Assign apps to groups with Microsoft Intune

After you've added an app to Microsoft Intune, you can assign the app to users and devices. It is important to note that you can assign an app to a device whether or not the device is managed by Intune.

Note

The Available deployment intent is only supported for device groups when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally-enabled (COPE) devices.

The following table lists the various options for assigning apps to users and devices:

| Option | Devices enrolled with Intune | Devices not enrolled with Intune |
| --- | --- | --- |
| Assign to users | Yes | Yes |
| Assign to devices | Yes | No |
| Assign wrapped apps or apps that incorporate the Intune SDK (for app protection policies) | Yes | Yes |
| Assign apps as Available | Yes | Yes |
| Assign apps as Required | Yes | No |
| Uninstall apps | Yes | No |
| Receive app updates from Intune | Yes | No |
| End users install available apps from the Company Portal app | Yes | No |
| End users install available apps from the web-based Company Portal | Yes | Yes |

Note

Currently, you can assign iOS/iPadOS and Android apps (line-of-business and store-purchased apps) to devices that aren't enrolled with Intune.

To receive app updates on devices that aren't enrolled with Intune, device users must go to their organization's Company Portal and manually install app updates.

Assign an app

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Apps > All apps.

  3. In the Apps pane, select the app you want to assign.

  4. In the Manage section of the menu, select Assignments.

  5. Select Add Group to open the Add group pane that is related to the app.

  6. For the specific app, select an assignment type:

    • Available for enrolled devices: Assign the app to groups of users who can install the app from the Company Portal app or website.

    • Available with or without enrollment: Assign this app to groups of users whose devices are not enrolled with Intune. Users must be assigned an Intune license; see Intune Licenses.

    • Required: The app is installed on devices in the selected groups. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.

    • Uninstall: The app is uninstalled from devices in the selected groups if Intune has previously installed the application onto the device via an "Available for enrolled devices" or "Required" assignment using the same deployment. Web links cannot be removed after deployment.

      Note

      For iOS/iPadOS apps only:

      • To configure what happens to managed apps when devices are no longer managed, you can select the intended setting under Uninstall on device removal. For more information, see App uninstall setting for iOS/iPadOS managed apps.
      • If you have created an iOS/iPadOS VPN profile that contains per-app VPN settings, you can select the VPN profile under VPN. When the app is run, the VPN connection is opened. For more information, see VPN settings for iOS/iPadOS devices.

      For Android apps only: If you deploy an Android app as Available with or without enrollment, reporting status will only be available on enrolled devices.

      For Available for enrolled devices: The app is only displayed as available if the user logged in to the Company Portal is the primary user who enrolled the device and the app is applicable to the device.

  7. To select the groups of users that are affected by this app assignment, select Included Groups.

  8. After you have selected one or more groups to include, select Select.

  9. In the Assign pane, select OK to complete the included groups selection.

  10. If you want to exclude any groups of users from being affected by this app assignment, select Exclude Groups.

  11. If you have chosen to exclude any groups, in Select groups, select Select.

  12. In the Add group pane, select OK.

  13. In the app Assignments pane, select Save.

The app is now assigned to the groups that you selected. For more information about including and excluding app assignments, see Include and exclude app assignments.

How conflicts between app intents are resolved

A single group is prevented from being targeted for multiple app assignment intents. However, if a user or a device is a member of multiple groups that are each assigned with different intents, a conflict results. Creating assignment conflicts for applications is not recommended. The information in the following table can help you understand the resulting intent when a conflict occurs:

| Group 1 intent | Group 2 intent | Resulting intent |
| --- | --- | --- |
| User Required | User Available | Required and Available |
| User Required | User Uninstall | Required |
| User Available | User Uninstall | Uninstall |
| User Required | Device Required | Both exist, Intune treats Required |
| User Required | Device Uninstall | Both exist, Intune resolves Required |
| User Available | Device Required | Both exist, Intune resolves Required (Required and Available) |
| User Available | Device Uninstall | Both exist, Intune resolves Available. App shows up in the Company Portal. If the app is already installed (as a required app with previous intent), the app is uninstalled. If the user selects Install from the Company Portal, the app is installed, and the uninstall intent is not honored. |
| User Uninstall | Device Required | Both exist, Intune resolves Required |
| User Uninstall | Device Uninstall | Both exist, Intune resolves Uninstall |
| Device Required | Device Uninstall | Required |
| User Required and Available | User Available | Required and Available |
| User Required and Available | User Uninstall | Required and Available |
| User Required and Available | Device Required | Both exist, Required and Available |
| User Required and Available | Device Uninstall | Both exist, Intune resolves Required (Required and Available) |
| User Available without enrollment | User Required and Available | Required and Available |
| User Available without enrollment | User Required | Required |
| User Available without enrollment | User Available | Available |
| User Available without enrollment | Device Required | Required and Available without enrollment |
| User Available without enrollment | Device Uninstall | Uninstall and Available without enrollment. If the user didn't install the app from the Company Portal, the uninstall is honored. If the user installs the app from the Company Portal, the install is prioritized over the uninstall. |

Note

For managed iOS store apps only, when you add these apps to Microsoft Intune and assign them as Required, the apps are automatically created with both Required and Available intents.

iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device at the time of the device check-in and will also show in the Company Portal app.

When conflicts occur in the Uninstall on device removal setting, the app is not removed from the device when the device is no longer managed.
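The conflict table above can drive an audit that finds users or devices receiving conflicting intents for the same app through several group memberships. This is an added example, not Microsoft's code: it encodes only the table rows for plain User/Device Required, Available and Uninstall intents, and the app names, group names and principal labels are constructed sample data.

```python
from itertools import combinations

U, D = "user", "device"
# Rows from the conflict table above, plain intents only; the "Both exist,
# Intune resolves/treats" wording is dropped and other rows are not encoded.
TABLE = {
    frozenset({(U, "required"), (U, "available")}): "Required and Available",
    frozenset({(U, "required"), (U, "uninstall")}): "Required",
    frozenset({(U, "available"), (U, "uninstall")}): "Uninstall",
    frozenset({(U, "required"), (D, "required")}): "Required",
    frozenset({(U, "required"), (D, "uninstall")}): "Required",
    frozenset({(U, "available"), (D, "required")}): "Required (Required and Available)",
    frozenset({(U, "available"), (D, "uninstall")}): "Available",
    frozenset({(U, "uninstall"), (D, "required")}): "Required",
    frozenset({(U, "uninstall"), (D, "uninstall")}): "Uninstall",
    frozenset({(D, "required"), (D, "uninstall")}): "Required",
}

# Constructed sample data: (app, group, group scope, intent). All names are made up.
ASSIGNMENTS = [
    ("LegacyVPN", "All-Staff", U, "uninstall"),
    ("LegacyVPN", "Field-Devices", D, "required"),
    ("Notes", "All-Staff", U, "available"),
    ("Notes", "Contractors", U, "uninstall"),
]
MEMBERSHIPS = {  # principal = a user paired with the device they enrolled
    "alice/DEV-01": {"All-Staff", "Field-Devices"},
    "bob/DEV-02": {"All-Staff", "Contractors"},
    "carol/DEV-03": {"All-Staff"},
}

def find_conflicts(assignments, memberships):
    """One finding per app, principal and pair of conflicting intents."""
    findings = []
    for app in sorted({a[0] for a in assignments}):
        for principal, groups in sorted(memberships.items()):
            hits = {(scope, intent) for name, group, scope, intent in assignments
                    if name == app and group in groups}
            for pair in combinations(sorted(hits), 2):
                result = TABLE.get(frozenset(pair))  # None: row not encoded here
                # An Uninstall assignment is in the pair but is not the resulting intent.
                lost = (result is not None and result != "Uninstall"
                        and any(intent == "uninstall" for _, intent in pair))
                findings.append({"app": app, "principal": principal, "pair": pair,
                                 "result": result, "uninstall_overridden": lost})
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(ASSIGNMENTS, MEMBERSHIPS):
        print(finding)
```

Findings with `uninstall_overridden` set are the ones to review first, since the removal an administrator assigned does not become the resulting intent.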

Managed Google Play app deployment to unmanaged devices

For Android devices in a non-enrolled App Protection Policy Without Enrollment (APP-WE) deployment scenario, you can use Managed Google Play to deploy store apps and line-of-business (LOB) apps to users. Managed Google Play apps targeted as Available with or without enrollment will appear in the Play Store app on the end user's device, and not in the Company Portal app. End users browse and install apps deployed in this manner from the Play app. Because the apps are being installed from managed Google Play, the end user will not need to alter their device settings to allow app installation from unknown sources, which means the devices will be more secure. If the app developer publishes a new version of an app to Play that was installed on a user's device, the app will be automatically updated by Play.

Steps to assign a Managed Google Play app to unmanaged devices:

  1. Connect your Intune tenant to managed Google Play. If you have already done this in order to manage Android Enterprise work profile, dedicated, fully managed, or corporate-owned work profile devices, you do not need to do it again.
  2. Add apps from managed Google Play to your Intune console.
  3. Target managed Google Play apps as Available with or without enrollment to the desired user group. Required and Uninstall app targeting are not supported for non-enrolled devices.
  4. Assign an App Protection Policy to the user group.
  5. The next time the end user opens the Company Portal app, they will see a message indicating that there are apps available for them in the Play Store app. The user can tap this notification to be brought directly to the Play app to see corporate apps, or they can navigate to the Play Store app separately.
  6. The end user can expand the context menu within the Play Store app and switch between their personal Google account (where they see their personal apps), and their work account (where they will see store and LOB apps targeted to them). End users install the apps by tapping Install in the Play Store app.

When an APP selective wipe is issued in the Intune console, the work account is automatically removed from the Play Store app, and from that point the end user no longer sees work apps in the Play Store app catalog. When the work account is removed from a device, apps installed from the Play Store will remain installed on the device and will not uninstall.

App uninstall setting for iOS managed apps

For iOS/iPadOS devices, you can use the Uninstall on device removal setting to choose what happens to managed apps when the device is unenrolled from Intune or the management profile is removed. This setting only applies to apps after the device is enrolled and apps are installed as managed. The setting cannot be configured for web apps or web links. Only data protected by Mobile Application Management (MAM) is removed after retirement by an App Selective Wipe.

Default values for the setting are prepopulated for new assignments as follows:

| iOS app type | Default setting for "Uninstall on device removal" |
| --- | --- |
| Line-of-business app | Yes |
| Store app | No |
| VPP app | No |
| Built-in app | No |

Note

"Available" assignment types: If you're updating this setting for "available for enrolled devices" or "available with or without enrollment" groups, users who already have the managed app won't get the updated setting until they sync the device with Intune and re-install the app.

Pre-existing assignments: Assignments that existed prior to the introduction of this setting are unmodified and all managed apps will be removed on device removal from management.

Next steps

To learn more about monitoring app assignments, see How to monitor apps.