Govern discovered apps

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

After you've reviewed the list of discovered apps in your environment, you can secure your environment by approving safe apps (Sanctioned) or prohibiting unwanted apps (Unsanctioned) in the following ways.

Sanctioning/unsanctioning an app

You can unsanction a specific risky app by clicking the three dots at the end of the row. Then select Unsanction. Unsanctioning an app doesn't block use, but enables you to more easily monitor its use with the Cloud Discovery filters. You can then notify users of the unsanctioned app and suggest an alternative safe app for their use.

If you have a list of apps you want to sanction or unsanction, use the checkbox to select the apps you want to manage, then select the action.

To query a list of unsanctioned apps, you can generate a block script using the Cloud App Security APIs.

Note

If your tenant uses Microsoft Defender Advanced Threat Protection (ATP), Zscaler NSS, or iboss, any app you mark as unsanctioned is automatically blocked by Cloud App Security, and the following sections regarding creating blocking scripts are unnecessary. For more information, see Integrate with Microsoft Defender ATP, Integrate with Zscaler, and Integrate with iboss respectively.

Export a block script to govern discovered apps

Cloud App Security enables you to block access to unsanctioned apps by using your existing on-prem security appliances. You can generate a dedicated block script and import it to your appliance. This solution doesn't require redirection of all of the organization's web traffic to a proxy.

  1. In the Cloud Discovery dashboard, tag any apps you want to block as Unsanctioned.

  2. In the title bar, click on the three dots and select Generate block script....

  3. In Generate block script, select the appliance you want to generate the block script for.

  4. Then, click the Generate script button to create a block script for all your unsanctioned apps. By default, the file will be named with the date on which it was exported and the appliance type you selected. 2017-02-19_CAS_Fortigate_block_script.txt would be an example file name.

  5. Import the file created to your appliance.
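
An added example, not part of the original page or the product: using the export naming convention from step 4, it finds the newest exported script per appliance, flags appliances whose newest export is old, and lists line-level changes between two exports for review before import. The 7-day threshold, the `ExampleAppliance` name and the sample script lines are constructed assumptions; no real appliance syntax is implied.

```python
import re
from datetime import date, timedelta

# Naming convention from step 4: <export date>_CAS_<appliance>_block_script.txt
NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})_CAS_(.+)_block_script\.txt$")

def parse_export_name(filename):
    """Return (export_date, appliance), or None if the name does not match."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    try:
        return date.fromisoformat(m.group(1)), m.group(2)
    except ValueError:  # well-formed but impossible date, e.g. 2017-02-30
        return None

def latest_per_appliance(filenames):
    """Map appliance -> (export_date, filename) of its newest export."""
    latest = {}
    for name in filenames:
        parsed = parse_export_name(name)
        if parsed and (parsed[1] not in latest or parsed[0] > latest[parsed[1]][0]):
            latest[parsed[1]] = (parsed[0], name)
    return latest

def stale_appliances(filenames, today, max_age_days=7):
    """Appliances whose newest export is older than max_age_days (assumed policy)."""
    cutoff = today - timedelta(days=max_age_days)
    newest = latest_per_appliance(filenames)
    return sorted(a for a, (exported, _) in newest.items() if exported < cutoff)

def review_changes(old_text, new_text):
    """Return (added, removed) non-blank lines; no script syntax is assumed."""
    old = {line.strip() for line in old_text.splitlines() if line.strip()}
    new = {line.strip() for line in new_text.splitlines() if line.strip()}
    return sorted(new - old), sorted(old - new)

# Constructed sample data: file names follow the page's pattern, and the
# script bodies are placeholder lines, not real appliance syntax.
SAMPLE_FILES = ["2017-02-19_CAS_Fortigate_block_script.txt", "notes.txt",
                "2017-03-05_CAS_Fortigate_block_script.txt",
                "2017-02-30_CAS_Fortigate_block_script.txt",
                "2017-02-20_CAS_ExampleAppliance_block_script.txt"]
OLD_SCRIPT = "entry app-a.example\nentry app-b.example\n"
NEW_SCRIPT = "entry app-b.example\n\nentry app-c.example\n"

if __name__ == "__main__":
    print(latest_per_appliance(SAMPLE_FILES))
    print(stale_appliances(SAMPLE_FILES, date(2017, 3, 8)))
    print(review_changes(OLD_SCRIPT, NEW_SCRIPT))
```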

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.