What's new in Microsoft Intune

Learn what’s new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases. Some features may roll out over several weeks and might not be available to all customers in the first week.

Note

For information on new functionality in hybrid mobile device management (MDM), check out the hybrid What’s New page.

Week of September 24, 2018

Microsoft 365 Device Management administration center

One of the promises of Microsoft 365 is simplified administration, and over the years we’ve integrated the back-end Microsoft 365 services to deliver end-to-end scenarios such as Intune and Azure AD conditional access. The new Microsoft 365 administration center is the place to consolidate, simplify, and integrate the admin experience. The specialist workspace for Device Management provides easy access to all of the device and app management information and tasks that your organization needs. We expect this to become the primary cloud workspace for enterprise end user computing teams.

Support for more third-party certification authorities (CA)

By using the Simple Certificate Enrollment Protocol (SCEP), you can now issue new certificates and renew certificates on mobile devices using Windows, iOS, Android, and macOS.

Week of September 17, 2018

App management

Remove duplication of app protection status tiles

The User status for iOS and the User status for Android tiles were present on both the Client Apps - Overview page and the Client Apps - App protection status page. The status tiles have been removed from the Client Apps - Overview page to avoid duplication.

Week of August 27, 2018

App management

Packet tunnel support for iOS per-app VPN profiles for custom and Pulse Secure connection types

When using iOS per-app VPN profiles, you can choose to use app-layer tunneling (app-proxy) or packet-level tunneling (packet-tunnel). These options are available with the following connection types:

  • Custom VPN
  • Pulse Secure

If you are not sure which value to use, consult your VPN provider's documentation.

Delay when iOS software updates are shown on the device

In Intune > Software Updates > Update policies for iOS, you can configure the days and times when you don't want devices to install any updates. In a future update, you'll be able to delay when a software update is visibly shown on the device, from 1-90 days. Configure iOS update policies in Microsoft Intune lists the current settings.

Office 365 ProPlus version

When assigning the Office 365 ProPlus apps to Windows 10 devices using Intune, you will be able to select the version of Office. In the Azure portal, select Microsoft Intune > Apps > Add App. Then, select Office 365 ProPlus Suite (Windows 10) from the Type dropdown list. Select App Suite Settings to display the associated blade. Set the Update Channel to a value, such as Monthly. Optionally, remove other versions of Office (msi) from end user devices by selecting Yes. Select Specific to install a specific version of Office for the selected channel on end user devices. At this point, you can select the Specific version of Office to use. The available versions will change over time. Therefore, when creating a new deployment, the versions available may be newer and not have certain older versions available. Current deployments will continue to deploy the older version, but the version list will be continually updated per channel. For more information, see Overview of update channels for Office 365 ProPlus.

Support for Register DNS setting for Windows 10 VPN

With this update, you can configure Windows 10 VPN profiles to dynamically register the IP addresses assigned to the VPN interface with the internal DNS, without needing to use custom profiles. For information about the current VPN profile settings available, see Windows 10 VPN settings.

The macOS Company Portal installer now includes the version number in the installer file name

iOS automatic app updates

Automatic app updates work for both device and user licensed apps for iOS Version 11.0 and above.

Device configuration

Windows Hello will target users and devices

When you create a Windows Hello for Business policy, it applies to all users within the organization (tenant-wide). With this update, the policy can also be applied to specific users or specific devices using a device configuration policy (Device Configuration > Profiles > Create profile > Identity Protection > Windows Hello for Business). In Intune in the Azure portal, the Windows Hello configuration and settings now exist in both Device enrollment and Device configuration. Device enrollment targets the entire organization (tenant-wide), and supports Windows AutoPilot (OOBE). Device configuration targets devices and users using a policy that's applied during check-in. This feature applies to:

  • Windows 10 and later
  • Windows Holographic for Business

Zscaler is an available connection for VPN profiles on iOS

When you create an iOS VPN device configuration profile (Device configuration > Profiles > Create profile > iOS platform > VPN profile type), there are several connection types, including Cisco, Citrix, and more. This update adds Zscaler as a connection type. VPN settings for devices running iOS lists the available connection types.

FIPS mode for Enterprise Wi-Fi profiles for Windows 10

You can now enable Federal Information Processing Standards (FIPS) mode for Enterprise Wi-Fi profiles for Windows 10 in the Intune Azure portal. Be sure FIPS mode is enabled on your Wi-Fi infrastructure if you enable it in your Wi-Fi profiles. Wi-Fi settings for Windows 10 and later devices in Intune shows you how to create a Wi-Fi profile.

Control S-mode on Windows 10 and later devices - public preview

With this feature update, you can create a device configuration profile that switches a Windows 10 device out of S-mode, or prevents users from switching the device out of S-mode. This feature is in Intune > Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch. Introducing Windows 10 in S mode provides more information on S mode. Applies to: the most recent Windows Insider build (while in preview).

Windows Defender ATP configuration package automatically added to configuration profile

When using Advanced Threat Protection and onboarding devices in Intune, you previously had to download a configuration package, and add it to your configuration profile. With this update, Intune automatically gets the package from Windows Defender Security Center, and adds it to your profile. Applies to Windows 10 and later.

Require users to connect during device setup

You can now set device profiles to require that the device connects to a network before proceeding past the Network page during Windows 10 setup. While this feature is in preview, a Windows Insider build 1809 or later is required to use this setting. Applies to: the most recent Windows Insider build (while in preview).

Restrict apps and block access to company resources on iOS and Android Enterprise devices

In Device compliance > Policies > Create policy > iOS > System Security, there is a new Restricted applications setting. This new setting uses a compliance policy to block access to company resources if certain apps are installed on the device. The device is considered non-compliant until the restricted apps are removed from the device. Applies to: iOS

Modern VPN support updates for iOS

This update adds support for the following iOS VPN clients:

  • F5 Access (version 3.0.1 and higher)
  • Citrix SSO
  • Palo Alto Networks GlobalProtect version 5.0 and higher

Also in this update:

  • Existing F5 Access connection type is renamed to F5 Access Legacy for iOS.
  • Existing Palo Alto Networks GlobalProtect connection type is renamed to Palo Alto Networks GlobalProtect (legacy) for iOS.

Existing profiles with these connection types continue to work with their respective legacy VPN client. If you're using Cisco Legacy AnyConnect, F5 Access Legacy, Citrix VPN, or Palo Alto Networks GlobalProtect version 4.1 and earlier with iOS, you should move to the new apps. Do this as soon as possible to ensure that VPN access is available for iOS devices as they update to iOS 12. For more information about iOS 12 and VPN profiles, see the Microsoft Intune Support Team Blog.

Export Azure classic portal compliance policies to recreate these policies in the Intune Azure portal

Compliance policies created in the Azure classic portal will be deprecated. You can review and delete any existing compliance policies; however, you can't update them. If you need to migrate any compliance policies to the current Intune Azure portal, you can export the policies as a comma-separated file (.csv file). Then, use the details in the file to recreate these policies in the Intune Azure portal.

Important

When the Azure classic portal retires, you will no longer be able to access or view your compliance policies. Therefore, be sure to export your policies and recreate them in the Azure portal before the Azure classic portal retires.

Better Mobile - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Better Mobile, a Mobile Threat Defense solution that integrates with Microsoft Intune.

Device enrollment

Lock the Company Portal in single app mode until user sign-in

You now have the option to run the Company Portal in Single App mode if you authenticate a user through the Company Portal instead of Setup Assistant during DEP enrollment. This option locks the device immediately after Setup Assistant completes so that a user must sign in to access the device. This process makes sure that the device completes onboarding and is not orphaned in a state without any user tied to it.

Assign a user and friendly name to an Autopilot device

You can now assign a user to a single Autopilot device. Admins will also be able to give friendly names to greet the user when setting up their device with Autopilot. Applies to: the most recent Windows Insider build (while in preview).

Use VPP device licenses to pre-provision the Company Portal during DEP enrollment

You can now use Volume Purchase Program (VPP) device licenses to pre-provision the Company Portal during Device Enrollment Program (DEP) enrollments. To do so, when you create or edit an enrollment profile, specify the VPP token that you want to use to install the Company Portal. Make sure that your token doesn't expire and that you have enough licenses for the Company Portal app. In cases where the token expires or runs out of licenses, Intune will push the App Store Company Portal instead (this will prompt for an Apple ID).

Confirmation required to delete VPP token that is being used for Company Portal pre-provisioning

A confirmation is now required to delete a Volume Purchase Program (VPP) token if it is being used to pre-provision the Company Portal during DEP enrollment.

Block Windows personal device enrollments

You can block Windows personal devices from enrolling with mobile device management in Intune. Devices enrolled with Intune PC agent can't be blocked with this feature. This feature is rolling out over the next couple of weeks, so you might not see it immediately in the user interface.

Specify machine name patterns in an Autopilot profile

You can specify a computer name template to generate and set the computer name during Autopilot enrollment. Applies to: the most recent Windows Insider build (while in preview).

For Windows Autopilot profiles, hide the change account options on the company sign-in page and domain error page

There are new Windows Autopilot profile options for admins to hide the change account options on the company sign-in and domain error pages. Hiding these options requires Company Branding to be configured in Azure Active Directory. Applies to: the most recent Windows Insider build (while in preview).

Device management

Delete Jamf devices

You can delete JAMF-managed devices by going to Devices > choose the Jamf device > Delete.

Change terminology to "retire" and "wipe"

To be consistent with the Graph API, the Intune user interface and documentation have changed the following terms:

  • "Remove company data" will be changed to "retire"
  • "Factory reset" will be changed to "wipe"

Confirmation dialog if admin tries to delete MDM Push Certificate

If anyone tries to delete an Apple MDM Push certificate, a confirmation dialog box displays the number of related iOS and macOS devices. If the certificate is deleted, these devices will need to be re-enrolled.

Additional security settings for Windows installer

You can allow users to control app installs. If enabled, installations that may otherwise be stopped due to a security violation would be permitted to continue. You can direct the Windows installer to use elevated permissions when it installs any program on a system. Additionally, you can enable Windows Information Protection (WIP) items to be indexed and the metadata about them stored in an unencrypted location. When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. The functionality for these options is disabled by default.

New user experience update for the Company Portal website

We’ve added new features, based on feedback from customers, to the Company Portal website. You'll experience a significant improvement in existing functionality and usability from your devices. Areas of the site–such as device details, feedback and support, and device overview–have received a new, modern, responsive design. You'll also see:

  • Streamlined workflows across all device platforms
  • Improved device identification and enrollment flows
  • More helpful error messages
  • Friendlier language, less tech jargon
  • Ability to share direct links to apps
  • Improved performance for large app catalogs
  • Increased accessibility for all users

The Intune Company Portal website documentation has been updated to reflect these changes. To view an example of the app enhancements, see UI updates for Intune end-user apps.

Monitor and troubleshoot

Enhanced jailbreak detection in compliance reporting

The enhanced jailbreak detection setting state now appears in all compliance reporting in the admin console.

Role-based access control

Scope tags for policies

You can create scope tags to limit access to Intune resources. Add a scope tag to a role assignment and then add the scope tag to a configuration profile. The role will only have access to resources with configuration profiles that have matching scope tags (or no scope tag).

Week of August 14, 2018

macOS support for Apple Device Enrollment Program

Intune now supports enrolling macOS devices into the Apple Device Enrollment Program (DEP). For more information, see Automatically enroll macOS devices with Apple's Device Enrollment Program.

Week of July 23, 2018

App management

Line-of-business (LOB) app support for macOS

Microsoft Intune allows macOS LOB apps to be deployed as Required or Available with enrollment. End users can get apps deployed as Available using the Company Portal for macOS or the Company Portal website.

iOS built-in app support for kiosk mode

In addition to Store Apps and Managed Apps, you can now select a Built-In App (such as Safari) that runs in kiosk mode on an iOS device.

Edit your Office 365 Pro Plus app deployments

As the Microsoft Intune admin, you have greater ability to edit your Office 365 Pro Plus app deployments. Additionally, you no longer have to delete your deployments to change any of the suite’s properties. In the Azure portal, select Microsoft Intune > Client apps > Apps. From the list of apps, select your Office 365 Pro Plus Suite.

Updated Intune App SDK for Android is now available

An updated version of the Intune App SDK for Android is available to support the Android P release. If you are an app developer and use the Intune SDK for Android, you must install the updated version of the Intune app SDK to ensure that Intune functionality within your Android apps continues to work as expected on Android P devices. This version of the Intune App SDK provides a built-in plugin that performs the SDK updates. You do not need to rewrite any existing code that’s integrated. For details, see Intune SDK for Android. If you are using the old badging style for Intune, we recommend that you use the briefcase icon. For branding details, see this GitHub repository.

Device configuration

Use S/MIME to encrypt and sign a user's multiple devices

This update includes S/MIME email encryption using a new imported certificate profile (Device configuration > Profiles > Create profile > select the platform > PKCS imported certificate profile type). In Intune, you can import certificates in PFX format. Intune can then deliver those same certificates to multiple devices enrolled by a single user. This also includes:

  • The native iOS email profile supports enabling S/MIME encryption using imported certificates in PFX format.
  • The native mail app on Windows Phone 10 devices automatically uses the S/MIME certificate.
  • The private certificates can be delivered across multiple platforms. However, not all email apps support S/MIME.
  • On other platforms, you may need to manually configure the mail app to enable S/MIME.
  • Email apps that support S/MIME encryption may handle retrieving certificates for S/MIME email encryption in a way that an MDM cannot support, such as reading from their publisher's certificate store.

Supported on: Windows, Windows Phone 10, macOS, iOS, Android

Create device compliance policy using Firewall settings on macOS devices

When you create a new macOS compliance policy (Device compliance > Policies > Create policy > Platform: macOS > System security), there are some new Firewall settings available:

  • Firewall: Configure how incoming connections are handled in your environment.
  • Incoming connections: Block all incoming connections except those required for basic internet services, such as DHCP, Bonjour, and IPSec. This setting also blocks all sharing services.
  • Stealth Mode: Enable stealth mode to prevent the device from responding to probing requests. The device continues to answer incoming requests for authorized apps.

Applies to: macOS 10.12 and later

New Wi-Fi device configuration profile for Windows 10 and later

Currently, you can import and export Wi-Fi profiles using XML files. With this update, you can create a Wi-Fi device configuration profile directly in Intune, just like some other platforms.

To create the profile, open Device configuration > Profiles > Create Profile > Windows 10 and later > Wi-Fi.

Applies to Windows 10 and later.

Kiosk - obsolete is grayed out, and can't be changed

The Kiosk feature (Device configuration > Profiles > Create profile > Windows 10 and later > Device restrictions) is obsolete, and replaced with Kiosk settings for Windows 10 and later. With this update, the Kiosk - Obsolete feature is grayed out, and the user interface can't be changed or updated.

To enable kiosk mode, see Kiosk settings for Windows 10 and later.

Applies to Windows 10 and later, Windows Holographic for Business

APIs to use 3rd party certification authorities

In this update, there is a Java API that enables third-party certificate authorities to integrate with Intune and SCEP. Then, users can add the SCEP certificate to a profile, and apply it to devices using MDM.

Currently, Intune supports SCEP requests using Active Directory Certificate Services.

Toggle to show or not show the End Session button on a Kiosk browser

You can now configure whether or not Kiosk browsers show the End Session button. You can see the control at Device configuration > Kiosk (preview) > Kiosk Web Browser. If turned on, when a user clicks the button, the app prompts for confirmation to end the session. When confirmed, the browser clears all browsing data and navigates back to the default URL.

Create an eSIM cellular configuration profile

In Device configuration, you can create an eSIM cellular profile. You can import a file that contains cellular activation codes provided by your mobile operator. You can then deploy these profiles to your eSIM LTE enabled Windows 10 devices, such as the Surface Pro LTE and other eSIM capable devices.

Check to see if your devices support eSIM profiles.

Applies to Windows 10 and later.

Device enrollment

Automatically mark Android devices enrolled by using Samsung Knox Mobile Enrollment as "corporate"

By default, Android devices enrolled using Samsung Knox Mobile Enrollment are now marked as corporate under Device Ownership. You don't need to manually identify corporate devices using IMEI or serial numbers prior to enrolling using Knox Mobile Enrollment.

Device management

Bulk delete devices on devices blade

You can now delete multiple devices at a time on the Devices blade. Choose Devices > All devices > select the devices you want to delete > Delete. For devices that can't be deleted, an alert will be displayed.

Week of July 16, 2018

More opportunities to sync in the Company portal app for Windows

The Company Portal app for Windows now lets you initiate a sync directly from the Windows taskbar and Start menu. This feature is especially useful if your only task is to sync devices and get access to corporate resources. To access the new feature, right-click the Company portal icon that's pinned to your taskbar or Start menu. In the menu options (also referred to as a jump list), select Sync this device. The Company Portal will open to the Settings page and initiate your sync. For a look at the new functionality, see What's new in the UI.

New browsing experiences in the Company portal app for Windows

Now when browsing or searching for apps in the Company Portal app for Windows, you can toggle between the existing Tiles view and the newly added Details view. The new view lists application details such as name, publisher, publication date and installation status.

The Apps page's Installed view lets you see details about completed and in-progress app installations. To see what the new view looks like, see What's new in the UI.

Improved Company Portal app experience for device enrollment managers

When a device enrollment manager (DEM) signs in to the Company Portal app for Windows, the app will now only list the DEM's current, running device. This improvement will reduce timeouts that previously occurred when the app tried to show all DEM-enrolled devices.

Week of July 9, 2018

App management

Block app access based on unapproved device vendors and models

The Intune IT admin can enforce a specified list of Android manufacturers and/or iOS models through Intune App Protection Policies. The IT admin can provide a semicolon-separated list of manufacturers for Android policies and device models for iOS policies. Intune App Protection Policies are for Android and iOS only. There are two separate actions that can be performed on this specified list:

  • A block from app access on devices that are not specified.
  • Or, a selective wipe of corporate data on devices that are not specified.

The user will be unable to access the targeted application if the policy's requirements are not met. Based on settings, the user may either be blocked, or selectively wiped of their corporate data within the app. On iOS devices, this feature requires participating applications (such as WXP, Outlook, Managed Browser, and Yammer) to integrate the Intune APP SDK before it can be enforced with the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. On Android, this feature requires the latest Company Portal.

On end-user devices, the Intune client will take action based on a simple matching of the strings specified in the Intune blade for Application Protection Policies. This depends entirely on the value that the device reports. As such, the IT administrator is encouraged to ensure that the intended behavior is accurate. This can be accomplished by testing this setting based on a variety of device manufacturers and models targeted to a small user group. In Microsoft Intune, select Client apps > App protection policies to view and add app protection policies. For more information about app protection policies, see What are app protection policies and Selectively wipe data using app protection policy access actions in Intune.
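An offline version of the pilot check recommended above, as an added example (not code from Microsoft or the Intune client). It assumes exact string comparison as the strictest reading of "simple matching", because the page does not say how case or whitespace are treated; the inventory format, sample values and function names are constructed for illustration.

```python
"""Pilot check for an app protection policy manufacturer/model list (added example).

Assumption: matching is treated as exact string equality, the strictest reading
of "simple matching". Values that match only after case or whitespace
normalization are flagged so they can be tested on a small user group first.
"""
from collections import Counter

# Constructed sample data: the policy value as an admin might type it, and the
# manufacturer strings that a pilot group's devices might report.
SAMPLE_POLICY_VALUE = "Samsung; Google;Huawei;"
SAMPLE_INVENTORY = [
    {"device": "pilot-01", "manufacturer": "Samsung"},
    {"device": "pilot-02", "manufacturer": "samsung"},
    {"device": "pilot-03", "manufacturer": "Google"},
    {"device": "pilot-04", "manufacturer": "HUAWEI"},
    {"device": "pilot-05", "manufacturer": "HUAWEI"},
    {"device": "pilot-06", "manufacturer": "Xiaomi"},
]


def parse_allow_list(raw):
    """Split the semicolon-separated policy value, keeping entries as typed."""
    # Stray spaces are preserved on purpose: they are part of the compared string.
    return [entry for entry in raw.split(";") if entry.strip()]


def normalize(value):
    """Collapse whitespace and fold case, to detect values that almost match."""
    return " ".join(value.split()).casefold()


def classify(reported, allow_list):
    """Return 'exact', 'near-miss' or 'unlisted' for one device-reported value."""
    if reported in allow_list:
        return "exact"
    if normalize(reported) in {normalize(entry) for entry in allow_list}:
        # Would match only if the client ignores case/whitespace: verify on a pilot.
        return "near-miss"
    return "unlisted"


def audit(inventory, raw_allow_list):
    """Count reported values per outcome so the blast radius is visible up front."""
    allow_list = parse_allow_list(raw_allow_list)
    report = {"exact": Counter(), "near-miss": Counter(), "unlisted": Counter()}
    for device in inventory:
        value = device["manufacturer"]
        report[classify(value, allow_list)][value] += 1
    return report


def unused_entries(inventory, raw_allow_list):
    """Allow-list entries no device reports verbatim (typos, stray spaces, stale names)."""
    reported = {device["manufacturer"] for device in inventory}
    return [entry for entry in parse_allow_list(raw_allow_list) if entry not in reported]


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, SAMPLE_POLICY_VALUE)
    for outcome, counts in result.items():
        for value, count in sorted(counts.items()):
            print(f"{outcome:10} {value!r:12} devices={count}")
    for entry in unused_entries(SAMPLE_INVENTORY, SAMPLE_POLICY_VALUE):
        print(f"entry {entry!r} matches no reported value verbatim")
```

Every device in the near-miss or unlisted rows would be subject to the configured block or selective wipe if the client compares strings exactly, so those rows are the ones to confirm with the small user group before widening the assignment.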

Access to macOS Company Portal pre-release build

Using Microsoft AutoUpdate, you can sign up to receive builds early by joining the Insider program. Signing up will enable you to use the updated Company Portal before it’s available to your end users. For more information, see the Microsoft Intune blog.

Week of July 2, 2018

App management

Monitor iOS app configuration status per device

As the Microsoft Intune admin, you can monitor iOS app configuration status for each managed device. From Microsoft Intune in the Azure portal, select Devices > All devices. From the list of managed devices, select a specific device to display a blade for the device. On the device blade, select App configuration.

Access actions for app protection policies

You can configure app protection policies to explicitly wipe, block, or warn non-compliant devices. The wipe action removes your company’s corporate data from a device. If a wipe occurs, the device's user is notified of both the reason for the wipe and remediation steps. For some settings, like minimum OS version, you will be able to apply multiple actions, such as block and wipe. Note that these actions are triggered when the app is launched.

Selective wipe of organization's app data

Administrators can now configure a selective wipe of the organization's data as a new action when the conditions of Application Protection Policies (APP) Access settings are not met. This feature helps administrators automatically protect and remove sensitive organization data from applications based on pre-configured criteria.

Revoking an iOS app purchased through VPP

As the Microsoft Intune admin, you can revoke all the licenses for a selected iOS app purchased through the volume-purchase program (VPP). You can notify users when a user-licensed app is no longer assigned to them. Revoking an app license will not uninstall the related VPP app from the device. To uninstall a VPP app, you must change the assignment action to Uninstall. The reclaimed license count will be reflected in the Licensed Apps node in the App workload of Intune. For more information related to iOS VPP apps, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

Updates to out-of-compliance messages in Company Portal app

We revised the messages that device users see when a device is out-of-compliance. Messages retain their original meanings but have been updated with friendlier language and less technical jargon. We also refreshed links to documentation and remediation steps to keep them up-to-date. The following before and after text is one example of the improvements in messaging you'll see:

  • Before: This device hasn’t contacted the Intune service in the specified time period required by your IT admin. To resolve this issue, please open the company portal app on your device and click on the Check Compliance button.
  • After: Your device has not checked in with your organization in a while. To reestablish a connection, open the Company Portal app on your device and tap Check Settings for your device.

Revoke iOS VPP app license

As the admin, you can reclaim an iOS VPP app license assigned to a user or device. Uninstalling an iOS VPP app will also allow you to reclaim the app license. Before uninstalling the app, the user or the device needs to be removed from the group to which the app is targeted. Removing the user or the device from the group avoids a reinstall of the app. Once these steps are complete, you can choose to assign the app license to another user or device. For more information about iOS VPP app licenses, see Manage iOS volume-purchased apps in Microsoft Intune.

Device configuration

Select device categories by using the Access Work or School settings

If you've enabled device group mapping, users on Windows 10 will now be prompted to select a device category after enrolling through the Connect button in Settings > Accounts > Access work or school.

Use sAMAccountName as the account username for email profiles

You can use the on-premises sAMAccountName as the account username for email profiles for Android, iOS, and Windows 10. You can also get the domain from the domain or ntdomain attribute in Azure Active Directory (Azure AD). Or, enter a custom static domain.

To use this feature, you must sync the sAMAccountName attribute from your on-premises Active Directory environment to Azure AD.

Applies to Android, iOS, Windows 10 and later

See device configuration profiles in conflict

In Device Configuration, a list of the existing profiles is shown. With this update, a new column is added that provides details on profiles that have a conflict. You can select a conflicting row to see the setting and profile that has the conflict.

For more information, see Manage configuration profiles.

New status for devices in device compliance

In Device compliance > Policies > select a policy > Overview, the following new states are added:

  • succeeded
  • error
  • conflict
  • pending
  • not-applicable

An image that shows the device count of a different platform is also shown. For example, if you're looking at an iOS profile, the new tile shows the count of non-iOS devices that are also assigned to this profile. See Device compliance policies.

Device compliance supports 3rd party anti-virus solutions

When you create a device compliance policy (Device compliance > Policies > Create policy > Platform: Windows 10 and later > Settings > System Security), there are new Device Security options:

  • Antivirus: When set to Require, you can check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Windows Defender.
  • AntiSpyware: When set to Require, you can check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Windows Defender.

Applies to: Windows 10 and later

Device enrollment

Devices without profiles column in the list of enrollment program tokens

In the enrollment program tokens list, there is a new column showing the number of devices without a profile assigned. This helps admins assign profiles to these devices before handing them out to users. To see the new column, go to Device enrollment > Apple enrollment > Enrollment program tokens.

Device management

Google name changes for Android for Work and Play for Work

Intune has updated "Android for Work" terminology to reflect Google branding changes. The terms "Android for Work" and "Play for Work" are no longer used. Different terminology is used depending on the context:

  • "Android enterprise" refers to the overall modern Android management stack.
  • "Work profile" or "Profile Owner" refers to BYOD devices managed with work profiles.
  • "Managed Google Play" refers to the Google app store.

Rules for removing devices

New rules are available that let you automatically remove devices that haven't checked in for a number of days that you set. To see the new rules, go to the Intune pane, select Devices, and select Device cleanup rules.

Corporate-owned, single use support for Android devices

Intune now supports highly-managed, locked-down, kiosk-style Android devices. This allows admins to further lock down the usage of a device to a single app or small set of apps, and prevents users from enabling other apps or performing other actions on the device. To set up Android kiosk, go to Intune > Device enrollment > Android enrollment > Kiosk and task device enrollments. For more information, see Set up enrollment of Android enterprise kiosk devices.

Per-row review of duplicate corporate device identifiers uploaded

When uploading corporate IDs, Intune now provides a list of any duplicates and gives you the option to replace or keep the existing information. The report will appear if there are duplicates after you choose Device enrollment > Corporate Device Identifiers > Add Identifiers.

Manually add corporate device identifiers

You can now manually add corporate device IDs. Choose Device enrollment > Corporate Device Identifiers > Add.

Week of June 25, 2018

Pradeo - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Pradeo, a Mobile Threat Defense solution that integrates with Microsoft Intune.

Week of June 18, 2018

Edge mobile support for Intune app protection policies

The Microsoft Edge browser for mobile devices now supports app protection policies defined in Intune.

Week of June 11, 2018

Use FIPS mode with the NDES Certificate connector

When the NDES Certificate connector was installed on a computer with Federal Information Processing Standard (FIPS) mode enabled, issuing and revoking certificates didn't work as expected. With this update, support for FIPS is included with the NDES Certificate connector.

This update also includes:

  • The NDES Certificate connector requires .NET 4.5 Framework, which is automatically included with Windows Server 2016 and Windows Server 2012 R2. Previously, .NET 3.5 Framework was the minimum required version.
  • TLS 1.2 support is included with the NDES Certificate connector. So if the server with NDES Certificate connector installed supports TLS 1.2, then TLS 1.2 is used. If the server doesn't support TLS 1.2, then TLS 1.1 is used. Currently, TLS 1.1 is used for authentication between the devices and server.

For more information, see Configure and use SCEP certificates and Configure and use PKCS certificates.

Week of June 4, 2018

App management

Retrieve the associated app user model ID (AUMID) for Microsoft Store for Business apps in kiosk mode

Intune can now retrieve the app user model IDs (AUMIDs) for Microsoft Store for Business (WSfB) apps to provide improved configuration of the kiosk profile.

For more information about Microsoft Store for Business apps, see Manage apps from Microsoft Store for Business.

New Company Portal branding page

The Company Portal branding page has a new layout, messages, and tooltips.

Device configuration

Support for Palo Alto Networks GlobalProtect VPN profiles

With this update, you can choose Palo Alto Networks GlobalProtect as a VPN connection type for VPN profiles in Intune (Device configuration > Profiles > Create profile > Profile type > VPN). In this release, the following platforms are supported:

  • iOS
  • Windows 10

Additions to Local Device Security Options settings

You can now configure additional Local Device Security Options settings for Windows 10 devices. Additional settings are available in the areas of Microsoft Network Client, Microsoft Network Server, Network access and security, and Interactive logon. Find these settings in the Endpoint Protection category when you create a Windows 10 device configuration policy.

Enable kiosk mode on Windows 10 devices

On Windows 10 devices, you can create a configuration profile and enable kiosk mode (Device Configuration > Profiles > Create profile > Windows 10 > Device Restrictions > Kiosk). In this update, the Kiosk (preview) setting is renamed to Kiosk (obsolete). Kiosk (obsolete) is no longer recommended for use, but will continue to function until the July update. Kiosk (obsolete) is replaced by the new Kiosk profile type (Create profile > Windows 10 > Kiosk (preview)), which will contain the settings to configure Kiosks on Windows 10 RS4 and later.

Applies to Windows 10 and later.

Device profile graphical user chart is back

While improving the numeric counts shown on the device profile graphical chart (Device configuration > Profiles > select an existing profile > Overview), the graphical user chart was temporarily removed.

With this update, the graphical user chart is back, and shown in the Azure portal.

Device enrollment

Support for Windows Autopilot enrollment without user authentication

Intune now supports Windows Autopilot enrollment without user authentication. This is a new option in the Windows Autopilot deployment profile: "Autopilot Deployment mode" set to "Self-Deploying". The device must be running Windows 10 Insider Preview Build 17672 or later and possess a TPM 2.0 chip to successfully complete this type of enrollment. Since no user authentication is required, you should only assign this option to devices that you have physical control over.

New language/region setting when configuring OOBE for Autopilot

A new configuration setting is available to set the language and region for Autopilot profiles during the Out of Box Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.

New setting for configuring device keyboard

A new setting will be available to configure the keyboard for Autopilot profiles during the Out of Box Experience. To see the new setting, choose Device enrollment > Windows enrollment > Deployment profiles > Create profile > Deployment mode = Self-deploying > Defaults configured.

Autopilot profiles moving to group targeting

AutoPilot deployment profiles can be assigned to Azure AD groups containing AutoPilot devices.

Device management

Set compliance by device location

In some situations, you may want to restrict access to corporate resources to a specific location, defined by a network connection. You can now create a compliance policy (Device compliance > Locations) based on the IP address of the device. If the device moves outside the IP range, then the device cannot access corporate resources.

Applies to: Android devices 6.0 and higher, with the updated Company Portal app

Prevent consumer apps and experiences on Windows 10 Enterprise RS4 Autopilot devices

You will be able to prevent the installation of consumer apps and experiences on your Windows 10 Enterprise RS4 AutoPilot devices. To see this feature, go to Intune > Device configuration > Profiles > Create profile > Platform = Windows 10 or later > Profile type = Device restrictions > Configure > Windows Spotlight > Consumer features.

Uninstall the latest from Windows 10 software updates

Should you discover a breaking issue on your Windows 10 machines, you can choose to uninstall (rollback) the latest feature update or the latest quality update. Uninstalling a feature or quality update is only available for the servicing channel the device is on. Uninstalling will trigger a policy to restore the previous update on your Windows 10 machines. For feature updates specifically, you can limit the time from 2-60 days that an uninstall of the latest version can be applied. To set software update uninstall options, select Software updates from the Microsoft Intune blade within the Azure portal. Then, select Windows 10 Update Rings from the Software updates blade. You can then choose the Uninstall option from the Overview section.

Search all devices for IMEI and serial number

You can now search for IMEI and serial numbers on the All devices blade (email, UPN, device name, and management name are still available). In Intune, choose Devices > All devices > enter your search in the search box.

Management name field will be editable

You can now edit the management name field on a device’s Properties blade. To edit this field, choose Devices > All devices > choose the device > Properties. You can use the management name field to uniquely identify a device.

New All devices filter: Device category

You can now filter the All devices list by device category. To do so, choose Devices > All devices > Filter > Device category.

Use TeamViewer to screen share iOS and macOS devices

Administrators can now connect to TeamViewer, and start a screen sharing session with iOS and macOS devices. iPhone, iPad, and macOS users can share their screens live with any other desktop or mobile device.

Multiple Exchange Connector support

You're no longer limited to one Microsoft Intune Exchange Connector per tenant. Intune now supports multiple Exchange Connectors so that you can set up Intune conditional access with multiple on-premises Exchange organizations.

With an Intune on-premises Exchange connector, you can manage device access to your on-premises Exchange mailboxes based on whether a device is enrolled in Intune and complies with Intune device compliance policies. To set up a connector, you download the Intune on-premises Exchange connector from the Azure portal and install it on a server in your Exchange organization. On the Microsoft Intune dashboard, choose On-premises access, and then under Setup, choose Exchange ActiveSync connector. Download the Exchange on-premises connector and install it on a server in your Exchange organization. Now that you're no longer limited to one Exchange connector per tenant, if you have additional Exchange organizations, you can follow this same process to download and install a connector for each additional Exchange organization.

New device hardware detail: CCID

The Chip Card Interface Device (CCID) information is now included for each device. To see it, choose Devices > All devices > choose a device > Hardware > check under Network details.

Assign all users and all devices as scope groups

You can now assign all users, all devices, and all users and all devices in scope groups. To do this, choose Intune roles > All roles > Policy and profile manager > Assignments > choose an assignment > Scope (groups).

UDID information now included for iOS and macOS devices

To see the Unique Device Identifier (UDID) for iOS and macOS devices, go to Devices > All devices > choose a device > Hardware. UDID is only available for corporate devices (as set under Devices > All devices > choose a device > Properties > Device ownership).

Intune apps

Improved troubleshooting for app installation

On Microsoft Intune MDM-managed devices, sometimes app installations can fail. When these app installs fail, it can be challenging to understand the failure reason or troubleshoot the issue. We're shipping a Public Preview of our App Troubleshooting features. You will notice a new node under each individual device called Managed Apps. This lists the apps that have been delivered via Intune MDM. Inside the node, you'll see a list of app install states. If you select an individual app, you'll see the troubleshooting view for that specific app. In the troubleshooting view, you'll see the end-to-end lifecycle of the app, such as when the app was created, modified, targeted, and delivered to a device. Additionally, if the app install was not successful, you'll be presented with the error code and a helpful message about the cause of the error.

Intune app protection policies and Microsoft Edge

The Microsoft Edge browser for mobile devices (iOS and Android) now supports Microsoft Intune app protection policies. Users of iOS and Android devices who sign in with their corporate Azure AD accounts in the Edge application will be protected by Intune. On iOS devices, the Require managed browser for web content policy will allow users to open links in Edge when it is managed.

Week of May 14, 2018

App management

Require installation of policies, apps, certificate and network profiles

Admins can block end users from accessing the Windows 10 RS4 desktop until Intune installs policies, apps, and certificate and network profiles during the provisioning of AutoPilot devices. For more info, see Set up an enrollment status page.

Configuring your app protection policies

In the Azure portal, instead of going to the Intune App Protection service blade, you now just go to Intune. There is now only one location for app protection policies within Intune. Note that all of your app protection policies are on the Mobile app blade in Intune under App protection policies. This integration helps to simplify your cloud management administration. Remember, all app protection policies are already in Intune and you can modify any of your previously configured policies. Intune App Policy Protection (APP) and Conditional Access (CA) policies are now under Conditional access, which can be found under the Manage section in the Microsoft Intune blade or under the Security section in the Azure Active Directory blade. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of May 7, 2018

App management

Samsung Knox mobile enrollment support

When using Intune with Samsung Knox Mobile Enrollment (KME), you can enroll large numbers of company-owned Android devices. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their devices for the first time. When using the Knox Deployment App, devices can be enrolled using Bluetooth or NFC. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.

在 Windows 10 公司门户上请求帮助Requesting help in the Company Portal for Windows 10

当用户启动获取问题的帮助的工作流时,Windows 10 公司门户现在将直接向 Microsoft 发送应用日志。The Company Portal for Windows 10 will now send app logs directly to Microsoft when the user initiates the workflow to get help with an issue. 这样一来,可以更为轻松地排除和解决向 Microsoft 提出的问题。This will make it easier to troubleshoot and resolve issues that are raised to Microsoft.

Week of April 23, 2018

App management

Passcode support for MAM PIN on Android

Intune admins can set an application launch requirement to enforce a passcode instead of a numeric MAM PIN. If configured, the user is required to set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN with at least one special character or upper/lowercase alphabet. Intune supports passcodes in a similar way to the existing numeric PIN: you can set a minimum length and allow repeat characters and sequences through the admin console. This feature requires the latest version of Company Portal on Android. This feature is already available for iOS.

Line-of-business (LOB) app support for macOS

Microsoft Intune will provide the capability to install macOS LOB apps from the Azure portal. You will be able to add a macOS LOB app to Intune after it has been pre-processed by the tool available in GitHub. In the Azure portal, choose Client apps from the Intune blade. On the Client apps blade, choose Apps > Add. On the Add App blade, select Line-of-business app.

Built-in All Users and All Devices Group for Android for Work (AFW) app assignment

You can leverage the built-in All Users and All Devices groups for AFW app assignment. For more information, see Include and exclude app assignments in Microsoft Intune.

Intune will reinstall required apps that are uninstalled by users

If an end user uninstalls a required app, Intune automatically reinstalls the app within 24 hours rather than waiting for the 7-day re-evaluation cycle.

Device configuration

Device profile chart and status list show all devices in a group

When you configure a device profile (Device configuration > Profiles), you choose the device profile, such as iOS. You assign this profile to a group that includes iOS devices and non-iOS devices. The graphical chart count shows that the profile is applied to the iOS and the non-iOS devices (Device configuration > Profiles > select an existing profile > Overview). When you select the graphical chart in the Overview tab, the Device status lists all the devices in the group, instead of only the iOS devices.

With this update, the graphical chart (Device configuration > Profiles > select an existing profile > Overview) only shows the count for the specific device profile. For example, if the configuration device profile applies to iOS devices, the chart only lists the count of the iOS devices. Selecting the graphical chart and opening the Device status lists only the iOS devices.

While this update is being made, the graphical user chart is temporarily removed.

Always On VPN for Windows 10

Currently, Always On can be used on Windows 10 devices by using a custom virtual private network (VPN) profile created using OMA-URI.

With this update, admins can enable Always On for Windows 10 VPN profiles directly in Intune in the Azure portal. Always On VPN profiles will automatically connect when:

  • Users sign into their devices
  • The network on the device changes
  • The screen on the device turns back on after being turned off

New printer settings for education profiles

For education profiles, new settings are available under the Printers category: Printers, Default printer, Add new printers.

Show caller ID in personal profile - Android for Work

When using a personal profile on a device, end users may not see the caller ID details from a work contact.

With this update, there is a new setting in Android for Work > Device restrictions > Work profile settings:

  • Display work contact caller-id in personal profile

When enabled (not configured), the work contact caller details are displayed in the personal profile. When blocked, the work contact caller number is not displayed in the personal profile.

Applies to: Android work profile devices on Android OS v6.0 and newer

New Windows Defender Credential Guard settings added to endpoint protection settings

With this update, Windows Defender Credential Guard (Device configuration > Profiles > Endpoint protection) includes the following settings:

  • Windows Defender Credential Guard: Turns on Credential Guard with virtualization-based security. Enabling this feature helps protect credentials at the next reboot when Platform Security Level with Secure Boot and Virtualization Based Security are both enabled. Options include:
    • Disabled: If Credential Guard was previously turned on with the "Enabled without lock" option, then it turns off Credential Guard remotely.

    • Enabled with UEFI lock: Ensures that Credential Guard cannot be disabled using a registry key or using Group Policy. To disable Credential Guard after using this setting, you must set the Group Policy to "Disabled". Then, remove the security functionality from each computer, with a physically present user. These steps clear the configuration persisted in UEFI. As long as the UEFI configuration persists, Credential Guard is enabled.

    • Enabled without lock: Allows Credential Guard to be disabled remotely using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).

The following dependent technologies are automatically enabled when configuring Credential Guard:

  • Enable Virtualization-based Security (VBS): Turns on virtualization-based security (VBS) at next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services, and requires Secure Boot.
  • Secure Boot with Direct Memory Access (DMA): Turns on VBS with Secure Boot and direct memory access. DMA protection requires hardware support, and is only enabled on properly configured devices.
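
To confirm on a managed Windows 10 device that the Credential Guard option chosen above actually took effect, the following added example (not Microsoft's or Intune's own code) compares the configured option with the running state. It is read-only and assumes the documented LsaCfgFlags registry value and Win32_DeviceGuard WMI class are present; Get-RegistryValue and Get-CredentialGuardReport are hypothetical helper names.

```powershell
# Added example: read-only Credential Guard / VBS status report for the local device.
# Helper names are hypothetical; they are not Intune or Windows cmdlets.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-CredentialGuardReport {
    # Configured option: LsaCfgFlags mirrors the three choices in the profile.
    $lsaLabels = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }
    $lsaFlag = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
    if ($null -eq $lsaFlag) {
        $configured = 'Not configured'
    } elseif ($lsaLabels.ContainsKey([int]$lsaFlag)) {
        $configured = $lsaLabels[[int]$lsaFlag]
    } else {
        $configured = "Unknown value $lsaFlag"
    }

    # Running state as reported by the hypervisor-backed services.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $vbsLabels  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $propLabels = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

    $vbsStatus = 'Win32_DeviceGuard unavailable'
    $running   = $false
    $required  = ''
    if ($dg) {
        $vbsStatus = $vbsLabels[[int]$dg.VirtualizationBasedSecurityStatus]
        # Service ID 1 in SecurityServicesRunning is Credential Guard.
        $running   = [bool]($dg.SecurityServicesRunning -contains 1)
        $required  = ($dg.RequiredSecurityProperties | ForEach-Object {
            if ($propLabels.ContainsKey([int]$_)) { $propLabels[[int]$_] } else { "Property $_" }
        }) -join ', '
    }

    # Enabled in policy but not running usually means the reboot has not
    # happened yet or Secure Boot / VBS prerequisites are not met.
    $enabledInPolicy = $configured -like 'Enabled*'

    [pscustomobject]@{
        ConfiguredOption         = $configured
        VbsStatus                = $vbsStatus
        CredentialGuardRunning   = $running
        RequiredPlatformFeatures = $required
        NeedsAttention           = ($enabledInPolicy -and -not $running)
    }
}

Get-CredentialGuardReport | Format-List
```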

Use a custom subject name on SCEP certificate

You can use OnPremisesSamAccountName as the common name in a custom subject on a SCEP certificate profile. For example, you can use CN={OnPremisesSamAccountName}.

Block camera and screen captures on Android for Work

Two new properties are available to block when you configure device restrictions for Android devices:

  • Camera: Blocks access to all cameras on the device
  • Screen capture: Blocks the screen capture, and also prevents the content from being shown on display devices that don't have a secure video output

Applies to Android for Work.

Device enrollment

New enrollment steps for users on devices with macOS High Sierra 10.13.2+

macOS High Sierra 10.13.2 introduced the concept of "User Approved" MDM enrollment. Approved enrollments allow Intune to manage some security-sensitive settings. For more information, see Apple's support documentation here: https://support.apple.com/HT208019.

Devices enrolled using the macOS Company Portal are considered "Not User Approved" unless the end user opens System Preferences and manually provides approval. To this end, the macOS Company Portal now directs users on macOS 10.13.2 and above to go and manually approve their enrollment at the end of the enrollment process. The Intune admin console will report on whether an enrolled device is user approved.

Device management

Advanced Threat Protection (ATP) and Intune are fully integrated

Advanced Threat Protection (ATP) shows the risk level of Windows 10 devices. In Windows Defender Security Center (ATP portal), you can create a connection to Microsoft Intune. Once created, an Intune compliance policy is used to determine an acceptable threat level. If the threat level is exceeded, an Azure Active Directory (AD) conditional access policy can then block access to different apps within your organization.

This feature allows ATP to scan files, detect threats, and report any risk on your Windows 10 devices.

See Enable ATP with conditional access in Intune.

Support for user-less devices

Intune supports the ability to evaluate compliance on a user-less device, such as the Microsoft Surface Hub. Compliance policy can target specific devices. So compliance (and noncompliance) can be determined for devices that don't have an associated user.

Delete Autopilot devices

Intune admins can delete Autopilot devices.

Improved device deletion experience

You're no longer required to remove company data or factory reset a device before deleting a device from Intune.

To see the new experience, sign in to Intune and select Devices > All devices > the name of the device > Delete.

If you still want the wipe/retire confirmation, you can use the standard device lifecycle route by issuing a Remove company data and Factory Reset prior to Delete.

Play sounds on iOS when in Lost mode

When supervised iOS devices are in Mobile Device Management (MDM) Lost mode, you can play a sound (Devices > All devices > select an iOS device > Overview > More). The sound continues to play until the device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.

Block or allow web results in searches made on an Intune device

Admins can now block web results from searches made on a device.

Improved error messaging for Apple MDM Push Certificate upload failure

The error message explains that the same Apple ID must be used when renewing an existing MDM certificate.

Test the Company Portal for macOS on virtual machines

We've published guidance to help IT admins test the Company Portal app for macOS on virtual machines in Parallels Desktop and VMware Fusion. Find out more in Enroll virtual macOS machines for testing.

User interface

Improved device tiles in the Windows 10 Company Portal

The tiles have been updated to be more accessible to low-vision users and to perform better for screen reading tools.

Send diagnostic reports in Company Portal app for macOS

The Company Portal app for macOS devices was updated to improve how users report Intune-related errors. From the Company Portal app, your employees can:

  • Upload diagnostic reports directly to the Microsoft developer team.
  • Email an incident ID to your company's IT support team.

For more information, see Send errors for macOS.

Intune adapts to Fluent Design System in the Company Portal app for Windows 10

The Intune Company Portal app for Windows 10 has been updated with the Fluent Design System's navigation view. Along the side of the app, you'll notice a static, vertical list of all top-level pages. Click any link to quickly view and switch between pages. This is the first of several updates you'll see as part of our ongoing effort to create a more adaptive, empathetic, and familiar experience in Intune. To see the updated look, go to What's new in the app UI.

Week of April 16, 2018

Use Cisco AnyConnect client for iOS

When you create a new VPN profile for iOS, there are now two options: Cisco AnyConnect and Cisco Legacy AnyConnect. Cisco AnyConnect profiles support 4.0.7x and newer versions. Existing iOS Cisco AnyConnect VPN profiles are labeled Cisco Legacy AnyConnect, and continue to work with Cisco AnyConnect 4.0.5x and older versions, as they do today.

Note

This change only applies to iOS. There continues to be only one Cisco AnyConnect option for Android, Android for Work, and macOS platforms.

Jamf-enrolled macOS devices can now register with Intune

Versions 1.3 and 1.4 of the macOS company portal did not successfully register Jamf devices with Intune. Version 1.4.2 of the macOS portal fixes this issue.

Week of April 9, 2018

Updated help experience in Company Portal app for Android

We've updated the help experience in the Company Portal app for Android to align with best practices for the Android platform. Now when users encounter a problem in the app, they can tap Menu > Help and:

  • Upload diagnostic logs to Microsoft.
  • Send an email that describes the problem and incident ID to a company support person.

To check out the updated help experience, go to Send logs using email and Send errors to Microsoft.

New enrollment failure trend chart and failure reasons table

On the Enrollment Overview page, you can view the trend of enrollment failures and the top five causes of failures. By clicking on the chart or table, you can drill into details to find troubleshooting advice and remediation suggestions.

Update where to configure your app protection policies

In the Azure portal within the Microsoft Intune service, we’re going to temporarily redirect you from the Intune App Protection service blade to the Mobile app blade. Note that all of your app protection policies are already on the Mobile app blade in Intune under app configuration. Instead of going to Intune App Protection, you’ll just go to Intune. In April 2018, we will stop the redirection and fully remove the Intune App Protection service blade, so that there's only one location for app protection policies within Intune.

How does this affect me? This change will affect both Intune standalone customers and hybrid (Intune with Configuration Manager) customers. This integration will help simplify your cloud management administration.

What do I need to do to prepare for this change? Please tag Intune as a favorite instead of the Intune App Protection service blade and ensure you’re familiar with the App protection policy workflow in the Mobile app blade within Intune. We’ll redirect for a short period of time and then remove the App Protection blade. Remember, all app protection policies are already in Intune and you can modify any of your conditional access policies. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of April 2, 2018

Intune apps

User experience update for the Company Portal app for iOS

We've released a major user experience update to the Company Portal app for iOS. The update features a complete visual redesign that includes a modernized look and feel. We've maintained the functionality of the app, but increased its usability and accessibility.

You'll also see:

  • Support for iPhone X.
  • Faster app launch and loading responses, to save users time.
  • Additional progress bars to provide users with the most up-to-date status information.
  • Improvements to the way users upload logs, so if something goes wrong, it's easier to report.

To see the updated look, go to What's new in the app UI.

Protect on-premises Exchange data using Intune APP and CA

You can now use Intune App Policy Protection (APP) and Conditional Access (CA) to protect access to on-premises Exchange data with Outlook Mobile. To add or modify an app protection policy within the Azure portal, select Microsoft Intune > Client apps > App protection policies. Before using this feature, make sure you meet the Outlook for iOS and Android requirements.

Notices

Plan for Change: Intune will move to support macOS 10.12 and higher in December

Apple has just released macOS 10.14. Subsequently, Intune will move to support macOS 10.12 and higher in December 2018.

How does this affect me?

Starting in December, end users on devices with macOS 10.11 and prior won’t be able to use the Company Portal to enroll into Intune. They will need to upgrade their device to macOS 10.12 or higher and upgrade the Company Portal app to the latest version to continue to receive support and new features.

macOS versions 10.12 and higher are currently supported on:

  • MacBook (late 2009 or newer).
  • iMac (late 2009 or newer).
  • MacBook Air (late 2010 or newer).
  • MacBook Pro (late 2010 or newer).
  • Mac Mini (late 2010 or newer).
  • Mac Pro (late 2010 or newer).

After December, end users who have devices other than the ones listed above will not be able to access the latest version of the Company Portal app for macOS. Existing enrolled devices running unsupported versions below macOS 10.12 will continue to be managed and listed in the Intune Admin Console.

What do I need to do to prepare for this change?

Request your end users to upgrade their devices to a supported OS version before December 2018.

  • Check your Intune reporting in the Intune on Azure console to see what devices or users may be affected. Go to Devices > All devices and filter by OS. You can add in additional columns to help identify who in your organization has devices running macOS 10.11.
  • If you are using hybrid mobile device management (MDM), go to Assets and Compliance > Devices in the Configuration Manager console, right-click the columns to add the Operating System and Client Version columns, and sort by OS. Note that hybrid MDM is now deprecated, and you should move to Intune on Azure as soon as possible.

Additional Information: https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp

Plan for Change: New Intune support experience for Premier customers

As a Microsoft Premier customer, you can currently use the Microsoft Premier Online (MPO) portal (premier.microsoft.com) and Intune on Azure (portal.azure.com) to create support requests for Intune. Starting on December 3, 2018, to continue enhancing the Premier support experience, you will be able to create support requests only in Intune on Azure.

How does this affect me?

After December 3, you will not be able to create support requests in MPO. When you try to do this, you’ll see a prompt that you will not be able to dismiss, to be redirected to Intune on Azure. Here, you can create a support request which will be routed to Intune-dedicated Microsoft Support, to diagnose and resolve your issue in a timely manner. Support requests created in the MPO portal cannot be viewed in the Azure portal, so you should stop creating support requests in MPO.

If you use hybrid mobile device management (hybrid MDM) or use co-management, you can continue to use MPO to create support requests for ConfigMgr but use the Azure portal to create support requests for Intune. As a reminder, hybrid MDM is deprecated, and you should plan to move to Intune on Azure as soon as possible. For more information, see Move from Hybrid Mobile Device Management to Intune on Azure.

Note that only users with Global Administrator, Intune Service Administrator and Service Support Administrator roles can create support tickets in the Azure portal.

What can I do to prepare for this change?

  • Stop using MPO and use Intune on Azure to create and manage all your Intune support requests.
  • Notify your helpdesk and update documentation if necessary.
  • If you have users without Global administrator or Intune Service Administrator roles currently creating support requests in MPO, assign them the Service Support Administrator role in Azure Active Directory, so they can continue to create support tickets in the Azure portal.
  • Click on Additional Information for more information and helpful links.

Additional Information

https://aka.ms/IntuneSupport_MPO_to_Azure

Take action: Please update your Android device restriction or compliance policy password settings in Intune

Intune will be removing the available password type “device default” for Android 4.4 and higher devices. Due to differences in Android platforms and device defaults, that policy is often treated as optional by the device. To clear up confusion on when this setting is enforced on Android, we’ll remove this setting from the UI in an upcoming release.

How does this affect me?

  • If your intent is to require a password on the devices, we recommend that, instead of using “device default”, you edit your Android platform profile(s) to clearly articulate the required password type.
  • If your intent is to let your end user decide whether to create a password, select the “Not configured” button. When we remove this setting from the UI, if the setting is still set, you will be prompted to choose a value other than “Device default” on your next edit of the profile.

What do I need to do to prepare for this change?

Review the password settings in your Android and Android enterprise device restriction and compliance policies. These are listed under System security for Compliance policies and under either Device password or Work profile settings for Device restrictions. Additional information has a link to more details and screenshots for where these settings are configured.

Additional information

https://aka.ms/PasswordSettings

Plan for Change: Change Password at Next Auth added to Intune

In the September service release, Intune plans to integrate Apple’s newly released Change Password at Next Auth setting for devices running macOS versions 10.13 and newer. Before this setting, MDM providers couldn't verify that the device passcode was changed to be compliant. Intune’s configuration and compliance policies only validate that the next time a device password is changed, it's marked as compliant. When this new Apple feature is added, your macOS users will receive a request to update their password, even if their password is compliant.

How does this affect me?

This impacts environments with a macOS device policy using Intune or a hybrid MDM. Now that Apple has this Change Password at Next Auth setting, Intune can force users to update their password when a password policy is pushed. If you block company resources until the device is marked compliant, then your end users may be blocked from accessing company resources, such as email or SharePoint sites, until they reset their password. In the future, all updates to configuration and compliance password policies force targeted users to update their passwords.

What do I need to do to prepare for this change?

Let your helpdesk know. If you don't want to enforce this macOS device policy, we recommend you un-assign or delete your existing macOS policy. Customer research suggests most customers aren't affected by this change. Most end users update their password after receiving a request to enroll with a password, or reset their password to remain compliant.

更改计划:Intune 将移动到 TLS 1.2Plan for Change: Intune moving to TLS 1.2

从 2018 年 10 月 31 日 开始,Intune 将支持可提供同类最佳加密的传输层安全性 (TLS) 协议版本 1.2,以确保我们的服务在默认情况下更加安全,并与 Microsoft Office 365 等其他 Microsoft 服务保持一致。Starting on October 31, 2018, Intune will support Transport Layer Security (TLS) protocol version 1.2 to provide best-in-class encryption, to ensure our service is more secure by default, and to align with other Microsoft services such as Microsoft Office 365. Office 已在 MC128929 中传达了此更改。Office communicated this change in MC128929.

公司门户也将于 2018 年 10 月 31 日支持 TLS 1.2。The Company Portal will also move to support TLS 1.2 on October 31, 2018.

这对我有何影响?How does this affect me?

从 2018 年 10 月 31 日开始,Intune 将不再支持 TLS 协议版本 1.0 或 1.1。As of October 31, 2018, Intune will no longer support TLS protocol versions 1.0 or 1.1. 所有客户端-服务器和浏览器-服务器组合应使用 TLS 版本 1.2,以确保顺利连接到 Intune。All client-server and browser-server combinations should use TLS version 1.2 to ensure connection without issues to Intune. 请注意,此更改将影响不再受 Intune 支持但仍可通过 Intune 接收策略以及不能使用 TLS 版本 1.2 的最终用户设备。Note that this change will impact end-user devices that are no longer supported by Intune but are still receiving policy through Intune, and that cannot use TLS version 1.2. 其中包括运行 Android 4.3 及更低版本的设备。This includes devices such as those running Android 4.3 and earlier. 有关受影响设备和浏览器的列表,请参阅下面的“其他信息”。For a list of affected devices and browsers, see Additional Information below.

After October 31, 2018, if you experience an issue related to the use of an old TLS version, you will be required to update to TLS 1.2 or to a device that supports TLS 1.2 as part of the resolution.

What do I need to do to prepare for this change?

We recommend that you proactively remove TLS 1.0 and 1.1 dependencies in your environments and disable TLS 1.0 and 1.1 at the operating system level where possible. Begin planning your migration to TLS 1.2 today. Check the support blog post below for the list of devices that are not supported by Intune today but might still be receiving policy, and that will not be able to communicate using TLS version 1.2. You might need to notify those end users that they'll lose access to corporate resources.

Additional Information: Intune moving to TLS 1.2 for encryption

Plan for Change: Use Intune on Azure now for your MDM management

Over a year ago, we announced public preview of Intune on Azure and followed up six months ago with general availability of the new admin experience for Intune. Starting on August 31, 2018, we will turn off mobile device management (MDM) in the classic Silverlight console for those customers using Intune standalone. Instead, you can use Intune on Azure for your MDM needs. If you're still using the classic console for MDM, please stop and familiarize yourself with Intune on Azure. We do not expect any end user impact with this change. Classic PC management will remain in Silverlight. You can learn more about this change and how it affects you here.

What's coming

Apple to require updates for Application Transport Security

Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS Company Portal apps. We'll keep our Intune support blog updated with details.

See also