Frequently asked questions about MAM and app protection

This article provides answers to some frequently asked questions on Intune mobile application management (MAM) and Intune app protection.

MAM Basics

What is MAM?
Intune mobile application management refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps for your users.

What are the benefits of MAM app protection?
MAM protects an organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Intune-managed apps available for public use.

What device configurations does MAM support?
Intune MAM supports two configurations:

  • Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM + MAM, customers should use the Intune console in the Azure portal at https://portal.azure.com.

  • MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps using MAM-WE, customers should use the Intune console in the Azure portal at https://portal.azure.com. Also, apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers or not enrolled with an MDM at all.

App protection policies

What are app protection policies?
App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.

What are examples of app protection policies?
See the Android app protection policy settings and iOS app protection policy settings for detailed information on each app protection policy setting.

Apps you can manage with app protection policies

Which apps can be managed by app protection policies?
Any app that has been integrated with the Intune App SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Intune-managed apps available for public use.

What are the baseline requirements to use app protection policies on an Intune-managed app?

  • The end user must have an Azure Active Directory (AAD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.

  • The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.

  • The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the Intune console in the Azure portal. Security groups can currently be created in the Microsoft 365 admin center.

  • The end user must sign into the app using their AAD account.

What are the additional requirements to use the Outlook mobile app?

  • The end user must have the Outlook mobile app installed to their device.

  • The end user must have an Office 365 Exchange Online mailbox and license linked to their Azure Active Directory account.

    Note

    The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and Exchange Server with hybrid modern authentication and does not support Exchange in Office 365 Dedicated.

What are the additional requirements to use the Word, Excel, and PowerPoint apps?

  • The end user must have a license for Office 365 Business or Enterprise linked to their Azure Active Directory account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Office 365 licenses can be assigned in the Microsoft 365 admin center following these instructions.

  • The end user must have a managed location configured using the granular save as functionality under the "Prevent Save As" application protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.

  • If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to the end user.

    Note

    The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.

Why is a managed location (i.e. OneDrive) needed for Office?
Intune marks all data in the app as either "corporate" or "personal." Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business account).

What are the additional requirements to use Skype for Business?
See Skype for Business license requirements. For Skype for Business (SfB) hybrid and on-prem configurations, see Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB OnPrem with AAD, respectively.

App protection features

What is multi-identity support?
Multi-identity support is the ability for the Intune App SDK to only apply app protection policies to the work or school account signed into the app. If a personal account is signed into the app, the data is untouched.

What is the purpose of multi-identity support?
Multi-identity support allows apps with both "corporate" and consumer audiences (i.e. the Office apps) to be released publicly with Intune app protection capabilities for the "corporate" accounts.

What about Outlook and multi-identity?
Because Outlook has a combined email view of both personal and "corporate" emails, the Outlook app prompts for the Intune PIN on launch.

What is the Intune app PIN?
The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.

  • When is the user prompted to enter their PIN?
    Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps such as Word/Excel/PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file. In single-identity apps, such as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is prompted at launch, because the Intune App SDK knows the user's experience in the app is always "corporate."

  • How often will the user be prompted for the Intune PIN?
    The IT admin can define the Intune app protection policy setting 'Recheck the access requirements after (minutes)' in the Intune admin console. This setting specifies the amount of time before the access requirements are checked on the device, and the application PIN screen is shown again. However, important details about the PIN that affect how often the user will be prompted are:

    • The PIN is shared among apps of the same publisher to improve usability: On iOS, one app PIN is shared amongst all apps of the same app publisher. On Android, one app PIN is shared amongst all apps.
    • The 'Recheck the access requirements after (minutes)' behavior after a device reboot: A "PIN timer" tracks the number of minutes of inactivity that determine when to show the Intune app PIN next. On iOS, the PIN timer is unaffected by device reboot. Thus, device restart has no effect on the number of minutes the user has been inactive from an iOS app with Intune PIN policy. On Android, the PIN timer is reset on device reboot. As such, Android apps with Intune PIN policy will likely prompt for an app PIN regardless of the 'Recheck the access requirements after (minutes)' setting value after a device reboot.
    • The rolling nature of the timer associated with the PIN: Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the device, the PIN timer gets reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer has reset. The prompt will show up again once the 'Recheck the access requirements after (minutes)' value is met again.

For iOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the 'Recheck the access requirements after (minutes)' value is met again for the app that is not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the 'Recheck the access requirements after (minutes)' value is met and the user switches to app B, the PIN would be required.

Note

In order to verify the user's access requirements more often (i.e. PIN prompt), especially for a frequently used app, it is recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.

  • How does the Intune PIN work with built-in app PINs for Outlook and OneDrive?
    The Intune PIN works based on an inactivity-based timer (aka the value of 'Recheck the access requirements after (minutes)'). As such, Intune PIN prompts show up independently from the built-in app PIN prompts for Outlook and OneDrive, which are often tied to app launch by default. If the user receives both PIN prompts at the same time, the expected behavior should be that the Intune PIN takes precedence.

  • Is the PIN secure?
    The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end user must sign in with their work or school account before they can set or reset their Intune app PIN. This authentication is handled by Azure Active Directory via secure token exchange and is not transparent to the Intune App SDK. From a security perspective, the best way to protect work or school data is to encrypt it. Encryption is not related to the app PIN but is its own app protection policy.

  • How does Intune protect the PIN against brute force attacks?
    As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to authenticate their PIN before locking the app. After the number of attempts has been met, the Intune App SDK can wipe the "corporate" data in the app.

  • Why do I have to set a PIN twice on apps from the same publisher?
    MAM (on iOS) currently allows an application-level PIN with alphanumeric and special characters (called a 'passcode'), which requires the participation of applications (i.e. WXP, Outlook, Managed Browser, Yammer) to integrate the Intune APP SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted applications. This was a feature released in the Intune SDK for iOS v. 7.1.12.

    In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for iOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK. Therefore, if a device has applications with Intune SDK for iOS versions before 7.1.12 AND after 7.1.12 from the same publisher, the user will have to set up two PINs.

    That being said, the two PINs (for each app) are not related in any way, i.e. they must adhere to the app protection policy that's applied to the app. As such, only if apps A and B have the same policies applied (with respect to PIN) may the user set up the same PIN twice.

    This behavior is specific to the PIN on iOS applications that are enabled with Intune Mobile App Management. Over time, as applications adopt later versions of the Intune SDK for iOS, having to set a PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an example.

    Note

    For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to 7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an iOS device.

    If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A.

    An app D built with 7.1.14 will share the same PIN as app B.

    If only apps A and C are installed on a device, then one PIN will need to be set. The same applies if only apps B and D are installed on a device.
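To make the PIN rules above concrete (which apps share one PIN on iOS versus Android, the 7.1.12 SDK split from the note, and the rolling inactivity timer with its reboot behavior), here is an added Python model; it is not Intune or Intune App SDK code. The publisher name Contoso, the exact SDK versions chosen for apps A and B, and the class and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Intune SDK for iOS version at which passcode-capable PINs were introduced
# (from the FAQ); PINs before and after this boundary are handled separately.
PASSCODE_SDK_BOUNDARY = (7, 1, 12)


def parse_version(text):
    """'7.1.12' -> (7, 1, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class ManagedApp:
    name: str
    publisher: str
    platform: str     # "ios" or "android"
    sdk_version: str  # Intune App SDK version the app integrates


def pin_group_key(app):
    """Apps that map to the same key share one Intune app PIN.
    Android: a single PIN for every managed app on the device.
    iOS: one PIN per publisher, split by whether the app's SDK is before
    7.1.12 (numeric PIN only) or 7.1.12+ (passcode-capable)."""
    if app.platform == "android":
        return ("android",)
    generation = ("passcode" if parse_version(app.sdk_version) >= PASSCODE_SDK_BOUNDARY
                  else "numeric")
    return ("ios", app.publisher, generation)


def pin_groups(apps):
    """Group app names by the PIN they share."""
    groups = {}
    for app in apps:
        groups.setdefault(pin_group_key(app), []).append(app.name)
    return groups


def pins_to_set_up(apps):
    """Number of distinct PINs the end user has to set up on this device."""
    return len(pin_groups(apps))


class PinTimer:
    """Rolling inactivity timer for one shared PIN. Timestamps are in minutes;
    recheck_minutes mirrors 'Recheck the access requirements after (minutes)'."""

    def __init__(self, platform, recheck_minutes):
        self.platform = platform
        self.recheck_minutes = recheck_minutes
        self.pin_entered = False
        self.last_left_foreground = None

    def enter_pin(self, now):
        self.pin_entered = True
        self.last_left_foreground = now

    def leave_foreground(self, now):
        # Any app sharing this PIN leaving the foreground resets the timer.
        self.last_left_foreground = now

    def reboot(self):
        # Android resets the PIN timer on reboot, so the next launch prompts
        # regardless of the recheck value; iOS keeps counting inactivity.
        if self.platform == "android":
            self.pin_entered = False

    def prompt_required(self, now):
        """Called when an app sharing this PIN comes to the foreground."""
        if not self.pin_entered:
            return True
        return now - self.last_left_foreground >= self.recheck_minutes


# Constructed sample: the four apps from the note above, all from one publisher.
SAMPLE_APPS = [
    ManagedApp("A", "Contoso", "ios", "7.1.10"),  # assumed pre-7.1.12 version
    ManagedApp("B", "Contoso", "ios", "7.1.12"),
    ManagedApp("C", "Contoso", "ios", "7.1.9"),
    ManagedApp("D", "Contoso", "ios", "7.1.14"),
]

if __name__ == "__main__":
    # A and C share one PIN, B and D share the other: two PINs to set up.
    print(pin_groups(SAMPLE_APPS), pins_to_set_up(SAMPLE_APPS))
```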

What about encryption?
IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.

  • How does Intune encrypt data?
    See the Android app protection policy settings and iOS app protection policy settings for detailed information on the encryption app protection policy setting.

  • What gets encrypted?
    Only data marked as "corporate" is encrypted according to the IT administrator's app protection policy. Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business account). For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered "corporate."

How does Intune remotely wipe data?
Intune can wipe app data in three different ways: full device wipe, selective wipe for MDM, and MAM selective wipe. For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.

  • What is wipe?
    Wipe removes all user data and settings from the device by restoring the device to its factory default settings. The device is removed from Intune.

    Note

    Wipe can only be achieved on devices enrolled with Intune mobile device management (MDM).

  • What is selective wipe for MDM?
    See Remove devices - retire to read about removing company data.

  • What is selective wipe for MAM?
    Selective wipe for MAM simply removes company app data from an app. The request is initiated using the Intune Azure portal. To learn how to initiate a wipe request, see How to wipe only corporate data from apps.

  • How quickly does selective wipe for MAM happen?
    If the user is using the app when selective wipe is initiated, the Intune App SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches the app for the first time and signs in with their work or school account.

Why don't On-Premises (on-prem) services work with Intune protected apps?
Intune app protection depends on the identity of the user being consistent between the application and the Intune App SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may work with an on-prem configuration, but they are neither consistent nor guaranteed.

Is there a secure way to open web links from managed apps?
Yes! The IT administrator can deploy and set app protection policy for the Intune Managed Browser app, a web browser developed by Microsoft Intune that can be managed easily with Intune. The IT administrator can require all web links in Intune-managed apps to be opened using the Managed Browser app.

Does the Intune APP SDK support Microsoft Authentication Library (MSAL), or social accounts?
The Intune APP SDK uses some advanced ADAL capabilities for both the 1st party and the 3rd party versions of the SDK. As such, MSAL does not work well with many of our core scenarios such as authentication into the Intune App Protection service and conditional launch. There are no plans today to support it.

App experience on Android

Why is the Company Portal app needed for Intune app protection to work on Android devices?
Much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For MAM-WE, the end user just needs to have the Company Portal app installed on the device.

How do multiple Intune app protection access settings that are configured to the same set of apps and users work on Android?
Intune app protection policies for access will be applied in a specific order on end user devices as they try to access a targeted app from their corporate account. In general, a block would take precedence, then a dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to take a patch upgrade will be applied after the minimum Android patch version setting that blocks the user from access. So, in the scenario where the IT admin configures the min Android patch version to 2018-03-01 and the min Android patch version (Warning only) to 2018-02-01, while the device trying to access the app is on patch version 2018-01-01, the end user would be blocked based on the more restrictive setting for min Android patch version that results in blocked access.

When dealing with different types of settings, an app version requirement would take precedence, followed by the Android operating system version requirement and the Android patch version requirement. Then, any warnings for all types of settings are checked in the same order.
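As an added example (not Intune's own code) of the evaluation order described above: a small Python evaluator that applies every block setting in the order app version, OS version, patch version, and then every warning in the same order, using the patch dates from the scenario above. The policy dictionary layout, the function names, and the app and OS minimums in the sample policy are assumptions.

```python
from datetime import date

# Enforcement order of the requirement types (from the FAQ): app version first,
# then Android OS version, then Android security patch version.
SETTING_ORDER = ("app_version", "os_version", "patch_version")


def parse_version(text):
    """'8.1.0' -> (8, 1, 0) for numeric comparison of app and OS versions."""
    return tuple(int(part) for part in text.split("."))


def below(setting, device_value, required):
    """True when the device value does not meet the configured minimum.
    Patch versions are ISO dates (YYYY-MM-DD); the others are dotted versions."""
    if setting == "patch_version":
        return date.fromisoformat(device_value) < date.fromisoformat(required)
    return parse_version(device_value) < parse_version(required)


def evaluate(policy, device):
    """Return every conditional-launch outcome that applies, in the order
    Intune applies them: all 'block' settings in SETTING_ORDER, then all
    'warn' (dismissible warning) settings in the same order.

    policy: {setting: {"block": minimum, "warn": minimum}} (both keys optional)
    device: {setting: current value on the device}"""
    outcomes = []
    for action in ("block", "warn"):
        for setting in SETTING_ORDER:
            required = policy.get(setting, {}).get(action)
            if required is not None and below(setting, device[setting], required):
                outcomes.append((action, setting, required))
    return outcomes


def first_outcome(policy, device):
    """What the end user actually sees: the first applicable outcome, else allow."""
    outcomes = evaluate(policy, device)
    return outcomes[0] if outcomes else ("allow", None, None)


# Constructed sample policy; the patch values are the ones from the FAQ scenario,
# the app and OS minimums are assumed.
SAMPLE_POLICY = {
    "app_version": {"warn": "2.0.0"},
    "os_version": {"warn": "8.0"},
    "patch_version": {"block": "2018-03-01", "warn": "2018-02-01"},
}

# Constructed device from the FAQ scenario: patch 2018-01-01 is below both patch
# settings, so the block wins even though the warnings would also apply.
SAMPLE_DEVICE = {"app_version": "1.5.0", "os_version": "7.1", "patch_version": "2018-01-01"}

if __name__ == "__main__":
    for outcome in evaluate(SAMPLE_POLICY, SAMPLE_DEVICE):
        print(outcome)
    print("user sees:", first_outcome(SAMPLE_POLICY, SAMPLE_DEVICE))
```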

Intune 應用程式防護原則提供一項功能,讓系統管理員要求終端使用者裝置通過 Google 適用於 Android 裝置的 SafetyNet 證明。將新 SafetyNet 證明結果傳送至服務的頻率為何?Intune App Protection Policies provide the capability for admins to require end user devices to pass Google's SafetyNet Attestation for Android devices. How often is a new SafetyNet Attestation result sent to the service?

新 Google Play 服務判斷將會依照 Intune 服務所決定的間隔報告給 IT 系統管理員。A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune service. 進行服務呼叫的頻率已由於負載而節流處理,因此這個值會在內部維護,且無法設定。How often the service call is made is throttled due to load, thus this value is maintained internally and is not configurable. 將會根據條件式啟動時上次回報給 Intune 服務的結果,來採取任何 IT 系統管理員針對 Google SafetyNet 證明設定所設定的動作。Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the time of conditional launch. 如果沒有任何資料,將會根據沒有其他的條件式啟動檢查失敗來允許存取,而 Google Play 服務用來判斷證明結果的「往返」動作將在後端開始,並在裝置未通過時以非同步方式提示使用者。If there is no data, access will be allowed depending on no other conditional launch checks failing, and Google Play Service "roundtrip" for determining attestation results will begin in the backend and prompt the user asynchronously if the device has failed. 如果有過時的資料,將會根據上次回報的結果封鎖或允許存取,同樣地,Google Play 服務用來判斷證明結果的「往返」動作將會開始,並在裝置未通過時以非同步方式提示使用者。If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a Google Play Service "roundtrip" for determining attestation results will begin and prompt the user asynchronously if the device has failed.

Intune 應用程式防護原則提供一項功能,讓系統管理員要求終端使用者裝置透過 Google 適用於 Android 裝置的 Verify Apps API 傳送訊號。終端使用者如何開啟應用程式掃描,讓它們不會因此而被封鎖存取?Intune App Protection Policies provide the capability for admins to require end user devices to send signals via Google's Verify Apps API for Android devices. How can an end user turn on the app scan so that they are not blocked from access due to this?

有關如何執行這項操作的指示會因裝置而稍有差異。The instructions on how to do this vary slightly by device. 一般程序包含前往 Google Play 商店,然後按一下 [我的應用程式與遊戲],再按一下上次應用程式掃描結果,其會將您引導至「Play 安全防護」功能表。The general process involves going to the Google Play Store, then clicking on My apps & games, clicking on the result of the last app scan which will take you into the Play Protect menu. 確定 [掃描裝置中的安全性威脅] 的切換開關已切換為開啟。Ensure the toggle for Scan device for security threats is switched to on.

Google 的 SafetyNet Attestation API 實際上會在 Android 裝置上檢查什麼項目?[檢查基本完整性] 與 [檢查基本完整性與經過認證的裝置] 的可設定值之間有何差異?What does Google's SafetyNet Attestation API actually check on Android devices? What is the difference between the configurable values of 'Check basic integrity' and 'Check basic integrity & certified devices'?

Intune 會利用 Google Play Protect SafetyNet API,在我們現有 Root 破解偵測檢查中新增對已取消註冊裝置的檢查。Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled devices. 如果不想在 Root 破解的裝置上執行其應用程式,Google 已開發和維護這個 API 集合供 Android 應用程式採用。Google has developed and maintained this API set for Android apps to adopt if they do not want their apps to run on rooted devices. 例如,Android Pay 應用程式已併入此集合。The Android Pay app has incorporated this, for example. 雖然 Google 不會公開共用所發生 Root 破解偵測檢查的全部內容,但我們預期這些 API 會偵測到其裝置遭到 Root 破解的使用者。While Google does not share publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have rooted their devices. 接著可防止這些使用者存取,或從其啟用原則的應用程式抹除其公司帳戶。These users can then be blocked from accessing, or their corporate accounts wiped from their policy enabled apps. [檢查基本完整性] 會告訴您有關裝置的一般完整性。'Check basic integrity' tells you about the general integrity of the device. Root 破解的裝置、模擬器、虛擬裝置,以及具有竄改跡象的裝置都無法通過基本完整性。Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. [檢查基本完整性與經認證的裝置] 會告訴您有關裝置與 Google 服務的相容性。'Check basic integrity & certified devices' tells you about the compatibility of the device with Google's services. 只有經過 Google 認證且未修改的裝置可以通過這項檢查。Only unmodified devices that have been certified by Google can pass this check. 將會失敗的裝置包括下列各項:Devices that will fail include the following:

  • 無法通過基本完整性的裝置Devices that fail basic integrity
  • 其開機載入器已解除鎖定的裝置Devices with an unlocked bootloader
  • 具有自訂系統映像/ROM 的裝置Devices with a custom system image/ROM
  • 製造商未為其申請或通過 Google 認證的裝置Devices for which the manufacturer didn’t apply for, or pass, Google certification
  • 直接從 Android Open Source Program 來源檔案建置系統映像的裝置Devices with a system image built directly from the Android Open Source Program source files
  • 具有搶鮮版 (Beta)/開發人員預覽系統映像的裝置Devices with a beta/developer preview system image

如需技術詳細資料,請參閱 Google 有關 SafetyNet 證明的文件See Google's documentation on the SafetyNet Attestation for technical details.

為 Android 裝置建立 Intune 應用程式防護原則時,[條件式啟動] 區段中有兩個類似的檢查。我應該需要 [SafetyNet 裝置證明] 設定或 [已越獄/Root 破解的裝置] 設定嗎?There are two similiar checks in the Conditional Launch section when creating an Intune App Protection Policy for Android devices. Should I be requiring the 'SafetyNet device attestation' setting or the 'jailbroken/rooted devices' setting?

「Google Play 安全防護」的 SafetyNet API 檢查,需要終端使用者至少在判斷證明結果之「往返」動作執行的時間範圍內已連線。Google Play Protect's SafetyNet API checks require the end user being online, atleast for the duration of the time when the "roundtrip" for determining attestation results executes. 如果終端使用者已離線,IT 系統管理員還是能夠預期從 [已越獄或 Root 破解的裝置] 設定強制執行結果。If end user is offline, IT admin can still expect a result to be enforced from the 'jailbroken/rooted devices' setting. 話雖如此,如果終端使用者離線太久,[離線寬限期] 值就會起作用,一旦達到該計時器值,對公司或學校資料的存取便會遭到封鎖,直到可以存取網路為止。That being said, if the end user has been offline too long, the 'Offline grace period' value comes into play, and all access to work or school data is blocked once that timer value is reached, until network access is available. 開啟這兩個設定可允許採用分層方式來保持終端使用者裝置的良好狀況,這在終端使用者存取行動裝置上的公司或學校資料時非常重要。Turning on both settings allows for a layered approach to keeping end user devices healthy which is important when end users access work or school data on mobile.

利用 Google Play Protect API 的應用程式保護原則設定需要 Google Play Services 正常運作。如果終端使用者所在位置中不允許使用 Google Play Services,該怎麼辦?The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to function. What if Google Play Services are not allowed in the location where the end user may be?

Both the 'SafetyNet device attestation' and 'Threat scan on apps' settings require a version of Google Play Services determined by Google in order to function correctly. Because these are security settings, an end user who is targeted with them is blocked if the device does not have the required version of Google Play Services or has no access to Google Play Services at all.

App experience on iOS

What happens if I add or remove a fingerprint or face on my device? Intune app protection policies restrict app access to the Intune licensed user only. One way to control access to the app is to require Apple's Touch ID or Face ID on supported devices. If there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is reached. Changes to biometric data include the addition or removal of a fingerprint or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.

The intent is to keep your organization's data within the app secure and protected at the app level. This feature is only available on iOS and requires the participation of apps that integrate the Intune APP SDK for iOS, version 9.0.1 or later; the SDK integration is what enforces the behavior in the targeted apps. That integration happens on a rolling basis and depends on the individual application teams. Some apps that participate include WXP (Word, Excel, PowerPoint), Outlook, Managed Browser, and Yammer.

I am able to use the iOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to "managed apps only" or "no apps." Doesn't this leak data?
Intune app protection policy cannot control the iOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before it is shared outside the app. You can validate this by attempting to open the "corporate" file outside of the managed app: the file should be encrypted and cannot be opened outside the managed app.

How do multiple Intune app protection access settings that are configured for the same set of apps and users work on iOS?
Intune app protection access settings are applied in a specific order on end user devices when the user tries to access a targeted app from a corporate account. In general, a wipe takes precedence, followed by a block, then a dismissible warning. For example, if both apply to the specific user and app, a minimum iOS operating system setting that only warns the user to update iOS is evaluated after the minimum iOS operating system setting that blocks access. So if the IT admin configures the minimum iOS operating system to 11.0.0.0 and the minimum iOS operating system (warning only) to 11.1.0.0, a device on iOS 10 that tries to access the app is blocked, because the more restrictive setting (the one that results in blocked access) wins.

When different types of settings are involved, an Intune App SDK version requirement takes precedence, then an app version requirement, followed by the iOS operating system version requirement. Then any warnings, for all types of settings, are checked in the same order. We recommend configuring the Intune App SDK version requirement only under guidance from the Intune product team, for essential blocking scenarios.
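The precedence described in the last two answers can be written down as a small evaluator: walk the actions in the order wipe, block, warn, and within each action walk the setting types in the order SDK version, app version, OS version, returning the first requirement the device fails. The Python below is an added illustration for this page, not Intune code; it reproduces the 11.0.0.0 / 11.1.0.0 scenario from the text and adds a hypothetical app version and Intune App SDK version requirement (constructed values) to show the cross-type ordering.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Precedence from the text: a wipe beats a block, which beats a dismissible
# warning; within one action, SDK version beats app version beats OS version.
ACTION_ORDER = ("wipe", "block", "warn")
KIND_ORDER = ("sdk", "app", "os")


@dataclass(frozen=True)
class Requirement:
    kind: str      # 'sdk' | 'app' | 'os'
    action: str    # 'wipe' | 'block' | 'warn'
    minimum: str   # dotted version string, e.g. '11.0.0.0'


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.1' and '11.1.0.0' into comparable tuples of equal length."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))


def evaluate_ios_access(requirements: Iterable[Requirement],
                        device: Dict[str, str]) -> Optional[Requirement]:
    """Return the first requirement the device fails in precedence order,
    or None when every requirement is satisfied."""
    reqs = list(requirements)
    for action in ACTION_ORDER:
        for kind in KIND_ORDER:
            for req in reqs:
                if req.action != action or req.kind != kind:
                    continue
                if parse_version(device[kind]) < parse_version(req.minimum):
                    return req
    return None


# The scenario from the text plus two hypothetical requirements (constructed).
EXAMPLE_POLICY = [
    Requirement("os", "warn", "11.1.0.0"),   # min iOS operating system (warning only)
    Requirement("os", "block", "11.0.0.0"),  # min iOS operating system (block)
    Requirement("app", "warn", "2.5.0"),     # hypothetical min app version (warn)
    Requirement("sdk", "block", "9.0.1"),    # hypothetical min Intune App SDK version (block)
]


def describe(device: Dict[str, str]) -> str:
    """Human-readable verdict for one device: 'allow' or '<action> (<kind> < <minimum>)'."""
    hit = evaluate_ios_access(EXAMPLE_POLICY, device)
    if hit is None:
        return "allow"
    return f"{hit.action} ({hit.kind} < {hit.minimum})"


if __name__ == "__main__":
    for dev in (
        {"os": "10.3.3", "app": "3.0.0", "sdk": "9.1.0"},  # text's case: block wins over warn
        {"os": "11.0.5", "app": "3.0.0", "sdk": "9.1.0"},  # only the warning applies
        {"os": "10.0.0", "app": "2.0.0", "sdk": "8.9.0"},  # fails everything: SDK block first
        {"os": "12.0.0", "app": "3.0.0", "sdk": "9.1.0"},  # fully compliant
    ):
        print(dev["os"], dev["app"], dev["sdk"], "->", describe(dev))
```

Note that the order in which the requirements are listed in the policy does not matter; the evaluator imposes the action and setting-type precedence itself, which is why the iOS 10 device hits the block rather than the warning even though the warning is listed first.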

See also