Data protection framework using app protection policies

As more organizations implement mobile device strategies for accessing work or school data, protecting against data leakage becomes paramount. Intune's mobile application management solution for protecting against data leakage is App Protection Policies (APP). APP are rules that ensure an organization's data remains safe or contained in a managed app, regardless of whether the device is enrolled. For more information, see App protection policies overview.

When configuring App Protection Policies, the many available settings and options enable organizations to tailor the protection to their specific needs. Because of this flexibility, it may not be obvious which combination of policy settings is required to implement a complete scenario. To help organizations prioritize client endpoint hardening efforts, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and Intune is using a similar taxonomy for its APP data protection framework for mobile app management.

The APP data protection configuration framework is organized into three distinct configuration scenarios:

  • Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.

  • Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may impact the user experience.

  • Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.

APP Data Protection Framework deployment methodology

As with any deployment of new software, features, or settings, Microsoft recommends investing in a ring methodology for testing and validation prior to deploying the APP data protection framework. Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct.

Microsoft recommends the following deployment ring approach for the APP data protection framework:

| Deployment ring | Tenant | Assessment teams | Output | Timeline |
|---|---|---|---|---|
| Quality Assurance | Pre-production tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX | Functional scenario validation, draft documentation | 0-30 days |
| Preview | Production tenant | Mobile capability owners, UX | End user scenario validation, user-facing documentation | 7-14 days, post Quality Assurance |
| Production | Production tenant | Mobile capability owners, IT help desk | N/A | 7 days to several weeks, post Preview |

As the table above indicates, all changes to the App Protection Policies should first be performed in a pre-production environment to understand the implications of the policy settings. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally the IT department and other applicable groups. Finally, the rollout can be completed to the rest of the mobile user community. Rollout to production may take longer depending on the scale of the change's impact. If there is no user impact, the change should roll out quickly; if the change does affect users, rollout may need to go slower because the changes must be communicated to the user population.

When testing changes to an APP, be aware of the delivery timing. The status of APP delivery for a given user can be monitored. For more information, see How to monitor app protection policies.

Individual APP settings for each app can be validated on devices using Edge and the URL about:Intunehelp. For more information, see Review client app protection logs and Use Edge for iOS and Android to access managed app logs.

APP Data Protection Framework settings

The following App Protection Policy settings should be enabled for the applicable apps and assigned to all mobile users. For more information on each policy setting, see iOS app protection policy settings and Android app protection policy settings.

Microsoft recommends reviewing and categorizing usage scenarios, and then configuring users using the prescriptive guidance for that level. As with any framework, settings within a corresponding level may need to be adjusted based on the needs of the organization, because data protection must weigh the threat environment, risk appetite, and impact on usability.

Conditional Access Policies

To ensure that only apps supporting App Protection Policies can access work or school account data, Azure Active Directory Conditional Access policies are required. See Scenario 1: Office 365 apps require approved apps with app protection policies in Require app protection policy for cloud app access with Conditional Access for steps to implement the specific policies.

Apps to include in the App Protection Policies

For each App Protection Policy, the following core Microsoft apps should be included:

  • Edge
  • Excel
  • Office
  • OneDrive
  • OneNote
  • Outlook
  • PowerPoint
  • Microsoft Teams
  • Microsoft To-Do
  • Word
  • Microsoft SharePoint

The policies should include other Microsoft apps based on business need, additional third-party public apps used within the organization that have integrated the Intune SDK, as well as line-of-business apps that have integrated the Intune SDK (or have been wrapped).

Level 1 enterprise basic data protection

Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the App Protection Policy settings below apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.

The policies in level 1 enforce a reasonable data access level while minimizing the impact on users, and mirror the default data protection and access requirement settings when creating an App Protection Policy within Microsoft Endpoint Manager.

Data protection

| Setting | Setting description | Value | Platform |
|---|---|---|---|
| Data Transfer | Backup org data to… | Allow | iOS/iPadOS, Android |
| Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
| Data Transfer | Receive data from other apps | All apps | iOS/iPadOS, Android |
| Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android |
| Data Transfer | Third-party keyboards | Allow | iOS/iPadOS |
| Data Transfer | Approved keyboards | Not required | Android |
| Data Transfer | Screen capture and Google Assistant | Allow | Android |
| Encryption | Encrypt org data | Require | iOS/iPadOS, Android |
| Encryption | Encrypt org data on enrolled devices | Require | Android |
| Functionality | Sync app with native contacts app | Allow | iOS/iPadOS, Android |
| Functionality | Printing org data | Allow | iOS/iPadOS, Android |
| Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android |
| Functionality | Org data notifications | Allow | iOS/iPadOS, Android |

Access requirements

| Setting | Value | Platform | Notes |
|---|---|---|---|
| PIN for access | Require | iOS/iPadOS, Android | |
| PIN type | Numeric | iOS/iPadOS, Android | |
| Simple PIN | Allow | iOS/iPadOS, Android | |
| Select Minimum PIN length | 4 | iOS/iPadOS, Android | |
| Biometric instead of PIN for access | Allow | iOS/iPadOS, Android | |
| Override biometric instead of PIN for access | Require | iOS/iPadOS, Android | |
| Timeout (minutes of activity) | 720 | iOS/iPadOS, Android | |
| Face ID instead of PIN for access | Allow | iOS/iPadOS | |
| Biometrics instead of PIN for access | Allow | Android | |
| PIN reset after number of days | No | iOS/iPadOS, Android | |
| App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they are enforcing a strong device PIN via a device compliance policy. |
| Work or school account credentials for access | Not required | iOS/iPadOS, Android | |
| Recheck the access requirements after (minutes of inactivity) | 30 | iOS/iPadOS, Android | |

Conditional launch

| Setting | Setting description | Value / Action | Platform | Notes |
|---|---|---|---|---|
| App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
| App conditions | Offline grace period | 720 / Block access (minutes) | iOS/iPadOS, Android | |
| App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android | |
| Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | This setting configures Google's SafetyNet Attestation on end user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. |
| Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. |

Level 2 enterprise enhanced data protection

Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and by requiring a minimum operating system version.

The policy settings enforced in level 2 include all the policy settings recommended for level 1; only the settings that have been added or changed to implement more controls and a more sophisticated configuration than level 1 are listed below. While these settings may have a slightly higher impact on users or applications, they enforce a level of data protection more commensurate with the risks facing users who access sensitive information on mobile devices.

Data protection

| Setting | Setting description | Value | Platform | Notes |
|---|---|---|---|---|
| Data Transfer | Backup org data to… | Block | iOS/iPadOS, Android | |
| Data Transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | With iOS/iPadOS, administrators can configure this value to be "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, as well as file transfers to other apps that are managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. For more information, see iOS app protection policy settings. |
| Data Transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services; | iOS/iPadOS | |
| Data Transfer | Save copies of org data | Block | iOS/iPadOS, Android | |
| Data Transfer | Allow users to save copies to selected services | OneDrive for Business, SharePoint Online | iOS/iPadOS, Android | |
| Data Transfer | Transfer telecommunication data to | All apps | iOS/iPadOS, Android | |
| Data Transfer | Restrict cut, copy, and paste between apps | Policy managed apps with paste in | iOS/iPadOS, Android | |
| Data Transfer | Screen capture and Google Assistant | Block | Android | |
| Functionality | Restrict web content transfer with other apps | Microsoft Edge | iOS/iPadOS, Android | |
| Functionality | Org data notifications | Block Org Data | iOS/iPadOS, Android | For a list of apps that support this setting, see iOS app protection policy settings and Android app protection policy settings. |

Conditional launch

| Setting | Setting description | Value / Action | Platform | Notes |
|---|---|---|---|---|
| App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android | |
| Device conditions | Min OS version | Format: Major.Minor.Build; Example: 13.7 / Block access | iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach, where N is the current iOS major release version. For minor and build version values, Microsoft recommends ensuring devices are up to date with the respective security updates. See Apple security updates for Apple's latest recommendations. |
| Device conditions | Min OS version | Format: Major.Minor; Example: 5.0 / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 8.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations. |
| Device conditions | Min patch version | Format: YYYY-MM-DD; Example: 2020-01-01 / Block access | Android | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases. |

Level 3 enterprise high data protection

Level 3 is the data protection configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described. This configuration expands upon the configuration in Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.

The policy settings enforced in level 3 include all the policy settings recommended for level 2; only the settings that have been added or changed to implement more controls and a more sophisticated configuration than level 2 are listed below. These policy settings can have a potentially significant impact on users or applications, enforcing a level of security commensurate with the risks facing targeted organizations.

Data protection

| Setting | Setting description | Value | Platform | Notes |
|---|---|---|---|---|
| Data Transfer | Transfer telecommunication data to | Any policy-managed dialer app | Android | Administrators can also configure this setting to use a dialer app that does not support App Protection Policies by selecting "A specific dialer app" and providing the "Dialer App Package ID" and "Dialer App Name" values. |
| Data Transfer | Transfer telecommunication data to | A specific dialer app | iOS/iPadOS | |
| Data Transfer | Dialer App URL Scheme | replace_with_dialer_app_url_scheme | iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme for the custom dialer app being used. If the URL scheme is not known, contact the app developer for more information. For more information on URL schemes, see Defining a Custom URL Scheme for Your App. |
| Data Transfer | Receive data from other apps | Policy managed apps | iOS/iPadOS, Android | |
| Data Transfer | Open data into Org documents | Block | iOS/iPadOS, Android | |
| Data Transfer | Allow users to open data from selected services | OneDrive for Business, SharePoint | iOS/iPadOS, Android | |
| Data Transfer | Third-party keyboards | Block | iOS/iPadOS | On iOS/iPadOS, this blocks all third-party keyboards from functioning within the app. |
| Data Transfer | Approved keyboards | Require | Android | |
| Data Transfer | Select keyboards to approve | add/remove keyboards | Android | With Android, keyboards must be selected in order to be used, based on your deployed Android devices. |
| Functionality | Printing org data | Block | iOS/iPadOS, Android | |

Access requirements

| Setting | Value | Platform |
|---|---|---|
| Simple PIN | Block | iOS/iPadOS, Android |
| Select Minimum PIN length | 6 | iOS/iPadOS, Android |
| PIN reset after number of days | Yes | iOS/iPadOS, Android |
| Number of days | 365 | iOS/iPadOS, Android |

Conditional launch

| Setting | Setting description | Value / Action | Platform | Notes |
|---|---|---|---|---|
| Device conditions | Min OS version | Format: Major.Minor; Example: 8.0 / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 8.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations. |
| Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
| Device conditions | Max allowed threat level | Secured / Block access | iOS/iPadOS, Android | Unenrolled devices can be inspected for threats using Mobile Threat Defense. For more information, see Mobile Threat Defense for unenrolled devices. If the device is enrolled, this setting can be skipped in favor of deploying Mobile Threat Defense for enrolled devices. For more information, see Mobile Threat Defense for enrolled devices. |
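The conditional launch rows in the Level 1, 2 and 3 tables above describe a value / action evaluation that Intune performs inside the managed app. The following is an added illustration (not Intune's or Microsoft's code) that evaluates those rows against a constructed device state, showing why the Major.Minor.Build and YYYY-MM-DD thresholds must be compared numerically rather than as strings, and how Level 3 escalates the jailbroken action from block to wipe. The Mobile Threat Defense severity ordering ("secured" lowest) is an assumption.

```python
"""Added illustration (not Intune's code): evaluate this page's Level 1-3
conditional launch rows against a constructed device state."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

def parse_version(text: str) -> tuple:
    """'13.7' -> (13, 7); '13.7.1' -> (13, 7, 1). Numeric parts, so 13.10 sorts
    above 13.7 (a plain string comparison would wrongly put it below)."""
    return tuple(int(part) for part in text.strip().split("."))

def version_at_least(device: str, minimum: str) -> bool:
    """True if device >= minimum; shorter tuples are zero-padded ('13.7' == '13.7.0')."""
    d, m = parse_version(device), parse_version(minimum)
    width = max(len(d), len(m))
    return d + (0,) * (width - len(d)) >= m + (0,) * (width - len(m))

def parse_patch_date(text: str) -> date:
    """Android security patch level in the page's YYYY-MM-DD format."""
    return date.fromisoformat(text)

@dataclass
class DeviceState:
    platform: str               # "iOS/iPadOS" or "Android"
    os_version: str             # Major.Minor or Major.Minor.Build
    patch_date: Optional[date]  # Android security patch level; None on iOS
    offline_minutes: int        # minutes since the app last reached the service
    jailbroken: bool            # jailbroken / rooted
    failed_pin_attempts: int
    threat_level: str           # MTD verdict: "secured", "low", "medium", "high"

THREAT_ORDER = ["secured", "low", "medium", "high"]  # assumed severity order

# Thresholds from the page's tables; levels 2 and 3 inherit the Level 1 app conditions.
LEVELS = {
    1: {"min_os": {}, "min_patch": None,
        "jailbroken": "Block access", "max_threat": None},
    2: {"min_os": {"iOS/iPadOS": "13.7", "Android": "5.0"},
        "min_patch": parse_patch_date("2020-01-01"),
        "jailbroken": "Block access", "max_threat": None},
    3: {"min_os": {"iOS/iPadOS": "13.7", "Android": "8.0"},
        "min_patch": parse_patch_date("2020-01-01"),
        "jailbroken": "Wipe data", "max_threat": "secured"},
}
MAX_PIN_ATTEMPTS = 5
OFFLINE_BLOCK_MINUTES = 720
OFFLINE_WIPE_MINUTES = 90 * 24 * 60

def evaluate(dev: DeviceState, level: int) -> list:
    """Return [(condition, action), ...] for every table row the device trips."""
    cfg = LEVELS[level]
    hits = []
    if dev.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        hits.append(("Max PIN attempts", "Reset PIN"))
    if dev.offline_minutes >= OFFLINE_WIPE_MINUTES:
        hits.append(("Offline grace period (days)", "Wipe data"))
    elif dev.offline_minutes >= OFFLINE_BLOCK_MINUTES:
        hits.append(("Offline grace period (minutes)", "Block access"))
    if dev.jailbroken:
        hits.append(("Jailbroken/rooted devices", cfg["jailbroken"]))
    minimum = cfg["min_os"].get(dev.platform)
    if minimum and not version_at_least(dev.os_version, minimum):
        hits.append(("Min OS version", "Block access"))
    # Min patch version exists only for Android; a device reporting no patch level is skipped.
    if dev.platform == "Android" and cfg["min_patch"] and dev.patch_date and dev.patch_date < cfg["min_patch"]:
        hits.append(("Min patch version", "Block access"))
    if cfg["max_threat"] and THREAT_ORDER.index(dev.threat_level) > THREAT_ORDER.index(cfg["max_threat"]):
        hits.append(("Max allowed threat level", "Block access"))
    return hits

def outcome(hits: list) -> str:
    """Most severe action wins: a wipe outranks a block, which outranks a PIN reset."""
    rank = {"Wipe data": 3, "Block access": 2, "Reset PIN": 1}
    return max((action for _, action in hits), key=rank.get, default="Allow")

if __name__ == "__main__":
    # Constructed sample: Android 7.1.2 with a 2019 patch level clears Level 2's 5.0
    # floor but not its patch date, and fails both checks at Level 3.
    sample = DeviceState("Android", "7.1.2", parse_patch_date("2019-12-01"), 60, False, 0, "secured")
    for lvl in (1, 2, 3):
        print(lvl, evaluate(sample, lvl), outcome(evaluate(sample, lvl)))
```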

Next steps

Administrators can incorporate the configuration levels above within their ring deployment methodology for testing and production use by importing the sample Intune App Protection Policy Configuration Framework JSON templates with Intune's PowerShell scripts.

See also