Frequently asked questions about MAM and app protection

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This article answers some frequently asked questions about Intune mobile application management (MAM) and Intune app protection.

MAM basics

What is MAM? Intune mobile application management refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps for your users.

What are the benefits of MAM app protection? MAM protects an organization's data within an application. With MAM-WE, a work or school app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Intune-enlightened apps available for public use.

What device configurations does MAM support? Intune MAM supports two configurations:

  1. Intune MDM + MAM: This is the first configuration MAM supported when it launched. IT administrators can manage apps using MAM and app protection policies only on devices that are enrolled in Intune mobile device management (MDM). To manage apps using MDM + MAM, customers should use the Intune standalone console at https://manage.microsoft.com.

  2. MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using MAM and app protection policies on devices that are not enrolled in Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps using MAM-WE, customers should use the Intune console in the Azure portal at http://portal.azure.com.

App protection policies

What are app protection policies? App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored while the user is inside the app.

What are examples of app protection policies? See the Android app protection policy settings and iOS app protection policy settings for detailed information on each app protection policy setting.

Apps you can manage with app protection policies

Which apps can be managed by app protection policies? Any app that has been enlightened with the Intune App SDK or wrapped with the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Intune-enlightened apps available for public use.

What are the baseline requirements to use app protection policies on an Intune-enlightened app?

  1. The end user must have an Azure Active Directory (AAD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.

  2. The end user must have a Microsoft Intune license assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.

  3. The end user must belong to a security group that is targeted by an app protection policy, and that same policy must target the specific app being used. App protection policies can be created and deployed in the Intune console in the Azure portal. Security groups can currently be created in the Office portal.

  4. The end user must sign into the app with their AAD account.
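The four requirements above are a conjunction: a user who is licensed and in a targeted group is still unprotected if the policy does not also target the app in use, which is the most common reason a policy "does not apply". The following is an added example, not Microsoft's or Intune's code, that evaluates the four requirements for a user/app pair and reports which one failed. The data model, the service-plan name INTUNE_A, and the sample users and policy are constructed for illustration.

```python
"""Added example, not Microsoft's code: evaluate the four baseline
requirements for a user/app pair. The data model, the service-plan name
and the sample records are all constructed for illustration."""
from dataclasses import dataclass

# Assumed service-plan identifier for the Intune license; a real tenant's
# plan names should be read from Azure AD rather than hard-coded.
INTUNE_SERVICE_PLAN = "INTUNE_A"


@dataclass(frozen=True)
class User:
    upn: str
    has_aad_account: bool
    service_plans: frozenset
    groups: frozenset            # security group object IDs or names
    signed_in_with_work_account: bool


@dataclass(frozen=True)
class AppProtectionPolicy:
    name: str
    target_groups: frozenset     # security groups the policy is assigned to
    target_apps: frozenset       # bundle IDs / package names it covers


def evaluate(user, app_id, policies):
    """Return (protected, matched_policy_names, reasons).

    protected is True only when every baseline requirement holds; reasons
    lists each requirement that failed so an admin can see which one to fix.
    """
    reasons = []
    if not user.has_aad_account:                                   # requirement 1
        reasons.append("no Azure AD account")
    if INTUNE_SERVICE_PLAN not in user.service_plans:              # requirement 2
        reasons.append("no Intune license assigned")
    if not user.signed_in_with_work_account:                       # requirement 4
        reasons.append("app is not signed in with the work or school account")

    # Requirement 3 has two halves: the policy must target one of the user's
    # groups AND the very app in use. A policy that targets the user but not
    # the app is the common misconfiguration, so report it distinctly.
    matched = sorted(p.name for p in policies
                     if p.target_groups & user.groups and app_id in p.target_apps)
    if not matched:
        user_only = sorted(p.name for p in policies if p.target_groups & user.groups)
        if user_only:
            reasons.append(f"policies {user_only} target the user but not app {app_id}")
        else:
            reasons.append("user is not in any security group targeted by a policy")

    return (not reasons), matched, reasons


# Constructed sample data.
OFFICE_POLICY = AppProtectionPolicy(
    name="Office-iOS-baseline",
    target_groups=frozenset({"MAM-Users"}),
    target_apps=frozenset({"com.microsoft.Office.Outlook", "com.microsoft.Office.Word"}),
)
ALICE = User("alice@contoso.example", True, frozenset({INTUNE_SERVICE_PLAN}),
             frozenset({"MAM-Users"}), True)
BOB = User("bob@contoso.example", True, frozenset(), frozenset({"MAM-Users"}), True)

if __name__ == "__main__":
    for user, app in ((ALICE, "com.microsoft.Office.Outlook"),
                      (ALICE, "com.example.lob"), (BOB, "com.microsoft.Office.Word")):
        print(user.upn, app, evaluate(user, app, [OFFICE_POLICY]))
```

Alice with Outlook is protected; Alice with a line-of-business app the policy does not cover is not, and the reason names the policy that targets her but not the app; Bob fails only on the license check. In a real tenant the inputs would come from Azure AD group membership, license assignment and the policy's assignments rather than from constructed records.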

What are the additional requirements to use the Outlook mobile app?

  1. The end user must have the Outlook mobile app installed on their device.

  2. The end user must have an Office 365 Exchange Online mailbox and license linked to their Azure Active Directory account.

    Note

    The Outlook mobile app currently supports only Microsoft Exchange Online; it does not support Exchange on-premises or Exchange in Office 365 Dedicated.

What are the additional requirements to use the Word, Excel, and PowerPoint apps?

  1. The end user must have an Office 365 Business or Enterprise license linked to their Azure Active Directory account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Office 365 licenses can be assigned in the Office portal by following these instructions.

  2. The end user must have a managed location configured using the granular Save As functionality under the "Prevent Save As" app protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.

  3. If the managed location is OneDrive, the OneDrive app must also be targeted by the app protection policy deployed to the end user.

    Note

    The Office mobile apps currently support only SharePoint Online, not SharePoint on-premises.

Why is a managed location (for example, OneDrive) needed for Office? Intune marks all data in the app as either "corporate" or "personal". Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following to be business locations: email (Exchange) or cloud storage (the OneDrive app with a OneDrive for Business account).

What are the additional requirements to use Skype for Business? See Skype for Business license requirements.

Note

The Skype for Business mobile app currently supports only Skype for Business Online.

App protection features

What is multi-identity support? Multi-identity support is the ability of the Intune App SDK to apply app protection policies only to the work or school account signed into the app. If a personal account is signed into the app, its data is untouched.

What is the purpose of multi-identity support? Multi-identity support allows apps with both "corporate" and consumer audiences (for example, the Office apps) to be released publicly with Intune app protection capabilities for the "corporate" accounts.

When does the PIN screen show up? The Intune PIN screen appears only when the user is trying to access "corporate" data in the app. For example, in the Word, Excel, and PowerPoint apps it appears when the end user attempts to open a document from OneDrive for Business (assuming you have successfully deployed an app protection policy that enforces a PIN).

What about Outlook and multi-identity? Because Outlook has a combined email view of both personal and "corporate" email, the Outlook app prompts for the Intune PIN on launch.

What is the Intune app PIN? The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.

  1. When is the user prompted to enter their PIN? Intune prompts for the user's app PIN only when the user is about to access "corporate" data. In multi-identity apps such as Word, Excel, and PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file. In single-identity apps, such as line-of-business apps wrapped with the Intune App Wrapping Tool, the PIN is prompted at launch, because the Intune App SDK knows the user's experience in the app is always "corporate".

  2. Is the PIN secure? The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end user must sign in with their work or school account before they can set or reset their Intune app PIN. This authentication is handled by Azure Active Directory through a secure token exchange and is opaque to the Intune App SDK. From a security perspective, the best way to protect work or school data is to encrypt it. Encryption is not tied to the app PIN; it is its own app protection policy setting.

  3. How does Intune protect the PIN against brute force attacks? As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to authenticate with their PIN before the app is locked. After that number of attempts is reached, the Intune App SDK can wipe the "corporate" data in the app. It is this retry cap, rather than PIN length alone, that bounds guessing: a short numeric PIN is trivial to enumerate without one.

How does the Intune app PIN work between numeric type and passcode type? MAM currently allows an application-level PIN (iOS) with alphanumeric and special characters (called a "passcode"), which requires the participating applications (that is, WXP, Outlook, Managed Browser, Yammer) to integrate the Intune App SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted applications. Because apps will adopt this integration on a rolling basis, the behavior between passcode and numeric PIN is temporarily changed for the end user and requires an important clarification. For the October 2017 release of Intune, the behavior is as follows:

Apps that have

  1. the same app publisher,
  2. a passcode PIN targeted through the console, and
  3. adopted the SDK with this feature (v 7.1.12+)

will be able to share the passcode between these apps.

Apps that have

  1. the same app publisher, and
  2. a numeric PIN targeted through the console

will be able to share the numeric PIN between these apps.

What about encryption? IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.

  1. How does Intune encrypt data? See the Android app protection policy settings and iOS app protection policy settings for detailed information on the encryption app protection policy setting.

  2. What gets encrypted? Only data marked as "corporate" is encrypted, according to the IT administrator's app protection policy. Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following to be business locations: email (Exchange) or cloud storage (the OneDrive app with a OneDrive for Business account). For line-of-business apps wrapped with the Intune App Wrapping Tool, all app data is considered "corporate".

How does Intune remotely wipe data? Intune can wipe app data in three different ways: full device wipe, selective wipe for MDM, and selective wipe for MAM. For more information about remote wipe for MDM, see Help protect your data with full or selective wipe using Microsoft Intune. For more information about selective wipe using MAM, see Wipe managed company app data with Microsoft Intune.

  1. What is full wipe? Full wipe removes all user data and settings from the device by restoring it to its factory default settings. The device is removed from Intune.

    Note

    Full wipe can be performed only on devices enrolled in Intune mobile device management (MDM).

  2. What is selective wipe for MDM? See Help protect your data with full or selective wipe using Microsoft Intune to read about selective wipe.

  3. What is selective wipe for MAM? Selective wipe for MAM removes only the company app data from an app. The request is initiated from the Intune Azure portal. To learn how to initiate a wipe request, see Wipe managed company app data with Microsoft Intune.

  4. How quickly does selective wipe for MAM happen? If the user is using the app when a selective wipe is initiated, the Intune App SDK checks for a selective wipe request from the Intune MAM service every 30 minutes. It also checks for a selective wipe when the user launches the app for the first time and signs in with their work or school account. Data already in the app therefore remains until the next successful check, so plan for that window when responding to a lost device.

Why don't on-premises services work with Intune-protected apps? Intune app protection depends on the user's identity being consistent between the application and the Intune App SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may work with an on-premises configuration, but they are neither consistent nor guaranteed.

Is there a secure way to open web links from managed apps? Yes. The IT administrator can deploy and configure an app protection policy for the Intune Managed Browser app, a web browser developed by Microsoft Intune that can be managed easily with Intune. The IT administrator can require all web links in Intune-enlightened apps to be opened using the Managed Browser app.
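The PIN, encryption, data-transfer and managed-browser controls discussed in the preceding sections are all settings on one app protection policy, and a permissive setting in any of them undoes the others. The following is an added example, not Microsoft's or Intune's code, that lints a policy for those controls and shows a permissive policy beside a hardened one. The key names follow the Microsoft Graph iosManagedAppProtection resource as the author recalls them and should be treated as an assumption to verify against the Graph reference; the thresholds MAX_PIN_RETRIES and MIN_PIN_LENGTH are this example's choices, not Intune defaults; both sample policies are constructed input.

```python
"""Added example, not Microsoft's or Intune's code: lint an app protection
policy for the controls this FAQ discusses (PIN and retry cap, encryption,
data transfer, managed browser). Key names follow the Microsoft Graph
iosManagedAppProtection resource as the author recalls them; treat them as
an assumption and check them against the Graph reference before pointing
this at a real tenant. Thresholds are this example's choices, not Intune
defaults. Both sample policies are constructed input."""

MAX_PIN_RETRIES = 5   # example threshold: bounds online guessing of the PIN
MIN_PIN_LENGTH = 6    # example threshold


def lint_policy(policy):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []

    # PIN gates access to "corporate" data; the retry cap, not PIN length,
    # is what bounds a brute-force attempt, so check both.
    if not policy.get("pinRequired", False):
        findings.append(("PIN_NOT_REQUIRED", "pinRequired is false"))
    else:
        retries = policy.get("maximumPinRetries", 0)
        if retries == 0 or retries > MAX_PIN_RETRIES:
            findings.append(("PIN_RETRY_CAP",
                             f"maximumPinRetries={retries} does not bound guessing"))
        if policy.get("minimumPinLength", 0) < MIN_PIN_LENGTH:
            findings.append(("PIN_LENGTH", "minimumPinLength below example minimum"))
        if not policy.get("simplePinBlocked", False):
            findings.append(("PIN_SIMPLE", "simple PINs such as 1234 are allowed"))

    # Encryption is its own setting, independent of the PIN. Relying on the
    # device's own settings is weak under MAM-WE, where the device is unmanaged.
    if policy.get("appDataEncryptionType", "useDeviceSettings") == "useDeviceSettings":
        findings.append(("ENCRYPTION_DEVICE_SETTINGS",
                         "appDataEncryptionType relies on device settings"))

    # Data transfer: "allApps" lets corporate data flow to unmanaged apps.
    if policy.get("allowedOutboundDataTransferDestinations", "allApps") == "allApps":
        findings.append(("OUTBOUND_ALL_APPS",
                         "outbound transfer to any app is allowed"))
    if "localStorage" in policy.get("allowedDataStorageLocations", []):
        findings.append(("SAVE_TO_LOCAL", "Save As to local storage is allowed"))

    # Web links should open in the Managed Browser rather than any browser.
    if not policy.get("managedBrowserToOpenLinksRequired", False):
        findings.append(("WEB_LINKS_UNMANAGED",
                         "links may open in an unmanaged browser"))
    return findings


# Constructed sample policies: a permissive one and a hardened one.
WEAK_POLICY = {
    "displayName": "Office-iOS-permissive",
    "pinRequired": False,
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
    "managedBrowserToOpenLinksRequired": False,
}
HARDENED_POLICY = {
    "displayName": "Office-iOS-hardened",
    "pinRequired": True,
    "pinCharacterSet": "alphanumericAndSymbol",
    "minimumPinLength": 6,
    "simplePinBlocked": True,
    "maximumPinRetries": 5,
    "appDataEncryptionType": "whenDeviceLocked",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness"],
    "managedBrowserToOpenLinksRequired": True,
}

if __name__ == "__main__":
    for pol in (WEAK_POLICY, HARDENED_POLICY):
        print(pol["displayName"], lint_policy(pol) or "clean")
```

The permissive policy produces a finding for each control it leaves open, while the hardened one is clean; raising maximumPinRetries on the hardened policy to 50 produces exactly the retry-cap finding, which is the check that matters against guessing. Because a missing key is treated as the permissive value, a policy exported with a subset of properties is reported as weak rather than silently passed.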

App experience on Android

Why is the Company Portal app needed for Intune app protection to work on Android devices? Much of the app protection functionality is built into the Company Portal app. Device enrollment is not required, even though the Company Portal app is always required. For MAM-WE, the end user only needs to have the Company Portal app installed on the device.

App experience on iOS

I am able to use the iOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to "managed apps only" or "no apps". Doesn't this leak data? Intune app protection policy cannot control the iOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before it is shared outside the app. You can validate this by attempting to open the "corporate" file outside of the managed app: the file should be encrypted and cannot be opened outside the managed app.

See also