Microsoft Intune App SDK for iOS developer guide


You might want to first read the Get Started with Intune App SDK Guide article, which explains how to prepare for integration on each supported platform.

The Microsoft Intune App SDK for iOS lets you incorporate Intune app protection policies (also known as APP or MAM policies) into your native iOS app. A MAM-enabled application is one that is integrated with the Intune App SDK. IT administrators can deploy app protection policies to your mobile app when Intune actively manages the app.


  • You will need a Mac OS computer that runs OS X 10.8.5 or later and has Xcode 8 or later installed.

  • Your app must be targeted for iOS 9 or above.

  • Review the Intune App SDK for iOS License Terms. Print and retain a copy of the license terms for your records. By downloading and using the Intune App SDK for iOS, you agree to such license terms. If you do not accept them, do not use the software.

  • Download the files for the Intune App SDK for iOS on GitHub.

What’s in the SDK

The Intune App SDK for iOS includes a static library, resource files, API headers, a debug settings .plist file, and a configurator tool. Mobile apps might simply include the resource files and statically link to the libraries for most policy enforcement. Advanced Intune MAM features are enforced through APIs.

This guide covers the use of the following components of the Intune App SDK for iOS:

  • libIntuneMAM.a: The Intune App SDK static library. If your app does not use extensions, link this library to your project to enable your app for Intune mobile application management.

  • IntuneMAM.framework: The Intune App SDK framework. Link this framework to your project to enable your app for Intune mobile application management. Use the framework instead of the static library if your app uses extensions, so that your project does not create multiple copies of the static library.

  • IntuneMAMResources.bundle: A resource bundle that has resources that the SDK relies on.

  • Headers: Exposes the Intune App SDK APIs. If you use an API, you will need to include the header file that contains the API. The following header files include the APIs, data types, and protocols which the Intune App SDK makes available to developers:

    • IntuneMAMAppConfig.h
    • IntuneMAMAppConfigManager.h
    • IntuneMAMDataProtectionInfo.h
    • IntuneMAMDataProtectionManager.h
    • IntuneMAMDefs.h
    • IntuneMAMEnrollmentDelegate.h
    • IntuneMAMEnrollmentManager.h
    • IntuneMAMEnrollmentStatus.h
    • IntuneMAMFileProtectionInfo.h
    • IntuneMAMFileProtectionManager.h
    • IntuneMAMLogger.h
    • IntuneMAMPolicy.h
    • IntuneMAMPolicyDelegate.h
    • IntuneMAMPolicyManager.h
    • IntuneMAMVersionInfo.h

Developers can make the contents of all the above headers available by just importing IntuneMAM.h.

How the Intune App SDK works

The objective of the Intune App SDK for iOS is to add management capabilities to iOS applications with minimal code changes. The fewer the code changes, the less time to market, without affecting the consistency and stability of your mobile application.

Build the SDK into your mobile app

To enable the Intune App SDK, follow these steps:

  1. Option 1 (recommended): Link IntuneMAM.framework to your project. Drag IntuneMAM.framework to the Embedded Binaries list of the project target.


    If you use the framework, you must manually strip out the simulator architectures from the universal framework before you submit your app to the App Store. See Submit your app to the App Store for more details.

  2. Option 2: Link to the libIntuneMAM.a library. Drag the libIntuneMAM.a library to the Linked Frameworks and Libraries list of the project target.

    Intune App SDK iOS: linked frameworks and libraries (image)

    Add -force_load {PATH_TO_LIB}/libIntuneMAM.a to either of the following, replacing {PATH_TO_LIB} with the Intune App SDK location:

    • The project’s OTHER_LDFLAGS build configuration setting
    • The UI’s Other Linker Flags


      To find PATH_TO_LIB, select the file libIntuneMAM.a and choose Get Info from the File menu. Copy and paste the Where information (the path) from the General section of the Info window.

      Add the IntuneMAMResources.bundle resource bundle to the project by dragging the resource bundle under Copy Bundle Resources within Build Phases.

      Intune App SDK iOS: copy bundle resources (image)

  3. Add these iOS frameworks to the project:

    • MessageUI.framework
    • Security.framework
    • MobileCoreServices.framework
    • SystemConfiguration.framework
    • libsqlite3.tbd
    • libc++.tbd
    • ImageIO.framework
    • LocalAuthentication.framework
    • AudioToolbox.framework
  4. If your mobile app defines a main nib or storyboard file in its Info.plist file, cut the Main Storyboard or Main Nib field(s). In Info.plist, paste these fields and their corresponding values under a new dictionary named IntuneMAMSettings with the following key names, as applicable:

    • MainStoryboardFile
    • MainStoryboardFile~ipad
    • MainNibFile
    • MainNibFile~ipad


      If your mobile app doesn’t define a main nib or storyboard file in its Info.plist file, these settings are not required.

      You can view Info.plist in raw format (to see the key names) by right-clicking anywhere in the document body and changing the view type to Show Raw Keys/Values.

  5. Enable keychain sharing (if it isn't already enabled) by choosing Capabilities in each project target and enabling the Keychain Sharing switch. Keychain sharing is required for you to proceed to the next step.


    Your provisioning profile needs to support new keychain sharing values. The keychain access groups should support a wildcard character. You can check this by opening the .mobileprovision file in a text editor, searching for keychain-access-groups, and ensuring that you have a wildcard. For example:

  6. After you enable keychain sharing, follow these steps to create a separate access group in which the Intune App SDK will store its data. You can create a keychain access group by using the UI or by using the entitlements file. If you are using the UI to create the keychain access group, make sure to follow the steps below:

    1. If your mobile app does not have any keychain access groups defined, add the app’s bundle ID as the first group.

    2. Add the shared keychain group to your existing access groups. The Intune App SDK uses this access group to store data.

    3. Add to your existing access groups.

      Intune App SDK iOS: keychain sharing (image)

    4. If you are editing the entitlements file directly, rather than using the Xcode UI shown above to create the keychain access groups, prepend the keychain access groups with $(AppIdentifierPrefix) (Xcode handles this automatically). For example:

       * `$(AppIdentifierPrefix)`
       * `$(AppIdentifierPrefix)`


      An entitlements file is an XML file that's unique to your mobile application. It is used to specify special permissions and capabilities in your iOS app. If your app did not previously have an entitlements file, enabling keychain sharing (step 6) should have caused Xcode to generate one for your app.

  7. If the app defines URL schemes in its Info.plist file, add another scheme, with a -intunemam suffix, for each URL scheme.

  8. If the app defines Document types in its Info.plist file, for each item's "Document Content Type UTIs" array, add a duplicate entry for each string with a "" prefix.

  9. For mobile apps developed on iOS 9+, include each protocol that your app passes to UIApplication canOpenURL in the LSApplicationQueriesSchemes array of your app's Info.plist file. Additionally, for each protocol listed, add a new protocol and append it with -intunemam. You must also include http-intunemam, https-intunemam, and ms-outlook-intunemam in the array.

  10. If the app has app groups defined in its entitlements, add these groups to the IntuneMAMSettings dictionary under the AppGroupIdentifiers key as an array of strings.

Using the Intune MAM Configurator Tool

The Intune MAM Configurator Tool now handles all info.plist manipulation that is needed to integrate our SDK manually. You can find it in the repo for the Intune App SDK for iOS. Any additional app-specific settings, such as multi-ID or AAD settings, are not handled by this tool. The tool has 3 parameters:

Property    How to use it
-i          <Path to the input plist>
-e          The entitlements files
-o          (Optional) <Path for the changed input plist>

The Intune MAM Configurator Tool can be used to update:

  • Any of your app's Main Storyboard and/or Main Nib files into the IntuneMAMSettings.
  • Any of your app's defined URL schemes in its Info.plist file with the -intunemam suffix, for each URL scheme.
  • Any of your app's defined Document types in its Info.plist file, for each item's "Document Content Type UTIs" array, add a duplicate entry for each string with a "" prefix.
  • Any of your app's app groups defined in its entitlements, add these groups to the IntuneMAMSettings dictionary under the AppGroupIdentifiers key as an array of strings.


If you decide to use this tool instead of manual info.plist manipulation, we recommend it be rerun whenever changes to your app's info.plist or entitlements have been made.
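The Info.plist changes described in the manual steps and in the Configurator Tool list can be checked after every build with a small lint. The script below is an added example, not part of the SDK or the Configurator Tool; it covers the main storyboard/nib keys, URL schemes, LSApplicationQueriesSchemes and app groups. The raw key names (UIMainStoryboardFile, NSMainNibFile, CFBundleURLTypes, com.apple.security.application-groups) are standard Apple keys rather than names taken from this page, and the sample plists are constructed.

```python
import plistlib

SUFFIX = "-intunemam"
# Standard Apple Info.plist keys for the main UI file, mapped to the key name
# the guide expects under IntuneMAMSettings (assumption: raw Apple key names).
MAIN_UI_KEYS = {
    "UIMainStoryboardFile": "MainStoryboardFile",
    "UIMainStoryboardFile~ipad": "MainStoryboardFile~ipad",
    "NSMainNibFile": "MainNibFile",
    "NSMainNibFile~ipad": "MainNibFile~ipad",
}
# Entries the guide says must always be in LSApplicationQueriesSchemes.
REQUIRED_QUERY_SCHEMES = ("http-intunemam", "https-intunemam", "ms-outlook-intunemam")
APP_GROUPS_ENTITLEMENT = "com.apple.security.application-groups"

# Constructed sample Info.plist with several integration gaps.
SAMPLE_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>UIMainStoryboardFile</key><string>Main</string>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array><string>contosoapp</string></array>
  </dict></array>
  <key>LSApplicationQueriesSchemes</key><array>
    <string>tel</string><string>tel-intunemam</string><string>http-intunemam</string>
  </array>
  <key>IntuneMAMSettings</key><dict>
    <key>AppGroupIdentifiers</key><array><string>group.com.contoso.shared</string></array>
  </dict>
</dict></plist>"""

# Constructed sample entitlements file with two app groups.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.application-groups</key><array>
    <string>group.com.contoso.shared</string>
    <string>group.com.contoso.extension</string>
  </array>
</dict></plist>"""


def missing_suffixed(schemes):
    """Return the '-intunemam' twins that are absent from a list of schemes."""
    present = set(schemes)
    return sorted(s + SUFFIX for s in present
                  if not s.endswith(SUFFIX) and s + SUFFIX not in present)


def check_intune_plist(info, entitlements):
    """Compare parsed Info.plist and entitlements dicts with the guide's steps."""
    findings = []
    mam = info.get("IntuneMAMSettings", {})

    # Main storyboard/nib fields must be cut from the top level of Info.plist.
    for raw_key, mam_key in MAIN_UI_KEYS.items():
        if raw_key in info:
            findings.append(
                f"{raw_key} is still top-level; move it to IntuneMAMSettings/{mam_key}")

    # Every URL scheme the app defines needs a -intunemam duplicate.
    url_schemes = [s for url_type in info.get("CFBundleURLTypes", [])
                   for s in url_type.get("CFBundleURLSchemes", [])]
    for scheme in missing_suffixed(url_schemes):
        findings.append(f"CFBundleURLSchemes lacks {scheme}")

    # Queried protocols need -intunemam twins plus the three fixed entries.
    queries = info.get("LSApplicationQueriesSchemes", [])
    wanted = set(missing_suffixed(queries)) | (set(REQUIRED_QUERY_SCHEMES) - set(queries))
    for scheme in sorted(wanted):
        findings.append(f"LSApplicationQueriesSchemes lacks {scheme}")

    # App groups from the entitlements must be mirrored in IntuneMAMSettings.
    declared = set(mam.get("AppGroupIdentifiers", []))
    for group in entitlements.get(APP_GROUPS_ENTITLEMENT, []):
        if group not in declared:
            findings.append(f"IntuneMAMSettings/AppGroupIdentifiers lacks {group}")
    return findings


if __name__ == "__main__":
    results = check_intune_plist(plistlib.loads(SAMPLE_INFO),
                                 plistlib.loads(SAMPLE_ENTITLEMENTS))
    for finding in results:
        print("FINDING:", finding)
```

Run against a real project, load the app's Info.plist and .entitlements files with plistlib.load and fail the build when the returned list is not empty.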

Configure Azure Active Directory Authentication Library (ADAL)

The Intune App SDK uses Azure Active Directory Authentication Library for its authentication and conditional launch scenarios. It also relies on ADAL to register the user identity with the MAM service for management without device enrollment scenarios.

Typically, ADAL requires apps to register with Azure Active Directory (AAD) and get a unique ID (Client ID) and other identifiers, to guarantee the security of the tokens granted to the app. Unless otherwise specified, the Intune App SDK uses default registration values when it contacts Azure AD.

If your app already uses ADAL to authenticate users, the app must use its existing registration values and override the Intune App SDK default values. This ensures that users are not prompted for authentication twice (once by the Intune App SDK and once by the app).


It is recommended that your app links to the latest version of ADAL on its master branch. The Intune App SDK currently uses the broker branch of ADAL to support apps that require conditional access. (These apps therefore depend on the Microsoft Authenticator app.) But the SDK is still compatible with the master branch of ADAL. Use the branch that is appropriate for your app.

Follow the steps below to link your app to the ADAL binaries:

  1. Download the Azure Active Directory Authentication Library (ADAL) for Objective-C from GitHub, then follow the instructions on how to download ADAL using Git submodules or CocoaPods.

  2. Include the ADALiOSBundle.bundle resource bundle in the project by dragging the resource bundle under Copy Bundle Resources within Build Phases.

  3. Add -force_load {PATH_TO_LIB}/libADALiOS.a to the project’s OTHER_LDFLAGS build configuration setting or Other Linker Flags in the UI. PATH_TO_LIB should be replaced with the location of the ADAL binaries.

Share the ADAL token cache with other apps signed with the same provisioning profile?

Follow the instructions below if you want to share ADAL tokens between apps signed with the same provisioning profile:

  1. If your app does not have any keychain access groups defined, add the app’s bundle ID as the first group.

  2. Enable ADAL single sign-on (SSO) by adding and access groups in the keychain entitlements.

  3. If you are explicitly setting the ADAL shared cache keychain group, make sure it is set to <app_id_prefix>. ADAL will set this for you unless you override it. If you want to specify a custom keychain group to replace, specify that in the Info.plist file under IntuneMAMSettings, by using the key ADALCacheKeychainGroupOverride.

Configure ADAL settings for the Intune App SDK

If your app already uses ADAL for authentication and has its own ADAL settings, you can force the Intune App SDK to use the same settings during authentication against Azure Active Directory. This ensures that the app will not double-prompt the user for authentication. See Configure settings for the Intune App SDK for information on populating the following settings:

  • ADALClientId
  • ADALAuthority
  • ADALRedirectUri
  • ADALRedirectScheme
  • ADALCacheKeychainGroupOverride

If your app already uses ADAL, the following configurations are required:

  1. In the project’s Info.plist file, under the IntuneMAMSettings dictionary with the key name ADALClientId, specify the client ID to be used for ADAL calls.

  2. Also under the IntuneMAMSettings dictionary with the key name ADALAuthority, specify the Azure AD authority.

  3. Also under the IntuneMAMSettings dictionary with the key name ADALRedirectUri, specify the redirect URI to be used for ADAL calls. You might also need to specify ADALRedirectScheme, depending on the format of your app’s redirect URI.

Additionally, you can override the Azure AD Authority URL with a tenant-specific URL at runtime. To do this, simply set the aadAuthorityUriOverride property on the IntuneMAMPolicyManager instance.


Setting the AAD Authority URL is required for APP without device enrollment to let the SDK reuse the ADAL refresh token fetched by the app.

The SDK will continue to use this authority URL for policy refresh and any subsequent enrollment requests, unless the value is cleared or changed. Therefore, it is important to clear the value when a managed user signs out of the app and to reset the value when a new managed user signs in.

If your app does not use ADAL

If your app does not use ADAL, the Intune App SDK will provide default values for ADAL parameters and handle authentication against Azure AD. You do not have to specify any values for the ADAL settings listed above.

App protection policy without device enrollment


Intune app protection policy without device enrollment, also known as APP-WE or MAM-WE, allows apps to be managed by Intune without the need for the device to be enrolled in Intune mobile device management (MDM). To support this new functionality, the app must participate by registering user accounts for management. To use the new APIs, follow these steps:

  1. Use the latest release of the Intune App SDK, which supports management of apps with or without device enrollment.

  2. Add IntuneMAMEnrollment.h to any files that will call the APIs.

Register user accounts

An app can receive app protection policy from the Intune service if the app enrolls with the APP-WE service on behalf of a specified user account. The app is responsible for registering any newly signed-in user with the SDK. After the new user account has been authenticated, the app should call the registerAndEnrollAccount method in Headers/IntuneMAMEnrollment.h:


 /**
  *  This method will add the account to the list of registered accounts.
  *  An enrollment request will immediately be started.
  *  @param identity The UPN of the account to be registered with the SDK
  */
 - (void)registerAndEnrollAccount:(NSString *)identity;

By calling the registerAndEnrollAccount method, the SDK will register the user account and attempt to enroll the app on behalf of this account. If the enrollment fails for any reason, the SDK will automatically retry the enrollment 24 hours later. For debugging purposes, the app can receive notifications, via a delegate, about the results of any enrollment requests.

After this API has been invoked, the app can continue to function as normal. If the enrollment succeeds, the SDK will notify the user that an app restart is required. At that time, the user can immediately restart the app.

Deregister user accounts

Before a user is signed out of an app, the app should deregister the user from the SDK. This will ensure:

  1. Enrollment retries will no longer happen for the user’s account.

  2. App protection policy will be removed.

  3. If the app initiates a selective wipe (optional), any corporate data is deleted.

Before the user is signed out, the app should call the following API in Headers/IntuneMAMEnrollment.h:

 /**
  *  This method will remove the provided account from the list of
  *  registered accounts.  Once removed, if the account has enrolled
  *  the application, the account will be un-enrolled.
  *  @note In the case where an un-enroll is required, this method will block
  *  until the Intune MAM AAD token is acquired, then return.  This method must be called before
  *  the user is removed from the application (so that required AAD tokens are not purged
  *  before this method is called).
  *  @param identity The UPN of the account to be removed.
  *  @param doWipe   If YES, a selective wipe if the account is un-enrolled
  */
 - (void)deRegisterAndUnenrollAccount:(NSString *)identity withWipe:(BOOL)doWipe;

This method must be called before the user account’s Azure AD tokens are deleted. The SDK needs the user account’s AAD token(s) to make specific requests to the APP-WE service on behalf of the user.

If the app will delete the user’s corporate data on its own, the doWipe flag can be set to false. Otherwise, the app can have the SDK initiate a selective wipe. This will result in a call to the app's selective wipe delegate.

 [[IntuneMAMEnrollmentManager instance] deRegisterAndUnenrollAccount:@"" withWipe:YES];

Apps that do not use ADAL

Apps that do not sign in the user using ADAL can still receive app protection policy from the Intune service by calling the API to have the SDK handle that authentication. Apps should use this technique when they have not authenticated a user with Azure AD but still need to retrieve app protection policy to help protect data. An example is if another authentication service is being used for app sign-in, or if the app does not support signing in at all. To do this, the application should call the loginAndEnrollAccount method in Headers/IntuneMAMEnrollment.h:

 /**
  *  Creates an enrollment request which is started immediately.
  *  If no token can be retrieved for the identity, the user will be prompted
  *  to enter their credentials, after which enrollment will be retried.
  *  @param identity The UPN of the account to be logged in and enrolled.
  */
 - (void)loginAndEnrollAccount:(NSString *)identity;

By calling this method, the SDK will prompt the user for credentials if no existing token can be found. The SDK will then try to enroll the app with the APP-WE service on behalf of the supplied user account. The method can be called with "nil" as the identity. In that case, the SDK will enroll with the existing managed user on the device, or prompt the user for a user name if no existing user is found.

If the enrollment fails, the app should consider calling this API again at a future time, depending on the details of the failure. The app can receive notifications, via a delegate, about the results of any enrollment requests.

After this API has been invoked, the app can continue functioning as normal. If the enrollment succeeds, the SDK will notify the user that an app restart is required.

Status, result, and debug notifications

The app can receive status, result, and debug notifications about the following requests to the Intune MAM service:

  • Enrollment requests
  • Policy update requests
  • Unenrollment requests

The notifications are presented via delegate methods in Headers/IntuneMAMEnrollmentDelegate.h:

 /**
  *  Called when an enrollment request operation is completed.
  *  @param status status object containing debug information
  */
 - (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

 /**
  *  Called when a MAM policy request operation is completed.
  *  @param status status object containing debug information
  */
 - (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

 /**
  *  Called when a un-enroll request operation is completed.
  *  @Note: when a user is un-enrolled, the user is also de-registered with the SDK
  *  @param status status object containing debug information
  */
 - (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

These delegate methods return an IntuneMAMEnrollmentStatus object that has the following information:

  • The identity of the account associated with the request
  • A status code that indicates the result of the request
  • An error string with a description of the status code
  • An NSError object

This object is defined in IntuneMAMEnrollmentStatus.h, along with the specific status codes that can be returned.

Sample code

These are example implementations of the delegate methods:

 // Logs the outcome of each enrollment request.
 - (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
 {
     NSLog(@"enrollment result for identity %@ with status code %lu", status.identity, (unsigned long)status.statusCode);
     NSLog(@"Debug Message: %@", status.errorString);
 }

 // Logs the outcome of each policy check-in.
 - (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
 {
     NSLog(@"policy check-in result for identity %@ with status code %lu", status.identity, (unsigned long)status.statusCode);
     NSLog(@"Debug Message: %@", status.errorString);
 }

 // Logs the outcome of each un-enroll request.
 - (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
 {
     NSLog(@"un-enroll result for identity %@ with status code %lu", status.identity, (unsigned long)status.statusCode);
     NSLog(@"Debug Message: %@", status.errorString);
 }

App restart

When an app receives app protection policies for the first time, it must restart to apply the required hooks. To notify the app that a restart needs to happen, the SDK provides a delegate method in Headers/IntuneMAMPolicyDelegate.h.

 - (BOOL) restartApplication

The return value of this method tells the SDK if the application must handle the required restart:

  • If true is returned, the application must handle the restart.

  • If false is returned, the SDK will restart the application after this method returns. The SDK will immediately show a dialog box that tells the user to restart the application.

自訂您的應用程式行為Customize your app's behavior

Intune 應用程式 SDK 中有多個 API,您可以呼叫以取得部署至應用程式之 Intune 應用程式保護原則的相關資訊。The Intune App SDK has several APIs you can call to get information about the Intune app protection policy deployed to the app. 您可以使用這項資料來自訂您的應用程式行為。You can use this data to customize your app's behavior. 大部分的應用程式保護原則設定會由 SDK 自動強制執行,而不是應用程式。Most app protection policy settings are automatically enforced by the SDK and not the application. 應用程式應該實作的唯一設定是「另存新檔」控制項。The only setting that the app should implement is the Save-as control.

Get app protection policy


The IntuneMAMPolicyManager class exposes the Intune app protection policy deployed to the application. Notably, it exposes APIs that are useful for enabling multi-identity.


The IntuneMAMPolicy class exposes the Intune app protection policy deployed to the application. Most of the policy settings exposed in this class are enforced by the SDK, but you can always customize your app's behavior based on how policy settings are enforced.

This class exposes some APIs needed to implement save-as controls, detailed in the next section.

Implement save-as controls

Intune lets IT admins select which storage locations a managed app can save data to. Apps can query the Intune App SDK for allowed storage locations by using the isSaveToAllowedForLocation API, defined in IntuneMAMPolicy.h.

Before apps can save managed data to a cloud-storage or local location, they must check with the isSaveToAllowedForLocation API to know if the IT admin has allowed data to be saved there.

When apps use the isSaveToAllowedForLocation API, they must pass in the UPN for the storage location, if it is available.

Supported save locations

The isSaveToAllowedForLocation API provides constants to check whether the IT admin permits data to be saved to the following locations defined in IntuneMAMPolicy.h:

  • IntuneMAMSaveLocationOther
  • IntuneMAMSaveLocationOneDriveForBusiness
  • IntuneMAMSaveLocationSharePoint
  • IntuneMAMSaveLocationLocalDrive

Apps should use the constants in the isSaveToAllowedForLocation API to check if data can be saved to locations considered "managed," like OneDrive for Business, or "personal." Additionally, the API should be used when the app can't check whether a location is "managed" or "personal."

Locations known to be "personal" are represented by the IntuneMAMSaveLocationOther constant.

The IntuneMAMSaveLocationLocalDrive constant should be used when the app is saving data to any location on the local device.

Configure settings for the Intune App SDK

You can use the IntuneMAMSettings dictionary in the application’s Info.plist file to set up and configure the Intune App SDK. If the IntuneMAMSettings dictionary is not seen in your Info.plist file, you should create a dictionary in your app's Info.plist with the field name "IntuneMAMSettings."

Under the IntuneMAMSettings dictionary, you can add key/value rows of configuration settings to configure the SDK. The table below lists all supported settings.

Some of these settings might have been covered in previous sections, and some do not apply to all apps.

| Setting | Type | Definition | Required? |
|---|---|---|---|
| ADALClientId | String | The app’s Azure AD client identifier. | Required if the app uses ADAL. |
| ADALAuthority | String | The app's Azure AD authority in use. You should use your own environment where AAD accounts have been configured. | Required if the app uses ADAL. If this value is absent, an Intune default is used. |
| ADALRedirectUri | String | The app’s Azure AD redirect URI. | ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL. |
| ADALRedirectScheme | String | The app's Azure AD redirect scheme. This can be used in place of ADALRedirectUri if the application's redirect URI is in the format scheme://bundle_id. | ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL. |
| ADALLogOverrideDisabled | Boolean | Specifies whether the SDK will route all ADAL logs (including ADAL calls from the app, if any) to its own log file. Defaults to NO. Set to YES if the app will set its own ADAL log callback. | Optional. |
| ADALCacheKeychainGroupOverride | String | Specifies the keychain group to use for the ADAL cache, instead of "". Note that this doesn’t have the app-id prefix. That will be prefixed to the provided string at runtime. | Optional. |
| AppGroupIdentifiers | Array of strings | Array of app groups from the app’s entitlements section. | Required if the app uses application groups. |
| ContainingAppBundleId | String | Specifies the bundle ID of the extension’s containing application. | Required for iOS extensions. |
| DebugSettingsEnabled | Boolean | If set to YES, test policies within the Settings bundle can be applied. Applications should not be shipped with this setting enabled. | Optional. |
| | String | This setting should have the application’s main nib file name. | Required if the application defines MainNibFile in Info.plist. |
| | String | This setting should have the application’s main storyboard file name. | Required if the application defines UIMainStoryboardFile in Info.plist. |
| AutoEnrollOnLaunch | Boolean | Specifies whether the app should attempt to automatically enroll on launch if an existing managed identity is detected and it has not yet done so. Defaults to NO. Notes: If no managed identity is found or no valid token for the identity is available in the ADAL cache, the enrollment attempt will silently fail without prompting for credentials, unless the app has also set MAMPolicyRequired to YES. | |
| MAMPolicyRequired | Boolean | Specifies whether the app will be blocked from starting if the app does not have an Intune app protection policy. Defaults to NO. Notes: Apps cannot be submitted to the App Store with MAMPolicyRequired set to YES. When setting MAMPolicyRequired to YES, AutoEnrollOnLaunch should also be set to YES. | |
| MAMPolicyWarnAbsent | Boolean | Specifies whether the app will warn the user during launch if the app does not have an Intune app protection policy. Note: Users will still be allowed to use the app without policy after dismissing the warning. | |
| MultiIdentity | Boolean | Specifies whether the app is multi-identity aware. | Optional. |
| | String | Specifies the Intune splash (startup) icon file. | Optional. |
| SplashDuration | Number | Minimum amount of time, in seconds, that the Intune startup screen will be shown at application launch. Defaults to 1.5. | Optional. |
| BackgroundColor | String | Specifies the background color for the startup and PIN screens. Accepts a hexadecimal RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted. Defaults to light grey. | Optional. |
| ForegroundColor | String | Specifies the foreground color for the startup and PIN screens, like text color. Accepts a hexadecimal RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted. Defaults to black. | Optional. |
| AccentColor | String | Specifies the accent color for the PIN screen, like button text color and box highlight color. Accepts a hexadecimal RGB string in the form of #XXXXXX, where X can range from 0-9 or A-F. The pound sign might be omitted. Defaults to system blue. | Optional. |
| MAMTelemetryDisabled | Boolean | Specifies if the SDK will not send any telemetry data to its back end. | Optional. |
| WebViewHandledURLSchemes | Array of strings | Specifies the URL schemes that your app's WebView handles. | Required if your app uses a WebView that handles URLs via links and/or JavaScript. |


If your app will be released to the App Store, MAMPolicyRequired must be set to "NO," per App Store standards.
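A build-time check for the rules stated in the settings table, as an added example (not part of the SDK or of the original guide): it parses an Info.plist and reports IntuneMAMSettings values the table warns against. It assumes that any ADAL* key means the app uses ADAL and that a top-level NSExtension key marks an app extension; the function names, finding codes and sample plists are constructed for the illustration.

```python
import plistlib
import re

# Setting names and types as listed in the settings table.
BOOL_KEYS = {"ADALLogOverrideDisabled", "DebugSettingsEnabled", "AutoEnrollOnLaunch",
             "MAMPolicyRequired", "MAMPolicyWarnAbsent", "MultiIdentity",
             "MAMTelemetryDisabled"}
STRING_KEYS = {"ADALClientId", "ADALAuthority", "ADALRedirectUri", "ADALRedirectScheme",
               "ADALCacheKeychainGroupOverride", "ContainingAppBundleId",
               "BackgroundColor", "ForegroundColor", "AccentColor"}
ARRAY_KEYS = {"AppGroupIdentifiers", "WebViewHandledURLSchemes"}
COLOR_KEYS = ("BackgroundColor", "ForegroundColor", "AccentColor")
# "#XXXXXX" with an optional pound sign; accepting lowercase a-f is an assumption.
COLOR_RE = re.compile(r"#?[0-9A-Fa-f]{6}")


def type_ok(key, value):
    """Check a value against the Type column; unknown keys are left alone."""
    if key in BOOL_KEYS:
        return isinstance(value, bool)
    if key in STRING_KEYS:
        return isinstance(value, str)
    if key in ARRAY_KEYS:
        return isinstance(value, list) and all(isinstance(v, str) for v in value)
    if key == "SplashDuration":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    return True


def audit_intune_settings(info_plist, shipping=True, app_store=True):
    """Return (code, message) findings for one Info.plist given as bytes."""
    info = plistlib.loads(info_plist)
    settings = info.get("IntuneMAMSettings")
    if not isinstance(settings, dict):
        return [("NO_SETTINGS", "IntuneMAMSettings dictionary is missing")]
    findings = []
    for key, value in settings.items():
        if not type_ok(key, value):
            findings.append(("BAD_TYPE", f"{key} has type {type(value).__name__}"))
    for key in COLOR_KEYS:
        value = settings.get(key)
        if isinstance(value, str) and not COLOR_RE.fullmatch(value):
            findings.append(("BAD_COLOR", f"{key}={value!r} is not hexadecimal RGB"))
    # Assumption: the presence of any ADAL* key means the app uses ADAL.
    if any(key.startswith("ADAL") for key in settings):
        if "ADALClientId" not in settings:
            findings.append(("ADAL_NO_CLIENT_ID", "ADALClientId is required with ADAL"))
        if not (settings.keys() & {"ADALRedirectUri", "ADALRedirectScheme"}):
            findings.append(("ADAL_NO_REDIRECT",
                             "ADALRedirectUri or ADALRedirectScheme is required with ADAL"))
    # Assumption: app extensions carry a top-level NSExtension dictionary.
    if "NSExtension" in info and "ContainingAppBundleId" not in settings:
        findings.append(("EXT_NO_CONTAINER", "ContainingAppBundleId is required for extensions"))
    if shipping and settings.get("DebugSettingsEnabled") is True:
        findings.append(("DEBUG_SHIPPED", "DebugSettingsEnabled must not ship enabled"))
    policy_required = settings.get("MAMPolicyRequired") is True
    if policy_required and app_store:
        findings.append(("POLICY_REQUIRED_APP_STORE",
                         "MAMPolicyRequired must be NO for App Store releases"))
    if policy_required and settings.get("AutoEnrollOnLaunch") is not True:
        findings.append(("POLICY_REQUIRED_NO_AUTOENROLL",
                         "AutoEnrollOnLaunch should be YES when MAMPolicyRequired is YES"))
    return findings


def codes(findings):
    """Sorted, de-duplicated finding codes."""
    return sorted({code for code, _ in findings})


# Constructed sample inputs (not taken from a real app).
SAMPLE_BAD = plistlib.dumps({
    "CFBundleIdentifier": "com.example.notes",
    "IntuneMAMSettings": {
        "ADALClientId": "00000000-0000-0000-0000-000000000000",
        "DebugSettingsEnabled": True,
        "MAMPolicyRequired": True,
        "AutoEnrollOnLaunch": False,
        "BackgroundColor": "#12345G",
        "MultiIdentity": "YES",   # string instead of Boolean
    },
})
SAMPLE_GOOD = plistlib.dumps({
    "CFBundleIdentifier": "com.example.notes",
    "IntuneMAMSettings": {
        "ADALClientId": "00000000-0000-0000-0000-000000000000",
        "ADALRedirectScheme": "examplenotes",
        "MultiIdentity": True,
        "AccentColor": "0A84FF",
        "SplashDuration": 1.5,
    },
})

if __name__ == "__main__":
    for code, message in audit_intune_settings(SAMPLE_BAD):
        print(f"{code}: {message}")
```

Run it against the Info.plist of the built product rather than the source file, so that values substituted at build time are the ones checked.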

Enabling MAM targeted configuration for your iOS applications

MAM targeted configuration allows an app to receive configuration data through the Intune App SDK. The format and variants of this data must be defined and communicated to Intune customers by the application owner/developer. Intune administrators can target and deploy configuration data via the Intune Azure portal. As of the Intune App SDK for iOS (v7.0.1), apps that are participating in MAM targeted configuration can be provided MAM targeted configuration data via the MAM Service. The application configuration data is pushed through our MAM Service directly to the app instead of through the MDM channel. The Intune App SDK provides a class to access the data retrieved from these consoles. Consider the following as prerequisites:

  • The app needs to be MAM-WE enrolled before you access the MAM targeted config UI. For more information about MAM-WE, see App protection policy without device enrollment in the Intune App SDK guide.
  • Include IntuneMAMAppConfigManager.h in your app's source file.
  • Call [[IntuneMAMAppConfig instance] appConfigForIdentity:] to get the App Config Object.
  • Call the appropriate selector on the IntuneMAMAppConfig object. For example, if your application's key is a string, you'd want to use stringValueForKey or allStringsForKey. The IntuneMAMAppConfig.h header file describes the return values and error conditions.

For more information about the capabilities of the Graph API with respect to the MAM targeted configuration values, see Graph API Reference MAM Targeted Config.

For more information about how to create a MAM targeted app configuration policy in iOS, see the section on MAM targeted app config in How to use Microsoft Intune app configuration policies for iOS.


By default, the Intune App SDK for iOS logs telemetry data on the following usage events. This data is sent to Microsoft Intune.

  • App launch: To help Microsoft Intune learn about MAM-enabled app usage by management type (MAM with MDM, MAM without MDM enrollment, and so on).

  • Enrollment calls: To help Microsoft Intune learn about success rate and other performance metrics of enrollment calls initiated from the client side.


If you choose not to send Intune App SDK telemetry data to Microsoft Intune from your mobile application, you must disable Intune App SDK telemetry capture. Set the property MAMTelemetryDisabled to YES in the IntuneMAMSettings dictionary.

Enable multi-identity (optional)

By default, the SDK applies a policy to the app as a whole. Multi-identity is a MAM feature that you can enable to apply a policy on a per-identity level. This requires more app participation than other MAM features.

The app must inform the app SDK when it intends to change the active identity. The SDK also notifies the app when an identity change is required. Currently, only one managed identity is supported. After the user enrolls the device or the app, the SDK uses this identity and considers it the primary managed identity. Other users in the app will be treated as unmanaged with unrestricted policy settings.

Note that an identity is simply defined as a string. Identities are case-insensitive. Requests to the SDK for an identity might not return the same casing that was originally used when the identity was set.

Identity overview

An identity is simply the user name of an account (for example, ). Developers can set the identity of the app on the following levels:

  • Process identity: Sets the process-wide identity and is mainly used for single identity applications. This identity affects all tasks, files, and UI.

  • UI identity: Determines what policies are applied to UI tasks on the main thread, like cut/copy/paste, PIN, authentication, and data sharing. The UI identity does not affect file tasks like encryption and backup.

  • Thread identity: Affects what policies are applied on the current thread. This identity affects all tasks, files, and UI.

The app is responsible for setting the identities appropriately, whether or not the user is managed.

At any time, every thread has an effective identity for UI tasks and file tasks. This is the identity that's used to check what policies, if any, should be applied. If the identity is "no identity" or the user is not managed, no policies will be applied. The diagrams below show how the effective identities are determined.

[Image: Intune App SDK iOS: linked frameworks and libraries]

Thread queues

Apps often dispatch asynchronous and synchronous tasks to thread queues. The SDK intercepts Grand Central Dispatch (GCD) calls and associates the current thread identity with the dispatched tasks. When the tasks are finished, the SDK temporarily changes the thread identity to the identity associated with the tasks, finishes the tasks, then restores the original thread identity.

Because NSOperationQueue is built on top of GCD, NSOperations will run on the identity of the thread at the time the tasks are added to NSOperationQueue. NSOperations or functions dispatched directly through GCD can also change the current thread identity as they are running. This identity will override the identity inherited from the dispatching thread.

File owner

The SDK tracks the identities of local file owners and applies policies accordingly. A file owner is established when a file is created or when a file is opened in truncate mode. The owner is set to the effective file task identity of the thread that's performing the task.

Alternatively, apps can set the file owner identity explicitly by using IntuneMAMFilePolicyManager. Apps can use IntuneMAMFilePolicyManager to retrieve the file owner and set the UI identity before showing the file contents.

Shared data

If the app creates files that have data from both managed and unmanaged users, the app is responsible for encrypting the managed user’s data. You can encrypt data by using the protect and unprotect APIs in IntuneMAMDataProtectionManager.

The protect method accepts an identity that can be a managed or unmanaged user. If the user is managed, the data will be encrypted. If the user is unmanaged, a header will be added to the data that's encoding the identity, but the data will not be encrypted. You can use the protectionInfo method to retrieve the data’s owner.

Share extensions

If the app has a share extension, the owner of the item being shared can be retrieved through the protectionInfoForItemProvider method in IntuneMAMDataProtectionManager. If the shared item is a file, the SDK will handle setting the file owner. If the shared item is data, the app is responsible for setting the file owner if this data is persisted to a file, and for calling the setUIPolicyIdentity API before showing this data in the UI.

Turning on multi-identity

By default, apps are considered single identity. The SDK sets the process identity to the enrolled user. To enable multi-identity support, add a Boolean setting with the name MultiIdentity and a value of YES to the IntuneMAMSettings dictionary in the app's Info.plist file.


When multi-identity is enabled, the process identity, UI identity, and thread identities are set to nil. The app is responsible for setting them appropriately.

Switching identities

  • App-initiated identity switch:

    At launch, multi-identity apps are considered to be running under an unknown, unmanaged account. The conditional launch UI will not run, and no policies will be enforced on the app. The app is responsible for notifying the SDK whenever the identity should be changed. Typically, this will happen whenever the app is about to show data for a specific user account.

    An example is when the user attempts to open a document, a mailbox, or a tab in a notebook. The app needs to notify the SDK before the file, mailbox, or tab is actually opened. This is done through the setUIPolicyIdentity API in IntuneMAMPolicyManager. This API should be called whether or not the user is managed. If the user is managed, the SDK will perform the conditional launch checks, like jailbreak detection, PIN, and authentication.

    The result of the identity switch is returned to the app asynchronously through a completion handler. The app should postpone opening the document, mailbox, or tab until a success result code is returned. If the identity switch failed, the app should cancel the task.

  • SDK-initiated identity switch:

    Sometimes, the SDK needs to ask the app to switch to a specific identity. Multi-identity apps must implement the identitySwitchRequired method in IntuneMAMPolicyDelegate to handle this request.

    When this method is called, if the app can handle the request to switch to the specified identity, it should pass IntuneMAMAddIdentityResultSuccess into the completion handler. If it can't handle switching the identity, the app should pass IntuneMAMAddIdentityResultFailed into the completion handler.

    The app does not have to call setUIPolicyIdentity in response to this call. If the SDK needs the app to switch to an unmanaged user account, the empty string will be passed into the identitySwitchRequired call.

  • Selective wipe:

    When the app is selectively wiped, the SDK will call the wipeDataForAccount method in IntuneMAMPolicyDelegate. The app is responsible for removing the specified user’s account and any data associated with it. The SDK is capable of removing all files owned by the user and will do so if the app returns FALSE from the wipeDataForAccount call.

    Note that this method is called from a background thread. The app should not return a value until all data for the user has been removed (with the exception of files if the app returns FALSE).

Test app protection policy settings in Xcode

Before you manually test your Intune-enlightened app in production, you can use a Settings.bundle file while in Xcode. This will let you set app protection policies for testing without requiring a connection to Intune.

Enable policy testing

Follow the steps below to enable policy testing in Xcode:

  1. Make sure you are in a debug build. Add a Settings.bundle file by right-clicking the top-level folder in your project. Choose Add > New File from the menu. Under Resources, choose the Settings Bundle template.

  2. Copy the following block to the Settings.bundle/Root.plist file for the debug build:

            <string>MDM Debug Settings</string>

  3. In the IntuneMAMSettings dictionary in the app's Info.plist, add a Boolean called "DebugSettingsEnabled." Set the value of DebugSettingsEnabled to "YES."

App protection policy settings

The table below describes the app protection policy settings that you can test using MAMDebugSettings.plist. To turn on a setting, add it in MAMDebugSettings.plist.

| Policy setting name | Description | Possible values |
|---|---|---|
| AccessRecheckOfflineTimeout | The length of time in minutes the app can be offline before Intune blocks the app from launching or resuming if authentication is enabled. | Any integer greater than 0 |
| AccessRecheckOnlineTimeout | The length of time in minutes the app can run before the user is prompted for PIN or authentication at launch or resume (if authentication or PIN for access is enabled). | Any integer greater than 0 |
| AppSharingFromLevel | Specifies which apps this app can accept data from. | 0 = |

iOS best practices

Here are recommended best practices for developing for iOS:

  • The iOS file system is case-sensitive. Ensure that the case is correct for file names like libIntuneMAM.a and IntuneMAMResources.bundle.

  • If Xcode has trouble finding libIntuneMAM.a, you can fix the problem by adding the path to this library into the linker search paths.


Are all of the APIs addressable through native Swift or the Objective-C and Swift interoperability?

The Intune App SDK APIs are in Objective-C only and do not support native Swift. Swift interoperability with Objective-C is required.

Do all users of my application need to be registered with the APP-WE service?

No. In fact, only work or school accounts should be registered with the Intune App SDK. Apps are responsible for determining if an account is used in a work or school context.

What about users that have already signed in to the application? Do they need to be enrolled?

The application is responsible for enrolling users after they have been successfully authenticated. The application is also responsible for enrolling any existing accounts that might have been present before the application had MDM-less MAM functionality.

To do this, the application should make use of the registeredAccounts: method. This method returns an NSDictionary that has all of the accounts registered into the Intune MAM service. If any existing accounts in the application are not in the list, the application should register and enroll those accounts via registerAndEnrollAccount:.

How often does the SDK retry enrollments?

The SDK will automatically retry all previously failed enrollments on a 24-hour interval. The SDK does this to ensure that if a user’s organization enabled MAM after the user signed in to the application, the user will successfully enroll and receive policies.

The SDK will stop retrying when it detects that a user has successfully enrolled the application. This is because only one user can enroll an application at a particular time. If the user is unenrolled, the retries will begin again on the same 24-hour interval.

Why does the user need to be deregistered?

The SDK will take these actions in the background periodically:

  • If the application is not yet enrolled, it will try to enroll all registered accounts every 24 hours.
  • If the application is enrolled, the SDK will check for app protection policy updates every 8 hours.

Deregistering a user notifies the SDK that the user will no longer use the application, and the SDK can stop any of the periodic events for that user account. It also triggers an app unenroll and selective wipe if necessary.

Should I set the doWipe flag to true in the deregister method?

This method should be called before the user is signed out of the application. If the user’s data is deleted from the application as part of the sign-out, doWipe can be set to false. But if the application does not remove the user’s data, doWipe should be set to true so that the SDK can delete the data.

Are there any other ways that an application can be un-enrolled?

Yes, the IT admin can send a selective wipe command to the application. This will deregister and unenroll the user, and it will wipe the user’s data. The SDK automatically handles this scenario and sends a notification via the unenroll delegate method.

Submit your app to the App Store

Both the static library and framework builds of the Intune App SDK are universal binaries. This means they have code for all device and simulator architectures. Apple will reject apps submitted to the App Store if they have simulator code. When compiling against the static library for device-only builds, the linker will automatically strip out the simulator code. Follow the steps below to ensure all simulator code is removed before you upload your app to the App Store.

  1. Make sure IntuneMAM.framework is on your desktop.

  2. Run these commands:

    lipo ~/Desktop/IntuneMAM.framework/IntuneMAM -remove i386 -remove x86_64 -output ~/Desktop/IntuneMAM.device_only
    cp ~/Desktop/IntuneMAM.device_only ~/Desktop/IntuneMAM.framework/IntuneMAM

    The first command strips the simulator architectures from the framework's DYLIB file. The second command copies the device-only DYLIB file back into the framework directory.
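To confirm the result of the lipo step before upload, the following added example (not from the original guide or the SDK) reads the architecture list from a binary's fat or thin Mach-O header and reports any i386 or x86_64 slices that remain. The function names are hypothetical and the sample headers are constructed for the illustration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE       # universal (fat) header, stored big-endian
FAT_MAGIC_64 = 0xCAFEBABF    # fat header with 64-bit offsets
MH_MAGIC = 0xFEEDFACE        # thin 32-bit Mach-O, little-endian on these CPUs
MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit Mach-O

CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
SIMULATOR_ARCHS = {"i386", "x86_64"}   # the slices the lipo command removes


def cpu_name(cputype):
    return CPU_NAMES.get(cputype, f"cputype {cputype:#x}")


def list_architectures(data):
    """Return the architecture names found in a fat or thin Mach-O header."""
    if len(data) < 8:
        raise ValueError("file too short for a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        count = struct.unpack(">I", data[4:8])[0]
        # fat_arch: cputype, cpusubtype, offset, size, align (+ reserved in 64-bit form)
        entry = ">iiIII" if magic == FAT_MAGIC else ">iiQQII"
        size = struct.calcsize(entry)
        if 8 + count * size > len(data):
            raise ValueError("truncated fat header")
        return [cpu_name(struct.unpack_from(entry, data, 8 + i * size)[0])
                for i in range(count)]
    if struct.unpack("<I", data[:4])[0] in (MH_MAGIC, MH_MAGIC_64):
        # Thin binary: cputype follows the magic in the mach_header.
        return [cpu_name(struct.unpack_from("<i", data, 4)[0])]
    raise ValueError("not a Mach-O or fat binary")


def simulator_slices(data):
    """Architectures that must not be present in an App Store upload."""
    return [arch for arch in list_architectures(data) if arch in SIMULATOR_ARCHS]


def build_fat_header(cputypes):
    """Constructed sample: a fat header with no slice contents behind it."""
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for index, cputype in enumerate(cputypes):
        out += struct.pack(">iiIII", cputype, 0, 4096 * (index + 1), 0, 12)
    return out


# Constructed samples: a universal build, the same build after the lipo step,
# and a thin arm64 binary.
SAMPLE_UNIVERSAL = build_fat_header([12, 0x0100000C, 7, 0x01000007])
SAMPLE_DEVICE_ONLY = build_fat_header([12, 0x0100000C])
SAMPLE_THIN_ARM64 = struct.pack("<Ii", MH_MAGIC_64, 0x0100000C) + bytes(24)

if __name__ == "__main__":
    for name, blob in (("universal", SAMPLE_UNIVERSAL), ("device only", SAMPLE_DEVICE_ONLY)):
        print(name, list_architectures(blob), "simulator:", simulator_slices(blob))
```

In a release pipeline, pass the bytes of IntuneMAM.framework/IntuneMAM (reading the first 4 KB is enough for the header) and fail the build when simulator_slices returns a non-empty list.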