Protect app data using app protection policies with Microsoft Intune

Applies to: Intune in the classic console

How you can protect app data

Your employees use mobile devices for both personal and work tasks. While you're making sure your employees can be productive, you also want to prevent data loss—intentional and unintentional. In addition, you want to have the ability to protect company data that employees access by using devices that you don't manage.

You can use Intune app protection policies to help protect your company’s data. Because Intune app protection policies can be used independent of any mobile device management (MDM) solution, you can use MAM to protect your company’s data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

You can configure app protection policies for apps running on devices that are:

  • Enrolled in Microsoft Intune: The devices in this category are typically corporate-owned devices.

  • Enrolled in a third-party MDM solution: The devices in this category are typically corporate-owned devices.


    We don't recommend using app protection policies with third-party mobile application management or secure container solutions.

  • Not enrolled in any MDM solution: The devices in this category are typically employee-owned devices that are not managed or enrolled in Intune or other MDM solutions.


You can create app protection policies for Office mobile apps that connect to Office 365 services. App protection policies are not supported for apps that connect to on-premises Exchange, Skype for Business, or SharePoint services.

Benefits of using app protection policies

  • They help protect your company data at the app level. Because mobile application management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

  • User productivity is not impacted, and the policies aren't applied when you're using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.

There are additional benefits to using MDM with app protection policies, and companies can use MAM with and without MDM at the same time. For example, an employee might use a company-issued phone, as well as a personal tablet. In this case, the company phone is enrolled in MDM and protected by app protection policies, and the personal device is protected by app protection policies only.

  • MDM makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution to give you more control over app management.

  • App protection policies make sure that the app-layer protections are in place. For example, you can have a policy that requires a PIN to open an app in a work context, prevents data from being shared between apps, and prevents company app data from being saved to a personal storage location.

Devices that support MAM

App protection policies are currently supported on:

  • iOS 8.1 or later
  • Android 4 or later

Windows devices are not supported in the MAM without enrollment scenario. However, when you enroll Windows 10 devices with Intune, you can use Windows Information Protection, which offers similar functionality. For details, see Protect your enterprise data using Windows Information Protection (WIP).

How app protection policies protect app data

Apps without app protection policies


When you use apps without restrictions, company and personal data can get intermingled. Company data might end up in locations like personal storage or might be transferred to apps outside of your purview, which could result in data loss. The arrows in the diagram show unrestricted data movement between apps (corporate and personal) and to storage locations.

Data protection with app protection policies


You can use app protection policies to prevent company data from saving to the local storage of the device, and to restrict data movement to other apps that aren't protected by app protection policies. App protection policy settings include:

  • Data relocation policies like Prevent Save As and Restrict cut, copy, and paste.
  • Access policy settings like Require simple PIN for access and Block managed apps from running on jailbroken or rooted devices.

Data protection with app protection on devices that are managed by an MDM solution

Image showing how app protection policies work on BYOD devices

For devices enrolled in an MDM solution: The preceding diagram shows the layers of protection that MDM and app protection policies offer together.

The MDM solution:

  • Enrolls the device.

  • Deploys apps to the device.

  • Provides ongoing device compliance and management.

App protection policies add value because they:

  • Help protect company data from leaking to consumer apps and services.

  • Apply restrictions (save-as, clipboard, PIN, etc.) to mobile apps.

  • Wipe company data from apps without removing those apps from the device.

Data protection with app protection policies for devices without enrollment


The preceding diagram illustrates how data protection policies work at the app level without MDM.

For BYOD devices that aren't enrolled in any MDM solution, app protection policies can help protect company data at the app level.

However, there are some limitations to be aware of:

  • You can't deploy apps to the device. The user has to get the apps from the store.

  • You can't provision certificate profiles on these devices.

  • You can't set up company Wi-Fi and VPN settings on these devices.


Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while app protection policies are applied only when the apps are used in the work context.

For example, when a user starts the OneDrive app by using their work account, they can't move the files to a personal storage location. However, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.
