How to create and assign app protection policies

Learn how to create and assign Microsoft Intune app protection policies to your users. This topic also describes how to make changes to existing policies.

Before you begin

If you're looking for instructions for the Intune classic portal, see How to create app protection policies.

App protection policies can be applied to apps running on devices that may or may not be managed by Intune. For a more detailed description of how app protection policies work and the scenarios supported by Intune app protection policies, see What is Microsoft Intune app protection policies.

If you're looking for a list of MAM-supported apps, see MAM apps list.

Create an app protection policy

  1. In the Mobile apps workload, select App protection policies from the Manage section. This selection opens the App protection policies details, where you create new policies and edit existing policies.

  2. Choose Add a policy.

    Screenshot of the Add a policy blade

  3. Type a name for the policy, add a brief description, and select the platform type for your policy. If needed, you can create more than one policy for each platform.

  4. Choose Apps to open the Apps blade, where a list of available apps is displayed. Select one or more apps from the list that you want to associate with the policy that you're creating.

  5. Once you've selected the apps, choose Select to save your selection.

    Important

    You must select at least one app to create a policy.

  6. Choose Configure required settings on the Add a policy blade to open Settings.

    There are two categories of policy settings: Data relocation and Access. Data relocation policies apply to data movement in and out of the apps. Access policies determine how the end user accesses the apps in a work context. To get you started, the policy settings have default values. If the default values meet your requirements, you don't have to make any changes.

    Tip

    These policy settings are enforced only when the apps are used in the work context. When end users use the app to do a personal task, they aren't affected by these policies.

  7. Choose OK to save this configuration. You're now back in the Add a policy blade.

  8. Choose Create to create the policy and save your settings.

When you finish creating a policy as described in the previous procedure, it is not deployed to any users. To deploy a policy, see Deploy a policy to users.

Deploy a policy to users

  1. In the App protection policies pane, select a policy.

  2. In the Policy pane, choose Assignments, which opens the Intune App Protection - Assignments pane. Choose Select groups to include in the Assignments pane to open the Select groups to include pane.

    Screenshot of the Assignments pane with the Select groups to include menu option highlighted

  3. A list of user groups is displayed on the Add user group pane. This list shows all the security groups in your Azure Active Directory. Select the user groups you want this policy to apply to, and then choose Select. Choosing Select deploys the policy to users.

    Screenshot of the Add user group pane showing the list of Azure Active Directory users

You've now created a policy and deployed it to users.

Only users with assigned Microsoft Intune licenses are affected by the policy. Users in the selected security group who don't have an assigned Intune license aren't affected.

Important

If you're using Intune with Configuration Manager to manage your devices, the policy is applied only to the users directly in the group that you selected. Members of child groups nested within the group you selected aren't affected.

End users can download the apps from the App Store or Google Play. For more information, see:

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change an existing policy, users who are already signed in to the apps won't see the changes for an 8-hour period.

To see the effect of the changes immediately, the end user must sign out of the app and sign back in.

To change the list of apps associated with the policy

  1. In the App protection policies pane, choose the policy you want to change to open a pane specific to the policy you selected.

  2. In the policy pane, choose Targeted apps to open the list of apps.

  3. Remove or add apps in the list, and choose the Save icon to save your changes.

To change the list of user groups

  1. In the App protection policies pane, choose the policy you want to change to open a pane specific to the policy you selected.

  2. In the policy pane, choose Assignments to open the Intune App Protection - Assignments pane, which shows the list of user groups that currently have this policy.

  3. To add a new user group to the policy, on the Include tab choose Select groups to include, and select the user group. Choose Select to deploy the policy to the group you selected.

  4. To remove a user group, on the Exclude tab choose Select groups to exclude, and select the user group. Choose Select to remove the user group.

To change policy settings

  1. In the App protection policies pane, choose the policy you want to change to open a pane specific to the policy you selected.

  2. Choose Policy settings to open the Policy settings pane.

  3. Change the settings, and choose the Save icon to save your changes.

Target app protection policies based on device management state

In many organizations it's common to allow end users to use both Intune Mobile Device Management (MDM) managed devices, such as corporate-owned devices, and unmanaged devices protected only with Intune app protection policies, such as BYO devices.

Because Intune app protection policies are targeted to a user's identity, the protection settings for a user traditionally apply to both enrolled (MDM-managed) and non-enrolled (no MDM) devices. You can instead target an Intune app protection policy to either Intune-enrolled or un-enrolled iOS and Android devices. You can have one protection policy for unmanaged devices with strict data loss prevention (DLP) controls in place, and a separate protection policy for MDM-managed devices, where the DLP controls may be a little more relaxed.

To create these policies, browse to Mobile apps > App protection policies in the Intune console, and click Add a policy. You can also edit an existing app protection policy. If you want the app protection policy to apply to both managed and unmanaged devices, confirm that Target to all app types is set to Yes, the default value. If you want to assign granularly based on management state, set the Target to all app types option to No.

For iOS apps to be considered "Managed," the IntuneMAMUPN configuration policy setting needs to be deployed for each app. For more information, see How to manage data transfer between iOS apps in Microsoft Intune.

Note

For specific iOS support information about app protection policies based on device management state, see MAM protection policies targeted based on management state.

Policy settings

To see a full list of the policy settings for iOS and Android, select one of the following links:

Next steps

Monitor compliance and user status

See also