Manage Android work profile devices with Intune

Android Enterprise offers a set of enrollment options that provide users with the most up-to-date and secure features. Enrolling with an Android Enterprise work profile enables a set of features and services that separate personal apps and data from work apps and data. It also provides additional management capabilities and privacy when people use their personal Android devices for work.

Supported devices

Android Enterprise management capabilities rely upon features that are part of more recent Android operating systems. For devices that do not support Android Enterprise, conventional Android management remains available. For more information, see Android Enterprise requirements.


Before enrolling Android Enterprise work profile devices, you must complete some onboarding steps. These steps establish a connection between your Intune tenant and Managed Google Play. For more information, see Enable enrollment of Android Enterprise work profile devices.

Work profile management

When you manage an Android Enterprise work profile device with Intune, you don't manage the entire device. Management capabilities only affect the work profile that is created on the device during enrollment. Any apps deployed to the device with Intune are installed in the work profile. App icons in the work profile are differentiated from personal apps on the device. All Android apps and data outside the Android Enterprise portion of the device remain personal and under the control of the end user. Users can install any app they choose on the personal side of the device. Administrators can manage and monitor apps and actions scoped to the work profile.

Intune supplies a range of built-in general settings that you can configure on Android work profile devices. For more information, see Android work profile device policy settings.

App publishing and distribution

Managed Google Play is an integral part of Android Enterprise app distribution and management. All apps deployed to the work profile on Android Enterprise work profile devices come from the Managed Google Play service. To manage and deploy apps in the Play Store, you sign in to the Google Play website with your company's administrator credentials for Google management. You can approve apps for Android Enterprise deployment to have them appear in devices' work profiles. These apps then sync to the Intune console, where they can be deployed and managed using Intune. Line-of-business (LOB) apps developed by your organization must be published to Managed Google Play using Google's Android app publishing console. Line-of-business apps must be configured in the Android app publishing console to restrict access to your organization.

Apps can be installed without user interaction and without requiring that the user allow installation from Unknown Sources. To browse and install optional or available apps, the user can browse the Play for Work store on their device. For more information, see Assign apps to Android Enterprise work profile devices with Intune.

App configuration

Android Enterprise provides infrastructure for deploying app configuration values to apps that support them. By specifying configuration values for work apps, you ensure they are properly set when users launch the app for the first time. Support for app configuration requires that app developers create their Android apps specifically to support managed configuration values. If they do, you can use Intune to specify and apply these configuration settings. For more information, see Add app configuration policies for managed Android devices.

Email configuration

Android Enterprise doesn't provide a default email app or native email profile object like those provided by iOS/iPadOS. Instead, email configurations can be set by applying app configuration settings to email apps that support them. Gmail and Nine Work are two Exchange ActiveSync (EAS) client apps in the Play Store that support configuration with Android Enterprise app configuration.

Intune provides configuration templates for the Gmail and Nine Work apps when they are managed as work apps. Other email apps that support app configuration profiles can be configured with mobile app configuration policies.

If you are using Exchange ActiveSync Conditional Access for an Android Enterprise work profile device, consider using either the Gmail or Nine Work email app. The Microsoft Outlook for Android app, or any other email app that uses modern authentication via ADAL, is also supported. For more information, see How to configure email settings in Microsoft Intune.

App protection policies

App protection policies are fully supported in both the work profile and the personal profile. You can publish line-of-business apps in the Android app publishing console at https://play.google.com/apps/publish. This console includes an option to make apps private to your organization. For more information, see Add a device compliance policy for Android Enterprise work profile devices in Intune. For general information about app protection policies, see What are app protection policies?

VPN profiles

VPN support is similar to Android VPN profiles. The same VPN providers and basic configuration options are available for Android Enterprise management with two differences:

  • Work profile-scoped VPN – VPN connections are limited to just the apps deployed to the work profile. Only Android Enterprise-managed apps can use the VPN connection. Personal apps on the device cannot use a managed VPN connection. For more information, see Android Enterprise VPN settings.

  • App-specific VPN – App-specific VPN can be configured in Intune if the VPN provider supports:

Certificate profiles

The same certificate profile configuration options that are available to Android management are available on Android Enterprise work profile devices. Android Enterprise provides enhanced certificate management APIs. Enhanced certificate management provides the following functionality:

  • Ensures that cert deployment is silent and seamless for the user.
  • Ensures that deployed certs are removed when a device is retired from Intune and the work profile is removed.
  • Provides improved messaging that informs users that the certificate was deployed and configured by their IT department via their management service.

For more information, see Configure a certificate profile for your devices in Microsoft Intune.

Wi-Fi profiles

Wi-Fi profiles managed by Android Enterprise are removed when the device is retired from Intune and the work profile is deleted. For more information, see How to configure Wi-Fi settings in Microsoft Intune.

Next steps