Create and deploy a Windows Information Protection (WIP) app protection policy with Intune

You can use app protection policies with Windows 10 apps to protect corporate data in those apps without enrolling the device.

Before you begin

You must understand a few concepts when adding a WIP policy:

List of allowed and exempt apps

  • Protected apps: These apps must adhere to this policy.

  • Exempt apps: These apps are exempt from this policy and can access corporate data without restrictions.

Types of apps

  • Recommended apps: A pre-populated list of (mostly Microsoft Office) apps that you can easily import into the policy.
  • Store apps: You can add any app from the Windows Store to the policy.
  • Windows desktop apps: You can add any traditional Windows desktop app to the policy (for example, .exe or .dll files).

Prerequisites

You must configure the MAM provider before you can create a WIP app protection policy. Learn more about how to configure your MAM provider with Intune.

Additionally, you need to have the following license and update:

Important

WIP does not support multi-identity; only one managed identity can exist at a time.

To add a WIP app protection policy

After you set up Intune in your organization, you can create a WIP-specific policy.

  1. Sign in to the Azure portal.
  2. Choose All Services > Intune.
  3. Select Mobile apps on the Microsoft Intune blade.
  4. Select App protection policies on the Mobile apps blade.
  5. Select Add a policy to display the Add a policy blade.
  6. Add the following values:
    • Name: Type a name (required) for your new policy.
    • Description: (Optional) Type a description.
    • Platform: Choose Windows 10 as the supported platform for your app protection policy.
    • Enrollment state: Choose Without enrollment as the enrollment state for your policy.
  7. Choose Create. The policy is created and appears in the table on the App protection policies blade.
Add recommended apps to your protected apps list

To add recommended apps

  1. Select Mobile apps on the Microsoft Intune blade.
  2. Select App protection policies on the Mobile apps blade.
  3. On the App protection policies blade, choose the policy you want to modify. The Intune App Protection blade is displayed.
  4. Choose Protected apps from the Intune App Protection blade. The Protected apps blade opens, showing all apps that are already included in the list for this app protection policy.
  5. Select Add apps. The Add apps information shows you a filtered list of apps. The list at the top of the blade allows you to change the list filter.
  6. Select each app that you want to allow to access your corporate data.
  7. Click OK. The Protected apps blade is updated, showing all selected apps.
  8. Click Save.

Add a Store app to your protected apps list

To add a Store app

  1. Select Mobile apps on the Microsoft Intune blade.
  2. Select App protection policies on the Mobile apps blade.
  3. On the App protection policies blade, choose the policy you want to modify. The Intune App Protection blade is displayed.
  4. Choose Protected apps from the Intune App Protection blade. The Protected apps blade opens, showing all apps that are already included in the list for this app protection policy.
  5. Select Add apps. The Add apps information shows you a filtered list of apps. The list at the top of the blade allows you to change the list filter.
  6. From the list, select Store apps.
  7. Enter values for Name, Publisher, Product Name, and Action. Be sure to set the Action value to Allow, so that the app will have access to your corporate data.
  8. Click OK. The Protected apps blade is updated, showing all selected apps.
  9. Click Save.

Add a desktop app to your protected apps list

To add a desktop app

  1. Select Mobile apps on the Microsoft Intune blade.
  2. Select App protection policies on the Mobile apps blade.
  3. On the App protection policies blade, choose the policy you want to modify. The Intune App Protection blade is displayed.
  4. Choose Protected apps from the Intune App Protection blade. The Protected apps blade opens, showing all apps that are already included in the list for this app protection policy.
  5. Select Add apps. The Add apps information shows you a filtered list of apps. The list at the top of the blade allows you to change the list filter.
  6. From the list, select Desktop apps.
  7. Enter values for Name, Publisher, Product Name, File, Min Version, Max Version, and Action. Be sure to set the Action value to Allow, so that the app will have access to your corporate data.
  8. Click OK. The Protected apps blade is updated, showing all selected apps.
  9. Click Save.

WIP Learning

After you add the apps you want to protect with WIP, you need to apply a protection mode by using WIP Learning.

Before you begin

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization's IT department. You can export these apps from the report and add them to your WIP policies, which avoids productivity disruption before the policies enforce WIP in Block mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, Block.

What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing the action. This can include sharing info across non-corporate-protected apps, and sharing corporate data with other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that would have prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Off

WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Note that previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.
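The following is an added example, not Intune or WIP code: a small Python model of how the four protection modes treat the two kinds of violation the text distinguishes (overridable data sharing by a protected app, and a non-WIP-enabled app reaching for WIP-protected data or a network resource). The app names, action names and the audit-log shape are assumptions made for the model.

```python
"""Simplified model of WIP protection modes (added example, not Intune code)."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    BLOCK = "Block"
    ALLOW_OVERRIDES = "Allow Overrides"
    SILENT = "Silent"
    OFF = "Off"


@dataclass
class WipPolicy:
    mode: Mode
    protected_apps: set = field(default_factory=set)  # must adhere to the policy
    exempt_apps: set = field(default_factory=set)     # unrestricted corporate-data access
    audit_log: list = field(default_factory=list)     # (app, action, outcome) tuples


def classify(policy, app):
    """Exempt, protected, or unknown (not deployed by IT; surfaces in WIP Learning)."""
    if app in policy.exempt_apps:
        return "exempt"
    return "protected" if app in policy.protected_apps else "unknown"


def evaluate(policy, app, action):
    """Decide an action under the policy's mode.
    action 'share_external': a protected app shares corporate data with a
        non-corporate app, or with people/devices outside the organization.
    action 'access_protected': an app tries to read WIP-protected data or a
        network resource.  Returns 'allowed', 'logged', 'prompt' or 'blocked'."""
    if policy.mode is Mode.OFF:
        return "allowed"                      # no protection and no auditing at all
    kind = classify(policy, app)
    if kind == "exempt":
        return "allowed"                      # exempt apps are never restricted
    if action == "access_protected":
        # Stopped in every active mode, including Silent; only WIP-enabled apps may read.
        return "allowed" if kind == "protected" else "blocked"
    if action == "share_external":
        if kind != "protected":
            return "allowed"                  # no corporate data involved
        if policy.mode is Mode.BLOCK:
            return "blocked"
        if policy.mode is Mode.ALLOW_OVERRIDES:
            policy.audit_log.append((app, action, "override"))
            return "prompt"                   # user may override; the override is audited
        policy.audit_log.append((app, action, "logged"))
        return "logged"                       # Silent: action completes, audit record only
    raise ValueError(f"unknown action {action!r}")
```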

Add a protection mode

  1. From the App policy blade, choose the name of your policy, then choose Required settings.

    (Screenshot of the learning modes.)

  2. Select a setting and then choose Save.

Use WIP Learning

  1. Open the Azure portal. Choose All services. Type Intune in the text box filter.

  2. Choose Intune > Mobile Apps.

  3. Choose App protection status > Reports > Windows Information Protection learning.

    Once the apps show up in the WIP Learning logging report, you can add them to your app protection policies.
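As an added example (not part of the original page and not an Intune feature), the Python below takes an exported WIP Learning list, drops duplicates, and proposes portal-style protected-app entries for apps the policy does not already name, with Action set to Allow as the steps above require. The report column names, the sample rows and the placeholder values for desktop-app fields are constructed assumptions.

```python
"""Triage a WIP Learning export into candidate protected-app entries (added example)."""
import csv
import io

# Constructed sample export; the real report's column names are an assumption.
LEARNING_REPORT = """AppName,Publisher,ProductName,AppType
Contoso Notes,CN=Contoso Ltd,ContosoNotes,Store
Legacy Viewer,O=Fabrikam,LegacyViewer,Desktop
Contoso Notes,CN=Contoso Ltd,ContosoNotes,Store
"""


def load_report(text):
    """Parse the export and de-duplicate on (publisher, product name)."""
    seen, apps = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Publisher"].strip(), row["ProductName"].strip())
        if key not in seen:
            seen.add(key)
            apps.append(row)
    return apps


def propose_entries(report_rows, current_policy):
    """Return entries shaped like the portal's Add apps fields for unknown apps.
    current_policy: iterable of (publisher, product_name) pairs that are already
    protected or exempt; those are skipped."""
    known = {(p.strip(), n.strip()) for p, n in current_policy}
    proposals = []
    for row in report_rows:
        key = (row["Publisher"].strip(), row["ProductName"].strip())
        if key in known:
            continue
        entry = {"Name": row["AppName"], "Publisher": key[0],
                 "Product Name": key[1], "Action": "Allow"}
        if row["AppType"] == "Desktop":
            # Desktop apps also need File, Min Version and Max Version in the portal;
            # the report does not carry them, so leave placeholders for the reviewer.
            entry.update({"File": "<to review>", "Min Version": "<to review>",
                          "Max Version": "<to review>"})
        proposals.append(entry)
    return proposals
```

Review each proposal before adding it: an app that appears in the learning report is unknown to WIP, not necessarily one that should handle corporate data.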

Allow Windows Search Indexer to search encrypted items

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, and it controls whether the indexer indexes items that are encrypted, such as files protected by Windows Information Protection (WIP).

This app protection policy option is in the Advanced settings of the Windows Information Protection policy. The app protection policy must be set to the Windows 10 platform and the app policy Enrollment state must be set to With enrollment.

When the policy is enabled, WIP-protected items are indexed and the metadata about them is stored in an unencrypted location. The metadata includes things like file path and date modified.

When the policy is disabled, WIP-protected items are not indexed and do not show up in the results in Cortana or File Explorer. There may also be a performance impact on the Photos and Groove apps if there are many WIP-protected media files on the device.

Add encrypted file extensions

In addition to setting the Allow Windows Search Indexer to search encrypted items option, you can specify a list of file extensions. Files with these extensions are encrypted when they are copied from a Server Message Block (SMB) share within the corporate boundary, as defined in the network location list. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.

Deploy your WIP app protection policy

Important

This information applies to WIP without device enrollment.

After you create your WIP app protection policy, you need to deploy it to your organization using MAM.

  1. On the App policy blade, choose your newly created app protection policy, then choose User groups > Add user group.

    A list of user groups, made up of all the security groups in your Azure Active Directory, opens in the Add user group blade.

  2. Choose the group you want your policy to apply to, then choose Select to deploy the policy.

Next steps

To learn more about Windows Information Protection, see Protect your enterprise data using Windows Information Protection (WIP).