Create and deploy Windows Information Protection (WIP) policy with Intune

You can use Windows Information Protection (WIP) policies with Windows 10 apps to protect apps without device enrollment.

Before you begin

You must understand a few concepts when adding a WIP policy:

List of allowed and exempt apps

  • Protected apps: The apps that must adhere to this policy.

  • Exempt apps: Apps that are exempt from this policy and can access corporate data without restrictions.

Types of apps

  • Recommended apps: A pre-populated list of (mostly Microsoft Office) apps that you can easily import into the policy.
  • Store apps: You can add any app from the Windows Store to the policy.
  • Windows desktop apps: You can add any traditional Windows desktop app to the policy (for example, an .exe or .dll).

Prerequisites

You must configure the MAM provider before you can create a WIP policy. Learn more about how to configure your MAM provider with Intune.

Important

WIP does not support multi-identity; only one managed identity can exist at a time. For more information about the capabilities and limitations of WIP, see Protect your enterprise data using Windows Information Protection (WIP).

Additionally, you need to have the following license and update:

To add a WIP policy

After you set up Intune in your organization, you can create a WIP-specific policy.

Tip

For related information about creating WIP policies for Intune, including available settings and how to configure them, see Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune in the Windows Security documentation library.

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > App protection policies > Create policy.
  3. Add the following values:
    • Name: Type a name (required) for your new policy.
    • Description: (Optional) Type a description.
    • Platform: Choose Windows 10 as the supported platform for your WIP policy.
    • Enrollment state: Choose Without enrollment as the enrollment state for your policy.
  4. Choose Create. The policy is created and appears in the table on the App protection policies pane.

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > App protection policies.
  3. On the App protection policies pane, choose the policy you want to modify. The Intune App Protection pane is displayed.
  4. Choose Protected apps from the Intune App Protection pane. The Protected apps pane opens, showing all apps that are already included in the list for this app protection policy.
  5. Select Add apps. The Add apps information shows you a filtered list of apps. The list at the top of the pane lets you change the list filter.
  6. Select each app that you want to allow to access your corporate data.
  7. Click OK. The Protected apps pane is updated, showing all selected apps.
  8. Click Save.

Add a Store app to your protected apps list

To add a Store app

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > App protection policies.
  3. On the App protection policies pane, choose the policy you want to modify. The Intune App Protection pane is displayed.
  4. Choose Protected apps from the Intune App Protection pane. The Protected apps pane opens, showing all apps that are already included in the list for this app protection policy.
  5. Select Add apps. The Add apps information shows you a filtered list of apps. The list at the top of the pane lets you change the list filter.
  6. From the list, select Store apps.
  7. Enter values for Name, Publisher, Product Name, and Action. Be sure to set the Action value to Allow so that the app will have access to your corporate data.
  8. Click OK. The Protected apps pane is updated, showing all selected apps.
  9. Click Save.

Add a desktop app to your protected apps list

To add a desktop app

  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select Apps > App protection policies.
  3. On the App protection policies pane, choose the policy you want to modify. The Intune App Protection pane is displayed.
  4. Choose Protected apps from the Intune App Protection pane. The Protected apps pane opens, showing all apps that are already included in the list for this app protection policy.
  5. Select Add apps. The Add apps information shows you a filtered list of apps. The list at the top of the pane lets you change the list filter.
  6. From the list, select Desktop apps.
  7. Enter values for Name, Publisher, Product Name, File, Min Version, Max Version, and Action. Be sure to set the Action value to Allow so that the app will have access to your corporate data.
  8. Click OK. The Protected apps pane is updated, showing all selected apps.
  9. Click Save.

WIP Learning

After you add the apps you want to protect with WIP, you need to apply a protection mode by using WIP Learning.

Before you begin

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization's IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before you enforce WIP in "Block" mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, Block.

What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that would have prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Off

WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Note that previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.

Add a protection mode

  1. From the App policy pane, choose the name of your policy, then choose Required settings.

    Screenshot of the Learning mode pane

  2. Select a setting and then choose Save.

Use WIP Learning

  1. Open the Azure portal. Choose All services. Type Intune in the text box filter.

  2. Choose Intune > Apps.

  3. Choose App protection status > Reports > Windows Information Protection learning.

    Once the apps show up in the WIP Learning logging report, you can add them to your app protection policies.

Allow Windows Search Indexer to search encrypted items

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer and controls whether it indexes items that are encrypted, such as files protected by Windows Information Protection (WIP).

This app protection policy option is in the Advanced settings of the Windows Information Protection policy. The app protection policy must be set to the Windows 10 platform, and the app policy Enrollment state must be set to With enrollment.

When the policy is enabled, WIP-protected items are indexed and the metadata about them is stored in an unencrypted location. The metadata includes things like file path and date modified.

When the policy is disabled, WIP-protected items are not indexed and do not show up in the results in Cortana or File Explorer. There may also be a performance impact on the Photos and Groove apps if there are many WIP-protected media files on the device.

Add encrypted file extensions

In addition to setting the Allow Windows Search Indexer to search encrypted items option, you can specify a list of file extensions. Files with these extensions are encrypted when copied from a Server Message Block (SMB) share within the corporate boundary, as defined in the network location list. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list are encrypted.
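The portal steps above (the Store and desktop app fields Name, Publisher, Product Name, File, Min Version, Max Version and Action; the four protection modes; and the encrypted file extension rule) can be expressed as one policy body and sanity-checked before it is submitted. The Python below is an added example, not code from Microsoft or from the Intune product. The Microsoft Graph names it emits (windowsInformationProtectionPolicy, windowsInformationProtectionStoreApp, windowsInformationProtectionDesktopApp, the enforcementLevel values and smbAutoEncryptedFileExtensions) are assumptions recalled from the beta API and must be verified against the current Graph reference before the body is posted; the Contoso app entries and extensions are constructed sample data.

```python
"""Model the WIP app protection policy described on this page and produce a
Graph-style request body with basic validation.  Added example, not Microsoft's
or Intune's own code.  Graph property and enum names are assumptions from the
beta windowsInformationProtectionPolicy resource; verify them before use."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Portal protection mode -> assumed Graph enforcementLevel value.
ENFORCEMENT_LEVELS = {
    "Block": "encryptAuditAndBlock",
    "Allow Overrides": "encryptAuditAndPrompt",
    "Silent": "encryptAndAuditOnly",
    "Off": "noProtection",
}

# Desktop app Min/Max Version accept "*" (any) or a dotted numeric version.
_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


@dataclass
class WipApp:
    """One protected or exempt app entry as entered in the portal."""
    name: str
    publisher: str
    product_name: str
    action: str = "Allow"    # Allow grants access to corporate data; Deny blocks it
    file: str | None = None  # binary name for desktop apps; None for Store apps
    min_version: str = "*"
    max_version: str = "*"

    def to_graph(self) -> dict:
        entry = {
            "displayName": self.name,
            "publisherName": self.publisher,
            "productName": self.product_name,
            "denied": self.action == "Deny",
        }
        if self.file is None:
            entry["@odata.type"] = "#microsoft.graph.windowsInformationProtectionStoreApp"
        else:
            entry["@odata.type"] = "#microsoft.graph.windowsInformationProtectionDesktopApp"
            entry.update(binaryName=self.file, binaryVersionLow=self.min_version,
                         binaryVersionHigh=self.max_version)
        return entry


def validate_app(app: WipApp) -> list[str]:
    """Return the problems found in one app entry (an empty list means usable)."""
    problems = []
    if app.action not in ("Allow", "Deny"):
        problems.append(f"{app.name}: Action must be Allow or Deny")
    for label, value in (("Publisher", app.publisher), ("Product Name", app.product_name)):
        if not value.strip():
            problems.append(f"{app.name}: {label} is required")
    if app.file is not None:
        parsed = {}
        for label, value in (("Min Version", app.min_version), ("Max Version", app.max_version)):
            if value == "*":
                continue
            if _VERSION_RE.match(value):
                parsed[label] = tuple(int(p) for p in value.split("."))
            else:
                problems.append(f"{app.name}: {label} {value!r} is not a dotted version or '*'")
        # A range that matches no version silently leaves the app unprotected.
        if len(parsed) == 2 and parsed["Min Version"] > parsed["Max Version"]:
            problems.append(f"{app.name}: Min Version is greater than Max Version")
    return problems


def build_policy(name, mode, protected, exempt=(), description="",
                 smb_encrypted_extensions=None) -> dict:
    """Assemble the WIP (MAM, without enrollment) policy body."""
    if mode not in ENFORCEMENT_LEVELS:
        raise ValueError(f"unknown protection mode {mode!r}")
    problems = [p for app in (*protected, *exempt) for p in validate_app(app)]
    if problems:
        raise ValueError("; ".join(problems))
    body = {
        "@odata.type": "#microsoft.graph.windowsInformationProtectionPolicy",
        "displayName": name,
        "description": description,
        "enforcementLevel": ENFORCEMENT_LEVELS[mode],
        "protectedApps": [a.to_graph() for a in protected],
        "exemptApps": [a.to_graph() for a in exempt],
    }
    if smb_encrypted_extensions is not None:
        # Assumed shape of a windowsInformationProtectionResourceCollection entry.
        body["smbAutoEncryptedFileExtensions"] = [{
            "displayName": "Encrypted file extensions",
            "resources": [e.lower() for e in smb_encrypted_extensions],
        }]
    return body


def smb_copy_encrypted(body: dict, filename: str):
    """Page rule for a copy from an SMB share inside the corporate boundary:
    no extension list -> existing auto-encryption applies (returned as None);
    list configured -> only files whose extension is listed are encrypted."""
    groups = body.get("smbAutoEncryptedFileExtensions")
    if groups is None:
        return None
    ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return any(ext in g["resources"] for g in groups)


if __name__ == "__main__":
    # Constructed sample entries, not real publisher or product identifiers.
    apps = [WipApp("Contoso Reader", "CN=Contoso Corp", "Contoso.Reader"),
            WipApp("Contoso Notes", "CN=Contoso Corp", "Contoso Notes",
                   file="NOTES.EXE", min_version="1.0", max_version="2.0")]
    print(json.dumps(build_policy("Contoso WIP", "Silent", apps,
                                  smb_encrypted_extensions=[".docx", ".xlsx"]), indent=2))
```

Starting with mode "Silent", as the page recommends, yields an audit-only body; switching the single mode string to "Block" is the final enforcement step once the WIP Learning report confirms the protected apps list is complete. The version check matters because a desktop entry whose Min Version exceeds its Max Version matches nothing, so the app is never treated as protected.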

Deploy your WIP app protection policy

Important

This information applies to WIP without device enrollment.

After you create your WIP app protection policy, you need to deploy it to your organization using MAM.

  1. On the App policy pane, choose your newly created app protection policy, then choose User groups > Add user group.

    A list of user groups, made up of all the security groups in your Azure Active Directory, opens in the Add user group pane.

  2. Choose the group you want your policy to apply to, then choose Select to deploy the policy.

Next steps

To learn more about Windows Information Protection, see Protect your enterprise data using Windows Information Protection (WIP).