Mobile device security policy settings in Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.
Important

Microsoft Intune now features separate configuration policies for each device platform. These policies contain the most up-to-date settings that you can use. You can continue to use the mobile device security policy, and any existing deployments will still work. However, you should plan to migrate to the new configuration policies as soon as possible because the mobile device security policy will be removed in the future.

You can use Intune mobile device security policies to configure a wide range of settings that you can deploy to managed devices in your organization. These settings are used to control the functionality and security of your devices.

You can create and deploy mobile device security policies for the following device types:

  • Windows RT 8.1 and enrolled Windows 8.1 devices

  • Windows RT

  • Windows Phone 8 and Windows Phone 8.1

  • iOS

  • Android and Samsung KNOX Standard

Note

Some settings are not applicable to some devices. See the tables below for a full list of settings that you can configure. From October 2016, Microsoft Intune will deprecate support for Windows 8 Company Portal apps. Microsoft Intune will also deprecate support for the Windows Phone 8 and WinRT platforms. As a consequence, you will not be able to enroll or update any Windows Phone 8 or WinRT devices. You can continue to manage Windows Phone 8, WinRT and Windows 8 devices that are already enrolled. Update Windows Phone 8 and Windows 8 devices to Windows 8.1 and Windows Phone 8.1, and use the corresponding Windows 8.1 and Windows Phone 8.1 Company Portal apps to continue distributing apps to these devices without disruptions.

Security settings

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Require a password to unlock mobile devices | No | No | Yes | Yes | Yes |
| Required password type. This setting specifies the type of password that will be required, such as numeric only or alphanumeric. | Yes | Yes | Yes | Yes | No |
| Required password type – Minimum number of character sets. There are four character sets: lowercase letters, uppercase letters, numbers, and symbols. This setting specifies how many different character sets must be included in the password. However, for iOS devices, this specifies the number of symbol characters that must be included in the password. | Yes | Yes | Yes | Yes | No |
| Minimum password length | Yes | Yes | Yes | Yes | Yes |
| Allow simple passwords. Simple passwords include ‘0000’ and ‘1234’. | No | No | Yes | Yes | No |
| Number of repeated sign-in failures to allow before the device is wiped | Yes | Yes | Yes | Yes | Yes |
| Minutes of inactivity before screen turns off¹ | Yes | Yes | Yes | Yes | Yes |
| Password expiration (days) | Yes | Yes | Yes | Yes | Yes |
| Remember password history | Yes | Yes | Yes | Yes | Yes |
| Remember password history – Prevent reuse of previous passwords | Yes | Yes | Yes | Yes | Yes |
| Password quality | No | No | No | No | Yes |
| Allow picture password and PIN | Yes | Yes | No | No | No |
| Minutes of inactivity before password is required | No | No | No | Yes | No |
| Allow fingerprint unlock | No | No | No | iOS 7 and later | No |

¹ For iOS devices, when you configure the settings "Minutes of inactivity before screen turns off" and "Minutes of inactivity before password is required", they are applied in sequence. For example, if you set the value for both settings to 5 minutes, the screen will turn off automatically after 5 minutes, and the device will be locked after an additional 5 minutes. However, if the user turns off the screen manually, the second setting is immediately applied. In the same example, after the user turns off the screen, the device will lock 5 minutes later.

When you deploy a password length policy to devices that run Windows RT, users will be forced to reset their password, even if their current password complies with the policy requirements.

Encryption settings

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Require encryption on mobile device¹. For Windows Phone 8 devices, you must set this to Yes. To enable encryption on iOS devices, enable the setting "Require a password to unlock mobile devices". | Yes | No | Yes | No | Yes |
| Require encryption on storage cards. This setting applies to devices that are managed by Exchange ActiveSync also. | n/a | n/a | n/a. Apps and associated data are automatically encrypted. | n/a | Yes |

¹ Here is additional information for devices that run Windows 8.1:

  • To enforce encryption on devices that run Windows 8.1, you must install the December 2014 MDM client update for Windows on each device.

  • If you enable this setting for Windows 8.1 devices, all users of the device must have a Microsoft account.

  • For encryption to work, the device must meet the Microsoft InstantGo hardware certification requirements.

  • When you enforce encryption on a device, the recovery key is only accessible from the user's Microsoft account, which is accessed from their OneDrive account. You cannot recover this key on behalf of a user.

Malware settings

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Require network firewall | Yes | No | No | No | No |
| Enable SmartScreen | Yes | No | No | No | No |

System settings

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Require automatic updates | Yes | No | No | No | No |
| Require automatic updates – Minimum classification of updates to install automatically. Choose the classification of updates that will be installed automatically: Important (installs all updates that are classified as important) or Recommended (installs all updates that are classified as important or recommended). | Yes | No | No | No | No |
| Allow screen capture | No | No | Windows Phone 8.1 only | Yes | Yes (Samsung KNOX Standard only) |
| Allow control center in lock screen | No | No | No | iOS 7 and later | No |
| Allow notification view in lock screen | No | No | No | iOS 7 and later | No |
| Allow today view in lock screen | No | No | No | iOS 7 and later | No |
| User Account Control | Yes | No | No | No | No |
| Allow diagnostic data submission | Yes | No | Windows Phone 8.1 only | Yes | Yes (Samsung KNOX Standard only) |
| Allow untrusted TLS certificates | No | No | No | Yes | No |
| Allow personal wallet software while locked | No | No | No | Yes | No |
| Allow factory reset | No | No | No | No | Yes (Samsung KNOX Standard only) |

