App protection policies overview

App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it, and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allow you to manage and protect your organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.

How you can protect app data

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional. You'll also want to protect company data that is accessed from devices that are not managed by you.

You can use Intune app protection policies independent of any mobile-device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

App protection policies on devices

App protection policies can be configured for apps that run on devices that are:

  • Enrolled in Microsoft Intune: These devices are typically corporate owned.

  • Enrolled in a third-party mobile device management (MDM) solution: These devices are typically corporate owned.

    Mobile app management policies should not be used with third-party mobile app management or secure container solutions.

  • Not enrolled in any mobile device management solution: These devices are typically employee owned devices that aren't managed or enrolled in Intune or other MDM solutions.

You can create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using this feature, make sure you meet the Outlook for iOS/iPadOS and Android requirements. App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services.

Benefits of using App protection policies

The important benefits of using App protection policies are the following:

  • Protecting your company data at the app level. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

  • End-user productivity isn't affected and policies don't apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.

  • App protection policies make sure that the app-layer protections are in place. For example, you can:

    • Require a PIN to open an app in a work context
    • Control the sharing of data between apps
    • Prevent the saving of company app data to a personal storage location
  • MDM, in addition to MAM, makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution, to give you more control over app management.

There are additional benefits to using MDM with App protection policies, and companies can use App protection policies with and without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by App protection policies while the personal device is protected by App protection policies only.

If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state. So when you create an app protection policy, next to Target to all app types, you'd select No. Then do any of the following:

  • Apply a less strict MAM policy to Intune managed devices, and apply a more restrictive MAM policy to non MDM-enrolled devices.
  • Apply a MAM policy to unenrolled devices only.

Supported platforms for app protection policies

Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on. For more information, see App management capabilities by platform.

Intune app protection policies platform support aligns with Office mobile application platform support for Android and iOS/iPadOS devices. For details, see the Mobile apps section of Office System Requirements.

The Intune Company Portal is required on the device to receive App Protection Policies on Android. For more information, see the Intune Company Portal access apps requirements.

App protection policy data protection framework

The choices available in app protection policies (APP) enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

How app protection policies protect app data

Apps without app protection policies

When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The arrows in the following diagram show unrestricted data movement between both corporate and personal apps, and to storage locations.

Data protection with app protection policies (APP)

You can use App protection policies to prevent company data from saving to the local storage of the device (see the image below). You can also restrict data movement to other apps that aren't protected by App protection policies. App protection policy settings include:

  • Data relocation policies like Save copies of org data, and Restrict cut, copy, and paste.
  • Access policy settings like Require simple PIN for access, and Block managed apps from running on jailbroken or rooted devices.


Data protection with APP on devices managed by an MDM solution

The following illustration shows the layers of protection that MDM and App protection policies offer together.

Image that shows how App protection policies work on BYOD devices

The MDM solution adds value by providing the following:

  • Enrolls the device
  • Deploys the apps to the device
  • Provides ongoing device compliance and management

The App protection policies add value by providing the following:

  • Help protect company data from leaking to consumer apps and services
  • Apply restrictions like save-as, clipboard, or PIN, to client apps
  • Wipe company data when needed from apps without removing those apps from the device

Data protection with APP for devices without enrollment

The following diagram illustrates how the data protection policies work at the app level without MDM.

For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at the app level. However, there are some limitations to be aware of, such as:

  • You can't deploy apps to the device. The end user has to get the apps from the store.
  • You can't provision certificate profiles on these devices.
  • You can't provision company Wi-Fi and VPN settings on these devices.

Apps you can manage with app protection policies

Any app that has been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Microsoft Intune protected apps that have been built using these tools and are available for public use.

The Intune SDK development team actively tests and maintains support for apps built with the native Android, iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit guidance or plugins for app developers using anything other than our supported platforms.

End-user requirements to use app protection policies

The following list provides the end-user requirements to use app protection policies on an Intune-managed app:

  • The end user must have an Azure Active Directory (Azure AD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.

  • The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.

  • The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the Microsoft Endpoint Manager admin center. Security groups can currently be created in the Microsoft 365 admin center.

  • The end user must sign into the app using their Azure AD account.

App protection policies for Microsoft Office apps

There are a few additional requirements that you want to be aware of when using App protection policies with Microsoft Office apps.

Outlook mobile app

The additional requirements to use the Outlook mobile app include the following:

  • The end user must have the Outlook mobile app installed to their device.

  • The end user must have a Microsoft 365 Exchange Online mailbox and license linked to their Azure Active Directory account.

    The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and Exchange Server with hybrid modern authentication and does not support Exchange in Office 365 Dedicated.

Word, Excel, and PowerPoint

The additional requirements to use the Word, Excel, and PowerPoint apps include the following:

  • The end user must have a license for Microsoft 365 Apps for business or enterprise linked to their Azure Active Directory account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in the Microsoft 365 admin center following these instructions.

  • The end user must have a managed location configured using the granular save as functionality under the "Save copies of org data" application protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.

  • If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to the end user.

    The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.

Managed location needed for Office

A managed location (i.e. OneDrive) is needed for Office. Intune marks all data in the app as either "corporate" or "personal". Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business account).

Skype for Business

There are additional requirements to use Skype for Business. See Skype for Business license requirements. For Skype for Business (SfB) hybrid and on-prem configurations, see Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB OnPrem with Azure AD, respectively.

App protection Global policy

If a OneDrive administrator browses to admin.onedrive.com and selects Device access, they can set Mobile application management controls to the OneDrive and SharePoint client apps.

The settings, made available to the OneDrive Admin console, configure a special Intune app protection policy called the Global policy. This global policy applies to all users in your tenant, and has no way to control the policy targeting.

Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are protected with the selected settings by default. An IT Pro can edit this policy in the Intune console to add more targeted apps and to modify any policy setting.

By default, there can only be one Global policy per tenant. However, you can use Intune Graph APIs to create extra global policies per tenant, but doing so isn't recommended. Creating extra global policies isn't recommended because troubleshooting the implementation of such a policy can become complicated.

While the Global policy applies to all users in your tenant, any standard Intune app protection policy will override these settings.

App protection features

Multi-identity support allows an app to support multiple audiences. These audiences are both "corporate" users and "personal" users. Work and school accounts are used by "corporate" audiences, whereas personal accounts would be used for consumer audiences, such as Microsoft Office users. An app that supports multi-identity can be released publicly, where app protection policies apply only when the app is used in the work and school ("corporate") context. Multi-identity support uses the Intune SDK to only apply app protection policies to the work or school account signed into the app. If a personal account is signed into the app, the data is untouched.

For an example of "personal" context, consider a user who starts a new document in Word. This is considered personal context, so Intune App Protection policies are not applied. Once the document is saved on the "corporate" OneDrive account, then it will be considered "corporate" context and Intune App Protection policies will be applied.

For an example of work or "corporate" context, consider a user who starts the OneDrive app by using their work account. In the work context, they can't move files to a personal storage location. Later, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.

Outlook has a combined email view of both "personal" and "corporate" emails. In this situation, the Outlook app prompts for the Intune PIN on launch.

Although Edge is in "corporate" context, the user can intentionally move OneDrive "corporate" context files to an unknown personal cloud storage location. To avoid this, see Manage restricted web sites and configure the allowed/blocked site list for Edge.

For more information about multi-identity in Intune, see MAM and multi-identity.

Intune app PIN

The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.

PIN prompt
Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file. In single-identity apps, such as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is prompted at launch, because the Intune SDK knows the user's experience in the app is always "corporate".

PIN prompt, or corporate credential prompt, frequency
The IT admin can define the Intune app protection policy setting Recheck the access requirements after (minutes) in the Intune admin console. This setting specifies the amount of time before the access requirements are checked on the device, and the application PIN screen, or corporate credential prompt, is shown again. However, important details about PIN that affect how often the user will be prompted are:

  • The PIN is shared among apps of the same publisher to improve usability:
    On iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher. For example, all Microsoft apps share the same PIN. On Android, one app PIN is shared amongst all apps.
  • The Recheck the access requirements after (minutes) behavior after a device reboot:
    A timer tracks the number of minutes of inactivity that determine when to show the Intune app PIN, or corporate credential prompt next. On iOS/iPadOS, the timer is unaffected by device reboot. Thus, device reboot has no effect on the number of minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or corporate credential) policy targeted. On Android, the timer is reset on device reboot. As such, Android apps with Intune PIN (or corporate credential) policy will likely prompt for an app PIN, or corporate credential prompt, regardless of the 'Recheck the access requirements after (minutes)' setting value after a device reboot.
  • The rolling nature of the timer associated with the PIN:
    Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the device, the timer gets reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer has reset. The prompt will show up again once the 'Recheck the access requirements after (minutes)' value is met again.

For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the Recheck the access requirements after (minutes) value is met again for the app that is not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the Recheck the access requirements after (minutes) value is met and the user switches to app B, the PIN would be required.

In order to verify the user's access requirements more often (i.e. PIN prompt), especially for a frequently used app, it is recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.

Built-in app PINs for Outlook and OneDrive
The Intune PIN works based on an inactivity-based timer (the value of Recheck the access requirements after (minutes)). As such, Intune PIN prompts show up independently from the built-in app PIN prompts for Outlook and OneDrive which often are tied to app launch by default. If the user receives both PIN prompts at the same time, the expected behavior should be that the Intune PIN takes precedence.

Intune PIN security
The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end user must sign in with their work or school account before they can set or reset their Intune app PIN. This authentication is handled by Azure Active Directory via secure token exchange and is not transparent to the Intune SDK. From a security perspective, the best way to protect work or school data is to encrypt it. Encryption is not related to the app PIN but is its own app protection policy.

Protecting against brute force attacks and the Intune PIN
As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to authenticate their PIN before locking the app. After the number of attempts has been met, the Intune SDK can wipe the "corporate" data in the app.

Intune PIN and a selective wipe
On iOS/iPadOS, the app level PIN information is stored in the keychain that is shared between apps with the same publisher, such as all first party Microsoft apps. This PIN information is also tied to an end user account. A selective wipe of one app shouldn't affect a different app.

For example, a PIN set for Outlook for the signed in user is stored in a shared keychain. When the user signs into OneDrive (also published by Microsoft), they will see the same PIN as Outlook since it uses the same shared keychain. When signing out of Outlook or wiping the user data in Outlook, the Intune SDK does not clear that keychain because OneDrive might still be using that PIN. Because of this, selective wipes do not clear that shared keychain, including the PIN. This behavior remains the same even if only one app by a publisher exists on the device.

Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a single app, the Intune SDK does not know if there are any other apps on the device with the same publisher. Thus, the Intune SDK does not clear the PIN since it might still be used for other apps. The expectation is that the app PIN should be wiped when the last app from that publisher is eventually removed as part of some OS cleanup.

If you observe the PIN being wiped on some devices, the following is likely happening: Since the PIN is tied to an identity, if the user signed in with a different account after a wipe, they will be prompted to enter a new PIN. However, if they sign in with a previously existing account, a PIN already stored in the keychain can be used to sign in.

Setting a PIN twice on apps from the same publisher?
MAM (on iOS/iPadOS) currently allows an application-level PIN with alphanumeric and special characters (called a 'passcode'), which requires the participation of applications (i.e. WXP, Outlook, Managed Browser, Yammer) to integrate the Intune SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted applications. This was a feature released in the Intune SDK for iOS v. 7.1.12.

In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK. Therefore, if a device has applications with Intune SDK for iOS versions before 7.1.12 AND after 7.1.12 from the same publisher, they will have to set up two PINs. The two PINs (for each app) are not related in any way (i.e. they must adhere to the app protection policy that's applied to the app). As such, only if apps A and B have the same policies applied (with respect to PIN) may the user set up the same PIN twice.

This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with Intune Mobile App Management. Over time, as applications adopt later versions of the Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an example.

For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to 7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an iOS/iPadOS device. If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A. An app D built with 7.1.14 will share the same PIN as app B.
If only apps A and C are installed on a device, then one PIN will need to be set. The same applies if only apps B and D are installed on a device.
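The grouping rule in the note above can be checked against an app inventory. The following is an added example, not Microsoft's or the Intune SDK's code: the inventory format, the publisher name "Contoso", and the exact SDK versions for apps A and B are constructed, and it assumes a single signed-in identity.

```python
from collections import defaultdict

# SDK version from the text: PINs created by 7.1.12 and later are kept
# separately from the numeric PIN of earlier SDK versions.
PASSCODE_SDK = (7, 1, 12)

def parse_sdk(text):
    """'7.1.9' -> (7, 1, 9), padded to three fields; rejects junk input."""
    fields = text.strip().split(".")
    if not 1 <= len(fields) <= 3 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised SDK version: {text!r}")
    nums = [int(f) for f in fields]
    return tuple(nums + [0] * (3 - len(nums)))

def pin_store(sdk):
    """Which of the two PIN stores an app built with this SDK uses."""
    return "new" if parse_sdk(sdk) >= PASSCODE_SDK else "legacy"

def pin_groups(apps):
    """Map (publisher, store) -> names of the apps that share one PIN."""
    groups = defaultdict(list)
    for app in apps:
        groups[(app["publisher"], pin_store(app["sdk"]))].append(app["name"])
    return dict(groups)

def pins_to_set(apps):
    """Number of PINs the user is asked to set for this inventory."""
    return len(pin_groups(apps))

def apps_causing_second_pin(apps):
    """Legacy-SDK apps from publishers that also ship a 7.1.12+ app.

    Rebuilding these against a later SDK removes the second PIN prompt.
    """
    groups = pin_groups(apps)
    found = []
    for (publisher, store), names in groups.items():
        if store == "legacy" and (publisher, "new") in groups:
            found.extend(names)
    return sorted(found)

# Constructed inventory mirroring apps A-D from the note. C and D use the
# versions given in the text; A and B are sample values on each side of
# the 7.1.12 boundary.
A = {"name": "A", "publisher": "Contoso", "sdk": "7.1.11"}
B = {"name": "B", "publisher": "Contoso", "sdk": "7.1.12"}
C = {"name": "C", "publisher": "Contoso", "sdk": "7.1.9"}
D = {"name": "D", "publisher": "Contoso", "sdk": "7.1.14"}

if __name__ == "__main__":
    print(pin_groups([A, B, C, D]))
    print("PINs to set:", pins_to_set([A, B, C, D]))
    print("Upgrade candidates:", apps_causing_second_pin([A, B, C, D]))
```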

App data encryption

IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.

How the Intune data encryption process works
See the Android app protection policy settings and iOS/iPadOS app protection policy settings for detailed information on the encryption app protection policy setting.

Data that is encrypted
Only data marked as "corporate" is encrypted according to the IT administrator's app protection policy. Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations:

  • Email (Exchange)
  • Cloud storage (OneDrive app with a OneDrive for Business account)

For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered "corporate".

Selective wipe

Remotely wipe data
Intune can wipe app data in three different ways:

  • Full device wipe
  • Selective wipe for MDM
  • MAM selective wipe

For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.

Full device wipe removes all user data and settings from the device by restoring the device to its factory default settings. The device is removed from Intune.

Full device wipe and selective wipe for MDM can only be achieved on devices enrolled with Intune mobile device management (MDM).

Selective wipe for MDM
See Remove devices - retire to read about removing company data.

Selective wipe for MAM
Selective wipe for MAM simply removes company app data from an app. The request is initiated using the Intune Azure portal. To learn how to initiate a wipe request, see How to wipe only corporate data from apps.

If the user is using the app when selective wipe is initiated, the Intune SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches the app for the first time and signs in with their work or school account.

When On-Premises (on-prem) services don't work with Intune protected apps
Intune app protection depends on the identity of the user being consistent between the application and the Intune SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may work with an on-prem configuration, but they are neither consistent nor guaranteed.

Secure way to open web links from managed apps
The IT administrator can deploy and set app protection policy for Microsoft Edge, a web browser that can be managed easily with Intune. The IT administrator can require all web links in Intune-managed apps to be opened using a managed browser.

App protection experience for iOS devices

Device fingerprint or face IDs

Intune app protection policies let you restrict app access to the Intune-licensed user only. One of the ways to control access to the app is to require either Apple's Touch ID or Face ID on supported devices. Intune implements a behavior where, if there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.

The intent of this process is to continue keeping your organization's data within the app secure and protected at the app level. This feature is only available for iOS/iPadOS, and requires the participation of applications that integrate the Intune SDK for iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be enforced on the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.

iOS share extension

You can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to managed apps only or no apps. Intune app protection policy cannot control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before it is shared outside the app. You can validate this encryption behavior by attempting to open a "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.

By default, Intune app protection policies will prevent access to unauthorized application content. In iOS/iPadOS, there is functionality to open specific content or applications using Universal Links.

Users can disable an app's Universal Links by visiting them in Safari and selecting Open in New Tab or Open. In order to use Universal Links with Intune app protection policies, it's important to re-enable the Universal Links. The end user would need to do an Open in <app name> in Safari after long pressing a corresponding link. This should prompt any additional protected app to route all Universal Links to the protected application on the device.

Multiple Intune app protection access settings for same set of apps and users

Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a wipe would take precedence, followed by a block, then a dismissible warning. For example, if applicable to the specific user/app, a minimum iOS/iPadOS operating system setting that warns a user to update their iOS/iPadOS version will be applied after the minimum iOS/iPadOS operating system setting that blocks the user from access. So, in the scenario where the IT admin configures the min iOS operating system to and the min iOS operating system (Warning only) to, while the device trying to access the app was on iOS 10, the end user would be blocked based on the more restrictive setting for min iOS operating system version that results in blocked access.

When dealing with different types of settings, an Intune SDK version requirement would take precedence, then an app version requirement, followed by the iOS/iPadOS operating system version requirement. Then, any warnings for all types of settings in the same order are checked. We recommend the Intune SDK version requirement be configured only upon guidance from the Intune product team for essential blocking scenarios.

App protection experience for Android devices

Device biometric authentication

For Android devices that support biometric authentication, you can allow end users to use fingerprint or Face Unlock, depending on what their Android device supports. You can configure whether all biometric types beyond fingerprint can be used to authenticate. Note that fingerprint and Face Unlock are only available for devices that are manufactured to support these biometric types and are running the correct version of Android. Android 6 and higher is required for fingerprint, and Android 10 and higher is required for Face Unlock.

Company Portal app and Intune app protection

Much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For mobile application management without enrollment (MAM-WE), the end user just needs to have the Company Portal app installed on the device.

Multiple Intune app protection access settings for same set of apps and users

Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a block would take precedence, then a dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to take a patch upgrade will be applied after the minimum Android patch version setting that blocks the user from access. So, in the scenario where the IT admin configures the min Android patch version to 2018-03-01 and the min Android patch version (Warning only) to 2018-02-01, while the device trying to access the app was on a patch version 2018-01-01, the end user would be blocked based on the more restrictive setting for min Android patch version that results in blocked access.

When dealing with different types of settings, an app version requirement would take precedence, followed by the Android operating system version requirement and the Android patch version requirement. Then, any warnings for all types of settings in the same order are checked.
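The ordering described in the two "Multiple Intune app protection access settings" passages (iOS/iPadOS and Android) can be modeled as a sort over the failed settings. This is an added sketch, not Intune's implementation: the setting and field names are hypothetical, the Android values are the ones from the scenario above, and the iOS values are constructed.

```python
import re

# Lower rank is handled first: wipe, then block, then dismissible warning.
ACTION_RANK = {"wipe": 0, "block": 1, "warn": 2}

# Order of setting types per platform, as listed in the text.
TYPE_ORDER = {
    "ios": ["sdk_version", "app_version", "os_version"],
    "android": ["app_version", "os_version", "patch_version"],
}

def as_tuple(value):
    """'11.4' -> (11, 4); '2018-03-01' -> (2018, 3, 1)."""
    return tuple(int(part) for part in re.split(r"[.-]", value))

def below(actual, minimum):
    """True when actual < minimum; pads so that '12' equals '12.0'."""
    a, m = as_tuple(actual), as_tuple(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a < m

def evaluate(platform, settings, device):
    """Return (outcome, failed settings as (action, type) in applied order)."""
    order = TYPE_ORDER[platform]
    failed = [s for s in settings if below(device[s["type"]], s["minimum"])]
    # Blocking actions first, each group in the platform's type order,
    # then the warnings in that same type order.
    failed.sort(key=lambda s: (ACTION_RANK[s["action"]], order.index(s["type"])))
    outcome = failed[0]["action"] if failed else "allow"
    return outcome, [(s["action"], s["type"]) for s in failed]

# Android scenario from the text.
ANDROID_PATCH_POLICY = [
    {"type": "patch_version", "action": "warn", "minimum": "2018-02-01"},
    {"type": "patch_version", "action": "block", "minimum": "2018-03-01"},
]

# Constructed iOS policy; these values are illustrative only.
IOS_POLICY = [
    {"type": "os_version", "action": "warn", "minimum": "13.0"},
    {"type": "os_version", "action": "block", "minimum": "12.0"},
    {"type": "app_version", "action": "block", "minimum": "4.2.0"},
    {"type": "sdk_version", "action": "warn", "minimum": "10.0.0"},
]

if __name__ == "__main__":
    print(evaluate("android", ANDROID_PATCH_POLICY,
                   {"patch_version": "2018-01-01"}))
    print(evaluate("ios", IOS_POLICY, {"sdk_version": "9.3.0",
                                       "app_version": "4.1.0",
                                       "os_version": "11.4"}))
```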

Intune app protection policies and Google's SafetyNet Attestation for Android devices

Intune app protection policies provide the capability for admins to require end-user devices to pass Google's SafetyNet Attestation for Android devices. A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune service. How often the service call is made is throttled due to load, thus this value is maintained internally and is not configurable. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the time of conditional launch. If there is no data, access will be allowed provided no other conditional launch checks fail, and a Google Play Service "roundtrip" for determining attestation results will begin in the backend and prompt the user asynchronously if the device has failed. If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a Google Play Service "roundtrip" for determining attestation results will begin and prompt the user asynchronously if the device has failed.

Intune app protection policies and Google's Verify Apps API for Android devices

Intune App Protection Policies provide the capability for admins to require end-user devices to send signals via Google's Verify Apps API for Android devices. The instructions on how to do this vary slightly by device. The general process involves going to the Google Play Store, clicking My apps & games, and then clicking the result of the last app scan, which takes you into the Play Protect menu. Ensure the toggle for Scan device for security threats is switched to on.

Google's SafetyNet Attestation API

Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled devices. Google has developed and maintained this API set for Android apps to adopt if they do not want their apps to run on rooted devices. The Android Pay app has incorporated this, for example. While Google does not share publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have rooted their devices. These users can then be blocked from accessing, or their corporate accounts wiped from their policy enabled apps. Check basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Check basic integrity & certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. Devices that will fail include the following:

  • Devices that fail basic integrity
  • Devices with an unlocked bootloader
  • Devices with a custom system image/ROM
  • Devices for which the manufacturer didn't apply for, or pass, Google certification
  • Devices with a system image built directly from the Android Open Source Program source files
  • Devices with a beta/developer preview system image

See Google's documentation on the SafetyNet Attestation for technical details.

SafetyNet device attestation setting and the 'jailbroken/rooted devices' setting

Google Play Protect's SafetyNet API checks require the end user to be online, at least for the duration of the time when the "roundtrip" for determining attestation results executes. If the end user is offline, the IT admin can still expect a result to be enforced from the jailbroken/rooted devices setting. That being said, if the end user has been offline too long, the Offline grace period value comes into play, and all access to work or school data is blocked once that timer value is reached, until network access is available. Turning on both settings allows for a layered approach to keeping end-user devices healthy, which is important when end users access work or school data on mobile.
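How the last reported attestation result, the jailbroken/rooted devices setting, and the Offline grace period combine at one conditional launch can be traced with a small model. This is an added example and not Intune's code: the function, its parameters, and the `STALE_AFTER` value are hypothetical (the real refresh interval is internal to Intune), and it assumes the admin chose a block action for both settings.

```python
from datetime import datetime, timedelta

# Placeholder: the real interval is maintained by the Intune service and
# is not configurable or published.
STALE_AFTER = timedelta(hours=24)

def launch_decision(now, online, last_online, offline_grace,
                    attestation, rooted, other_checks_ok=True):
    """Model one conditional launch.

    attestation is None (no data yet) or (passed, reported_at).
    rooted is the local result of the jailbroken/rooted devices check.
    Returns (access, start_roundtrip, reason).
    """
    # Offline too long: all access to work data is blocked until the
    # network is available again.
    if not online and now - last_online >= offline_grace:
        return "blocked", False, "offline grace period reached"
    # The jailbroken/rooted setting is enforced even without a network.
    if rooted:
        return "blocked", False, "jailbroken/rooted device"
    if not other_checks_ok:
        return "blocked", False, "other conditional launch check failed"
    # No data: allow, and start the Google Play services roundtrip in
    # the background. The roundtrip needs the device to be online.
    if attestation is None:
        return "allowed", online, "no attestation data"
    passed, reported_at = attestation
    stale = now - reported_at >= STALE_AFTER
    # Fresh or stale, the last reported result decides this launch; a
    # stale result also triggers a new roundtrip, and the user is
    # prompted asynchronously if that one fails.
    access = "allowed" if passed else "blocked"
    age = "stale" if stale else "fresh"
    return access, stale and online, age + " attestation result"

# Constructed timeline for a quick run.
NOW = datetime(2024, 1, 10, 12, 0)
GRACE = timedelta(hours=12)

if __name__ == "__main__":
    print(launch_decision(NOW, True, NOW, GRACE, None, False))
    print(launch_decision(NOW, True, NOW, GRACE,
                          (False, NOW - timedelta(days=3)), False))
    print(launch_decision(NOW, False, NOW - timedelta(hours=13), GRACE,
                          (True, NOW - timedelta(hours=1)), False))
```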

Google Play Protect APIs and Google Play Services

The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to function. Both the SafetyNet device attestation and Threat scan on apps settings require a Google-determined version of Google Play Services to function correctly. Since these are settings that fall in the area of security, the end user will be blocked if they have been targeted with these settings and are not meeting the appropriate version of Google Play Services or have no access to Google Play Services.

Next steps

How to create and deploy app protection policies with Microsoft Intune

Available Android app protection policy settings with Microsoft Intune

Available iOS/iPadOS app protection policy settings with Microsoft Intune

See also

Third-party apps such as the Salesforce mobile app work with Intune in specific ways to protect corporate data. To learn more about how the Salesforce app in particular works with Intune (including MDM app configuration settings), see Salesforce App and Microsoft Intune.