Troubleshooting app protection policy deployment in Intune

Introduction

This article helps you understand and troubleshoot problems that occur when you apply app protection policies in Microsoft Intune. Follow the sections that apply to your situation.

Basic steps

Collect initial data

Before you begin troubleshooting, collect some basic information that helps you understand the problem and shortens the time to find a resolution.

Collect the following information:

  • What policy setting isn't applied? Is any policy applied at all?
  • What is the user experience? Have users installed and started the targeted app?
  • When did the problem start? Has app protection ever worked?
  • Which platform (Android or iOS) has the problem?
  • How many users are affected? Are all users or only some users affected?
  • How many devices are affected? Are all devices or only some devices affected?
  • Although Intune app protection policy doesn't require a mobile device management (MDM) service, are affected users using Intune or a third-party EMM?
  • Are all managed apps or only specific apps affected? For example, are LOB apps that include the Intune App SDK affected while store apps are not?

Now you can start troubleshooting based on the answers to these questions.

Verify prerequisites

The next step in troubleshooting is to check whether all prerequisites are met.

Although you can use Intune app protection policies independently of any MDM solution, the following prerequisites must be met:

  • The user must have an Intune license assigned.

  • The user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app that's used.

  • For Android devices, the Company Portal app is required to receive app protection policies.

  • If you use the Word, Excel, or PowerPoint apps, the following additional requirements must be met:

    • The user must have a license for Microsoft 365 Apps for business or enterprise linked to the user's Azure Active Directory (Azure AD) account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in the Microsoft 365 admin center by following these instructions.
    • The user must have a managed location that's configured by using the granular Save as functionality. This setting is located under the Save Copies of Org Data app protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the user's Word, Excel, or PowerPoint app.
    • If the managed location is OneDrive, the app must be targeted by the app protection policy that's deployed to the user.

    Note

    The Office mobile apps currently support only SharePoint Online, not SharePoint on-premises.

  • If you use Intune app protection policies together with on-premises resources (Microsoft Skype for Business and Microsoft Exchange Server), you must enable Hybrid Modern Authentication (HMA) for Skype for Business and Exchange.

Intune app protection policies require that the identity of the user is consistent between the app and the Intune App SDK. The only way to guarantee this consistency is through modern authentication. There are scenarios in which apps may work in an on-premises configuration without modern authentication, but the outcomes are not consistent or guaranteed.

For more information about how to enable HMA for Skype for Business hybrid and on-premises configurations, see the following articles:

Check app protection policy status

To check your app protection status, follow these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > Monitor > App protection status, and then select the Assigned users tile.
  3. On the App reporting page, select Select user to bring up a list of users and groups.
  4. Search for and select one of the affected users from the list, and then select Select user. At the top of the App reporting pane, you can see whether the user is licensed for app protection and has a license for Microsoft 365. You can also see the app status for all the user's devices.
  5. Make a note of important information such as the targeted apps, device types, policies, device check-in status, and last sync time.

Note

App protection policies are applied only when apps are used in the work context, for example, when the user accesses apps by using a work account.

For more information, see How to validate your app protection policy setup in Microsoft Intune.

Verify that user identity is consistent between the app and the Intune App SDK

In most scenarios, users sign in to their accounts by using their user principal name (UPN). However, in some environments (such as on-premises scenarios), users might use some other form of sign-in credentials. In these cases, you might find that the UPN that's used in the app doesn't match the UPN object in Azure AD. When this happens, app protection policies aren't applied as expected.

Microsoft's recommended best practice is to match the UPN to the primary SMTP address. This practice lets users sign in to managed apps, Intune app protection, and other Azure AD resources with a consistent identity. For more information, see Azure AD UserPrincipalName population.

If your environment requires alternative sign-in methods, see Configuring Alternate Login ID, specifically Hybrid Modern Authentication with Alternate-ID.
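As an added example (not part of the Microsoft article), the following check flags users whose UPN differs from the primary SMTP address, the mismatch that the section above describes. The user records and the proxyAddresses format (uppercase "SMTP:" marks the primary address) are constructed sample data standing in for a directory export.

```python
"""Flag directory users whose UPN does not match the primary SMTP address.

Added example, not part of the Microsoft article. The records below are
constructed; in practice they would come from a directory export of the
userPrincipalName and proxyAddresses attributes.
"""
from typing import Optional

# Constructed sample export. The entry with the uppercase "SMTP:" prefix is
# the primary SMTP address; lowercase "smtp:" entries are aliases.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example",
     "proxyAddresses": ["SMTP:alice@contoso.example", "smtp:a.smith@contoso.example"]},
    {"userPrincipalName": "bob@corp.contoso.local",
     "proxyAddresses": ["smtp:bob@corp.contoso.local", "SMTP:bob@contoso.example"]},
    {"userPrincipalName": "Carol@contoso.example",
     "proxyAddresses": ["SMTP:carol@contoso.example"]},
    {"userPrincipalName": "dave@contoso.example",
     "proxyAddresses": []},
]


def primary_smtp(proxy_addresses: list) -> Optional[str]:
    """Return the primary SMTP address (the 'SMTP:' entry), or None if absent."""
    for entry in proxy_addresses:
        prefix, _, address = entry.partition(":")
        if prefix == "SMTP":  # case-sensitive: only uppercase marks the primary
            return address
    return None


def find_upn_mismatches(users: list) -> list:
    """Return one finding per user whose UPN differs from the primary SMTP address.

    The comparison is case-insensitive, because neither value is case-sensitive
    for sign-in. A user with no primary SMTP address is reported rather than
    silently skipped, since the recommendation cannot be verified for them.
    """
    findings = []
    for user in users:
        upn = user["userPrincipalName"]
        smtp = primary_smtp(user.get("proxyAddresses", []))
        if smtp is None:
            findings.append({"upn": upn, "primarySmtp": None, "reason": "no primary SMTP address"})
        elif upn.casefold() != smtp.casefold():
            findings.append({"upn": upn, "primarySmtp": smtp, "reason": "UPN differs from primary SMTP"})
    return findings


if __name__ == "__main__":
    for f in find_upn_mismatches(SAMPLE_USERS):
        print(f"{f['upn']}: {f['reason']} (primary SMTP: {f['primarySmtp']})")
```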

Verify that the user is targeted

Intune app protection policies must be targeted to users. If you don't assign an app protection policy to a user or user group, the policy isn't applied.

To verify that the policy is applied to the targeted user, follow these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > Monitor > App protection status, and then select the User status tile (based on device OS platform). On the App reporting pane that opens, select Select user to search for a user.
  3. Select the user from the list. You can see the details for that user.

When you assign the policy to a user group, make sure that the user is in that group. To do this, follow these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Groups > All groups, and then search for and select the group that's used for your app protection policy assignment.
  3. Under the Manage section, select Members.
  4. If the affected user isn't listed, review Manage app and resource access using Azure Active Directory groups and your group membership rules. Make sure that the affected user is included in the group.
  5. Make sure that the affected user isn't in any of the excluded groups for the policy.

Important

  • The Intune app protection policy must be assigned to user groups, not device groups.
  • If the affected device uses Apple Device Enrollment Program (DEP), make sure that User Affinity is enabled. User Affinity is required for any app that requires user authentication under DEP.
  • If the affected device uses Android Enterprise, only work profiles support app protection policies.

Verify that the managed app is targeted

When you configure Intune app protection policies, the targeted apps must use the Intune App SDK. Otherwise, app protection policies may not work correctly.

Make sure that the targeted app is listed in Microsoft Intune protected apps. For LOB or custom apps, verify that the apps use the latest version of the Intune App SDK. Note the following:

For iOS, this practice is important because each version contains fixes that affect how these policies are applied and how they function. For more information, see Intune App SDK iOS releases. For Android, this practice isn't as important. However, users must have the latest version of the Company Portal app installed because the Company Portal app works as the policy broker agent.

Note

Starting in September 2019, Intune will move to support iOS apps that have Intune App SDK 8.1.1 and later versions. Apps built by using SDK versions earlier than 8.1.1 will no longer be supported.

More information

Special requirements for Intune MDM-managed devices

When you create an app protection policy, you can target it to all app types or to the following app types:

  • Apps on unmanaged devices
  • Apps on Intune-managed devices
  • Apps in the Android Work Profile

Note

To specify the app types, set Target to all app types to No, and then select from the App types list.

For iOS, the following additional app configuration settings are required to target app protection policy (APP) settings to apps on Intune-enrolled devices:

  • IntuneMAMUPN must be configured for all MDM-managed applications (Intune or a third-party EMM). For more information, see Configure user UPN setting for Microsoft Intune or third-party EMM.
  • IntuneMAMDeviceID must be configured for all third-party and LOB MDM-managed applications.
  • IntuneMAMDeviceID must be configured as the device ID token. For example, key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see Add app configuration policies for managed iOS devices.
  • If only the IntuneMAMDeviceID value is configured, Intune APP treats the device as unmanaged.
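As an added example (not part of the Microsoft article), the following check audits the app configuration settings of iOS apps against the four requirements listed above, including the case where only IntuneMAMDeviceID is set and the device is therefore treated as unmanaged. The policy data is constructed; the key names and the {{deviceID}} token come from the article, while the {{userprincipalname}} token used for IntuneMAMUPN is an assumption here.

```python
"""Audit iOS app configuration settings for the keys Intune APP needs on enrolled devices.

Added example, not part of the Microsoft article. The sample policies are
constructed. IntuneMAMUPN, IntuneMAMDeviceID and the {{deviceID}} token come
from the article; the {{userprincipalname}} token is assumed.
"""

UPN_TOKEN = "{{userprincipalname}}"   # assumed expected value for IntuneMAMUPN
DEVICE_ID_TOKEN = "{{deviceID}}"      # expected value for IntuneMAMDeviceID (from the article)


def check_ios_app_config(app_name: str, settings: dict, third_party_or_lob: bool) -> list:
    """Return a list of problems found in one app's configuration settings.

    settings maps configuration key -> value as entered in the policy.
    third_party_or_lob is True for third-party or LOB apps, which additionally
    require IntuneMAMDeviceID; other MDM-managed apps need only IntuneMAMUPN.
    """
    problems = []
    has_upn = "IntuneMAMUPN" in settings
    has_device_id = "IntuneMAMDeviceID" in settings

    if not has_upn:
        problems.append(f"{app_name}: IntuneMAMUPN is missing (required for every MDM-managed app)")
        if has_device_id:
            # Only IntuneMAMDeviceID is set: Intune APP treats the device as unmanaged.
            problems.append(f"{app_name}: only IntuneMAMDeviceID is set, device will be treated as unmanaged")
    elif settings["IntuneMAMUPN"] != UPN_TOKEN:
        problems.append(f"{app_name}: IntuneMAMUPN should be the token {UPN_TOKEN}, found {settings['IntuneMAMUPN']!r}")

    if third_party_or_lob:
        if not has_device_id:
            problems.append(f"{app_name}: IntuneMAMDeviceID is missing (required for third-party and LOB apps)")
        elif settings["IntuneMAMDeviceID"] != DEVICE_ID_TOKEN:
            problems.append(f"{app_name}: IntuneMAMDeviceID must be the token {DEVICE_ID_TOKEN}, found {settings['IntuneMAMDeviceID']!r}")
    return problems


# Constructed sample policies: (app name, settings, is third-party or LOB).
SAMPLE_POLICIES = [
    ("Contoso Expenses (LOB)", {"IntuneMAMUPN": UPN_TOKEN, "IntuneMAMDeviceID": DEVICE_ID_TOKEN}, True),
    ("Third-party CRM", {"IntuneMAMDeviceID": "A1B2C3"}, True),   # literal ID, no UPN key
    ("Microsoft Outlook", {"IntuneMAMUPN": UPN_TOKEN}, False),
]


def audit_policies(policies) -> dict:
    """Run the check over every (app, settings, third_party_or_lob) tuple."""
    return {name: check_ios_app_config(name, settings, lob) for name, settings, lob in policies}


if __name__ == "__main__":
    for app, problems in audit_policies(SAMPLE_POLICIES).items():
        print(app, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```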

Scenario: Policy changes are not working

The Intune App SDK checks regularly for policy changes. However, this process may be delayed for any of the following reasons:

  • The app hasn't checked in with the service.
  • The Company Portal app has been removed from the device.

Intune app protection policy relies on user identity. Therefore, a valid sign-in to the app with a work or school account and a consistent connection to the service are required. If the user hasn't signed in to the app, or the Company Portal app has been removed from the device, policy updates won't apply.

Additionally, changes and updates to app protection policy can take up to 8 hours to apply. If applicable, closing all apps and restarting the device usually forces the policy update to apply sooner.

To check app protection status, follow these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > Monitor > App protection status, and then select the Assigned users tile.
  3. On the App reporting page, select Select user to open a list of users and groups.
  4. Search for and select one of the affected users from the list, and then select Select user.
  5. Review the policies that are currently applied, including the status and last sync time.
  6. If the status is Not checked in, or if the display indicates that there hasn't been a recent sync, check whether the user has a consistent network connection. For Android users, make sure that they have the latest version of the Company Portal app installed.

Important

The Intune App SDK checks every 30 minutes for selective wipe. However, changes to existing policy for users who are already signed in may not appear for up to 8 hours. To speed up this process, have the user sign out of the app and then sign back in, or restart the device.

Intune app protection policy includes multi-identity support. Intune can apply app protection policies only to the work or school account that's signed in to the app. However, only one work or school account per device is supported.

Scenario: The policy is applied, but iOS users can still transfer work files to unmanaged apps

The Open-in management (Open-in button) feature for iOS devices can limit file transfers between apps that are deployed through the MDM channel. Depending on the configuration, the user may be able to transfer work files from managed locations such as OneDrive and Exchange to unmanaged apps or locations. The iOS Open-in management feature works outside other data transfer methods, so it isn't affected by the Save as and Copy/Paste settings.

You can use Intune app protection policies together with the iOS Open-in management feature to protect company data in the following ways:

  • Employee-owned devices that are not managed by an MDM solution: You can set the app protection policy setting to Allow app to transfer data to only Policy Managed apps. Configured in this way, the Open-in behavior in a policy-managed app offers only other policy-managed apps as sharing options. For example, if a user tries to send a protected file from OneDrive as an attachment in the native mail app, that file is unreadable.

  • Devices that are managed by MDM solutions: For devices that are enrolled in Intune or a third-party MDM solution, data sharing between apps that use app protection policies and other managed iOS apps that are deployed through MDM is controlled by Intune APP and by the iOS Open-in management feature.

    To make sure that apps you deploy by using an MDM solution are also associated with your Intune app protection policies, configure the user UPN setting as described in Configure user UPN setting.

    To specify how data may be transferred to other apps, enable Send Org data to other apps, and then select your preferred level of sharing.

    To specify how an app may receive data from other apps, enable Receive data from other apps, and then select your preferred level of receiving data.

For more information about how to receive and share app data, see Data relocation settings.

For more information, see How to manage data transfer between iOS apps in Microsoft Intune.

References

If you're still looking for a solution to a related problem, or for more information about Intune, post a question in our Microsoft Intune forum. Many support engineers, MVPs, and members of our development team visit the forums, so there's a good chance that you can find someone who has the information that you need.

To open a support request for the Microsoft Intune product support team, see How to get support for Microsoft Intune.

For more information about Intune app protection policy, see the following articles:

For all the latest news, information, and tech tips, go to our official blogs:

Next steps