Create and deploy Windows Information Protection (WIP) app protection policy with Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Beginning with the Intune 1704 release, you can use app protection policies with Windows 10 to protect apps without device enrollment.

Before you begin

Let's talk about a few concepts when adding a WIP policy.

List of allowed and exempt apps

  • Allowed apps: These are the apps that need to adhere to this policy.

  • Exempt apps: These apps are exempt from this policy and can access corporate data without restrictions.

Types of apps

  • Recommended apps: a pre-populated list of (mostly Microsoft Office) apps that you can easily import into the policy.

  • Store apps: You can add any app from the Windows Store to the policy.

  • Windows desktop apps: You can add any traditional Windows desktop app to the policy (for example, .exe, .dll).

Prerequisites

You must configure the MAM provider before you can create a WIP app protection policy. Learn more about how to configure your MAM provider with Intune.

Additionally, you need to have the following:

Important

WIP does not support multi-identity; only one managed identity can exist at a time.

To add a WIP policy

After you set up Intune in your organization, you can create a WIP-specific policy through the Azure portal.

  1. Go to the Intune mobile application management dashboard, choose All settings > App policy.

  2. In the App policy blade, choose Add a policy, then enter the following values:

    a. Name: Type a name (required) for your new policy.

    b. Description: Type an optional description.

    c. Platform: Choose Windows 10 as the supported platform for your app protection policy.

    d. Enrollment state: Choose Without enrollment as the enrollment state for your policy.

  3. Choose Create. The policy is created and appears in the table on the App policy blade.

  1. From the App policy blade, choose the name of your policy, then choose Allowed apps from the Add a policy blade. The Allowed apps blade opens, showing you all apps that are already included in the list for this app protection policy.

  2. From the Allowed apps blade, choose Add apps. The Add apps blade opens, showing you all apps that are part of this list.

  3. Select each app you want to access your corporate data, and then choose OK. The Allowed apps blade is updated, showing you all selected apps.

Add a Store app to your allowed apps list

To add a Store app

  1. From the App policy blade, choose the name of your policy, then choose Allowed apps from the menu that appears. The menu shows all apps that are already included in the list for this app protection policy.

  2. From the Allowed apps blade, choose Add apps.

  3. On the Add apps blade, choose Store apps from the drop-down list. The blade changes to show boxes for you to add a publisher and app name.

  4. Type the name of the app and the name of its publisher, and then choose OK.

    Tip

    Here's an app example, where the Publisher is CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and the Product name is Microsoft.MicrosoftAppForWindows.

  5. After you've entered the info into the fields, choose OK to add the app to your Allowed apps list.

Note

To add multiple Store apps at the same time, you can click the menu (…) at the end of the app row, then continue to add more apps. Once you're done, choose OK.
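The Publisher and Product name values a Store-app rule needs are exactly what `Get-AppxPackage` reports for a package installed on a reference Windows 10 device. The following is an added example, not part of the original page or of Intune; it looks the pair up and checks a rule you have typed against the installed packages so that a typo in the long publisher DN is caught before the policy is deployed. The `Get-WipStoreAppRule` and `Test-WipStoreAppRule` function names are assumptions.

```powershell
# Added example (not from the original page). Builds the Publisher / Product name
# pair a WIP Store-app rule needs from the packages installed on a reference
# Windows 10 device, and validates a rule you intend to enter in the Add apps blade.

function Get-WipStoreAppRule {
    param([string]$NameFilter = '*')   # assumed filter; '*' lists every package
    Get-AppxPackage -Name $NameFilter |
        Select-Object -Property @{Name = 'ProductName'; Expression = { $_.Name }},
                                @{Name = 'Publisher';   Expression = { $_.Publisher }} |
        Sort-Object -Property ProductName -Unique
}

# Normalise a distinguished name so "CN=A,O=B" and "CN=A, O=B" compare equal;
# -eq on strings is case-insensitive in PowerShell, so case differences also pass.
function ConvertTo-NormalizedDn {
    param([string]$Dn)
    (($Dn -split ',') | ForEach-Object { $_.Trim() }) -join ', '
}

function Test-WipStoreAppRule {
    param(
        [Parameter(Mandatory)][string]$Publisher,
        [Parameter(Mandatory)][string]$ProductName
    )
    $want  = ConvertTo-NormalizedDn $Publisher
    $match = Get-WipStoreAppRule | Where-Object {
        $_.ProductName -eq $ProductName -and
        (ConvertTo-NormalizedDn $_.Publisher) -eq $want
    }
    if ($match) {
        "OK: '$ProductName' from that publisher is installed on this device."
    } else {
        $sameName = Get-WipStoreAppRule -NameFilter $ProductName
        if ($sameName) {
            # Same product name but a different publisher: almost always a typo in the DN.
            "MISMATCH: '$ProductName' is installed, but its publisher is '$($sameName.Publisher)'."
        } else {
            "NOT FOUND: no installed package named '$ProductName'; check the Product name."
        }
    }
}

# Usage with the values from the page's tip. The product name there is illustrative,
# so on a real device expect NOT FOUND unless that package happens to be installed.
Test-WipStoreAppRule -Publisher 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US' `
                     -ProductName 'Microsoft.MicrosoftAppForWindows'
```

Run `Get-WipStoreAppRule -NameFilter '*Office*'` (or any other wildcard) in a normal user session to list candidate pairs to copy into the blade.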

Add a desktop app to your allowed apps list

To add a desktop app

  1. From the App policy blade, choose the name of your policy, and then choose Allowed apps. The Allowed apps blade opens, showing you all apps that are already included in the list for this app protection policy.

  2. From the Allowed apps blade, choose Add apps.

  3. On the Add apps blade, choose Desktop apps from the drop-down list.

  4. After you've entered the info into the fields, choose OK to add the app to your Allowed apps list.

Note

To add multiple desktop apps at the same time, you can click the menu (…) at the end of the app row, then continue to add more apps. Once you're done, choose OK.

WIP Learning

After you add the apps you want to protect with WIP, you need to apply a protection mode by using WIP Learning.

Before you begin

WIP Learning is a report that allows you to monitor your WIP-unknown apps. The unknown apps are the ones not deployed by your organization's IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before you enforce WIP in "Hide Overrides" mode.

We recommend that you start with Silent or Allow Overrides while verifying with a small group of users that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, Hide Overrides.

What are the protection modes?

Hide Overrides

WIP looks for inappropriate data sharing practices and stops the user from completing the action. This can include sharing info across non-corporate-protected apps, and sharing corporate data with other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users if they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that would have prompted for employee interaction in Allow Overrides mode. Disallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Off

In this mode WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.

Add a protection mode

  1. From the App policy blade, choose the name of your policy, then choose Required settings.

    (Screenshot: Learning mode)

  2. Choose Save.

Use WIP Learning

  1. Open the Azure portal. Choose More services. Type Intune in the text box filter.

  2. Choose Intune > Mobile Apps.

  3. Choose App protection status > Reports > Windows Information Protection learning.

    Once you have the apps showing up in the WIP Learning logging report, you can add them to your app protection policies.

Deploy your WIP app protection policy

Important

This applies to WIP without device enrollment.

After you have created your WIP app protection policy, you need to deploy it to your organization using MAM.

  1. On the App policy blade, choose your newly created app protection policy, then choose User groups > Add user group.

    A list of user groups, made up of all the security groups in your Azure Active Directory, opens in the Add user group blade.

  2. Choose the group you want your policy to apply to, then choose Select to deploy the policy.