Plan your user and device groups

Applies to: Intune in the classic console

Groups in Intune give you great flexibility when you're managing your devices and users. You can set up groups to suit your organizational needs according to:

  • geographic location
  • department
  • hardware characteristics
  • operating system
  • whether the device is user-owned or company-owned

How Intune groups work

This is the default view of the Groups node in the Intune admin console:

Screenshot: default view of the Groups node in the Intune console

Policies are deployed to groups, so group hierarchy is one of your key design considerations. It's important to know that you cannot change a group's parent group after you've created the group. How you design your groups is therefore critically important from the moment you start using the Intune service. Some recommended practices for designing a group hierarchy based on your organizational needs are described here.

Group membership rules

  • A group can contain either users or devices, but not both.

    • Device groups. This includes computers and mobile devices. Before you can add a computer to a group, it must be enrolled. Before you can add a mobile device to a group, your environment must be configured to support mobile devices, and the device must be enrolled or discovered in Exchange ActiveSync.

    • User groups. A group can have users from security groups. Security groups sync with your instance of Active Directory. If you do not sync with Active Directory, you can manually create these groups.

  • A device or a user can belong to more than one group.

  • A group can include and exclude members based on the following membership rules:

    • Criteria membership. These are dynamic rules that Intune runs to include or exclude members. These criteria use security groups and other information synced with your local instance of Active Directory. When the security group or data changes, the group membership changes when you sync with Active Directory.

    • Direct membership. These are static rules that explicitly add or exclude members. The membership list is static.

  • Active Directory Domain Services (AD DS) is not required when you create user groups or device groups that include users or computers. But for device groups to include mobile devices, your environment must be configured to support mobile devices.

    Additionally, the devices must be discovered and added to Intune.

Group relationship rules

  • Each group you create must have a parent group. You cannot change a group's parent group after you've created the group.

  • When you add users or devices to a child group:

    • The child group is always a subset of the parent group.

    • New members you add to a child group are automatically added to that group's parent group.

    • You cannot add a member to a child group when that member is excluded from the parent group.

  • The membership of a parent group defines the available membership for the child group.

  • When you delete a parent group, all child groups are deleted.

  • You can deploy content and policies to a parent group but exclude the deployment to child groups.

  • You can add a specific user or device to a child group if the user or device is not already a member of the parent group. If you do this, the new member of the child group will be added to the parent group.

    However, you cannot add a member to a child group if the member is excluded from the parent group.

  • Group membership is recursive. For example:

    • Pat is a member of only one group, the Laptop Users security group.

    • The Laptop Users group is a member of the Approved Users security group.

    • You create a group in Intune that uses a dynamic membership query that includes the members of the Approved Users group. The result is that your Intune user group includes Pat.


When you create groups, think about how you will apply policy. For example, you might have policies that are specific to device operating systems, or policies that are specific to different roles or organizational units you've already defined in your Active Directory service. Some admins find it useful to create device groups that are specific to iOS, Android, and Windows. This is in addition to creating user groups for each organizational role.
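The membership and relationship rules above are easier to reason about when you can poke at them. The following in-memory model is an added example written for this page; it is not Microsoft's code, and Intune enforces these rules inside the service itself. It covers criteria (dynamic) versus direct membership, the fixed parent, the "child is a subset of its parent" and "add to child adds to parent" rules, the exclusion rule, cascading delete, the recursive security-group case (Pat, Laptop Users, Approved Users), and the licensing caveat from the geographic-regions section: an unlicensed user never appears in any group. All user, device and group names, and the licensed and enrolled sets, are constructed sample data.

```python
"""Model of the Intune (classic) group rules on this page. Added illustration,
not Microsoft code; all names and the licensed/enrolled sets are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


class GroupRuleError(Exception):
    """Raised when an operation violates one of the rules on this page."""


@dataclass
class SecurityGroup:
    """AD / Azure AD security group; members are users or other groups (nesting)."""
    name: str
    users: set[str] = field(default_factory=set)
    nested: set[str] = field(default_factory=set)   # names of member security groups


class Directory:
    """Synced security groups; membership resolves recursively through nesting."""

    def __init__(self) -> None:
        self.groups: dict[str, SecurityGroup] = {}

    def add(self, grp: SecurityGroup) -> None:
        self.groups[grp.name] = grp

    def members(self, name: str, seen: frozenset[str] = frozenset()) -> set[str]:
        if name in seen:                  # tolerate cyclic nesting instead of recursing forever
            return set()
        grp = self.groups[name]
        out = set(grp.users)
        for inner in grp.nested:          # a user in a nested group is a member of the outer one
            out |= self.members(inner, seen | {name})
        return out


class IntuneGroup:
    def __init__(self, name: str, kind: str, parent: IntuneGroup | None) -> None:
        self.name, self.kind, self._parent = name, kind, parent   # kind: "user" or "device"
        self.direct: set[str] = set()       # direct (static) membership
        self.excluded: set[str] = set()     # members explicitly excluded
        self.criteria: set[str] = set()     # security groups used as criteria (dynamic) membership
        self.children: list[IntuneGroup] = []

    @property
    def parent(self) -> IntuneGroup | None:   # no setter: the parent is fixed at creation
        return self._parent


class IntuneTenant:
    def __init__(self, directory: Directory, licensed_users: set[str], enrolled_devices: set[str]) -> None:
        self.directory = directory
        self.roots = {"user": licensed_users, "device": enrolled_devices}
        # Two of the nine built-in groups; built-ins cannot be edited or deleted.
        self.groups: dict[str, IntuneGroup] = {
            "All Users": IntuneGroup("All Users", "user", None),
            "All Devices": IntuneGroup("All Devices", "device", None),
        }

    def create(self, name: str, kind: str, parent_name: str, criteria=()) -> IntuneGroup:
        parent = self.groups[parent_name]           # every group you create needs a parent
        if parent.kind != kind:
            raise GroupRuleError(f"{name}: a group holds users or devices, never both")
        grp = IntuneGroup(name, kind, parent)
        grp.criteria = set(criteria)
        parent.children.append(grp)
        self.groups[name] = grp
        return grp

    def add_member(self, name: str, member: str) -> None:
        chain, node = [], self.groups[name]
        while node.parent is not None:              # walk up to, but not into, the built-in root
            if member in node.excluded:
                raise GroupRuleError(f"{member} is excluded from {node.name}")
            chain.append(node)
            node = node.parent
        for grp in chain:                           # a direct add to a child also adds to each ancestor
            grp.direct.add(member)

    def delete(self, name: str) -> None:
        grp = self.groups[name]
        if grp.parent is None:
            raise GroupRuleError("built-in groups cannot be deleted")
        for child in list(grp.children):            # deleting a parent deletes every child group
            self.delete(child.name)
        grp.parent.children.remove(grp)
        del self.groups[name]

    def members(self, name: str) -> set[str]:
        grp = self.groups[name]
        if grp.parent is None:                      # built-in root: every licensed user / enrolled device
            return set(self.roots[grp.kind])
        out = set(grp.direct)
        for sg in grp.criteria:
            out |= self.directory.members(sg)
        out -= grp.excluded
        return out & self.members(grp.parent.name)  # a child is always a subset of its parent


def build_sample_tenant() -> IntuneTenant:
    """Constructed sample: the page's Pat / Laptop Users / Approved Users case plus a regional group."""
    ad = Directory()
    ad.add(SecurityGroup("Laptop Users", users={"pat"}))
    ad.add(SecurityGroup("Approved Users", users={"sam", "lee"}, nested={"Laptop Users"}))
    ad.add(SecurityGroup("BYOD Staff", users={"pat", "sam", "kim", "lee"}))
    ad.add(SecurityGroup("US Users Group", users={"pat", "sam", "kim"}))
    tenant = IntuneTenant(ad, licensed_users={"pat", "sam", "lee"}, enrolled_devices={"LT-0001"})
    tenant.create("BYOD Users", "user", "All Users", criteria={"BYOD Staff"})
    tenant.create("US Users", "user", "BYOD Users", criteria={"US Users Group"})   # child of BYOD Users
    tenant.create("Approved", "user", "All Users", criteria={"Approved Users"})    # Pat arrives via nesting
    return tenant
```

Calling `build_sample_tenant()` and then `members("US Users")` returns only pat and sam: kim matches the criteria but has no license, so kim is missing from the built-in All Users root and therefore from every group beneath it. The same intersection is why a parent group with no membership of its own leaves all of its children empty, whatever criteria they carry.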

Built-in groups

Intune has nine built-in groups that you cannot edit or delete:

  • All Users
    • Ungrouped Users
  • All Devices
    • All Computers
    • All Mobile Devices
      • All Direct Managed Devices
      • All Exchange ActiveSync Managed Devices
    • All Corporate-owned Devices
    • Ungrouped Devices

Let your motto be: keep it simple. If your organization does not have specific needs like those described in the following sections, keep it simple and go with the default group structure and policies. This will make the service more manageable in the long term. Maintenance will be easier if you can treat your users uniformly. With little differentiation by group, you'll have fewer policies to maintain.

All users and devices in your organization

Define a parent group for all users and devices in your organization. You are likely to have policies that will apply to all of them. You can use the Intune default All Users and All Devices groups for this purpose. Sub-groups that organize devices by specifics, like a group for bring your own device (BYOD) and one for corporate-owned (CO) devices, can be child groups of the All Users and All Devices parent groups.

Customize groups for your organization

BYOD and corporate-owned devices

If your organization allows employees to use their own devices, provides company-owned devices, or has a combination of both, we recommend that you apply separate policies for these categories of devices.

In the case of BYOD or a mix, be careful to plan policies that do not infringe on local privacy regulations. Create a parent group for all users who will be bringing their own devices. You can use this group to apply policies that are applicable to all users in this category.

Screenshot: creating the BYOD parent group

Similarly, you can create a group for the CO device users in your organization:

Screenshot: sibling user groups for BYOD and CO devices

Groups for geographic regions

If your organization needs policies for specific regions, you can create groups based on geographic region. You can base them on regional groups that you might have already created in your instance of Active Directory, and sync them with your Azure Active Directory service. You also can create regional groups directly in Azure Active Directory.

The next screenshots show you how to create Intune groups based on groups synced with your on-premises Active Directory instance. These examples assume that you have an Active Directory security group called US Users Group.

First, provide general information.


Under Membership criteria, select US Users Group, synced with Active Directory, as the security group to use under membership rules.


Review your entries, and then choose Finish to create the group.


In our example, we've also created a group called MEA, for the Middle East and Asia.


If group membership is not populated based on security group membership, make sure that you have assigned Intune licenses to the group members.

Groups for specific hardware

If your organization requires policies that apply to specific hardware types, you can create groups based on this requirement. You can base the policies on specific groups that you have already created in your on-premises instance of Active Directory, and then sync them with Azure Active Directory. You also can create groups directly in Azure Active Directory. In this example, we use US Users Group as the parent group for the Laptop Users group.


At this point, your group hierarchy should look similar to the next screenshot. You can see that there are now members in the Intune group Laptop Users. Any policies applied to this group will be applied to BYOD laptop users from the U.S. region.


Groups for specific operating systems

If your organization requires policies that apply to specific operating systems like Android, iOS, or Windows, you can create groups based on this requirement. As in earlier examples, you can base them on OS-specific groups that you have already created in your on-premises instance of Active Directory, and sync them with Azure Active Directory. You also can create them directly in your instance of Azure Active Directory.

By using the same method from earlier examples, you can create groups based on users who use specific operating system platforms.


If you have users who use multiple mobile platforms or operating systems and you do not have an automated way to categorize users as Android users, iOS users, or Windows users, consider applying policies at the device level. This will give you more flexibility to apply policies that are specific to an operating system.

You cannot provision groups dynamically based on the operating system of the device. Instead, do this by using Active Directory or Azure Active Directory security groups.


After all of your user groups are populated based on your organizational requirements, your group hierarchy should look something like this:


You can use this hierarchy to apply the organization's policies.

Device groups

You also can create similar groups for devices, as shown here, starting with a broad group that includes all employee-owned devices for the BYOD scenario.


Make sure that you select All devices (computers and mobile) so that the group will include all BYO devices:


Review your entries, and then choose Finish to create the BYOD group.


Continue to create device groups until you have a device group hierarchy that is similar to the user group hierarchy. Your Groups node in the Intune console will look similar to this:

Screenshot: Intune group hierarchy view

Group hierarchies and naming conventions

To make policy management easier, we recommend that you name each policy according to the purpose, platform, and scope to which you apply it. Use a naming standard that follows the group structure that you created when you prepared to apply your policies.

For instance, for an Android policy that applies to all corporate, Android, mobile devices at the U.S. regional level, you might name the policy CO_US_Mob_Android_General.

Screenshot: creating a policy for Android

When you name your policies this way, you can quickly identify policies and their intended use and scope in the Policies node, like this:

Screenshot: Intune policy list
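A naming standard only pays off if every policy actually follows it, so it is worth building and checking names mechanically rather than by hand. The helper below is an added example, not part of this page or of Intune: it assumes the field order that the page's single example (CO_US_Mob_Android_General) uses, ownership, region, form factor, platform, purpose, and the allowed values for each field are assumptions that you would replace with your own vocabulary. Policy names that do not fit the convention are surfaced as errors instead of being silently accepted.

```python
"""Build, validate and filter policy names in the page's naming convention.
Added example, not Intune code; the field vocabulary below is an assumption."""
from __future__ import annotations

FIELDS = ("ownership", "region", "form_factor", "platform", "purpose")
ALLOWED = {                                   # assumed vocabulary; "purpose" is free text
    "ownership": {"CO", "BYOD"},              # corporate-owned / bring your own device
    "region": {"US", "MEA"},                  # regions used in the examples above
    "form_factor": {"Mob", "PC"},             # assumed: mobile devices or computers
    "platform": {"Android", "iOS", "Windows"},
}


def build_policy_name(ownership: str, region: str, form_factor: str, platform: str, purpose: str) -> str:
    """Return the conventional name, rejecting unknown values and underscores inside a field."""
    parts = dict(zip(FIELDS, (ownership, region, form_factor, platform, purpose)))
    for fld, value in parts.items():
        if not value or "_" in value:           # an underscore would shift every later field
            raise ValueError(f"{fld} must be one non-empty token without underscores")
        if fld in ALLOWED and value not in ALLOWED[fld]:
            raise ValueError(f"{fld}={value!r} is not an allowed value")
    return "_".join(parts[f] for f in FIELDS)


def parse_policy_name(name: str) -> dict[str, str]:
    """Split a name back into its fields; raises ValueError for names outside the convention."""
    tokens = name.split("_")
    if len(tokens) != len(FIELDS):
        raise ValueError(f"{name!r}: expected {len(FIELDS)} underscore-separated fields")
    parsed = dict(zip(FIELDS, tokens))
    for fld, allowed in ALLOWED.items():
        if parsed[fld] not in allowed:
            raise ValueError(f"{name!r}: {fld}={parsed[fld]!r} is not an allowed value")
    return parsed


def audit_policy_names(names: list[str]) -> list[str]:
    """Return the names that violate the convention, so they can be renamed."""
    bad = []
    for n in names:
        try:
            parse_policy_name(n)
        except ValueError:
            bad.append(n)
    return bad


def select_policies(names: list[str], **scope: str) -> list[str]:
    """Names whose fields match every keyword given, e.g. platform='Android', region='US'."""
    hits = []
    for n in names:
        try:
            fields = parse_policy_name(n)
        except ValueError:
            continue                            # non-conforming names never match a scope query
        if all(fields.get(k) == v for k, v in scope.items()):
            hits.append(n)
    return hits
```

Run `audit_policy_names` over the names exported from the Policies node before relying on `select_policies`: the scope filter deliberately ignores names it cannot parse, so a misnamed policy would otherwise drop out of every report.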

Create groups

