Intune App SDK overview

The Intune App SDK, available for both iOS and Android, enables your app for Intune app protection policies. It strives to minimize the amount of code changes required from the app developer. You'll find that you can enable most of the SDK's features without changing your app's behavior. For an enhanced end-user and IT administrator experience, you can use the APIs to customize your app's behavior for features that require your app's participation.

Once you have enabled your app for app protection policies, IT administrators can deploy these policies to protect their corporate data within the app.

App protection features

The following are examples of Intune app protection features that can be enabled with the SDK.

Control users' ability to move corporate files

IT administrators can control where work or school data in the app can be moved. For instance, they can deploy a policy that prevents the app from backing up corporate data to the cloud.

Configure clipboard restrictions

IT administrators can configure the clipboard behavior in Intune-managed apps. For instance, they can deploy a policy to prevent end users from cutting or copying data from the app and pasting it into an unmanaged, personal app.

Enforce encryption on saved data

IT administrators can enforce a policy that ensures that data saved to the device by the app is encrypted.

Remotely wipe corporate data

IT administrators can remotely wipe corporate data from an Intune-managed app. This feature is identity-based and deletes only the files associated with the corporate identity of the end user. To do that, the feature requires the app's participation. The app can specify the identity for which the wipe should occur based on user settings. In the absence of these app-specified user settings, the default behavior is to wipe the application directory and notify the end user that access has been removed.

Enforce the use of a managed browser

IT administrators can force web links in the app to be opened with the Intune Managed Browser app. This functionality ensures that links that appear in a corporate environment are kept within the domain of Intune-managed apps.

Enforce a PIN policy

IT administrators can require the end user to enter a PIN before accessing corporate data in the app. This ensures that the person using the app is the same person who initially signed in with their work or school account. When end users configure their PIN, the Intune App SDK uses Azure Active Directory to verify the end user's credentials against the enrolled Intune account.

Require users to sign in with a work or school account for app access

IT administrators can require users to sign in with their work or school account to access the app. The Intune App SDK uses Azure Active Directory to provide a single sign-on experience, where the credentials, once entered, are reused for subsequent logins. We also support authentication through identity management solutions federated with Azure Active Directory.

Check device health and compliance

IT administrators can check the health of the device and its compliance with Intune policies before end users access the app. On iOS, this policy checks whether the device has been jailbroken. On Android, this policy checks whether the device has been rooted.

Multi-identity support

Multi-identity support is a feature of the SDK that enables coexistence of policy-managed (corporate) and unmanaged (personal) accounts in a single app.

For example, many users configure both corporate and personal email accounts in the Office mobile apps for iOS and Android. When a user accesses data with their corporate account, the IT administrator must be confident that app protection policy will be applied. However, when a user is accessing a personal email account, that data should be outside of the IT administrator's control. The Intune App SDK achieves this by targeting the app protection policy at only the corporate identity in the app.

The multi-identity feature helps solve the data protection problem that organizations face with store apps that support both personal and work accounts.
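The remote wipe and multi-identity sections above both rest on the same idea: the app tracks which account each piece of cached data belongs to, so that a wipe targeted at the corporate identity leaves personal data alone. The following Android snippet is an added example written for this page; it is not code from the page or from Microsoft's SDK documentation. The file-to-identity bookkeeping (`fileOwner`, `tagFile`) is hypothetical app-side logic, and the SDK names used (`MAMComponents`, `MAMNotificationReceiverRegistry`, `MAMNotificationType.WIPE_USER_DATA`, `MAMUserNotification`) and their package paths are assumed from the Intune App SDK for Android as I recall them, so verify them against the SDK version you build with.

```java
// Added example (not from the page or Microsoft's docs): an app-side handler
// for the Intune App SDK's identity-based selective wipe on Android.
// SDK class names and packages are assumptions; check them against your SDK.
import android.content.Context;

import java.io.File;
import java.util.HashMap;
import java.util.Map;

import com.microsoft.intune.mam.client.app.MAMComponents;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiver;
import com.microsoft.intune.mam.client.notification.MAMNotificationReceiverRegistry;
import com.microsoft.intune.mam.policy.notification.MAMNotification;
import com.microsoft.intune.mam.policy.notification.MAMNotificationType;
import com.microsoft.intune.mam.policy.notification.MAMUserNotification;

public final class SelectiveWipeHandler implements MAMNotificationReceiver {

    // Hypothetical bookkeeping: the account (UPN) on whose behalf each cached
    // file was written. A real app would persist this alongside its data.
    private final Map<File, String> fileOwner = new HashMap<>();
    private final Context appContext;

    public SelectiveWipeHandler(Context context) {
        this.appContext = context.getApplicationContext();
    }

    /** Register once at startup (e.g. from Application.onCreate()). */
    public void register() {
        MAMComponents.get(MAMNotificationReceiverRegistry.class)
                .registerReceiver(this, MAMNotificationType.WIPE_USER_DATA);
    }

    /** Record which identity owns a file, so a later wipe can be selective. */
    public void tagFile(File file, String identity) {
        fileOwner.put(file, identity.toLowerCase());
    }

    @Override
    public boolean onReceive(MAMNotification notification) {
        if (notification.getType() != MAMNotificationType.WIPE_USER_DATA) {
            return true; // not a wipe; nothing for this receiver to do
        }
        // The notification carries the identity the admin targeted. Only files
        // tagged with that identity are removed; a personal account configured
        // in the same app keeps its data.
        String wiped = ((MAMUserNotification) notification)
                .getUserIdentity().toLowerCase();

        boolean allDeleted = true;
        for (Map.Entry<File, String> entry : fileOwner.entrySet()) {
            if (!entry.getValue().equals(wiped)) {
                continue;
            }
            File f = entry.getKey();
            if (!f.delete() && f.exists()) {
                allDeleted = false; // report partial failure back to the SDK
            }
        }
        fileOwner.values().removeIf(wiped::equals);

        // The return value tells the SDK whether the app completed the wipe;
        // consult the SDK guide for how a false result is handled.
        return allDeleted;
    }
}
```

The point of the example is the decision inside `onReceive`: the app, not the SDK, knows which files belong to which account, which is why the page says the feature requires the app's participation. Without a registered receiver and this kind of tagging, the SDK can only fall back to wiping the whole application directory.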

App protection without device enrollment

Intune app protection without device enrollment is available with the Intune App Wrapping Tools, Intune App SDK for Android, Intune App SDK for iOS, and Intune App SDK Xamarin Bindings.

Many users with personal devices want to access corporate data without enrolling their personal device with a Mobile Device Management (MDM) provider. Since MDM enrollment requires global control of the device, users are often hesitant to give control of their personal device over to their company.

App protection without device enrollment allows the Microsoft Intune service to deploy app protection policy to an app directly, without relying on a device management channel to deploy the policy.