Troubleshoot mobile application management

This topic provides solutions to common problems that have occurred when using Intune App Protection (also referred to as MAM or mobile application management).

If this information does not solve your problem, see How to get support for Microsoft Intune to find more ways to get help.

Common IT administrator issues

These are common issues an IT administrator may experience when using Intune app protection policies.

| Issue | Description | Resolution |
| --- | --- | --- |
| Policy not applied to Skype for Business | App protection policy without device enrollment, made in the Azure portal, is not applying to the Skype for Business app on iOS/iPadOS and Android devices. | Skype for Business must be set up for modern authentication. Please follow instructions in Enable your tenant for modern authentication to set up modern authentication for Skype. |
| Office app policy not applied | App protection policies are not applying to any supported Office App for any user. | Confirm that the user is licensed for Intune and the Office apps are targeted by a deployed app protection policy. It can take up to 8 hours for a newly deployed app protection policy to be applied. |
| Admin can't configure app protection policy in Azure portal | IT administrator user is unable to configure app protection policies in Azure portal. | The following user roles have access to the Azure portal: Refer to Role-based administration control (RBAC) with Microsoft Intune for help setting up these roles. |
| User accounts missing from app protection policy reports | Admin console reports do not show user accounts to which app protection policy was recently deployed. | If a user is newly targeted by an app protection policy, it can take up to 24 hours for that user to show up in reports as a targeted user. |
| Policy changes not working | Changes and updates to app protection policy can take up to 8 hours to apply. | If applicable, the end-user can log out of the app and log back in to force sync with service. |
| App protection policy not working with DEP | App protection policy is not applying to Apple DEP devices. | Please ensure you are using User Affinity with Apple Device Enrollment Program (DEP). User Affinity is required for any app that requires user authentication under DEP. Refer to Automatically enroll iOS/iPadOS devices with Apple's Device Enrollment Program for more information on iOS/iPadOS DEP enrollment. |
| Data transfer policy not working with iOS/iPadOS | The Allow app to transfer data to other apps and Allow app to receive data from other apps policies do not successfully manage data transfer in iOS/iPadOS. | See How to manage data transfer between iOS/iPadOS apps in Microsoft Intune. |

Common end-user issues

Common end-user issues are broken down in the following categories:

  • Normal usage scenarios: An end-user might experience these scenarios on apps that have an Intune app protection policy. These are not actual issues, but may be perceived as bugs or errors.

  • Normal usage dialogs: These are usage dialogs an end-user might see in apps that have an Intune app protection policy. These messages and dialogs do not indicate an error or bug.

  • Error messages and dialogs: These are error messages and dialogs an end-user might see on apps that have an Intune app protection policy. These often indicate an error was made by the IT administrator or a bug with Intune app protection.

Normal usage scenarios

| Platform | Scenario | Explanation |
| --- | --- | --- |
| iOS | The end-user can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to Managed apps only or No apps. Doesn't this leak data? | Intune app protection policy cannot control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before sharing it outside the app. You can validate this by attempting to open the "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app. |
| iOS | Why is the end-user prompted to install the Microsoft Authenticator app? | This is needed when App Based Conditional Access is applied, see Require approved client app. |
| Android | Why does the end-user need to install the Company Portal app, even if I'm using MAM app protection without device enrollment? | On Android, much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For app protection without enrollment, the end-user just needs to have the Company Portal app installed on the device. |
| iOS/Android | App Protection policy not applied on draft email in the Outlook app | Since Outlook supports both corporate and personal context, it does not enforce MAM on draft email. |
| iOS/Android | App Protection policy not applied on new documents in WXP (Word, Excel, PowerPoint) | Since WXP supports both corporate and personal context, it does not enforce MAM on new documents until they are saved in an identified corporate location like OneDrive. |
| iOS/Android | Apps not allowing Save As to Local Storage when policy is enabled | The App behavior for this setting is controlled by the App Developer. |
| Android | Android has more restrictions than iOS/iPadOS on what "native" apps can access MAM protected content | Android is an open platform and the "native" app association can be changed by the end-user to potentially unsafe apps. Apply Data transfer policy exceptions to exempt specific apps. |
| Android | Azure Information Protection (AIP) can Save as PDF when Save As is prevented | AIP honors the MAM policy for 'Disable printing' when Save as PDF is used. |
| iOS | Opening PDF attachments in Outlook app fails with "Action Not Allowed" | This can occur if the user has not authenticated to Acrobat Reader for Intune, or has used thumbprint to authenticate to their organization. Open Acrobat Reader beforehand and authenticate using UPN credentials. |

Normal usage dialogs

| Platform | Message or dialog | Explanation |
| --- | --- | --- |
| iOS, Android | Sign-in: To protect its data, your organization needs to manage this app. To complete this action, sign in with your work or school account. | The end-user must sign in with their work or school account in order to use this app, which requires an app protection policy. In order for the policy to apply, the user must authenticate against Azure Active Directory. |
| iOS, Android | Restart Required: Your organization is now protecting its data in this app. You need to restart the app to continue. | The app has just received an Intune app protection policy and must restart in order for the policy to apply. |
| iOS, Android | Action Not Allowed: Your organization only allows you to open work or school data in this app. | The IT administrator has set the Allow app to receive data from other apps to Managed apps only. Therefore, the end-user can only transfer data into this app from other apps that have an app protection policy. |
| iOS, Android | Action Not Allowed: Your organization only allows you to transfer its data to other managed apps. | The IT administrator has set the Allow app to transfer data to other apps to Managed apps only. Therefore, the end-user can only transfer data out of this app to other apps that have an app protection policy. |
| iOS, Android | Wipe Alert: Your organization has removed its data associated with this app. To continue, restart the app. | The IT administrator has initiated an app wipe using Intune app protection. |
| Android | Company Portal required: To use your work or school account with this app, you must install the Intune Company Portal app. Click "Go to store" to continue. | On Android, much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For app protection without enrollment, the end-user just needs to have the Company Portal app installed on the device. |

