How to create and assign app protection policies

Learn how to create and assign Microsoft Intune app protection policies (APP) for users of your organization. This topic also describes how to make changes to existing policies.

Before you begin

App protection policies can apply to apps running on devices that may or may not be managed by Intune. For a more detailed description of how app protection policies work and the scenarios that are supported by Intune app protection policies, see App protection policies overview.

The choices available in app protection policies (APP) enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building on the previous level:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted, and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry-level configuration that provides data protection control similar to that of Exchange Online mailbox policies and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high-risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

If you're looking for a list of apps that have integrated the Intune SDK, see Microsoft Intune protected apps.

For information about adding your organization's line-of-business (LOB) apps to Microsoft Intune to prepare for app protection policies, see Add apps to Microsoft Intune.

App protection policies for iOS/iPadOS and Android apps

When you create an app protection policy for iOS/iPadOS and Android apps, you follow a modern Intune process flow that results in a new app protection policy. For information about creating app protection policies for Windows apps, see Create and deploy Windows Information Protection (WIP) policy with Intune.

Create an iOS/iPadOS or Android app protection policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. In the Intune portal, choose Apps > App protection policies. This selection opens the App protection policies details, where you create new policies and edit existing policies.

  3. Select Create policy and select either iOS/iPadOS or Android. The Create policy pane is displayed.

  4. On the Basics page, add the following values:

    Name
      The name of this app protection policy.
    Description
      [Optional] The description of this app protection policy.

    The Platform value is set based on your above choice.

    [Screenshot: the Basics page of the Create policy pane]

  5. Click Next to display the Apps page.
    The Apps page allows you to choose how you want to apply this policy to apps on different devices. You must add at least one app.

    Target to apps on all device types
      Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific device types. For information, see Target app protection policies based on device management state.
    Device types
      Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.
    Public apps
      • In the Target to dropdown box, choose to target your app protection policy to All public apps, Microsoft apps, or Core Microsoft apps. Next, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy.
      • If needed, you can choose to target individual apps by clicking Select public apps.
    Custom apps
      Click Select custom apps to select custom apps to target based on a Bundle ID.

    If you have selected individual apps, the apps will appear in the public and custom apps list.

  6. Click Next to display the Data protection page.
    This page provides settings for data loss prevention (DLP) controls, including cut, copy, paste, and save-as restrictions. These settings determine how users interact with data in the apps to which this app protection policy applies.

    Data protection settings:

  7. Click Next to display the Access requirements page.
    This page provides settings that let you configure the PIN and credential requirements users must meet to access apps in a work context.

    Access requirements settings:

  8. Click Next to display the Conditional launch page.
    This page provides settings to set the sign-in security requirements for your app protection policy. Select a Setting and enter the Value that users must meet to sign in to your company app. Then select the Action you want to take if users do not meet your requirements. In some cases, multiple actions can be configured for a single setting.

    Conditional launch settings:

  9. Click Next to display the Assignments page.
    The Assignments page allows you to assign the app protection policy to groups of users. You must apply the policy to a group of users for the policy to take effect.

  10. Click Next: Review + create to review the values and settings you entered for this app protection policy.

  11. When you are done, click Create to create the app protection policy in Intune.

    Tip

    These policy settings are enforced only when using apps in the work context. When end users use the app to do a personal task, they aren't affected by these policies. Note that when you create a new file, it is considered a personal file.

    Important

    It can take time for app protection policies to apply to existing devices. End users will see a notification on the device when the app protection policy is applied. Apply your app protection policies to devices before applying conditional access rules.

End users can download the apps from the App Store or Google Play. For more information, see:

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change existing policies, users who are already signed in to the apps won't see the changes for an eight-hour period.

To see the effect of the changes immediately, the end user must sign out of the app, and then sign back in.

To change the list of apps associated with the policy

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section titled Apps, select Edit.

  4. The Apps page allows you to choose how you want to apply this policy to apps on different devices. You must add at least one app.

    Target to apps on all device types
      Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific device types. Additional app configuration may be required for this setting. For more information, see Target app protection policies based on device management state.
    Device types
      Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.
    Public apps
      • In the Target to dropdown box, choose to target your app protection policy to All public apps, Microsoft apps, or Core Microsoft apps. Next, you can select View a list of the apps that will be targeted to view a list of the apps that will be affected by this policy.
      • If needed, you can choose to target individual apps by clicking Select public apps.
    Custom apps
      Click Select custom apps to select custom apps to target based on a Bundle ID.

    The app(s) you have selected will appear in the public and custom apps list.

  5. Click Review + create to review the apps selected for this policy.

  6. When you are done, click Save to update the app protection policy.

To change the list of user groups

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section titled Assignments, select Edit.

  4. To add a new user group to the policy, on the Include tab choose Select groups to include, and select the user group. Choose Select to add the group.

  5. To exclude a user group, on the Exclude tab choose Select groups to exclude, and select the user group. Choose Select to remove the user group.

  6. To delete groups that were added previously, on either the Include or Exclude tab, select the ellipsis (...) and select Delete.

  7. Click Review + create to review the user groups selected for this policy.

  8. After your changes to the assignments are ready, select Save to save the configuration and deploy the policy to the new set of users. If you select Cancel before you save your configuration, you will discard all changes you've made to the Include and Exclude tabs.

To change policy settings

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section corresponding to the settings you want to change, select Edit. Then change the settings to new values.

  4. Click Review + create to review the updated settings for this policy.

  5. Select Save to save your changes. Repeat the process (select a settings area, modify it, then save your changes) until all your changes are complete. You can then close the Intune App Protection - Properties pane.

Target app protection policies based on device management state

In many organizations, it's common to allow end users to use both Intune Mobile Device Management (MDM) managed devices, such as corporate-owned devices, and unmanaged devices protected only with Intune app protection policies. Unmanaged devices are often known as Bring Your Own Device (BYOD).

Because Intune app protection policies target a user's identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app protection policy to either Intune enrolled or unenrolled iOS/iPadOS and Android devices. You can have one protection policy for unmanaged devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed. For more information about how this works on personal Android Enterprise devices, see App protection policies and work profiles.

To create these policies, browse to Apps > App protection policies in the Intune console, and then select Create policy. You can also edit an existing app protection policy. To have the app protection policy apply to both managed and unmanaged devices, navigate to the Apps page and confirm that Target to apps on all device types is set to Yes, the default value. If you want to granularly assign based on management state, set Target to apps on all device types to No.
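The managed/unmanaged split described above, as an added example that is not part of the Microsoft documentation: a PowerShell script that creates the two iOS/iPadOS policies through the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementApps.ReadWrite.All permission, and that the property and enum names match the Graph beta iosManagedAppProtection resource (treat those names as an assumption to check against the current Graph reference).

```powershell
# Added example, not from the Intune documentation. Creates two iOS/iPadOS app protection
# policies split by device management state: strict DLP for unmanaged (BYOD) devices and
# more relaxed DLP for Intune MDM-managed devices.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller holds
# DeviceManagementApps.ReadWrite.All; property/enum names follow the Graph beta
# iosManagedAppProtection resource.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

# Level 1 style basics shared by both policies: PIN-protected access and a minimum OS.
$common = @{
    "@odata.type"            = "#microsoft.graph.iosManagedAppProtection"
    pinRequired              = $true
    minimumPinLength         = 6
    maximumPinRetries        = 5
    minimumRequiredOsVersion = "15.0"   # example value; set it for your estate
}

# Unmanaged devices: only managed apps may send or receive work data, no save-as,
# no clipboard sharing outside managed apps, no device backup of app data.
$unmanaged = $common + @{
    displayName                             = "iOS APP - Unmanaged devices (strict DLP)"
    targetedAppManagementLevels             = "unmanaged"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedApps"
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
}

# MDM-managed devices: the device itself is under management, so inbound data from any
# app is accepted, users may paste into managed apps from other apps, and save-as is allowed.
$managed = $common + @{
    displayName                             = "iOS APP - MDM managed devices (relaxed DLP)"
    targetedAppManagementLevels             = "mdm"
    allowedInboundDataTransferSources       = "allApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $false
    dataBackupBlocked                       = $false
}

$uri = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"
foreach ($policy in @($unmanaged, $managed)) {
    $body    = $policy | ConvertTo-Json -Depth 5
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType "application/json"
    Write-Host "Created '$($created.displayName)' (id $($created.id))"
}
# As in the portal flow, each policy still needs at least one targeted app and a user-group
# assignment before it takes effect; those are separate Graph actions (targetApps, assign).
```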

Device types

  • Unmanaged: For iOS/iPadOS devices, unmanaged devices are any devices where neither Intune MDM management nor a third-party MDM/EMM solution passes the IntuneMAMUPN key. For Android devices, unmanaged devices are devices where Intune MDM management has not been detected. This includes devices managed by third-party MDM vendors.
  • Intune managed devices: Managed devices are managed by Intune MDM.
  • Android device administrator: Intune-managed devices using the Android Device Administration API.
  • Android Enterprise: Intune-managed devices using Android Enterprise Work Profiles or Android Enterprise Full Device Management.

On Android, devices will prompt to install the Intune Company Portal app regardless of which Device type is chosen. For example, if you select 'Android Enterprise', users with unmanaged Android devices will still be prompted.

For iOS/iPadOS, for the 'Device type' selection to be enforced for Intune managed devices, additional app configuration settings are required. These configurations communicate to the APP service that a particular app is managed, and that the APP settings will not apply:

Note

For specific iOS/iPadOS support information about app protection policies based on device management state, see MAM protection policies targeted based on management state.

Policy settings

To see a full list of the policy settings for iOS/iPadOS and Android, select one of the following links:

Next steps

Monitor compliance and user status

See also