Apply features and settings on your devices using device profiles in Microsoft Intune

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to "configuration profiles". You can create profiles for different devices and different platforms, including iOS/iPadOS, Android device administrator, Android Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.

As part of your mobile device management (MDM) solution, use these configuration profiles to complete different tasks. Some profile examples include:

  • On Windows 10 devices, use a profile template that blocks ActiveX controls in Internet Explorer.
  • On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your organization.
  • Allow or prevent access to Bluetooth on the device.
  • Create a Wi-Fi or VPN profile that gives different devices access to your corporate network.
  • Manage software updates, including when they're installed.
  • Run an Android device as a dedicated kiosk device that can run one app, or run many apps.

This article gives an overview of the different types of profiles you can create. Use these profiles to allow or prevent some features on the devices.

Administrative templates

Administrative templates include hundreds of settings that you can configure for Internet Explorer, Microsoft Edge, OneDrive, remote desktop, Word, Excel, and other Office programs. These templates give administrators a simplified view of settings similar to group policy, but they're 100% cloud-based.

This feature supports:

  • Windows 10 and later

Certificates

Certificates configure trusted, SCEP, and PKCS certificates that are assigned to devices. These certificates authenticate WiFi, VPN, and email profiles.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 8.1
  • Windows 10 and later

Custom profile

Custom settings let administrators assign device settings that aren't built in to Intune. On Android devices, you can enter OMA-URI values. For iOS/iPadOS devices, you can import a configuration file you created in the Apple Configurator.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS

Delivery optimization

Delivery optimization provides a better experience for delivering software updates. These settings are replacing the Software Updates > Windows 10 update ring settings.

Use these settings to control how software updates are downloaded to devices in your organization. For example, you can let users get their own updates, or get updates using the delivery optimization cloud services in a device profile.

This feature supports:

  • Windows 10 and later

Derived credential

Derived credentials are certificates on smart cards that can authenticate, sign, and encrypt. In Intune, you can create profiles with these credentials to use in apps, email profiles, connecting to VPN, S/MIME, and Wi-Fi.

This feature supports:

  • Android Enterprise
  • iOS/iPadOS

Device features

Device features control features on iOS/iPadOS and macOS devices, such as AirPrint, notifications, and lock screen messages.

This feature supports:

  • iOS/iPadOS
  • macOS

Device firmware configuration interface

Device firmware configuration interface (DFCI) allows administrators to enable or disable UEFI (BIOS) settings using Intune. Use these settings to enhance security at the firmware level, which is typically more resilient to malicious attacks.

This feature supports:

  • Windows 10 1809 and later on supported firmware

Device restrictions

Device restrictions control security, hardware, data sharing, and more settings on the devices. For example, create a device restriction profile that prevents iOS/iPadOS device users from using the device camera.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 10 and later
  • Windows 10 Team

Domain join

Domain join configures on-premises Active Directory domain information. This information is deployed to hybrid Azure AD joined devices when provisioned using Windows Autopilot and Intune. This profile tells devices which domain and OU to join.

This feature supports:

  • Windows 10 and later

Edition upgrade and mode switch

Windows 10 edition upgrade automatically upgrades devices that run some versions of Windows 10 to a newer edition.

This feature supports:

  • Windows 10 and later

Education

Education settings - Windows 10 configures options for the Windows Take a Test app. When you configure these options, no other apps can run on the device until the test is complete.

Education settings - iOS/iPadOS uses the iOS/iPadOS Classroom app to guide learning, and control student devices in the classroom. You can configure iPad devices so many students can share a single device.

Email

Email settings create, assign, and monitor Exchange ActiveSync email settings on the devices. Email profiles help with consistency, reduce support calls, and let end users access company email on their personal devices, without any required setup on their part.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • Windows 10 and later

Endpoint protection

Endpoint protection configures BitLocker and Microsoft Defender settings for Windows 10 devices. It also configures the firewall, gateway, and other resources on macOS devices.

To onboard Microsoft Defender Advanced Threat Protection (WDATP) with Microsoft Intune, see Configure endpoints using Mobile Device Management (MDM) tools.

This feature supports:

  • macOS
  • Windows 10 and later

eSIM cellular - Public preview

eSIM cellular profiles let administrators configure cellular data plans on your managed devices for internet and data access. After getting activation codes from your mobile operator, use Intune to import these activation codes, and then assign them to your eSIM capable devices.

