Prepare iOS apps for app protection policies with the Intune App Wrapping Tool

Applies to: Intune
This topic applies to Intune in both the Azure portal and the classic portal.

Use the Microsoft Intune App Wrapping Tool for iOS to enable Intune app protection policies for in-house iOS apps without changing the code of the app itself.

The tool is a macOS command-line application that creates a wrapper around an app. Once an app is processed, you can change the app's functionality by deploying app protection policies to it.

To download the tool, see Microsoft Intune App Wrapping Tool for iOS on GitHub.

General prerequisites for the App Wrapping Tool

Before you run the App Wrapping Tool, you need to fulfill some general prerequisites:

  • Download the Microsoft Intune App Wrapping Tool for iOS from GitHub.

  • A macOS computer that runs OS X 10.8.5 or later and has the Xcode toolset version 5 or later installed.

  • The input iOS app must be developed and signed by your company or an independent software vendor (ISV).

    • The input app file must have the extension .ipa or .app.

    • The input app must be compiled for iOS 8.0 or later.

    • The input app cannot be encrypted.

    • The input app cannot have extended file attributes.

    • The input app must have entitlements set before being processed by the Intune App Wrapping Tool. Entitlements give the app additional permissions and capabilities beyond those typically granted. See Setting app entitlements for instructions.

Apple Developer prerequisites for the App Wrapping Tool

To distribute wrapped apps exclusively to your organization's users, you need an account with the Apple Developer Enterprise Program and several entities for app signing that are linked to your Apple Developer account.

To learn more about distributing iOS apps internally to your organization's users, read the official guide to Distributing Apple Developer Enterprise Program Apps.

You will need the following to distribute apps wrapped by Intune:

  • A developer account with the Apple Developer Enterprise Program.

  • In-house and ad-hoc distribution signing certificate with valid Team Identifier.

    • You will need the SHA1 hash of the signing certificate as a parameter to the Intune App Wrapping Tool.

  • In-house distribution provisioning profile.

Steps to create an Apple Developer Enterprise account

  1. Go to the Apple Developer Enterprise Program site.

  2. In the top right of the page, click Enroll.

  3. Read the checklist of what you need to enroll. Click Start Your Enrollment at the bottom of the page.

  4. Sign in with the Apple ID of your organization. If you don't have one, click Create Apple ID.

  5. Select your Entity Type and click Continue.

  6. Fill out the form with your organization's information. Click Continue. At this point, Apple contacts you to verify that you are authorized to enroll your organization.

  7. After verification, click Agree to License.

  8. After agreeing to license, finish by purchasing and activating the program.

  9. If you are the team agent (the person who joins the Apple Developer Enterprise Program on behalf of your organization), build your team first by inviting team members and assigning roles. To learn how to manage your team, read the Apple documentation on Managing Your Developer Account Team.

Steps to create an Apple signing certificate

  1. Go to the Apple Developer portal.

  2. In the top right of the page, click Account.

  3. Sign in with your organizational Apple ID.

  4. Click Certificates, IDs & Profiles.

  5. Click the plus sign in the top right corner to add an iOS certificate.

  6. Choose to create an In-House and Ad Hoc certificate under Production.

    Note

    If you do not plan to distribute the app, and only want to test it internally, you can use an iOS App Development certificate instead of a certificate for Production. If you use a development certificate, make sure the mobile provisioning profile references the devices on which the app will be installed.

  7. Click Next at the bottom of the page.

  8. Read the instructions on creating a Certificate Signing Request (CSR) using the Keychain Access application on your macOS computer.

  9. Follow the instructions above to create a Certificate Signing Request. On your macOS computer, launch the Keychain Access application.

  10. On the macOS menu at the top of the screen, go to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.

  11. Follow the instructions from the Apple developer site above on how to create a CSR file. Save the CSR file to your macOS computer.

  12. Return to the Apple developer site. Click Continue. Then upload the CSR file.

  13. Apple generates your signing certificate. Download and save it to a memorable location on your macOS computer.

  14. Double-click the certificate file you just downloaded to add the certificate to a keychain.

  15. Open Keychain Access again. Locate your certificate by searching for its name in the top right search bar. Right-click on the item to bring up the menu and click Get Info. In the example screens, we are using a development certificate instead of a production certificate.

  16. An informational window appears. Scroll to the bottom and look under the Fingerprints label. Copy the SHA1 string (blurred out) to use as the argument for "-c" for the App Wrapping Tool.

Steps to create an In-House Distribution Provisioning profile

  1. Go back to the Apple Developer account portal and sign in with your organizational Apple ID.

  2. Click Certificates, IDs & Profiles.

  3. Click the plus sign in the top right corner to add an iOS provisioning profile.

  4. Choose to create an In House provisioning profile under Distribution.

  5. Click Continue. Make sure to link the previously generated signing certificate to the provisioning profile.

  6. Follow the steps to download your profile (with extension .mobileprovision) to your macOS computer.

  7. Save the file in a memorable location. This file will be used for the -p parameter while using the App Wrapping Tool.

Download the App Wrapping Tool

  1. Download the files for the App Wrapping Tool from GitHub to a macOS computer.

  2. Double-click Microsoft Intune App Wrapping Tool for iOS.dmg. A window with the End User License Agreement (EULA) will appear. Read the document carefully.

  3. Choose Agree to accept EULA, which mounts the package to your computer.

  4. Open the IntuneMAMPackager folder and save its contents to your macOS computer. You are now ready to run the App Wrapping Tool.

Run the App Wrapping Tool

Use terminal

Open the macOS Terminal program and navigate to the folder where you saved the app wrapping tool files. The executable tool is named IntuneMAMPackager and is located in IntuneMAMPackager/Contents/MacOS. Run the command as follows:

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i /<path of input app>/<app filename> -o /<path to output folder>/<app filename> -p /<path to provisioning profile> -c <SHA1 hash of the certificate> [-b [<output app build string>]] [-v] [-e] [-x /<array of extension provisioning profile paths>]

Note

Some parameters are optional as shown in the following table.

Example: The following example command runs the App Wrapping Tool on the app named MyApp.ipa. A provisioning profile and SHA-1 hash of the signing certificate are specified and used to sign the wrapped app. The output app (MyApp_Wrapped.ipa) is created and stored in your Desktop folder.

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i ~/Desktop/MyApp.ipa -o ~/Desktop/MyApp_Wrapped.ipa -p ~/Desktop/My_Provisioning_Profile_.mobileprovision -c "12 A3 BC 45 D6 7E F8 90 1A 2B 3C DE F4 AB C5 D6 E7 89 0F AB"  -v true

Command-line parameters

You can use the following command line parameters with the App Wrapping Tool:

Property | How to use it
-i | <Path of the input native iOS application file>. The file name must end in .app or .ipa.
-o | <Path of the wrapped output application>
-p | <Path of your provisioning profile for iOS apps>
-c | <SHA1 hash of the signing certificate>
-h | Shows detailed usage information about the available command line properties for the App Wrapping Tool.
-v | (Optional) Outputs verbose messages to the console. It is recommended to use this flag to debug any errors.
-e | (Optional) Use this flag to have the App Wrapping Tool remove missing entitlements as it processes the app. See Setting app entitlements for more details.
-xe | (Optional) Prints information about the iOS extensions in the app and what entitlements are required to use them. See Setting app entitlements for more details.
-x | (Optional) <An array of paths to extension provisioning profiles>. Use this if your app needs extension provisioning profiles.
-f | (Optional) <Path to a plist file specifying arguments.> Use this flag in front of the plist file if you choose to use the plist template to specify the rest of the IntuneMAMPackager properties like -i, -o, and -p. See Use a plist to input arguments.
-b | (Optional) Use -b without an argument if you want the wrapped output app to have the same bundle version as the input app (not recommended). Use -b <custom bundle version> if you want the wrapped app to have a custom CFBundleVersion. If you choose to specify a custom CFBundleVersion, it's a good idea to increment the native app's CFBundleVersion by the least significant component, like 1.0.0 -> 1.0.1.

Use a plist to input arguments

An easy way to run the App Wrapping Tool is to put all the command arguments into a plist file. Plist is a file format similar to XML that you can use to input your command line arguments using a form interface.

In the IntuneMAMPackager/Contents/MacOS folder, open Parameters.plist (a blank plist template) with a text editor or Xcode. Enter your arguments for the following keys:

Plist key | Default value | Notes
Input Application Package Path | empty | Same as -i
Output Application Package Path | empty | Same as -o
Provisioning Profile Path | empty | Same as -p
SHA-1 Certificate Hash | empty | Same as -c
Verbose Enabled | false | Same as -v
Remove Missing Entitlements | false | Same as -e
Prevent Default Build | false | Equivalent to using -b without arguments
Build String Override | empty | The custom CFBundleVersion of the wrapped output app
Extension Provisioning Profile Paths | empty | An array of extension provisioning profiles for the app.

Run the IntuneMAMPackager with the plist as the sole argument:

./IntuneMAMPackager -f Parameters.plist

Post-wrapping

After the wrapping process completes, the message "The application was successfully wrapped" will be displayed. If an error occurs, see Error messages for help.

The wrapped app is saved in the output folder you specified previously. You can upload the app to the Intune admin console and associate it with a mobile application management policy.

Important

When uploading a wrapped app, you can try to update an older version of the app if an older (wrapped or native) version was already deployed to Intune. If you experience an error, upload the app as a new app and delete the older version.

You can now deploy the app to your user groups and target app protection policies to the app. The app will run on the device using the app protection policies you specified.

Error messages and log files

Use the following information to troubleshoot issues you have with the app wrapping tool.

Error messages

If the app wrapping tool fails to finish successfully, one of the following error messages will be displayed in the console:

Error message | More information
You must specify a valid iOS provisioning profile. | Your provisioning profile might not be valid. Check to make sure you have the correct permissions for devices and that your profile is correctly targeting development or distribution. Your provisioning profile might also be expired.
Specify a valid input application name. | Make sure that the input application name you specified is correct.
Specify a valid path to the output application. | Make sure that the path to the output application you specified exists, and is correct.
Specify a valid input provisioning profile. | Make sure you supplied a valid provisioning profile name and extension. Your provisioning profile might be missing entitlements, or you might not have included the -p command line option.
The input application you specified was not found. Specify a valid input application name and path. | Make sure your input app path is valid and exists. Make sure the input app exists at that location.
The input provisioning profile file you specified was not found. Specify a valid input provisioning profile file. | Make sure that the path to the input provisioning file is valid and that the file you specified exists.
The output application folder you specified was not found. Specify a valid path to the output application. | Make sure that the output path you specified is valid and exists.
Output app does not have .ipa extension. | Only apps with the .app and .ipa extensions are accepted by the App Wrapping Tool. Make sure your output file has a valid extension.
An invalid signing certificate was specified. Specify a valid Apple signing certificate. | Make sure you've downloaded the correct signing certificate from the Apple developer portal. Your certificate might be expired or might be missing a public or private key. If your Apple certificate and provisioning profile can be used to correctly sign an app within Xcode, then they are valid for the App Wrapping Tool.
The input application you specified is invalid. Specify a valid application. | Make sure you have a valid iOS application that has been compiled as an .app or .ipa file.
The input application you specified is encrypted. Specify a valid unencrypted application. | The App Wrapping Tool does not support encrypted apps. Provide an unencrypted app.
The input application you specified is not in a Position Independent Executable (PIE) format. Specify a valid application in PIE format. | Position Independent Executable (PIE) apps can be loaded at a random memory address when run. This can have security benefits. For more about security benefits, see your Apple Developer documentation.
The input app you specified has already been wrapped. Specify a valid unwrapped application. | You cannot process an app that has already been processed by the tool. If you want to process an app again, run the tool using the original version of the app.
The input application you specified is not signed. Specify a valid signed application. | The app wrapping tool requires apps to be signed. Consult your developer documentation to learn how to sign a wrapped app.
The input application you specified must be in the .ipa or .app format. | Only .app and .ipa extensions are accepted by the app wrapping tool. Make sure your input file has a valid extension and has been compiled as a .app or .ipa file.
The input app you specified has already been wrapped and is on the latest policy template version. | The App Wrapping Tool will not rewrap an existing wrapped app with the latest policy template version.
WARNING: You did not specify a SHA1 certificate hash. Make sure that your wrapped application is signed before deploying. | Ensure that you specify a valid SHA1 hash following the -c command line flag.

Log files for the App Wrapping Tool

Apps that have been wrapped by using the App Wrapping Tool generate logs that are written to the iOS client device console. This information is useful when you are having problems with the application and need to determine if the issue is related to the App Wrapping Tool. To retrieve this information, use the following steps:

  1. Reproduce the issue by running the app.

  2. Collect the console output by following Apple's instructions for Debugging Deployed iOS Apps.

  3. Filter the saved logs for App Restrictions output by entering the following script into the console:

    grep "IntuneAppRestrictions" <text file containing console output> > <required filtered log file name>

    You can submit the filtered logs to Microsoft.

    Note

    In the log file, the item 'build version' represents the build version of Xcode.

    Wrapped apps will also present users the option to send logs directly from the device via email after the app crashes. Users can send the logs to you to examine and forward to Microsoft if necessary.

Certificate, provisioning profile, and authentication requirements

The App Wrapping Tool for iOS has some requirements that must be met in order to guarantee full functionality.

Requirement | Details
iOS provisioning profile | Make sure that the provisioning profile is valid before you include it. The App Wrapping Tool does not check whether the provisioning profile is expired when processing an iOS app. If an expired provisioning profile is specified, the app wrapping tool will include the expired provisioning profile, and you will not know there is a problem until the app fails to install on an iOS device.
iOS signing certificate | Make sure that the signing certificate is valid before you specify it. The tool does not check whether a certificate is expired when processing iOS apps. If the hash for an expired certificate is provided, the tool will process and sign the app, but it will fail to install on devices. Make sure that the certificate provided for signing the wrapped app has a match in the provisioning profile. The tool does not validate if the provisioning profile has a match for the certificate provided for signing the wrapped application.
Authentication | A device must have a PIN for encryption to work. On devices to which you have deployed a wrapped app, touching the status bar on the device will require the user to sign in again with a work or school account. The default policy in a wrapped app is authentication on re-launch. iOS handles any external notification (like a phone call) by exiting the app and then re-launching it.
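
Because the tool performs neither check, the following pre-flight check covers two of the requirements above: that the provisioning profile has not expired and that the -c fingerprint matches a certificate listed in the profile. It is an added example, not code from Microsoft or the App Wrapping Tool; it assumes the profile's plist carries the standard ExpirationDate and DeveloperCertificates keys, it does not verify the profile's CMS signature or the certificate's own validity dates, and the sample profile and certificate bytes are constructed.

```python
import hashlib
import plistlib
from datetime import datetime, timezone


def load_profile(raw):
    """Parse the plist embedded in a .mobileprovision blob.

    The file is a CMS-signed container; this only locates the XML payload.
    It does NOT verify the signature (assumption: the file is trusted).
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def normalize_sha1(value):
    """Turn a Keychain-style fingerprint ('12 A3 BC ...') into 40 hex chars."""
    cleaned = "".join(ch for ch in value if ch not in " :\t").upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a SHA-1 fingerprint: %r" % value)
    return cleaned


def keychain_fingerprint(cert_der):
    """SHA-1 of the DER bytes, spaced the way Keychain Access displays it."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, 40, 2))


def preflight(raw_profile, cert_sha1, now=None):
    """Return a list of problems; an empty list means both checks passed."""
    profile = load_profile(raw_profile)
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []

    expires = profile.get("ExpirationDate")
    if expires is None:
        problems.append("profile has no ExpirationDate")
    elif expires <= now:
        problems.append("profile expired on %s" % expires.date())

    wanted = normalize_sha1(cert_sha1)
    embedded = [hashlib.sha1(der).hexdigest().upper()
                for der in profile.get("DeveloperCertificates", [])]
    if wanted not in embedded:
        problems.append("signing certificate %s is not listed in the profile"
                        % wanted)
    return problems


def build_sample_profile(cert_der, expires):
    """Constructed stand-in for a .mobileprovision: a plist inside opaque bytes."""
    body = plistlib.dumps({
        "Name": "Constructed Sample Profile",
        "ExpirationDate": expires,
        "DeveloperCertificates": [cert_der],
    })
    return b"\x30\x82constructed-cms-header" + body + b"constructed-cms-trailer"


# Constructed sample data: these bytes are not a real certificate or profile.
SAMPLE_CERT = b"constructed bytes standing in for a DER certificate"
SAMPLE_PROFILE = build_sample_profile(SAMPLE_CERT, datetime(2031, 1, 1))

if __name__ == "__main__":
    fingerprint = keychain_fingerprint(SAMPLE_CERT)
    found = preflight(SAMPLE_PROFILE, fingerprint, now=datetime(2030, 1, 1))
    for line in found or ["profile is current and lists the certificate"]:
        print(line)
```

On a real file, pass the bytes of the .mobileprovision file as raw_profile and the same string you give to -c as cert_sha1.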

Setting app entitlements

Before wrapping your app, you can grant entitlements to give the app additional permissions and capabilities that exceed what an app can typically do. An entitlement file is used during code signing to specify special permissions within your app (for example, access to a shared keychain). Specific app services called capabilities are enabled within Xcode during app development. Once enabled, the capabilities are reflected in your entitlements file. For more information about entitlements and capabilities, see Adding Capabilities in the iOS Developer Library. For a complete list of supported capabilities, see Supported capabilities.

Supported capabilities for the App Wrapping Tool for iOS

Capability | Description | Recommended guidance
App groups | Use app groups to allow multiple apps to access shared containers and allow additional interprocess communication between apps. To enable app groups, open the Capabilities pane and click ON in App Groups. You can add app groups or select existing ones. | When using App Groups, use reverse DNS notation: group.com.companyName.AppGroup
Background modes | Enabling background modes lets your iOS app continue running in the background. |
Data protection | Data protection adds a level of security to files stored on disk by your iOS app. Data protection uses the built-in encryption hardware present on specific devices to store files in an encrypted format on disk. Your app needs to be provisioned to use data protection. |
In-app purchase | In-app purchase embeds a store directly into your app by enabling you to connect to the store and securely process payments from the user. You can use in-app purchase to collect payment for enhanced functionality or for additional content usable by your app. |
Keychain sharing | Enabling keychain sharing lets your app share passwords in the keychain with other apps developed by your team. | When using keychain sharing, use reverse DNS notation: com.companyName.KeychainGroup
Personal VPN | Enable personal VPN to allow your app to create and control a custom system VPN configuration using the Network Extension framework. |
Push notifications | Apple Push Notification service (APNs) lets an app that isn't running in the foreground notify the user that it has information for the user. | For push notifications to work, you need to use an app-specific provisioning profile. Follow the steps in the Apple developer documentation.
Wireless accessory configuration | Enabling wireless accessory configuration adds the External Accessory framework to your project and lets your app set up MFi Wi-Fi accessories. |

Steps to enable entitlements

  1. Enable capabilities in your app:

    a. In Xcode, go to your app's target, and click Capabilities.

    b. Turn on the appropriate capabilities. For detailed information about each capability and how to determine the correct values, see Adding Capabilities in the iOS Developer Library.

    c. Note any IDs that you created during the process.

    d. Build and sign your app to be wrapped.

  2. Enable entitlements in your provisioning profile:

    a. Sign in to the Apple Developer Member Center.

    b. Create a provisioning profile for your app. For instructions, see How to Obtain the Prerequisites for the Intune App Wrapping Tool for iOS.

    c. In your provisioning profile, enable the same entitlements that you have in your app. You will need to supply the same IDs that you specified during the development of your app.

    d. Finish the provisioning profile wizard and download your file.

  3. Ensure that you have satisfied all the prerequisites, and then wrap the app.

Troubleshoot common errors with entitlements

If the App Wrapping Tool for iOS shows an entitlement error, try the following troubleshooting steps.

Issue | Cause | Resolution
Failed to parse entitlements generated from the input application. | The App Wrapping Tool cannot read the entitlements file that was extracted from the app. The entitlements file might be malformed. | Inspect the entitlements file for your app. The following instructions explain how to do so. When inspecting the entitlements file, check for any malformed syntax. The file should be in XML format.
Entitlements are missing in the provisioning profile (missing entitlements are listed). Repackage the app with a provisioning profile that has these entitlements. | There is a mismatch between the entitlements enabled in the provisioning profile and the capabilities enabled in the app. This mismatch also applies to the IDs associated with particular capabilities (like app groups and keychain access). | Generally, you can create a new provisioning profile that enables the same capabilities as the app. When IDs between the profile and app don't match, the App Wrapping Tool will replace the IDs if it is able to. If you still get this error after creating a new provisioning profile, you can try removing entitlements from the app by using the -e parameter (see Using the -e parameter to remove entitlements from an app section).

Find the existing entitlements of a signed app

To review the existing entitlements of a signed app and provisioning profile:

  1. Find the .ipa file and change its extension to .zip.

  2. Expand the .zip file. This will produce a Payload folder containing your .app bundle.

  3. Use the codesign tool to check the entitlements on the .app bundle, where YourApp.app is the actual name of your .app bundle:

    $ codesign -d --entitlements :- "Payload/YourApp.app"

  4. Use the security tool to check the entitlements of the app's embedded provisioning profile, where YourApp.app is the actual name of your .app bundle.

    $ security cms -D -i "Payload/YourApp.app/embedded.mobileprovision"
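
The two outputs from steps 3 and 4 can be compared mechanically to find the mismatch that causes the "Entitlements are missing in the provisioning profile" error. The following is an added example, not part of the App Wrapping Tool or Microsoft's documentation; it assumes the app entitlements and the decoded profile are both available as XML plists, that the profile lists what it grants under its Entitlements key, and that a granted ID ending in * is a prefix wildcard. The sample plists are constructed.

```python
import plistlib


def id_allowed(value, patterns):
    """True if value equals a granted ID or matches a trailing-* wildcard."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if value.startswith(pattern[:-1]):
                return True
        elif value == pattern:
            return True
    return False


def compare_entitlements(app_plist, profile_plist):
    """Compare codesign output with a decoded provisioning profile.

    Returns (missing, unmatched):
      missing   - entitlement keys the app has but the profile does not grant
      unmatched - {key: [IDs]} where the key is granted but those IDs are not
    """
    app = plistlib.loads(app_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {})

    missing = sorted(key for key in app if key not in granted)
    unmatched = {}
    for key, value in app.items():
        if key not in granted:
            continue
        # Only string IDs (single or in arrays) are compared; booleans such
        # as get-task-allow are covered by the key-presence check above.
        if isinstance(value, str):
            values = [value]
        elif isinstance(value, list):
            values = [v for v in value if isinstance(v, str)]
        else:
            continue
        allowed = granted[key]
        patterns = allowed if isinstance(allowed, list) else [allowed]
        patterns = [p for p in patterns if isinstance(p, str)]
        rejected = [v for v in values if not id_allowed(v, patterns)]
        if rejected:
            unmatched[key] = rejected
    return missing, unmatched


# Constructed sample: what `codesign -d --entitlements :-` might print.
APP_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.companyName.MyApp",
    "aps-environment": "production",
    "com.apple.security.application-groups": ["group.com.companyName.AppGroup"],
    "keychain-access-groups": ["ABCDE12345.com.companyName.KeychainGroup"],
})

# Constructed sample: a decoded profile that lacks push notifications and
# grants a different app group than the one the app was built with.
PROFILE = plistlib.dumps({
    "Name": "Constructed Sample Profile",
    "Entitlements": {
        "application-identifier": "ABCDE12345.*",
        "com.apple.security.application-groups": ["group.com.companyName.Other"],
        "keychain-access-groups": ["ABCDE12345.*"],
    },
})

if __name__ == "__main__":
    missing, unmatched = compare_entitlements(APP_ENTITLEMENTS, PROFILE)
    print("missing from profile:", missing)
    print("IDs not granted:", unmatched)
```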
    

Remove entitlements from an app by using the -e parameter

This command removes any enabled capabilities in the app that are not in the entitlements file. If you remove capabilities that are being used by the app, it can break your app. An example of where you might remove missing capabilities is in a vendor-produced app that has all capabilities by default.

./IntuneMAMPackager/Contents/MacOS/IntuneMAMPackager -i /<path of input app>/<app filename> -o /<path to output folder>/<app filename> -p /<path to provisioning profile> -c <SHA1 hash of the certificate> -e

Security and privacy for the App Wrapping Tool

Use the following security and privacy best practices when you use the App Wrapping Tool.

  • The signing certificate, provisioning profile, and the line-of-business app you specify must be on the same macOS machine that you use to run the app wrapping tool. If the files are on a UNC path, ensure that these are accessible from the macOS machine. The path must be secured via IPsec or SMB signing.

    The wrapped application imported into the admin console should be on the same computer that you run the tool on. If the file is on a UNC path, ensure that it is accessible on the computer running the admin console. The path must be secured via IPsec or SMB signing.

  • The environment where the App Wrapping Tool is downloaded from the GitHub repository needs to be secured via IPsec or SMB signing.

  • The app you process must come from a trustworthy source to ensure protection against attacks.

  • Ensure that the output folder you specify in the App Wrapping Tool is secured, particularly if it is a remote folder.

  • iOS apps that include a file upload dialog box can allow users to circumvent cut, copy, and paste restrictions applied to the app. For example, a user could use the file upload dialog box to upload a screenshot of the app data.

  • When you monitor the documents folder on your device from within a wrapped app, you might see a folder named .msftintuneapplauncher. If you change or delete this file, it might affect the correct functioning of restricted apps.
