Use a custom policy to create a per-app VPN profile for Android devices

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

You can create a per-app VPN profile for Android 5.0 and later devices that are managed by Intune. First, create a VPN profile that uses the Pulse Secure or Citrix connection type. Then, create a custom configuration policy that associates the VPN profile with specific apps.

After you deploy the policy to your Android device or user groups, users should start the Pulse Secure or Citrix VPN. The connection will then allow traffic only from the specified apps to use the open VPN connection.

Note

Only the Pulse Secure and Citrix connection types are supported for this profile.

Step 1: Create a VPN profile

  1. In the Microsoft Intune administration console, choose Policy > Add Policy.
  2. To select a template for the new policy, expand Android, and then choose VPN Profile (Android 4 and later).
  3. In the template, for Connection type, choose Pulse Secure or Citrix.
  4. Finish and save the VPN profile. For more details about VPN profiles, see VPN connections.

Note

Take note of the value you specify for VPN Connection name (displayed to users) when creating the VPN profile. You will need it in the next step. For example, MyAppVpnProfile.

Step 2: Create a custom configuration policy

  1. In the Intune admin console, choose Policy > Add Policy > Android > Custom configuration > Create Policy.
  2. Enter a name for the policy.
  3. Under OMA-URI settings, choose Add.
  4. Enter a setting name.
  5. For Data type, specify String.
  6. For OMA-URI, specify this string: ./Vendor/MSFT/VPN/Profile/Name/PackageList, where Name is the VPN profile name you noted in Step 1. In our example, the string would be ./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/PackageList.
  7. For Value, create a semicolon-separated list of packages to associate with the profile. For example, if you want Excel and the Google Chrome browser to use the VPN connection, enter com.microsoft.office.excel;com.android.chrome.

[Figure: Android per-app VPN custom policy example]

Set your app list to blacklist or whitelist (optional)

You can specify a list of apps that cannot use the VPN connection by using the BLACKLIST value. All other apps will connect through the VPN. Alternatively, you can use the WHITELIST value to specify a list of apps that can use the VPN connection. Apps that are not on the list will not connect through the VPN.

  1. Under OMA-URI settings, choose Add.
  2. Enter a setting name.
  3. For Data type, specify String.
  4. For OMA-URI, use this string: ./Vendor/MSFT/VPN/Profile/Name/Mode, where Name is the VPN profile name you noted in Step 1. In our example, the string would be ./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/Mode.
  5. For Value, enter BLACKLIST or WHITELIST.
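
The PackageList and Mode settings can be generated and checked before you enter them in the console, which matters because with WHITELIST a misspelled package name leaves that app off the VPN. The following Python code is an added example, not part of the original Intune documentation; the function name, the row layout, and the rule that the profile name must be non-empty and contain no "/" are assumptions of this example.

```python
import re

# Android application IDs: at least two dot-separated segments, each starting
# with a letter and containing only letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")
MODES = {"BLACKLIST", "WHITELIST"}  # the two values the page documents
BASE = "./Vendor/MSFT/VPN/Profile"


def build_per_app_vpn_settings(profile_name, packages, mode=None):
    """Return the OMA-URI rows (all Data type String) for the custom policy.

    Raises ValueError on input that would silently change which apps use the
    VPN, such as a malformed or duplicated package name.
    """
    name = profile_name.strip()
    # Assumption of this example: the name is one path segment of the OMA-URI.
    if not name or "/" in name:
        raise ValueError(f"unusable VPN profile name: {profile_name!r}")

    cleaned, seen = [], set()
    for raw in packages:
        pkg = raw.strip()
        # A stray space or an embedded ';' fails here instead of on the device.
        if not PACKAGE_RE.fullmatch(pkg):
            raise ValueError(f"not a valid Android package name: {raw!r}")
        if pkg in seen:
            raise ValueError(f"duplicate package: {pkg}")
        seen.add(pkg)
        cleaned.append(pkg)
    if not cleaned:
        raise ValueError("package list is empty")

    rows = [{"oma_uri": f"{BASE}/{name}/PackageList",
             "data_type": "String",
             "value": ";".join(cleaned)}]
    if mode is not None:
        if mode not in MODES:  # accept only the exact spellings the page gives
            raise ValueError(f"Mode must be BLACKLIST or WHITELIST, got {mode!r}")
        rows.append({"oma_uri": f"{BASE}/{name}/Mode",
                     "data_type": "String",
                     "value": mode})
    return rows


if __name__ == "__main__":
    for row in build_per_app_vpn_settings(
            "MyAppVpnProfile",
            ["com.microsoft.office.excel", "com.android.chrome"],
            mode="WHITELIST"):
        print(row)
```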

Step 3: Deploy both policies

You must deploy both policies to the same Intune groups.

  1. In the Policy workspace, select the policy that you want to deploy, and then choose Manage Deployment.
  2. In the Manage Deployment dialog box:
    • To deploy the policy, select one or more groups to deploy the policy to, then choose Add > OK.
    • To close the dialog box without deploying the policy, choose Cancel.

A status summary and alerts on the Overview page of the Policy workspace identify issues with the policy that require your attention. A status summary also appears in the Dashboard workspace.