使用 Microsoft Intune 的 Managed Browser 策略管理 Internet 访问Manage Internet access using managed browser policies with Microsoft Intune

适用于:经典门户中的 IntuneApplies to: Intune in the classic portal
在寻找有关 Azure 门户中 Intune 的文档吗?Looking for documentation about Intune in the Azure portal? 请转到此处Go here.

托管浏览器是一个 Web 浏览应用程序,可以使用 Microsoft Intune 在组织中进行部署。The managed browser is a web browsing application that you can deploy in your organization by using Microsoft Intune. 托管浏览器策略可配置允许列表或阻止列表,限制托管浏览器的用户可以访问的网站。A managed browser policy configures an allow list or a block list that restricts the websites that users of the managed browser can visit.

由于此应用已与 Intune SDK 集成,因此也可以向其应用应用保护策略。Because this app has integration with the Intune SDK, you can also apply app protection policies to it. 这些策略可能包括控制剪切、复制和粘贴的使用,阻止屏幕捕获,以及确保用户选择的内容链接仅在其他托管应用中打开。These policies might include controlling the use of cut, copy, and paste, preventing screen captures, and ensuring that links to content that users select open only in other managed apps. 有关详细信息,请参阅在 Microsoft Intune 控制台中配置和部署移动应用程序管理策略For details, see Configure and deploy mobile application management policies in the Microsoft Intune console.


Managed Browser 应用仅在设备上的其他应用已检索应用保护策略后检索和应用 Intune 应用保护策略。The Managed Browser app only retrieves and applies Intune app protection policies when another app on the device has retrieved an app protection policy.

此外,如果用户从应用商店安装托管浏览器且该浏览器不由 Intune 管理,则以下行为适用:Additionally, if users install the managed browser from the app store and Intune does not manage it, the following behavior applies:

iOS – 托管浏览器应用可以被用作基础 Web 浏览器,但一些功能将不可用,且它将不能访问其他 Intune 管理的应用中的数据。 iOS – The managed browser app can be used as a basic web browser, but some features will not be available, and it will not be able to access data from other Intune-managed apps.
Android – 无法使用托管浏览器应用。 Android – The managed browser app cannot be used.

如果用户自己在版本早于 iOS 9 的 iOS 设备上安装托管浏览器,那么你创建的任何策略都不能对该浏览器进行管理。If users install the managed browser themselves on an iOS device with a version earlier than iOS 9, no policies that you create will manage the browser. 若要确保浏览器由 Intune 管理,则用户必须先卸载该应用,然后你才能将其作为托管应用部署给这些用户。To ensure that Intune manages the browser, users must uninstall the app before you can deploy it to them as a managed app. 在 iOS 9 及更高版本中,如果用户自己安装托管浏览器,系统将提示他们允许托管浏览器由策略管理。On iOS 9 and later, if users install the managed browser themselves, they will be prompted to allow it to become managed by policy.

可以针对以下设备类型创建 Managed Browser 策略:You can create managed browser policies for the following device types:

  • 运行 Android 4 和更高版本的设备Devices that run Android 4 and later

  • 运行 iOS 8.0 及更高版本的设备Devices that run iOS 8.0 and later

Intune Managed Browser 支持从 Microsoft Intune 应用程序合作伙伴打开 Web 内容。The Intune managed browser supports opening web content from Microsoft Intune application partners.

创建托管浏览器策略Create a managed browser policy

  1. Microsoft Intune 管理控制台中,选择“策略”>“添加策略”。In the Microsoft Intune administration console, choose Policy > Add Policy.

  2. 配置以下 “软件” 策略类型之一:Configure one of the following Software policy types:

    • Managed Browser(Android 4 和更高版本)Managed Browser (Android 4 and later)

    • Managed Browser(iOS 8.0 及更高版)Managed Browser (iOS 8.0 and later)

    有关如何创建和部署策略的详细信息,请参阅 Manage settings and features on your devices with Microsoft Intune Policies(使用 Microsoft Intune 策略管理设备的设置和功能)主题。For more information about how to create and deploy policies, see the Manage settings and features on your devices with Microsoft Intune Policies topic.

