Security and privacy for application management in Configuration Manager

Applies to: Configuration Manager (current branch)

Security guidance for application management

Use the Software Center without the application catalog

The application catalog's Silverlight user experience isn't supported as of current branch version 1806. This configuration helps you reduce the server infrastructure required to deliver applications to users.

Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles. Support ends for the application catalog roles with version 1910. Reducing the server infrastructure also reduces the attack surface.

To deliver a consistent and secure application experience for internet-based clients, use Azure Active Directory and the cloud management gateway.

For more information, see Configure Software Center.

Use HTTPS with the application catalog

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Configure the application catalog website point and the application catalog web service point to accept HTTPS connections. With this configuration, the server is authenticated to users. The transmitted data is protected from tampering and viewing.

Help prevent social engineering attacks by educating users to connect only to trusted websites. Educate users about the dangers of malicious websites.

When you don't use HTTPS, don't use the branding configuration options. These settings show the name of your organization in the application catalog as proof of identity.

Use role separation

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Install the application catalog website point and the application catalog web service point on separate servers. If the website point is compromised, it's separate from the web service point. This design helps to protect the Configuration Manager clients and infrastructure. This configuration is especially important if the website point accepts client connections from the internet, because accepting those connections makes the server more vulnerable to attack.

Close browser windows

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Educate users to close the browser window when they finish using the application catalog. If users browse to an external website in the same browser window that they used for the application catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet.

Centrally specify user device affinity

Manually specify the user device affinity instead of letting users identify their primary device. Don't enable usage-based configuration.

Don't consider information that's collected from users or from the device to be authoritative. If you deploy software by using user device affinity that a trusted administrator doesn't specify, the software might be installed on computers and to users who aren't authorized to receive that software.

Don't run deployments from distribution points

Always configure deployments to download content from distribution points rather than run from distribution points. When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content. The client discards the package if the hash doesn't match the hash in the policy.

If you configure the deployment to run directly from a distribution point, the Configuration Manager client doesn't verify the package hash. This behavior means that the Configuration Manager client can install software that's been tampered with.

If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points. Also use internet protocol security (IPsec) to secure the channel between the client and the distribution points, and between the distribution points and the site server.

Don't let users interact with elevated processes

If you enable the options to Run with administrative rights or Install for system, don't let users interact with those applications. When you configure an application, you can set the option to Allow users to view and interact with the program installation. This setting allows users to respond to any required prompts in the user interface. If you also configure the application to Run with administrative rights or, starting in version 1802, Install for system, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer.

Use programs that use Windows Installer for setup and per-user elevated privileges for software deployments that require administrative credentials. Setup must be run in the context of a user who doesn't have administrative credentials. Windows Installer per-user elevated privileges provide the most secure way to deploy applications that have this requirement.

Restrict whether users can install software interactively

Configure the Install permissions client setting in the Computer Agent group. This setting restricts the types of users who can install software in Software Center.

For example, create a custom client setting with Install permissions set to Only administrators. Apply this client setting to a collection of servers. This configuration prevents users without administrative permissions from installing software on those servers.

For mobile devices, deploy only applications that are signed

Deploy mobile device applications only if they're code-signed by a certification authority (CA) that the mobile device trusts.

For example:

  • An application from a vendor, which is signed by a well-known CA like VeriSign.

  • An internal application that you sign independent from Configuration Manager by using your internal CA.

  • An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.

Secure the location of the mobile device application signing certificate

If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel. To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder.

Use IPsec between the following computers:

  • The computer that runs the Configuration Manager console
  • The computer that stores the certificate signing file
  • The computer that stores the application source files

Alternatively, sign the application independent of Configuration Manager and before you run the Create Application Wizard.

Implement access controls

To protect reference computers, implement access controls. When you configure the detection method in a deployment type by browsing to a reference computer, make sure that the computer isn't compromised.

Restrict and monitor administrative users

Restrict and monitor the administrative users who you grant the following application management role-based security roles:

  • Application Administrator
  • Application Author
  • Application Deployment Manager

Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, administrative users who create or change an application can select dependent applications that aren't in their security scope.

Configure App-V apps in virtual environments with the same trust level

When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications that have the same trust level in the virtual environment. Because applications in an App-V virtual environment can share resources, like the clipboard, configure the virtual environment so that the selected applications have the same trust level.

For more information, see Create App-V virtual environments.

Make sure macOS apps are from a trustworthy source

If you deploy applications for macOS devices, make sure that the source files are from a trustworthy source. The CMAppUtil tool doesn't validate the signature of the source package. Make sure the package comes from a source that you trust. The CMAppUtil tool can't detect whether the files have been tampered with.

Secure the cmmac file for macOS apps

If you deploy applications for macOS computers, secure the location of the .cmmac file. The CMAppUtil tool generates this file, and then you import it to Configuration Manager. This file isn't signed or validated.

Secure the communication channel when you import this file to Configuration Manager. To help prevent tampering with this file, store it in a secured folder. Use IPsec between the following computers:

  • The computer that runs the Configuration Manager console
  • The computer that stores the .cmmac file
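
The guidance above asks for a secured folder for the signing certificate file and the .cmmac file, and for NTFS least permissions on packages that run directly from a distribution point. One way to check such a folder is sketched below as an added example; it is not Microsoft or Configuration Manager code, and the function name, the list of principals treated as too broad, and the demo folder are assumptions.

```powershell
# Added example (not Microsoft or Configuration Manager code). Windows only.
# Reports Allow rules that let broad principals alter content or permissions.
function Find-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Assumption: well-known SIDs treated as too broad for a secured folder:
        # Everyone, Authenticated Users, BUILTIN\Users.
        [string[]]$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Rights that change content or the ACL. Read bits are left out on purpose
    # so that read-only access is not reported.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped.
    $genericMask = 0x50000000

    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root)
    if ($root.PSIsContainer) {
        $items += @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Force)
    }

    foreach ($item in $items) {
        # Root: include inherited rules. Children: explicit rules only, so one
        # inherited entry is not repeated for every file underneath.
        $includeInherited = ($item.FullName -eq $root.FullName)
        $acl = Get-Acl -LiteralPath $item.FullName

        foreach ($rule in $acl.GetAccessRules($true, $includeInherited, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }

            $sid = $rule.IdentityReference.Value
            # Domain Users is a domain-relative SID that ends in -513.
            $isBroad = ($BroadSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-513$')
            if (-not $isBroad) { continue }

            $raw = [int]$rule.FileSystemRights
            if (($raw -band $writeMask) -or ($raw -band $genericMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $sid
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Constructed demo: a temporary folder that grants Modify to BUILTIN\Users.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$acl   = Get-Acl -LiteralPath $demo
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo -AclObject $acl

Find-BroadWriteAccess -Path $demo | Format-Table -AutoSize   # lists the Users rule
Remove-Item -LiteralPath $demo -Recurse -Force
```

An empty result for a real folder means none of the listed principals can change its content; rules for named users or other groups still need a manual review.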

Use HTTPS for web applications

If you configure a web application deployment type, use HTTPS to secure the connection. If you deploy a web application by using an HTTP link rather than an HTTPS link, the device could be redirected to a rogue server. Data that's transferred between the device and server could be tampered with.

Security issues for application management

  • Low-rights users can copy files from the client cache on the client computer.

    Users can read the client cache but can't write to it. With read permissions, a user can copy application installation files from one computer to another.

  • Low-rights users can change files that record software deployment history on the client computer.

    Because the application history information isn't protected, a user can change files that report whether an application is installed.

  • App-V packages aren't signed.

    App-V packages in Configuration Manager don't support signing. Digital signatures verify the content is from a trusted source and wasn't altered in transit. There's no mitigation for this security issue. Follow the security best practice to download the content from a trusted source and from a secure location.

  • Published App-V applications can be installed by all users on the computer.

    When an App-V application is published on a computer, all users who sign in to that computer can install the application. You can't restrict the users who can install the application after it's published.

Certificates for Microsoft Silverlight 5 and elevated trust mode required for the application catalog

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

Configuration Manager clients version 1710 and earlier require Microsoft Silverlight 5, which must run in elevated trust mode for users to install software from the application catalog. By default, Silverlight applications run in partial trust mode to prevent applications from accessing user data. If it isn't already installed, Configuration Manager automatically installs Microsoft Silverlight 5 on clients. By default, Configuration Manager sets the Computer Agent Allow Silverlight applications to run in elevated trust mode client setting to Yes. This setting lets signed and trusted Silverlight applications request elevated trust mode.

When you install the application catalog website point site system role, the client also installs a Microsoft signing certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. Silverlight applications signed by this certificate run in the elevated trust mode, which computers require to install software from the application catalog. Configuration Manager automatically manages this signing certificate. To increase service continuity, don't manually delete or move this Microsoft signing certificate.

Warning

When enabled, the Allow Silverlight applications to run in elevated trust mode client setting lets all Silverlight applications, which are signed by certificates in the Trusted Publishers certificate store in either the computer store or the user store, run in elevated trust mode. The client setting can't enable elevated trust mode specifically for the Configuration Manager application catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue certificate in the Trusted Publishers store, malware that uses its own Silverlight application can now also run in elevated trust mode.

If you set the Allow Silverlight applications to run in elevated trust mode setting to No, clients don't remove the Microsoft signing certificate.
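
Because the elevated trust setting honors every certificate in the Trusted Publishers store of both the computer and the user, it helps to review those stores against a list of approved publishers. The following audit is an added example, not Microsoft or Configuration Manager code; the function name and the approved-thumbprint parameter are assumptions, and the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not Microsoft or Configuration Manager code). Windows only.
# Lists Trusted Publishers certificates that are not on an approved list.
function Get-UnapprovedTrustedPublisher {
    [CmdletBinding()]
    param(
        # Assumption: thumbprints your organization has reviewed and approved.
        [string[]]$ApprovedThumbprints = @()
    )

    # Normalize so that spacing and letter case do not cause false mismatches.
    $approved = @($ApprovedThumbprints |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

    # Computer store and the store of the user who runs the script.
    $stores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\CurrentUser\TrustedPublisher'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($approved -contains $cert.Thumbprint) { continue }
            [pscustomobject]@{
                Location   = $store
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotAfter   = $cert.NotAfter
            }
        }
    }

    # Stores of other signed-in users live in their registry hives. Only loaded
    # hives are visible, and reading them needs administrative rights.
    $currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $relative   = 'Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -eq $currentSid) { continue }   # already covered by Cert:\CurrentUser

        $key = "Registry::HKEY_USERS\$sid\$relative"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # Each subkey name is the thumbprint of one certificate in that store.
        foreach ($entry in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {
            $thumbprint = $entry.PSChildName.ToUpperInvariant()
            if ($approved -contains $thumbprint) { continue }
            [pscustomobject]@{
                Location   = "HKEY_USERS\$sid"
                Thumbprint = $thumbprint
                Subject    = $null    # not decoded from the registry blob here
                SelfSigned = $null
                NotAfter   = $null
            }
        }
    }
}

# Usage: replace the placeholder with the thumbprints you have approved.
Get-UnapprovedTrustedPublisher -ApprovedThumbprints 'APPROVED-THUMBPRINT-PLACEHOLDER' |
    Format-Table -AutoSize
```

Any entry it returns is a publisher that Silverlight would trust for elevated mode while the client setting is Yes, so each one should be traced to a known deployment or removed.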

For more about trusted applications in Silverlight, see Trusted Applications.

Privacy information for application management

Application management lets you run any application, program, or script on any client in the hierarchy. Configuration Manager has no control over the types of applications, programs, or scripts that you run or the type of information that they transmit. During the application deployment process, Configuration Manager might transmit information that identifies the device and sign-in accounts between clients and servers.

Configuration Manager maintains status information about the software deployment process. Software deployment status information isn't encrypted during transmission unless the client communicates by using HTTPS. The status information isn't stored in encrypted form in the database.

The use of Configuration Manager application installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software. This use is separate from the Software License Terms for Configuration Manager. Always review and agree to the Software Licensing Terms before you deploy software by using Configuration Manager.

Configuration Manager collects diagnostics and usage data about applications, which is used by Microsoft to improve future releases. For more information, see Diagnostics and usage data.

Application deployment doesn't happen by default and requires several configuration steps.

The following features help make software deployment efficient:

  • User device affinity maps a user to devices. A Configuration Manager administrator deploys software to a user. The client automatically installs the software on one or more computers that the user uses most often.

  • Software Center is installed automatically on a device when you install the Configuration Manager client. Users change settings, browse for and install software from Software Center.

  • The application catalog is a website that lets users request software to install.

    Important

    Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

User device affinity privacy information

  • Configuration Manager might transmit information between clients and management point site systems. The information might identify the computer and sign-in account and the summarized usage for sign-in accounts.

  • The information that's transmitted between the client and server isn't encrypted, unless the management point is configured to require clients to communicate by using HTTPS.

  • The computer and sign-in account usage information, which is used to map a user to a device, is stored on client computers, sent to management points, and then stored in the Configuration Manager database. The old information is deleted from the database by default after 90 days. The deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance task.

  • Configuration Manager maintains status information about user device affinity. Status information isn't encrypted during transmission, unless clients are configured to communicate with management points by using HTTPS. Status information isn't stored in encrypted form in the database.

  • Computer and sign-in usage information that's used to establish user and device affinity is always enabled. Users and administrative users can supply user device affinity information.

Software Center privacy information

  • Software Center lets the Configuration Manager admin publish any application, program, or script for users to run. Configuration Manager has no control over the types of programs or scripts that are published in the catalog or the type of information that they transmit.

  • Configuration Manager might transmit information between clients and the management point. The information might identify the computer and sign-in accounts. The information that's transmitted between the client and servers isn't encrypted, unless you configure the management point to require clients to connect by using HTTPS.

  • The information about the application approval request is stored in the Configuration Manager database. Requests that are canceled or denied and the corresponding request history entries are deleted by default after 30 days. The deletion behavior is configurable by setting the Delete Aged Application Request Data site maintenance task. Application approval requests that are in approved and pending states are never deleted.

  • Software Center is installed automatically when you install the Configuration Manager client on a device.

Application catalog privacy information

Important

Support ends for the application catalog roles with version 1910. For more information, see Remove the application catalog.

  • The application catalog isn't installed by default. This installation requires several configuration steps.

  • The application catalog lets the Configuration Manager admin publish any application, program, or script for users to run. Configuration Manager has no control over the types of programs or scripts that are published in the catalog or the type of information that they transmit.

  • Configuration Manager might transmit information between clients and the application catalog site system roles. The information might identify the computer and sign-in accounts. The information that's transmitted between the client and servers isn't encrypted, unless these site system roles are configured to require clients to connect by using HTTPS.