Android app protection policy settings

The policy settings described in this topic can be configured for an app protection policy on the Settings blade in the Azure portal. There are two categories of policy settings: data relocation settings and access settings. In this topic, the term policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings

Setting: Prevent Android backups
How to use: Choose Yes to prevent this app from backing up work or school data to the Android Backup Service. Choose No to allow this app to back up work or school data.
Default value: Yes

Setting: Allow app to transfer data to other apps
How to use: Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.
There are some exempt apps and services to which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Allow app to receive data from other apps
How to use: Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Prevent "Save As"
How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
Default value: No

Setting: Select which storage services corporate data can be saved to
How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint and Local Storage). All other services will be blocked.
Default value: 0 selected

Setting: Restrict cut, copy and paste with other apps
How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

Setting: Restrict web content to display in the Managed Browser
How to use: Choose Yes to enforce web links in the app to be opened in the Managed Browser app.
For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.
If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
Default value: No

Setting: Encrypt app data
How to use: Choose Yes to enable encryption of work or school data in this app. Intune uses an OpenSSL 128-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted.
The encryption method is not FIPS 140-2 certified.
Default value: Yes

Setting: Disable contact sync
How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.
When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
Default value: No

Setting: Disable printing
How to use: Choose Yes to prevent the app from printing work or school data.
Default value: No
Note

The encryption method for the Encrypt app data setting is not FIPS 140-2 certified.

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policy may allow data transfer to and from. For example, all Intune-enlightened apps on Android must be able to transfer data to and from Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.

Full exemptions

These apps and services are fully allowed for data transfer to and from Intune-managed apps.

App/service name                            Description
com.android.phone                           Native phone app
com.android.vending                         Google Play Store
com.android.documentsui                     Android Document Picker
com.google.android.webview                  WebView, which is necessary for many apps including Outlook.
com.android.webview                         WebView, which is necessary for many apps including Outlook.
com.google.android.tts                      Google Text-to-speech
com.android.providers.settings              Android system settings
com.azure.authenticator                     Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal   Intune Company Portal

Conditional exemptions

These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.

App/service name (Description): Exemption condition
com.android.chrome (Google Chrome Browser): Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.
com.skype.raider (Skype): The Skype app is allowed only for certain actions that result in a phone call.
com.android.providers.media (Android media content provider): The media content provider is allowed only for the ringtone selection action.
com.google.android.gms; com.google.android.gsf (Google Play Services packages): These packages are allowed for Google Cloud Messaging actions, such as push notifications.
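The following is an added example, not Microsoft's or Intune's own code: a model of how the "Allow app to transfer data to other apps" setting combines with the full and conditional exemption tables above into an allow/deny decision. The package names come from this page; the action labels, the placeholder package "com.example.managedapp" used in testing, and the rule that exemptions still apply when the setting is None are assumptions of the model.

```python
"""Model of the Android outbound data transfer decision with exemptions.

Added example; not Intune's implementation.  Package names are from the
exemption tables on this page.  Action labels are assumed.
"""

# Full exemptions: always an allowed transfer target, whatever the setting.
FULL_EXEMPTIONS = {
    "com.android.phone", "com.android.vending", "com.android.documentsui",
    "com.google.android.webview", "com.android.webview",
    "com.google.android.tts", "com.android.providers.settings",
    "com.azure.authenticator", "com.microsoft.windowsintune.companyportal",
}

# Conditional exemptions: allowed only for the listed actions (labels assumed).
# com.android.chrome is deliberately absent: it may be shown, but the page says
# data flow to and from it is always restricted.
CONDITIONAL_EXEMPTIONS = {
    "com.skype.raider": {"phone_call"},
    "com.android.providers.media": {"ringtone_selection"},
    "com.google.android.gms": {"cloud_messaging"},
    "com.google.android.gsf": {"cloud_messaging"},
}

SETTINGS = ("All apps", "Policy managed apps", "None")


def transfer_allowed(setting, target_pkg, managed_pkgs, action="share"):
    """Return True if a policy-managed app may send data to target_pkg.

    setting      -- value of "Allow app to transfer data to other apps"
    target_pkg   -- Android package name of the receiving app
    managed_pkgs -- set of package names that carry an app protection policy
    action       -- what the user is doing; only matters for conditional exemptions
    """
    if setting not in SETTINGS:
        raise ValueError(f"unknown setting {setting!r}")
    if setting == "All apps":
        return True                      # no restriction at all
    if target_pkg in FULL_EXEMPTIONS:
        return True                      # platform service Intune always permits
    if action in CONDITIONAL_EXEMPTIONS.get(target_pkg, ()):
        return True                      # e.g. Skype, but only to place a call
    if setting == "Policy managed apps":
        return target_pkg in managed_pkgs
    return False                         # None: nothing else receives data
```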

Access settings

Setting: Require PIN for access
How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. Default value = Yes.
Configure the following settings for PIN strength:
  • Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. Default value = 5.
  • Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. Default value = Yes.
  • PIN length: Specify the minimum number of digits in a PIN sequence. Default value = 4.
  • Allow fingerprint instead of PIN (Android 6.0+): Choose Yes to allow the user to use fingerprint authentication instead of a PIN for app access. Default value = Yes.
On Android devices, you can let the user prove their identity by using Android fingerprint authentication instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN.
Default values: Require PIN: Yes; PIN reset attempts: 5; Allow simple PIN: Yes; PIN length: 4; Allow fingerprint: Yes

Setting: Require corporate credentials for access
How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, this overrides the requirements for PIN or Touch ID.
Default value: No

Setting: Block managed apps from running on jailbroken or rooted devices
How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user will continue to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
Default value: Yes

Setting: Recheck the access requirements after (minutes)
How to use: Configure the following settings:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN in the policy, a user opens a MAM app, and must enter a PIN. When using this setting, the user would not have to enter a PIN on any MAM app for another 30 minutes (default value).
  • Offline grace period: This is the number of minutes that MAM apps can run offline; specify the time (in minutes) before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period expires, the app will require user authentication to AAD so that the app can continue to run.
Default values: Timeout: 30; Offline: 720

Setting: Offline interval before app data is wiped (days)
How to use: After this many days (defined by the admin) of running offline, the app itself will do a selective wipe. This selective wipe is the same wipe as the one that can be initiated by the admin in the MAM wipe workflow.
Default value: 90 days

Setting: Block screen capture and Android Assistant (Android 6.0+)
How to use: Choose Yes to block screen capture and the Android Assistant capabilities of the device when using this app. Choosing Yes will also blur the App-switcher preview image when using this app with a work or school account.
Default value: No

Setting: Disable app PIN when device PIN is managed
How to use: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.
Default value: No
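The following is an added example, not Microsoft's or Intune's own code: a model of the PIN strength settings and of the timeout, offline grace period and offline wipe interval, using this page's default values. The outcome labels, the definition of a "simple" PIN (all digits equal or a consecutive run) and the assumption that all three intervals are measured from the last successful access check are this model's own.

```python
"""Model of the Android access settings above.  Added example; not Intune's
implementation.  Defaults (30 min, 720 min, 90 days, PIN length 4) come from
this page; outcome labels and the simple-PIN definition are assumptions."""
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    timeout_minutes: int = 30          # Timeout (page default)
    offline_grace_minutes: int = 720   # Offline grace period, 12 hours (page default)
    offline_wipe_days: int = 90        # Offline interval before app data is wiped
    min_pin_length: int = 4            # PIN length (page default)
    allow_simple_pin: bool = True      # Allow simple PIN (page default)


def access_decision(policy, minutes_since_check, online):
    """Decide what a MAM app does when opened (labels are assumptions).

    "allow"        -- within the interval, no prompt
    "recheck"      -- online and Timeout elapsed: prompt PIN/credentials again
    "authenticate" -- offline grace expired: sign in to AAD before continuing
    "wipe"         -- offline longer than the wipe interval: selective wipe
    """
    if minutes_since_check < 0:
        raise ValueError("minutes_since_check must not be negative")
    if not online:
        if minutes_since_check >= policy.offline_wipe_days * 24 * 60:
            return "wipe"
        if minutes_since_check >= policy.offline_grace_minutes:
            return "authenticate"
        return "allow"                 # assumed: no prompt while within grace
    if minutes_since_check >= policy.timeout_minutes:
        return "recheck"
    return "allow"


def pin_accepted(policy, pin):
    """Apply PIN length and Allow simple PIN.  'Simple' is modelled as all
    digits equal (1111) or a consecutive run up or down (1234, 4321); the
    exact patterns Intune rejects are not stated on this page."""
    if not pin.isdigit() or len(pin) < policy.min_pin_length:
        return False
    if policy.allow_simple_pin:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({0}, {1}, {-1})
```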