  3. 使用以下内容来帮助你配置托管浏览器策略设置:Use the following to help you configure the managed browser policy settings:

    • 名称Name. 输入托管浏览器策略的唯一名称,以帮助你在 Intune 控制台中识别它。Enter a unique name for the managed browser policy to help you identify it in the Intune console.
    • 说明Description. 提供对托管浏览器策略的概述以及可帮助你查找策略的其他相关信息。Provide a description that gives an overview of the managed browser policy and other relevant information that helps you to locate it.
    • “启用允许列表或阻止列表,以限制托管浏览器可以打开的 URL”。Enable an allow list or block list to restrict the URLs the Managed Browser can open. 选择下列选项之一:Select one of the following options:
      • “允许托管的浏览器仅打开下面列出的 URL”。Allow the managed browser to open only the URLs listed below. 指定托管浏览器可以打开的 URL 列表。Specify a list of URLs that the managed browser can open.
      • “阻止托管浏览器打开下面列出的 URL”。Block the managed browser from opening the URLs listed below. 指定将阻止托管浏览器打开的 URL 列表。Specify a list of URLs that the managed browser will be blocked from opening. 注意:不能在相同的托管浏览器策略中同时包括允许的 URL 和阻止的 URL。Note: You cannot include both allowed and blocked URLs in the same managed browser policy. 有关可以指定的 URL 格式的详细信息,请参阅本主题中的允许的和阻止的 URL 的 URL 格式For more information about the URL formats you can specify, see URL format for allowed and blocked URLs in this topic.
  4. 完成后,请选择“保存策略”When you are finished, choose Save Policy.

新的策略将在“策略”工作区的“配置策略”节点处显示。The new policy appears in the Configuration Policies node of the Policy workspace.

创建托管浏览器应用的部署Create a deployment for the managed browser app

在创建托管浏览器策略后,可以创建托管浏览器应用的软件部署,并将它与所创建的托管浏览器策略相关联。After you have created the managed browser policy, you can then create a software deployment for the managed browser app, and associate it with the managed browser policy that you created.


托管浏览器策略的部署方式不同于其他 Intune 策略。Managed browser policies are not deployed in the same way as other Intune polices. 这种类型的策略必须与托管浏览器软件包相关联。This type of policy must be associated with the managed browser software package.

部署该应用,确保在 “移动应用管理” 页上选择托管浏览器策略,以使策略与应用相关联。Deploy the app, ensuring that you select the managed browser policy on the Mobile App Management page to associate the policy with the app.

有关如何部署应用的详细信息,请参阅在 Microsoft Intune 中部署应用For more information about how to deploy apps, see Deploy apps in Microsoft Intune.

Managed Browser 的安全和隐私Security and privacy for the managed browser

  • 在 iOS 设备上,如果用户访问的网站的证书已过期或不受信任,则无法打开该网站。On iOS devices, websites that users visit that have an expired or untrusted certificate cannot be opened.

  • Managed Browser 不使用用户在设备上对内置浏览器进行的设置。The managed browser does not use settings that users make for the built-in browser on their devices. 这是因为 Managed Browser 无权访问这些设置。This is because the managed browser does not have access to these settings.

  • 如果你在与 Managed Browser 关联的移动应用程序管理策略中配置了“访问需要简单 PIN”或“访问需要公司凭据”选项,且用户选择了“身份验证”页上的帮助链接,则他们可以浏览任何 Internet 站点,而无需考虑这些网站是否已添加到 Managed Browser 策略中的阻止列表。If you configure the option Require simple PIN for access or Require corporate credentials for access in a mobile application management policy associated with the managed browser, and a user selects the help link on the authentication page, they can then browse any Internet sites regardless of whether they were added to a block list in the managed browser policy.

  • Managed Browser 仅能在直接访问站点时阻止访问。The managed browser can block access to sites only when they are accessed directly. 使用中间服务(例如翻译服务)访问站点时,该策略则无法阻止访问。It cannot block access when intermediate services (such as a translation service) are used to access the site.

  • 若要允许身份验证并确保可以访问 Intune 文档,请从允许或阻止列表设置中移除 *.microsoft.comTo allow authentication, and to ensure that the Intune documentation can be accessed,*.microsoft.com is exempt from the allow or block list settings. 始终允许。It is always allowed.

关闭用法数据Turn off usage data

Microsoft 会自动收集有关性能和 Managed Browser 使用情况的匿名数据,以改进 Microsoft 产品和服务。Microsoft automatically collects anonymous data about the performance and use of the managed browser to improve Microsoft products and services. 用户可通过使用设备上的“使用情况数据”设置关闭数据收集。Users can turn off data collection by using the Usage Data setting on their devices. 不具有对此数据的收集的控制。You have no control over the collection of this data.

参考信息Reference information

允许的 URL 和阻止的 URL 的格式URL format for allowed and blocked URLs

使用以下信息来了解有关指定允许和阻止列表中的 URL 时允许使用的格式和通配符:Use the following information to learn about the allowed formats and wildcards that you can use when specifying URLs in the allowed and blocked lists:

  • 可以根据以下允许模式列表中的规则使用通配符 (*)。You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.

