App protection policies overview

App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it, and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allow you to manage and protect your organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.

How you can protect app data

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional. You'll also want to protect company data that is accessed from devices that are not managed by you.

You can use Intune app protection policies independently of any mobile device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

App protection policies on devices

App protection policies can be configured for apps that run on devices that are:

  • Enrolled in Microsoft Intune: These devices are typically corporate owned.

  • Enrolled in a third-party mobile device management (MDM) solution: These devices are typically corporate owned.

    Note

    Mobile app management policies should not be used with third-party mobile app management or secure container solutions.

  • Not enrolled in any mobile device management solution: These devices are typically employee-owned devices that aren't managed or enrolled in Intune or other MDM solutions.

Important

You can create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using this feature, make sure you meet the Outlook for iOS/iPadOS and Android requirements. App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services.

Benefits of using app protection policies

The important benefits of using app protection policies are the following:

  • Protecting your company data at the app level. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

  • End-user productivity isn't affected, and policies don't apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.

  • App protection policies make sure that the app-layer protections are in place. For example, you can:

    • Require a PIN to open an app in a work context
    • Control the sharing of data between apps
    • Prevent the saving of company app data to a personal storage location
  • MDM, in addition to MAM, makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device through your MDM solution, which gives you more control over app management.

There are additional benefits to using MDM with app protection policies, and companies can use app protection policies with and without MDM at the same time. For example, consider an employee who uses both a phone issued by the company and their own personal tablet. The company phone is enrolled in MDM and protected by app protection policies, while the personal device is protected by app protection policies only.

If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state. To do so, when you create an app protection policy, select No next to Target to all app types. Then do any of the following:

  • Apply a less strict MAM policy to Intune-managed devices, and apply a more restrictive MAM policy to non-MDM-enrolled devices.
  • Apply a MAM policy to unenrolled devices only.
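The split-by-management-state targeting described above, as an added example that is not code from the Intune documentation or the Intune product: it builds the JSON bodies for two iOS app protection policies via the Microsoft Graph iosManagedAppProtection resource (a stricter one for unenrolled devices and a more relaxed one for MDM-enrolled devices) and checks that no management level is claimed by both. The Graph beta endpoint, property names and enum values (targetedAppManagementLevels, periodOnlineBeforeAccessCheck, maximumPinRetries, allowedDataStorageLocations and so on) are assumptions taken from the Graph reference and should be verified against your tenant's API version; the PIN lengths, retry counts and recheck intervals are illustrative choices, not Microsoft's recommended values. Nothing is sent to Graph unless post_policy() is called explicitly.

```python
"""Intune app protection policies targeted by device management state.

Added example, not part of the Intune documentation. Builds request bodies
for two Graph iosManagedAppProtection policies and checks that they do not
compete for the same management level. Property names and enum values are
assumed from the Graph reference for iosManagedAppProtection.
"""
import json
import urllib.request

# Assumption: beta endpoint, where targetedAppManagementLevels is exposed.
GRAPH_URL = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

# Management states Intune distinguishes once "Target to all app types" is set to No.
LEVELS = {"unmanaged", "mdm"}


def iso_duration(minutes: int) -> str:
    """Graph duration fields (periodOnlineBeforeAccessCheck etc.) take ISO 8601, e.g. PT30M."""
    if minutes < 0:
        raise ValueError("duration must be non-negative")
    hours, mins = divmod(minutes, 60)
    return "PT" + (f"{hours}H" if hours else "") + (f"{mins}M" if mins or not hours else "")


def build_policy(name: str, level: str, strict: bool) -> dict:
    """Return a request body for POST GRAPH_URL.

    strict=True is the profile for devices you cannot otherwise see (no MDM):
    a shorter access recheck, fewer PIN retries before the SDK wipes corporate
    data, and data transfer limited to other managed apps. Values are illustrative.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown management level {level!r}")
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": f"APP for {level} devices ({'strict' if strict else 'relaxed'})",
        "targetedAppManagementLevels": level,
        # Access requirements (the PIN section of the policy)
        "pinRequired": True,
        "pinCharacterSet": "alphanumericAndSymbol" if strict else "numeric",
        "minimumPinLength": 6 if strict else 4,
        "simplePinBlocked": True,
        "maximumPinRetries": 5 if strict else 10,
        "periodOnlineBeforeAccessCheck": iso_duration(30 if strict else 720),
        "periodOfflineBeforeAccessCheck": iso_duration(720 if strict else 1440),
        "periodOfflineBeforeWipeIsEnforced": "P7D" if strict else "P90D",
        # Data relocation (the "Save copies of org data" and clipboard settings)
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness"] + ([] if strict else ["sharePoint"]),
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps" if strict else "allApps",
        "allowedOutboundClipboardSharingLevel": "managedApps" if strict else "managedAppsWithPasteIn",
        # Device compliance can only be evaluated for devices Intune actually manages.
        "deviceComplianceRequired": level == "mdm",
    }


def plan_by_management_state(policies: list) -> dict:
    """Map each management level to exactly one policy name.

    Two policies targeting the same level would make the effective policy on a
    device depend on conflict resolution rather than on your intent.
    """
    plan = {}
    for p in policies:
        level = p["targetedAppManagementLevels"]
        if level in plan:
            raise ValueError(f"{level} targeted by both {plan[level]!r} and {p['displayName']!r}")
        plan[level] = p["displayName"]
    return plan


def post_policy(body: dict, access_token: str) -> dict:
    """Create the policy in the tenant (needs DeviceManagementApps.ReadWrite.All).
    Apps are attached afterwards with the policy's targetApps action (assumed)."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    strict = build_policy("iOS APP - unenrolled (strict)", "unmanaged", strict=True)
    relaxed = build_policy("iOS APP - MDM enrolled", "mdm", strict=False)
    print(json.dumps(plan_by_management_state([strict, relaxed]), indent=2))
    print(json.dumps(strict, indent=2))
```

Run it to print the two bodies; only post_policy() with a real bearer token would change the tenant. The plan check is the part worth keeping in any provisioning script: it fails fast if a later edit accidentally points two policies at the same management level.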

Supported platforms for app protection policies

Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on. For more information, see App management capabilities by platform.

Intune app protection policy platform support aligns with Office mobile application platform support for Android and iOS/iPadOS devices. For details, see the Mobile apps section of Office System Requirements.

Important

The Intune Company Portal is required on the device to receive app protection policies on Android. For more information, see the Intune Company Portal access apps requirements.

App protection policy data protection framework

The choices available in app protection policies (APP) enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building on the previous level:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted, and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry-level configuration that provides data protection controls similar to those in Exchange Online mailbox policies and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high-risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

How app protection policies protect app data

Apps without app protection policies

When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or be transferred to apps beyond your purview, resulting in data loss. The arrows in the following diagram show unrestricted data movement between both corporate and personal apps, and to storage locations.

Image: Conceptual image of data moving between apps with no policies in place

Data protection with app protection policies (APP)

You can use app protection policies to prevent company data from being saved to the local storage of the device (see the image below). You can also restrict data movement to other apps that aren't protected by app protection policies. App protection policy settings include:

  • Data relocation policies like Save copies of org data, and Restrict cut, copy, and paste.
  • Access policy settings like Require simple PIN for access, and Block managed apps from running on jailbroken or rooted devices.

Image: Conceptual image showing company data being protected by policies

Data protection with APP on devices managed by an MDM solution

The illustration below shows the layers of protection that MDM and app protection policies offer together.

Image: Diagram showing how app protection policies work on BYOD devices

The MDM solution adds value by providing the following:

  • Enrolls the device
  • Deploys the apps to the device
  • Provides ongoing device compliance and management

App protection policies add value by providing the following:

  • Help protect company data from leaking to consumer apps and services
  • Apply restrictions like save-as, clipboard, or PIN to client apps
  • Wipe company data from apps when needed, without removing those apps from the device

Data protection with APP for devices without enrollment

The following diagram illustrates how the data protection policies work at the app level without MDM.

Image: Diagram showing how app protection policies work on devices without enrollment (unmanaged devices)

For BYOD devices not enrolled in any MDM solution, app protection policies can help protect company data at the app level. However, there are some limitations to be aware of, such as:

  • You can't deploy apps to the device. The end user has to get the apps from the store.
  • You can't provision certificate profiles on these devices.
  • You can't provision company Wi-Fi and VPN settings on these devices.

Apps you can manage with app protection policies

Any app that has been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Microsoft Intune protected apps that have been built using these tools and are available for public use.

The Intune SDK development team actively tests and maintains support for apps built with the native Android, iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success integrating the Intune SDK with other platforms such as React Native and NativeScript, we do not provide explicit guidance or plugins for app developers using anything other than our supported platforms.

End-user requirements to use app protection policies

The following list provides the end-user requirements to use app protection policies on an Intune-managed app:

  • The end user must have an Azure Active Directory (Azure AD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.

  • The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.

  • The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the Intune console in the Azure portal. Security groups can currently be created in the Microsoft 365 admin center.

  • The end user must sign into the app using their Azure AD account.

App protection policies for Microsoft Office apps

There are a few additional requirements that you want to be aware of when using app protection policies with Microsoft Office apps.

Outlook mobile app

The additional requirements to use the Outlook mobile app include the following:

  • The end user must have the Outlook mobile app installed on their device.

  • The end user must have a Microsoft 365 Exchange Online mailbox and license linked to their Azure Active Directory account.

    Note

    The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and Exchange Server with hybrid modern authentication, and does not support Exchange in Office 365 Dedicated.

Word, Excel, and PowerPoint

The additional requirements to use the Word, Excel, and PowerPoint apps include the following:

  • The end user must have a license for Microsoft 365 Apps for business or enterprise linked to their Azure Active Directory account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in the Microsoft 365 admin center following these instructions.

  • The end user must have a managed location configured using the granular save-as functionality under the "Save copies of org data" app protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.

  • If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to the end user.

    Note

    The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.

Managed location needed for Office

A managed location (for example, OneDrive) is needed for Office. Intune marks all data in the app as either "corporate" or "personal". Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (the OneDrive app with a OneDrive for Business account).

Skype for Business

There are additional requirements to use Skype for Business. See Skype for Business license requirements. For Skype for Business (SfB) hybrid and on-premises configurations, see Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB OnPrem with Azure AD, respectively.

App protection Global policy

If a OneDrive administrator browses to admin.onedrive.com and selects Device access, they can set Mobile application management controls for the OneDrive and SharePoint client apps.

The settings made available in the OneDrive Admin console configure a special Intune app protection policy called the Global policy. This global policy applies to all users in your tenant, and there is no way to control the policy targeting.

Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are protected with the selected settings by default. An IT pro can edit this policy in the Intune console to add more targeted apps and to modify any policy setting.

By default, there can only be one Global policy per tenant. You can use the Intune Graph APIs to create extra global policies per tenant, but doing so isn't recommended, because troubleshooting the implementation of such a policy can become complicated.

While the Global policy applies to all users in your tenant, any standard Intune app protection policy will override these settings.

App protection features

Multi-identity

Multi-identity support allows an app to support multiple audiences. These audiences are both "corporate" users and "personal" users. Work and school accounts are used by "corporate" audiences, whereas personal accounts would be used for consumer audiences, such as Microsoft Office users. An app that supports multi-identity can be released publicly, where app protection policies apply only when the app is used in the work and school ("corporate") context. Multi-identity support uses the Intune SDK to apply app protection policies only to the work or school account signed into the app. If a personal account is signed into the app, the data is untouched.

For an example of "personal" context, consider a user who starts a new document in Word. This is considered personal context, so Intune app protection policies are not applied. Once the document is saved on the "corporate" OneDrive account, it is considered "corporate" context and Intune app protection policies are applied.

For an example of work or "corporate" context, consider a user who starts the OneDrive app by using their work account. In the work context, they can't move files to a personal storage location. Later, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.

Outlook has a combined email view of both "personal" and "corporate" emails. In this situation, the Outlook app prompts for the Intune PIN on launch.

Note

Although Edge is in "corporate" context, a user can intentionally move OneDrive "corporate" context files to an unknown personal cloud storage location. To avoid this, see Manage restricted web sites and configure the allowed/blocked site list for Edge.

For more information about multi-identity in Intune, see MAM and multi-identity.

Intune app PIN

The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.

PIN prompt
Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file. In single-identity apps, such as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is prompted at launch, because the Intune SDK knows the user's experience in the app is always "corporate".

PIN prompt, or corporate credential prompt, frequency
The IT admin can define the Intune app protection policy setting Recheck the access requirements after (minutes) in the Intune admin console. This setting specifies the amount of time before the access requirements are checked on the device and the application PIN screen, or corporate credential prompt, is shown again. However, important details about the PIN that affect how often the user will be prompted are:

  • The PIN is shared among apps of the same publisher to improve usability:
    On iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher. For example, all Microsoft apps share the same PIN. On Android, one app PIN is shared amongst all apps.
  • The Recheck the access requirements after (minutes) behavior after a device reboot:
    A timer tracks the number of minutes of inactivity that determine when to show the Intune app PIN, or corporate credential prompt, next. On iOS/iPadOS, the timer is unaffected by device reboot. Thus, a device reboot has no effect on the number of minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or corporate credential) policy targeted. On Android, the timer is reset on device reboot. As such, Android apps with Intune PIN (or corporate credential) policy will likely prompt for an app PIN, or corporate credential prompt, after a device reboot regardless of the 'Recheck the access requirements after (minutes)' setting value.
  • The rolling nature of the timer associated with the PIN:
    Once a PIN is entered to access an app (app A) and the app leaves the foreground (main input focus) on the device, the timer is reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry, because the timer has been reset. The prompt will show up again once the 'Recheck the access requirements after (minutes)' value is met again.

For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the Recheck the access requirements after (minutes) value is met again for the app that is not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the Recheck the access requirements after (minutes) value is met and the user switches to app B, the PIN would be required.

Note

In order to verify the user's access requirements more often (that is, prompt for the PIN more often), especially for a frequently used app, it is recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.
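The prompt-frequency rules above are easier to reason about when they are written down as state. The following is an added example, not Intune SDK code and not from the Intune documentation: a small simulator that encodes the three rules (PIN shared per publisher on iOS/iPadOS and across all apps on Android, inactivity timer surviving a reboot on iOS/iPadOS but reset on Android, and backgrounding an app restarting the timer for every app that shares the PIN) and replays a constructed timeline of app switches and a reboot under a 30-minute recheck value. App names, the "Contoso" publisher and the minute values are constructed for the walkthrough; the simulator ignores the separate built-in app PINs of Outlook and OneDrive.

```python
"""Simulate when the Intune app PIN prompt reappears under the policy setting
'Recheck the access requirements after (minutes)'.

Added example, not from the Intune documentation or SDK. It models the
documented behaviour only: per-publisher PIN sharing on iOS/iPadOS, one
shared PIN on Android, reboot handling per platform, and the rolling timer.
"""
from dataclasses import dataclass, field


@dataclass
class PinPromptSimulator:
    platform: str                 # "ios" or "android"
    recheck_minutes: int          # value of 'Recheck the access requirements after (minutes)'
    _last_activity: dict = field(default_factory=dict)   # PIN scope -> minute of last activity
    _reboot_pending: bool = False                         # Android only: reboot since last prompt
    prompts: list = field(default_factory=list)           # (minute, app) where a prompt fired

    def _scope(self, publisher: str) -> str:
        # iOS keychain sharing is per publisher; Android shares one PIN across all apps.
        return publisher if self.platform == "ios" else "*"

    def open_app(self, app: str, publisher: str, minute: int) -> bool:
        """Bring app to the foreground; return True if the PIN prompt is shown."""
        scope = self._scope(publisher)
        last = self._last_activity.get(scope)
        expired = last is None or minute - last >= self.recheck_minutes
        prompt = expired or self._reboot_pending
        if prompt:
            self.prompts.append((minute, app))
            self._reboot_pending = False   # the post-reboot prompt satisfies the check
        # Using the app is activity for every app sharing this PIN.
        self._last_activity[scope] = minute
        return prompt

    def background(self, publisher: str, minute: int) -> None:
        """App leaves the foreground: the rolling timer for that PIN restarts here."""
        self._last_activity[self._scope(publisher)] = minute

    def reboot(self, minute: int) -> None:
        """iOS/iPadOS keeps the inactivity timer across a reboot; Android resets it."""
        if self.platform == "android":
            self._reboot_pending = True


def walkthrough(platform: str) -> list:
    """Constructed timeline; returns the (minute, app) pairs at which a PIN prompt fired."""
    sim = PinPromptSimulator(platform=platform, recheck_minutes=30)
    sim.open_app("Outlook", "Microsoft", 0)      # first corporate access: prompt on both platforms
    sim.open_app("OneDrive", "Microsoft", 10)    # same publisher, 10 min later: no prompt
    sim.open_app("LOB app", "Contoso", 12)       # other publisher: iOS prompts, Android shares the PIN
    sim.background("Microsoft", 15)              # Microsoft-scope timer restarts at minute 15
    sim.open_app("Outlook", "Microsoft", 40)     # 25 min since minute 15: no prompt
    sim.open_app("Teams", "Microsoft", 41)
    sim.reboot(45)
    sim.open_app("Outlook", "Microsoft", 50)     # iOS: 9 min idle, no prompt; Android: reboot, prompt
    sim.open_app("Outlook", "Microsoft", 100)    # 50 min idle: prompt on both
    return sim.prompts


if __name__ == "__main__":
    for platform in ("ios", "android"):
        print(platform, walkthrough(platform))
```

The two traces differ only where the text says they should: the Contoso app on iOS gets its own prompt because the PIN is scoped to the publisher, and the Android user is prompted immediately after the reboot even though fewer than 30 minutes have passed. Lowering recheck_minutes makes every scope expire sooner, which is the lever the note above recommends.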

適用於 Outlook 和 OneDrive 的內建應用程式 PINBuilt-in app PINs for Outlook and OneDrive
Intune PIN 會根據以閒置為基礎的計時器 ( [重新檢查存取需求前的剩餘時間 (分鐘)] 的值) 運作。The Intune PIN works based on an inactivity-based timer (the value of Recheck the access requirements after (minutes)). 因此,Intune PIN 提示會與 Outlook 和 OneDrive 的內建應用程式 PIN 提示分開顯示,後者預設通常與應用程式啟動相關。As such, Intune PIN prompts show up independently from the built-in app PIN prompts for Outlook and OneDrive which often are tied to app launch by default. 如果使用者同時收到兩個 PIN 提示,預期的行為應該是優先使用 Intune PIN。If the user receives both PIN prompts at the same time, the expected behavior should be that the Intune PIN takes precedence.

Intune PIN 安全性Intune PIN security
PIN 是用來允許僅有正確的使用者可以存取應用程式中的組織資料。The PIN serves to allow only the correct user to access their organization's data in the app. 因此,終端使用者必須使用他們的公司或學校帳戶登入,之後才能設定或重設其 Intune 應用程式 PIN。Therefore, an end user must sign in with their work or school account before they can set or reset their Intune app PIN. 這個驗證是由 Azure Active Directory 透過安全性權杖交換來處理,且未向 Intune SDK 公開。This authentication is handled by Azure Active Directory via secure token exchange and is not transparent to the Intune SDK. 從安全性角度來看,保護工作或學校資料的最佳方式是將資料加密。From a security perspective, the best way to protect work or school data is to encrypt it. 加密與應用程式 PIN 無關,而是其本身的應用程式保護原則。Encryption is not related to the app PIN but is its own app protection policy.

防範暴力密碼破解攻擊,以及 Intune PINProtecting against brute force attacks and the Intune PIN
做為應用程式 PIN 原則的一部份,IT 系統管理員可以設定在鎖定應用程式之前,使用者可以嘗試驗證其 PIN 的次數上限。As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to authenticate their PIN before locking the app. 當嘗試次數達到上限之後,Intune SDK 可以抹除應用程式中的「公司」資料。After the number of attempts has been met, the Intune SDK can wipe the "corporate" data in the app.

Intune PIN 和選擇性抹除Intune PIN and a selective wipe
在 iOS/iPadOS 上,應用程式層級 PIN 資訊會儲存在金鑰鏈中,此金鑰會在相同發行者應用程式之間共用,例如所有第一方 Microsoft 應用程式。On iOS/iPadOS, the app level PIN information is stored in the keychain that is shared between apps with the same publisher, such as all first party Microsoft apps. 此 PIN 資訊也會繫結至使用者帳戶。This PIN information is also tied to an end user account. 對某個應用程式進行選擇性抹除,應該不會影響到另一個不同的應用程式。A selective wipe of one app shouldn't affect a different app.

例如,已登入的使用者針對 Outlook 所設定的 PIN 會儲存在共用的鑰匙串中。For example, a PIN set for Outlook for the signed in user is stored in a shared keychain. 當使用者登入 OneDrive (也是由 Microsoft 所發行) 時,他們將會看到和 Outlook 相同的 PIN,因為它會使用相同的共用鑰匙串。When the user signs into OneDrive (also published by Microsoft), they will see the same PIN as Outlook since it uses the same shared keychain. 登出 Outlook 或抹除 Outlook 中的使用者資料時,Intune SDK 並不會清除鑰匙串,因為 OneDrive 可能仍然在使用該 PIN。When signing out of Outlook or wiping the user data in Outlook, the Intune SDK does not clear that keychain because OneDrive might still be using that PIN. 因此,選擇性抹除並不會清除共用鑰匙串,包括 PIN 在內。Because of this, selective wipes do not clear that shared keychain, including the PIN. 此行為會維持不變,即使裝置上只存在來自某個發行者的單一應用程式。This behavior remains the same even if only one app by a publisher exists on the device.

由於 PIN 是儲存在具有相同發行者的應用程式之間,如果對單一應用程式進行抹除,Intune SDK 並無法知道裝置上是否還有其他具有相同發行者的應用程式。Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a single app, the Intune SDK does not know if there are any other apps on the device with the same publisher. 因此 Intune SDK 不會清除 PIN,因為它可能仍然由其他應用程式使用。Thus, the Intune SDK does not clear the PIN since it might still be used for other apps. 預期的情況是,該應用程式 PIN 於未來會隨著 OS 清理之類的作業,在移除來自該發行者的最後一個應用程式時一起抹除。The expectation is that the app PIN should be wiped when last app from that publisher will be removed eventually as part of some OS cleanup.

如果您觀察到 PIN 在某些裝置上被抹除,很可能發生下列情況:由於 PIN 會繫結至身分識別,如果使用者在抹除後使用不同的帳戶登入,系統將會提示他們輸入新的 PIN。If you observe the PIN being wiped on some devices, the following is likely happening: Since the PIN is tied to an identity, if the user signed in with a different account after a wipe, they will be prompted to enter a new PIN. 不過,如果他們是使用先前的現有帳戶登入,便能使用儲存在鑰匙串中的 PIN 來登入。However, if they sign in with a previously existing account, a PIN stored in the keychain already can be used to sign in.

Setting a PIN twice on apps from the same publisher?
MAM (on iOS/iPadOS) currently allows an application-level PIN with alphanumeric and special characters (called a 'passcode'), which requires the participation of applications (i.e. WXP, Outlook, Managed Browser, Yammer) to integrate the Intune SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted applications. This feature was released in the Intune SDK for iOS v. 7.1.12.

In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK. Therefore, if a device has applications from the same publisher with Intune SDK for iOS versions both before 7.1.12 and at or after 7.1.12, the user will have to set up two PINs. The two PINs (one per app) are not related in any way (i.e. each must adhere to the app protection policy that's applied to its app). As such, only if apps A and B have the same policies applied (with respect to PIN) may the user set up the same PIN twice.

This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with Intune Mobile App Management. Over time, as applications adopt later versions of the Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher becomes less of an issue. See the note below for an example.

Note

For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to 7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an iOS/iPadOS device. If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A. An app D built with 7.1.14 will share the same PIN as app B.
If only apps A and C are installed on a device, then only one PIN will need to be set. The same applies if only apps B and D are installed on a device.
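The PIN-sharing rules above (shared keychain per publisher, PIN tied to the signed-in identity, and SDK 7.1.12+ PINs kept apart from earlier ones) reduce to a single scope key. The following model is an added illustration and is not Intune SDK code; the class and function names, the publisher name and the SDK versions used in the demo are assumptions made for this example.

```python
"""Model of which Intune-managed iOS apps share an app PIN.

Added illustration, not Intune SDK code. It encodes the rules stated in the
text: the PIN lives in a keychain shared by apps of one publisher, it is tied
to the signed-in identity, and apps built with SDK 7.1.12 or later keep their
PIN separately from apps built with earlier SDK versions. Names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

PASSCODE_SDK = (7, 1, 12)  # first SDK version with passcode-style PINs (from the text)


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.1.9' -> (7, 1, 9); tuples compare lexicographically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class App:
    name: str
    publisher: str
    sdk_version: str


def pin_scope(app: App, identity: str) -> Tuple[str, str, str]:
    """Key under which this app's PIN is stored for this user.

    Apps with the same publisher, the same signed-in identity and the same
    SDK generation (before / at-or-after 7.1.12) share one PIN.
    """
    generation = "sdk>=7.1.12" if parse_version(app.sdk_version) >= PASSCODE_SDK else "sdk<7.1.12"
    return (app.publisher, identity, generation)


class Device:
    """Keychain shared by all apps of one publisher, plus per-app account state."""

    def __init__(self) -> None:
        self.keychain: Dict[Tuple[str, str, str], str] = {}  # scope -> PIN
        self.app_accounts: Dict[str, str] = {}               # app name -> signed-in identity

    def sign_in(self, app: App, identity: str) -> str:
        """'existing-pin' if a usable PIN is already in the shared keychain, else 'new-pin-required'."""
        self.app_accounts[app.name] = identity
        return "existing-pin" if pin_scope(app, identity) in self.keychain else "new-pin-required"

    def set_pin(self, app: App, identity: str, pin: str) -> None:
        self.keychain[pin_scope(app, identity)] = pin

    def selective_wipe(self, app: App) -> None:
        """Removes the app's corporate account data; the shared keychain entry is left in place."""
        self.app_accounts.pop(app.name, None)


def pins_to_set_up(apps: Iterable[App], identity: str) -> int:
    """How many distinct PINs one user must create across these installed apps."""
    return len({pin_scope(app, identity) for app in apps})


if __name__ == "__main__":
    # Constructed sample: the four apps A-D from the note, one hypothetical publisher.
    a, b = App("A", "Contoso", "7.1.10"), App("B", "Contoso", "7.1.12")
    c, d = App("C", "Contoso", "7.1.9"), App("D", "Contoso", "7.1.14")
    user = "user@contoso.example"
    print("PINs for A,B,C,D:", pins_to_set_up([a, b, c, d], user))  # 2
    print("PINs for A,C:", pins_to_set_up([a, c], user))            # 1
    dev = Device()
    print(dev.sign_in(a, user))                                     # new-pin-required
    dev.set_pin(a, user, "1234")
    dev.selective_wipe(a)
    print(dev.sign_in(c, user))                                     # existing-pin (wipe kept the keychain)
    print(dev.sign_in(c, "other@contoso.example"))                  # new-pin-required (different identity)
```

The scope key is the whole point: a wipe changes `app_accounts`, never `keychain`, which is why a PIN appears to survive a wipe for the same identity and appears to be "wiped" when a different identity signs in.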

App data encryption

IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.

How Intune data encryption works
See the Android app protection policy settings and iOS/iPadOS app protection policy settings for detailed information on the encryption app protection policy setting.

Data that is encrypted
Only data marked as "corporate" is encrypted according to the IT administrator's app protection policy. Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations:

  • Email (Exchange)
  • Cloud storage (OneDrive app with a OneDrive for Business account)

For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered "corporate".

Selective wipe

Remotely wipe data
Intune can wipe app data in three different ways:

  • Full device wipe
  • Selective wipe for MDM
  • MAM selective wipe

For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.

Full device wipe removes all user data and settings from the device by restoring the device to its factory default settings. The device is removed from Intune.

Note

Full device wipe and selective wipe for MDM can only be achieved on devices enrolled with Intune mobile device management (MDM).

Selective wipe for MDM
See Remove devices - retire to read about removing company data.

Selective wipe for MAM
Selective wipe for MAM simply removes company app data from an app. The request is initiated using the Intune Azure portal. To learn how to initiate a wipe request, see How to wipe only corporate data from apps.

If the user is using the app when selective wipe is initiated, the Intune SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches the app for the first time and signs in with their work or school account.

When on-premises (on-prem) services don't work with Intune protected apps
Intune app protection depends on the identity of the user being consistent between the application and the Intune SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may work with an on-prem configuration, but they are neither consistent nor guaranteed.

Secure way to open web links from managed apps
The IT administrator can deploy and set an app protection policy for Microsoft Edge, a web browser that can be managed easily with Intune. The IT administrator can require all web links in Intune-managed apps to be opened using the Managed Browser app.

App protection experience for iOS devices

Device fingerprint or face IDs

Intune app protection policies allow control over app access to only the Intune licensed user. One of the ways to control access to the app is to require either Apple's Touch ID or Face ID on supported devices. Intune implements a behavior where, if there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.

The intent of this process is to continue keeping your organization's data within the app secure and protected at the app level. This feature is only available for iOS/iPadOS, and requires the participation of applications that integrate the Intune SDK for iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be enforced on the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.

iOS share extension

You can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to managed apps only or no apps. Intune app protection policy cannot control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before it is shared outside the app. You can validate this encryption behavior by attempting to open a "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.

By default, Intune app protection policies will prevent access to unauthorized application content. In iOS/iPadOS, there is functionality to open specific content or applications using Universal Links.

Users can disable an app's Universal Links by visiting them in Safari and selecting Open in New Tab or Open. In order to use Universal Links with Intune app protection policies, it's important to re-enable the Universal Links. The end user would need to do an Open in <app name> in Safari after long pressing a corresponding link. This should prompt any additional protected app to route all Universal Links to the protected application on the device.

Multiple Intune app protection access settings for the same set of apps and users

Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a wipe would take precedence, followed by a block, then a dismissible warning. For example, if applicable to the specific user/app, a minimum iOS/iPadOS operating system setting that warns a user to update their iOS/iPadOS version will be applied after the minimum iOS/iPadOS operating system setting that blocks the user from access. So, in the scenario where the IT admin configures the min iOS operating system to 11.0.0.0 and the min iOS operating system (Warning only) to 11.1.0.0, while the device trying to access the app is on iOS 10, the end user would be blocked based on the more restrictive setting for min iOS operating system version that results in blocked access.

When dealing with different types of settings, an Intune SDK version requirement would take precedence, then an app version requirement, followed by the iOS/iPadOS operating system version requirement. Then, any warnings for all types of settings are checked in the same order. We recommend the Intune SDK version requirement be configured only upon guidance from the Intune product team for essential blocking scenarios.

App protection experience for Android devices

Device biometric authentication

For Android devices that support biometric authentication, you can allow end users to use fingerprint or Face Unlock, depending on what their Android device supports. You can configure whether all biometric types beyond fingerprint can be used to authenticate. Note that fingerprint and Face Unlock are only available for devices manufactured to support these biometric types and that are running the correct version of Android. Android 6 and higher is required for fingerprint, and Android 10 and higher is required for Face Unlock.

Company Portal app and Intune app protection

Much of the app protection functionality is built into the Company Portal app. Device enrollment is not required, even though the Company Portal app is always required. For mobile application management without enrollment (MAM-WE), the end user just needs to have the Company Portal app installed on the device.

Multiple Intune app protection access settings for the same set of apps and users

Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a block would take precedence, then a dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to take a patch upgrade will be applied after the minimum Android patch version setting that blocks the user from access. So, in the scenario where the IT admin configures the min Android patch version to 2018-03-01 and the min Android patch version (Warning only) to 2018-02-01, while the device trying to access the app is on patch version 2018-01-01, the end user would be blocked based on the more restrictive setting for min Android patch version that results in blocked access.

When dealing with different types of settings, an app version requirement would take precedence, followed by the Android operating system version requirement and the Android patch version requirement. Then, any warnings for all types of settings are checked in the same order.
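The two precedence rules above (iOS/iPadOS: wipe, then block, then warn, checking SDK version, then app version, then OS version; Android: block, then warn, checking app version, then OS version, then patch version) can be captured in one small evaluator. This is an added example, not Intune SDK code; the `Requirement` shape, the function names and the sample policies are assumptions made for this illustration, and the example generalizes both platform sections into one table-driven check.

```python
"""Order in which Intune app protection access (conditional launch) settings
apply, as described in the iOS/iPadOS and Android sections above.

Added illustration, not Intune SDK code; requirement shape, function names and
sample policies are assumptions. The precedence table is the one the text
states for each platform.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outer order: which action wins. Inner order: which setting type is checked first.
PRECEDENCE = {
    "ios": {"actions": ("wipe", "block", "warn"), "kinds": ("sdk", "app", "os")},
    "android": {"actions": ("block", "warn"), "kinds": ("app", "os", "patch")},
}


def parse_component(value: str) -> Tuple[int, ...]:
    """'11.0.0.0' -> (11, 0, 0, 0); '2018-03-01' -> (2018, 3, 1).

    Tuples compare lexicographically, so a device reporting '10' is below
    '11.0.0.0' and patch date '2018-01-01' is below '2018-03-01'.
    """
    separator = "-" if "-" in value else "."
    return tuple(int(part) for part in value.split(separator))


@dataclass(frozen=True)
class Requirement:
    kind: str     # "sdk" | "app" | "os" | "patch"
    action: str   # "wipe" | "block" | "warn"
    minimum: str  # minimum version (or patch date) the device must meet


def evaluate(platform: str, policy: List[Requirement],
             device: Dict[str, str]) -> Tuple[str, Optional[Requirement]]:
    """Return (action, failing requirement) for the first failing requirement in
    precedence order, or ("allow", None) when the device meets every minimum."""
    order = PRECEDENCE[platform]
    for action in order["actions"]:
        for kind in order["kinds"]:
            for req in policy:
                if req.action != action or req.kind != kind:
                    continue
                if kind not in device:
                    continue  # nothing reported for this setting type; skip rather than guess
                if parse_component(device[kind]) < parse_component(req.minimum):
                    return action, req
    return "allow", None


if __name__ == "__main__":
    # Scenario from the iOS section: block below 11.0.0.0, warn below 11.1.0.0, device on iOS 10.
    ios_policy = [Requirement("os", "block", "11.0.0.0"), Requirement("os", "warn", "11.1.0.0")]
    print(evaluate("ios", ios_policy, {"os": "10"}))        # block
    print(evaluate("ios", ios_policy, {"os": "11.0.5"}))    # warn
    # Scenario from the Android section: block below patch 2018-03-01, device on 2018-01-01.
    android_policy = [Requirement("patch", "block", "2018-03-01"),
                      Requirement("patch", "warn", "2018-02-01")]
    print(evaluate("android", android_policy, {"patch": "2018-01-01"}))  # block
```

Because the action loop is the outer one, a block on any setting type is reported before a warning on any other type, which is exactly why the warning-only setting in both scenarios never gets a chance to fire.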

Intune app protection policies and Google's SafetyNet Attestation for Android devices

Intune app protection policies provide the capability for admins to require end-user devices to pass Google's SafetyNet Attestation for Android devices. A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune service. How often the service call is made is throttled due to load, so this value is maintained internally and is not configurable. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last result reported to the Intune service at the time of conditional launch. If there is no data, access will be allowed provided no other conditional launch check fails, and a Google Play Service "roundtrip" for determining attestation results will begin in the backend and prompt the user asynchronously if the device has failed. If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a Google Play Service "roundtrip" for determining attestation results will begin and prompt the user asynchronously if the device has failed.

Intune app protection policies and Google's Verify Apps API for Android devices

Intune App Protection Policies provide the capability for admins to require end-user devices to send signals via Google's Verify Apps API for Android devices. The instructions on how to do this vary slightly by device. The general process involves going to the Google Play Store, then tapping My apps & games, then tapping the result of the last app scan, which will take you into the Play Protect menu. Ensure the toggle for Scan device for security threats is switched on.

Google's SafetyNet Attestation API

Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled devices. Google has developed and maintained this API set for Android apps to adopt if they do not want their apps to run on rooted devices. The Android Pay app has incorporated this, for example. While Google does not share publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have rooted their devices. These users can then be blocked from accessing, or have their corporate accounts wiped from, their policy-enabled apps. Check basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Check basic integrity & certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. Devices that will fail include the following:

  • Devices that fail basic integrity
  • Devices with an unlocked bootloader
  • Devices with a custom system image/ROM
  • Devices for which the manufacturer didn't apply for, or pass, Google certification
  • Devices with a system image built directly from the Android Open Source Program source files
  • Devices with a beta/developer preview system image

See Google's documentation on the SafetyNet Attestation for technical details.

SafetyNet device attestation setting and the 'jailbroken/rooted devices' setting

Google Play Protect's SafetyNet API checks require the end user to be online, at least for the duration of the "roundtrip" that determines attestation results. If the end user is offline, the IT admin can still expect a result to be enforced from the jailbroken/rooted devices setting. That being said, if the end user has been offline too long, the Offline grace period value comes into play, and all access to work or school data is blocked once that timer value is reached, until network access is available. Turning on both settings allows for a layered approach to keeping end-user devices healthy, which is important when end users access work or school data on mobile.
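The SafetyNet sections above describe a decision with several inputs: the last attestation result, whether it exists at all or is stale, the setting level (basic integrity, or basic integrity and certified device), and whether the device has been offline longer than the Offline grace period. The following is an added example that ties those rules together; it is not Intune SDK code. The function names, the constructed sample statement and the staleness threshold are assumptions (the real refresh interval is internal to Intune and not configurable), and a real client must verify the JWS signature of a SafetyNet statement before trusting its payload, which this example deliberately leaves out.

```python
"""Conditional-launch decision for the SafetyNet device attestation setting.

Added illustration, not Intune SDK code. It decodes the payload of a SafetyNet
attestation statement (a compact JWS whose payload carries 'basicIntegrity' and
'ctsProfileMatch'), maps it onto the two setting levels described in the text,
and applies the text's rules for missing data, stale data and the offline
grace period. Names, sample data and the staleness threshold are assumptions.
"""
import base64
import json
from typing import Optional, Tuple

BASIC = "basic_integrity"                    # "Check basic integrity"
CERTIFIED = "basic_integrity_and_certified"  # "Check basic integrity & certified devices"


def decode_attestation_payload(jws: str) -> dict:
    """Return the payload segment of a compact JWS (header.payload.signature).

    The signature is NOT verified here; a real client must verify it (and the
    nonce, package name and timestamp) before trusting any field below.
    """
    payload_b64 = jws.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def attestation_passes(payload: dict, setting: str) -> bool:
    """Basic integrity needs basicIntegrity; the certified level also needs ctsProfileMatch."""
    basic = payload.get("basicIntegrity") is True
    certified = payload.get("ctsProfileMatch") is True
    return basic if setting == BASIC else (basic and certified)


def conditional_launch(setting: str, cached: Optional[dict], now: float, online: bool,
                       last_online_at: float, offline_grace_seconds: float,
                       stale_after_seconds: float) -> Tuple[str, bool]:
    """Return (decision, start_roundtrip).

    decision is 'allow' or 'block'; start_roundtrip says whether a fresh Play
    Services attestation should be kicked off in the background. 'cached' is
    {'payload': <decoded statement>, 'reported_at': <seconds>} or None.
    """
    # Offline past the grace period: all work/school data is blocked until network access returns.
    if not online and now - last_online_at > offline_grace_seconds:
        return "block", False
    # No data yet: allow (the other conditional-launch checks still apply) and start a roundtrip.
    if cached is None:
        return "allow", online
    # Data present (fresh or stale): enforce the last reported result; refresh if stale and online.
    decision = "allow" if attestation_passes(cached["payload"], setting) else "block"
    stale = now - cached["reported_at"] > stale_after_seconds
    return decision, stale and online


def constructed_statement(basic: bool, cts: bool) -> str:
    """Constructed, unsigned sample shaped like a SafetyNet statement (for the demo only)."""
    header = {"alg": "RS256", "x5c": []}
    payload = {"nonce": "c2FtcGxlLW5vbmNl", "timestampMs": 1514764800000,
               "apkPackageName": "com.example.managedapp",  # hypothetical package
               "ctsProfileMatch": cts, "basicIntegrity": basic, "evaluationType": "BASIC"}

    def segment(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{segment(header)}.{segment(payload)}.unsigned"


if __name__ == "__main__":
    payload = decode_attestation_payload(constructed_statement(basic=True, cts=False))
    cached = {"payload": payload, "reported_at": 1000.0}
    # Unlocked-bootloader style device: passes basic integrity, fails the certified level.
    print(conditional_launch(BASIC, cached, 1500.0, True, 1500.0, 3600, 7200))      # ('allow', False)
    print(conditional_launch(CERTIFIED, cached, 1500.0, True, 1500.0, 3600, 7200))  # ('block', False)
    print(conditional_launch(BASIC, None, 1500.0, True, 1500.0, 3600, 7200))        # ('allow', True)
    print(conditional_launch(BASIC, cached, 5000.0, False, 1000.0, 3600, 7200))     # ('block', False)
```

The two boolean fields are what separate the setting levels: a device that fails basic integrity fails both, while the bulleted list above (unlocked bootloader, custom ROM, uncertified manufacturer, AOSP or preview images) describes devices that typically still report basic integrity but not a certified profile, and so are only caught by the stricter level.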

Google Play Protect APIs and Google Play Services

The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to function. Both the SafetyNet device attestation and Threat scan on apps settings require a Google-determined version of Google Play Services to function correctly. Since these are settings that fall in the area of security, the end user will be blocked if they have been targeted with these settings and do not meet the appropriate version of Google Play Services or have no access to Google Play Services.

Next steps

How to create and deploy app protection policies with Microsoft Intune

Available Android app protection policy settings with Microsoft Intune

Available iOS/iPadOS app protection policy settings with Microsoft Intune

See also

Third-party apps such as the Salesforce mobile app work with Intune in specific ways to protect corporate data. To learn more about how the Salesforce app in particular works with Intune (including MDM app configuration settings), see Salesforce App and Microsoft Intune.