Security and privacy for application management in Configuration Manager

Applies to: Configuration Manager (current branch)

Security guidance for application management

Use the Software Center without the application catalog

The application catalog's Silverlight user experience isn't supported as of current branch version 1806. This configuration helps you reduce the server infrastructure required to deliver applications to users.

Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles. Support ends for the application catalog roles with version 1910. Reducing the server infrastructure also reduces the attack surface.

To deliver a consistent and secure application experience for internet-based clients, use Azure Active Directory and the cloud management gateway.

For more information, see Configure Software Center.

Use HTTPS with the application catalog

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Configure the application catalog website point and the application catalog web service point to accept HTTPS connections. With this configuration, the server is authenticated to users. The transmitted data is protected from tampering and viewing.

Help prevent social engineering attacks by educating users to only connect to trusted websites. Educate users about the dangers of malicious websites.

When you don't use HTTPS, don't use the branding configuration options. These settings show the name of your organization in the application catalog as proof of identity.

Use role separation

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Install the application catalog website point and the application catalog web service point on separate servers. If the website point is compromised, it's separate from the web service point. This design helps to protect the Configuration Manager clients and infrastructure. This configuration is especially important if the website point accepts client connections from the internet. Accepting connections from the internet makes the server more vulnerable to attack.

Close browser windows

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Educate users to close the browser window when they finish using the application catalog. If users browse to an external website in the same browser window that they used for the application catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet.

Centrally specify user device affinity

Manually specify the user device affinity instead of letting users identify their primary device. Don't enable usage-based configuration.

Don't consider information that's collected from users or from the device to be authoritative. If you deploy software by using user device affinity that a trusted administrator doesn't specify, the software might be installed on computers and to users who aren't authorized to receive that software.

Don't run deployments from distribution points

Always configure deployments to download content from distribution points rather than run from distribution points. When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content. The client discards the package if the hash doesn't match the hash in the policy.

If you configure the deployment to run directly from a distribution point, the Configuration Manager client doesn't verify the package hash. This behavior means that the Configuration Manager client can install software that's been tampered with.

If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points. Also use internet protocol security (IPsec) to secure the channel between the client and the distribution points, and between the distribution points and the site server.

Don't let users interact with elevated processes

If you enable the options to Run with administrative rights or Install for system, don't let users interact with those applications. When you configure an application, you can set the option to Allow users to view and interact with the program installation. This setting allows users to respond to any required prompts in the user interface. If you also configure the application to Run with administrative rights, or starting in version 1802 Install for system, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer.

Use programs that use Windows Installer for setup and per-user elevated privileges for software deployments that require administrative credentials. Setup must be run in the context of a user who doesn't have administrative credentials. Windows Installer per-user elevated privileges provide the most secure way to deploy applications that have this requirement.

Restrict whether users can install software interactively

Configure the Install permissions client setting in the Computer Agent group. This setting restricts the types of users who can install software in Software Center.

For example, create a custom client setting with Install permissions set to Only administrators. Apply this client setting to a collection of servers. This configuration prevents users without administrative permissions from installing software on those servers.

For mobile devices, deploy only applications that are signed

Deploy mobile device applications only if they're code-signed by a certification authority (CA) that the mobile device trusts.

For example:

  • An application from a vendor, which is signed by a well-known CA like VeriSign.

  • An internal application that you sign independent from Configuration Manager by using your internal CA.

  • An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.

Secure the location of the mobile device application signing certificate

If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel. To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder.

Use IPsec between the following computers:

  • The computer that runs the Configuration Manager console
  • The computer that stores the certificate signing file
  • The computer that stores the application source files

Alternatively, sign the application independent of Configuration Manager and before you run the Create Application Wizard.

Implement access controls

To protect reference computers, implement access controls. When you configure the detection method in a deployment type by browsing to a reference computer, make sure that the computer isn't compromised.

Restrict and monitor administrative users

Restrict and monitor the administrative users who you grant the following application management role-based security roles:

  • Application Administrator
  • Application Author
  • Application Deployment Manager

Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, administrative users who create or change an application can select dependent applications that aren't in their security scope.

Configure App-V apps in virtual environments with the same trust level

When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications that have the same trust level in the virtual environment. Because applications in an App-V virtual environment can share resources, like the clipboard, configure the virtual environment so that the selected applications have the same trust level.

For more information, see Create App-V virtual environments.

Make sure macOS apps are from a trustworthy source

If you deploy applications for macOS devices, make sure that the source files are from a trustworthy source. The CMAppUtil tool doesn't validate the signature of the source package. Make sure the package comes from a source that you trust. The CMAppUtil tool can't detect whether the files have been tampered with.

Secure the cmmac file for macOS apps

If you deploy applications for macOS computers, secure the location of the .cmmac file. The CMAppUtil tool generates this file, and then you import it to Configuration Manager. This file isn't signed or validated.

Secure the communication channel when you import this file to Configuration Manager. To help prevent tampering with this file, store it in a secured folder. Use IPsec between the following computers:

  • The computer that runs the Configuration Manager console
  • The computer that stores the .cmmac file
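
Because neither the macOS source package nor the .cmmac file is signed or validated by the tooling, one compensating check is to compare the file against a SHA-256 value recorded when it was produced, and to confirm that the storage folder is writable only by expected principals. The following PowerShell is an added example, not code from Microsoft or Configuration Manager; the function name, file names, recorded hash and allowed-writer list are assumptions.

```powershell
# Added example. Test-ImportFileIntegrity is a hypothetical helper, and the
# allowed-writer list is an assumption; adjust both to your environment.
function Test-ImportFileIntegrity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 recorded out-of-band when the file was produced or received
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Principals that are allowed to hold write access on the storage folder
        [string[]] $AllowedWriter = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    # String -eq is case-insensitive, so upper/lower-case hex both match
    $hashOk = $actual -eq ($ExpectedSha256 -replace '\s', '')

    # Rights that let a principal change or replace the file. The two literals
    # are GENERIC_ALL and GENERIC_WRITE, which can appear on inherit-only ACEs.
    $named     = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writeMask = ([int]$named) -bor 0x10000000 -bor 0x40000000

    # Allow ACEs on the folder that grant any of those rights to a principal
    # outside the allowed list
    $unexpected = @(
        (Get-Acl -LiteralPath $file.DirectoryName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
                ($_.IdentityReference.Value -notin $AllowedWriter)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    )

    [pscustomobject]@{
        Path              = $file.FullName
        HashMatches       = $hashOk
        ActualSha256      = $actual
        UnexpectedWriters = $unexpected
        SafeToImport      = $hashOk -and ($unexpected.Count -eq 0)
    }
}

# Constructed demo: a temporary file stands in for the .cmmac file, and the
# hash taken here stands in for the value recorded when CMAppUtil produced it.
$demoDir  = Join-Path ([System.IO.Path]::GetTempPath()) 'cmmac-demo'
$null     = New-Item -ItemType Directory -Path $demoDir -Force
$demoFile = Join-Path $demoDir 'ExampleApp.cmmac'
Set-Content -LiteralPath $demoFile -Value 'constructed sample content'
$recorded = (Get-FileHash -LiteralPath $demoFile -Algorithm SHA256).Hash

# Check the unmodified file, then change it and check again
Test-ImportFileIntegrity -Path $demoFile -ExpectedSha256 $recorded
Add-Content -LiteralPath $demoFile -Value 'modified after the hash was recorded'
Test-ImportFileIntegrity -Path $demoFile -ExpectedSha256 $recorded
```

The demo folder sits under the user's temp directory, so the signed-in account normally appears in UnexpectedWriters; a folder that meets the guidance above returns an empty list.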

Use HTTPS for web applications

If you configure a web application deployment type, use HTTPS to secure the connection. If you deploy a web application by using an HTTP link rather than an HTTPS link, the device could be redirected to a rogue server. Data that's transferred between the device and server could be tampered with.

Security issues for application management

  • Low-rights users can copy files from the client cache on the client computer.

    Users can read the client cache but can't write to it. With read permissions, a user can copy application installation files from one computer to another.

  • Low-rights users can change files that record software deployment history on the client computer.

    Because the application history information isn't protected, a user can change files that report whether an application is installed.

  • App-V packages aren't signed.

    App-V packages in Configuration Manager don't support signing. Digital signatures verify the content is from a trusted source and wasn't altered in transit. There's no mitigation for this security issue. Follow the security best practice to download the content from a trusted source and from a secure location.

  • Published App-V applications can be installed by all users on the computer.

    When an App-V application is published on a computer, all users who sign in to that computer can install the application. You can't restrict the users who can install the application after it's published.

Certificates for Microsoft Silverlight 5 and elevated trust mode required for the application catalog

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Configuration Manager clients version 1710 and earlier require Microsoft Silverlight 5, which must run in elevated trust mode for users to install software from the application catalog. By default, Silverlight applications run in partial trust mode to prevent applications from accessing user data. If it isn't already installed, Configuration Manager automatically installs Microsoft Silverlight 5 on clients. By default, Configuration Manager sets the Computer Agent Allow Silverlight applications to run in elevated trust mode client setting to Yes. This setting lets signed and trusted Silverlight applications request elevated trust mode.

When you install the application catalog website point site system role, the client also installs a Microsoft signing certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. Silverlight applications signed by this certificate run in the elevated trust mode, which computers require to install software from the application catalog. Configuration Manager automatically manages this signing certificate. To increase service continuity, don't manually delete or move this Microsoft signing certificate.

Warning

When enabled, the Allow Silverlight applications to run in elevated trust mode client setting lets all Silverlight applications, which are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user store, run in elevated trust mode. The client setting can't enable elevated trust mode specifically for the Configuration Manager application catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue certificate in the Trusted Publishers store, malware that uses its own Silverlight application can now also run in elevated trust mode.

If you set the Allow Silverlight applications to run in elevated trust mode setting to No, clients don't remove the Microsoft signing certificate.

For more about trusted applications in Silverlight, see Trusted Applications.
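
Because the setting trusts every certificate in the Trusted Publishers store of either the computer or the user, a periodic comparison of both stores against a reviewed baseline helps detect a rogue entry. The following PowerShell is an added example, not code from Microsoft or Configuration Manager; the function name is hypothetical and the baseline thumbprints are placeholders. It only reports and never deletes or moves a certificate.

```powershell
# Added example. Get-UnexpectedTrustedPublisher is a hypothetical helper.
function Get-UnexpectedTrustedPublisher {
    [CmdletBinding()]
    param(
        # Thumbprints your organization has reviewed and approved
        [Parameter(Mandatory)] [string[]] $ApprovedThumbprint,
        # Certificates in either store qualify for elevated trust. The
        # CurrentUser path covers only the account that runs the script.
        [string[]] $StorePath = @('Cert:\LocalMachine\TrustedPublisher',
                                  'Cert:\CurrentUser\TrustedPublisher')
    )

    # Normalize the baseline: strip whitespace, compare in upper case
    $approved = @($ApprovedThumbprint |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

    foreach ($store in $StorePath) {
        Get-ChildItem -Path $store -ErrorAction Stop |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.Thumbprint -notin $approved } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Thumbprint = $_.Thumbprint
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotBefore  = $_.NotBefore
                    # A self-signed publisher certificate deserves a closer look
                    SelfSigned = $_.Subject -eq $_.Issuer
                }
            }
    }
}

# Placeholder baseline: replace with the thumbprints you have approved,
# including the Microsoft signing certificate that the client installs.
$baseline = @(
    '<THUMBPRINT-OF-APPROVED-PUBLISHER-1>',
    '<THUMBPRINT-OF-APPROVED-PUBLISHER-2>'
)

# Every certificate not in the baseline is listed for review
Get-UnexpectedTrustedPublisher -ApprovedThumbprint $baseline |
    Sort-Object Store, NotBefore |
    Format-Table -AutoSize
```

With the placeholder baseline, every certificate in both stores is listed, which is also how to collect the thumbprints for a first review.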

Privacy information for application management

Application management lets you run any application, program, or script on any client in the hierarchy. Configuration Manager has no control over the types of applications, programs, or scripts that you run or the type of information that they transmit. During the application deployment process, Configuration Manager might transmit information that identifies the device and sign-in accounts between clients and servers.

Configuration Manager maintains status information about the software deployment process. Software deployment status information isn't encrypted during transmission unless the client communicates by using HTTPS. The status information isn't stored in encrypted form in the database.

The use of Configuration Manager application installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software. This use is separate from the Software License Terms for Configuration Manager. Always review and agree to the Software Licensing Terms before you deploy software by using Configuration Manager.

Configuration Manager collects diagnostics and usage data about applications, which is used by Microsoft to improve future releases. For more information, see Diagnostics and usage data.

Application deployment doesn't happen by default and requires several configuration steps.

The following features help efficient software deployment:

  • User device affinity maps a user to devices. A Configuration Manager administrator deploys software to a user. The client automatically installs the software on one or more computers that the user uses most often.

  • Software Center is installed automatically on a device when you install the Configuration Manager client. Users change settings, browse for and install software from Software Center.

  • The application catalog is a website that lets users request software to install.

    Important

    Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

User device affinity privacy information

  • Configuration Manager might transmit information between clients and management point site systems. The information might identify the computer and sign-in account and the summarized usage for sign-in accounts.

  • The information that's transmitted between the client and server isn't encrypted, unless the management point is configured to require clients to communicate by using HTTPS.

  • The computer and sign-in account usage information, which is used to map a user to a device, is stored on client computers, sent to management points, and then stored in the Configuration Manager database. The old information is deleted from the database by default after 90 days. The deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance task.

  • Configuration Manager maintains status information about user device affinity. Status information isn't encrypted during transmission, unless clients are configured to communicate with management points by using HTTPS. Status information isn't stored in encrypted form in the database.

  • Computer and sign-in usage information that's used to establish user and device affinity is always enabled. Users and administrative users can supply user device affinity information.

Software Center privacy information

  • Software Center lets the Configuration Manager admin publish any application or program or script for users to run. Configuration Manager has no control over the types of programs or scripts that are published in the catalog or the type of information that they transmit.

  • Configuration Manager might transmit information between clients and the management point. The information might identify the computer and sign-in accounts. The information that's transmitted between the client and servers isn't encrypted, unless you configure the management point to require clients connect by using HTTPS.

  • The information about the application approval request is stored in the Configuration Manager database. Requests that are canceled or denied and the corresponding request history entries are deleted by default after 30 days. The deletion behavior is configurable by setting the Delete Aged Application Request Data site maintenance task. Application approval requests that are in approved and pending states are never deleted.

  • Software Center is installed automatically when you install the Configuration Manager client on a device.

Application catalog privacy information

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

  • The application catalog isn't installed by default. This installation requires several configuration steps.

  • The application catalog lets the Configuration Manager admin publish any application or program or script for users to run. Configuration Manager has no control over the types of programs or scripts that are published in the catalog or the type of information that they transmit.

  • Configuration Manager might transmit information between clients and the application catalog site system roles. The information might identify the computer and sign-in accounts. The information that's transmitted between the client and servers isn't encrypted, unless these site system roles are configured to require clients connect by using HTTPS.