Use groups to manage users and devices in Microsoft Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This topic describes how to create groups in Intune. It also provides information about how the management of groups is going to change over the coming months.

Important

If you open the Groups workspace in the Intune portal and see a link to the Azure Active Directory (Azure AD) portal, then you are using the new Azure AD security groups approach to group management in Intune, described in Migrating groups to Azure Active Directory. Click the link to the Azure AD portal to create and manage your groups.

Screenshot of the Azure group management link

If you do not see the link to the Azure AD portal, you are still using the current approach to group management, described in Create groups in this topic.

This topic describes how to create Intune groups in the Intune administration console.

You can create and manage groups in the Groups workspace in the Microsoft Intune admin console. The Groups Overview page shows status summaries that can help you identify and prioritize issues that require your attention. Status summaries cover these areas:

  • Alerts
  • Software updates
  • Endpoint Protection
  • Policy
  • Software management

Your group hierarchy also shows status summaries to help you identify and resolve problems for members of a selected group.

Create groups

Tip

When you create groups, consider how you will apply policies. For example, you might have policies that are specific to a device operating system, policies that are specific to different roles in your organization, or policies for organizational units that you have already defined in Active Directory. It might be useful to have separate device groups for iOS, Android, and Windows, as well as a user group for each organizational role.

You will probably also want to create a default policy that applies to all groups and devices, to establish the basic compliance requirements of your organization. Then, you can create more specific policies for the broadest categories of users and devices. For example, you might create email policies for each of the device operating systems.

Be careful when you name your policies so that you can easily identify them later. For example, a good descriptive policy name is WP Email Policy for Entire Company.

Each time you create a restrictive policy, you will want to communicate it to your users. After you create the more general groups and policies, pay attention to how you create smaller groups, so that you can reduce unnecessary communication.

To create a device group

  1. In the Intune admin console, choose Groups > Overview > Create Group.

  2. Enter a name and a description (optional) for the group, and then select a device group as the parent group. Choose Next.

  3. On the Define Membership Criteria page, select the type of devices to include in the group. You have additional group configuration options based on the types of devices you choose to include:

    • Computer. Select whether to include all members of the parent group; the organizational units you want to include or exclude; and the domains you want to include or exclude. You can get organizational unit and domain information for a computer from inventory.

    • Mobile. Select whether to include mobile devices that are managed by Intune, mobile devices that are managed by Exchange ActiveSync, or both.

    • All devices. This option includes all devices, with no exclusions based on any criteria.

  4. On the Define Direct Membership page, choose Browse to select individual devices to include or exclude. If you select devices that are not in the parent group that you specified, Intune automatically adds those devices to the parent group.

  5. On the Summary page, review your selections, and then choose Finish.

The newly created group is shown in the Groups list, in the Groups workspace, under the parent group. That is also where you can edit or delete the group.

To create a user group

  1. In the Intune admin console, choose Groups > Overview > Create Group.

  2. Enter a name and a description (optional) for the group, and then select a user group as the parent group. Choose Next.

  3. On the Define Membership Criteria page, choose whether to include all members of the parent group or to start with an empty group. Then, include or exclude members based on the security groups of users that you either configure manually in the Office 365 admin center or sync from Active Directory. If the membership of a security group changes, the membership of user groups based on that security group might also change.

    Important

    Currently, if your group includes members from specific security groups or manager groups and you exclude members from some groups, the members you initially included will be removed. To create a group that has both included members and excluded members, we recommend that you first create a parent group that has the included members. Then, create a child group for that parent group. In the new child group, list the excluded members. Then, use that child group to manage Intune policies, profiles, and app distribution.

    Note

    In the Azure portal, you can create groups based on the managers to whom users report. This type of group is dynamic, and it will change as employees are added to or removed from a manager's team in Azure Active Directory. How to create an Azure group based on manager name is described in Using attributes to create advanced rules, in the section To configure a group as a "Manager" group.

  4. On the Define Direct Membership page, choose Browse to select individual users to include or exclude. If you select users that are not in the parent group that you specified, those users are automatically added to the parent group. The option to manually add a user is at the bottom of the Select Members dialog box. This is helpful if you want to add a user who does not yet have an enrolled device.

  5. On the Summary page, review your selections, and then choose Finish.

The newly created group is shown in the Groups list, in the Groups workspace, under the parent group. That is also where you can edit or delete the group.

Tip

Security groups are a good resource to use when you populate user groups. Because security groups define who can access which resources, they can translate well to Intune user groups. Security groups that are synced from Active Directory to Azure Active Directory, or that you create directly in Azure Active Directory through the Office 365 admin center or the Azure portal, are available to you when you create user groups in Intune.

Filter admin views by role

In filtered group views, you can tailor what an IT admin can see based on the admin's role. You can also restrict which groups each IT admin can manage. This can be useful when:

  • You want your IT admins to be able to deploy items only to specific users and devices
  • You want your IT admins to see only the groups that are relevant to that admin

You can configure filtered group views for service admins in the Intune admin console. For details, see What to know before you start Microsoft Intune.

After you set up filtered group views for a service admin, when the admin deploys software or policies, or runs reports, the admin can view and select only the groups that you specified. The admin also does not see status information on these pages of the admin console:

  • System Overview
  • Groups Overview
  • Endpoint Protection Overview
  • Alerts Overview
  • Software Overview
  • Policy Overview

To create a filtered group view

  1. In the Intune admin console, choose Admin > Administrator Management > Service Administrators.

  2. Select the service admin for whom you want to create a filtered group view, and then choose Manage Groups.

  3. In the Select the groups that will be visible to this service administrator dialog box, add the groups that the service admin will be able to access, and then choose OK.

After you have set up the filtered group views, the IT admin will be able to view and select only the groups you have indicated.

Manage your groups

After you create your groups, you can continue to manage them according to the needs of your organization.

You can edit your group to change its name or description, or who belongs to the group.

You can delete a group that no longer serves the needs of your organization. Deleting a group does not delete the users that belong to that group.

Next steps

After you set up your groups and policies, review Intended Value and Status to check the practical implications of your design.

To check your design

  1. Select any device from a device group and browse through the categories of information at the top of the page.
  2. Choose Policy. You will see something like this screenshot of an Android device's policy settings.

Example of Android policy settings

Each policy has an Intended Value and a Status. The intended value is what you intended to achieve when you assigned the policy. The status is what you actually get when all of the policies that apply to the device, together with the restrictions and requirements of the hardware and operating system, are considered together. In this screenshot you can see two clear examples:

  • Allow simple passwords is set to Yes, as shown in the Intended Value column, but its Status is Not applicable. This is because simple passwords are not supported for Android devices.
  • Similarly, the expanded policy item Email settings for iOS devices is not applied to this device because it is an Android device.

Note

Remember that when two policies that have different levels of restriction apply to the same device or user, the more restrictive policy applies in practice.
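As an added illustration (not part of Microsoft's documentation), the following Python model combines several assigned policies the way the note above describes, the more restrictive value winning, and reports a setting's Status as Not applicable when the device platform does not support it. The platform support table, the policy names and the setting values are constructed assumptions for this example.

```python
from dataclasses import dataclass

NOT_APPLICABLE = "Not applicable"

# Constructed platform support table (an assumption for this example); the page
# states only that Android lacks simple passwords and ignores iOS email settings.
SUPPORTED = {
    "Android": {"Require password", "Minimum password length", "Allow camera"},
    "iOS": {"Require password", "Minimum password length", "Allow camera",
            "Allow simple passwords", "Email settings for iOS devices"},
}

@dataclass
class Policy:
    name: str
    settings: dict  # setting name -> intended value

def more_restrictive(setting, a, b):
    """Pick the more restrictive of two intended values for one setting."""
    if setting.startswith("Allow"):
        return a and b        # "No" beats "Yes"
    if setting.startswith("Require"):
        return a or b         # "Yes" beats "No"
    if setting.startswith("Minimum"):
        return max(a, b)      # the larger minimum wins
    return a                  # other settings: keep the first value (assumption)

def effective_settings(platform, policies):
    """Return {setting: (intended_value, status)} for one device of `platform`.
    intended_value combines all assigned policies, more restrictive wins;
    status equals it unless the platform lacks the setting (NOT_APPLICABLE)."""
    intended = {}
    for policy in policies:
        for setting, value in policy.settings.items():
            if setting in intended:
                value = more_restrictive(setting, intended[setting], value)
            intended[setting] = value
    supported = SUPPORTED.get(platform, set())
    return {s: (v, v if s in supported else NOT_APPLICABLE) for s, v in intended.items()}

# Constructed sample policies: a company-wide default plus an iOS email policy,
# both deployed to a group that also contains Android devices.
DEFAULT = Policy("Company default", {"Require password": True, "Minimum password length": 4,
                                     "Allow simple passwords": True, "Allow camera": True})
IOS_EMAIL = Policy("iOS email policy", {"Email settings for iOS devices": "corp-mail",
                                        "Minimum password length": 6, "Allow simple passwords": False})

if __name__ == "__main__":
    for setting, (intended, status) in sorted(effective_settings("Android", [DEFAULT, IOS_EMAIL]).items()):
        print(f"{setting:31} intended={intended!s:10} status={status}")
```

Running it for the Android device reproduces the two cases from the screenshot: Allow simple passwords and Email settings for iOS devices both show Not applicable, while the two minimum-length values collapse to the stricter 6.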