Frequently asked questions about MAM and app protection

This article provides answers to some frequently asked questions on Intune mobile application management (MAM) and Intune app protection.

MAM Basics

What is MAM?
Intune mobile application management refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps for your users.

What are the benefits of MAM app protection?
MAM protects an organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Intune-managed apps available for public use.

What device configurations does MAM support?
Intune MAM supports two configurations:

  • Intune MDM + MAM: IT administrators can only manage apps using MAM and app protection policies on devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM + MAM, customers should use the Intune console in the Azure portal at https://portal.azure.com.

  • MAM without device enrollment: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers. To manage apps using MAM-WE, customers should use the Intune console in the Azure portal at http://portal.azure.com. Also, apps can be managed by Intune on devices enrolled with third-party Enterprise Mobility Management (EMM) providers or not enrolled with an MDM at all.

App protection policies

What are app protection policies?
App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.

What are examples of app protection policies?
See the Android app protection policy settings and iOS app protection policy settings for detailed information on each app protection policy setting.

Apps you can manage with app protection policies

Which apps can be managed by app protection policies?
Any app that has been integrated with the Intune App SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Intune-managed apps available for public use.

What are the baseline requirements to use app protection policies on an Intune-managed app?

  • The end user must have an Azure Active Directory (AAD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.

  • The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.

  • The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the Intune console in the Azure portal. Security groups can currently be created in the Office portal.

  • The end user must sign into the app using their AAD account.

What are the additional requirements to use the Outlook mobile app?

  • The end user must have the Outlook mobile app installed on their device.

  • The end user must have an Office 365 Exchange Online mailbox and license linked to their Azure Active Directory account.

    Note

    The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and Exchange Server with hybrid modern authentication, and does not support Exchange in Office 365 Dedicated.

What are the additional requirements to use the Word, Excel, and PowerPoint apps?

  • The end user must have a license for Office 365 Business or Enterprise linked to their Azure Active Directory account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Office 365 licenses can be assigned in the Office portal following these instructions.

  • The end user must have a managed location configured using the granular Save As functionality under the "Prevent Save As" app protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.

  • If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to the end user.

    Note

    The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.

Why is a managed location (for example, OneDrive) needed for Office?
Intune marks all data in the app as either "corporate" or "personal." Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (the OneDrive app with a OneDrive for Business account).

What are the additional requirements to use Skype for Business?
See Skype for Business license requirements.

Note

The Skype for Business mobile app currently only supports Skype for Business Online.

App protection features

What is multi-identity support?
Multi-identity support is the ability of the Intune App SDK to apply app protection policies only to the work or school account signed into the app. If a personal account is signed into the app, its data is untouched.

What is the purpose of multi-identity support?
Multi-identity support allows apps with both "corporate" and consumer audiences (for example, the Office apps) to be released publicly with Intune app protection capabilities for the "corporate" accounts.

What about Outlook and multi-identity?
Because Outlook has a combined email view of both personal and "corporate" emails, the Outlook app prompts for the Intune PIN on launch.

What is the Intune app PIN?
The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.

  • When is the user prompted to enter their PIN?
    Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps such as Word/Excel/PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file. In single-identity apps, such as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is prompted at launch, because the Intune App SDK knows the user's experience in the app is always "corporate."

  • How often will the user be prompted for the Intune PIN?
    The IT admin can define the Intune app protection policy setting 'Recheck the access requirements after (minutes)' in the Intune admin console. This setting specifies the amount of time before the access requirements are checked on the device and the application PIN screen is shown again. However, important details about the PIN that affect how often the user is prompted are:

    • The PIN is shared among apps of the same publisher to improve usability: On iOS, one app PIN is shared among all apps of the same app publisher. On Android, one app PIN is shared among all apps.
    • The 'Recheck the access requirements after (minutes)' behavior after a device reboot: A "PIN timer" tracks the number of minutes of inactivity that determine when to show the Intune app PIN next. On iOS, the PIN timer is unaffected by device reboot, so a restart has no effect on the number of minutes the user has been inactive from an iOS app with Intune PIN policy. On Android, the PIN timer is reset on device reboot, so Android apps with Intune PIN policy will likely prompt for an app PIN after a reboot regardless of the 'Recheck the access requirements after (minutes)' setting value.
    • The rolling nature of the timer associated with the PIN: Once a PIN is entered to access an app (app A) and the app leaves the foreground (main input focus) on the device, the PIN timer is reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer has reset. The prompt shows up again once the 'Recheck the access requirements after (minutes)' value is met again.

    For iOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the 'Recheck the access requirements after (minutes)' value is met again for the app that is not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the 'Recheck the access requirements after (minutes)' value is met and the user switches to app B, the PIN is required.

    Note

    To verify the user's access requirements more often (that is, to show the PIN prompt more often), especially for a frequently used app, it is recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.
  • How does the Intune PIN work with the built-in app PINs for Outlook and OneDrive?
    The Intune PIN works on an inactivity-based timer (the value of 'Recheck the access requirements after (minutes)'). As such, Intune PIN prompts show up independently of the built-in app PIN prompts for Outlook and OneDrive, which are often tied to app launch by default. If the user receives both PIN prompts at the same time, the expected behavior is that the Intune PIN takes precedence.

  • Is the PIN secure?
    The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end user must sign in with their work or school account before they can set or reset their Intune app PIN. This authentication is handled by Azure Active Directory via secure token exchange and is not exposed to the Intune App SDK. From a security perspective, the best way to protect work or school data is to encrypt it. Encryption is not related to the app PIN; it is its own app protection policy setting.

  • How does Intune protect the PIN against brute force attacks?
    As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to authenticate their PIN before the app is locked. After the number of attempts has been met, the Intune App SDK can wipe the "corporate" data in the app.

  • Why do I have to set a PIN twice on apps from the same publisher?
    MAM (on iOS) currently allows an application-level PIN with alphanumeric and special characters (called a 'passcode'), which requires the participating applications (such as WXP, Outlook, Managed Browser, Yammer) to integrate the Intune App SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted applications. This feature was released in the Intune SDK for iOS v. 7.1.12.

    In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for iOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK. Therefore, if a device has applications from the same publisher built with Intune SDK for iOS versions both before and after 7.1.12, the user will have to set up two PINs.

    That being said, the two PINs (one for each app) are not related in any way; that is, each must adhere to the app protection policy that is applied to its app. As such, only if apps A and B have the same policies applied (with respect to PIN) may the user set up the same PIN twice.

    This behavior is specific to the PIN on iOS applications that are enabled with Intune Mobile App Management. Over time, as applications adopt later versions of the Intune SDK for iOS, having to set a PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an example.

    Note

    For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to 7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an iOS device.

    If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A.

    An app D built with 7.1.14 will share the same PIN as app B.

    If only apps A and C are installed on a device, then only one PIN needs to be set. The same applies if only apps B and D are installed on a device.
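The PIN sharing and timer rules described above (one PIN per publisher and per pre/post-7.1.12 SDK bucket on iOS, one PIN for all apps on Android, a rolling inactivity timer, and the reboot difference) modeled in Python as an added illustration. This is not Intune code; the app names, publishers and SDK versions are constructed, and the model assumes the timer is keyed by the shared PIN rather than by the app.

```python
from dataclasses import dataclass, field

# Intune App SDK for iOS version that introduced passcode-style PINs (from the FAQ).
PASSCODE_SPLIT = (7, 1, 12)


@dataclass(frozen=True)
class ManagedApp:
    name: str
    publisher: str
    sdk_version: tuple  # Intune App SDK version the app was built with, e.g. (7, 1, 14)


def pin_key(app: ManagedApp, platform: str) -> str:
    """Identify which PIN an app uses.

    Android: one app PIN is shared among all managed apps.
    iOS: the PIN is shared per publisher, and apps built with SDK 7.1.12+ keep a
    PIN separate from apps of the same publisher built with earlier SDK versions.
    """
    if platform == "android":
        return "android:all-apps"
    bucket = "sdk>=7.1.12" if app.sdk_version >= PASSCODE_SPLIT else "sdk<7.1.12"
    return f"ios:{app.publisher}:{bucket}"


@dataclass
class PinTimerModel:
    platform: str
    recheck_minutes: int  # 'Recheck the access requirements after (minutes)'
    # PIN key -> minute at which that PIN's inactivity timer was last reset.
    # An absent key means the PIN has not been entered since install/boot.
    timer_start: dict = field(default_factory=dict)

    def open_app(self, app: ManagedApp, now: int) -> bool:
        """Bring the app to the foreground; return True if a PIN prompt is shown."""
        key = pin_key(app, self.platform)
        if key not in self.timer_start:
            prompted = True  # first access: the PIN must be entered
        else:
            prompted = now - self.timer_start[key] >= self.recheck_minutes
        if prompted:
            self.timer_start[key] = now  # PIN entered, timer restarted
        return prompted

    def leave_foreground(self, app: ManagedApp, now: int) -> None:
        """App loses main input focus: the rolling timer for its shared PIN resets."""
        key = pin_key(app, self.platform)
        if key in self.timer_start:
            self.timer_start[key] = now

    def reboot(self) -> None:
        """Android resets PIN timers on reboot; iOS timers are unaffected."""
        if self.platform == "android":
            self.timer_start.clear()


def ios_scenario(recheck: int = 30) -> dict:
    """Walk the sharing rules on one constructed iOS device; returns prompt outcomes."""
    word = ManagedApp("Word", "Microsoft", (7, 1, 14))
    outlook = ManagedApp("Outlook", "Microsoft", (7, 1, 14))
    legacy_lob = ManagedApp("LegacyLOB", "Microsoft", (7, 1, 9))  # constructed, pre-7.1.12
    contoso = ManagedApp("ContosoApp", "Contoso", (7, 1, 14))  # constructed, other publisher
    m = PinTimerModel("ios", recheck)
    out = {}
    out["word_first_open"] = m.open_app(word, now=0)  # True: no PIN yet
    m.leave_foreground(word, now=5)
    out["outlook_shares_pin"] = m.open_app(outlook, now=10)  # False: 5 min idle < 30
    out["legacy_separate_pin"] = m.open_app(legacy_lob, now=10)  # True: pre-7.1.12 bucket
    out["other_publisher"] = m.open_app(contoso, now=10)  # True: different publisher
    m.leave_foreground(outlook, now=12)
    out["after_recheck"] = m.open_app(word, now=50)  # True: 38 min idle >= 30
    m.reboot()
    out["ios_reboot_no_prompt"] = m.open_app(outlook, now=51)  # False: timer survives reboot
    return out


def android_scenario(recheck: int = 30) -> dict:
    """Same walk on Android: one PIN for every app, timer reset by reboot."""
    outlook = ManagedApp("Outlook", "Microsoft", (7, 1, 14))
    contoso = ManagedApp("ContosoApp", "Contoso", (7, 1, 14))  # constructed
    m = PinTimerModel("android", recheck)
    out = {}
    out["outlook_first_open"] = m.open_app(outlook, now=0)  # True
    m.leave_foreground(outlook, now=3)
    out["any_app_shares_pin"] = m.open_app(contoso, now=10)  # False: one PIN for all apps
    m.reboot()
    out["android_reboot_prompts"] = m.open_app(contoso, now=11)  # True: timer reset on reboot
    return out
```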

What about encryption?
IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.

  • How does Intune encrypt data?
    See the Android app protection policy settings and iOS app protection policy settings for detailed information on the encryption app protection policy setting.

  • What gets encrypted?
    Only data marked as "corporate" is encrypted according to the IT administrator's app protection policy. Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (the OneDrive app with a OneDrive for Business account). For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered "corporate."

How does Intune remotely wipe data?
Intune can wipe app data in three different ways: full device wipe, selective wipe for MDM, and MAM selective wipe. For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.

  • What is wipe?
    Wipe removes all user data and settings from the device by restoring the device to its factory default settings. The device is removed from Intune.

    Note

    Wipe can only be performed on devices enrolled with Intune mobile device management (MDM).

  • What is selective wipe for MDM?
    See Remove devices - retire to read about removing company data.

  • What is selective wipe for MAM?
    Selective wipe for MAM simply removes company app data from an app. The request is initiated using the Intune Azure portal. To learn how to initiate a wipe request, see How to wipe only corporate data from apps.

  • How quickly does selective wipe for MAM happen?
    If the user is using the app when selective wipe is initiated, the Intune App SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches the app for the first time and signs in with their work or school account.

Why don't on-premises (on-prem) services work with Intune protected apps?
Intune app protection depends on the identity of the user being consistent between the application and the Intune App SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may work with an on-prem configuration, but they are neither consistent nor guaranteed.

Is there a secure way to open web links from managed apps?
Yes! The IT administrator can deploy and set app protection policy for the Intune Managed Browser app, a web browser developed by Microsoft Intune that can be managed easily with Intune. The IT administrator can require all web links in Intune-managed apps to be opened using the Managed Browser app.

Does the Intune App SDK support Microsoft Authentication Library (MSAL), or social accounts?
The Intune App SDK uses some advanced ADAL capabilities for both the 1st party and the 3rd party versions of the SDK. As such, MSAL does not work well with many of our core scenarios, such as authentication into the Intune App Protection service and conditional launch. There are no plans today to support it.

App experience on Android

Why is the Company Portal app needed for Intune app protection to work on Android devices?
Much of the app protection functionality is built into the Company Portal app. Device enrollment is not required, even though the Company Portal app is always required. For MAM-WE, the end user just needs to have the Company Portal app installed on the device.

How do multiple Intune app protection access settings that are configured to the same set of apps and users work on Android?
Intune app protection policies for access are applied in a specific order on end user devices as they try to access a targeted app from their corporate account. In general, a block takes precedence, then a dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to take a patch upgrade is applied after the minimum Android patch version setting that blocks the user from access. So, in the scenario where the IT admin configures the minimum Android patch version to 2018-03-01 and the minimum Android patch version (Warning only) to 2018-02-01, while the device trying to access the app is on patch version 2018-01-01, the end user is blocked, based on the more restrictive minimum Android patch version setting that results in blocked access.

When dealing with different types of settings, an app version requirement takes precedence, followed by the Android operating system version requirement and the Android patch version requirement. Then, any warnings for all types of settings are checked in the same order.

App experience on iOS

I am able to use the iOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to "managed apps only" or "no apps." Doesn't this leak data?
Intune app protection policy cannot control the iOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before it is shared outside the app. You can validate this by attempting to open the "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.

How do multiple Intune app protection access settings that are configured to the same set of apps and users work on iOS?
Intune app protection policies for access are applied in a specific order on end user devices as they try to access a targeted app from their corporate account. In general, a wipe takes precedence, followed by a block, then a dismissible warning. For example, if applicable to the specific user/app, a minimum iOS operating system setting that warns a user to update their iOS version is applied after the minimum iOS operating system setting that blocks the user from access. So, in the scenario where the IT admin configures the minimum iOS operating system to 11.0.0.0 and the minimum iOS operating system (Warning only) to 11.1.0.0, while the device trying to access the app is on iOS 10, the end user is blocked, based on the more restrictive minimum iOS operating system version setting that results in blocked access.

When dealing with different types of settings, an Intune App SDK version requirement takes precedence, then an app version requirement, followed by the iOS operating system version requirement. Then, any warnings for all types of settings are checked in the same order. We recommend that the Intune App SDK version requirement be configured only upon guidance from the Intune product team, for essential blocking scenarios.
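The access-setting precedence described for Android (block before warning; app version, then OS version, then patch version) and for iOS (wipe before block before warning; SDK version, then app version, then OS version), written out as a small Python evaluator as an added example. This is not Intune code: the requirement/device representation is constructed here, and the Android patch values and iOS version values come from the two scenarios on this page.

```python
from dataclasses import dataclass
from datetime import date

# Evaluation order from the FAQ: actions first (wipe, then block, then a
# dismissible warning), then setting types in the per-platform order.
ACTION_ORDER = ("wipe", "block", "warn")
TYPE_ORDER = {
    "ios": ("sdk_version", "app_version", "os_version"),
    "android": ("app_version", "os_version", "patch_version"),
}


@dataclass(frozen=True)
class Requirement:
    kind: str     # a key of TYPE_ORDER[platform]
    minimum: str  # e.g. "11.0.0.0" (dotted version) or "2018-03-01" (Android patch date)
    action: str   # "wipe", "block" or "warn"


def _parse(kind: str, value: str):
    """Android patch levels are ISO dates; every other setting is a dotted version."""
    if kind == "patch_version":
        return date.fromisoformat(value)
    return tuple(int(part) for part in value.split("."))


def meets_minimum(kind: str, actual: str, minimum: str) -> bool:
    """True if the device value satisfies the minimum; '10' vs '11.0.0.0' pads with zeros."""
    a, m = _parse(kind, actual), _parse(kind, minimum)
    if kind != "patch_version":
        width = max(len(a), len(m))
        a, m = a + (0,) * (width - len(a)), m + (0,) * (width - len(m))
    return a >= m


def evaluate_access(platform: str, requirements, device: dict):
    """Return (action, kind, minimum) for the first failed requirement in precedence
    order, or ("allow", None, None) when the device satisfies every requirement."""
    for action in ACTION_ORDER:
        for kind in TYPE_ORDER[platform]:
            for req in requirements:
                if req.action != action or req.kind != kind or kind not in device:
                    continue
                if not meets_minimum(kind, device[kind], req.minimum):
                    return (action, kind, req.minimum)
    return ("allow", None, None)


# The two configurations the page walks through.
ANDROID_PATCH_RULES = (
    Requirement("patch_version", "2018-03-01", "block"),
    Requirement("patch_version", "2018-02-01", "warn"),
)
IOS_OS_RULES = (
    Requirement("os_version", "11.0.0.0", "block"),
    Requirement("os_version", "11.1.0.0", "warn"),
)


def page_scenarios() -> dict:
    """Reproduce the page's two examples plus constructed type-precedence and wipe cases."""
    out = {}
    out["android_old_patch"] = evaluate_access(
        "android", ANDROID_PATCH_RULES, {"patch_version": "2018-01-01"})
    out["ios_10"] = evaluate_access("ios", IOS_OS_RULES, {"os_version": "10"})
    out["ios_11_0_2_warn_only"] = evaluate_access("ios", IOS_OS_RULES, {"os_version": "11.0.2"})
    out["ios_11_1_allowed"] = evaluate_access("ios", IOS_OS_RULES, {"os_version": "11.1"})
    # Constructed: two blocks fail at once; on iOS the app version setting is reported first.
    both = IOS_OS_RULES + (Requirement("app_version", "2.0", "block"),)
    out["ios_type_precedence"] = evaluate_access(
        "ios", both, {"os_version": "10", "app_version": "1.9"})
    # Constructed: a wipe-level SDK version requirement outranks every block.
    with_wipe = both + (Requirement("sdk_version", "7.1.12", "wipe"),)
    out["ios_wipe_first"] = evaluate_access(
        "ios", with_wipe, {"os_version": "10", "app_version": "1.9", "sdk_version": "7.1.9"})
    return out
```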

See also