What are app protection policies?

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Read the introduction to Intune.

Microsoft Intune app protection policies help protect your company data and prevent data loss.

How you can protect app data

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you also want to prevent data loss, both intentional and unintentional. In addition, you want to be able to protect company data accessed from devices even when those devices are not managed by you.

You can use Intune app protection policies to help protect your company's data. Because Intune app protection policies can be used independently of any mobile device management (MDM) solution, you can use them to protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

App protection policies can be configured for apps running on devices that are:

  • Enrolled in Microsoft Intune: The devices in this category are typically corporate-owned devices.

  • Enrolled in a third-party mobile device management (MDM) solution: The devices in this category are typically corporate-owned devices.

    Mobile app management policies should not be used with third-party mobile app management or secure container solutions.

  • Not enrolled in any mobile device management solution: The devices in this category are typically employee-owned devices that are not managed by or enrolled in Intune or any other MDM solution.


You can create mobile app management policies for Office mobile apps that connect to Office 365 services. App protection policies are not supported for apps that connect to on-premises Exchange or SharePoint services.

The important benefits of using app protection policies are:

  • Protecting your company data at the app level. Because mobile app management does not require device management, you can protect company data on both managed and unmanaged devices. Management is centered on the user identity, which removes the requirement for device management.

  • End-user productivity is not affected, because the policies are not applied when the app is used in a personal context. The policies are applied only in a work context, giving you the ability to protect company data without touching personal data.

There are additional benefits to using MDM together with app protection policies, and companies can use app protection policies both with and without MDM at the same time. For example, an employee may use a phone issued by the company as well as a personal tablet. In this case, the company phone is enrolled in MDM and protected by app protection policies, while the personal device is protected by app protection policies only.

  • MDM makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. Deploying apps to devices through your MDM solution also gives you more control over app management.

  • App protection policies make sure that the app-layer protections are in place. For example, you can require a PIN to open an app in a work context, control whether data can be shared between apps, or prevent company app data from being saved to a personal storage location.

Supported platforms for app protection policies

Intune app protection policy platform support is aligned with Office application platform support. For details, see Office System Requirements.

Windows devices are currently not supported. However, when you enroll Windows 10 devices with Intune, you can use Windows Information Protection, which offers similar functionality. For details, see Protect your enterprise data using Windows Information Protection (WIP).

How app protection policies protect app data

Apps without app protection policies


When apps are used without restrictions, company and personal data can get intermingled. Company data could end up in locations like personal storage, or be transferred to apps outside of your purview, resulting in data loss. The arrows in the diagram show unrestricted data movement between apps (corporate and personal) and to storage locations.

Data protection with app protection policies

Image that shows how company data is protected when app protection policies are applied

You can use app protection policies to prevent company data from being saved to the local storage of the device, and to restrict data movement to other apps that are not protected by app protection policies. App protection policy settings include:

  • Data relocation policies, such as Prevent Save As and Restrict cut, copy, and paste.
  • Access policy settings, such as Require simple PIN for access and Block managed apps from running on jailbroken or rooted devices.

Data protection with app protection policies on devices managed by an MDM solution

Image that shows how app protection policies work on BYOD devices

For devices enrolled in an MDM solution:

The illustration above shows the layers of protection that MDM and app protection policies offer together.

The MDM solution:

  • Enrolls the device

  • Deploys the apps to the device

  • Provides ongoing device compliance and management

App protection policies add value by:

  • Helping protect company data from leaking to consumer apps and services

  • Applying restrictions (save-as, clipboard, PIN, and so on) to mobile apps

  • Wiping company data from apps without removing those apps from the device

Data protection with app protection policies for devices without enrollment


The diagram above illustrates how the data protection policies work at the app level without MDM.

For BYOD devices not enrolled in any MDM solution, app protection policies can help protect company data at the app level. However, there are some limitations to be aware of, such as:

  • You cannot deploy apps to the device. The end user has to get the apps from the store.

  • You cannot provision certificate profiles on these devices.

  • You cannot provision company Wi-Fi and VPN settings on these devices.


Apps that support multi-identity let you use different accounts (work and personal) to access the same app, while app protection policies are applied only when the app is used in the work context.

For example, when a user starts the OneDrive app with their work account, they can't move the files to a personal storage location. However, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.

Next steps

How to create and deploy app protection policies with Microsoft Intune

See also

Third-party apps such as the Salesforce mobile app work with Intune in specific ways to protect corporate data. To learn more about how the Salesforce app in particular works with Intune (including MDM app configuration settings), see Salesforce App and Microsoft Intune.