Error messages and dialogs on iOS

| Error message or dialog | Cause | Remediation |
| --- | --- | --- |
| App Not Set Up: This app has not been set up for you to use. Contact your IT administrator for help. | Failure to detect a required app protection policy for the app. | Make sure an iOS app protection policy is deployed to the user's security group and targets this app. |
| Welcome to the Intune Managed Browser: This app works best when managed by Microsoft Intune. You can always use this app to browse the web, and when it is managed by Microsoft Intune you gain access to additional data protection features. | Failure to detect a required app protection policy for the Intune Managed Browser app. The user can still use the app to browse the web, but the app is not managed by Intune. | Make sure an iOS app protection policy is deployed to the user's security group and targets the Intune Managed Browser app. |
| Sign-in Failed: We can't sign you in right now. Please try again later. | Failure to enroll the user with the MAM service after the user attempts to sign in with their work or school account. | Make sure an iOS app protection policy is deployed to the user's security group and targets this app. |
| Account Not Set Up: Your organization has not set up your account to access work or school data. Please contact your IT administrator for help. | The user account does not have an Intune A Direct license. | Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center. |
| Device Non-Compliant: This app cannot be used because you are using a jailbroken device. Contact your IT administrator for help. | Intune detected the user is on a jailbroken device. | Reset the device to default factory settings. Follow these instructions from the Apple support site. |
| Internet Connection Required: You must be connected to the Internet to verify that you can use this app. | The device is not connected to the Internet. | Connect the device to a WiFi or Data network. |
| Unknown Failure: Try restarting this app. If the problem persists, contact your IT administrator for help. | An unknown failure occurred. | Wait a while and try again. If the error persists, create a support ticket with Intune. |
| Accessing Your Organization's Data: The work or school account you specified does not have access to this app. You may have to sign in with a different account. Contact your IT administrator for help. | Intune detects the user attempted to sign in with a second work or school account that is different from the MAM enrolled account for the device. Only one work or school account can be managed by MAM at a time per device. | Have the user sign in with the account whose username is pre-populated by the sign-in screen. You may need to configure the user UPN setting for Intune. Or, have the user sign in with the new work or school account and remove the existing MAM enrolled account. |
| Connection Issue: An unexpected connection issue occurred. Check your connection and try again. | Unexpected failure. | Wait a while and try again. If the error persists, create a support ticket with Intune. |
| Alert: This app can no longer be used. Contact your IT administrator for more information. | Failure to validate the app's certificate. | Make sure the app version is up-to-date. Reinstall the app. |
| Error: This app has encountered a problem and must close. If this error persists, please contact your IT administrator. | Failure to read the MAM app PIN from the Apple iOS Keychain. | Restart the device. Make sure the app version is up-to-date. Reinstall the app. |

Error messages and dialogs on Android

| Dialog/Error message | Cause | Remediation |
| --- | --- | --- |
| App not set up: This app has not been set up for you to use. Contact your IT administrator for help. | Failure to detect a required app protection policy for the app. | Make sure an Android app protection policy is deployed to the user's security group and targets this app. |
| Failed app launch: There was an issue launching your app. Try updating the app or the Intune Company Portal app. If you need help, contact your IT administrator. | Intune detected valid app protection policy for the app, but the app is crashing during MAM initialization. | Make sure the app version is up-to-date. Make sure the Intune Company Portal app is installed and up-to-date on the device. If the error persists, use the Company Portal app to send logs to Intune or create a support ticket. |
| No apps found: There are no apps on this device that your organization allows to open this content. Contact your IT administrator for help. | The user tried to open work or school data with another app, but Intune cannot find any other managed apps that are allowed to open the data. | Make sure an Android app protection policy is deployed to the user's security group and targets at least one other MAM-enabled app that can open the data in question. |
| Sign-in failed: Try to sign in again. If this problem persists, contact your IT administrator for help. | Failure to authenticate the account with which the user attempted to sign in. | Make sure the user signs in with the work or school account that is already enrolled with the Intune MAM service (the first work or school account that was successfully signed in to this app). Clear the app's data. Make sure the app version is up-to-date. Make sure the Company Portal version is up-to-date. |
| Internet connection required: You must be connected to the Internet to verify that you can use this app. | The device is not connected to the Internet. | Connect the device to a WiFi or Data network. |
| Device noncompliant: This app can't be used because you are using a rooted device. Contact your IT administrator for help. | Intune detected the user is on a rooted device. | Reset the device to default factory settings. |
| Account not set up: This app must be managed by Microsoft Intune, but your account has not been set up. Contact your IT administrator for help. | The user account does not have an Intune A Direct license. | Make sure the user's account has an Intune license assigned in the Microsoft 365 admin center. |
| Unable to register the app: This app must be managed by Microsoft Intune, but we were unable to register this app at this time. Contact your IT administrator for help. | Failure to automatically enroll the app with the MAM service when app protection policy is required. | Clear the app's data. Send logs to Intune through the Company Portal app or file a support ticket. For more information, see How to get support for Microsoft Intune. |
