iOS app protection policy settings

The policy settings described in this topic can be configured for an app protection policy on the Add a policy > Settings blade in the Azure portal.

There are two categories of policy settings: data relocation settings and access settings. In this topic, the term policy-managed apps refers to apps that are configured with app protection policies.

Data relocation settings

Setting: Prevent iTunes and iCloud backups
How to use: Choose Yes to prevent this app from backing up work or school data to iTunes and iCloud. Choose No to allow this app to back up work or school data to iTunes and iCloud.
Default value: Yes

Setting: Allow app to transfer data to other apps
How to use: Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.
Additionally, if you set this option to Policy managed apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps is blocked.

This policy also affects the behavior of web content. If this policy is set to blocked, the user cannot open http links in any browser, including the Managed Browser. Additionally, if this policy is set to policy managed only, http links can open only in the Managed Browser.

There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to be transferred to an app that does not support Intune APP. See Data transfer exemptions for more information.
Default value: All apps

Setting: Allow app to receive data from other apps
How to use: Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services. Multi-identity MAM-enabled applications on non-enrolled iOS devices ignore this policy and allow all incoming data.
Default value: All apps

Setting: Prevent "Save As"
How to use: Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As.
Default value: No

Setting: Select which storage services corporate data can be saved to
How to use: Users are able to save to the selected services (OneDrive for Business, SharePoint and Local Storage). All other services are blocked.
Default value: 0 selected

Setting: Restrict cut, copy and paste with other apps
How to use: Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

Setting: Restrict web content to display in the Managed Browser
How to use: Choose Yes to force web links in the app to open in the Managed Browser app.

For devices not enrolled in Intune, the web links in policy-managed apps can open only in the Managed Browser app.

If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.

The Microsoft Edge browser for mobile devices (iOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Edge browser application are protected by Intune. The Edge browser integrates the MAM SDK and supports all of its data protection policies, with the exception of preventing:
  • Save-as: The Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive) and does not allow the user to download files to the local file system.
  • Contact sync: The Edge browser does not save to native contact lists.
The Edge browser takes advantage of automatic enrollment for Intune policies. This means that when another Microsoft application on the device is being managed by an Intune policy, the Edge browser automatically checks whether there is a policy targeting the Edge app. Automatic enrollment for Intune policies is handled by the MAM SDK, so no app participation is required.
Default value: No

Setting: Encrypt app data
How to use: For policy-managed apps, data is encrypted at rest using the device-level encryption scheme provided by iOS. When a PIN is required, the data is encrypted according to the settings in the app protection policy.

Go to the official Apple documentation to see which iOS encryption modules are FIPS 140-2 certified or pending FIPS 140-2 certification.

Specify when work or school data in this app is encrypted. Choose from:
  • When device is locked: All app data that is associated with this policy is encrypted while the device is locked.
  • When device is locked and there are open files: All app data associated with this policy is encrypted while the device is locked, except for data in the files that are currently open in the app.
  • After device restart: All app data associated with this policy is encrypted when the device is restarted, until the device is unlocked for the first time.
  • Use device settings: App data is encrypted based on the default settings on the device.
When you enable this setting, the user may be required to set up and use a PIN to access their device. If there is no device PIN and encryption is required, the app will not open and the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
Default value: When device is locked

Setting: Disable contact sync
How to use: Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.

When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app.
Default value: No

Setting: Disable printing
How to use: Choose Yes to prevent the app from printing work or school data.
Default value: No

Note

None of the data relocation settings controls the Apple managed open-in feature on iOS devices. To manage Apple open-in, see Manage data transfer between iOS apps with Microsoft Intune.

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policy may allow data transfer to and from in certain scenarios. This list is subject to change and reflects the services and apps considered useful for secure productivity.

App/service name(s)                                      Description
tel; telprompt                                           Native phone app
skype                                                    Skype
app-settings                                             Device settings
itms; itmss; itms-apps; itms-appss; itms-services        App Store
calshow                                                  Native Calendar

Access settings

Setting: Require PIN for access
How to use: Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline. Default value = Yes.

Configure the following settings for PIN strength:
  • Select Type: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

    Note: To configure passcode type, the app must have Intune SDK version 7.1.12 or above. Numeric type has no Intune SDK version restriction. Special characters allowed include the special characters and symbols on the iOS English language keyboard. Default value = Numeric.

  • Number of attempts before PIN reset: Specify the number of tries the user has to successfully enter their PIN before they must reset it. This policy setting format supports a positive whole number. Default value = 5.

  • Allow simple PIN: Choose Yes to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Choose No to prevent them from using simple sequences.

    Note: If Passcode type PIN is configured, and Allow simple PIN is set to Yes, the user needs at least 1 letter or at least 1 special character in their PIN. If Passcode type PIN is configured, and Allow simple PIN is set to No, the user needs at least 1 number and 1 letter and at least 1 special character in their PIN. Default value = Yes.

  • PIN length: Specify the minimum number of digits in a PIN sequence.

    Note: On some iOS devices, when a PIN length > 6 is configured, the user sees a text input field on the UI but is still required to enter a PIN of the type determined by the Select Type setting. Default value = 4.

  • Allow fingerprint instead of PIN (iOS 8.0+): Choose Yes to allow the user to use Touch ID instead of a PIN for app access. Default value = Yes.

  • Allow facial recognition instead of PIN (iOS 11+): Choose Yes to allow the user to use Face ID instead of a PIN for app access.

    Note: To configure facial recognition, the app must have Intune SDK version 7.1.19 or above. Default value = Yes. Users are prompted to provide face identification when they access the app with their work accounts.

  • Disable app PIN when device PIN is managed: Choose Yes to disable the app PIN when a device lock is detected on an enrolled device.

    Note: Requires the app to have Intune SDK version 7.0.1 or above. Default value = No.

On iOS devices, you can let the user prove their identity by using Touch ID or Face ID instead of a PIN. Intune uses the LocalAuthentication API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the iOS Security Guide. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image is blurred while using a work or school account.
Default value:
  Require PIN for access: Yes
  Select Type: Numeric
  PIN reset attempts: 5
  Allow simple PIN: Yes
  PIN length: 4
  Allow fingerprint: Yes
  Allow facial recognition: Yes
  Disable app PIN: No

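The PIN-strength settings above (Select Type, Allow simple PIN, PIN length) interact, so the following added example, which is not part of the Intune documentation or SDK, shows how a candidate PIN would be checked against one combination of them. The set of "special characters" (string.punctuation standing in for the iOS English keyboard symbols) and the definition of a "simple sequence" (a repeated character or a run like 1234, abcd or 4321) are assumptions; the page gives only examples.

```python
"""Validate a candidate PIN against Intune iOS app-protection PIN settings.

Added example, not Intune's own code. It models the rules the page states for
Select Type, Allow simple PIN and PIN length. The simple-sequence test and the
use of string.punctuation as the special-character set are assumptions.
"""
import string
from dataclasses import dataclass

# Assumption: stands in for "special characters and symbols on the iOS English keyboard".
SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class PinPolicy:
    pin_type: str = "numeric"   # Select Type: "numeric" or "passcode" (default Numeric)
    allow_simple: bool = True   # Allow simple PIN (default Yes)
    min_length: int = 4         # PIN length, the minimum number of characters (default 4)


def is_simple_sequence(pin: str) -> bool:
    """True for patterns like 1111, aaaa, 1234, abcd (and descending runs like 4321)."""
    if len(pin) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    # A single repeated step of 0 (1111), +1 (1234) or -1 (4321) counts as "simple".
    return len(steps) == 1 and steps <= {-1, 0, 1}


def validate_pin(pin: str, policy: PinPolicy) -> list:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")

    has_digit = any(c.isdigit() for c in pin)
    has_letter = any(c.isalpha() for c in pin)
    has_special = any(c in SPECIALS for c in pin)

    if policy.pin_type == "numeric":
        # Numeric type: digits only.
        if not pin.isdigit():
            problems.append("numeric type allows digits only")
    elif policy.pin_type == "passcode":
        if policy.allow_simple:
            # Passcode + Allow simple PIN = Yes: at least 1 letter or 1 special character.
            if not (has_letter or has_special):
                problems.append("passcode needs at least 1 letter or 1 special character")
        else:
            # Passcode + Allow simple PIN = No: at least 1 number, 1 letter and 1 special.
            if not (has_digit and has_letter and has_special):
                problems.append("passcode needs at least 1 number, 1 letter and 1 special character")
    else:
        raise ValueError(f"unknown pin_type {policy.pin_type!r}")

    # Allow simple PIN = No also rejects sequences such as 1234, 1111, abcd or aaaa.
    if not policy.allow_simple and is_simple_sequence(pin):
        problems.append("simple sequences such as 1234, 1111, abcd or aaaa are not allowed")
    return problems


if __name__ == "__main__":
    default = PinPolicy()  # the page's defaults: Numeric, simple allowed, length 4
    strict = PinPolicy(pin_type="passcode", allow_simple=False, min_length=6)
    for candidate, pol in [("1234", default), ("12ab", default), ("1234", strict), ("Ab1!xy", strict)]:
        verdict = validate_pin(candidate, pol) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```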
Setting: Require corporate credentials for access
How to use: Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
Default value: No

Setting: Block managed apps from running on jailbroken or rooted devices
How to use: Choose Yes to prevent this app from running on jailbroken or rooted devices. The user can continue to use this app for personal tasks, but must use a different device to access work or school data in this app.
Default value: Yes

Setting: Recheck the access requirements after (minutes)
How to use: Configure the following settings:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and Block rooted devices in the policy; a user who opens an Intune-managed app must enter a PIN and must be using the app on a non-rooted device. When using this setting, the user would not have to enter a PIN or undergo another root-detection check on any Intune-managed app for another 30 minutes (default value).

    Note: On iOS, the PIN is shared among all Intune-managed apps of the same publisher. The PIN timer for a specific PIN is reset once the app leaves the foreground on the device. The user would not have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. This policy setting format supports a positive whole number.

  • Offline grace period: This is the number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Default value = 720 minutes (12 hours). After this period expires, the app requires user authentication to Azure Active Directory (Azure AD) so that the app can continue to run, but only if Require corporate credentials is set to Yes. This policy setting format supports a positive whole number.
Default value:
  Timeout: 30
  Offline: 720

Setting: Offline interval before app data is wiped (days)
How to use: After this many days (defined by the admin) of running offline, the app requires the user to connect to the network and re-authenticate. If the user successfully authenticates, they can continue to access their data and the offline interval resets. If the user fails to authenticate, the app performs a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data is removed with a selective wipe. This policy setting format supports a positive whole number.
Default value: 90 days

Setting: Require minimum iOS operating system
How to use: Choose Yes to require a minimum iOS operating system to use this app. The user is blocked from access if the iOS version on the device does not meet the requirement.

Note: Requires the app to have Intune SDK version 7.0.1 or above.
Default value: No

Setting: Require minimum iOS operating system (Warning only)
How to use: Choose Yes to require a minimum iOS operating system to use this app. The user sees a notification if the iOS version on the device does not meet the requirement. This notification can be dismissed.

Note: Requires the app to have Intune SDK version 7.0.1 or above.
Default value: No

Setting: Require minimum app version
How to use: Choose Yes to require a minimum app version to use the app. The user is blocked from access if the app version on the device does not meet the requirement.

As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, "Outlook version policy").

This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires the app to have Intune SDK version 7.0.1 or above.
Default value: No

Setting: Require minimum app version (Warning only)
How to use: Choose Yes to recommend a minimum app version to use this app. The user sees a notification if the app version on the device does not meet the requirement. This notification can be dismissed.

As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, "Outlook version policy").

This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires the app to have Intune SDK version 7.0.1 or above.
Default value: No

Setting: Require minimum Intune app protection policy SDK version
How to use: Choose Yes to require a minimum Intune app protection policy SDK version in the app. The user is blocked from access if the app's Intune app protection policy SDK version does not meet the requirement.

To learn more about the Intune app protection policy SDK, see Intune App SDK overview.

This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires the app to have Intune SDK version 7.0.1 or above.
Default value: No
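The three minimum-version settings (Require minimum app version, its Warning only variant, and Require minimum Intune app protection policy SDK version) all accept the same major.minor, major.minor.build or major.minor.build.revision formats but differ in outcome (block versus dismissible warning). The following added example, not Intune's own logic, parses those formats and combines the settings; treating missing trailing components as 0 and letting an enforced minimum outrank a warning are assumptions.

```python
"""Evaluate the Intune minimum-version access settings.

Added example, not the Intune service's or SDK's own code. Version values use
the formats the page lists: major.minor, major.minor.build,
major.minor.build.revision. Padding missing components with 0 is an assumption.
"""
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    ALLOW = "allow"  # every configured minimum is met
    WARN = "warn"    # only a "Warning only" minimum is unmet: dismissible notification
    BLOCK = "block"  # an enforced minimum is unmet: the user is blocked from access


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse major.minor[.build[.revision]] into a 4-tuple, padding with zeros."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def meets_minimum(installed: str, minimum: str) -> bool:
    """True when the installed version is at least the configured minimum."""
    # Tuple comparison is component-wise, so 4.10.0.0 correctly exceeds 4.9.0.0.
    return parse_version(installed) >= parse_version(minimum)


def evaluate_version_access(app_version: str, sdk_version: str,
                            min_app: Optional[str] = None,
                            min_app_warn: Optional[str] = None,
                            min_sdk: Optional[str] = None) -> Action:
    """Combine the three settings; an enforced (blocking) failure outranks a warning."""
    if min_app is not None and not meets_minimum(app_version, min_app):
        return Action.BLOCK          # Require minimum app version
    if min_sdk is not None and not meets_minimum(sdk_version, min_sdk):
        return Action.BLOCK          # Require minimum Intune app protection policy SDK version
    if min_app_warn is not None and not meets_minimum(app_version, min_app_warn):
        return Action.WARN           # Require minimum app version (Warning only)
    return Action.ALLOW


if __name__ == "__main__":
    # Constructed sample: one policy targeting one app, as the page recommends.
    policy = dict(min_app="4.1", min_app_warn="4.2.0", min_sdk="7.0.1")
    for app, sdk in [("4.2.1", "7.1.19"), ("4.1.5", "7.1.19"), ("4.0.0.5", "7.1.19"), ("4.2.1", "7.0")]:
        print(f"app {app}, SDK {sdk}: {evaluate_version_access(app, sdk, **policy).value}")
```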

Note

To learn more about how multiple Intune app protection settings configured in the Access section for the same set of apps and users work on iOS, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.

Add-ins for Outlook app

Outlook recently brought add-ins to Outlook for iOS, which let you integrate popular apps with the email client. Add-ins for Outlook are available on the web, Windows, Mac, and Outlook for iOS. Since add-ins are managed via Microsoft Exchange, users can share data and messages across Outlook and unmanaged add-in applications unless add-ins are turned off for the user by their Exchange administrator.

If you want to stop your end users from accessing and installing Outlook add-ins (this affects all Outlook clients), make sure you have made the following changes to roles in the Exchange admin center:

  • To prevent users from installing Office Store add-ins, remove the My Marketplace role from them.
  • To prevent users from side-loading add-ins, remove the My Custom Apps role from them.
  • To prevent users from installing any add-ins, remove both the My Custom Apps and My Marketplace roles from them.

These instructions apply to Office 365, Exchange 2016, and Exchange 2013 across Outlook on the web, Windows, Mac, and mobile.

LinkedIn account connections for Microsoft apps

LinkedIn account connections allow users to see public LinkedIn profile information within certain Microsoft apps. By default, your users can choose to connect their LinkedIn and Microsoft work or school accounts to see additional LinkedIn profile information.

Note

LinkedIn integration is currently unavailable for United States Government customers and for organizations with Exchange Online mailboxes hosted in Australia, Canada, China, France, Germany, India, South Korea, United Kingdom, Japan, and South Africa.

You can disable LinkedIn account connections for your entire organization, or you can enable LinkedIn account connections for selected user groups in your organization. These settings affect LinkedIn connections across Office 365 apps on all platforms (web, mobile, and desktop). You can:

  • Enable or disable LinkedIn account connections for your tenant in the Azure portal.
  • Enable or disable LinkedIn account connections for your organization's Office 2016 apps using Group Policy.

If LinkedIn integration is enabled for your tenant, when users in your organization connect their LinkedIn and Microsoft work or school accounts, they have two options:

  • They can give permission to share data between both accounts. This means that they give permission for their LinkedIn account to share data with their Microsoft work or school account, as well as for their Microsoft work or school account to share data with their LinkedIn account. Data that is shared with LinkedIn leaves the online services.
  • They can give permission to share data only from their LinkedIn account to their Microsoft work or school account.

If a user consents to sharing data between accounts, LinkedIn integration, like Office add-ins, uses existing Microsoft Graph APIs. LinkedIn integration uses only a subset of the APIs available to Office add-ins and supports various exclusions.

Microsoft Graph permissions and their descriptions:

Read permissions for People: Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype).

Read permissions for Calendars: Allows the app to read events in user calendars. Includes the meetings in signed-in user calendars, their times, locations, and attendees.

Read permissions for User Profile: Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information for signed-in users.

Subscriptions: This scope is not available and not yet in use. It includes subscriptions provided by the user's organization to Microsoft apps and services, such as Office 365.

Insights: This scope is not available and not yet in use. It includes the interests associated with the signed-in user's account based on their use of Microsoft services.

Learn more