This feature supports:

  • Windows 10 Fall Creators Update and later

Extensions

macOS system extensions and kernel extensions allow administrators to add features or programs that extend the native capabilities of the operating system. Configure these settings to trust all extensions from a specific developer or partner, or allow specific extensions.

This feature supports:

  • macOS

Identity protection

Identity protection controls the Windows Hello for Business experience on Windows 10 devices. Configure these settings to make Windows Hello for Business available to users and devices, and to specify requirements for device PINs and gestures.

This feature supports:

  • Windows 10 and later
  • Windows Holographic for Business

Kiosk

A kiosk settings profile configures a device to run one app, or run many apps. You can also customize other features on your kiosk, including a start menu and a web browser.

This feature supports:

  • Windows 10 and later

Kiosk settings are also available as device restrictions for Android, Android Enterprise, and iOS/iPadOS.

MX profile (Zebra)

Mobility extensions (MX) expand on the built-in Intune settings to customize or add more settings specific to Zebra devices. Zebra devices are commonly used on factory floors and in retail environments. If you have hundreds or thousands of Zebra devices, you can use Intune to configure and manage these devices.

This feature supports:

  • Android device administrator

Microsoft Defender ATP

Microsoft Defender advanced threat protection (ATP) integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with conditional access, you can help prevent malicious activity in your organization.

This feature supports:

  • Windows 10 and later

OEMConfig

On Android Enterprise devices, OEMConfig is a standard that allows OEMs (original equipment manufacturers) and EMMs (enterprise mobility management) to build and support OEM-specific features in a standardized way. With OEMConfig, an OEM creates a schema that defines OEM-specific management features, and embeds it in an app uploaded to Google Play. Intune reads the schema from the app, and allows Intune administrators to configure the settings in the schema.

This feature supports:

  • Android Enterprise (OEMConfig)

PowerShell scripts

PowerShell scripts use the Intune Management Extension to upload your PowerShell scripts in Intune, and then run these scripts on your devices. Also see what's required to use the extension, how to add them to Intune, and other important information.

This feature supports:

  • Windows 10 and later
  • Windows Holographic for Business

Preference file

Preference files on macOS devices include information about apps. For example, you can use preference files to control web browser settings, customize apps, and more.

This feature supports:

  • macOS

Shared multi-user device

Windows 10 and Windows Holographic for Business include settings to manage devices with multiple users, also known as shared devices or shared PCs. When a user signs in to the device, you choose if the user can change the sleep options, or save files on the device. In another example, to save space, you can create a profile that deletes inactive credentials from Windows HoloLens devices.

These shared multi-user device settings allow an administrator to control some of the device features, and manage these shared devices using Intune.

This feature supports:

  • Windows 10 and later
  • Windows Holographic for Business

Update policies

iOS/iPadOS update policies show you how to create and assign iOS/iPadOS policies to install software updates on your iOS/iPadOS devices. You can also review the installation status.

For update policies on Windows devices, see Delivery optimization.

This feature supports:

  • iOS/iPadOS

VPN

VPN settings assign VPN profiles to users and devices in your organization, so they can easily and securely connect to the network.

Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN connection profile to start a connection with your VPN server.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 8.1
  • Windows 10 and later

Wi-Fi

Wi-Fi settings assign wireless network settings to users and devices. When you assign a Wi-Fi profile, users get access to your corporate Wi-Fi without having to configure it themselves.

This feature supports:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 8.1 (import only)
  • Windows 10 and later

Wired networks

Wired networks let you create and manage 802.1x wired connections for macOS desktop computers. In your profile, you choose the network interface, select the accepted EAP types, and enter the server trust settings, including PKCS and SCEP certificates.

When you assign the profile, macOS desktop users get access to your corporate wired network without having to configure it themselves.

This feature supports:

  • macOS

Zebra Mobility Extensions (MX)

Zebra Mobility Extensions (MX) allow administrators to use and manage Zebra devices in Intune. You create StageNow profiles with your settings, and then use Intune to assign and deploy these profiles to your Zebra devices. The StageNow logs and common issues is a great resource to troubleshoot profiles, and see some potential issues when using StageNow.

This feature supports:

  • Android device administrator (Mobility Extensions)

Manage and troubleshoot

Manage your profiles to check the status of devices, and the profiles assigned. Also help resolve conflicts by seeing the settings that cause a conflict, and the profiles that include these settings. Common issues and resolutions helps administrators work with profiles. It describes what happens when deleting a profile, what causes notifications to be sent to devices, and more.

Next steps

Choose your platform, and get started.