How to create and assign app protection policies

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

Before you begin

If you're looking for instructions in the Intune classic console, see how to create app protection policies.

App protection policies can be applied to apps running on devices that may or may not be managed by Intune. For a more detailed description of how app protection policies work and the scenarios supported by Intune app protection policies, see What is Microsoft Intune app protection policies.

If you're looking for a list of MAM supported apps, see MAM apps list.

Create an app protection policy

  1. In the Mobile apps workload, choose Manage > App protection policies.

  2. This opens the App protection policies blade, where you'll create new policies and edit existing policies. Choose Add a policy.

  3. Type a name for the policy, add a brief description, and select the platform type to create a policy for iOS or Android. You can create more than one policy for each platform.

  4. Choose Apps to open the Apps blade, where a list of available apps is displayed. Select one or more apps from the list that you want to associate with the policy that you are creating. Once you have selected the apps, choose Select at the bottom of the Apps blade to save your selection.

    Important

    You must select at least one app to create a policy.

  5. On the Add a policy blade, choose Configure required settings to open the policy settings blade.

    There are two categories of policy settings, Data relocation and Access. Data relocation policies are applicable to data movement in and out of the apps, while the access policies determine how the end user accesses the apps in a work context. To get you started, the policy settings have default values. You do not have to make any changes if the default values meet your requirements.

    Tip

    These policy settings are enforced only when using apps in the work context. When the end user uses the app to do a personal task, they will not be affected by these policies.

  6. Choose OK to save this configuration. You are now back in the Add a policy blade. Choose Create to create the policy and save your settings.

When you finish creating a policy as described in the previous procedure, it is not deployed to any users. To deploy a policy, see the following section, "Deploy a policy to users."

Deploy a policy to users

  1. In the Policy blade, choose User groups, which opens the User groups blade. Choose Add user group in the User groups blade to open the Add user group blade.

  2. A list of user groups is displayed on the Add user group blade. This is a list of all the security groups in your Azure Active Directory. Select the user groups you want this policy to apply to, and then choose Select. Choosing Select deploys the policy to users.

You have now created a policy and deployed it to users.

Only users with Microsoft Intune licenses assigned to them are affected by the policy. Users who are in the security group that you selected who don't have a Microsoft Intune license assigned to them are not affected.

Important

If you are using Intune with Configuration Manager to manage your iOS and Android devices, the policy is only applied to the users directly in the group that you selected. Members of child groups nested within the group you selected are not affected.
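
The licensing and nested-group rules above decide who actually receives a policy, so a group assignment can leave users uncovered without any error. The following added example (not part of the original documentation) models those rules over a constructed directory; the `Group`, `members` and `coverage` names are hypothetical, and it assumes nested members are included when Configuration Manager is not in use.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    users: set = field(default_factory=set)         # direct user members
    child_groups: set = field(default_factory=set)  # nested security groups


def members(groups, name, include_nested, _seen=None):
    """Return the users of group `name`, following nested groups if asked."""
    seen = _seen if _seen is not None else set()
    if name in seen:  # guard against circular nesting
        return set()
    seen.add(name)
    found = set(groups[name].users)
    if include_nested:
        for child in groups[name].child_groups:
            found |= members(groups, child, True, seen)
    return found


def coverage(groups, assigned, licensed, with_config_manager):
    """Classify users of the assigned groups by whether the policy reaches them.

    with_config_manager=True models the rule that only users directly in the
    selected group are targeted. Assumption: without it, nested members count.
    """
    everyone, targeted = set(), set()
    for g in assigned:
        everyone |= members(groups, g, include_nested=True)
        targeted |= members(groups, g, include_nested=not with_config_manager)
    return {
        "covered": targeted & licensed,      # targeted and licensed
        "unlicensed": targeted - licensed,   # targeted, but no Intune license
        "nested_only": everyone - targeted,  # reachable only through nesting
    }


# Constructed sample directory; the circular nesting is deliberate.
GROUPS = {
    "Sales": Group({"alice", "bob"}, {"Sales-Contractors"}),
    "Sales-Contractors": Group({"carol", "dave"}, {"Sales"}),
}
LICENSED = {"alice", "carol"}

if __name__ == "__main__":
    print(coverage(GROUPS, ["Sales"], LICENSED, with_config_manager=True))
```

Anyone listed under `unlicensed` or `nested_only` is using the targeted apps without the policy's data relocation and access settings applied.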

End users can download the apps from the App store or Google Play. For more information, see:

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change existing policies, users who are already signed in to the apps won't see the changes for an 8-hour period.

To see the effect of the changes immediately, the end user will have to log out of the app, and sign back in.

To change the list of apps associated with the policy

  1. In the App policy blade, choose the policy you want to change. This opens a blade specific to the policy you just selected.

  2. In the policy blade, choose Targeted apps to open the list of apps.

  3. Remove or add apps from the list and choose the Save icon to save your changes.

To change the list of user groups

  1. In the App policy blade, choose the policy you want to change. This opens the blade specific to the policy you selected.

  2. In the policy blade, choose User groups to open the User group blade that shows the list of current user groups who have this policy.

  3. To add a new user group to the policy, choose Add user group, and select the user group. Choose Select to deploy the policy to the group you selected.

  4. To delete a user group, highlight the user group you want to remove. Then choose the ellipsis (…), and choose Delete to remove the user group.

To change policy settings

  1. In the App policy blade, choose the policy you want to change. This opens a blade specific to the policy you just selected.

  2. Choose Policy settings to open the Policy settings blade.

  3. Change the settings, and choose the Save icon to save your changes.

Policy settings

To see a full list of the policy settings for iOS and Android, select one of the following:

Next steps

Monitor compliance and user status
