Manage team collaboration access by using Teams for iOS and Android with Microsoft Intune

Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the people, content, and tools your team needs to be more engaged and effective.

The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Teams for iOS and Android from mobile devices, and an Intune app protection policy that ensures the collaboration experience is protected.

Apply Conditional Access

Organizations can use Azure AD Conditional Access policies to ensure that users can only access work or school content using Teams for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. Details on creating this policy can be found in Require app protection policy for cloud app access with Conditional Access.

  1. Follow "Step 1: Configure an Azure AD Conditional Access policy for Office 365" in Scenario 1: Office 365 apps require approved apps with app protection policies. That policy allows Teams for iOS and Android, but blocks third-party OAuth-capable mobile device clients from connecting to Office 365 endpoints.

    Note

    This policy ensures mobile users can access all Office endpoints using the applicable apps.

Create Intune app protection policies

App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building on the previous one:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted, and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry-level configuration that provides data protection controls similar to those in Exchange Online mailbox policies, and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high-risk data.

To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

Regardless of whether the device is enrolled in a unified endpoint management (UEM) solution, an Intune app protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a minimum, must meet the following conditions:

  1. They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can access and manipulate work or school data within any Microsoft app in a secure fashion.

  2. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Teams for iOS or Android.

  3. Determine which framework level meets your requirements. Most organizations should implement the settings defined in Enterprise enhanced data protection (Level 2), as that enables data protection and access requirement controls.

For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.

Utilize app configuration

Teams for iOS and Android supports app settings that allow administrators of a unified endpoint management (UEM) solution, such as Microsoft Endpoint Manager, to customize the behavior of the app.

App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (the Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Intune App Protection Policy (APP) channel. Teams for iOS and Android supports the following configuration scenarios:

  • Only allow work or school accounts

Important

For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Teams for Android must be deployed via the Managed Google Play store. For more information, see Set up enrollment of Android Enterprise work profile devices and Add app configuration policies for managed Android Enterprise devices.

Each configuration scenario highlights its specific requirements: for example, whether the scenario requires device enrollment, and thus works with any UEM provider, or whether it requires Intune App Protection Policies.

Note

With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to as a Managed Apps App Configuration Policy.

Only allow work or school accounts

Respecting the data security and compliance policies of our largest and most highly regulated customers is a key pillar of the Microsoft 365 value. Some companies have a requirement to capture all communications information within their corporate environment, as well as to ensure that devices are only used for corporate communications. To support these requirements, Teams for iOS and Android on enrolled devices can be configured to only allow a single corporate account to be provisioned within the app.

You can learn more about configuring the org allowed accounts mode setting here:

This configuration scenario only works with enrolled devices. However, any UEM provider is supported. If you are not using Microsoft Endpoint Manager, you need to consult your UEM documentation on how to deploy these configuration keys.

Next steps