. Deploy the app with the following app configuration settings:

      key = IntuneMAMUPN, value = username@company.com

      Example: ['IntuneMAMUPN', 'jondoe@microsoft.com']

    2. Deploy the Open in management policy using your third-party MDM provider to enrolled devices.

Example 1: Admin experience in third-party MDM console

  1. Go to the admin console of your third-party MDM provider. Go to the section of the console in which you deploy application configuration settings to enrolled iOS devices.

  2. In the Application Configuration section, enter the following setting:

    key = IntuneMAMUPN, value = username@company.com

    The exact syntax of the key/value pair may differ based on your third-party MDM provider. The table below shows examples of third-party MDM providers and the exact values you should enter for the key/value pair.

| Third-party MDM provider | Configuration Key | Value Type | Configuration Value |
|---|---|---|---|
| VMware AirWatch | IntuneMAMUPN | String | {UserPrincipalName} |
| MobileIron Core | IntuneMAMUPN | String | $EMAIL$ or $USER_UPN$ |
| MobileIron Cloud | IntuneMAMUPN | String | ${userUPN} or ${userEmailAddress} |
| ManageEngine Mobile Device Manager | IntuneMAMUPN | String | %upn% |

Example 2: End-user experience

  1. End user installs Microsoft Word app on the device.

  2. End user launches the managed native email app to access their email.

  3. End user tries to open document from native mail in Microsoft Word.

  4. When the Word app launches, the end user is prompted to log in using their work account. The work account the end user enters when prompted should match the account you specified in the app configuration settings for the Microsoft Word app.

    Note

    The end user can add other personal accounts to Word to do their personal work and not be affected by the app protection policies when using the Word app in a personal context.

  5. When the login is successful, the app protection policy settings are applied to the Word app.

  6. Now the file transfer has succeeded and the document is tagged as corporate identity in the app. In addition, the file is treated in a work context and the policy settings are applied accordingly.
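The following Python check is an added example, not code from Microsoft's documentation. It covers the console entry from Example 1 and the account match from step 4 of Example 2. The function names and sample data are hypothetical, and it assumes the key name is matched exactly, the MDM replaces the token with the user's UPN before delivery, and UPNs compare case-insensitively.

```python
import re

# Provider tokens copied from the table on this page.
PROVIDER_TOKENS = {
    "VMware AirWatch": {"{UserPrincipalName}"},
    "MobileIron Core": {"$EMAIL$", "$USER_UPN$"},
    "MobileIron Cloud": {"${userUPN}", "${userEmailAddress}"},
    "ManageEngine Mobile Device Manager": {"%upn%"},
}
ALL_TOKENS = set().union(*PROVIDER_TOKENS.values())
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # loose user@domain shape

def check_console_entry(provider, key, value):
    """Check what the admin typed into the MDM console (Example 1, step 2)."""
    issues = []
    if key != "IntuneMAMUPN":  # assumption: key name must match exactly
        issues.append(f"key is {key!r}, expected 'IntuneMAMUPN'")
    allowed = PROVIDER_TOKENS.get(provider, set())
    if value not in allowed:
        issues.append(f"value {value!r} is not a listed token for {provider!r}")
    return issues

def check_delivered_config(app_config, signin_account):
    """Check the key/value pair an app received against the sign-in account."""
    issues = []
    value = app_config.get("IntuneMAMUPN")
    if value is None:
        issues.append("IntuneMAMUPN is missing from the app configuration")
    elif not isinstance(value, str):
        issues.append("IntuneMAMUPN must have value type String")
    elif value in ALL_TOKENS:  # assumption: MDM should have substituted this
        issues.append(f"token {value!r} was delivered unresolved")
    elif not UPN_RE.match(value):
        issues.append(f"{value!r} does not look like user@domain")
    elif value.casefold() != signin_account.casefold():
        issues.append("configured UPN does not match the sign-in work account")
    return issues

# Constructed sample data (not taken from a real tenant).
SAMPLES = [
    ({"IntuneMAMUPN": "username@company.com"}, "username@company.com"),
    ({"IntuneMAMUPN": "{UserPrincipalName}"}, "username@company.com"),
    ({"intunemamupn": "username@company.com"}, "username@company.com"),
    ({"IntuneMAMUPN": "username@company.com"}, "other@company.com"),
]
if __name__ == "__main__":
    for config, account in SAMPLES:
        print(config, "->", check_delivered_config(config, account) or "ok")
```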

Validate user UPN setting for third-party EMM

After configuring the user UPN setting, you should validate the iOS app's ability to receive and comply with Intune app protection policy.

For example, the Require app PIN policy setting is easy to visually test on a device. If the policy setting is set to Yes, the end user should see a prompt to set or enter a PIN when attempting to access company data.

First, create and deploy an app protection policy to the iOS app. See Validate app protection policies for more information on how to test app protection policy.

See also

Protect app data using app protection policies with Microsoft Intune
