How to manage data transfer between iOS apps

Manage iOS apps

Protecting your company data includes making sure that file transfers are restricted to apps that you manage. You can manage iOS apps in the following ways:

  • Prevent company data loss by configuring an app protection policy for the apps; these are referred to below as policy-managed apps. See all the Intune-enlightened apps you can manage with app protection policy.

  • Deploy and manage apps through the MDM channel. This requires that the devices are enrolled in the MDM solution. These can be policy-managed apps or other managed apps.

The Open in management feature for iOS devices can limit file transfers between apps that are deployed through the MDM channel. Open in management restrictions are set in configuration settings and deployed using your MDM solution. When the user installs the deployed app, the restrictions you set are applied.

Using app protection with iOS apps

App protection policies can be used together with the iOS Open in management feature to protect company data in the following ways:

  • Employee-owned devices not managed by any MDM solution: Set the app protection policy setting to Allow app to transfer data to only Policy Managed apps. The Open-In behavior in a policy-managed app will then present only other policy-managed apps as sharing targets. If a user tries to send a policy-protected file as an attachment from OneDrive through the native mail app, that file will be unreadable in the native app.

  • Devices managed by Intune: For devices enrolled in Intune, data transfer between apps with app protection policies and other managed iOS apps deployed through Intune is allowed automatically. To allow data transfer between apps that have app protection policies, enable the Allow app to transfer data to only managed apps setting. Use the Open in management feature to control data transfer between apps that are deployed through Intune.

  • Devices managed by a third-party MDM solution: Restrict data transfer to managed apps only by using the iOS Open in management feature. To make sure that apps you deploy with your third-party MDM solution are also associated with the app protection policies you configured in Intune, you must configure the user UPN setting as described in the Configure user UPN setting walkthrough. When apps are deployed with the user UPN setting, the app protection policies are applied to the app when the end user signs in with their work account.

Important

The user UPN setting is only required for apps deployed to devices managed by a third-party MDM. For Intune-managed devices, this setting is not required.

Configure user UPN setting for third-party EMM

Configuring the user UPN setting is required for devices that are managed by a third-party EMM solution. The procedure below is the general flow for configuring the UPN setting, followed by the resulting end-user experience:

  1. In the Azure portal, create and assign an app protection policy for iOS. Configure the policy settings per your company requirements and select the iOS apps that should receive this policy.

  2. Deploy the apps and the email profile that you want managed through your third-party MDM solution, using the generalized steps below. This experience is also covered in Example 1.

    1. Deploy the app with the following app configuration setting:

      key = IntuneMAMUPN, value = username@company.com

      Example: ['IntuneMAMUPN', 'jondoe@microsoft.com']

    2. Deploy the Open in management policy to enrolled devices using your third-party MDM provider.

Example 1: Admin experience in third-party MDM console

  1. Go to the admin console of your third-party MDM provider. Go to the section of the console in which you deploy application configuration settings to enrolled iOS devices.

  2. In the Application Configuration section, enter the following setting:

    key = IntuneMAMUPN, value = username@company.com

    The exact syntax of the key/value pair may differ based on your third-party MDM provider. The table below shows examples of third-party MDM providers and the exact values you should enter for the key/value pair. The configuration value is a provider-specific template that the MDM expands to each enrolled user's UPN at deployment time; the literal placeholder text must not reach the device.

Third-party MDM provider   Configuration key   Value type   Configuration value
VMware AirWatch            IntuneMAMUPN        String       {UserPrincipalName}
MobileIron                 IntuneMAMUPN        String       ${userUPN} or ${userEmailAddress}
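The setting above only does its job if the MDM actually expands the template to the user's UPN and the value matches the work account the user later signs in with. The following Python is an added example, not Microsoft's or any MDM vendor's code: it models the sanity checks an administrator would run against the app configuration dictionary delivered to the device (the unexpanded-placeholder list is taken from the table above, and the case-insensitive UPN comparison is an assumption; the page only says the two accounts should match).

```python
"""Added example: check an IntuneMAMUPN app-configuration value before relying on it.

This is not Microsoft's or an MDM vendor's code. The app config dictionary
and sign-in account below are constructed sample data.
"""
import re
from typing import Optional

# Key name from the page. The placeholder list comes from the page's
# AirWatch/MobileIron table; any other vendor's syntax is an assumption.
MAM_UPN_KEY = "IntuneMAMUPN"
UNEXPANDED_PLACEHOLDERS = ("{UserPrincipalName}", "${userUPN}", "${userEmailAddress}")

# Loose UPN shape: one '@', no whitespace, a dotted domain.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_mam_upn(app_config: dict, signed_in_upn: Optional[str]) -> dict:
    """Report whether the delivered value is usable and whether it matches the
    account the user signed in with (case-insensitive match is an assumption)."""
    report = {
        "key_present": False,
        "unexpanded_placeholder": False,
        "valid_upn": False,
        "matches_signed_in": False,
        "policy_applies": False,
    }
    value = app_config.get(MAM_UPN_KEY)
    if not isinstance(value, str):
        return report
    report["key_present"] = True
    value = value.strip()

    # Most common misconfiguration: the MDM template was not expanded, so the
    # device received the literal placeholder text instead of a UPN.
    if any(placeholder in value for placeholder in UNEXPANDED_PLACEHOLDERS):
        report["unexpanded_placeholder"] = True
        return report

    if not UPN_RE.match(value):
        return report
    report["valid_upn"] = True

    # The policy is applied only when the signed-in work account matches the
    # configured UPN; a personal account in the same app stays unmanaged.
    if signed_in_upn and value.casefold() == signed_in_upn.strip().casefold():
        report["matches_signed_in"] = True
        report["policy_applies"] = True
    return report


if __name__ == "__main__":
    # Constructed sample: what an MDM would hand to the app as managed config.
    delivered = {"IntuneMAMUPN": "jondoe@contoso.com"}
    print(check_mam_upn(delivered, "JonDoe@contoso.com"))   # policy applies
    print(check_mam_upn(delivered, "jon.personal@example.net"))  # personal account
    print(check_mam_upn({"IntuneMAMUPN": "{UserPrincipalName}"}, "jondoe@contoso.com"))
```

Run it once against a device where the value was captured from the app's managed configuration; an `unexpanded_placeholder` result means the MDM-side template syntax is wrong for that vendor, and a `valid_upn` without `matches_signed_in` means the user signed in with an account other than the one the policy was targeted at.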

Example 2: End-user experience

  1. The end user installs the Microsoft Word app on the device.

  2. The end user launches the managed native email app to access their email.

  3. The end user tries to open a document from native mail in Microsoft Word.

  4. When the Word app launches, the end user is prompted to log in with their work account. The work account the end user enters at this prompt must match the account you specified in the app configuration settings for the Microsoft Word app.

    Note

    The end user can add other personal accounts to Word for personal work; those accounts are not affected by the app protection policies when the Word app is used in a personal context.

  5. When the login is successful, the app protection policy settings are applied to the Word app.

  6. The data transfer now succeeds, and the document is tagged with a corporate identity in the app. The data is treated as being in a work context, and the policy settings are applied accordingly.

Validate user UPN setting for third-party EMM

After configuring the user UPN setting, validate that the iOS app receives and complies with the Intune app protection policy.

For example, the Require app PIN policy setting is easy to test visually on a device. If the setting is set to Yes, the end user should see a prompt to set or enter a PIN when attempting to access company data. If no prompt appears after signing in with the work account, the UPN delivered through app configuration did not match that account and the policy was not applied.

First, create and assign an app protection policy to the iOS app. See Validate app protection policies for more information on how to test app protection policy.

See also

What is Intune app protection policy