Manage Internet access using protected browser policies with Microsoft Intune

Protected browsers include Microsoft Edge and the Intune Managed Browser. Edge and Managed Browser are web browsing apps that you can download from public app stores for use in your organization. When configured with Intune, protected browsers can be:

  • Used to access corporate sites and SaaS apps with Single Sign-On via the MyApps service, while keeping web data protected.
  • Pre-configured with a list of URLs and domains to restrict which sites the user can navigate to in the corporate context.
  • Pre-configured with a homepage, and bookmarks you specify.

Because Edge and Managed Browser have integration with the Intune SDK, you can also apply app protection policies to them, including:

  • Controlling the use of cut, copy, and paste
  • Preventing screen captures
  • Ensuring that links to content that users select open only in other managed apps.

For details, see What are app protection policies?

You can apply these settings to:

  • Devices that are enrolled with Intune
  • Devices that are enrolled with another MDM product
  • Unmanaged devices

If users install the Managed Browser from the app store and Intune does not manage it, it can be used as a basic web browser, with support for Single Sign-On through the Microsoft MyApps site. Users are taken directly to the MyApps site, where they can see all of their provisioned SaaS applications. While Managed Browser or Edge are not managed by Intune, they cannot access data from other Intune-managed applications.

The Managed Browser does not support the Secure Sockets Layer version 3 (SSLv3) cryptographic protocol.

You can create protected browser policies for the following device types:

  • Devices that run Android 4 and later

  • Devices that run iOS 8.0 and later

Important

As of October 2017, the Intune Managed Browser app on Android supports only devices running Android 4.4 and later. The Intune Managed Browser app on iOS will support only devices running iOS 9.0 and later. Earlier versions of Android and iOS will be able to continue using the Managed Browser, but will be unable to install new versions of the app and might not be able to access all of the app capabilities. We encourage you to update these devices to a supported operating system version.

Microsoft Edge and the Intune Managed Browser support opening web content from Microsoft Intune application partners.

Conditional Access for protected browsers

The Managed Browser is now an approved client app for Conditional Access. This means that you can restrict mobile browser access to Azure AD-connected web apps where users can only use the Managed Browser, blocking access from any other unprotected browsers such as Safari or Chrome. This protection can be applied to Azure resources like Exchange Online and SharePoint Online, the Office portal, and even on-premises sites that you have exposed to external users via the Azure AD Application Proxy.

To restrict Azure AD-connected web apps to use the Intune Managed Browser on mobile platforms, you can create an Azure AD Conditional Access policy requiring approved client applications.

  1. In the Azure portal, select Azure Active Directory > Enterprise applications > Conditional access > New policy.

  2. Next, select Grant from the Access controls section of the blade.

  3. Click Require approved client app.

  4. Click Select on the Grant blade. This policy must be assigned to the cloud apps that you want to be accessible to only the Intune Managed Browser app.

    (Screenshot: Azure AD - Managed Browser Conditional Access policy)

  5. In the Assignments section, select Conditions > Client apps. The Client apps blade is displayed.

  6. Click Yes under Configure to apply the policy to specific client apps.

  7. Verify that Browser is selected as a client app.

    (Screenshot: Azure AD - Managed Browser - select client apps)

    Note

    If you want to restrict which native apps (non-browser apps) can access these cloud applications, you can also select Mobile apps and desktop clients.

  8. In the Assignments section, select Users and groups and then choose the users or groups you would like to assign this policy.

    Note

    Users must also be targeted with an Intune App Protection policy. For more information about creating Intune App Protection policies, see What are app protection policies?

  9. In the Assignments section, select Cloud apps to choose which apps to protect with this policy.

Once the above policy is configured, users will be forced to use the Intune Managed Browser to access the Azure AD-connected web apps you have protected with this policy. If users attempt to use an unmanaged browser in this scenario, they will see a notice that the Intune Managed Browser must be used instead.
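
The policy built in the steps above can be checked after export. The following is an added example, not part of the original article: the dictionary layout assumes the Microsoft Graph conditionalAccessPolicy resource, and the sample policies and their group and app IDs are constructed placeholders.

```python
"""Audit an exported Conditional Access policy against the portal steps.

Added example. Field names follow the Microsoft Graph
conditionalAccessPolicy resource; the sample policies are constructed.
"""


def audit_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}

    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%r)" % policy.get("state"))

    # Steps 2-4: Grant > Require approved client app.
    controls = grant.get("builtInControls") or []
    if "approvedApplication" not in controls:
        findings.append("grant does not require an approved client app")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # With OR, any other listed control satisfies the grant on its own,
        # so an unprotected browser can still get through.
        findings.append("approved client app is OR'd with other controls")

    # Steps 5-7: Conditions > Client apps > Browser.
    if not {"browser", "all"} & set(cond.get("clientAppTypes") or []):
        findings.append("Browser is not selected under Client apps")

    # Step 8: Users and groups.
    users = cond.get("users") or {}
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no users or groups are assigned")

    # Step 9: Cloud apps.
    apps = cond.get("applications") or {}
    if not apps.get("includeApplications"):
        findings.append("no cloud apps are assigned")
    return findings


# Constructed sample: matches the procedure on this page.
GOOD_POLICY = {
    "displayName": "Require Managed Browser (sample)",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["browser"],
        "users": {"includeGroups": ["<group-id-placeholder>"]},
        "applications": {"includeApplications": ["<app-id-placeholder>"]},
    },
    "grantControls": {"operator": "OR",
                      "builtInControls": ["approvedApplication"]},
}

# Constructed sample: report-only, wrong client app type, no users,
# and a second control that can satisfy the grant instead.
WEAK_POLICY = {
    "displayName": "Weak policy (sample)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
        "users": {"includeGroups": []},
        "applications": {"includeApplications": ["<app-id-placeholder>"]},
    },
    "grantControls": {"operator": "OR",
                      "builtInControls": ["compliantDevice",
                                          "approvedApplication"]},
}

if __name__ == "__main__":
    for sample in (GOOD_POLICY, WEAK_POLICY):
        print(sample["displayName"], "->", audit_policy(sample) or "OK")
```
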

The Managed Browser does not support classic Conditional Access policies. For more information, see Migrate classic policies in the Azure portal.

Single Sign-on to Azure AD-connected web apps in the Intune Managed Browser

The Intune Managed Browser application on iOS and Android can now take advantage of SSO to all web apps (SaaS and on-prem) that are Azure AD-connected. When the Microsoft Authenticator app is present on iOS or the Intune Company Portal app on Android, users of the Intune Managed Browser will be able to access Azure AD-connected web apps without having to re-enter their credentials.

SSO in the Intune Managed Browser requires your device to be registered by the Microsoft Authenticator app on iOS or the Intune Company Portal on Android. Users with the Authenticator app or Intune Company Portal will be prompted to register their device when they navigate to an Azure AD-connected web app in the Intune Managed Browser, if their device has not already been registered by another application. Once the device is registered with the account managed by Intune, that account will have SSO enabled for Azure AD-connected web apps.

Note

Device registration is a simple check-in with the Azure AD service. It does not require full device enrollment and does not give IT any additional privileges on the device.

Create a protected browser app configuration

  1. Sign into the Azure portal.
  2. Choose All services > Intune. Intune is located in the Monitoring + Management section.
  3. On the Client apps blade of the Manage list, choose App configuration policies.
  4. On the App configuration policies blade, choose Add.
  5. On the Add configuration policy blade, enter a Name and optional Description for the app configuration settings.
  6. For Device enrollment type, choose Managed apps.
  7. Choose Select the required app and then, on the Targeted apps blade, choose the Managed Browser and/or Edge for iOS, for Android, or for both.
  8. Choose OK to return to the Add configuration policy blade.
  9. Choose Configuration settings. On the Configuration blade, you define key and value pairs to supply configurations for the Managed Browser. Use the sections later in this article to learn about the different key and value pairs you can define.
  10. When you are done, choose OK.
  11. On the Add configuration policy blade, choose Add.
  12. The new configuration is created, and displayed on the App configuration blade.

Important

Currently, the Managed Browser relies on auto-enrollment. For app configurations to apply, another application on the device must already be managed by Intune app protection policies.

Assign the configuration settings you created

You assign the settings to Azure AD groups of users. If that user has the targeted protected browser app installed, then the app is managed by the settings you specified.

  1. On the Client apps blade of the Intune mobile application management dashboard, choose App configuration policies.
  2. From the list of app configurations, select the one you want to assign.
  3. On the next blade, choose Assignments.
  4. On the Assignments blade, select the Azure AD group to which you want to assign the app configuration, and then choose OK.

How to configure Application Proxy settings for protected browsers

Microsoft Edge and the Intune Managed Browser and Azure AD Application Proxy can be used together to support the following scenarios for users of iOS and Android devices:

  • A user downloads and signs in to the Microsoft Outlook app. Intune app protection policies are automatically applied. They encrypt saved data and block the user from transferring corporate files to unmanaged apps or locations on the device. When the user then clicks a link to an intranet site in Outlook, you can specify that the link opens in a protected browser application, rather than another browser. The protected browser recognizes that this intranet site has been exposed to the user through the Application Proxy. The user is automatically routed through the Application Proxy, to authenticate with any applicable multi-factor authentication and Conditional Access before reaching the intranet site. This site, which could previously not be found while the user was remote, is now accessible and the link in Outlook works as expected.
  • A remote user opens the protected browser application and navigates to an intranet site using the internal URL. The protected browser recognizes that this intranet site has been exposed to the user via the Application Proxy. The user is automatically routed through the Application Proxy, to authenticate with any applicable multi-factor authentication and Conditional Access before reaching the intranet site. This site, which could previously not be found while the user was remote, is now accessible.

Before you start

  • Set up your internal applications through the Azure AD Application Proxy.

  • You must be using minimum version 1.2.0 of the Managed Browser app.

  • Users of the Managed Browser or Edge app have an Intune app protection policy assigned to the app.

    Note

    Updated Application Proxy redirection data can take up to 24 hours to take effect in the Managed Browser and Edge.

Step 1: Enable automatic redirection to a protected browser from Outlook

Outlook must be configured with an app protection policy that enables the setting Restrict web content to display in the Managed Browser.

Step 2: Assign an app configuration policy for the protected browser.

This procedure configures the Managed Browser or Edge app to use app proxy redirection. Using the procedure to create an Edge or Managed Browser app configuration, supply the following key and value pair:

Key: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value: true

For more information about how the Managed Browser, Edge, and Azure AD Application Proxy can be used in tandem for seamless (and protected) access to on-premises web apps, see the Enterprise Mobility + Security blog post Better together: Intune and Azure Active Directory team up to improve user access.

Note

Edge uses the same key and value pairs as the Managed Browser.

How to configure the homepage for a protected browser

This setting allows you to configure the homepage that users see when they start a protected browser or create a new tab. Using the procedure to create an Edge or Managed Browser app configuration, supply the following key and value pair:

Key: com.microsoft.intune.mam.managedbrowser.homepage
Value: Specify a valid URL. Incorrect URLs are blocked as a security measure.
Example: https://www.bing.com

How to configure bookmarks for a protected browser

This setting allows you to configure a set of bookmarks that is available to users of Edge or the Managed Browser.

  • These bookmarks cannot be deleted or modified by users.
  • These bookmarks display at the top of the list. Any bookmarks that users create are displayed below these bookmarks.
  • If you have enabled App Proxy redirection, you can add App Proxy web apps using either their internal or external URL.

Using the procedure to create an Edge or Managed Browser app configuration, supply the following key and value pair:

Key: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the | character.

Example:
Microsoft Bing|https://www.bing.com

To configure multiple bookmarks, separate each pair with the double pipe character, ||

Example:
Bing|https://www.bing.com||Contoso|https://www.contoso.com

How to specify allowed and blocked URLs for a protected browser

Using the procedure to create an Edge or Managed Browser app configuration, supply the following key and value pair:

Key: Choose from:
  • Specify allowed URLs (only these URLs are allowed; no other sites can be accessed):
    com.microsoft.intune.mam.managedbrowser.AllowListURLs

  • Specify blocked URLs (all other sites can be accessed):
    com.microsoft.intune.mam.managedbrowser.BlockListURLs
Value: The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow or block as a single value, separated by a pipe | character.

Examples:

URL1|URL2|URL3
http://*.contoso.com/*|https://*.bing.com/*|https://expenses.contoso.com

Important

Do not specify both keys. If both keys are targeted to the same user, the allow key is used, as it's the most restrictive option. Additionally, make sure not to block important pages like your company websites.

URL format for allowed and blocked URLs

Use the following information to learn about the allowed formats and wildcards that you can use when specifying URLs in the allowed and blocked lists:

  • You can use the wildcard symbol (*) according to the rules in the following permitted patterns list:

  • Ensure that you prefix all URLs with http or https when entering them into the list.

  • You can specify port numbers in the address. If you do not specify a port number, the values used are:

    • Port 80 for http

    • Port 443 for https

    Using wildcards for the port number is not supported. For example, http://www.contoso.com:* and http://www.contoso.com: /* are not supported.

  • Use the following table to learn about the permitted patterns that you can use when you specify URLs:

    URL: http://www.contoso.com
    Details: Matches a single page
    Matches: www.contoso.com
    Does not match: host.contoso.com, www.contoso.com/images, contoso.com/

    URL: http://contoso.com
    Details: Matches a single page
    Matches: contoso.com/
    Does not match: host.contoso.com, www.contoso.com/images, www.contoso.com

    URL: http://www.contoso.com/*
    Details: Matches all URLs that begin with www.contoso.com
    Matches: www.contoso.com, www.contoso.com/images, www.contoso.com/videos/tvshows
    Does not match: host.contoso.com, host.contoso.com/images

    URL: http://*.contoso.com/*
    Details: Matches all subdomains under contoso.com
    Matches: developer.contoso.com/resources, news.contoso.com/images, news.contoso.com/videos
    Does not match: contoso.host.com

    URL: http://www.contoso.com/images
    Details: Matches a single folder
    Matches: www.contoso.com/images
    Does not match: www.contoso.com/images/dogs

    URL: http://www.contoso.com:80
    Details: Matches a single page, by using a port number
    Matches: http://www.contoso.com:80

    URL: https://www.contoso.com
    Details: Matches a single, secure page
    Matches: https://www.contoso.com
    Does not match: http://www.contoso.com

    URL: http://www.contoso.com/images/*
    Details: Matches a single folder and all subfolders
    Matches: www.contoso.com/images/dogs, www.contoso.com/images/cats
    Does not match: www.contoso.com/videos

  • The following are examples of some of the inputs that you cannot specify:

    • *.com

    • *.contoso/*

    • www.contoso.com/*images

    • www.contoso.com/*images*pigs

    • www.contoso.com/page*

    • IP addresses

    • https://*

    • http://*

    • http://www.contoso.com:*

    • http://www.contoso.com: /*
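
A pre-deployment lint for the key and value pairs described in the Application Proxy, homepage, bookmarks, and allowed/blocked URL sections, as an added example (not Microsoft's code). It enforces only rules stated on this page; accepting a wildcard only as a leading *. host label or a trailing /* path segment is an assumption drawn from the permitted patterns table, and the sample configurations are constructed.

```python
import ipaddress
import re

PREFIX = "com.microsoft.intune.mam.managedbrowser."
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.I)


def check_url(url, wildcards=False):
    """Return a problem string for one URL entry, or None if none is found."""
    if not re.match(r"^https?://", url, re.I):
        return "missing http:// or https:// prefix"
    hostport, _, path = url.split("://", 1)[1].partition("/")
    host, colon, port = hostport.partition(":")
    if colon and not port.isdigit():
        return "port must be a number (wildcards are not supported)"
    labels = host.split(".")
    if labels[0] == "*":
        if not wildcards:
            return "wildcards are not allowed in this value"
        labels = labels[1:]
        if len(labels) < 2:  # assumption: covers https://* and *.com
            return "wildcard host needs a domain after '*.'"
    if not labels or not all(LABEL.match(part) for part in labels):
        return "invalid host name"
    try:
        ipaddress.ip_address(host)
        return "IP addresses cannot be specified"
    except ValueError:
        pass
    if "*" in path and (not wildcards or path.count("*") > 1
                        or not ("/" + path).endswith("/*")):
        return "'*' in the path must be the whole last segment (/*)"
    return None


def lint_config(settings):
    """Lint a {key: value} app configuration; return a list of findings."""
    findings = []
    if PREFIX + "AllowListURLs" in settings and PREFIX + "BlockListURLs" in settings:
        findings.append("both list keys are set; only the allow list is used")
    for key, value in settings.items():
        name = key[len(PREFIX):] if key.startswith(PREFIX) else None
        problems = []
        if name == "AppProxyRedirection":
            if value.lower() != "true":
                problems.append("redirection is enabled only by the value true")
        elif name == "homepage":
            problems.append(check_url(value))
        elif name == "bookmarks":
            for pair in value.split("||"):  # pairs are joined with ||
                parts = pair.split("|")     # title|URL
                bad = ("expected title|URL" if len(parts) != 2
                       or not parts[0].strip() else check_url(parts[1]))
                problems.append(bad and "%r: %s" % (pair, bad))
        elif name in ("AllowListURLs", "BlockListURLs"):
            for url in value.split("|"):
                bad = check_url(url, wildcards=True)
                problems.append(bad and "%r: %s" % (url, bad))
        else:
            problems.append("key is not one of those described on this page")
        findings += ["%s: %s" % (name or key, p) for p in problems if p]
    return findings


# Constructed sample built from the example values on this page.
GOOD = {
    PREFIX + "AppProxyRedirection": "true",
    PREFIX + "homepage": "https://www.bing.com",
    PREFIX + "bookmarks": "Bing|https://www.bing.com||Contoso|https://www.contoso.com",
    PREFIX + "AllowListURLs":
        "http://*.contoso.com/*|https://*.bing.com/*|https://expenses.contoso.com",
}
# Constructed sample with one mistake of each kind the page warns about.
BAD = {
    PREFIX + "homepage": "www.contoso.com",
    PREFIX + "bookmarks": "Wiki|http://10.0.0.5/wiki||NoUrl",
    PREFIX + "AllowListURLs": "http://www.contoso.com:*|http://www.contoso.com/page*",
    PREFIX + "BlockListURLs": "https://*",
}

if __name__ == "__main__":
    print(lint_config(GOOD) or "GOOD: no findings")
    print("\n".join(lint_config(BAD)))
```
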

How to access managed app logs using the Managed Browser on iOS

End users with the Managed Browser installed on their iOS device can view the management status of all Microsoft published apps. They can send logs for troubleshooting their managed iOS apps.

  1. Open iOS Settings.
  2. Select the Managed Browser application settings.
  3. Toggle Enable Intune Diagnostics to set the browser in troubleshooting mode.
  4. Open the Managed Browser. Click View Intune App Status to review individual application policy settings.
  5. Press Get Started and Share Logs or Send Logs to Microsoft to send the troubleshooting logs to your IT administrator or Microsoft.

You can also open the Browser in troubleshooting mode from within the app.

  1. Open the Managed Browser.
  2. Type about:intunehelp in the address box. The Browser launches troubleshooting mode.

For a list of the settings stored in the app logs, see Review app protection logs in the Managed Browser.

Security and privacy for the Managed Browser

  • The Managed Browser does not use settings that users make for the built-in browser on their devices. The Managed Browser cannot access these settings.

  • If you configure the option Require simple PIN for access or Require corporate credentials for access in an app protection policy associated with the Managed Browser, and a user selects the help link on the authentication page, they can browse any Internet sites regardless of whether they were added to a block list in the policy.

  • The Managed Browser can block access to sites only when they are accessed directly. It does not block access when intermediate services (such as a translation service) are used to access the site.

  • To allow authentication, and access to Intune documentation, *.microsoft.com is exempt from the allow or block list settings. It is always allowed.

Turn off usage data

Microsoft automatically collects anonymous data about the performance and use of the Managed Browser to improve Microsoft products and services. Users can turn off data collection by using the Usage Data setting on their devices. You have no control over the collection of this data.

  • On iOS devices, websites that users visit that have an expired or untrusted certificate cannot be opened.


Next steps