  • 在将 URL 输入列表时,确保对所有 URL 添加 “http”“https” 作为前缀。Ensure that you prefix all URLs with http or https when entering them into the list.

  • 可以在地址中指定端口号。You can specify port numbers in the address. 如果未指定端口号,将使用以下值:If you do not specify a port number, the values used will be:

    • 对于 http,使用端口 80Port 80 for http

    • 对于 https,使用端口 443Port 443 for https

    不支持对端口号使用通配符。Using wildcards for the port number is not supported. 例如,http://www.contoso.com:*;http://www.contoso.com: /*; 不受支持。For example, http://www.contoso.com:*; and http://www.contoso.com: /*; are not supported.

  • 使用下表了解指定 URL 时可以使用的允许模式:Use the following table to learn about the permitted patterns that you can use when you specify URLs:

URLURL 详细信息Details 匹配Matches 不匹配Does not match
http://www.contoso.comhttp://www.contoso.com 匹配单个页面Matches a single page www.contoso.comwww.contoso.com host.contoso.comhost.contoso.com


http://contoso.comhttp://contoso.com 匹配单个页面Matches a single page contoso.com/contoso.com/ host.contoso.comhost.contoso.com


http://www.contoso.com/*;http://www.contoso.com/*; 匹配以 www.contoso.com 开头的所有 URLMatches all URLs that begin with www.contoso.com www.contoso.comwww.contoso.com



http://*.contoso.com/*http://*.contoso.com/* 匹配 contoso.com 下的所有子域Matches all subdomains under contoso.com developer.contoso.com/resourcesdeveloper.contoso.com/resources


http://www.contoso.com/imageshttp://www.contoso.com/images 匹配单个文件夹Matches a single folder www.contoso.com/imageswww.contoso.com/images www.contoso.com/images/dogswww.contoso.com/images/dogs
http://www.contoso.com:80http://www.contoso.com:80 匹配单个页面(使用端口号)Matches a single page, by using a port number http://www.contoso.com:80http://www.contoso.com:80
https://www.contoso.comhttps://www.contoso.com 匹配单个安全页面Matches a single, secure page https://www.contoso.comhttps://www.contoso.com http://www.contoso.comhttp://www.contoso.com
http://www.contoso.com/images/*;http://www.contoso.com/images/*; 匹配单个文件夹和所有子文件夹Matches a single folder and all subfolders www.contoso.com/images/dogswww.contoso.com/images/dogs

  • 以下是一些你不能指定的输入的示例:The following are examples of some of the inputs that you cannot specify:

    • *.com*.com

    • *.contoso/**.contoso/*

    • www.contoso.com/*imageswww.contoso.com/*images

    • www.contoso.com/*images*pigswww.contoso.com/*images*pigs

    • www.contoso.com/page*www.contoso.com/page*

    • IP 地址IP addresses

    • https://*https://*

    • http://*http://*

    • http://www.contoso.com:*http://www.contoso.com:*

    • http://www.contoso.com: /*http://www.contoso.com: /*

允许和阻止列表之间的冲突的解决方式How conflicts between the allow and block list are resolved

如果向一个设备部署多个托管浏览器策略,并且出现设置冲突,则将评估模式(允许或阻止)以及 URL 列表中的冲突。If multiple managed browser policies are deployed to a device and the settings conflict, both the mode (allow or block) and the URL lists are evaluated for conflicts. 发生冲突时,以下行为适用:In case of a conflict, the following behavior applies:

  • 如果每个策略中的模式相同但 URL 列表不同,则不会在设备上强制执行 URL。If the modes in each policy are the same, but the URL lists are different, the URLs will not be enforced on the device.

  • 如果每个策略中的模式不同但 URL 列表相同,则不会在设备上强制执行 URL。If the modes in each policy are different, but the URL lists are the same, the URLs will not be enforced on the device.

  • 如果设备是首次接收托管浏览器策略而两个策略发生冲突,则不会在设备上强制执行 URL。If a device is receiving managed browser policies for the first time and two policies conflict, the URLs will not be enforced on the device. 使用 “策略” 工作区的 “策略冲突” 节点查看这些冲突。Use the Policy Conflicts node of the Policy workspace to view the conflicts.

  • 如果设备已接收托管浏览器策略而部署的第二个策略具有冲突的设置,则将在设备上保留原始设置。If a device has already received a managed browser policy and a second policy is deployed with conflicting settings, the original settings remain on the device. 使用 “策略” 工作区的 “策略冲突” 节点查看这些冲突。Use the Policy Conflicts node of the Policy workspace to view the conflicts.