Cloud settings – documents and data

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow backup to iCloud | No | No | No | Yes | No |
| Allow document sync to iCloud | No | No | No | Yes | No |
| Allow Photo Stream sync to iCloud | No | No | No | Yes | No |
| Require encrypted backup | No | No | No | Yes | No |
| Work Folders URL. This setting sets the URL of the work folder to allow documents to be synchronized across devices. | Yes | No | No | No | No |
| Allow Google backup | No | No | No | No | Yes (Samsung KNOX Standard only) |

Cloud settings – accounts and synchronization

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow Microsoft account | No | No | Windows Phone 8.1 only | No | No |
| Allow Google account auto sync | No | No | No | No | Yes (Samsung KNOX Standard only) |

Email settings

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow users to download email attachments¹ | n/a | n/a | n/a | n/a | n/a |
| Email synchronization period. This setting applies to devices that are managed by Exchange ActiveSync also. | n/a | n/a | n/a | n/a | n/a |
| Allow mobile devices that don’t fully support these settings to synchronize with Exchange (Exchange ActiveSync). This setting applies to devices that are managed by Exchange ActiveSync also. | n/a | n/a | n/a | n/a | n/a |
| Make Microsoft account optional in Windows Mail application | Yes | No | No | No | No |
| Allow custom email accounts | No | No | Windows Phone 8.1 only | No | No |

Application settings - browser

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow web browser | No | No | Windows Phone 8.1 only | Yes | Yes (Samsung KNOX Standard only) |
| Allow autofill | Yes | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow pop-up blocker | Yes | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow cookies | No | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow plug-ins | Yes | No | No | No | No |
| Allow active scripting | Yes | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow fraud warning | Yes | No | No | Yes | No |
| Allow intranet site for single word entry (This setting allows the use of a single word to direct Internet Explorer to a website, for example, ‘Bing’.) | Yes | No | No | No | No |
| Allow automatic detection of intranet network | Yes | No | No | No | No |
| Security level for Internet | Yes | No | No | No | No |
| Security level for intranet | Yes | No | No | No | No |
| Security level for trusted sites | Yes | No | No | No | No |
| Security level for restricted sites | Yes | No | No | No | No |
| Send Do Not Track header | Yes | No | No | No | No |
| Allow Enterprise Mode menu access | Yes | No | No | No | No |
| Enterprise Mode site list location | Yes | No | No | No | No |

Application settings - apps

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow application store | No | No | Windows Phone 8.1 only | Yes | Yes (Samsung KNOX Standard only) |
| Require a password to access application store | No | No | No | Yes | No |
| Allow in-app purchases | No | No | No | Yes | No |
| Allow managed documents in other unmanaged apps | No | No | No | iOS 7 and later | No |
| Allow unmanaged documents in other managed apps | No | No | No | iOS 7 and later | No |
| Allow video conferencing | No | No | No | Yes | No |
| Allow adult content in media store | No | No | No | Yes | No |
| Allow app installation | No | No | No | iOS 6 and later | No |

Application settings - gaming

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow Game Center friends | No | No | No | Yes | No |
| Allow multiplayer gaming | No | No | No | Yes | No |

Device capabilities settings - hardware

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow camera | No | No | Windows Phone 8.1 only | Yes | Yes |
| Allow removable storage | No | No | Yes | No | Yes (Samsung KNOX Standard only) |
| Allow Wi-Fi | No | No | Windows Phone 8.1 only | No | Yes (Samsung KNOX Standard only) |
| Allow Wi-Fi tethering | No | No | Windows Phone 8.1 only | No | Yes (Samsung KNOX Standard only) |
| Allow automatic connection to free Wi-Fi hotspots | No | No | Windows Phone 8.1 only | No | No |
| Allow Wi-Fi hotspot reporting. This setting sends information about Wi-Fi connections to help discover nearby connections. | No | No | Windows Phone 8.1 only | No | No |
| Allow geolocation. This setting allows the device to utilize location information. | No | No | Windows Phone 8.1 only | No | Yes (Samsung KNOX Standard only) |
| Allow NFC. This setting allows operations that use near-field communication. | No | No | Windows Phone 8.1 only | No | Yes (Samsung KNOX Standard only) |
| Allow Bluetooth | No | No | Windows Phone 8.1 only | No | Yes (Samsung KNOX Standard only) |
| Allow power off. If this setting is disabled, the setting "Number of repeated sign in failures to allow before the device is wiped" for Samsung KNOX Standard devices does not function. | No | No | No | No | Yes (Samsung KNOX Standard only) |

Device capabilities settings - cellular

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow voice roaming | No | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow data roaming | Yes | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow automatic synchronization while roaming | No | No | No | Yes | No |
| Allow SMS/MMS messaging | No | No | No | No | Yes (Samsung KNOX Standard only) |

Device capabilities settings - features

| Setting name | Windows 8.1 and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | iOS | Android and Samsung KNOX Standard |
| --- | --- | --- | --- | --- | --- |
| Allow voice assistant | No | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow voice assistant while device is locked | No | No | No | Yes | No |
| Allow voice dialing | No | No | No | Yes | Yes (Samsung KNOX Standard only) |
| Allow copy and paste | No | No | Windows Phone 8.1 only | No | Yes (Samsung KNOX Standard only) |
| Allow clipboard share between applications | No | No | No | No | Yes (Samsung KNOX Standard only) |
| Allow YouTube | No | No | No | No | Yes (Samsung KNOX Standard only) |

See also

Manage settings and features on your devices with Microsoft Intune policies
