iOS app protection policy settings

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

The policy settings described in this topic can be configured for an app protection policy on the Settings blade in the Azure portal.

There are two categories of policy settings: data relocation settings and access settings. In this topic, the term policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings

Setting: Prevent iTunes and iCloud backups
How to use: Choose Yes to prevent this app from backing up work or school data to iTunes and iCloud. Choose No to allow this app to back up work or school data to iTunes and iCloud.
Default value: Yes

Setting: Allow app to transfer data to other apps
How to use: Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.
Additionally, if you set this option to Policy managed apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps is blocked.

There are some exempt apps and services to which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Allow app to receive data from other apps
How to use: Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
Default value: All apps

Setting: Prevent "Save As"
How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
Default value: No

Setting: Restrict cut, copy and paste with other apps
How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

Setting: Restrict web content to display in the Managed Browser
How to use: Choose Yes to force web links in the app to open in the Managed Browser app.

For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.

If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
Default value: No

Setting: Encrypt app data
How to use: For policy-managed apps, data is encrypted at rest using the device-level encryption scheme provided by iOS. When a PIN is required, the data is encrypted according to the settings in the app protection policy.

Go to the official Apple documentation here to see which iOS encryption modules are FIPS 140-2 certified or pending FIPS 140-2 certification.

Specify when work or school data in this app is encrypted. Choose from:
  • When device is locked: All app data that is associated with this policy is encrypted while the device is locked.
  • When device is locked and there are open files: All app data associated with this policy is encrypted while the device is locked, except for data in the files that are currently open in the app.
  • After device restart: All app data associated with this policy is encrypted when the device is restarted, until the device is unlocked for the first time.
  • Use device settings: App data is encrypted based on the default settings on the device.
When you enable this setting, the user may be required to set up and use a PIN to access their device. If there is no device PIN and encryption is required, the app will not open and the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
Default value: When device is locked

Setting: Disable contact sync
How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.

When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
Default value: No

Setting: Disable printing
How to use: Choose Yes to prevent the app from printing work or school data.
Default value: No

Setting: Select which storage services corporate data can be saved to
How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint, and local storage). All other services are blocked.
Default value: 0 selected

Note

None of the data relocation settings controls the Apple managed open-in feature on iOS devices. To manage Apple open-in, see Manage data transfer between iOS apps with Microsoft Intune.

Data transfer exemptions

There are some exempt apps and platform services to and from which Intune app protection policy may allow data transfer in certain scenarios. This list is subject to change and reflects the services and apps considered useful for secure productivity.

App/service name(s) and description:
  • tel; telprompt: native Phone app
  • skype: Skype
  • app-settings: device settings
  • itms; itmss; itms-apps; itms-appss; itms-services: App Store
  • calshow: native Calendar
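As an added example (not Intune's or Microsoft's code), the following Python models how the "Allow app to transfer data to other apps" and "Restrict cut, copy and paste with other apps" settings from the data relocation table, together with the exemption list above, decide a single transfer. The managed-app URL schemes are a constructed sample, and treating exempt schemes as allowed under both restricted values is an assumption (the page says Intune may allow them).

```python
from urllib.parse import urlsplit

# URL schemes from the Data transfer exemptions table on this page.
EXEMPT_SCHEMES = {
    "tel", "telprompt",                                           # native Phone app
    "skype",                                                      # Skype
    "app-settings",                                               # device settings
    "itms", "itmss", "itms-apps", "itms-appss", "itms-services",  # App Store
    "calshow",                                                    # native Calendar
}

# Constructed sample: schemes assumed to be registered by other policy-managed apps.
MANAGED_SCHEMES = {"ms-outlook", "ms-word"}


def outbound_transfer_allowed(setting, target_url, managed_schemes=MANAGED_SCHEMES):
    """Apply 'Allow app to transfer data to other apps' to a URL the app wants
    to hand to another app. Exempt platform services are treated as allowed
    under both restricted values (assumption; the page says Intune *may* allow them)."""
    scheme = urlsplit(target_url).scheme.lower()
    if setting == "All apps":
        return True
    if scheme in EXEMPT_SCHEMES:
        return True
    if setting == "Policy managed apps":
        return scheme in managed_schemes
    if setting == "None":
        return False
    raise ValueError(f"unknown setting: {setting!r}")


def spotlight_search_blocked(setting):
    """The iOS 9 Spotlight search-within-app feature is blocked for both restricted values."""
    return setting in ("Policy managed apps", "None")


def clipboard_allowed(setting, direction, peer_is_managed):
    """Apply 'Restrict cut, copy and paste with other apps'. direction is "out"
    (cut/copy from this app to the peer) or "in" (paste from the peer into this app)."""
    if setting == "Blocked":
        return False
    if setting == "Any app":
        return True
    if setting == "Policy managed apps":
        return peer_is_managed
    if setting == "Policy managed with paste in":
        return True if direction == "in" else peer_is_managed
    raise ValueError(f"unknown setting: {setting!r}")
```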

Access settings

Setting: Require PIN for access
How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. Default value = Yes.

Configure the following settings for PIN strength:
  • Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. Default value = 5.
  • Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. Default value = Yes.
  • PIN length: Specify the minimum number of digits in a PIN sequence. Default value = 4.
  • Set passcode: You can set a passcode when prompted while accessing an app that has app protection policies applied. A passcode can be defined with at least 1 letter or special character. The passcode is applied when working either online or offline.
  • Allow fingerprint instead of PIN (iOS 8.0+): Choose Yes to allow the user to use Touch ID instead of a PIN for app access. Default value = Yes.
On iOS devices, you can let the user prove their identity by using Touch ID instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image is blurred while using a work or school account.
Default value: Require PIN: Yes; PIN reset attempts: 5; Allow simple PIN: Yes; PIN length: 4; Allow fingerprint: Yes

Setting: Require corporate credentials for access
How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, it overrides the requirement for a PIN or Touch ID.
Default value: No

Setting: Block managed apps from running on jailbroken or rooted devices
How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user can continue to use this app for personal tasks, but must use a different device to access work or school data in this app.
Default value: Yes

Setting: Recheck the access requirements after (minutes)
How to use: Configure the following settings:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, if an admin turns on PIN in the policy and a user opens a MAM app, the user must enter a PIN. With this setting, the user does not have to enter a PIN on any MAM app again for another 30 minutes (the default value).
  • Offline grace period: This is the number of minutes that MAM apps can run offline; specify the time (in minutes) before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period expires, the app requires the user to authenticate to AAD so that the app can continue to run.
Default value: Timeout: 30; Offline: 720

Setting: Offline interval before app data is wiped (days)
How to use: After this many days (defined by the admin) of running offline, the app requires the user to connect to the network and re-authenticate. If the user authenticates successfully, they can continue to access their data and the offline interval resets. If the user fails to authenticate, the app performs a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data is removed with a selective wipe.
Default value: 90 days

Setting: Disable app PIN when device PIN is managed
How to use: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.
Default value: No

Setting: Require minimum iOS operating system
How to use: Choose Yes to require a minimum iOS operating system version to use this app. The user is blocked from access if the iOS version on the device does not meet the requirement. This policy supports a single decimal point, like iOS 10.3.
Default value: No

Setting: Require minimum iOS operating system (Warning only)
How to use: Choose Yes to require a minimum iOS operating system version to use this app. The user sees a notification if the iOS version on the device does not meet the requirement. This notification can be dismissed. This policy supports a single decimal point, like iOS 10.3.
Default value: No

Setting: Require minimum app version
How to use: Choose Yes to require a minimum app version to use the app. The user is blocked from access if the app version on the device does not meet the requirement.

As apps often have distinct versioning schemes, create a policy with one minimum app version targeting one app (for example, "Outlook version policy").
Default value: No

Setting: Require minimum app version (Warning only)
How to use: Choose Yes to recommend a minimum app version to use this app. The user sees a notification if the app version on the device does not meet the requirement. This notification can be dismissed.

As apps often have distinct versioning schemes, create a policy with one minimum app version targeting one app (for example, "Outlook version policy").
Default value: No

Setting: Require minimum Intune app protection policy SDK version
How to use: Choose Yes to require a minimum Intune app protection policy SDK version in the app. The user is blocked from access if the app's Intune app protection policy SDK version does not meet the requirement.

To learn more about the Intune app protection policy SDK, see Intune App SDK overview.
Default value: No
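The PIN rules, the recheck timers and the minimum-version check from the access settings table above, as an added Python example that is not the Intune App SDK's code. The returned action names, the integer-minute inputs and the definition of a "simple" PIN are assumptions made for the example.

```python
# Default values from the Access settings table on this page.
TIMEOUT_MIN = 30           # recheck the access requirements after (minutes)
OFFLINE_GRACE_MIN = 720    # offline grace period (minutes, 12 hours)
OFFLINE_WIPE_DAYS = 90     # offline interval before app data is wiped (days)


def required_action(minutes_since_pin, minutes_since_aad_auth,
                    corporate_credentials_required=False, allow_fingerprint=True):
    """Gate a policy-managed app applies when it is opened (hypothetical model
    of the timers described on this page, not Intune SDK code).

    minutes_since_pin:      minutes since the PIN / Touch ID check was last passed
    minutes_since_aad_auth: minutes since the user last authenticated online to AAD
    """
    if minutes_since_aad_auth >= OFFLINE_WIPE_DAYS * 24 * 60:
        # The user must connect and re-authenticate; a failed sign-in
        # triggers a selective wipe of the work or school data.
        return "reauthenticate-or-selective-wipe"
    if minutes_since_aad_auth >= OFFLINE_GRACE_MIN:
        return "reauthenticate-to-aad"
    if minutes_since_pin >= TIMEOUT_MIN:
        if corporate_credentials_required:
            return "sign-in-with-work-account"  # Yes here overrides PIN / Touch ID
        return "prompt-touch-id-or-pin" if allow_fingerprint else "prompt-pin"
    return "open"


def is_simple_pin(pin):
    """Repeated digit (1111) or consecutive run (1234, 4321): the sequences
    the 'Allow simple PIN = No' setting is assumed to reject."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {-1})


def pin_acceptable(pin, min_length=4, allow_simple=True):
    """Check a new PIN against the 'PIN length' and 'Allow simple PIN' settings."""
    if not pin.isdigit() or len(pin) < min_length:
        return False
    return allow_simple or not is_simple_pin(pin)


def meets_minimum(version, minimum):
    """Numeric comparison of dotted versions such as iOS 10.3; a plain string
    comparison would wrongly rank "10.10" below "10.3"."""
    def as_ints(v):
        return [int(p) for p in v.split(".")]
    return as_ints(version) >= as_ints(minimum)
```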

Add-ins for Outlook app

Outlook recently brought add-ins to Outlook for iOS, which let you integrate popular apps with the email client. Add-ins for Outlook are available on the web, Windows, Mac, and Outlook for iOS. Since add-ins are managed through Microsoft Exchange, users can share data and messages between Outlook and unmanaged add-in applications unless add-ins are turned off for the user in Exchange.

If you want to stop your end users from accessing and installing Outlook add-ins (this affects all Outlook clients), make the following changes to roles in the Exchange admin center:

  • To prevent users from installing Office Store add-ins, remove the My Marketplace role from them.
  • To prevent users from side loading add-ins, remove the My Custom Apps role from them.
  • To prevent users from installing any add-ins, remove both the My Custom Apps and My Marketplace roles from them.

These instructions apply to Office 365, Exchange 2016, and Exchange 2013, across Outlook on the web, Windows, Mac, and mobile.