Android app protection policy settings in Microsoft Intune

This article describes the app protection policy settings for Android devices. The policy settings that are described can be configured for an app protection policy on the Settings pane in the Azure portal. There are three categories of policy settings: data protection settings, access requirements, and conditional launch. In this article, the term policy-managed apps refers to apps that are configured with app protection policies.

Important

The Intune Company Portal is required on the device to receive App Protection Policies for Android devices. For more information, see the Intune Company Portal access apps requirements.

The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.

Data protection

Data Transfer

Setting | How to use | Default value

Backup org data to Android backup services
Select Block to prevent this app from backing up work or school data to the Android Backup Service. Select Allow to allow this app to back up work or school data.
Default value: Allow

Send org data to other apps
Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.

There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. For more information, see Data transfer exemptions.

This policy may also apply to Android App Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.

Note

Intune doesn't currently support the Android Instant Apps feature. Intune will block any data connection to or from the app. For more information, see Android Instant Apps in the Android Developer documentation.

If Send org data to other apps is configured to All apps, text data may still be transferred via OS sharing to the clipboard.

Default value: All apps

    Select apps to exempt
This option is available when you select Policy managed apps for the previous option.

    Save copies of org data
Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.

Note:
  • This setting is supported for Microsoft Excel, OneNote, PowerPoint, and Word. It may also be supported by third-party and LOB apps.
  • This setting is only configurable when the setting Send org data to other apps is set to Policy managed apps.
  • This setting will be "Allow" when the setting Send org data to other apps is set to All apps.
  • This setting will be "Block" with no allowed service locations when the setting Send org data to other apps is set to None.
Default value: Allow

      Allow user to save copies to selected services
Users can save to the selected services (OneDrive for Business, SharePoint, and Local Storage). All other services will be blocked.
Default value: 0 selected

    Transfer telecommunications data to
Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
  • None, do not transfer this data between apps: Do not transfer communication data when a phone number is detected.
  • A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
  • Any policy-managed dialer app: Allow any policy-managed dialer app to initiate contact when a phone number is detected.
  • Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
Default value: Any dialer app

      Dialer App Package ID
When a specific dialer app has been selected, you must provide the app package ID.
Default value: Blank

      Dialer App Name
When a specific dialer app has been selected, you must provide the name of the dialer app.
Default value: Blank

Receive data from other apps
Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.

There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

    Open data into Org documents
Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open.

When set to Block, you can configure Allow user to open data from selected services to specify which services are allowed for Org data locations.

Note:
  • This setting is only enforced if the setting Receive data from other apps is set to Policy managed apps.
  • The following apps support this setting:
    • OneDrive 6.14.1 or later.
    • Outlook for Android 4.2039.2 or later.
Default value: Allow

      Allow users to open data from selected services
Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.

Supported services:
  • OneDrive for Business
  • SharePoint Online
  • Camera
Default value: All selected

Restrict cut, copy and paste between other apps
Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

    Cut and copy character limit for any app
Specify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.

Default value = 0

Note: Requires Intune Company Portal version 5.0.4364.0 or later.

Screen capture and Google Assistant
Select Block to block screen capture and the Google Assistant capabilities of the device when using this app. Choosing Allow will also blur the App-switcher preview image when using this app with a work or school account.
Default value: Block

Approved keyboards
Select Require and then specify a list of approved keyboards for this policy.

Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later.
Default value: Not required

    Select keyboards to approve
This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.

To add a keyboard, specify:

  • Name: A friendly name that identifies the keyboard and is visible to the user.
  • Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosokeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.

Note: A user assigned multiple App Protection Policies will be allowed to use only the approved keyboards common to all policies.
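The Package ID rule and the note on multiple policies can be checked before policies are assigned. The following is an added example, not Intune code: the function names, the policy and keyboard names, every package ID other than the page's Contoso one, and the package-name pattern are assumptions or constructed values.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumption: a package ID is two or more dot-separated segments, each
# starting with a letter and containing letters, digits or underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def package_id_from_url(url):
    """Return the package ID carried in the `id` query parameter of a Play store URL."""
    ids = parse_qs(urlparse(url).query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.fullmatch(ids[0]):
        raise ValueError(f"no single valid package ID in {url!r}")
    return ids[0]


def common_keyboards(policies):
    """Return the package IDs approved by every policy in `policies`.

    `policies` maps a policy name to its approved list of
    (friendly name, Play store URL) pairs; every policy is assumed to have
    Approved keyboards set to Require.
    """
    common = None
    for policy, keyboards in policies.items():
        if not keyboards:
            # The page requires at least one approved keyboard per policy.
            raise ValueError(f"{policy}: approved keyboard list is empty")
        ids = {package_id_from_url(url) for _name, url in keyboards}
        common = ids if common is None else common & ids
    return common or set()


PLAY = "https://play.google.com/store/details?id="
# Constructed policies; only the Contoso package ID comes from the page.
POLICIES = {
    "Sales": [("Contoso Keyboard", PLAY + "com.contosokeyboard.android.prod"),
              ("Fabrikam Keys", PLAY + "com.fabrikam.keys")],
    "Finance": [("Contoso Keyboard", PLAY + "com.contosokeyboard.android.prod"),
                ("Northwind Input", PLAY + "com.northwind.input")],
}

if __name__ == "__main__":
    usable = common_keyboards(POLICIES)
    # An empty set would mean no keyboard satisfies every assigned policy.
    print(sorted(usable) or "no keyboard is approved by all policies")
```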

Encryption

Setting | How to use | Default value

Encrypt org data
Choose Require to enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable.

The encryption method is FIPS 140-2 validated; for more information, see OpenSSL FIPS Library and Android Guide.
Default value: Require

    Encrypt org data on enrolled devices
Select Require to enforce encrypting org data with Intune app layer encryption on all devices. Select Not required to not enforce encrypting org data with Intune app layer encryption on enrolled devices.
Default value: Require

Functionality

Setting | How to use | Default value

Sync policy managed app data with native apps
Choose Block to prevent the policy managed apps from saving data to the native Contacts and Calendar apps on the device. If you choose Allow, the app can save data to the native Contacts and Calendar apps on the device, when those features are enabled within the policy managed app.

When you perform a selective wipe to remove work or school data from the app, contacts and calendar data synced directly from the app to the native Contacts and Calendar apps are removed. Any contacts or calendar data synced from the native Contacts or Calendar apps to another external source can't be wiped. Currently, this applies only to the Outlook for iOS and Android app; for more information, see Deploying Outlook for iOS and Android app configuration settings.
Default value: Allow

Printing Org data
Choose Block to prevent the app from printing work or school data. If you leave this setting to Allow, the default value, users will be able to export and print all Org data.
Default value: Allow

Restrict web content transfer with other apps
Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
  • Any app: Allow web links in any app.
  • Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
  • Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
  • Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the Unmanaged browser protocol setting. The web content will be unmanaged in the target browser.
    Note: Requires Intune Company Portal version 5.0.4415.0 or later.


  • Policy-managed browsers
    On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.

    If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge.

    If a policy-managed browser is required, Android App Links are managed by the Allow app to transfer data to other apps policy setting.

    Intune device enrollment
    If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.

    Policy-managed Microsoft Edge
    The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the APP SDK and supports all of its data protection policies, with the exception of preventing:

    • Save-as: The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
    • Contact sync: The Microsoft Edge browser does not save to native contact lists.
    Note: The APP SDK cannot determine if a target app is a browser. On Android devices, other managed browser apps that support the http/https intent are allowed.
Default value: Not configured

    Unmanaged Browser ID
Enter the application ID for a single browser. Web content (http/https links) from policy managed applications will open in the specified browser. The web content will be unmanaged in the target browser.
Default value: Blank

    Unmanaged Browser Name
Enter the application name for the browser associated with the Unmanaged Browser ID. This name will be displayed to users if the specified browser is not installed.
Default value: Blank

Org data notifications
Specify how much org data is shared via OS notifications for org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
  • Block: Do not share notifications.
    • If not supported by the application, notifications will be allowed.
  • Block org data: Do not share org data in notifications. For example, "You have new mail"; "You have a meeting".
    • If not supported by the application, notifications will be blocked.
  • Allow: Shares org data in the notifications.

Note: This setting requires app support:
  • Outlook for Android 4.0.95 or later
  • Teams for Android 1416/1.0.0.2020092202 or later
Default value: Allow

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policies allow data transfer to and from. For example, all Intune-managed apps on Android must be able to transfer data to and from Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.

Full exemptions

These apps and services are fully allowed for data transfer to and from Intune-managed apps.

App/service name | Description
com.android.phone | Native phone app
com.android.vending | Google Play Store
com.android.documentsui | Android Document Picker
com.google.android.webview | WebView, which is necessary for many apps including Outlook.
com.android.webview | WebView, which is necessary for many apps including Outlook.
com.google.android.tts | Google Text-to-speech
com.android.providers.settings | Android system settings
com.android.settings | Android system settings
com.azure.authenticator | Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal | Intune Company Portal

Conditional exemptions

These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.

App/service name | Description | Exemption condition
com.android.chrome | Google Chrome Browser | Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.
com.skype.raider | Skype | The Skype app is allowed only for certain actions that result in a phone call.
com.android.providers.media | Android media content provider | The media content provider is allowed only for the ringtone selection action.
com.google.android.gms; com.google.android.gsf | Google Play Services packages | These packages are allowed for Google Cloud Messaging actions, such as push notifications.
com.google.android.apps.maps | Google Maps | Addresses are allowed for navigation.

For more information, see Data transfer policy exceptions for apps.

Access requirements

Setting | How to use

PIN for access
Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context.

Default value = Require

You can configure the PIN strength using the settings available under the PIN for access section.

    PIN type
Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

Default value = Numeric

Note: Special characters allowed include the special characters and symbols on the Android English language keyboard.

    Simple PIN
Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed.

Default value = Allow

Note: If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter or at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number and one letter and at least one special character in their PIN.

    Select minimum PIN length
Specify the minimum number of digits in a PIN sequence.

Default value = 4

    Fingerprint instead of PIN for access (Android 6.0+)
Select Allow to allow the user to use fingerprint authentication instead of a PIN for app access.

Default value = Allow

Note: This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, are not supported.

On Android, you can let the user prove their identity by using Android fingerprint authentication instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN.

Android personally-owned work profile enrolled devices require registering a separate fingerprint for the Fingerprint instead of PIN for access policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android personally-owned work profile. The separate fingerprint must be registered with the device after the Android personally-owned work profile is created by enrolling in the Company Portal. For more information about personally-owned work profile fingerprints using Android personally-owned work profiles, see Lock your work profile.

    Override fingerprint with PIN after timeout
To use this setting, select Require and then configure an inactivity timeout.

Default value = Require

      Timeout (minutes of inactivity)
Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.

Default value = 30

    PIN reset after number of days
Select Yes to require users to change their app PIN after a set period of time, in days.

When set to Yes, you then configure the number of days before the PIN reset is required.

Default value = No

      Number of days
Configure the number of days before the PIN reset is required.

Default value = 90

    Select number of previous PIN values to maintain
This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.

Default value = 0

    App PIN when device PIN is set
Select Not required to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Default value = Require

Work or school account credentials for access
Choose Require to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.

Default value = Not required

Recheck the access requirements after (minutes of inactivity)
Configure the following setting:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, if an admin turns on PIN and blocks rooted devices in the policy, a user who opens an Intune-managed app must enter a PIN and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.

    This policy setting format supports a positive whole number.

    Default value = 30 minutes

    Note: On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting.

Note

To learn more about how multiple Intune app protection settings configured in the Access section to the same set of apps and users work on Android, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.
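The PIN type, Simple PIN and Select minimum PIN length rules in this section can be expressed as a single validator. This is an added example, not Intune's own code: the function names, the reading of a "simple" window as three identical or three ascending characters, and the use of ASCII punctuation for special characters are assumptions.

```python
import string

# Assumption: ASCII punctuation stands in for the "special characters and
# symbols on the Android English language keyboard" named on the page.
SPECIALS = set(string.punctuation)


def simple_windows(pin, window=3):
    """Return each `window`-character slice that repeats one character or ascends by one."""
    hits = []
    for i in range(len(pin) - window + 1):
        chunk = pin[i:i + window]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        # {0}: one character repeated (111, aaa); {1}: consecutive run (123, abc).
        if steps == {0} or steps == {1}:
            hits.append(chunk)
    return hits


def validate_pin(pin, pin_type="numeric", simple_pin="allow", min_length=4):
    """Return the reasons a PIN is rejected; an empty list means it is accepted.

    Defaults mirror the page: Numeric PIN type, Simple PIN = Allow, length 4.
    """
    if pin_type not in ("numeric", "passcode") or simple_pin not in ("allow", "block"):
        raise ValueError("unknown pin_type or simple_pin value")

    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} characters")

    has_digit = any(c in string.digits for c in pin)
    has_letter = any(c in string.ascii_letters for c in pin)
    has_special = any(c in SPECIALS for c in pin)

    if pin_type == "numeric":
        if any(c not in string.digits for c in pin):
            problems.append("numeric PIN may contain only digits")
    elif simple_pin == "block":
        # Passcode + Simple PIN blocked: number, letter and special character.
        if not (has_digit and has_letter and has_special):
            problems.append("needs a number, a letter and a special character")
    elif not (has_letter or has_special):
        # Passcode + Simple PIN allowed: a letter or a special character.
        problems.append("needs a letter or a special character")

    if simple_pin == "block":
        problems += [f"simple sequence {chunk!r}" for chunk in simple_windows(pin)]
    return problems


if __name__ == "__main__":
    # Constructed sample PINs, including the three the page walks through.
    for pin in ("1235", "1112", "1122", "2468"):
        print(pin, validate_pin(pin, simple_pin="block") or "accepted")
    for pin in ("abcd", "2468", "a1!x9"):
        print(pin, validate_pin(pin, pin_type="passcode", simple_pin="block") or "accepted")
```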

Conditional launch

Configure conditional launch settings to set sign-in security requirements for your app protection policy.

By default, several settings are provided with pre-configured values and actions. You can delete some settings, like the Min OS version. You can also select additional settings from the Select one dropdown.

Setting | How to use

Max PIN attempts
Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a multi-factor authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include:
  • Reset PIN - The user must reset their PIN.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Default value = 5

Offline grace period
The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
  • Block access (minutes) - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Azure Active Directory (Azure AD) so that the app can continue to run.

    此策略设置格式支持正整数。This policy setting format supports a positive whole number.

    默认值 = 720 分钟(12 小时)Default value = 720 minutes (12 hours)
  • 擦除数据(天数) - 经过数天(由管理员定义)的脱机运行后,应用会要求用户连接到网络并重新进行身份验证。Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. 如果用户身份验证成功,则可继续访问其数据,且将重置脱机时间间隔。If the user successfully authenticates, they can continue to access their data and the offline interval will reset. 如果用户未能通过身份验证,则应用会对用户帐户和数据执行选择性擦除。If the user fails to authenticate, the app will perform a selective wipe of the users account and data. 有关详细信息,请参阅如何仅擦除 Intune 托管应用中的企业数据For more information, see How to wipe only corporate data from Intune-managed apps.
此策略设置格式支持正整数。This policy setting format supports a positive whole number.

默认值 = 90 天Default value = 90 days

此项可以出现多次,每个实例支持不同的操作。This entry can appear multiple times, with each instance supporting a different action.
Jailbroken/rooted devices
There is no value to set for this setting. Actions include:
  • Block access - Prevent this app from running on jailbroken or rooted devices. The user can still use this app for personal tasks, but will have to use a different device to access work or school data in this app.
  • Wipe data - The user account that is associated with the application is wiped from the device.

Disabled account
There is no value to set for this setting. Actions include:
  • Block access - When we have confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
  • Wipe data - When we have confirmed the user has been disabled in Azure Active Directory, the app will perform a selective wipe of the user's account and data.

Min OS version
Specify the minimum Android operating system version that is required to use this app. Actions include:
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.

Min app version
Specify a value for the minimum application version. Actions include:
  • Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user is blocked from access if the app version on the device does not meet the requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.

Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.

Min patch version
Require devices to have a minimum Android security patch released by Google. Actions include:
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting supports the date format of YYYY-MM-DD.

Device manufacturer(s)
Specify a semicolon-separated list of manufacturer(s). These values are not case sensitive. Actions include:
  • Allow specified (Block non-specified) - Only devices that match the specified manufacturer can use the app. All other devices are blocked.
  • Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Conditional Launch actions.

SafetyNet device attestation
App protection policies support some of Google Play Protect's APIs. This setting in particular configures Google's SafetyNet Attestation on end user devices. Specify either Basic integrity or Basic integrity and certified devices. Basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. Actions include:
  • Warn - The user sees a notification if the device does not meet Google's SafetyNet Attestation scan based on the value configured. This notification can be dismissed.
  • Block access - The user is blocked from access if the device does not meet Google's SafetyNet Attestation scan based on the value configured.
  • Wipe data - The user account that is associated with the application is wiped from the device.
For commonly asked questions related to this setting, see Frequently asked questions about MAM and app protection.

Require threat scan on apps
App protection policies support some of Google Play Protect's APIs. This setting in particular ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. Actions include:
  • Warn - The user sees a notification if Google's Verify Apps scan on the device is not turned on. This notification can be dismissed.
  • Block access - The user is blocked from access if Google's Verify Apps scan on the device is not turned on.
Results from Google's Verify Apps scan are surfaced in the Potentially Harmful Apps report in the console.

Min Company Portal version
By using the Min Company Portal version, you can specify a minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set values to Block access, Wipe data, and Warn as possible actions when each value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some end users may not prefer a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to utilize if they are on data at the time of the update. Forcing an update and thereby downloading an updated app could result in unexpected data charges at the time of the update. For more information, see Android policy settings.

Max Company Portal version age (days)
You can set a maximum number of days as the age of the Company Portal (CP) version for Android devices. This setting ensures that end users are within a certain range of CP releases (in days). The value must be between 0 and 365 days. When the setting for the devices is not met, the action for this setting is triggered. Actions include Block access, Wipe data, or Warn. For related information, see Android policy settings.

Max allowed device threat level
App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:
  • Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Enable the Mobile Threat Defense connector in Intune for unenrolled devices.

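The value formats for Min OS version, Min patch version and Device manufacturer(s) above can be checked offline before a policy is rolled out, including the case where one setting appears several times with different actions. The following Python is an added example, not Microsoft's or Intune's code: the setting keys, the device dictionary, the sample policy, and the wipe > block > warn precedence are assumptions made for illustration.

```python
from datetime import date

# Assumed precedence when several entries trigger; the page does not state one.
SEVERITY = {"warn": 1, "block": 2, "wipe": 3}

def parse_version(text):
    """Accept major.minor, major.minor.build or major.minor.build.revision."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version format: {text!r}")
    # Pad to four fields so 8.1 and 8.1.0 compare as equal.
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def parse_manufacturers(text):
    """Semicolon-separated list; values are not case sensitive."""
    names = {m.strip().casefold() for m in text.split(";") if m.strip()}
    if not names:
        raise ValueError("manufacturer list is empty")
    return names

def violated(setting, value, device):
    """True when the device fails the requirement (hypothetical setting keys)."""
    if setting == "min_os_version":
        return parse_version(device["os_version"]) < parse_version(value)
    if setting == "min_patch_version":
        # Both sides are parsed as YYYY-MM-DD dates and compared as dates.
        return date.fromisoformat(device["patch_level"]) < date.fromisoformat(value)
    if setting == "device_manufacturers":
        return device["manufacturer"].casefold() not in parse_manufacturers(value)
    raise ValueError(f"unknown setting: {setting}")

def evaluate(policy, device):
    """Return (strictest triggered action or None, [(setting, action), ...])."""
    hits = [(s, a) for s, v, a in policy if violated(s, v, device)]
    worst = max((a for _, a in hits), key=SEVERITY.__getitem__, default=None)
    return worst, hits

# Constructed sample policy: Min OS version appears twice with different actions.
POLICY = [
    ("min_os_version", "9.0", "warn"),
    ("min_os_version", "8.1", "block"),
    ("min_patch_version", "2020-03-01", "block"),
    ("device_manufacturers", "Samsung; Google", "wipe"),
]
```

Malformed values such as a five-field version or an empty manufacturer list raise ValueError, so a typo surfaces when the policy is checked rather than as an unexpected block or wipe on user devices.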