Compliance policy settings for Android devices in Microsoft Intune

Applies to: Intune in the classic console
The policy settings described in this topic apply to devices that are running Android 4.0 and later or Samsung KNOX 4.0 and later.

System security settings


  • Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before they can access their device.

  • Minimum password length: Specify the minimum number of digits or characters that the user’s password must have.

  • Password quality: This setting detects if the password requirements that you specify are set up on the device. Enable this setting to require that users meet certain password requirements for Android devices. Choose from:

    • Low security biometric
    • Required
    • At least numeric
    • At least alphabetic
    • At least alphanumeric
    • Alphanumeric with symbols
  • Minutes of inactivity before password is required: Specify the idle time before the user must re-enter their password.

  • Password expiration (days): Select the number of days before the user’s password expires and they must create a new one.

  • Remember password history: Use this setting together with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.

  • Prevent reuse of previous passwords: Specify the number of previously used passwords that cannot be re-used (if Remember password history is selected).

  • Require a password when the device returns from an idle state: Use together with the Minutes of inactivity before password is required setting. Users are prompted to enter a password to access a device that has been inactive for the time specified in the Minutes of inactivity before password is required setting.


  • Require encryption on mobile device: Set this to Yes to require devices to be encrypted to be able to connect to resources. Devices are encrypted when you configure the setting Require a password to unlock mobile devices.

Device health and security settings

  • Device must not be jailbroken or rooted: If you enable this setting, jailbroken devices are evaluated as noncompliant.
  • Require that devices prevent installation of apps from unknown sources (Android 4.0 or later): To block devices that have Security > Unknown sources enabled on the device, enable this setting and set it to Yes.

Side-loading applications requires that the Unknown sources setting is enabled. Enforce this compliance policy only if you are not side-loading Android apps on devices.

  • Require that USB debugging is disabled (Android 4.2 or later): Specify whether to detect if the USB debugging option on the device is enabled.
  • Require devices have enabled Scan device for security threats (Android 4.2-4.4): Specify that the Verify apps feature is enabled on the device.
  • Minimum Android security patch level (Android 6.0 or later): Specify the minimum Android patch level. Devices that are not at least at this patch level will be noncompliant. The date must be specified in this format: YYYY-MM-DD.
  • Require device threat protection to be enabled: Use this setting to take the risk assessment from the Lookout MTP solution as a condition for compliance. Select the maximum allowed threat level, which is one of the following:

    • None (secured): This is the most secure. This means that the device cannot have any threats. If the device is detected as having any threats, it is evaluated as noncompliant.
    • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in noncompliant status.
    • Medium: The device is evaluated as compliant if the threats that are present on the device are low- or medium-level. If high-level threats are detected on the device, it is determined to be noncompliant.
    • High: This is the least secure. Essentially this allows all threat levels, which is perhaps only useful if you are using this solution only for reporting purposes.

    For more details, see Create Lookout device compliance policy.

Device property settings

  • Minimum OS required: When a device doesn't meet the minimum OS version requirement, it is reported as noncompliant. A link with information about how to upgrade is displayed. The user can choose to upgrade their device, after which they can access company resources.

  • Maximum OS version allowed: When a device is using an OS version that's later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule changes to allow the OS version, this device cannot be used to access company resources.
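
The evaluation rules described on this page (maximum allowed threat level, minimum patch level in YYYY-MM-DD form, minimum and maximum OS version, and the rooted / unknown sources / USB debugging checks) can be modelled as follows. This is an added Python example, not Intune's code; the dictionary keys, function names, and sample devices are hypothetical and constructed for illustration.

```python
import re
from datetime import date

# Threat levels in the order the page lists them, least to most severe.
THREAT_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

def parse_patch_level(text):
    """Accept only the YYYY-MM-DD form the patch-level setting requires."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):
        raise ValueError(f"patch level must be YYYY-MM-DD, got {text!r}")
    return date.fromisoformat(text)

def parse_version(text):
    """'6.0' -> (6,), '6.0.1' -> (6, 0, 1): numeric compare, trailing zeros ignored."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def evaluate(policy, device):
    """Return the names of the settings the device fails; an empty list means compliant."""
    failed = []
    for flag in ("rooted", "unknown_sources", "usb_debugging"):
        if policy.get("block_" + flag) and device[flag]:
            failed.append(flag)
    if "min_patch_level" in policy:
        reported = device.get("patch_level")
        # Assumption of this sketch: a device that reports no patch level fails the check.
        if reported is None or parse_patch_level(reported) < parse_patch_level(policy["min_patch_level"]):
            failed.append("min_patch_level")
    if "max_threat_level" in policy:
        # Noncompliant only when the detected level exceeds the allowed maximum.
        if THREAT_ORDER[device["threat_level"]] > THREAT_ORDER[policy["max_threat_level"]]:
            failed.append("max_threat_level")
    os_version = parse_version(device["os_version"])
    if "min_os" in policy and os_version < parse_version(policy["min_os"]):
        failed.append("min_os")
    if "max_os" in policy and os_version > parse_version(policy["max_os"]):
        failed.append("max_os")
    return failed

# Constructed sample policy and devices (not real inventory data).
POLICY = {"block_rooted": True, "block_usb_debugging": True,
          "min_patch_level": "2017-06-01", "max_threat_level": "low",
          "min_os": "6.0", "max_os": "8.1"}
PHONE_OK = {"rooted": False, "unknown_sources": False, "usb_debugging": False,
            "patch_level": "2017-08-05", "threat_level": "low", "os_version": "7.1.1"}
PHONE_BAD = {"rooted": False, "unknown_sources": True, "usb_debugging": True,
             "patch_level": "2017-05-01", "threat_level": "medium", "os_version": "9.0"}
```

`evaluate(POLICY, PHONE_BAD)` reports four failed settings; the enabled Unknown sources option is not among them because the sample policy leaves that check off, matching the side-loading note above.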

