What to expect when using an app with app-based CA

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

App-based CA verifies the identity of the approved application by means of a broker app that must be present on the device:

  • On iOS, the Azure Authenticator app is the broker app.
  • On Android, the Intune Company Portal app is the broker app.

End users signing in for the first time to an app that is supported by app-based CA, such as OneDrive or Outlook, are prompted to install the broker app and register the device with Azure AD. Device registration in Azure AD (previously known as Workplace Join) creates a device record and a certificate against which tokens are issued. This is not the same as MDM enrollment: no management profiles or policies are applied, and no inventory of the apps on the device is taken. Installing the broker app and registering the device happens only on the first use of a managed app.

The following is a list of properties that are directly derived from the device:

  • alternativeSecurityIds (Azure Active Directory certificate thumbprint and public key hash)
  • deviceOSType
  • deviceOSVersion
  • displayName

Note

On Android devices:

  • The Company Portal app must be installed on the device, but the end user is not required to sign in to the app.
  • Device registration must be done through the OneDrive or Outlook app.

To remove a device from Azure AD registration

You can remove the device registration through the Azure AD admin console, which is typically done by the IT admin. The end user can also remove it on the device itself.

  • Azure AD admin console: In the Azure AD admin console, delete the device that you want to remove.
  • iOS device: Open the Azure Authenticator app, swipe left on the account, and choose unregister.
  • Android device: Uninstall the Company Portal app, or remove the account from the system settings.

App-based CA with device-based CA

You can configure conditional access based on device compliance (Device CA) in the Intune administrator console or the Azure AD Premium management console. Device CA requires users to connect to Exchange Online only through Intune-managed devices that are compliant with the Intune device compliance policy, or through domain-joined PCs. If a user belongs to one or more security groups that are targeted by both app-based CA and Device CA policies, the user must meet one of the following two requirements:

  • The app used to access the service is a mobile app that is supported by app-based CA, and the device that the app is running on has iOS Authenticator (for iOS devices) or the Company Portal app (for Android devices) installed.
  • The device used to access the service is Intune-managed and compliant with the Intune device compliance policy, or it is a domain-joined PC.

Here are some examples to help illustrate this:

  • If a user tries to connect from the native iOS email app, he or she must be on a managed and compliant device, because the native mail app is not supported by app-based CA.
  • If a user tries to connect from a Windows home PC, the Device CA policy applies, requiring that he or she use a domain-joined PC.

Next steps

Create an Exchange Online policy for MAM apps

Block apps that do not have modern authentication

See also

Protect app data with app protection policies