Android app protection policy settings in Microsoft Intune

This article describes the app protection policy settings for Android devices. The policy settings that are described can be configured for an app protection policy on the Settings pane in the Azure portal. There are three categories of policy settings: data protection settings, access requirements, and conditional launch. In this article, the term policy-managed apps refers to apps that are configured with app protection policies.

Important

The Intune Company Portal is required on the device to receive App Protection Policies for Android devices. For more information, see the Intune Company Portal access apps requirements.

The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.

Data protection

Data Transfer

Setting | How to use | Default value

Backup org data to Android backup services
Select Block to prevent this app from backing up work or school data to the Android Backup Service.

Select Allow to allow this app to back up work or school data.
Default value = Allow

Send org data to other apps
Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Do not allow data transfer to any app, including other policy-managed apps.

There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. For more information, see Data transfer exemptions.

This policy may also apply to Android App Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.

Note

Intune doesn't currently support the Android Instant Apps feature. Intune will block any data connection to or from the app. For more information, see Android Instant Apps in the Android Developer documentation.

If Send org data to other apps is configured to All apps, text data may still be transferred via OS sharing to the clipboard.

Default value = All apps
    Select apps to exempt
This option is available when you select Policy managed apps for the previous option.
    Save copies of org data
Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.

Note:
  • This setting is supported for Microsoft Excel, OneNote, PowerPoint, and Word. It may also be supported by third-party and LOB apps.
  • This setting is only enforced if the setting Send org data to other apps is set to Policy managed apps, Policy managed apps with OS sharing or Policy managed apps with Open-In/Share filtering.
Default value = Allow
      Allow user to save copies to selected services
Users can save to the selected services (OneDrive for Business, SharePoint, and Local Storage). All other services will be blocked.
Default value = 0 selected
    Transfer telecommunications data to
Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
  • None, do not transfer this data between apps: Do not transfer communication data when a phone number is detected.
  • A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
  • Any policy-managed dialer app: Allow any policy-managed dialer app to initiate contact when a phone number is detected.
  • Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
Default value = Any dialer app
      Dialer App Package ID
When a specific dialer app has been selected, you must provide the app package ID.
Default value = Blank
      Dialer App Name
When a specific dialer app has been selected, you must provide the name of the dialer app.
Default value = Blank
Receive data from other apps
Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Do not allow data transfer from any app, including other policy-managed apps.

There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.

Default value = All apps
    Open data into Org documents
Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open.

When set to Block, you can configure the Allow user to open data from selected services setting to specify which services are allowed for Org data locations.

Note:
  • This setting is only enforced if the setting Receive data from other apps is set to Policy managed apps.
  • The following apps support this setting:
    • OneDrive 6.14.1 or later.
    • Outlook for Android 4.2039.2 or later.

Default value = Allow
      Allow users to open data from selected services
Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.

Supported services:
  • OneDrive for Business
  • SharePoint Online
  • Camera
Default value = All selected
Restrict cut, copy and paste between other apps
Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value = Any app
    Cut and copy character limit for any app
Specify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.

Default Value = 0

Note: Requires Intune Company Portal version 5.0.4364.0 or later.
Screen capture and Google Assistant
Select Block to block screen capture and the Google Assistant capabilities of the device when using this app. Choosing Allow will also blur the App-switcher preview image when using this app with a work or school account.
Default value = Block

Approved keyboards
Select Require and then specify a list of approved keyboards for this policy.

Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later.

Default value = Not required
    Select keyboards to approve
This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. To add a keyboard, specify:
  • Name: A friendly name that identifies the keyboard, and is visible to the user.
  • Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosokeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.

    Note

    A user assigned multiple app protection policies will be allowed to use only the approved keyboards common to all policies.

Encryption

Setting | How to use | Default value

Encrypt org data
Choose Require to enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable.

The encryption method is FIPS 140-2 validated; for more information, see OpenSSL FIPS Library and Android Guide.
Default value = Require
    Encrypt org data on enrolled devices
Select Require to enforce encrypting org data with Intune app layer encryption on all devices. Select Not required to not enforce encrypting org data with Intune app layer encryption on enrolled devices.
Default value = Require

Functionality

Setting | How to use | Default value

Sync policy managed app data with native apps
Choose Block to prevent the policy-managed apps from saving data to the native Contacts and Calendar apps on the device. If you choose Allow, the app can save data to the native Contacts and Calendar apps on the device, when those features are enabled within the policy-managed app.

When you perform a selective wipe to remove work or school data from the app, contacts and calendar data synced directly from the app to the native Contacts and Calendar apps are removed. Any contacts or calendar data synced from the native Contacts or Calendar apps to another external source can't be wiped. Currently, this applies only to Outlook for iOS and Android app; for more information, see Deploying Outlook for iOS and Android app configuration settings.
Default value = Allow

Printing Org data
Choose Block to prevent the app from printing work or school data. If you leave this setting to Allow, the default value, users will be able to export and print all Org data.
Default value = Allow
Restrict web content transfer with other apps
Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
  • Any app: Allow web links in any app.
  • Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
  • Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
  • Unmanaged browser: Allow web content to open only in the unmanaged browser defined by Unmanaged browser protocol setting. The web content will be unmanaged in the target browser.
    Note: Requires Intune Company Portal version 5.0.4415.0 or later.

  • Policy-managed browsers
    On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.

    If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge.

    If a policy-managed browser is required, Android App Links are managed by the Allow app to transfer data to other apps policy setting.

    Intune device enrollment
    If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.

    Policy-managed Microsoft Edge
    The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the APP SDK and supports all of its data protection policies, with the exception of preventing:

    • Save-as: The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
    • Contact sync: The Microsoft Edge browser does not save to native contact lists.
    Note: The APP SDK cannot determine if a target app is a browser. On Android devices, other managed browser apps that support the http/https intent are allowed.
Default value = Not configured
    Unmanaged Browser ID
Enter the application ID for a single browser. Web content (http/https links) from policy-managed applications will open in the specified browser. The web content will be unmanaged in the target browser.
Default value = Blank
    Unmanaged Browser Name
Enter the application name for the browser associated with the Unmanaged Browser ID. This name will be displayed to users if the specified browser is not installed.
Default value = Blank
Org data notifications
Specify how much org data is shared via OS notifications for org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
  • Block: Do not share notifications.
    • If not supported by the application, notifications will be allowed.
  • Block org data: Do not share org data in notifications. For example, "You have new mail"; "You have a meeting".
    • If not supported by the application, notifications will be blocked.
  • Allow: Shares org data in the notifications

Note: This setting requires app support:
  • Outlook for Android 4.0.95 or later
  • Teams for Android 1416/1.0.0.2020092202 or later.
Default value = Allow
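
Several data protection settings above only take effect, or can only be saved, when a related setting has a particular value. The following check is an added example, not Intune or Microsoft code: it applies those stated dependencies to a policy written as a plain dictionary. The setting keys, the function names, and the sample package IDs are hypothetical; the option labels and default values are the ones listed on this page. Intersecting keyboards only across policies that set Approved keyboards to Require is an assumption.

```python
# Added illustration: hypothetical keys, option labels taken from this page.
DEFAULTS = {
    "send_org_data_to_other_apps": "All apps",
    "receive_data_from_other_apps": "All apps",
    "save_copies_of_org_data": "Allow",
    "open_data_into_org_documents": "Allow",
    "transfer_telecommunications_data_to": "Any dialer app",
    "approved_keyboards": "Not required",
    "restrict_web_content_transfer": "Not configured",
}

# "Save copies of org data" is only enforced with one of these values.
SEND_VALUES_ENFORCING_SAVE_AS = {
    "Policy managed apps",
    "Policy managed apps with OS sharing",
    "Policy managed apps with Open-In/Share filtering",
}


def lint_policy(policy: dict) -> list[str]:
    """Return findings for settings whose stated dependency is not met."""
    p = {**DEFAULTS, **policy}  # unset keys fall back to the documented default
    findings = []

    if (p["save_copies_of_org_data"] == "Block"
            and p["send_org_data_to_other_apps"] not in SEND_VALUES_ENFORCING_SAVE_AS):
        findings.append(
            "save_copies_of_org_data: Block is not enforced while "
            f"send_org_data_to_other_apps is '{p['send_org_data_to_other_apps']}'")

    if (p["open_data_into_org_documents"] == "Block"
            and p["receive_data_from_other_apps"] != "Policy managed apps"):
        findings.append(
            "open_data_into_org_documents: Block is not enforced while "
            f"receive_data_from_other_apps is '{p['receive_data_from_other_apps']}'")

    if p["transfer_telecommunications_data_to"] == "A specific dialer app":
        for key in ("dialer_app_package_id", "dialer_app_name"):
            if not p.get(key):
                findings.append(f"{key}: required when a specific dialer app is selected")

    if (p["restrict_web_content_transfer"] == "Unmanaged browser"
            and not p.get("unmanaged_browser_id")):
        findings.append("unmanaged_browser_id: no browser is defined for the Unmanaged browser option")

    if p["approved_keyboards"] == "Require":
        keyboards = p.get("keyboards", [])
        if not keyboards:
            findings.append("keyboards: at least one approved keyboard is required")
        for kb in keyboards:
            if not kb.get("name") or not kb.get("package_id"):
                findings.append(f"keyboards: entry {kb!r} needs both name and package_id")

    return findings


def effective_keyboards(policies: list[dict]):
    """Package IDs a user with all these policies may use (common to all policies).

    Returns None when no policy requires approved keyboards (assumption: only
    policies set to Require take part in the intersection).
    """
    sets = [
        {kb["package_id"] for kb in p.get("keyboards", [])}
        for p in policies
        if p.get("approved_keyboards") == "Require"
    ]
    return set.intersection(*sets) if sets else None


if __name__ == "__main__":
    # Constructed sample policy: Save As is blocked, but sending stays at its default.
    sample = {"save_copies_of_org_data": "Block"}
    for finding in lint_policy(sample):
        print(finding)
```
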

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policies allow data transfer to and from. For example, all Intune-managed apps on Android must be able to transfer data to and from the Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.

Full exemptions

These apps and services are fully allowed for data transfer to and from Intune-managed apps.

App/service name | Description
com.android.phone | Native phone app
com.android.vending | Google Play Store
com.android.documentsui | Android Document Picker
com.google.android.webview | WebView, which is necessary for many apps including Outlook.
com.android.webview | WebView, which is necessary for many apps including Outlook.
com.google.android.tts | Google Text-to-speech
com.android.providers.settings | Android system settings
com.android.settings | Android system settings
com.azure.authenticator | Azure Authenticator app, which is required for successful authentication in many scenarios.
com.microsoft.windowsintune.companyportal | Intune Company Portal

Conditional exemptions

These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.

App/service name | Description | Exemption condition
com.android.chrome | Google Chrome Browser | Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.
com.skype.raider | Skype | The Skype app is allowed only for certain actions that result in a phone call.
com.android.providers.media | Android media content provider | The media content provider is allowed only for the ringtone selection action.
com.google.android.gms; com.google.android.gsf | Google Play Services packages | These packages are allowed for Google Cloud Messaging actions, such as push notifications.
com.google.android.apps.maps | Google Maps | Addresses are allowed for navigation

For more information, see Data transfer policy exceptions for apps.

Access requirements

Setting | How to use

PIN for access
Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context.

Default value = Require

You can configure the PIN strength using the settings available under the PIN for access section.
    PIN type
Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

Default value = Numeric

Note: Special characters allowed include the special characters and symbols on the Android English language keyboard.
    Simple PIN
Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If Block is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed.

Default value = Allow

Note: If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter or at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number and one letter and at least one special character in their PIN.
    Select minimum PIN length
Specify the minimum number of digits in a PIN sequence.

Default value = 4
    Fingerprint instead of PIN for access (Android 6.0+)
Select Allow to allow the user to use fingerprint authentication instead of a PIN for app access.

Default value = Allow

Note: This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, are not supported.

On Android, you can let the user prove their identity by using Android fingerprint authentication instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN.

Android work profile enrolled devices require registering a separate fingerprint for the Fingerprint instead of PIN for access policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android work profile. The separate fingerprint must be registered with the device after the Android work profile is created by enrolling in the Company Portal. For more information about work profile fingerprints using Android work profiles, see Lock your work profile.
    Override fingerprint with PIN after timeout
To use this setting, select Require and then configure an inactivity timeout.

Default value = Require
      Timeout (minutes of inactivity)
Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.

Default value = 30
    PIN reset after number of days
Select Yes to require users to change their app PIN after a set period of time, in days.

When set to Yes, you then configure the number of days before the PIN reset is required.

Default value = No
      Number of days
Configure the number of days before the PIN reset is required.

Default value = 90
    Select number of previous PIN values to maintain
This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.

Default value = 0
    App PIN when device PIN is set
Select Not required to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Default value = Require.
Work or school account credentials for access
Choose Require to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.

Default value = Not required

Recheck the access requirements after (minutes of inactivity)
Configure the following setting:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.

    This policy setting format supports a positive whole number.

    Default value = 30 minutes

    Note: On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting.

Note

To learn more about how multiple Intune app protection settings configured in the Access section for the same set of apps and users work on Android, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.
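
The PIN type, Simple PIN and minimum length rules in the table above can be exercised against candidate PINs with the following added example, which is not Intune's implementation. It assumes that a "simple" 3-character window is either one character repeated or an ascending run of digits or letters (the patterns the page names), and that `string.punctuation` stands in for the special characters on the Android English keyboard; the function names are hypothetical.

```python
import string

# Assumption: ASCII punctuation approximates the Android English keyboard symbols.
SPECIALS = set(string.punctuation)


def simple_windows(pin: str) -> list[str]:
    """Return each 3-character sliding window that is a repeated or ascending run."""
    hits = []
    for i in range(len(pin) - 2):
        window = pin[i:i + 3]
        a, b, c = (ord(ch) for ch in window.lower())
        repeated = a == b == c
        # Ascending runs only count inside one character class (123, abc).
        same_class = window.isascii() and (window.isdigit() or window.isalpha())
        ascending = same_class and b - a == 1 and c - b == 1
        if repeated or ascending:
            hits.append(window)
    return hits


def validate_pin(pin: str, pin_type: str = "numeric",
                 simple_pin: str = "allow", min_length: int = 4) -> list[str]:
    """Check a candidate PIN against the page's rules; an empty list means accepted.

    Defaults mirror the documented defaults: Numeric, Simple PIN = Allow, length 4.
    """
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} characters")

    has_digit = any(ch in string.digits for ch in pin)
    has_letter = any(ch in string.ascii_letters for ch in pin)
    has_special = any(ch in SPECIALS for ch in pin)

    if pin_type == "numeric":
        if not pin or not all(ch in string.digits for ch in pin):
            problems.append("numeric PIN may contain only digits")
    elif pin_type == "passcode":
        if simple_pin == "block":
            # Passcode + Simple PIN blocked: number AND letter AND special character.
            if not (has_digit and has_letter and has_special):
                problems.append("passcode needs a number, a letter and a special character")
        elif not (has_letter or has_special):
            # Passcode + Simple PIN allowed: letter OR special character.
            problems.append("passcode needs a letter or a special character")
    else:
        raise ValueError(f"unknown pin_type: {pin_type!r}")

    if simple_pin == "block":
        hits = simple_windows(pin)
        if hits:
            problems.append("simple sequence: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # The page's own examples, checked with Simple PIN set to Block.
    for candidate in ("1234", "1111", "1235", "1112", "1122"):
        print(candidate, validate_pin(candidate, "numeric", "block") or "accepted")
```
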

Conditional launch

Configure conditional launch settings to set sign-in security requirements for your app protection policy.

By default, several settings are provided with pre-configured values and actions. You can delete some settings, like the Min OS version. You can also select additional settings from the Select one dropdown.

Setting | How to use

Max PIN attempts
Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. This policy setting format supports a positive whole number. Actions include:
  • Reset PIN - The user must reset their PIN.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Default value = 5

Offline grace period
The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
  • Block access (minutes) - The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Azure Active Directory (Azure AD) so that the app can continue to run.

    This policy setting format supports a positive whole number.

    Default value = 720 minutes (12 hours)
  • Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. For more information, see How to wipe only corporate data from Intune-managed apps.

    This policy setting format supports a positive whole number.

    Default value = 90 days

This entry can appear multiple times, with each instance supporting a different action.
Jailbroken/rooted devices There is no value to set for this setting. Actions include:
  • Block access - Prevent this app from running on jailbroken or rooted devices. The user continues to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Disabled account There is no value to set for this setting. Actions include:
  • Block access - When we have confirmed the user has been disabled in Azure Active Directory, the app blocks access to work or school data.
  • Wipe data - When we have confirmed the user has been disabled in Azure Active Directory, the app will perform a selective wipe of the user's account and data.
Min OS version Specify a minimum Android operating system that is required to use this app. Actions include:
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.
Min app version Specify a value for the minimum operating system value. Actions include:
  • Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user is blocked from access if the app version on the device does not meet the requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.

Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.
Min patch version Require devices to have a minimum Android security patch released by Google. Actions include:
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting supports the date format of YYYY-MM-DD.
Device manufacturer(s) Specify a semicolon-separated list of manufacturer(s). These values are not case sensitive. Actions include:
  • Allow specified (Block non-specified) - Only devices that match the specified manufacturer can use the app. All other devices are blocked.
  • Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Conditional Launch actions.
SafetyNet device attestation App protection policies support some of Google Play Protect's APIs. This setting in particular configures Google's SafetyNet Attestation on end user devices. Specify either Basic integrity or Basic integrity and certified devices. Basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity & certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. Actions include:
  • Warn - The user sees a notification if the device does not meet Google's SafetyNet Attestation scan based on the value configured. This notification can be dismissed.
  • Block access - The user is blocked from access if the device does not meet Google's SafetyNet Attestation scan based on the value configured.
  • Wipe data - The user account that is associated with the application is wiped from the device.
For commonly asked questions related to this setting, see Frequently asked questions about MAM and app protection.
Require threat scan on apps App protection policies support some of Google Play Protect's APIs. This setting in particular ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. Actions include:
  • Warn - The user sees a notification if Google's Verify Apps scan on the device is not turned on. This notification can be dismissed.
  • Block access - The user is blocked from access if Google's Verify Apps scan on the device is not turned on.
Results from Google's Verify Apps scan are surfaced in the Potentially Harmful Apps report in the console.
Min Company Portal version By using the Min Company Portal version, you can specify a minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set values to Block access, Wipe data, and Warn as possible actions when each value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some end users may not prefer a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to use if they are on mobile data at the time of the update. Forcing an update and thereby downloading an updated app could result in unexpected data charges at the time of the update. For more information, see Android policy settings.
Max Company Portal version age (days) You can set a maximum number of days as the age of the Company Portal (CP) version for Android devices. This setting ensures that end users are within a certain range of CP releases (in days). The value must be between 0 and 365 days. When the setting for the devices is not met, the action for this setting is triggered. Actions include Block access, Wipe data, or Warn. For related information, see Android policy settings.
Max allowed device threat level App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection. Actions include:
  • Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Enable the Mobile Threat Defense connector in Intune for unenrolled devices.
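
The value formats listed in the table above can be checked before a policy is deployed, so that a malformed threshold does not leave a Block or Wipe action misconfigured. The following is an added example, not part of the original article or of Intune: the setting keys are hypothetical labels rather than Intune or Graph property names, and treating missing version parts as zero is an assumption.

```python
import re
from datetime import date

def whole_number(value, low=1, high=None):
    # "Positive whole number": reject floats, signs, bools and empty text.
    if isinstance(value, bool) or not re.fullmatch(r"\d+", str(value)):
        raise ValueError(f"not a whole number: {value!r}")
    if int(value) < low or (high is not None and int(value) > high):
        raise ValueError(f"{value} is out of range")
    return int(value)

def version(value):
    # major.minor, major.minor.build or major.minor.build.revision
    if not re.fullmatch(r"\d+\.\d+(?:\.\d+){0,2}", str(value)):
        raise ValueError(f"bad version format: {value!r}")
    parts = [int(p) for p in str(value).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # assumption: missing parts = 0

def patch_date(value):
    # YYYY-MM-DD, and it must be a real calendar date.
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", str(value)):
        raise ValueError(f"bad patch date: {value!r}")
    return date.fromisoformat(str(value))

def manufacturers(value):
    # Semicolon-separated list; values are not case sensitive.
    names = {n.strip().casefold() for n in str(value).split(";") if n.strip()}
    if not names:
        raise ValueError("manufacturer list is empty")
    return names

# Hypothetical keys for this example (not Intune or Graph property names).
CHECKS = {
    "max_pin_attempts": whole_number,
    "offline_block_minutes": whole_number,
    "min_os_version": version,
    "min_patch_version": patch_date,
    "max_company_portal_age_days": lambda v: whole_number(v, 0, 365),
    "device_manufacturers": manufacturers,
}

def lint_policy(policy):
    problems = {}
    for key in CHECKS.keys() & policy.keys():
        try:
            CHECKS[key](policy[key])
        except ValueError as error:
            problems[key] = str(error)
    return problems
```

`lint_policy` returns a dictionary that maps each offending key to the reason its value was rejected; an empty dictionary means every supplied value matches its stated format.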