Microsoft Intune App SDK for Android developers testing guide

The Microsoft Intune App SDK for Android testing guide is designed to help you test your Intune-managed Android app.

Demo tenant setup

If you do not already have a tenant with your company, you can create a demo tenant with or without pre-generated data. You must register as a Microsoft partner to access Microsoft CDX. To create a new account:

  1. Navigate to the Microsoft CDX tenant creation site and create a Microsoft 365 Enterprise tenant.
  2. Set up Intune to enable mobile device management (MDM).
  3. Create users.
  4. Create groups.
  5. Assign licenses as appropriate for your testing.

Azure portal policy configuration

Create and assign app protection policies in the Azure portal's Intune blade. You can also create and assign your app configuration policy in the Intune blade.

Note

If your app isn't listed in the Azure portal, you can target it with a policy by selecting the more apps option and providing the package name in the text box.

Test cases

The following test cases provide configuration and confirmation steps. Use these tests to verify your newly integrated Android app.

Required PIN and corporate credentials

You can require a PIN to access corporate resources. Also, you can enforce corporate authentication before users can use managed apps. Here's how:

  1. Set Require PIN for access and Require corporate credentials for access to Yes. For more information, see Android app protection policy settings in Microsoft Intune.
  2. Confirm the following conditions:
    • App launch should present a prompt for PIN input, or for the production user that was used during enrollment with the Company Portal.
    • Failure to present a valid sign-in prompt might be due to an incorrectly configured Android manifest, specifically the values for Azure Active Directory Authentication Library (ADAL) integration (SkipBroker, ClientID, and Authority).
    • Failure to present any prompt might be due to an incorrectly integrated MAMActivity value. For more information about MAMActivity, see Microsoft Intune App SDK for Android developer guide.

Note

If the preceding test isn't working, the following tests will likely also fail. Review SDK and ADAL integration.
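
As an added example (not from the original guide or the Intune SDK), the following script audits an AndroidManifest.xml for the three ADAL values named above. It assumes the app declares all three as `<meta-data>` entries under the `com.microsoft.intune.mam.aad.` prefix; the sample manifests are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: meta-data name prefix, not stated on this page.
PREFIX = "com.microsoft.intune.mam.aad."
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# One validator per value the guide names.
CHECKS = {
    "SkipBroker": lambda v: v in ("true", "false"),
    "ClientID": lambda v: bool(GUID.match(v)),
    "Authority": lambda v: v.startswith("https://"),
}

def audit_manifest(xml_text):
    """Return sorted findings; an empty list means all three values look sane."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["no <application> element"]
    found = {}
    for md in app.findall("meta-data"):
        name = md.get(ANDROID + "name", "")
        if name.startswith(PREFIX):
            found[name[len(PREFIX):]] = md.get(ANDROID + "value", "").strip()
    findings = []
    for key, is_valid in CHECKS.items():
        value = found.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif value.startswith("@"):
            # Resource reference: cannot be resolved from the manifest alone.
            findings.append(f"{key}: resource reference {value}, check resolved value")
        elif not is_valid(value):
            findings.append(f"{key}: malformed value {value!r}")
    return sorted(findings)

# Constructed sample manifests (not from a real app).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>'
_TAIL = "</application></manifest>"
_MD = '<meta-data android:name="com.microsoft.intune.mam.aad.{}" android:value="{}"/>'
GOOD = _HEAD + _MD.format("SkipBroker", "true") \
    + _MD.format("ClientID", "00000000-1111-2222-3333-444444444444") \
    + _MD.format("Authority", "https://login.microsoftonline.com/common") + _TAIL
BAD = _HEAD + _MD.format("SkipBroker", "@bool/skip_broker") \
    + _MD.format("ClientID", "not-a-guid") + _TAIL

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, audit_manifest(doc) or "ok")
```

Run it against the source manifest before building; values supplied through resource references are flagged so they can be checked in the merged manifest instead.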

Restrict transferring and receiving data with other apps

You can control data transfer between corporate managed applications, as follows:

  1. Set Allow app to transfer data to other apps to Policy-managed apps.
  2. Set Allow app to receive data from other apps to All apps.

Use of intents and content providers is affected by these policies.

  3. Confirm the following conditions:
    • Opening from an unmanaged app into your app functions correctly.
    • Sharing content between your app and managed apps is allowed.
    • Sharing from your app to non-managed apps (for example, Chrome) is blocked.

Restrict receiving data from other apps

  1. Set Send org data to other apps to All apps.
  2. Set Receive data from other apps to Policy managed apps.
  3. Confirm the following conditions:
    • Sending to an unmanaged app from your app functions correctly.
    • Sharing content between your app and managed apps is allowed.
    • Sharing from non-managed apps (for example, Chrome) to your app is blocked.

If your app requires integrated 'open from' controls, you can control open from functionality as follows:

  1. Set Receive data from other apps to Policy managed apps.
  2. Set Open data into org documents to Block.
  3. Confirm the following conditions:
    • Opening is restricted to only appropriate managed locations.

Restrict cut, copy, and paste

You can restrict the system clipboard to managed applications, as follows:

  1. Set Restrict cut, copy, and paste with other apps to Policy managed with paste in.
  2. Confirm the following conditions:
    • Copying text from your app into an unmanaged app (for example, Messages) is blocked.

Prevent save

If your app requires integrated Save As controls, you can control Save As functionality, as follows:

  1. Set Prevent 'Save As' to Yes.
  2. Confirm the following conditions:
    • Save is restricted to only appropriate managed locations.

File encryption

You can encrypt data on the device, as follows:

  1. Set Encrypt app data to Yes.
  2. Confirm the following conditions:
    • Normal application behavior isn't affected.

Prevent Android backups

You can control app backup, as follows:

  1. If you have set integrated backup restrictions, set Prevent Android backups to Yes.
  2. Confirm the following conditions:
    • Backups are restricted.

Wipe

You can remotely wipe corporate email and documents from managed apps. Personal data is decrypted when it's no longer administered. Here's how:

  1. From the Azure portal, issue a wipe.
  2. If your app doesn't register for any wipe handlers, confirm the following conditions:
    • A full wipe of the app occurs.
  3. If your app has registered for WIPE_USER_DATA or WIPE_USER_AUXILIARY_DATA, confirm the following conditions:

Multi-identity support

Integrating multi-identity support is a high-risk change that needs to be thoroughly tested. The most common issues occur because of improperly setting the active identity (Context vs. thread level) or improperly tracking file identities (MAMFileProtectionManager).

Minimally, confirm that:

  • Save As policy is working correctly for managed identities.
  • Copy and paste restrictions are correctly enforced from managed to personal.
  • Only data belonging to the managed identity is encrypted, and personal files are not modified.
  • Selective wipe during unenrollment only removes the managed identity data.
  • The end user is prompted for conditional launch when changing from an unmanaged to a managed account (first time only).

App configuration (optional)

You can configure behavior of managed apps. If your app consumes any app configuration settings, you should test that your app correctly handles all values that you (as the admin) can set. You can create and assign app configuration policies in Intune.