Use WIP and Intune to protect enterprise data in documents running Office Add-ins

When users in an organization use Office Add-ins to interact with organizational data, there is a potential risk that some of that data is leaked. You can use Windows Information Protection (WIP) and Microsoft Intune to protect enterprise data while users are running Office Add-ins.

WIP, previously known as enterprise data protection (EDP), enables enterprises to protect intellectual property and corporate data. WIP helps protect enterprise apps and data against accidental data leaks, on both enterprise-owned devices and personal devices that employees bring to work, without requiring changes to the environment or to other apps.

Intune provides a diverse set of tools for managing a complex mobile environment. Intune's combination of mobile application management and device management options gives IT administrators and end users the flexibility to manage and secure mobile productivity.

You can use Intune to create and deploy your WIP policy. With Intune, you choose which apps are protected and the WIP protection level, and you can locate enterprise data on the network.

With WIP and Intune:

  • Enterprises can provide reasonable corporate data policy enforcement, even when data is downloaded to personal devices.

  • Enterprises can use contextual policy education to inform users about how to protect against inadvertent data disclosure to unmanaged apps and services.

  • End users can comply with corporate data policies without disrupting their typical workflow.

  • End users can seamlessly transition between work and personal productivity.

WIP and Intune run silently in the background and are virtually invisible as long as users don't mix personal and enterprise content.

Office Add-ins are built on web technologies. They bring the power and information of the web into Office applications. Add-ins interact with the content of an Office application through the APIs available in Office.js. Core tenets of Office Add-ins include:

  • Security: The Office JavaScript platform architecture ensures that add-in code is sandboxed and runs in a separate process from the host Office application. This lets the platform take corrective action when an add-in does not meet performance standards or is potentially malicious, by notifying the user and, in some cases, disabling the add-in. This architecture applies on all platforms that support Office Add-ins.

  • Resiliency: The "out-of-process" nature of the add-in platform ensures that an add-in cannot degrade the performance or user experience of the host Office application. This is critical to keeping Office fast and responsive to user actions.

  • Cross-platform: Write once, run everywhere Office runs. Add-ins are currently supported on Windows, Office Online, Mac, and iPad. Support for add-ins on Android and the Universal platform will be available soon.

Office Add-ins can work with enterprise and potentially sensitive content within a document. As part of the application extensibility model, add-ins inherit their access from the host application's policy. For example, if WIP settings prevent Word from accessing enterprise content, add-ins cannot access enterprise content in a Word document either.

One of the goals for add-ins is to remove blocking issues for end users while still ensuring that enterprise administrators can block add-ins when necessary. The main principles for Office Add-ins with respect to enabling data protection are:

  • Provide a way for IT administrators to block add-ins from loading.

  • Minimize or eliminate the work administrators must do to make add-ins enterprise ready.

  • Minimize the prompts and messages shown to end users while they use add-ins.

  • Eliminate prompts for end users when the document and the add-in have the same context.

Add-ins and WIP

When you enable WIP in your environment, the following scenarios apply to your Office Add-ins:

  • Office Add-ins are activated using the document context. For Outlook, the context for the add-in is based on the currently active mailbox. Add-in permissions are clearly defined in the Trust prompt before the add-in is activated. The user decides whether the add-in is appropriate for a specific document and whether to allow it to run.

  • Administrators can use group policy to block all Office Store add-ins or all Office Add-ins. This means users can activate only trusted add-ins from a SharePoint or Office 365 corporate catalog.

  • Administrators can block add-ins at the firewall level using mobile device management (MDM). Note that this does not work for mobile or bring your own device (BYOD) scenarios.

  • Add-ins honor the copy-paste rules between enterprise and personal contexts. For example, when a user copies from an add-in in an enterprise context and pastes into a personal document, the default cross-context copy-paste prompt is displayed.

The following table lists the expected add-in behavior in enterprise and personal contexts and documents when WIP is enabled.

Note

  • Cut, copy, and paste operations within and outside of the host application work as expected in all scenarios.
  • Data transfer to add-in services is not protected in all scenarios.
Document or mailbox type: Personal
  Add-in in personal context:
    Add-in loads in personal context.
    Navigation to enterprise URLs is not allowed (even if in its own app domain).
    Navigation to personal URLs is allowed.
  Add-in in enterprise context:
    Add-in fails to load or activate.
    If the document's context is elevated (for example, by saving it to an enterprise location):
    - Navigation to enterprise URLs is allowed.
    - Navigation to personal URLs is allowed.

Document or mailbox type: Enterprise
  Add-in in personal context:
    Add-in loads in enterprise context.
    Navigation to enterprise URLs is allowed.
    Navigation to personal URLs is allowed.
  Add-in in enterprise context:
    Add-in loads in enterprise context.
    Navigation to enterprise URLs is allowed.
    Navigation to personal URLs is allowed.

Document or mailbox type: Unsaved
  Add-in in personal context:
    Add-in loads in personal context.
    Navigation to enterprise URLs is not allowed (even if in its own app domain).
    Navigation to personal URLs is allowed.
  Add-in in enterprise context:
    Add-in loads in enterprise context, and the document is silently converted to enterprise context. This means the document must be saved to an enterprise location.
    Navigation to enterprise URLs is allowed.
    Navigation to personal URLs is allowed.

Add-ins and Intune

On Office for iPad, Office Add-ins are currently supported in Word, Excel, and PowerPoint. Outlook currently supports add-ins on iOS (iPad and iPhone). Outlook administrators can turn off add-ins by default, including developer-installed add-ins, and enable only the specific add-ins approved by their organization. The following table outlines support for data protection scenarios for add-ins running on Office for iOS devices that use the Intune app protection tools.

Note

For information about Outlook add-ins running on Android and iOS devices, see Manage user access to add-ins for Outlook and Add-ins for Outlook.

Document or mailbox type: Personal
  Add-ins in personal context for iOS with Intune App Protection*:
    Add-in usage is unaffected by Intune app protection in personal documents.
  Add-ins in enterprise context for iOS with Intune App Protection*:
    Add-in usage is unaffected by Intune app protection in personal documents.

Document or mailbox type: Enterprise
  Add-ins in personal context for iOS with Intune App Protection*:
    Personal add-ins are allowed to activate.
    Intune app protection policies can protect cut, copy, paste, and data transfer scenarios between the add-in and other applications on the device.
    Data transfer to add-in services is not protected.
  Add-ins in enterprise context for iOS with Intune App Protection*:
    Enterprise add-ins are allowed to activate. Administrators can control which add-ins are published via Office management tools (Office 365 centralized deployment).
    Intune app protection policies can protect cut, copy, paste, and data transfer scenarios between the add-in and other applications on the device.
    Data transfer to add-in services is not protected.

* Administrators can use Office 365 Centralized Deployment to deploy Word, Excel, and PowerPoint add-ins to individual users, groups, or the whole organization, directly from the Office 365 admin center or by using PowerShell scripts. When users open an Office application on Windows, Mac, or Office Online, the add-in is automatically installed on their ribbon.

Summary

Given the principles above with respect to Office Add-ins, WIP and Intune enable administrators to manage enterprise data while providing the tools that end users need to accomplish their work. The Office JavaScript APIs do not currently provide a way for developers to recognize the type of data being transmitted between the Office document and the add-in, which creates the potential for enterprise data to leak outside the organization's boundaries. Compensating for this would require developers to surface multiple prompts to the user and, in some cases, erroneously mark personal files as enterprise files, which can have a negative effect on the user experience and does not align with data protection principles.

Microsoft is committed to protecting customer data and will continue to invest in making the Intune and WIP technologies and experience better for customers.

Learn more