Add app configuration policies for managed Android Enterprise devices

App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on managed Android Enterprise devices. The app developer exposes Android-managed app configuration settings. Intune uses these exposed settings to let the admin configure features for the app. The app configuration policy is assigned to your user groups. The policy settings are used when the app checks for them, typically the first time the app runs.

Note

Not every app supports app configuration. Check with the app developer to see if their app supports app configuration policies.

Email apps

Android Enterprise has several enrollment methods. The enrollment type depends on how email is configured on the device:

  • On Android Enterprise Fully Managed, Dedicated, and Corporate-owned Work Profiles, use an app configuration policy and the steps in this article. App configuration policies support Gmail and Nine Work email apps.
  • On Android Enterprise personally owned devices with a work profile, create an Android Enterprise email device configuration profile. When you create the profile, you can configure settings for email clients that support app configuration policies. When using the configuration designer, Intune includes email settings specific to Gmail and Nine Work apps.
  • On Android device administrator, create an Android device administrator email device configuration profile for Samsung Knox devices. When you create the profile, you can configure Exchange email settings, such as outlook.office365.com.

Create an app configuration policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Choose Apps > App configuration policies > Add > Managed devices. Note that you can choose between Managed devices and Managed apps. For more information, see Apps that support app configuration.

  3. On the Basics page, set the following details:

    • Name - The name of the profile that appears in the Azure portal.
    • Description - The description of the profile that appears in the Azure portal.
    • Device enrollment type - This setting is set to Managed devices.
  4. Select Android Enterprise as the Platform.

  5. Click Select app next to Targeted app. The Associated app pane is displayed.

  6. On the Associated app pane, choose the managed app to associate with the configuration policy and click OK.

  7. Click Next to display the Settings page.

  8. Click Add to display the Add permissions pane.

  9. Click the permissions that you want to override. Permissions granted will override the "Default app permissions" policy for the selected apps.

  10. Set the Permission state for each permission. You can choose from Prompt, Auto grant, or Auto deny. For more information about permissions, see Android Enterprise settings to mark devices as compliant or not compliant using Intune.

  11. If the managed app supports configuration settings, the Configuration settings format dropdown box is visible. Select one of the following methods to add configuration information:

    • Use configuration designer
    • Enter JSON data

    For details about using the configuration designer, see Use configuration designer. For details about entering JSON data, see Enter JSON data.

  12. Click Next to display the Assignments page.

  13. In the dropdown box next to Assign to, select either Selected groups, All users, All devices, or All users and all devices to assign the app configuration policy to.

    Screenshot of the policy assignments Include tab

  14. Select All users in the dropdown box.

    Screenshot of the policy assignments All users dropdown option

  15. Click Select groups to exclude to display the related pane.

    Screenshot of the policy assignments Select groups to exclude pane

  16. Choose the groups you want to exclude and then click Select.

    Note

    When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, a group that has already been used cannot be used as an excluded group.

  17. Click Next to display the Review + create page.

  18. Click Create to add the app configuration policy to Intune.

Use the configuration designer

You can use the configuration designer for Managed Google Play apps when the app is designed to support configuration settings. Configuration applies to devices enrolled in Intune. The designer lets you configure specific configuration values for the settings exposed by the app.

  1. Select Add. Choose the list of configuration settings that you want to enter for the app.

    If you're using Gmail or Nine Work email apps, see Android Enterprise device settings to configure email for more information on these specific settings.

  2. For each key and value in the configuration, set:

    • Value type: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type.
    • Configuration value: The value for the configuration. If you select variable or certificate for the Value type, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime.

Supported variables for configuration values

You can choose the following options if you choose variable as the value type:

Option                  Example
Azure AD Device ID      dc0dc142-11d8-4b12-bfea-cae2a8514c82
Account ID              fc0dc142-71d8-4b12-bbea-bae2a8514c81
Intune Device ID        b9841cd9-9843-405f-be28-b2265c59ef97
Domain                  contoso.com
Mail                    john@contoso.com
Partial UPN             john
User ID                 3ec2c00f-b125-4519-acf0-302ac3761822
User name               John Doe
User Principal Name     john@contoso.com

Allow only configured organization accounts in multi-identity apps

As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs
Values:
  • One or more ; delimited UPNs.
  • Only account(s) allowed are the managed user account(s) defined by this key.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

Note

The following apps process the above app configuration and only allow organization accounts:

  • Edge for Android (42.0.4.4048 and later)
  • Office, Word, Excel, PowerPoint for Android (16.0.9327.1000 and later)
  • OneDrive for Android (5.28 and later)
  • OneNote for Android (16.0.13231.20222 or later)
  • Outlook for Android (2.2.222 and later)
  • Teams for Android (1416/1.0.0.2020073101 and later)

Enter JSON data

Some configuration settings on apps (such as apps with Bundle types) can't be configured with the configuration designer. Use the JSON editor for those values. Settings are supplied to apps automatically when the app is installed.

  1. For Configuration settings format, select Enter JSON editor.
  2. In the editor, you can define JSON values for configuration settings. You can choose Download JSON template to download a sample file that you can then configure.
  3. Choose OK, and then choose Add.

The policy is created and shown in the list.

When the assigned app is run on a device, it runs with the settings that you configured in the app configuration policy.
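The following check is an added example, not part of the original article or of Intune: it lints the JSON entered for a policy against the com.microsoft.intune.mam.AllowedAccountUPNs rules described above (";" delimited UPNs or the {{userprincipalname}} token). It assumes the JSON uses the Managed Google Play managedProperty / valueString layout; the function names, the sample policies and the contoso.com domain list are constructed for illustration.

```python
import json
import re

KEY = "com.microsoft.intune.mam.AllowedAccountUPNs"
TOKEN = "{{userprincipalname}}"  # stands for the enrolled user account
UPN_RE = re.compile(r"^[^@\s;]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def check_allowed_accounts(policy_json, org_domains):
    """Return findings for the AllowedAccountUPNs setting; an empty list means OK."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    props = (policy.get("managedProperty") or []) if isinstance(policy, dict) else []
    values = [p.get("valueString") for p in props
              if isinstance(p, dict) and p.get("key") == KEY]
    if not values:
        return [f"{KEY} is not set, so this policy does not restrict accounts"]
    if len(values) > 1:
        return [f"{KEY} is defined {len(values)} times"]
    if not isinstance(values[0], str) or not values[0].strip():
        return [f"{KEY} must be a non-empty string value"]
    allowed = {d.lower() for d in org_domains}
    findings = []
    for item in values[0].split(";"):  # ';' is the delimiter the article specifies
        upn = item.strip()
        if upn == TOKEN:
            continue
        match = UPN_RE.match(upn)
        if not match:  # also catches comma- or space-separated lists
            findings.append(f"not a UPN or the token: {upn!r}")
        elif match.group(1).lower() not in allowed:
            findings.append(f"UPN outside the organization domains: {upn}")
    return findings


def sample_policy(value):
    """Constructed sample in the assumed JSON layout (not taken from the article)."""
    prop = {"key": KEY, "valueString": value}
    return json.dumps({"kind": "androidenterprise#managedConfiguration",
                       "productId": "app:com.microsoft.office.outlook",
                       "managedProperty": [prop] if value is not None else []})


if __name__ == "__main__":
    for v in ("{{userprincipalname}};svc-kiosk@contoso.com",
              "john@contoso.com,jane@contoso.com;jane@outlook.com", None):
        print(v, "->", check_allowed_accounts(sample_policy(v), ["contoso.com"]))
```

Running the check on the policy JSON before it is pasted into the editor catches a wrong delimiter or a personal-domain UPN, either of which would leave the account restriction looser or different from what was intended.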

Preconfigure the permissions grant state for apps

You can also preconfigure app permissions to access Android device features. By default, Android apps that require device permissions, such as access to location or the device camera, prompt users to accept or deny permissions.

For example, an app uses the device's microphone. The user is prompted to grant the app permission to use the microphone.

  1. In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed devices.
  2. Add the following properties:
    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise prompt permissions app policy for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
    • Device enrollment type: This setting is set to Managed devices.
    • Platform: Select Android Enterprise.
  3. Select Profile Type:
  4. Select Targeted App. Choose the app that you want to associate a configuration policy with. Select from the list of Android Enterprise fully managed work profile apps that you've approved and synchronized with Intune.
  5. Select Permissions > Add. From the list, select the available app permissions > OK.
  6. Select an option for each permission to grant with this policy:
    • Prompt: Prompt the user to accept or deny.
    • Auto grant: Automatically approve without notifying the user.
    • Auto deny: Automatically deny without notifying the user.
  7. To assign the app configuration policy, select the app configuration policy > Assignment > Select groups. Choose the user groups to assign > Select.
  8. Choose Save to assign the policy.

Additional information

Next steps

Continue to assign and monitor the app.