Microsoft Intune App SDK for iOS developer guide

Note

Consider reading the Get Started with Intune App SDK Guide article, which explains how to prepare for integration on each supported platform.

The Microsoft Intune App SDK for iOS lets you incorporate Intune app protection policies (also known as APP or MAM policies) into your native iOS app. A MAM-enabled application is one that is integrated with the Intune App SDK. IT administrators can deploy app protection policies to your mobile app when Intune actively manages the app.

Prerequisites

  • You will need a Mac OS computer that runs OS X 10.8.5 or later and has Xcode 9 or later installed.

  • Your app must target iOS 9.3.5 or later.

  • Review the Intune App SDK for iOS License Terms. Print and retain a copy of the license terms for your records. By downloading and using the Intune App SDK for iOS, you agree to those license terms. If you do not accept them, do not use the software.

  • Download the files for the Intune App SDK for iOS from GitHub.

What's in the SDK

The Intune App SDK for iOS includes a static library, resource files, API headers, a debug settings .plist file, and a configurator tool. For most policy enforcement, a mobile app only needs to include the resource files and statically link to the library. Advanced Intune MAM features are enforced through APIs.

This guide covers the use of the following components of the Intune App SDK for iOS:

  • libIntuneMAM.a: The Intune App SDK static library. If your app does not use extensions, link this library to your project to enable your app for Intune mobile application management.

  • IntuneMAM.framework: The Intune App SDK framework. Link this framework to your project to enable your app for Intune mobile application management. Use the framework instead of the static library if your app uses extensions, so that your project does not create multiple copies of the static library.

  • IntuneMAMResources.bundle: A resource bundle containing the resources that the SDK relies on.

  • Headers: Expose the Intune App SDK APIs. If you use an API, you will need to include the header file that contains it. The following header files contain the APIs, data types, and protocols that the Intune App SDK makes available to developers:

    • IntuneMAMAppConfig.h
    • IntuneMAMAppConfigManager.h
    • IntuneMAMDataProtectionInfo.h
    • IntuneMAMDataProtectionManager.h
    • IntuneMAMDefs.h
    • IntuneMAMEnrollmentDelegate.h
    • IntuneMAMEnrollmentManager.h
    • IntuneMAMEnrollmentStatus.h
    • IntuneMAMFileProtectionInfo.h
    • IntuneMAMFileProtectionManager.h
    • IntuneMAMLogger.h
    • IntuneMAMPolicy.h
    • IntuneMAMPolicyDelegate.h
    • IntuneMAMPolicyManager.h
    • IntuneMAMVersionInfo.h

Developers can make the contents of all the above headers available by importing just IntuneMAM.h.

How the Intune App SDK works

The objective of the Intune App SDK for iOS is to add management capabilities to iOS applications with minimal code changes. The fewer the code changes, the shorter the time to market, without affecting the consistency and stability of your mobile application.

Build the SDK into your mobile app

To enable the Intune App SDK, follow these steps:

  1. Option 1 (recommended): Link IntuneMAM.framework to your project. Drag IntuneMAM.framework to the Embedded Binaries list of the project target.

    Note

    If you use the framework, you must manually strip the simulator architectures out of the universal framework before you submit your app to the App Store. See Submit your app to the App Store for details.

    Option 2: Link to the libIntuneMAM.a library. Drag the libIntuneMAM.a library to the Linked Frameworks and Libraries list of the project target.

    Intune App SDK iOS: Linked Frameworks and Libraries

    Add -force_load {PATH_TO_LIB}/libIntuneMAM.a to either of the following, replacing {PATH_TO_LIB} with the Intune App SDK location:

    • The project's OTHER_LDFLAGS build configuration setting

    • The Xcode UI's Other Linker Flags

      Note

      To find PATH_TO_LIB, select the libIntuneMAM.a file and choose Get Info from the File menu. Copy and paste the Where information (the path) from the General section of the Info window.

      Add the IntuneMAMResources.bundle resource bundle to the project by dragging it under Copy Bundle Resources within Build Phases.

      Intune App SDK iOS: Copy Bundle Resources

  2. Add these iOS frameworks to the project:

    • MessageUI.framework
    • Security.framework
    • MobileCoreServices.framework
    • SystemConfiguration.framework
    • libsqlite3.tbd
    • libc++.tbd
    • ImageIO.framework
    • LocalAuthentication.framework
    • AudioToolbox.framework
    • QuartzCore.framework
    • WebKit.framework
  3. Enable keychain sharing (if it isn't already enabled) by choosing Capabilities in each project target and turning on the Keychain Sharing switch. Keychain sharing is required before you can proceed to the next step.

    Note

    Your provisioning profile must allow the new keychain sharing values: its keychain access groups entitlement should contain a wildcard. You can check this by opening the .mobileprovision file in a text editor, searching for keychain-access-groups, and confirming that a wildcard is present. For example:

    <key>keychain-access-groups</key>
    <array>
    <string>YOURBUNDLESEEDID.*</string>
    </array>
    
  4. After you enable keychain sharing, follow these steps to create a separate access group in which the Intune App SDK will store its data. You can create a keychain access group either in the Xcode UI or in the entitlements file. If you are using the UI, make sure to follow these steps:

    1. If your mobile app does not have any keychain access groups defined, add the app's bundle ID as the first group.

    2. Add the shared keychain group com.microsoft.intune.mam to your existing access groups. The Intune App SDK uses this access group to store its data.

    3. Add com.microsoft.adalcache to your existing access groups.

      Intune App SDK iOS: Keychain Sharing

    4. If you are editing the entitlements file directly rather than using the Xcode UI shown above, prepend $(AppIdentifierPrefix) to each keychain access group (Xcode does this automatically when you use the UI). For example:

       * `$(AppIdentifierPrefix)com.microsoft.intune.mam`
       * `$(AppIdentifierPrefix)com.microsoft.adalcache`
      

      Note

      An entitlements file is an XML file that is unique to your mobile application. It is used to specify special permissions and capabilities in your iOS app. If your app did not previously have an entitlements file, enabling keychain sharing (step 3) should have caused Xcode to generate one for your app.
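      What the resulting entitlement looks like once step 4 is done, as an added illustration rather than a file from this guide. The SDK's two groups are real; `com.example.mamapp` is a hypothetical bundle ID standing in for your own.

```xml
<!-- Added illustration: keychain-access-groups in the app's .entitlements file -->
<key>keychain-access-groups</key>
<array>
    <!-- The app's own group first (hypothetical bundle ID) -->
    <string>$(AppIdentifierPrefix)com.example.mamapp</string>
    <!-- Where the Intune App SDK stores its data -->
    <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
    <!-- ADAL token cache shared with other apps from the same team -->
    <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
</array>
```

      Every app signed with the same team prefix that lists one of these groups can read the items stored in it. That is what makes single sign-on across your apps work, and it is also why the wildcard keychain-access-groups entitlement in the provisioning profile (step 3) has to cover these groups, otherwise code signing rejects the app.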

  5. Include each URL scheme that your app passes to UIApplication canOpenURL in the LSApplicationQueriesSchemes array of your app's Info.plist file. Be sure to save your changes before proceeding to the next step.

  6. Use the IntuneMAMConfigurator tool included in the SDK repo to finish configuring your app's Info.plist. The tool takes three parameters:

    | Parameter | How to use it |
    |---|---|
    | -i | <Path to the input plist> |
    | -e | <Path to the entitlements file> |
    | -o | (Optional) <Path to the output plist> |

If the -o parameter is not specified, the input file is modified in place. The tool is idempotent and should be rerun whenever the app's Info.plist or entitlements change. You should also download and run the latest version of the tool when you update the Intune SDK, in case the Info.plist configuration requirements have changed in the latest release.

Note

If your app does not already use Face ID, make sure the NSFaceIDUsageDescription Info.plist key is set to a default message. iOS requires this so it can tell the user how the app intends to use Face ID. An Intune app protection policy setting, when configured by the IT admin, allows Face ID to be used as the method for app access.

Configure Azure Active Directory Authentication Library (ADAL)

The Intune App SDK uses the Azure Active Directory Authentication Library (ADAL) for its authentication and conditional launch scenarios. It also relies on ADAL to register the user identity with the MAM service for management-without-device-enrollment scenarios.

Typically, ADAL requires apps to register with Azure Active Directory (AAD) and obtain a unique ID (the client ID) and other identifiers, to guarantee the security of the tokens granted to the app. Unless otherwise specified, the Intune App SDK uses default registration values when it contacts Azure AD.

If your app already uses ADAL to authenticate users, the app must use its existing registration values and override the Intune App SDK defaults. This ensures that users are not prompted for authentication twice (once by the Intune App SDK and once by the app).

Recommendations

It is recommended that your app link to the latest version of ADAL on its master branch. The Intune App SDK currently uses the broker branch of ADAL to support apps that require conditional access (these apps therefore depend on the Microsoft Authenticator app), but the SDK remains compatible with the master branch of ADAL. Use the branch that is appropriate for your app.

Follow the steps below to link your app to the ADAL binaries:

  1. Download the Azure Active Directory Authentication Library (ADAL) for Objective-C from GitHub, then follow the instructions on how to download ADAL using Git submodules or CocoaPods.

  2. Add the ADAL framework (option 1) or static library (option 2) to your project:

    Option 1 (recommended): Drag ADAL.framework to the Embedded Binaries list of the project target.

    Option 2: Drag the libADALiOS.a library to the Linked Frameworks and Libraries list of the project target. Add -force_load {PATH_TO_LIB}/libADALiOS.a to the project's OTHER_LDFLAGS build configuration setting or to Other Linker Flags in the Xcode UI, replacing PATH_TO_LIB with the location of the ADAL binaries.

Share the ADAL token cache with other apps signed with the same provisioning profile?

Follow the instructions below if you want to share ADAL tokens between apps signed with the same provisioning profile:

  1. If your app does not have any keychain access groups defined, add the app's bundle ID as the first group.

  2. Enable ADAL single sign-on (SSO) by adding com.microsoft.adalcache to the keychain access groups.

  3. If you want to specify a custom keychain group in place of com.microsoft.adalcache, specify it in the Info.plist file under IntuneMAMSettings, using the key ADALCacheKeychainGroupOverride.

Configure ADAL settings for the Intune App SDK

If your app already uses ADAL for authentication and has its own ADAL settings, you can make the Intune App SDK use the same settings when it authenticates against Azure Active Directory. This ensures that the app does not double-prompt the user for authentication. See Configure settings for the Intune App SDK for information on populating the following settings:

  • ADALClientId
  • ADALAuthority
  • ADALRedirectUri
  • ADALRedirectScheme
  • ADALCacheKeychainGroupOverride

If your app already uses ADAL, the following configuration is required:

  1. In the project's Info.plist file, under the IntuneMAMSettings dictionary, specify the client ID to be used for ADAL calls with the key name ADALClientId.

  2. Also under the IntuneMAMSettings dictionary, specify the Azure AD authority with the key name ADALAuthority.

  3. Also under the IntuneMAMSettings dictionary, specify the redirect URI to be used for ADAL calls with the key name ADALRedirectUri. Alternatively, you can specify ADALRedirectScheme instead, if the application's redirect URI is in the format scheme://bundle_id.
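Put together in Info.plist, the static settings from steps 1 to 3 look like the fragment below. This is an added illustration, not a fragment from this guide: the client ID placeholder, the `msauth-mamapp` scheme and the `com.example.mamapp` bundle ID are hypothetical, and `https://login.microsoftonline.com/common` stands in for the authority of your own tenant.

```xml
<!-- Added illustration: IntuneMAMSettings in the app's Info.plist -->
<key>IntuneMAMSettings</key>
<dict>
    <!-- Must match the AAD app registration the app itself uses with ADAL,
         otherwise the SDK falls back to its own registration and the user
         is prompted to sign in a second time. -->
    <key>ADALClientId</key>
    <string>YOUR_AAD_APPLICATION_CLIENT_ID</string>
    <key>ADALAuthority</key>
    <string>https://login.microsoftonline.com/common</string>
    <!-- Either ADALRedirectUri or ADALRedirectScheme. With the scheme form the
         SDK derives the redirect URI as msauth-mamapp://com.example.mamapp -->
    <key>ADALRedirectScheme</key>
    <string>msauth-mamapp</string>
</dict>
```

Rerun IntuneMAMConfigurator after adding or changing these keys, as step 6 of the build section requires, and keep the three values identical to those the app passes to ADAL at runtime.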

Additionally, apps can override these Azure AD settings at runtime. To do this, set the aadAuthorityUriOverride, aadClientIdOverride, and aadRedirectUriOverride properties on the IntuneMAMPolicyManager instance.

Note

The Info.plist approach is recommended for all settings that are static and do not need to be determined at runtime. Values assigned to the IntuneMAMPolicyManager properties take precedence over the corresponding values specified in the Info.plist, and they persist even after the app is restarted. The SDK continues to use them for policy check-ins until the user is unenrolled or the values are cleared or changed.

If your app does not use ADAL

If your app does not use ADAL, the Intune App SDK provides default values for the ADAL parameters and handles authentication against Azure AD itself. You do not have to specify any values for the ADAL settings listed above.

Receiving app protection policy

Overview

To receive Intune app protection policy, apps must initiate an enrollment request with the Intune MAM service. Apps can be configured in the Intune console to receive app protection policy with or without device enrollment. App protection policy without enrollment, also known as APP-WE or MAM-WE, allows apps to be managed by Intune without the device being enrolled in Intune mobile device management (MDM). In both cases, enrolling with the Intune MAM service is required to receive policy.

Apps that use ADAL

Apps that already use ADAL should call the registerAndEnrollAccount method on the IntuneMAMEnrollmentManager instance after the user has been successfully authenticated:

/*
 *  This method will add the account to the list of registered accounts.
 *  An enrollment request will immediately be started.
 *  @param identity The UPN of the account to be registered with the SDK
 */
- (void)registerAndEnrollAccount:(NSString *)identity;

By calling the registerAndEnrollAccount method, the SDK registers the user account and attempts to enroll the app on behalf of this account. If the enrollment fails for any reason, the SDK automatically retries the enrollment 24 hours later. For debugging purposes, the app can receive notifications about the results of any enrollment requests via a delegate.

After this API has been invoked, the app can continue to function as normal. If the enrollment succeeds, the SDK notifies the user that an app restart is required, and the user can restart the app immediately.

[[IntuneMAMEnrollmentManager instance] registerAndEnrollAccount:@"user@foo.com"];

Apps that do not use ADAL

Apps that do not sign in the user with ADAL can still receive app protection policy from the Intune MAM service by calling an API that lets the SDK handle that authentication. Apps should use this technique when they have not authenticated a user with Azure AD but still need to retrieve app protection policy to help protect data, for example when another authentication service is used for app sign-in, or when the app does not support signing in at all. To do this, the application should call the loginAndEnrollAccount method on the IntuneMAMEnrollmentManager instance:

/**
 *  Creates an enrollment request which is started immediately.
 *  If no token can be retrieved for the identity, the user will be prompted
 *  to enter their credentials, after which enrollment will be retried.
 *  @param identity The UPN of the account to be logged in and enrolled.
 */
- (void)loginAndEnrollAccount:(NSString *)identity;

By calling this method, the SDK prompts the user for credentials if no existing token can be found, and then tries to enroll the app with the Intune MAM service on behalf of the supplied user account. The method can be called with nil as the identity; in that case, the SDK enrolls with the existing managed user on the device (in the MDM case), or prompts the user for a user name if no existing user is found.

If the enrollment fails, the app should consider calling this API again at a later time, depending on the details of the failure. The app can receive notifications about the results of any enrollment requests via a delegate.

After this API has been invoked, the app can continue functioning as normal. If the enrollment succeeds, the SDK notifies the user that an app restart is required.

Example:

[[IntuneMAMEnrollmentManager instance] loginAndEnrollAccount:@"user@foo.com"];

Deregister user accounts

Before a user is signed out of an app, the app should deregister the user from the SDK. This ensures that:

  1. Enrollment retries no longer happen for the user's account.

  2. App protection policy is removed.

  3. If the app initiates a selective wipe (optional), any corporate data is deleted.

Before the user is signed out, the app should call the following method on the IntuneMAMEnrollmentManager instance:

/*
 *  This method will remove the provided account from the list of
 *  registered accounts.  Once removed, if the account has enrolled
 *  the application, the account will be un-enrolled.
 *  @note In the case where an un-enroll is required, this method will block
 *  until the Intune MAM AAD token is acquired, then return.  This method must be called before
 *  the user is removed from the application (so that required AAD tokens are not purged
 *  before this method is called).
 *  @param identity The UPN of the account to be removed.
 *  @param doWipe   If YES, a selective wipe is performed if the account is un-enrolled
 */
- (void)deRegisterAndUnenrollAccount:(NSString *)identity withWipe:(BOOL)doWipe;

This method must be called before the user account's Azure AD tokens are deleted, because the SDK needs those tokens to make specific requests to the Intune MAM service on behalf of the user.

If the app will delete the user's corporate data on its own, the doWipe flag can be set to NO. Otherwise, the app can have the SDK initiate a selective wipe, which results in a call to the app's selective wipe delegate.

Example:

[[IntuneMAMEnrollmentManager instance] deRegisterAndUnenrollAccount:@"user@foo.com" withWipe:YES];

Status, result, and debug notifications

The app can receive status, result, and debug notifications about the following requests to the Intune MAM service:

  • Enrollment requests
  • Policy update requests
  • Unenrollment requests

The notifications are delivered through delegate methods declared in Headers/IntuneMAMEnrollmentDelegate.h:

/**
 *  Called when an enrollment request operation is completed.
 *  @param status status object containing debug information
 */
- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

/**
 *  Called when a MAM policy request operation is completed.
 *  @param status status object containing debug information
 */
- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

/**
 *  Called when an un-enroll request operation is completed.
 *  @note when a user is un-enrolled, the user is also de-registered with the SDK
 *  @param status status object containing debug information
 */
- (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status;

These delegate methods receive an IntuneMAMEnrollmentStatus object that carries the following information:

  • The identity of the account associated with the request
  • A status code that indicates the result of the request
  • An error string with a description of the status code
  • An NSError object

This object is defined in IntuneMAMEnrollmentStatus.h, along with the specific status codes that can be returned.

Sample code

These are example implementations of the delegate methods:

- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    // statusCode is an integer enum; cast to long to match the %ld specifier
    NSLog(@"enrollment result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}

- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"policy check-in result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}

- (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"un-enroll result for identity %@ with status code %ld", status.identity, (long)status.statusCode);
    NSLog(@"Debug Message: %@", status.errorString);
}

App restart

When an app receives app protection policy for the first time, it must restart to apply the required hooks. To notify the app that a restart is needed, the SDK provides a delegate method in Headers/IntuneMAMPolicyDelegate.h:

- (BOOL)restartApplication;

The return value of this method tells the SDK whether the application will handle the required restart itself:

  • If YES (true) is returned, the application must handle the restart.

  • If NO (false) is returned, the SDK restarts the application after this method returns. The SDK immediately shows a dialog box that tells the user to restart the application.
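How the pieces above fit together (registration after ADAL sign-in, deregistration before sign-out, the enrollment delegate, and the restart and selective-wipe policy delegate) is shown in the following coordinator. This is an added example, not code from the SDK or from this guide. It assumes, as declared in the SDK headers, the delegate property on both managers, the IntuneMAMEnrollmentStatusSucceeded status code and the error property of IntuneMAMEnrollmentStatus, and the wipeDataForAccount: method of IntuneMAMPolicyDelegate; clearAdalCacheForAccount:, flushUnsavedState and removeLocalDataForAccount: are hypothetical app-side helpers.

```objectivec
// Added example (not SDK or guide code): one object that owns the Intune
// enrollment lifecycle for an app that signs users in with ADAL.
#import <Foundation/Foundation.h>
#import <IntuneMAM/IntuneMAM.h>   // "IntuneMAM.h" if you link libIntuneMAM.a

@interface MAMEnrollmentCoordinator : NSObject <IntuneMAMEnrollmentDelegate, IntuneMAMPolicyDelegate>
+ (instancetype)shared;
- (void)userDidSignInWithUPN:(NSString *)upn;   // call once ADAL sign-in succeeds
- (void)userWillSignOutWithUPN:(NSString *)upn; // call BEFORE purging AAD tokens
@end

@implementation MAMEnrollmentCoordinator

+ (instancetype)shared
{
    static MAMEnrollmentCoordinator *coordinator;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        coordinator = [[MAMEnrollmentCoordinator alloc] init];
        // The singleton keeps the delegate alive; do not rely on the managers to retain it.
        [IntuneMAMEnrollmentManager instance].delegate = coordinator;
        [IntuneMAMPolicyManager instance].delegate = coordinator;
    });
    return coordinator;
}

- (void)userDidSignInWithUPN:(NSString *)upn
{
    // The app already holds an AAD token for this UPN, so the SDK enrolls
    // without a second prompt. On failure it retries after 24 hours; the
    // delegate methods below report each outcome.
    [[IntuneMAMEnrollmentManager instance] registerAndEnrollAccount:upn];
}

- (void)userWillSignOutWithUPN:(NSString *)upn
{
    // Order matters: un-enrollment needs the account's AAD token, so
    // deregister first (this blocks until that token is acquired) and only
    // then purge the token cache. withWipe:YES makes the SDK drive a
    // selective wipe through -wipeDataForAccount: below.
    [[IntuneMAMEnrollmentManager instance] deRegisterAndUnenrollAccount:upn withWipe:YES];
    [self clearAdalCacheForAccount:upn];
}

// IntuneMAMEnrollmentDelegate

- (void)enrollmentRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    if (status.statusCode == IntuneMAMEnrollmentStatusSucceeded) {
        // Policy is available; the SDK will now ask for a restart so that
        // its hooks get installed (see -restartApplication).
        NSLog(@"Enrolled %@", status.identity);
        return;
    }
    NSLog(@"Enrollment for %@ failed (%ld): %@ %@", status.identity,
          (long)status.statusCode, status.errorString, status.error);
}

- (void)policyRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    NSLog(@"Policy check-in for %@: %ld", status.identity, (long)status.statusCode);
}

- (void)unenrollRequestWithStatus:(IntuneMAMEnrollmentStatus *)status
{
    // The account is also deregistered from the SDK once this fires.
    NSLog(@"Un-enroll for %@: %ld", status.identity, (long)status.statusCode);
}

// IntuneMAMPolicyDelegate

- (BOOL)restartApplication
{
    // NO: the SDK shows its restart dialog and relaunches the app after this
    // returns. Return YES only if the app terminates itself. Persist first.
    [self flushUnsavedState];
    return NO;
}

- (BOOL)wipeDataForAccount:(NSString *)upn
{
    // Selective wipe (from withWipe:YES above or from the IT admin): remove
    // everything stored for this UPN and report the real result.
    return [self removeLocalDataForAccount:upn];
}

// Hypothetical app-side helpers (not SDK APIs)

- (void)clearAdalCacheForAccount:(NSString *)upn { /* purge ADAL tokens for upn */ }
- (void)flushUnsavedState { /* persist in-flight edits */ }

- (BOOL)removeLocalDataForAccount:(NSString *)upn
{
    // Example layout: one directory per UPN under Application Support.
    NSFileManager *fm = [NSFileManager defaultManager];
    NSURL *base = [fm URLForDirectory:NSApplicationSupportDirectory inDomain:NSUserDomainMask
                    appropriateForURL:nil create:NO error:NULL];
    NSError *err = nil;
    BOOL removed = [fm removeItemAtURL:[base URLByAppendingPathComponent:upn isDirectory:YES] error:&err];
    return removed || err.code == NSFileNoSuchFileError; // nothing to wipe counts as success
}

@end
```

Call [MAMEnrollmentCoordinator shared] once at launch so the delegates are wired before any enrollment or policy callback can fire, then call userDidSignInWithUPN: from the ADAL completion handler and userWillSignOutWithUPN: from the sign-out path before the app touches its token cache. Logging the status object is a debugging aid; the identity it contains is a UPN, so keep those lines out of release builds or analytics.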

Customize your app's behavior

The Intune App SDK has several APIs you can call to get information about the Intune app protection policy deployed to the app. You can use this data to customize your app's behavior. Most app protection policy settings are enforced automatically by the SDK rather than by the application. The only setting that the app itself must implement is the save-as control.

Get app protection policy

IntuneMAMPolicyManager.h

The IntuneMAMPolicyManager class exposes the Intune app protection policy deployed to the application. Notably, it exposes APIs that are useful for enabling multi-identity.

IntuneMAMPolicy.h

The IntuneMAMPolicy class exposes the Intune app protection policy deployed to the application. Most of the policy settings exposed in this class are enforced by the SDK, but you can always customize your app's behavior based on how the policy settings are enforced.

This class exposes the APIs needed to implement save-as controls, detailed in the next section.

Implement save-as controls

Intune lets IT admins select which storage locations a managed app can save data to. Apps can query the Intune App SDK for the allowed storage locations by using the isSaveToAllowedForLocation API, defined in IntuneMAMPolicy.h.

應用程式必須先向 isSaveToAllowedForLocation API 查詢,確認 IT 系統管理員是否允許將資料另存於其他位置,才能將受管理的資料儲存到雲端儲存體或本機位置。Before apps can save managed data to a cloud-storage or local location, they must check with the isSaveToAllowedForLocation API to know if the IT admin has allowed data to be saved there.

當應用程式使用 isSaveToAllowedForLocation API 時,必須傳遞儲存位置的 UPN (如有使用)。When apps use the isSaveToAllowedForLocation API, they must pass in the UPN for the storage location, if it is available.

支援的儲存位置Supported save locations

IsSaveToAllowedForLocation API 提供常數以確認 IT 系統管理員是否可將資料儲存到 IntuneMAMPolicy.h 中定義的下列位置:The isSaveToAllowedForLocation API provides constants to check whether the IT admin permits data to be saved to the following locations defined in IntuneMAMPolicy.h:

  • IntuneMAMSaveLocationOtherIntuneMAMSaveLocationOther
  • IntuneMAMSaveLocationOneDriveForBusinessIntuneMAMSaveLocationOneDriveForBusiness
  • IntuneMAMSaveLocationSharePointIntuneMAMSaveLocationSharePoint
  • IntuneMAMSaveLocationLocalDriveIntuneMAMSaveLocationLocalDrive

應用程式應使用 isSaveToAllowedForLocation API 的常數確認是否可以將資料另存於其他被視為「受管理」(例如商務用 OneDrive) 或「個人」的位置。Apps should use the constants in the isSaveToAllowedForLocation API to check if data can be saved to locations considered "managed," like OneDrive for Business, or "personal." 此外,當應用程式無法確認位置為「受管理」或「個人」的位置時,也應使用 API。Additionally, the API should be used when the app can't check whether a location is "managed" or "personal."

已知為「個人」的位置會以 IntuneMAMSaveLocationOther 常數代表。Locations known to be "personal" are represented by the IntuneMAMSaveLocationOther constant.

若應用程式會將資料儲存到本機裝置上的任何位置,則應使用 IntuneMAMSaveLocationLocalDrive 常數。The IntuneMAMSaveLocationLocalDrive constant should be used when the app is saving data to any location on the local device.
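The following is an added example, not code from the Intune App SDK or its documentation, showing how an app gates its own save path on the admin's save-to policy before any managed bytes are written. It assumes the selector form isSaveToAllowedForLocation:withAccountName: and the IntuneMAMSaveLocation enum from IntuneMAMPolicy.h, and that a nil policy object means no policy is deployed; AppSaveTarget, MAMLocationForTarget, AppMayPersistManagedData and SaveDocumentToURL are hypothetical names belonging to the app.

```objective-c
// Added example: gate a "save" action on the admin's save-to policy.
// Assumed from IntuneMAMPolicy.h: -[IntuneMAMPolicy isSaveToAllowedForLocation:withAccountName:]
// and the IntuneMAMSaveLocation enum; verify both against your SDK's header.
#import <Foundation/Foundation.h>
#import "IntuneMAMPolicy.h"
#import "IntuneMAMPolicyManager.h"

// Hypothetical app-level notion of where a document is going.
typedef NS_ENUM(NSInteger, AppSaveTarget) {
    AppSaveTargetLocal,               // the app's own sandbox on the device
    AppSaveTargetOneDriveForBusiness,
    AppSaveTargetSharePoint,
    AppSaveTargetThirdPartyCloud      // e.g. a personal cloud drive
};

// Hypothetical app function that performs the actual write.
extern void SaveDocumentToURL(NSData *document, NSURL *destination);

// Map the app's destinations onto the SDK's constants. Anything the app
// cannot classify is reported as "Other", which policy treats as a
// personal (unmanaged) location, so an unknown destination fails closed.
static IntuneMAMSaveLocation MAMLocationForTarget(AppSaveTarget target)
{
    switch (target) {
        case AppSaveTargetLocal:               return IntuneMAMSaveLocationLocalDrive;
        case AppSaveTargetOneDriveForBusiness: return IntuneMAMSaveLocationOneDriveForBusiness;
        case AppSaveTargetSharePoint:          return IntuneMAMSaveLocationSharePoint;
        default:                               return IntuneMAMSaveLocationOther;
    }
}

// Returns YES only if policy permits saving to `target`. `destinationUPN`
// is the UPN of the account that owns the storage location when known
// (e.g. the signed-in OneDrive for Business user); pass nil for locations
// that have no account, such as the local drive.
BOOL AppMayPersistManagedData(AppSaveTarget target, NSString *destinationUPN)
{
    IntuneMAMPolicy *policy = [[IntuneMAMPolicyManager instance] policy];
    if (policy == nil) {
        // Assumption: nil means no app protection policy is deployed to this
        // app instance, so there is nothing to enforce and the save proceeds.
        return YES;
    }
    return [policy isSaveToAllowedForLocation:MAMLocationForTarget(target)
                              withAccountName:destinationUPN];
}

// Save path that refuses early, before any data is written, and leaves a
// log line so a blocked save is visible when investigating user reports.
void SaveWithPolicyCheck(NSData *document, NSURL *destination,
                         AppSaveTarget target, NSString *destinationUPN)
{
    if (!AppMayPersistManagedData(target, destinationUPN)) {
        NSLog(@"Save to target %ld blocked by app protection policy", (long)target);
        // Surface a user-facing message here rather than failing silently.
        return;
    }
    SaveDocumentToURL(document, destination);
}
```

The check is placed in front of the write rather than after it so that a policy denial never leaves a partial file behind at the disallowed location; the unknown-destination case deliberately maps to IntuneMAMSaveLocationOther, the most restrictive classification.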

Configure settings for the Intune App SDK

You can use the IntuneMAMSettings dictionary in the application's Info.plist file to set up and configure the Intune App SDK. If the IntuneMAMSettings dictionary is not present in your Info.plist file, you should create a dictionary in your app's Info.plist with the field name "IntuneMAMSettings".

Under the IntuneMAMSettings dictionary, you can add key/value rows of configuration settings to configure the SDK. The table below lists all supported settings.

Some of these settings might have been covered in previous sections, and some do not apply to all apps.

| Setting | Type | Definition | Required? |
| --- | --- | --- | --- |
| ADALClientId | String | The app's Azure AD client identifier. | Required if the app uses ADAL. |
| ADALAuthority | String | The app's Azure AD authority in use. You should use your own environment where AAD accounts have been configured. | Required if the app uses ADAL. If this value is absent, an Intune default is used. |
| ADALRedirectUri | String | The app's Azure AD redirect URI. | ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL. |
| ADALRedirectScheme | String | The app's Azure AD redirect scheme. This can be used in place of ADALRedirectUri if the application's redirect URI is in the format scheme://bundle_id. | ADALRedirectUri or ADALRedirectScheme is required if the app uses ADAL. |
| ADALLogOverrideDisabled | Boolean | Specifies whether the SDK will route all ADAL logs (including ADAL calls from the app, if any) to its own log file. Defaults to NO. Set to YES if the app will set its own ADAL log callback. | Optional. |
| ADALCacheKeychainGroupOverride | String | Specifies the keychain group to use for the ADAL cache, instead of "com.microsoft.adalcache". Note that this does not include the app-id prefix; that is prefixed to the provided string at runtime. | Optional. |
| AppGroupIdentifiers | Array of strings | Array of app groups from the app's entitlements com.apple.security.application-groups section. | Required if the app uses application groups. |
| ContainingAppBundleId | String | Specifies the bundle ID of the extension's containing application. | Required for iOS extensions. |
| DebugSettingsEnabled | Boolean | If set to YES, test policies within the Settings bundle can be applied. Applications should not be shipped with this setting enabled. | Optional. |
| MainNibFile, MainNibFile~ipad | String | This setting should have the application's main nib file name. | Required if the application defines MainNibFile in Info.plist. |
| MainStoryboardFile, MainStoryboardFile~ipad | String | This setting should have the application's main storyboard file name. | Required if the application defines UIMainStoryboardFile in Info.plist. |
| AutoEnrollOnLaunch | Boolean | Specifies whether the app should attempt to automatically enroll on launch if an existing managed identity is detected and it has not yet done so. Defaults to NO. Notes: If no managed identity is found, or no valid token for the identity is available in the ADAL cache, the enrollment attempt will silently fail without prompting for credentials, unless the app has also set MAMPolicyRequired to YES. | Optional. |
| MAMPolicyRequired | Boolean | Specifies whether the app will be blocked from starting if the app does not have an Intune app protection policy. Defaults to NO. Notes: Apps cannot be submitted to the App Store with MAMPolicyRequired set to YES. When setting MAMPolicyRequired to YES, AutoEnrollOnLaunch should also be set to YES. | Optional. |
| MAMPolicyWarnAbsent | Boolean | Specifies whether the app will warn the user during launch if the app does not have an Intune app protection policy. Note: Users will still be allowed to use the app without policy after dismissing the warning. | Optional. |
| MultiIdentity | Boolean | Specifies whether the app is multi-identity aware. | Optional. |
| SplashIconFile, SplashIconFile~ipad | String | Specifies the Intune splash (startup) icon file. | Optional. |
| SplashDuration | Number | Minimum amount of time, in seconds, that the Intune startup screen will be shown at application launch. Defaults to 1.5. | Optional. |
| BackgroundColor | String | Specifies the background color for the startup and PIN screens. Accepts a hexadecimal RGB string in the form #XXXXXX, where X can range from 0-9 or A-F. The pound sign may be omitted. Defaults to light grey. | Optional. |
| ForegroundColor | String | Specifies the foreground color for the startup and PIN screens, such as text color. Accepts a hexadecimal RGB string in the form #XXXXXX, where X can range from 0-9 or A-F. The pound sign may be omitted. Defaults to black. | Optional. |
| AccentColor | String | Specifies the accent color for the PIN screen, such as button text color and box highlight color. Accepts a hexadecimal RGB string in the form #XXXXXX, where X can range from 0-9 or A-F. The pound sign may be omitted. Defaults to system blue. | Optional. |
| MAMTelemetryDisabled | Boolean | Specifies whether the SDK will refrain from sending any telemetry data to its back end. | Optional. |
| WebViewHandledURLSchemes | Array of strings | Specifies the URL schemes that your app's WebView handles. | Required if your app uses a WebView that handles URLs via links and/or JavaScript. |

Note

If your app will be released to the App Store, MAMPolicyRequired must be set to NO, per App Store standards.
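Because several of the settings above must not reach a shipping build (DebugSettingsEnabled, MAMPolicyRequired for App Store releases) and others have documented dependencies on each other, a release-time lint over the dictionary catches misconfiguration before submission. The following is an added example, not part of the SDK or its documentation, intended to run from a unit test or a debug-only startup path; IntuneMAMSettingsProblems and CheckRunningAppIntuneSettings are hypothetical helper names, and the conditions are taken from the table's own requirements.

```objective-c
// Added example: sanity-check the IntuneMAMSettings dictionary against the
// documented constraints. Key names are those from the settings table.
#import <Foundation/Foundation.h>

// Returns human-readable problems; an empty array means the dictionary
// satisfies the documented constraints for a shippable build.
NSArray<NSString *> *IntuneMAMSettingsProblems(NSDictionary *settings, BOOL forAppStore)
{
    NSMutableArray<NSString *> *problems = [NSMutableArray array];
    if (settings == nil) {
        [problems addObject:@"IntuneMAMSettings dictionary is missing from Info.plist"];
        return problems;
    }

    // A Boolean setting counts as YES only if it is an NSNumber that is true;
    // a string "YES" would be a plist authoring mistake.
    BOOL (^flag)(NSString *) = ^BOOL(NSString *key) {
        id value = settings[key];
        return [value isKindOfClass:[NSNumber class]] && [value boolValue];
    };

    // Test policies from the Settings bundle must never be enabled in a shipped build.
    if (flag(@"DebugSettingsEnabled")) {
        [problems addObject:@"DebugSettingsEnabled is YES; do not ship with test policies enabled"];
    }
    // App Store builds cannot require policy; requiring policy also implies AutoEnrollOnLaunch.
    if (flag(@"MAMPolicyRequired")) {
        if (forAppStore) {
            [problems addObject:@"MAMPolicyRequired is YES; App Store builds must set it to NO"];
        }
        if (!flag(@"AutoEnrollOnLaunch")) {
            [problems addObject:@"MAMPolicyRequired is YES but AutoEnrollOnLaunch is not"];
        }
    }
    // An ADAL client id needs a redirect URI or a redirect scheme alongside it.
    if (settings[@"ADALClientId"] != nil &&
        settings[@"ADALRedirectUri"] == nil && settings[@"ADALRedirectScheme"] == nil) {
        [problems addObject:@"ADALClientId is set without ADALRedirectUri or ADALRedirectScheme"];
    }
    // Colour strings: optional '#' followed by exactly six hex digits (0-9, A-F as documented).
    NSRegularExpression *hexColor =
        [NSRegularExpression regularExpressionWithPattern:@"^#?[0-9A-F]{6}$" options:0 error:nil];
    for (NSString *key in @[@"BackgroundColor", @"ForegroundColor", @"AccentColor"]) {
        NSString *value = settings[key];
        if (value != nil &&
            (![value isKindOfClass:[NSString class]] ||
             [hexColor numberOfMatchesInString:value options:0
                                         range:NSMakeRange(0, value.length)] == 0)) {
            [problems addObject:[NSString stringWithFormat:@"%@ '%@' is not a #XXXXXX RGB string", key, value]];
        }
    }
    return problems;
}

// Typical use: inspect the running app's own Info.plist.
NSArray<NSString *> *CheckRunningAppIntuneSettings(BOOL forAppStore)
{
    NSDictionary *settings = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"IntuneMAMSettings"];
    return IntuneMAMSettingsProblems(settings, forAppStore);
}
```

Wiring CheckRunningAppIntuneSettings(YES) into the app's test target makes a stray DebugSettingsEnabled or MAMPolicyRequired fail the build instead of being discovered at App Store review or, worse, by users.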

Sharing Data via UIActivityViewController

Starting with version 8.0.2, the Intune APP SDK will be able to filter the UIActivityViewController actions so that no non-Intune sharing locations are available to select. This behavior will be controlled by the application data transfer policy and an upcoming APP feature. The upcoming feature will be enabled after the majority of Microsoft first-party applications (Word, Excel, PowerPoint) have made the required changes to support sharing data via UIActivityViewController.

'Copy To' actions

When sharing documents via UIActivityViewController and UIDocumentInteractionController, iOS displays 'Copy to' actions for each application that supports opening the document being shared. Applications declare the document types they support through the CFBundleDocumentTypes setting in their Info.plist. This type of sharing will no longer be available if the policy disallows sharing to unmanaged applications. As a replacement, applications will have to add a non-UI Action extension to their application and link it to the Intune APP SDK for iOS. The Action extension acts like a stub; the SDK implements all of the file sharing behavior. Follow the SDK integration steps above plus the following:

  1. Your application must have at least one URL scheme defined under CFBundleURLTypes in its Info.plist.
  2. Your application and action extension must share at least one App Group, and the App Group must be listed under the AppGroupIdentifiers array in the IntuneMAMSettings dictionary of both the app and the extension.
  3. Name the action extension "Open in" followed by the application name. Localize the Info.plist as needed.
  4. Design a template icon for the extension as described in Apple's developer documentation. Alternatively, the IntuneMAMConfigurator tool can generate these images from the application's .app directory. Run 'IntuneMAMConfigurator -generateOpenInIcons /path/to/app.app -o /path/to/output/directory'.
  5. Under IntuneMAMSettings in the extension's Info.plist, add a Boolean setting named OpenInActionExtension with value YES.
  6. Configure the NSExtensionActivationRule to support a single file and all types from the application's CFBundleDocumentTypes prefixed with 'com.microsoft.intune.mam.'. For example, if the application supports public.text and public.image, the activation rule would be:

SUBQUERY (
    extensionItems,
    $extensionItem,
    SUBQUERY (
        $extensionItem.attachments,
        $attachment,
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.text" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.image"
    ).@count == 1
).@count == 1

Update existing Share and Action extensions

If your application already contains Share or Action extensions, their NSExtensionActivationRule will have to be modified to allow the Intune types. For each type supported by the extension, add an additional type prefixed with 'com.microsoft.intune.mam.'. For example, if the existing activation rule is:

SUBQUERY (
    extensionItems,
    $extensionItem,
    SUBQUERY (
        $extensionItem.attachments,
        $attachment,
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.url" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.plain-text" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.image" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.data"
    ).@count > 0
).@count > 0

It should be changed to:

SUBQUERY (
    extensionItems,
    $extensionItem,
    SUBQUERY (
        $extensionItem.attachments,
        $attachment,
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.url" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.plain-text" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.image" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "public.data" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.url" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.plain-text" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.image" ||
        ANY $attachment.registeredTypeIdentifiers UTI-CONFORMS-TO "com.microsoft.intune.mam.public.data"
    ).@count > 0
).@count > 0

Note

The IntuneMAMConfigurator tool can be used to add the Intune types to the activation rule. If your existing activation rule uses the predefined string constants (for example NSExtensionActivationSupportsFileWithMaxCount, NSExtensionActivationSupportsText, and so on), the predicate syntax can get quite complex. The IntuneMAMConfigurator tool can also convert the activation rule from the string constants to a predicate string while adding the Intune types. IntuneMAMConfigurator is found in our GitHub repository.

Enabling MAM targeted configuration for your iOS applications

MAM targeted configuration allows an app to receive configuration data through the Intune App SDK. The format and variants of this data must be defined and communicated to Intune customers by the application owner/developer. Intune administrators can target and deploy configuration data via the Intune Azure portal. As of version 7.0.1 of the Intune App SDK for iOS, apps that participate in MAM targeted configuration can be provided MAM targeted configuration data via the MAM Service. The application configuration data is pushed through the MAM Service directly to the app instead of through the MDM channel. The Intune App SDK provides a class to access the data retrieved from these consoles. Consider the following as prerequisites:

  • The app needs to be enrolled with the Intune MAM service before you access the MAM targeted config UI. For more information, see Receiving app protection policy.
  • Include IntuneMAMAppConfigManager.h in your app's source file.
  • Call [[IntuneMAMAppConfigManager instance] appConfigForIdentity:] to get the App Config object.
  • Call the appropriate selector on the IntuneMAMAppConfig object. For example, if your application's key is a string, you'd want to use stringValueForKey or allStringsForKey. The IntuneMAMAppConfig.h header file documents the return values and error conditions.
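The steps above, as an added example that is not the SDK's own code: read an admin-targeted value for the active account, treat a conflicting or malformed value as absent, and fall back to a compiled-in default. It assumes, from IntuneMAMAppConfig.h, that appConfigForIdentity: returns an object conforming to the IntuneMAMAppConfig protocol, that stringValueForKey:queryType: takes an IntuneMAMStringQueryType selector (IntuneMAMStringAny here) for choosing among several values, and that allStringsForKey: and hasConflict: exist; the configuration keys and the helper names ServerURLForIdentity and AllowedTagsForIdentity are hypothetical.

```objective-c
// Added example: consume MAM targeted app configuration defensively.
// Assumed from IntuneMAMAppConfig.h: stringValueForKey:queryType:,
// allStringsForKey:, hasConflict:; verify against your SDK's header.
#import <Foundation/Foundation.h>
#import "IntuneMAMAppConfigManager.h"
#import "IntuneMAMAppConfig.h"

// Keys the app would document for its customers (hypothetical contract).
static NSString *const kConfigKeyServerURL   = @"com.example.app.serverUrl";
static NSString *const kConfigKeyAllowedTags = @"com.example.app.allowedTags";

// Returns the admin-configured server URL for `identity`, or `defaultURL`
// when the key is absent, conflicting, or not an https URL.
NSString *ServerURLForIdentity(NSString *identity, NSString *defaultURL)
{
    id<IntuneMAMAppConfig> config =
        [[IntuneMAMAppConfigManager instance] appConfigForIdentity:identity];

    // More than one policy sets this key: log every candidate so the admin
    // can resolve it, and do not guess which one is intended.
    if ([config hasConflict:kConfigKeyServerURL]) {
        NSLog(@"App config conflict on %@: %@", kConfigKeyServerURL,
              [config allStringsForKey:kConfigKeyServerURL]);
        return defaultURL;
    }

    NSString *value = [config stringValueForKey:kConfigKeyServerURL
                                      queryType:IntuneMAMStringAny];
    if (value.length == 0) {
        return defaultURL;   // key not targeted at this account
    }

    // Only accept an https URL from config; a malformed or http value is
    // treated as absent so a misconfiguration cannot downgrade transport.
    NSURL *url = [NSURL URLWithString:value];
    if (url == nil || ![url.scheme.lowercaseString isEqualToString:@"https"] || url.host.length == 0) {
        NSLog(@"Ignoring server URL from app config that is not https: %@", value);
        return defaultURL;
    }
    return value;
}

// All values for a multi-valued key, de-duplicated; empty when untargeted.
NSSet<NSString *> *AllowedTagsForIdentity(NSString *identity)
{
    id<IntuneMAMAppConfig> config =
        [[IntuneMAMAppConfigManager instance] appConfigForIdentity:identity];
    NSArray<NSString *> *tags = [config allStringsForKey:kConfigKeyAllowedTags];
    return [NSSet setWithArray:tags ?: @[]];
}
```

The point of routing every value through a validator is that app configuration is admin-controlled input the app did not author: a typo in the portal should degrade to the built-in default, not to a plaintext endpoint.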

For more information about the capabilities of the Graph API, see Graph API Reference.

For more information about how to create a MAM targeted app configuration policy in iOS, see the section on MAM targeted app config in How to use Microsoft Intune app configuration policies for iOS.

Telemetry

By default, the Intune App SDK for iOS logs telemetry data on the following usage events. This data is sent to Microsoft Intune.

  • App launch: To help Microsoft Intune learn about MAM-enabled app usage by management type (MAM with MDM, MAM without MDM enrollment, and so on).

  • Enrollment calls: To help Microsoft Intune learn about the success rate and other performance metrics of enrollment calls initiated from the client side.

Note

If you choose not to send Intune App SDK telemetry data to Microsoft Intune from your mobile application, you must disable Intune App SDK telemetry capture. Set the property MAMTelemetryDisabled to YES in the IntuneMAMSettings dictionary.

Enable multi-identity (optional)

By default, the SDK applies a policy to the app as a whole. Multi-identity is a MAM feature that you can enable to apply a policy on a per-identity level. This requires more app participation than other MAM features.

The app must inform the app SDK when it intends to change the active identity. The SDK also notifies the app when an identity change is required. Currently, only one managed identity is supported. After the user enrolls the device or the app, the SDK uses this identity and considers it the primary managed identity. Other users in the app will be treated as unmanaged with unrestricted policy settings.

Note that an identity is simply defined as a string. Identities are case-insensitive. Requests to the SDK for an identity might not return the same casing that was originally used when the identity was set.

Identity overview

An identity is simply the user name of an account (for example, user@contoso.com). Developers can set the identity of the app on the following levels:

  • Process identity: Sets the process-wide identity and is mainly used for single-identity applications. This identity affects all tasks, files, and UI.

  • UI identity: Determines what policies are applied to UI tasks on the main thread, like cut/copy/paste, PIN, authentication, and data sharing. The UI identity does not affect file tasks like encryption and backup.

  • Thread identity: Affects what policies are applied on the current thread. This identity affects all tasks, files, and UI.

The app is responsible for setting the identities appropriately, whether or not the user is managed.

At any time, every thread has an effective identity for UI tasks and file tasks. This is the identity that is used to check what policies, if any, should be applied. If the identity is "no identity" or the user is not managed, no policies will be applied. The diagrams below show how the effective identities are determined.

(Diagram: Intune App SDK iOS: linked frameworks and libraries)

Thread queues

Apps often dispatch asynchronous and synchronous tasks to thread queues. The SDK intercepts Grand Central Dispatch (GCD) calls and associates the current thread identity with the dispatched tasks. When the tasks run, the SDK temporarily changes the thread identity to the identity associated with the tasks, completes the tasks, then restores the original thread identity.

Because NSOperationQueue is built on top of GCD, NSOperations will run under the identity of the thread at the time the tasks are added to the NSOperationQueue. NSOperations or functions dispatched directly through GCD can also change the current thread identity as they are running. This identity will override the identity inherited from the dispatching thread.

File owner

The SDK tracks the identities of local file owners and applies policies accordingly. A file owner is established when a file is created or when a file is opened in truncate mode. The owner is set to the effective file task identity of the thread that is performing the task.

Alternatively, apps can set the file owner identity explicitly by using IntuneMAMFilePolicyManager. Apps can use IntuneMAMFilePolicyManager to retrieve the file owner and set the UI identity before showing the file contents.

Shared data

If the app creates files that contain data from both managed and unmanaged users, the app is responsible for encrypting the managed user's data. You can encrypt data by using the protect and unprotect APIs in IntuneMAMDataProtectionManager.

The protect method accepts an identity that can be a managed or unmanaged user. If the user is managed, the data will be encrypted. If the user is unmanaged, a header encoding the identity will be added to the data, but the data will not be encrypted. You can use the protectionInfo method to retrieve the data's owner.

Share extensions

If the app has a share extension, the owner of the item being shared can be retrieved through the protectionInfoForItemProvider method in IntuneMAMDataProtectionManager. If the shared item is a file, the SDK will handle setting the file owner. If the shared item is data, the app is responsible for setting the file owner if this data is persisted to a file, and for calling the setUIPolicyIdentity API before showing this data in the UI.
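The shared-data flow above, as an added example that is not the SDK's own code: a single container mixes records from a managed and an unmanaged account, each record is wrapped with protect: for its owner, and the owner is read back with protectionInfo: so the UI identity can be switched before the record's contents are shown. It assumes, from IntuneMAMDataProtectionManager.h, the selectors protect:identity:, unprotect: and protectionInfo: (the latter returning an object with an identity property), and from IntuneMAMPolicyManager.h, setUIPolicyIdentity:completion: reporting an IntuneMAMSwitchIdentityResult whose success value is IntuneMAMSwitchIdentityResultSuccess; SealRecord, RecordOwner, OpenRecord and BuildMixedContainer are hypothetical helper names, and the account names and record contents are constructed sample values.

```objective-c
// Added example: per-record protection in a file shared by several accounts.
// Assumed selectors: protect:identity:, unprotect:, protectionInfo: on
// IntuneMAMDataProtectionManager and setUIPolicyIdentity:completion: on
// IntuneMAMPolicyManager; verify against your SDK's headers.
#import <Foundation/Foundation.h>
#import "IntuneMAMDataProtectionManager.h"
#import "IntuneMAMPolicyManager.h"

// Wrap one record for its owner. For a managed identity the SDK encrypts
// the payload; for an unmanaged identity it only prepends an owner header.
NSData *SealRecord(NSString *ownerUPN, NSData *plaintext)
{
    return [[IntuneMAMDataProtectionManager instance] protect:plaintext identity:ownerUPN];
}

// Recover the owner from the header without unwrapping the payload.
NSString *RecordOwner(NSData *sealed)
{
    return [[IntuneMAMDataProtectionManager instance] protectionInfo:sealed].identity;
}

// Switch the UI identity to the record's owner before any content reaches
// the screen, so PIN, cut/copy/paste and sharing policy for that account
// apply. The plaintext is handed to `show` only after a successful switch;
// on any other result the caller gets `blocked` and never sees the data.
void OpenRecord(NSData *sealed, void (^show)(NSData *plaintext), void (^blocked)(void))
{
    NSString *owner = RecordOwner(sealed) ?: @"";   // empty string = unmanaged context
    [[IntuneMAMPolicyManager instance]
        setUIPolicyIdentity:owner
                 completion:^(IntuneMAMSwitchIdentityResult result) {
            if (result != IntuneMAMSwitchIdentityResultSuccess) {
                blocked();   // conditional launch failed or was cancelled
                return;
            }
            NSData *plaintext = [[IntuneMAMDataProtectionManager instance] unprotect:sealed];
            if (plaintext == nil) {
                blocked();   // wrapped for an identity this app cannot unwrap
                return;
            }
            show(plaintext);
        }];
}

// A container holding records from two accounts, one managed, one not.
// Both owner strings and payloads are constructed sample values.
NSArray<NSData *> *BuildMixedContainer(void)
{
    NSData *work = [@"quarterly forecast" dataUsingEncoding:NSUTF8StringEncoding];
    NSData *home = [@"grocery list" dataUsingEncoding:NSUTF8StringEncoding];
    return @[ SealRecord(@"user@contoso.com", work),       // enrolled (managed) account
              SealRecord(@"someone@example.com", home) ];  // unmanaged account
}
```

Keeping the owner in the SDK header rather than in an app-level index means the owner travels with the bytes: if the container is copied or restored from backup, each record still names the account whose policy must be applied before it is displayed.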

Turning on multi-identity

By default, apps are considered single identity. The SDK sets the process identity to the enrolled user. To enable multi-identity support, add a Boolean setting with the name MultiIdentity and a value of YES to the IntuneMAMSettings dictionary in the app's Info.plist file.

Note

When multi-identity is enabled, the process identity, UI identity, and thread identities are set to nil. The app is responsible for setting them appropriately.

Switching identities

  • App-initiated identity switch:

    At launch, multi-identity apps are considered to be running under an unknown, unmanaged account. The conditional launch UI will not run, and no policies will be enforced on the app. The app is responsible for notifying the SDK whenever the identity should be changed. Typically, this will happen whenever the app is about to show data for a specific user account.

    An example is when the user attempts to open a document, a mailbox, or a tab in a notebook. The app needs to notify the SDK before the file, mailbox, or tab is actually opened. This is done through the setUIPolicyIdentity API in IntuneMAMPolicyManager. This API should be called whether or not the user is managed. If the user is managed, the SDK will perform the conditional launch checks, like jailbreak detection, PIN, and authentication.

    The result of the identity switch is returned to the app asynchronously through a completion handler. The app should postpone opening the document, mailbox, or tab until a success result code is returned. If the identity switch failed, the app should cancel the task.

  • SDK-initiated identity switch:

    Sometimes, the SDK needs to ask the app to switch to a specific identity. Multi-identity apps must implement the identitySwitchRequired method in IntuneMAMPolicyDelegate to handle this request.

    When this method is called, if the app can handle the request to switch to the specified identity, it should pass IntuneMAMAddIdentityResultSuccess into the completion handler. If it can't handle switching the identity, the app should pass IntuneMAMAddIdentityResultFailed into the completion handler.

    The app does not have to call setUIPolicyIdentity in response to this call. If the SDK needs the app to switch to an unmanaged user account, the empty string will be passed into the identitySwitchRequired call.

  • Selective wipe:

    When the app is selectively wiped, the SDK will call the wipeDataForAccount method in IntuneMAMPolicyDelegate. The app is responsible for removing the specified user's account and any data associated with it. The SDK is capable of removing all files owned by the user and will do so if the app returns FALSE from the wipeDataForAccount call.

    Note that this method is called from a background thread. The app should not return a value until all data for the user has been removed (with the exception of files if the app returns FALSE).
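The SDK-initiated switch and selective wipe described above, as an added example that is not the SDK's own code: an IntuneMAMPolicyDelegate for a multi-identity app that keeps one record list per account. It assumes, from IntuneMAMPolicyDelegate.h, the selectors identitySwitchRequired:completion: (with the IntuneMAMAddIdentityResult values the text names) and wipeDataForAccount:, and that IntuneMAMPolicyManager exposes a weak delegate property; AccountStore, MAMPolicyDelegate and InstallMAMPolicyDelegate are hypothetical app names.

```objective-c
// Added example: IntuneMAMPolicyDelegate for a multi-identity app.
// Assumed from IntuneMAMPolicyDelegate.h: identitySwitchRequired:completion:
// and wipeDataForAccount:; verify against your SDK's header.
#import <Foundation/Foundation.h>
#import "IntuneMAMPolicyDelegate.h"
#import "IntuneMAMPolicyManager.h"

// Hypothetical per-account store. Keys are lower-cased because identities
// are case-insensitive and the SDK may hand back a different casing.
@interface AccountStore : NSObject
@property (nonatomic, strong) NSMutableDictionary<NSString *, NSMutableArray<NSData *> *> *recordsByAccount;
@property (nonatomic, copy) NSString *visibleAccount;   // nil = neutral landing UI with no account data
- (void)addRecord:(NSData *)record forAccount:(NSString *)upn;
- (BOOL)hasAccount:(NSString *)upn;
- (BOOL)deleteAllDataForAccount:(NSString *)upn;
@end

@implementation AccountStore
- (instancetype)init
{
    if ((self = [super init])) { _recordsByAccount = [NSMutableDictionary dictionary]; }
    return self;
}
- (void)addRecord:(NSData *)record forAccount:(NSString *)upn
{
    NSString *key = upn.lowercaseString;
    if (self.recordsByAccount[key] == nil) { self.recordsByAccount[key] = [NSMutableArray array]; }
    [self.recordsByAccount[key] addObject:record];
}
- (BOOL)hasAccount:(NSString *)upn { return self.recordsByAccount[upn.lowercaseString] != nil; }
// Remove everything for the account and never leave its data on screen.
- (BOOL)deleteAllDataForAccount:(NSString *)upn
{
    NSString *key = upn.lowercaseString;
    if ([self.visibleAccount isEqualToString:key]) { self.visibleAccount = nil; }
    [self.recordsByAccount removeObjectForKey:key];
    return self.recordsByAccount[key] == nil;
}
@end

@interface MAMPolicyDelegate : NSObject <IntuneMAMPolicyDelegate>
@property (nonatomic, strong) AccountStore *store;
@end

@implementation MAMPolicyDelegate

// The SDK asks the app to move to `identity`; the empty string means "an
// unmanaged context". Report failure for an unknown account so the SDK does
// not assume that account's data is now on screen. No setUIPolicyIdentity
// call is needed in response to this request.
- (void)identitySwitchRequired:(NSString *)identity
                    completion:(void (^)(IntuneMAMAddIdentityResult))completion
{
    dispatch_async(dispatch_get_main_queue(), ^{
        if (identity.length == 0) {
            self.store.visibleAccount = nil;
            completion(IntuneMAMAddIdentityResultSuccess);
        } else if ([self.store hasAccount:identity]) {
            self.store.visibleAccount = identity.lowercaseString;
            completion(IntuneMAMAddIdentityResultSuccess);
        } else {
            completion(IntuneMAMAddIdentityResultFailed);
        }
    });
}

// Selective wipe, called on a background thread: do not return until the
// account's data is gone. Returning NO tells the SDK to delete the files it
// knows are owned by the account, the right fallback when the app could not
// finish the job itself.
- (BOOL)wipeDataForAccount:(NSString *)upn
{
    BOOL removedEverything = [self.store deleteAllDataForAccount:upn];
    if (!removedEverything) {
        NSLog(@"Partial wipe for %@; leaving owned files to the SDK", upn);
    }
    return removedEverything;
}

@end

// Register once at startup. The manager's delegate property is assumed to
// be weak, so the app keeps its own strong reference.
void InstallMAMPolicyDelegate(AccountStore *store)
{
    static MAMPolicyDelegate *delegate;
    delegate = [MAMPolicyDelegate new];
    delegate.store = store;
    [IntuneMAMPolicyManager instance].delegate = delegate;
}
```

The wipe handler's return value is the one place where being honest about partial failure matters: claiming success while records remain would leave managed data on the device with no further cleanup, whereas returning NO at least lets the SDK remove the files it tracks.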

iOS best practices

Here are recommended best practices for developing for iOS:

  • The iOS file system is case-sensitive. Ensure that the case is correct for file names like libIntuneMAM.a and IntuneMAMResources.bundle.

  • If Xcode has trouble finding libIntuneMAM.a, you can fix the problem by adding the path to this library to the linker search paths.

常見問題集FAQs

是否可透過原生 Swift 或 Objective-C 以及 Swift 互通性定址所有 API?Are all of the APIs addressable through native Swift or the Objective-C and Swift interoperability?

Intune App SDK API 僅限於 Objective-C 且不支援原生 Swift。The Intune App SDK APIs are in Objective-C only and do not support native Swift. 必須有 Swift 與 Objective-C 的互通性。Swift interoperability with Objective-C is required.

是否需要向 APP-WE 服務註冊應用程式的所有使用者?Do all users of my application need to be registered with the APP-WE service?

否。No. 事實上,只應該向 Intune App SDK 註冊工作或學校帳戶。In fact, only work or school accounts should be registered with the Intune App SDK. 應用程式負責決定是否在工作或學校內容中使用帳戶。Apps are responsible for determining if an account is used in a work or school context.

已登入應用程式的使用者如何?是否需要註冊它們?What about users that have already signed in to the application? Do they need to be enrolled?

應用程式必須負責註冊已成功通過驗證的使用者。The application is responsible for enrolling users after they have been successfully authenticated. 應用程式也必須負責註冊在應用程式具有較少 MDM 的 MAM 功能之前可能已存在的任何現有帳戶。The application is also responsible for enrolling any existing accounts that might have been present before the application had MDM-less MAM functionality.

若要這樣做,應用程式應該會使用 registeredAccounts: 方法。To do this, the application should make use of the registeredAccounts: method. 這個方法會傳回包含所有已註冊至 Intune MAM 服務之帳戶的 NSDictionary。This method returns an NSDictionary that has all of the accounts registered into the Intune MAM service. 如果應用程式中的任何現有帳戶都不在清單中,則應用程式應該透過 registerAndEnrollAccount: 來註冊這些帳戶。If any existing accounts in the application are not in the list, the application should register and enroll those accounts via registerAndEnrollAccount:.

SDK 重試註冊的頻率為何?How often does the SDK retry enrollments?

SDK 會依 24 小時間隔自動重試所有先前失敗的註冊。The SDK will automatically retry all previously failed enrollments on a 24-hour interval. SDK 這麼做以確保如果使用者的組織已在使用者登入應用程式之後啟用 MAM,則使用者會順利註冊並接收原則。The SDK does this to ensure that if a user’s organization enabled MAM after the user signed in to the application, the user will successfully enroll and receive policies.

SDK 將會在偵測到使用者已順利註冊應用程式時停止重試。The SDK will stop retrying when it detects that a user has successfully enrolled the application. 原因是只有一位使用者可以在特定時間註冊應用程式。This is because only one user can enroll an application at a particular time. 如果取消註冊使用者,則重試會以相同的 24 小時間隔重新開始。If the user is unenrolled, the retries will begin again on the same 24-hour interval.

為何需要取消註冊使用者?Why does the user need to be deregistered?

SDK 將會在背景定期採取下列動作:The SDK will take these actions in the background periodically:

  • 如果尚未註冊應用程式,則會每隔 24 小時嘗試註冊所有已註冊的帳戶。If the application is not yet enrolled, it will try to enroll all registered accounts every 24 hours.
  • 如果已註冊應用程式,SDK 會每隔 8 小時檢查應用程式保護原則更新。If the application is enrolled, the SDK will check for app protection policy updates every 8 hours.

取消註冊使用者會通知 SDK,使用者無法再使用應用程式,而且 SDK 可以停止該使用者帳戶的任何定期事件。Deregistering a user notifies the SDK that the user will no longer use the application, and the SDK can stop any of the periodic events for that user account. 它也會在必要時觸發應用程式取消註冊和選擇性抹除。It also triggers an app unenroll and selective wipe if necessary.

Should I set the doWipe flag to true in the deregister method?

This method should be called before the user is signed out of the application. If the user's data is deleted from the application as part of the sign-out, doWipe can be set to false. But if the application does not remove the user's data, doWipe should be set to true so that the SDK can delete the data.
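The two responsibilities described above (reconciling the app's accounts against registeredAccounts: at launch, and deregistering with the right doWipe value at sign-out) are shown together below as an added example. It is not code from this guide or from Microsoft's SDK samples. The selectors registeredAccounts and registerAndEnrollAccount: are the ones this guide names; the IntuneMAMEnrollmentManager singleton, deRegisterAndUnenrollAccount:withWipe:, and the assumption that the dictionary returned by registeredAccounts is keyed by account identity (UPN) are taken from the SDK's IntuneMAMEnrollmentManager header as assumptions. AppAccountStore is a hypothetical stand-in for the app's own account storage.

```objective-c
#import <Foundation/Foundation.h>
#import <IntuneMAM/IntuneMAMEnrollmentManager.h>

// Added example, not Intune SDK code. The IntuneMAMEnrollmentManager singleton,
// deRegisterAndUnenrollAccount:withWipe:, and the UPN-keyed dictionary returned by
// registeredAccounts are assumptions based on the SDK header; AppAccountStore is
// a hypothetical stand-in for the app's own account storage.

@interface AppAccountStore : NSObject
// UPNs the app has already authenticated (including accounts that pre-date MAM support).
- (NSArray<NSString *> *)signedInAccounts;
// Deletes all locally cached data for the account; returns YES only if everything was removed.
- (BOOL)purgeDataForAccount:(NSString *)upn;
@end

@implementation AppAccountStore
- (NSArray<NSString *> *)signedInAccounts {
    return @[ @"user@contoso.com" ]; // constructed sample account
}
- (BOOL)purgeDataForAccount:(NSString *)upn {
    return YES; // constructed: the sample store always succeeds
}
@end

// Step 1: run at launch and after every successful sign-in. Any account the app
// knows about but the SDK does not gets registered, which also kicks off enrollment
// (the SDK keeps retrying every 24 hours if the tenant has not enabled MAM yet).
static void reconcileIntuneEnrollment(AppAccountStore *store)
{
    IntuneMAMEnrollmentManager *mgr = [IntuneMAMEnrollmentManager instance];
    NSDictionary *registered = [mgr registeredAccounts];

    for (NSString *upn in [store signedInAccounts]) {
        BOOL known = NO;
        // Compare case-insensitively so a differently cased UPN is not enrolled twice.
        for (NSString *identity in registered) {
            if ([identity caseInsensitiveCompare:upn] == NSOrderedSame) {
                known = YES;
                break;
            }
        }
        if (!known) {
            [mgr registerAndEnrollAccount:upn];
        }
    }
}

// Step 2: call before the user's session is torn down. doWipe is YES whenever the
// app could not prove it removed the user's data itself, so the SDK wipes it and
// no corporate data is left behind after sign-out.
static void signOutFromIntune(AppAccountStore *store, NSString *upn)
{
    BOOL appRemovedData = [store purgeDataForAccount:upn];
    BOOL doWipe = !appRemovedData;
    [[IntuneMAMEnrollmentManager instance] deRegisterAndUnenrollAccount:upn
                                                               withWipe:doWipe];
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        AppAccountStore *store = [AppAccountStore new];
        reconcileIntuneEnrollment(store);                 // e.g. from applicationDidFinishLaunching:
        signOutFromIntune(store, @"user@contoso.com");    // e.g. from the sign-out action
    }
    return 0;
}
```

Deciding doWipe from the outcome of the app's own purge, rather than hard-coding it, covers the failure mode the question is about: if the local deletion fails or is skipped, the SDK's wipe still runs, so the safe side is taken automatically.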

Are there any other ways that an application can be un-enrolled?

Yes, the IT admin can send a selective wipe command to the application. This will deregister and unenroll the user, and it will wipe the user's data. The SDK automatically handles this scenario and sends a notification via the unenroll delegate method.

Submit your app to the App Store

Both the static library and framework builds of the Intune App SDK are universal binaries. This means they contain code for all device and simulator architectures. Apple will reject apps submitted to the App Store if they contain simulator code. When compiling against the static library for device-only builds, the linker will automatically strip out the simulator code. Follow the steps below to ensure all simulator code is removed before you upload your app to the App Store.

  1. Make sure IntuneMAM.framework is on your desktop.

  2. Run these commands:

    lipo ~/Desktop/IntuneMAM.framework/IntuneMAM -remove i386 -remove x86_64 -output ~/Desktop/IntuneMAM.device_only
    cp ~/Desktop/IntuneMAM.device_only ~/Desktop/IntuneMAM.framework/IntuneMAM

    The first command strips the simulator architectures (i386 and x86_64) from the framework's DYLIB file. The second command copies the device-only DYLIB file back into the framework directory.
