Manage web access by using Edge for iOS and Android with Microsoft Intune

Edge for iOS and Android is designed to enable users to browse the web and supports multi-identity. Users can add a work account, as well as a personal account, for browsing. There is complete separation between the two identities, which is like what is offered in other Microsoft mobile apps.

Edge for iOS is supported on iOS 12.0 and later. Edge for Android is supported on Android 5 and later.

Note

Edge for iOS and Android doesn't consume settings that users set for the native browser on their devices, because Edge for iOS and Android can't access these settings.

The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that only allows connectivity to Edge for iOS and Android from mobile devices and an Intune app protection policy that ensures the browsing experience is protected.

Note

New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser when required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in Edge for iOS and Android rather than the Managed Browser.

Apply Conditional Access

Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or school content using Edge for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. Details on creating this policy can be found in Require app protection policy for cloud app access with Conditional Access.

  1. Follow Scenario 2: Browser apps require approved apps with app protection policies, which allows Edge for iOS and Android, but blocks other mobile device web browsers from connecting to Office 365 endpoints.

    Note

    This policy ensures mobile users can access all Microsoft 365 endpoints from within Edge for iOS and Android. This policy also prevents users from using InPrivate to access Microsoft 365 endpoints.

With Conditional Access, you can also target on-premises sites that you have exposed to external users via the Azure AD Application Proxy.

Create Intune app protection policies

App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a minimum, must meet the following conditions:

  1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can access and manipulate work or school data within any Microsoft app in a secure fashion.

  2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Edge for iOS or Android.

  3. Determine which framework level meets your requirements. Most organizations should implement the settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and access requirements controls.

For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.

Single sign-on to Azure AD-connected web apps in policy-protected browsers

Edge for iOS and Android can take advantage of single sign-on (SSO) to all web apps (SaaS and on-premises) that are Azure AD-connected. SSO allows users to access Azure AD-connected web apps through Edge for iOS and Android, without having to re-enter their credentials.

SSO requires your device to be registered by either the Microsoft Authenticator app for iOS devices, or the Intune Company Portal on Android. When users have either of these, they are prompted to register their device when they go to an Azure AD-connected web app in a policy-protected browser (this is only true if their device hasn't already been registered). After the device is registered with the user's account managed by Intune, that account has SSO enabled for Azure AD-connected web apps.

Note

Device registration is a simple check-in with the Azure AD service. It doesn't require full device enrollment, and doesn't give IT any additional privileges on the device.

Utilize app configuration to manage the browsing experience

Edge for iOS and Android supports app settings that allow unified endpoint management administrators, such as those using Microsoft Endpoint Manager, to customize the behavior of the app.

App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Intune App Protection Policy (APP) channel. Edge for iOS and Android supports the following configuration scenarios:

  • Only allow work or school accounts
  • General app configuration settings
  • Data protection settings

Important

For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Edge for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of Android Enterprise personally-owned work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements. For example, whether the configuration scenario requires device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

Note

With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to as a Managed Apps App Configuration Policy.

Only allow work or school accounts

Respecting the data security and compliance policies of our largest and highly regulated customers is a key pillar to the Microsoft 365 value. Some companies have a requirement to capture all communications information within their corporate environment, as well as ensure the devices are only used for corporate communications. To support these requirements, Edge for iOS and Android on enrolled devices can be configured to only allow a single corporate account to be provisioned within the app.

You can learn more about configuring the org allowed accounts mode setting here:

This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are not using Microsoft Endpoint Manager, you need to consult with your UEM documentation on how to deploy these configuration keys.

General app configuration scenarios

Edge for iOS and Android offers administrators the ability to customize the default configuration for several in-app settings. This capability is currently only offered when Edge for iOS and Android has an Intune App Protection Policy applied to the work or school account that is signed into the app and the policy settings are delivered only through a managed apps App Configuration Policy.

Important

Edge for Android does not support Chromium settings that are available in Managed Google Play.

Edge supports the following settings for configuration:

  • New Tab Page experiences
  • Bookmark experiences
  • App behavior experiences
  • Kiosk mode experiences

These settings can be deployed to the app regardless of device enrollment status.

New Tab Page experiences

Edge for iOS and Android offers organizations several options for adjusting the New Tab Page experience.

Organization logo and brand color

These settings allow you to customize the New Tab Page for Edge for iOS and Android to display your organization's logo and brand color as the page background.

To upload your organization's logo and color, first complete the following steps:

  1. Within Microsoft Endpoint Manager, navigate to Tenant Administration -> Customization -> Company Identity Branding.
  2. To set your brand's logo, next to Show in header, choose "Organization logo only". Transparent background logos are recommended.
  3. To set your brand's background color, select a Theme color. Edge for iOS and Android applies a lighter shade of the color on the New Tab Page, which ensures the page has high readability.

Next, utilize the following key/value pairs to pull your organization's branding into Edge for iOS and Android:

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandLogo
Value:
  true shows organization's brand logo
  false (default) will not expose a logo

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.BrandColor
Value:
  true shows organization's brand color
  false (default) will not expose a color

Homepage shortcut

This setting allows you to configure a homepage shortcut for Edge for iOS and Android. The homepage shortcut you configure appears as the first icon beneath the search bar when the user opens a new tab in Edge for iOS and Android. The user can't edit or delete this shortcut in their managed context. The homepage shortcut displays your organization's name to distinguish it.

Key: com.microsoft.intune.mam.managedbrowser.homepage
Value:
  Specify a valid URL. Incorrect URLs are blocked as a security measure.
  For example: https://www.bing.com

Multiple top site shortcuts

Similarly to configuring a homepage shortcut, you can configure multiple top site shortcuts on new tab pages in Edge for iOS and Android. The user can't edit or delete these shortcuts in a managed context. Note: you can configure a total of 8 shortcuts, including a homepage shortcut. If you have configured a homepage shortcut, that will override the first top site configured.

Key: com.microsoft.intune.mam.managedbrowser.managedTopSites
Value:
  Specify a set of value URLs. Each top site shortcut consists of a title and URL. Separate the title and URL with the | character.
  For example: GitHub|https://github.com/||LinkedIn|https://www.linkedin.com

Industry news

You can configure the New Tab Page experience within Edge for iOS and Android to display industry news that is relevant to your organization. When you enable this feature, Edge for iOS and Android uses your organization's domain name to aggregate news from the web about your organization, organization's industry, and competitors, so your users can find relevant external news all from the centralized new tab pages within Edge for iOS and Android. Industry News is off by default.

Key: com.microsoft.intune.mam.managedbrowser.NewTabPage.IndustryNews
Value:
  true shows Industry News on the New Tab Page
  false (default) hides Industry News from the New Tab Page

Bookmark experiences

Edge for iOS and Android offers organizations several options for managing bookmarks.

Managed bookmarks

For ease of access, you can configure bookmarks that you'd like your users to have available when they are using Edge for iOS and Android.

  • Bookmarks only appear in the work or school account and are not exposed to personal accounts.
  • Bookmarks can't be deleted or modified by users.
  • Bookmarks appear at the top of the list. Any bookmarks that users create appear below these bookmarks.
  • If you have enabled Application Proxy redirection, you can add Application Proxy web apps by using either their internal or external URL.
  • Ensure that you prefix all URLs with http:// or https:// when entering them into the list.
  • Bookmarks are created in a folder named after the organization's name which is defined in Azure Active Directory.

Key: com.microsoft.intune.mam.managedbrowser.bookmarks
Value:
  The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the | character.
  For example: Microsoft Bing|https://www.bing.com

  To configure multiple bookmarks, separate each pair with the double character ||.
  For example:
  Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com
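
The Title|URL||Title|URL value format shared by managedTopSites and bookmarks is easy to get wrong by hand, so the following added example (not part of the original page or of Microsoft's tooling) parses and checks such a value before it goes into a policy, and works out which New Tab Page shortcuts result when a homepage shortcut is also set. The function names, the org_name parameter and the choice to reject more than 8 shortcuts are assumptions of this example; the http:// or https:// prefix check is the rule the page states for bookmarks, applied here to top sites as well.

```python
"""Check the Title|URL list values used by managedTopSites and bookmarks."""

MAX_SHORTCUTS = 8  # page: a total of 8 shortcuts, including the homepage shortcut


def parse_pairs(value):
    """Split 'Title|URL||Title|URL' into (title, url) tuples.

    Raises ValueError for an entry that is not exactly one title and one URL,
    or whose URL lacks the http:// or https:// prefix.
    """
    pairs = []
    for index, chunk in enumerate(value.split("||"), start=1):
        title, sep, url = chunk.partition("|")
        title, url = title.strip(), url.strip()
        if not sep or not title or not url:
            raise ValueError(f"entry {index}: expected 'Title|URL', got {chunk!r}")
        if "|" in url:
            # A stray single '|' usually means a '||' separator was mistyped.
            raise ValueError(f"entry {index}: extra '|' in {chunk!r}")
        if not url.lower().startswith(("http://", "https://")):
            raise ValueError(f"entry {index}: URL must start with http:// or https://")
        pairs.append((title, url))
    return pairs


def effective_shortcuts(top_sites_value, homepage=None, org_name="Contoso"):
    """Return the New Tab Page shortcuts in display order.

    org_name is a hypothetical stand-in for the organization name that the
    homepage shortcut displays.
    """
    sites = parse_pairs(top_sites_value) if top_sites_value else []
    if homepage:
        if not homepage.lower().startswith(("http://", "https://")):
            raise ValueError("homepage must start with http:// or https://")
        # Page: a configured homepage shortcut overrides the first top site.
        sites = [(org_name, homepage)] + sites[1:]
    if len(sites) > MAX_SHORTCUTS:
        # The page does not say what the app does past 8, so this check rejects it.
        raise ValueError(f"{len(sites)} shortcuts configured, maximum is {MAX_SHORTCUTS}")
    return sites


if __name__ == "__main__":
    # Constructed sample values, taken from the examples on this page.
    top_sites = "GitHub|https://github.com/||LinkedIn|https://www.linkedin.com"
    for title, url in effective_shortcuts(top_sites, homepage="https://www.bing.com"):
        print(f"{title:10} {url}")
```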

My Apps bookmark

By default, users have the My Apps bookmark configured within the organization folder inside Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.MyApps
Value:
  true (default) shows My Apps within the Edge for iOS and Android bookmarks
  false hides My Apps within Edge for iOS and Android

App behavior experiences

Edge for iOS and Android offers organizations several options for managing the app's behavior.

Default protocol handler

By default, Edge for iOS and Android uses the HTTPS protocol handler when the user doesn't specify the protocol in the URL. Generally, this is considered a best practice, but can be disabled.

Key: com.microsoft.intune.mam.managedbrowser.defaultHTTPS
Value:
  true (default) default protocol handler is HTTPS
  false default protocol handler is HTTP

Disable data sharing for personalization

By default, Edge for iOS and Android prompts users for usage data collection and sharing browsing history to personalize their browsing experience. Organizations can disable this data sharing by preventing this prompt from being shown to end users.

Key: com.microsoft.intune.mam.managedbrowser.disableShareUsageData
Value:
  true disables this prompt from displaying to end users
  false (default) users are prompted to share usage data

Key: com.microsoft.intune.mam.managedbrowser.disableShareBrowsingHistory
Value:
  true disables this prompt from displaying to end users
  false (default) users are prompted to share browsing history

Disable specific features

Edge for iOS and Android allows organizations to disable certain features that are enabled by default. To disable these features, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disabledFeatures
Value:
  password disables prompts that offer to save passwords for the end user
  inprivate disables InPrivate browsing

  To disable multiple features, separate values with |. For example, inprivate|password disables both InPrivate and password storage.

Note

Edge for Android does not support disabling the password manager.

Disable extensions

You can disable the extension framework within Edge for Android to prevent users from installing any app extensions. To do this, configure the following setting:

Key: com.microsoft.intune.mam.managedbrowser.disableExtensionFramework
Value:
  true disables the extension framework
  false (default) enables the extension framework

Kiosk mode experiences on Android devices

Edge for Android can be enabled as a kiosk app with the following settings:

Key: com.microsoft.intune.mam.managedbrowser.enableKioskMode
Value:
  true enables kiosk mode for Edge for Android
  false (default) disables kiosk mode

Key: com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode
Value:
  true shows the address bar in kiosk mode
  false (default) hides the address bar when kiosk mode is enabled

Key: com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode
Value:
  true shows the bottom action bar in kiosk mode
  false (default) hides the bottom bar when kiosk mode is enabled

Data protection app configuration scenarios

Edge for iOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied to the work or school account that is signed into the app and the policy settings are delivered only through a managed apps App Configuration Policy:

  • Manage account synchronization
  • Manage restricted web sites
  • Manage proxy configuration
  • Manage NTLM single sign-on sites

These settings can be deployed to the app regardless of device enrollment status.

Manage account synchronization

By default, Microsoft Edge sync enables users to access their browsing data across all their signed-in devices. The data supported by sync includes:

  • Favorites
  • Passwords
  • Addresses and more (autofill form entry)

Sync functionality is enabled via user consent and users can turn sync on or off for each of the data types listed above. For more information see Microsoft Edge Sync.

Organizations have the capability to disable Edge sync on iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.account.syncDisabled
Value:
  true (default) disables Edge sync
  false allows Edge sync

Manage restricted web sites

Organizations can define which sites users can access within the work or school account context in Edge for iOS and Android. If you use an allow list, your users are only able to access the sites explicitly listed. If you use a blocked list, users can access all sites except for those explicitly blocked. You should only impose either an allowed or a blocked list, not both. If you impose both, only the allowed list is honored.

Organizations can also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. If the organization allows it, restricted web sites can be opened in the personal account context or the Azure AD account's InPrivate context; otherwise the site is blocked entirely. For more information on the various scenarios that are supported, see Restricted website transitions in Microsoft Edge mobile. By allowing transitioning experiences, the organization's users stay protected, while keeping corporate resources safe.

Note

Edge for iOS and Android can block access to sites only when they are accessed directly. It doesn't block access when users use intermediate services (such as a translation service) to access the site.

Use the following key/value pairs to configure either an allowed or blocked site list for Edge for iOS and Android.

Key: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value:
  The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe | character.

  Examples:
  URL1|URL2|URL3
  http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.BlockListURLs
Value:
  The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe | character.

  Examples:
  URL1|URL2|URL3
  http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com

Key: com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock
Value:
  true (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts are not disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.

  false prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked.

Key: com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked
Value:
  true allows restricted sites to be opened in the Azure AD account's InPrivate context. If the Azure AD account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switching to the personal account.

  false (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.

  In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true.

Key: com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar
Value:
  Enter the number of seconds that users will see the snack bar notification "Link opened with InPrivate mode. Your organization requires the use of InPrivate mode for this content." By default, the snack bar notification is shown for 7 seconds.

The following sites are always allowed regardless of the defined allow list or block list settings:

  • https://*.microsoft.com/*
  • http://*.microsoft.com/*
  • https://microsoft.com/*
  • http://microsoft.com/*
  • https://*.windowsazure.com/*
  • https://*.microsoftonline.com/*
  • https://*.microsoftonline-p.com/*

URL formats for allowed and blocked site list

You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table.

  • Ensure that you prefix all URLs with http:// or https:// when entering them into the list.

  • You can use the wildcard symbol (*) according to the rules in the following permitted patterns list.

  • A wildcard can only match a portion (e.g., news-contoso.com) or entire component of the hostname (e.g., host.contoso.com) or entire parts of the path when separated by forward slashes (www.contoso.com/images).

  • You can specify port numbers in the address. If you do not specify a port number, the values used are:

    • Port 80 for http
    • Port 443 for https
  • Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and http://www.contoso.com:*/ are not supported.

    | URL | Details | Matches | Does not match |
    |---|---|---|---|
    | http://www.contoso.com | Matches a single page | www.contoso.com | host.contoso.com, www.contoso.com/images, contoso.com/ |
    | http://contoso.com | Matches a single page | contoso.com/ | host.contoso.com, www.contoso.com/images, www.contoso.com |
    | http://www.contoso.com/* | Matches all URLs that begin with www.contoso.com | www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows | host.contoso.com, host.contoso.com/images |
    | http://*.contoso.com/* | Matches all subdomains under contoso.com | developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos | contoso.host.com, news-contoso.com |
    | http://*contoso.com/* | Matches all subdomains ending with contoso.com/ | news-contoso.com, news-contoso.com.com/daily | news-contoso.host.com, news.contoso.com |
    | http://www.contoso.com/images | Matches a single folder | www.contoso.com/images | www.contoso.com/images/dogs |
    | http://www.contoso.com:80 | Matches a single page, by using a port number | www.contoso.com:80 | |
    | https://www.contoso.com | Matches a single, secure page | www.contoso.com | www.contoso.com |
    | http://www.contoso.com/images/* | Matches a single folder and all subfolders | www.contoso.com/images/dogs, www.contoso.com/images/cats | www.contoso.com/videos |
  • The following are examples of some of the inputs that you can't specify:

    • *.com
    • *.contoso/*
    • www.contoso.com/*images
    • www.contoso.com/*images*pigs
    • www.contoso.com/page*
    • IP addresses
    • https://*
    • http://*
    • http://www.contoso.com:*
    • http://www.contoso.com: /*

Manage proxy configuration

You can use Edge for iOS and Android and Azure AD Application Proxy together to give users access to intranet sites on their mobile devices. For example:

  • A user is using the Outlook mobile app, which is protected by Intune. They then click a link to an intranet site in an email, and Edge for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is automatically routed through Application Proxy, to authenticate with any applicable multi-factor authentication and Conditional Access, before reaching the intranet site. The user is now able to access internal sites, even on their mobile devices, and the link in Outlook works as expected.
  • A user opens Edge for iOS and Android on their iOS or Android device. If Edge for iOS and Android is protected with Intune, and Application Proxy is enabled, the user can go to an intranet site by using the internal URL they are used to. Edge for iOS and Android recognizes that this intranet site has been exposed to the user through Application Proxy. The user is automatically routed through Application Proxy, to authenticate before reaching the intranet site.

Before you start:

  • Set up your internal applications through Azure AD Application Proxy.
    • To configure Application Proxy and publish applications, see the setup documentation.
    • Ensure that the user is assigned to the Azure AD Application Proxy app, even if the app is configured with Passthrough pre-authentication type.
  • The Edge for iOS and Android app must have an Intune app protection policy assigned.
  • Microsoft apps must have an app protection policy that has the Restrict web content transfer with other apps data transfer setting set to Microsoft Edge.

Note

Edge for iOS and Android updates the Application Proxy redirection data based on the last successful refresh event. Updates are attempted whenever the last successful refresh event is greater than one hour.

Target Edge for iOS with the following key/value pair, to enable Application Proxy:

Key: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value:

  • true enables Azure AD App Proxy redirection scenarios
  • false (default) prevents Azure AD App Proxy scenarios

Note

Edge for Android does not consume this key. Instead, Edge for Android consumes Azure AD Application Proxy configuration automatically as long as the signed-in Azure AD account has an App Protection Policy applied.

For more information about how to use Edge for iOS and Android and Azure AD Application Proxy in tandem for seamless (and protected) access to on-premises web apps, see Better together: Intune and Azure Active Directory team up to improve user access. This blog post references the Intune Managed Browser, but the content applies to Edge for iOS and Android as well.

Manage NTLM single sign-on sites

Organizations may require users to authenticate with NTLM to access intranet web sites. By default, users are prompted to enter credentials each time they access a web site that requires NTLM authentication, because NTLM credential caching is disabled.

Organizations can enable NTLM credential caching for particular web sites. For these sites, after the user enters credentials and successfully authenticates, the credentials are cached by default for 30 days.

Key: com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe | character.

Examples:
URL1|URL2
http://app.contoso.com/|https://expenses.contoso.com

For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

Key: com.microsoft.intune.mam.managedbrowser.durationOfNTLMSSO
Value: Number of hours to cache credentials, default is 720 hours
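The URL format rules and the pipe-separated NTLMSSOURLs value described above can be checked before a policy is saved. The following is an added example, not Microsoft's code and not Edge's own matcher: it splits a value on | and lints each entry against the rules this page lists. The function names and the sample value are assumptions made for illustration.

```python
import ipaddress
import re

# Scheme, hostname, optional ":port", optional path.
ENTRY = re.compile(r"^https?://([^/:]+)(?::([^/]*))?(/.*)?$")

def lint_entry(entry):
    """Return the problems found in one URL list entry (empty list if none)."""
    m = ENTRY.match(entry)
    if not m:
        return ["must start with http:// or https:// followed by a hostname"]
    host, port, path = m.groups()
    problems = []
    if port is not None and not port.isdigit():
        problems.append("port must be a number; wildcard ports are not supported")
    if not host.strip("*."):
        problems.append("hostname cannot consist only of wildcards")
    try:
        ipaddress.ip_address(host)
        problems.append("IP addresses cannot be specified")
    except ValueError:
        pass  # not an IP literal, which is what the page requires
    for segment in (path or "").split("/"):
        if "*" in segment and segment != "*":
            problems.append(f"wildcard must replace a whole path segment: {segment!r}")
    return problems

def lint_pipe_value(value):
    """Split a pipe-separated value (NTLMSSOURLs format) and lint each entry."""
    results = {entry: lint_entry(entry) for entry in value.split("|")}
    return {entry: found for entry, found in results.items() if found}

if __name__ == "__main__":
    # Constructed sample: the page's valid example plus three entries it disallows.
    sample = ("http://app.contoso.com/|https://expenses.contoso.com|"
              "http://www.contoso.com:*|www.contoso.com/page*|https://*")
    for entry, found in lint_pipe_value(sample).items():
        print(f"{entry}: {'; '.join(found)}")
```

A trailing or doubled | produces an empty entry, which the lint reports as missing its http:// or https:// prefix.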

Deploy app configuration scenarios with Microsoft Endpoint Manager

If you are using Microsoft Endpoint Manager as your mobile app management provider, the following steps allow you to create a managed apps app configuration policy. After the configuration is created, you can assign its settings to groups of users.

  1. Sign into Microsoft Endpoint Manager.

  2. Select Apps and then select App configuration policies.

  3. On the App Configuration policies blade, choose Add and select Managed apps.

  4. On the Basics section, enter a Name, and optional Description for the app configuration settings.

  5. For Public apps, choose Select public apps, and then, on the Targeted apps blade, choose Edge for iOS and Android by selecting both the iOS and Android platform apps. Click Select to save the selected public apps.

  6. Click Next to complete the basic settings of the app configuration policy.

  7. On the Settings section, expand the Edge configuration settings.

  8. If you want to manage the data protection settings, configure the desired settings accordingly:

    • For Application proxy redirection, choose from the available options: Enable, Disable (default).

    • For Homepage shortcut URL, specify a valid URL that includes the prefix of either http:// or https://. Incorrect URLs are blocked as a security measure.

    • For Managed bookmarks, specify the title and a valid URL that includes the prefix of either http:// or https://.

    • For Allowed URLs, specify a valid URL (only these URLs are allowed; no other sites can be accessed). For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

    • For Blocked URLs, specify a valid URL (only these URLs are blocked). For more information on the types of URL formats that are supported, see URL formats for allowed and blocked site list.

    • For Redirect restricted sites to personal context, choose from the available options: Enable (default), Disable.

    Note

    When both Allowed URLs and Blocked URLs are defined in the policy, only the allowed list is honored.

  9. If you want to add additional app configuration settings not exposed in the above policy, expand the General configuration settings node and enter the key/value pairs accordingly.

  10. When you are finished configuring the settings, choose Next.

  11. On the Assignments section, choose Select groups to include. Select the Azure AD group to which you want to assign the app configuration policy, and then choose Select.

  12. When you are finished with the assignments, choose Next.

  13. On the Create app configuration policy Review + Create blade, review the settings configured and choose Create.

The newly created configuration policy is displayed on the App configuration blade.

Use Edge for iOS and Android to access managed app logs

Users with Edge for iOS and Android installed on their iOS or Android device can view the management status of all Microsoft published apps. They can send logs for troubleshooting their managed iOS or Android apps by using the following steps:

  1. Open Edge for iOS and Android on your device.
  2. Type about:intunehelp in the address box.
  3. Edge for iOS and Android launches troubleshooting mode.

For a list of the settings stored in the app logs, see Review client app protection logs.

To see how to view logs on Android devices, see Send logs to your IT admin by email.

Next steps