Add app configuration policies for managed Android Enterprise devices

App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on managed Android Enterprise devices. The app developer exposes Android-managed app configuration settings. Intune uses these exposed settings to let the admin configure features for the app. The app configuration policy is assigned to your user groups. The policy settings are used when the app checks for them, typically the first time the app runs.

Note

Not every app supports app configuration. Check with the app developer to see if their app supports app configuration policies.

Email apps

Android Enterprise has several enrollment methods. The enrollment type depends on how email is configured on the device:

  • On Android Enterprise Fully Managed, Dedicated, and Corporate-owned Work Profiles, use an app configuration policy and the steps in this article. App configuration policies support Gmail and Nine Work email apps.
  • On Android Enterprise personally owned devices with a work profile, create an Android Enterprise email device configuration profile. When you create the profile, you can configure settings for email clients that support app configuration policies. When using the configuration designer, Intune includes email settings specific to Gmail and Nine Work apps.
  • On Android device administrator, create an Android device administrator email device configuration profile for Samsung Knox devices. When you create the profile, you can configure Exchange email settings, such as outlook.office365.com.

Create an app configuration policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Choose Apps > App configuration policies > Add > Managed devices. Note that you can choose between Managed devices and Managed apps. For more information, see Apps that support app configuration.

  3. On the Basics page, set the following details:

    • Name - The name of the profile that appears in the Azure portal.
    • Description - The description of the profile that appears in the Azure portal.
    • Device enrollment type - This setting is set to Managed devices.
  4. Select Android Enterprise as the Platform.

  5. Click Select app next to Targeted app. The Associated app pane is displayed.

  6. On the Associated app pane, choose the managed app to associate with the configuration policy and click OK.

  7. Click Next to display the Settings page.

  8. Click Add to display the Add permissions pane.

  9. Click the permissions that you want to override. Permissions granted will override the "Default app permissions" policy for the selected apps.

  10. Set the Permission state for each permission. You can choose from Prompt, Auto grant, or Auto deny. For more information about permissions, see Android Enterprise settings to mark devices as compliant or not compliant using Intune.

  11. If the managed app supports configuration settings, the Configuration settings format dropdown box is visible. Select one of the following methods to add configuration information:

    • Use configuration designer
    • Enter JSON data

    For details about using the configuration designer, see Use configuration designer. For details about entering JSON data, see Enter JSON data.

  12. Click Next to display the Assignments page.

  13. In the dropdown box next to Assign to, select either Selected groups, All users, All devices, or All users and all devices to assign the app configuration policy to.

    Screenshot of the Policy assignments Include tab

  14. Select All users in the dropdown box.

    Screenshot of the Policy assignments - All users dropdown option

  15. Click Select groups to exclude to display the related pane.

    Screenshot of the Policy assignments - Select groups to exclude pane

  16. Choose the groups you want to exclude and then click Select.

    Note

    When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, a group that has already been used cannot be used as an excluded group.

  17. Click Next to display the Review + create page.

  18. Click Create to add the app configuration policy to Intune.

Use the configuration designer

You can use the configuration designer for Managed Google Play apps when the app is designed to support configuration settings. Configuration applies to devices enrolled in Intune. The designer lets you configure specific configuration values for the settings exposed by the app.

  1. Select Add. Choose the list of configuration settings that you want to enter for the app.

    If you're using Gmail or Nine Work email apps, Android Enterprise device settings to configure email has more information on these specific settings.

  2. For each key and value in the configuration, set:

    • Value type: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type.
    • Configuration value: The value for the configuration. If you select variable or certificate for the Value type, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime.

Supported variables for configuration values

You can choose the following options if you choose variable as the value type:

Option                  Example
Azure AD Device ID      dc0dc142-11d8-4b12-bfea-cae2a8514c82
Account ID              fc0dc142-71d8-4b12-bbea-bae2a8514c81
Intune Device ID        b9841cd9-9843-405f-be28-b2265c59ef97
Domain                  contoso.com
Mail                    john@contoso.com
Partial UPN             john
User ID                 3ec2c00f-b125-4519-acf0-302ac3761822
User name               John Doe
User Principal Name     john@contoso.com

Allow only configured organization accounts in multi-identity apps

As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs
Values:
  • One or more ; delimited UPNs.
  • Only account(s) allowed are the managed user account(s) defined by this key.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

Note

The following apps process the above app configuration and only allow organization accounts:

  • Edge for Android (42.0.4.4048 and later)
  • Office, Word, Excel, PowerPoint for Android (16.0.9327.1000 and later)
  • OneDrive for Android (5.28 and later)
  • OneNote for Android (16.0.13231.20222 or later)
  • Outlook for Android (2.2.222 and later)
  • Teams for Android (1416/1.0.0.2020073101 and later)

Enter JSON data

Some configuration settings on apps (such as apps with Bundle types) can't be configured with the configuration designer. Use the JSON editor for those values. Settings are supplied to apps automatically when the app is installed.

  1. For Configuration settings format, select Enter JSON editor.
  2. In the editor, you can define JSON values for configuration settings. You can choose Download JSON template to download a sample file that you can then configure.
  3. Choose OK, and then choose Add.

The policy is created and shown in the list.

When the assigned app is run on a device, it runs with the settings that you configured in the app configuration policy.
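
As an added example (not code from Microsoft or from this article), the following Python lints a value for the com.microsoft.intune.mam.AllowedAccountUPNs key from the multi-identity section and wraps it in JSON for the editor described above. The kind, productId, managedProperty and valueString field names are an assumption about the template's shape, so compare them with the file you get from Download JSON template; the package name and organization domain passed in are sample values.

```python
import json
import re

KEY = "com.microsoft.intune.mam.AllowedAccountUPNs"  # key named on this page
TOKEN = "{{userprincipalname}}"                       # token named on this page
UPN_RE = re.compile(r"^[^@\s;]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def lint_allowed_upns(value, org_domains):
    """Return the problems found in a ';'-delimited AllowedAccountUPNs value.

    org_domains is a set of lower-case domains the organization owns.
    """
    if not value.strip():
        return ["value is empty"]
    problems = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray or trailing ';')")
        elif raw != entry:
            # The page does not say whether padding is tolerated, so reject it.
            problems.append(f"whitespace around {entry!r}")
        elif entry == TOKEN:
            continue  # resolved by Intune to the enrolled user's UPN
        elif "{{" in entry or "}}" in entry:
            problems.append(f"unrecognized token {entry!r}")
        else:
            match = UPN_RE.match(entry)
            if match is None:
                problems.append(f"not a UPN: {entry!r}")
            elif match.group(1).lower() not in org_domains:
                problems.append(f"{entry!r} is outside the organization's domains")
    return problems


def build_policy_json(package, value, org_domains):
    """Return JSON text for the editor; raise ValueError if the value fails the lint."""
    problems = lint_allowed_upns(value, org_domains)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumed shape: verify these field names against the downloaded JSON template.
    document = {
        "kind": "androidenterprise#managedConfiguration",
        "productId": f"app:{package}",
        "managedProperty": [{"key": KEY, "valueString": value}],
    }
    return json.dumps(document, indent=2)
```

Running the lint before pasting a value into the policy catches a personal-domain address or a comma used in place of the ; delimiter before the policy reaches devices.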

Preconfigure the permissions grant state for apps

You can also preconfigure app permissions to access Android device features. By default, Android apps that require device permissions, such as access to location or the device camera, prompt users to accept or deny permissions.

For example, an app uses the device's microphone. The user is prompted to grant the app permission to use the microphone.

  1. In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed devices.
  2. Add the following properties:
    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise prompt permissions app policy for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
    • Device enrollment type: This setting is set to Managed devices.
    • Platform: Select Android Enterprise.
  3. Select Profile Type:
  4. Select Targeted App. Choose the app that you want to associate a configuration policy with. Select from the list of Android Enterprise fully managed work profile apps that you've approved and synchronized with Intune.
  5. Select Permissions > Add. From the list, select the available app permissions > OK.
  6. Select an option for each permission to grant with this policy:
    • Prompt: Prompt the user to accept or deny.
    • Auto grant: Automatically approve without notifying the user.
    • Auto deny: Automatically deny without notifying the user.
  7. To assign the app configuration policy, select the app configuration policy > Assignment > Select groups. Choose the user groups to assign > Select.
  8. Choose Save to assign the policy.

Additional information

Next steps

Continue to assign and monitor the app.