Android Enterprise device settings to allow or restrict features using Intune

This article lists and describes the different settings you can control on Android Enterprise devices. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, run apps on dedicated devices, control security, and more.

Before you begin

Create an Android Enterprise device restrictions profile:

  • Fully managed, dedicated, and corporate-owned work profile
  • Work profile

Fully Managed, Dedicated, and Corporate-Owned Work Profile

These settings apply to Android Enterprise enrollment types where Intune controls the entire device, such as Android Enterprise fully managed, dedicated, and corporate-owned work profile devices.

Some settings are not supported by all enrollment types. To see which settings are supported by which enrollment types, see the user interface. Each setting is under a heading that indicates the enrollment types that can use the setting.

See the Android Enterprise Users and Accounts setting headings, and the enrollment types they apply to, in Microsoft Intune and Endpoint Manager.

Some settings only apply at the work profile level for corporate-owned devices with a work profile. For fully managed and dedicated devices, these settings apply device-wide. These settings are marked with (work profile-level) text in the user interface.


General

  • Screen capture: Block prevents screenshots or screen captures on the device. It also prevents the content from being shown on display devices that don't have a secure video output. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might let users capture the screen contents as an image.

  • Camera: Block prevents access to the camera on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access to the camera.

    Intune only manages access to the device camera. It doesn't have access to pictures or videos.

  • Default permission policy: This setting defines the default permission policy for requests for runtime permissions. Your options:

    • Device default: Use the device's default setting.
    • Prompt: Users are prompted to approve the permission.
    • Auto grant: Permissions are automatically granted.
    • Auto deny: Permissions are automatically denied.
  • Date and Time changes: Block prevents users from manually setting the date and time. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to set the date and time on the device.

  • Volume changes: Block prevents users from changing the device's volume, and also mutes the main volume. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the volume settings on the device.

  • Factory reset: Block prevents users from using the factory reset option in the device's settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use this setting on the device.

  • Safe boot: Block prevents users from rebooting the device into safe mode. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to reboot the device in safe mode.

  • Status bar: Block prevents access to the status bar, including notifications and quick settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users access to the status bar.

  • Roaming data services: Block prevents data roaming over the cellular network. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow data roaming when the device is on a cellular network.

  • Wi-Fi setting changes: Block prevents users from changing Wi-Fi settings created by the device owner. Users can create their own Wi-Fi configurations. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the device.

  • Wi-Fi access point configuration: Block prevents users from creating or changing any Wi-Fi configurations. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the Wi-Fi settings on the device.

  • Bluetooth configuration: Block prevents users from configuring Bluetooth on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using Bluetooth on the device.

  • Tethering and access to hotspots: Block prevents tethering and access to portable hotspots. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow tethering and access to portable hotspots.

  • USB storage: Choose Allow to access USB storage on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent access to USB storage.

  • USB file transfer: Block prevents transferring files over USB. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow transferring files.

  • External media: Block prevents using or connecting any external media on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow external media on the device.

  • Beam data using NFC: Block prevents using the Near Field Communication (NFC) technology to beam data from apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using NFC to share data between devices.

  • Debugging features: Choose Allow to let users use debugging features on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from using the debugging features on the device.

  • Microphone adjustment: Block prevents users from unmuting the microphone and adjusting the microphone volume. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use and adjust the volume of the microphone on the device.

  • Factory reset protection emails: Choose Google account email addresses. Enter the email addresses of device administrators that can unlock the device after it's wiped. Be sure to separate the email addresses with a semicolon, such as admin1@gmail.com;admin2@gmail.com. If an email isn't entered, anyone can unlock the device after it's restored to the factory settings. These emails only apply when a non-user factory reset is run, such as running a factory reset using the recovery menu.

    When set to Not configured (default), Intune doesn't change or update this setting.

  • Network escape hatch: Enable allows users to turn on the network escape hatch feature. If a network connection isn't made when the device boots, then the escape hatch asks to temporarily connect to a network and refresh the device policy. After applying the policy, the temporary network is forgotten and the device continues booting. This feature connects devices to a network if:

    • There isn't a suitable network in the last policy.
    • The device boots into an app in lock task mode.
    • Users are unable to reach the device settings.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on the network escape hatch feature on the device.

  • System update: Choose an option to define how the device handles over-the-air updates. Your options:

    • Device Default: Use the device's default setting.
    • Automatic: Updates are automatically installed without user interaction. Setting this policy immediately installs any pending updates.
    • Postponed: Updates are postponed for 30 days. At the end of the 30 days, Android prompts users to install the update. It's possible for device manufacturers or carriers to prevent (exempt) important security updates from being postponed. An exempted update shows a system notification to users on the device.
    • Maintenance window: Installs updates automatically during a daily maintenance window that you set in Intune. Installation tries daily for 30 days, and can fail if there's insufficient space or battery levels. After 30 days, Android prompts users to install. This window is also used to install updates for Play apps. Use this option for dedicated devices, such as kiosks, as single-app dedicated device foreground apps can be updated.
  • Notification windows: When set to Disable, window notifications, including toasts, incoming calls, outgoing calls, system alerts, and system errors aren't shown on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show notifications.

  • Skip first use hints: Enable hides or skips suggestions from apps that step through tutorials, or hints when the app starts. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show these suggestions when the app starts.

System security

  • Threat scan on apps: Require (default) enables Google Play Protect to scan apps before and after they're installed. If it detects a threat, it may warn users to remove the app from the device. When set to Not configured, Intune doesn't change or update this setting. By default, the OS might not enable or run Google Play Protect to scan apps.

Device experience

Use these settings to configure a kiosk-style experience on your dedicated devices, or to customize the home screen experiences on your fully managed devices. You can configure devices to run one app, or run many apps. When a device is set with kiosk mode, only the apps you add are available.

Enrollment profile type: Select an enrollment profile type to start configuring Microsoft Launcher or the Microsoft Managed Home Screen on your devices. Your options:

  • Not configured: Intune doesn't change or update this setting. By default, users might see the device's default home screen experience.

  • Dedicated device: Configure a kiosk-style experience on your dedicated devices. Before you configure these settings, be sure to add and assign the apps you want on the devices.

    • Kiosk mode: Choose if the device runs one app or runs multiple apps. Your options:

      • Not configured: Intune doesn't change or update this setting.

      • Single app: Users can only access a single app on the device. When the device starts, only the specific app starts. Users are restricted from opening new apps or from changing the running app.

        • Select an app to use for kiosk mode: Select the managed Google Play app from the list.

        Important

        When using single-app kiosk mode, dialer/phone apps may not work properly.

      • Multi-app: Users can access a limited set of apps on the device. When the device starts, only the apps you add start. You can also add some web links that users can open. When the policy is applied, users see icons for the allowed apps on the home screen.

        Important

        For multi-app dedicated devices, the Managed Home Screen app from Google Play must be:

        The Managed Home Screen app isn't required to be in the configuration profile, but it's required to be added as an app. When the Managed Home Screen app is added, any other apps you add in the configuration profile are shown as icons on the Managed Home Screen app.

        When using multi-app kiosk mode, dialer/phone apps may not function properly.

        For more information on the Managed Home Screen, see setup Microsoft Managed Home Screen on Dedicated devices in multi-app kiosk mode.

        • Add: Select your apps from the list.

          If the Managed Home Screen app isn't listed, then add it from Google Play. Be sure to assign the app to the device group created for your dedicated devices.

          You can also add other Android apps and web apps created by your organization to the device. Be sure to assign the app to the device group created for your dedicated devices.

        • Folder icon: Select the color and shape of the folder icon that's shown on the Managed Home Screen. Your options:

          • Not configured
          • Dark theme rectangle
          • Dark theme circle
          • Light theme rectangle
          • Light theme circle
        • App and Folder icon size: Select the size of the folder icon that's shown on the Managed Home Screen. Your options:

          • Not configured

          • Extra small

          • Small

          • Average

          • Large

          • Extra large

            Depending on the screen size, the actual icon size may be different.

        • Screen orientation: Select the direction the Managed Home Screen is shown on devices. Your options:

          • Not configured
          • Portrait
          • Landscape
          • Autorotate
        • App notification badges: Enable shows the number of new and unread notifications on app icons. When set to Not configured, Intune doesn't change or update this setting.

        • Virtual home button: A soft-key button that returns users to the Managed Home Screen so users can switch between apps. Your options:

          • Not configured (default): A home button isn't shown. Users must use the back button to switch between apps.
          • Swipe-up: A home button shows when a user swipes up on the device.
          • Floating: Shows a persistent, floating home button on the device.
        • Leave kiosk mode: Enable allows administrators to temporarily pause kiosk mode to update the device. To use this feature, the administrator:

          1. Continues to select the back button until the Exit kiosk button shows.
          2. Selects the Exit kiosk button, and enters the Leave kiosk mode code PIN.
          3. When finished, selects the Managed Home Screen app. This step relocks the device into multi-app kiosk mode.

          When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent administrators from pausing kiosk mode. If the administrator keeps selecting the back button, and selects the Exit kiosk button, then a message states that a passcode is required.

        • Leave kiosk mode code: Enter a 4-6 digit numeric PIN. The administrator uses this PIN to temporarily pause kiosk mode.

        • Set custom URL background: Enter a URL to customize the background screen on the dedicated device. For example, enter http://contoso.com/backgroundimage.jpg.

          Note

          For most cases, we recommend starting with images of at least the following sizes:

          • Phone: 1080x1920 px
          • Tablet: 1920x1080 px

          For the best experience and crisp details, it's suggested that per device image assets be created to the display specifications.

          Modern displays have higher pixel densities and can display equivalent 2K/4K definition images.

        • Shortcut to settings menu: Disable hides the Managed Settings shortcut on the Managed Home Screen. Users can still swipe down to access the settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the Managed Settings shortcut is shown on devices. Users can also swipe down to access these settings.

        • Quick access to debug menu: This setting controls how users access the debug menu. Your options:

          • Enable: Users can access the debug menu more easily. Specifically, they can swipe down, or use the Managed Settings shortcut. As always, they can continue to select the back button 15 times.
          • Not configured (default): Intune doesn't change or update this setting. By default, easy access to the debug menu is turned off. Users must select the back button 15 times to open the debug menu.

          Using the debug menu, users can:

          • See and upload Managed Home Screen logs
          • Open Google's Android Device Policy Manager app
          • Open the Microsoft Intune app
          • Exit kiosk mode
        • Wi-Fi configuration: Enable shows the Wi-Fi control on the Managed Home Screen, and allows users to connect the device to different Wi-Fi networks. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Wi-Fi control on the Managed Home Screen. It prevents users from connecting to Wi-Fi networks while using the Managed Home Screen.

          • Wi-Fi allow list: Create a list of valid wireless network names, also known as the service set identifier (SSID). Managed Home Screen users can only connect to the SSIDs you enter.

            When left blank, Intune doesn't change or update this setting. By default, all available Wi-Fi networks are allowed.

            Import a .csv file that includes a list of valid SSIDs.

            Export your current list to a .csv file.

          • SSID: You can also enter the Wi-Fi network names (SSID) that Managed Home Screen users can connect to. Be sure to enter valid SSIDs.

        • Bluetooth configuration: Enable shows the Bluetooth control on the Managed Home Screen, and allows users to pair devices over Bluetooth. Enabling this feature also turns on device location. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the Bluetooth control on the Managed Home Screen. It prevents users from configuring Bluetooth and pairing devices while using the Managed Home Screen.

        • Flashlight access: Enable shows the flashlight control on the Managed Home Screen, and allows users to turn the flashlight on or off. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the flashlight control on the Managed Home Screen. It prevents users from using the flashlight while using the Managed Home Screen.

        • Media volume control: Enable shows the media volume control on the Managed Home Screen, and allows users to adjust the device's media volume using a slider. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show the media volume control on the Managed Home Screen. It prevents users from adjusting the device's media volume while using the Managed Home Screen, unless their hardware buttons support it.

        • Quick access to device information: Enable allows users to swipe down to see the device information on the Managed Home Screen, such as the serial number, make and model number, and SDK level. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device information might not be shown.

        • Screen saver mode: Enable shows a screensaver on the Managed Home Screen when the device is locked or times out. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not show a screensaver on the Managed Home Screen.

          When enabled, also configure:

          • Set custom screen saver image: Enter the URL to a custom PNG, JPG, JPEG, GIF, BMP, WebP, or ICO image. If you don't enter a URL, then the device's default image is used, if there's a default image.

            For example, enter:

            • http://www.contoso.com/image.jpg
            • www.contoso.com/image.bmp
            • https://www.contoso.com/image.webp

            Tip

            Any file resource URL that can be turned into a bitmap is supported.

          • Number of seconds the device shows screen saver before turning off screen: Choose how long the device shows the screensaver. Enter a value between 0-9999999 seconds. Default is 0 seconds. When left blank, or set to zero (0), the screen saver is active until a user interacts with the device.

          • Number of seconds the device is inactive before showing screen saver: Choose how long the device is idle before showing the screensaver. Enter a value between 1-9999999 seconds. Default is 30 seconds. You must enter a number greater than zero (0).

          • Detect media before starting screen saver: Enable (default) doesn't show the screen saver if audio or video is playing on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show the screen saver, even if audio or video is playing.

  • Fully managed: Configures the Microsoft Launcher app on fully managed devices.

    • Make Microsoft Launcher the default launcher: Enable sets Microsoft Launcher as the default launcher on the home screen. If you make Launcher the default, users can't use another launcher. When set to Not configured (default), Intune doesn't change or update this setting. By default, the Microsoft Launcher isn't forced as the default launcher.

    • Configure custom wallpaper: In the Microsoft Launcher app, Enable lets you apply your own image as the home screen wallpaper, and choose if users can change the image. When set to Not configured (default), Intune doesn't change or update this setting. By default, the device keeps its current wallpaper.

      • Enter URL of wallpaper image: Enter the URL of your wallpaper image. This image shows on the device home screen. For example, enter http://www.contoso.com/image.jpg.
      • Allow user to modify wallpaper: Enable allows users to change the wallpaper image. When set to Not configured (default), Intune doesn't change or update this setting. By default, users are prevented from changing the wallpaper.
    • Enable launcher feed: Enable turns on the launcher feed, which shows calendars, documents, and recent activities. When set to Not configured (default), Intune doesn't change or update this setting. By default, this feed isn't shown.

      • Allow user to enable/disable feed: Enable lets users enable or disable the launcher feed. Enable only forces this setting the first time the profile is assigned. Any future profile assignments don't force this setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, users are prevented from changing the launcher feed settings.
    • Dock presence: The dock gives users quick access to their apps and tools. Your options:

      • Not configured (default): Intune doesn't change or update this setting.
      • Show: The dock is shown on devices.
      • Hide: The dock is hidden. Users must swipe up to access the dock.
      • Disabled: The dock isn't shown on devices, and users are prevented from showing it.
    • Allow user to change dock presence: Enable allows users to show or hide the dock. Enable only forces this setting the first time the profile is assigned. Any future profile assignments don't force this setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, users aren't allowed to change the device dock configuration.

    • Search bar replacement: Choose where to put the search bar. Your options:

      • Not configured (default): Intune doesn't change or update this setting.
      • Top: Search bar is shown at the top of devices.
      • Bottom: Search bar is shown at the bottom of devices.
      • Hide: Search bar is hidden.
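
The following Python lint is an added example, not part of the original article or of Intune. It checks a multi-app kiosk profile against the behaviours described in the General and Device experience settings above: the semicolon-separated factory reset protection list, the 4-6 digit leave-kiosk PIN, the blank Wi-Fi allow list, and the debug menu that can exit kiosk mode. The dictionary keys are hypothetical labels rather than Intune or Microsoft Graph property names, and the PIN-pattern and plain-HTTP checks are added hygiene checks, not rules stated on the page.

```python
"""Lint a dedicated-device (multi-app kiosk) restrictions profile before assignment.

Added example. The dictionary keys are hypothetical labels for settings
described on this page, not Intune or Microsoft Graph property names.
"""
import re

# Deliberately loose address shape: one "@", a dot in the domain, no separators.
EMAIL_RE = re.compile(r"[^@\s;,]+@[^@\s;,]+\.[^@\s;,]+")


def parse_frp_emails(raw):
    """Split the semicolon-separated factory reset protection value.

    Returns (valid_addresses, malformed_entries).
    """
    entries = [e.strip() for e in (raw or "").split(";") if e.strip()]
    valid = [e for e in entries if EMAIL_RE.fullmatch(e)]
    malformed = [e for e in entries if not EMAIL_RE.fullmatch(e)]
    return valid, malformed


def is_repeated_or_consecutive(pin):
    """True for digit strings such as "1111", "1234" or "4321"."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def audit_profile(profile):
    """Return a list of (severity, setting, message) findings."""
    findings = []

    def add(severity, setting, message):
        findings.append((severity, setting, message))

    valid, malformed = parse_frp_emails(profile.get("factory_reset_protection_emails"))
    for entry in malformed:
        add("error", "factory_reset_protection_emails",
            "not a single address (separate addresses with ';'): " + entry)
    if not valid:
        add("high", "factory_reset_protection_emails",
            "no administrator address, so anyone can unlock the device after a reset")

    if profile.get("debugging_features") == "Allow":
        add("medium", "debugging_features", "users can use debugging features")

    if profile.get("leave_kiosk_mode") == "Enable":
        pin = profile.get("leave_kiosk_mode_code") or ""
        if not re.fullmatch(r"[0-9]{4,6}", pin):
            add("error", "leave_kiosk_mode_code", "must be a 4-6 digit numeric PIN")
        elif is_repeated_or_consecutive(pin):
            # Added hygiene check: the page only requires 4-6 digits here.
            add("medium", "leave_kiosk_mode_code", "repeated or consecutive digits")

    if profile.get("quick_access_to_debug_menu") == "Enable":
        add("medium", "quick_access_to_debug_menu",
            "debug menu (which can exit kiosk mode) opens by swipe or shortcut")

    if profile.get("wifi_configuration") == "Enable" and not profile.get("wifi_allow_list"):
        add("medium", "wifi_allow_list",
            "blank list: all available Wi-Fi networks are allowed")

    background = profile.get("custom_url_background") or ""
    if background.lower().startswith("http://"):
        # Added hygiene check, not a rule stated on the page.
        add("low", "custom_url_background", "image is fetched over unencrypted HTTP")

    return findings


# Constructed sample profiles (not exported from a real tenant).
WEAK_PROFILE = {
    "factory_reset_protection_emails": "admin1@gmail.com,admin2@gmail.com",  # comma, not ';'
    "debugging_features": "Allow",
    "leave_kiosk_mode": "Enable",
    "leave_kiosk_mode_code": "1234",
    "quick_access_to_debug_menu": "Enable",
    "wifi_configuration": "Enable",
    "wifi_allow_list": [],
    "custom_url_background": "http://contoso.com/backgroundimage.jpg",
}

HARDENED_PROFILE = {
    "factory_reset_protection_emails": "admin1@gmail.com;admin2@gmail.com",
    "debugging_features": "Not configured",
    "leave_kiosk_mode": "Enable",
    "leave_kiosk_mode_code": "907316",
    "quick_access_to_debug_menu": "Not configured",
    "wifi_configuration": "Enable",
    "wifi_allow_list": ["Contoso-Kiosk"],
    "custom_url_background": "https://contoso.com/backgroundimage.jpg",
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name)
        for severity, setting, message in audit_profile(prof):
            print("  [%s] %s: %s" % (severity, setting, message))
```
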

Device password

  • Disable lock screen: Choose Disable to prevent users from using Keyguard lock screen feature on the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use the Keyguard features.

  • Disabled lock screen features: When keyguard is enabled on the device, choose which features to disable. For example, when Secure camera is checked, the camera feature is disabled on the device. Any features not checked are enabled on the device.

    These features are available to users when the device is locked. Users won't see or access features that are checked.

  • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

    • Device default

    • Password required, no restrictions

    • Weak biometric: Strong vs. weak biometrics (opens Android's web site)

    • Numeric: Password must only be numbers, such as 123456789. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't required. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
      • Number of characters required: Enter the number of characters the password must have, between 0 and 16 characters.
      • Number of lowercase characters required: Enter the number of lowercase characters the password must have, between 0 and 16 characters.
      • Number of uppercase characters required: Enter the number of uppercase characters the password must have, between 0 and 16 characters.
      • Number of non-letter characters required: Enter the number of non-letters (anything other than letters in the alphabet) the password must have, between 0 and 16 characters.
      • Number of numeric characters required: Enter the number of numeric characters (1, 2, 3, and so on) the password must have, between 0 and 16 characters.
      • Number of symbol characters required: Enter the number of symbol characters (&, #, %, and so on) the password must have, between 0 and 16 characters.
  • Number of days until password expires: Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.

  • Number of passwords required before user can reuse a password: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

  • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the device is wiped, from 4-11. When the value is blank, Intune doesn't change or update this setting.

    Note

    Fully managed, dedicated, and corporate-owned work profile devices are not prompted to set a password. The settings are required, but users might not be notified. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.

Power settings

  • Time to lock screen: Enter the maximum time a user can set until the device locks. For example, if you set this setting to 10 minutes, then users can set the time from 15 seconds up to 10 minutes. When set to Not configured (default), Intune doesn't change or update this setting.

  • Screen on while device plugged in: Choose which power sources cause the device's screen to stay on when plugged in.

Users and Accounts

  • Add new users: Block prevents users from adding new users. Each user has a personal space on the device for custom Home screens, accounts, apps, and settings. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to add other users to the device.

  • User removal: Block prevents users from removing users. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to remove other users from the device.

  • Account changes (dedicated devices only): Block prevents users from modifying accounts. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to update user accounts on the device.

    Note

    This setting isn't honored on fully managed, dedicated, and corporate-owned work profile devices. If you configure this setting, then the setting is ignored, and has no impact.

  • User can configure credentials: Block prevents users from configuring certificates assigned to devices, even devices that aren't associated with a user account. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might make it possible for users to configure or change their credentials when they access them in the keystore.

  • Personal Google Accounts: Block prevents users from adding their personal Google account to the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to add their personal Google account.

Applications

  • Allow installation from unknown sources: Allow lets users turn on Unknown sources. This setting allows apps to install from unknown sources, including sources other than the Google Play Store. It allows users to side-load apps on the device using means other than the Google Play Store. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on Unknown sources.

  • Allow access to all apps in Google Play store: When set to Allow, users get access to all apps in Google Play store. They don't get access to the apps the administrator blocks in Client Apps.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might:

    • Force users to only access the apps the administrator makes available in the Google Play store, or apps required in Client Apps.
    • Automatically uninstall any apps that are detected as being installed by users outside of the Google Play store.

    If you want to enable side-loading, set the Allow installation from unknown sources and Allow access to all apps in Google Play store settings to Allow.

  • App auto-updates: Devices check for app updates daily. Choose when automatic updates are installed. Your options:

    • Not configured: Intune doesn't change or update this setting.
    • User choice: The OS might default to this option. Users can set their preferences in the managed Google Play app.
    • Never: Updates are never installed. This option isn't recommended.
    • Wi-Fi only: Updates are installed only when the device is connected to a Wi-Fi network.
    • Always: Updates are installed when they're available.

Connectivity

  • Always-on VPN: Enable sets the VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected. Or, immediately connect when users lock their device, the device restarts, or the wireless network changes.

    Choose Not configured to disable always-on VPN for all VPN clients.

    Important

    Be sure to deploy only one Always-on VPN policy to a single device. Deploying multiple Always-on VPN policies to a single device isn't supported.

  • VPN client: Choose a VPN client that supports Always On. Your options:

    • Cisco AnyConnect
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • Pulse Secure
    • Custom
      • Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod, then the package ID is com.contosovpn.android.prod.

    Important

    • The VPN client you choose must be installed on the device, and it must support per-app VPN in work profiles. Otherwise, an error occurs.
    • You do need to approve the VPN client app in the Managed Google Play Store, sync the app to Intune, and deploy the app to the device. After you do this, then the app is installed in the user's work profile.
    • You still need to configure the VPN client with a VPN profile, or through an app configuration profile.
    • There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. For more information, see F5's release notes for F5 Access for Android 3.0.4.
  • Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow traffic to flow through the VPN tunnel or through the mobile network.

  • Recommended global proxy: Enable adds a global proxy to the devices. When enabled, HTTP and HTTPS traffic, including some apps on the device, use the proxy you enter. This proxy is only a recommendation. It's possible some apps won't use the proxy. Not configured (default) doesn't add a recommended global proxy.

    For more information on this feature, see setRecommendedGlobalProxy (opens an Android site).

    When enabled, also enter the Type of proxy. Your options:

    • Direct: Manually enter the proxy server details, including:

      • Host: Enter the hostname or IP address of your proxy server. For example, enter proxy.contoso.com or 127.0.0.1.
      • Port number: Enter the TCP port number used by the proxy server. For example, enter 8080.
      • Excluded hosts: Enter a list of host names or IP addresses that won't use the proxy. This list can include an asterisk (*) wildcard and multiple hosts separated by semicolons (;) with no spaces. For example, enter 127.0.0.1;web.contoso.com;*.microsoft.com.
    • Proxy Auto-Config: Enter the PAC URL to a proxy autoconfiguration script. For example, enter https://proxy.contoso.com/proxy.pac.

      For more information on PAC files, see Proxy Auto-Configuration (PAC) file (opens a non-Microsoft site).

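The Direct and Proxy Auto-Config values described above can be checked before they go into a profile, because a malformed or overly broad exclusion list quietly sends traffic around the proxy. The following is an added example, not Intune or Android code. It assumes the wildcard appears only as a leading `*.` label (as in the page's `*.microsoft.com` example), and all function names are hypothetical.

```python
"""Pre-deployment checks for recommended-global-proxy values (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value):
    labels = value.split(".")
    # A purely numeric last label means a malformed IP, not a hostname.
    return (len(value) <= 253 and not labels[-1].isdigit()
            and all(LABEL.fullmatch(label) for label in labels))


def check_excluded_hosts(raw):
    """Return findings for an 'Excluded hosts' value; [] means clean."""
    findings = []
    if re.search(r"\s", raw):
        findings.append("whitespace found: separate hosts with ';' and no spaces")
    if "," in raw:
        findings.append("comma found: the separator is ';'")
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            findings.append("empty entry (leading, trailing or doubled ';')")
            continue
        host = entry[2:] if entry.startswith("*.") else entry
        if "*" in host:
            # Assumption of this checker: only a leading '*.' is accepted.
            findings.append(f"{entry}: wildcard only accepted as a leading '*.'")
        elif not (is_ip(host) or is_hostname(host)):
            findings.append(f"{entry}: not a hostname or IP address")
        elif entry.startswith("*.") and "." not in host:
            findings.append(f"{entry}: excludes a whole top-level domain")
    return findings


def check_direct_proxy(host, port, excluded=""):
    """Check the Host, Port number and Excluded hosts fields together."""
    findings = []
    if not (is_ip(host) or is_hostname(host)):
        findings.append(f"host {host!r}: not a hostname or IP address")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(f"port {port!r}: not a TCP port number (1-65535)")
    if excluded:
        findings.extend(check_excluded_hosts(excluded))
    return findings


def check_pac_url(url):
    """Check a Proxy Auto-Config URL."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return ["PAC script fetched over plain HTTP can be altered in transit"]
    if parts.scheme != "https" or not parts.hostname:
        return [f"{url!r}: not an https URL with a host"]
    return []


if __name__ == "__main__":
    # Constructed inputs: the page's own example, then a flawed variant.
    for raw in ("127.0.0.1;web.contoso.com;*.microsoft.com",
                "web.contoso.com; *.com;"):
        print(raw, "->", check_excluded_hosts(raw) or "ok")
    print(check_pac_url("http://proxy.contoso.com/proxy.pac"))
```
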

Work profile password

  • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

    • Device default

    • Password required, no restrictions

    • Weak biometric: Strong vs. weak biometrics (opens Android's web site)

    • Numeric: Password must only be numbers, such as 123456789. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Numeric complex: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphabetic: Letters in the alphabet are required. Numbers and symbols aren't required. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
    • Alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols. Also enter:

      • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.
      • Number of characters required: Enter the number of characters the password must have, between 0 and 16 characters.
      • Number of lowercase characters required: Enter the number of lowercase characters the password must have, between 0 and 16 characters.
      • Number of uppercase characters required: Enter the number of uppercase characters the password must have, between 0 and 16 characters.
      • Number of non-letter characters required: Enter the number of non-letters (anything other than letters in the alphabet) the password must have, between 0 and 16 characters.
      • Number of numeric characters required: Enter the number of numeric characters (1, 2, 3, and so on) the password must have, between 0 and 16 characters.
      • Number of symbol characters required: Enter the number of symbol characters (&, #, %, and so on) the password must have, between 0 and 16 characters.
  • Number of days until password expires: Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.

  • Number of passwords required before user can reuse a password: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

  • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.

    Note

    Fully managed, dedicated, and corporate-owned work profile devices are not prompted to set a password. The settings are required, but users might not be notified. Users need to set the password manually. The policy reports as failed until the user sets a password that meets your requirements.
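The ranges given in the Device password and Work profile password sections can be checked in one pass, along with the length that the character-class minimums actually force. The following is an added example, not Intune or Android code. The dictionary keys are hypothetical labels for the settings above, and the numeric-complex check is one reading of "repeated or consecutive numbers" (runs longer than three digits), not Android's exact algorithm.

```python
"""Audit password-policy values against the ranges documented on this page.

Key names are hypothetical labels for the settings above; they are not
Intune or Microsoft Graph property names.
"""

# (min, max) ranges as documented for both password sections.
RANGES = {
    "min_length": (4, 16),
    "expiration_days": (1, 365),
    "password_history": (1, 24),
    "wipe_after_failures": (4, 11),
}
# Character-class minimums, each documented as 0-16.
CLASS_KEYS = ("characters", "lowercase", "uppercase",
              "non_letter", "numeric", "symbol")


def implied_min_length(policy):
    """Shortest password able to satisfy every character-class minimum."""
    letters = policy.get("lowercase", 0) + policy.get("uppercase", 0)
    # Digits and symbols both count as non-letters, so these classes overlap.
    non_letters = max(policy.get("non_letter", 0),
                      policy.get("numeric", 0) + policy.get("symbol", 0))
    return letters + non_letters


def audit_policy(policy):
    """Return a list of findings; [] means every value is in range."""
    findings = []
    for key, (low, high) in RANGES.items():
        value = policy.get(key)
        if value is None:
            findings.append(f"{key}: blank, so Intune leaves the OS default")
        elif not low <= value <= high:
            findings.append(f"{key}: {value} is outside {low}-{high}")
    for key in CLASS_KEYS:
        value = policy.get(key, 0)
        if not 0 <= value <= 16:
            findings.append(f"{key}: {value} is outside 0-16")
    implied = implied_min_length(policy)
    configured = policy.get("min_length")
    if configured is not None and implied > configured:
        findings.append(f"min_length: class minimums force {implied} "
                        f"characters, more than the configured {configured}")
    return findings


def longest_run(pin):
    """Longest run of repeated (step 0) or consecutive (step +1/-1) digits."""
    if not pin:
        return 0
    best = run = 1
    step = None
    for prev, cur in zip(pin, pin[1:]):
        diff = int(cur) - int(prev)
        if diff in (0, 1, -1) and diff == step:
            run += 1
        elif diff in (0, 1, -1):
            step, run = diff, 2
        else:
            step, run = None, 1
        best = max(best, run)
    return best


def passes_numeric_complex(pin, min_length, max_run=3):
    """Assumed rule: ASCII digits only, long enough, no run above max_run."""
    return (pin.isascii() and pin.isdigit()
            and len(pin) >= min_length and longest_run(pin) <= max_run)


# Constructed sample: expiry out of range, wipe threshold left blank, and
# class minimums that need more characters than min_length allows for.
SAMPLE_POLICY = {
    "min_length": 6, "expiration_days": 400, "password_history": 5,
    "lowercase": 2, "uppercase": 2, "numeric": 2, "symbol": 1, "non_letter": 2,
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
    for pin in ("1111", "1234", "4321", "1925"):
        print(pin, passes_numeric_complex(pin, 4))
```
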

Personal profile

  • Camera: Block prevents access to the camera during personal use. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using the camera in the personal profile.
  • Screen capture: Block prevents screen captures during personal use. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to get screen captures or screenshots in the personal profile.
  • Allow users to enable app installation from unknown sources in the personal profile: Select Allow so users can install apps from unknown sources in the personal profile. It allows users to install apps from sources other than the Google Play Store. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might prevent users from installing apps from unknown sources in the personal profile.

Work profile only

These settings apply to Android Enterprise enrollment types where Intune controls only the Work Profile, such as Android Enterprise Work profile enrollment on a personal or bring-your-own device (BYOD).

Work profile settings

  • Copy and paste between work and personal profiles: Block prevents copy-and-paste between work and personal apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to share data using copy-and-paste with apps in the personal profile.

  • Data sharing between work and personal profiles: Choose if apps in the work profile can share with apps in the personal profile. For example, you can control sharing actions within applications, such as the Share… option in the Chrome browser app. This setting doesn't apply to copy/paste clipboard behavior. Your options:

    • Device default: The default sharing behavior of the device varies depending on the Android version:
      • On devices running Android 6.0 and newer, sharing from the work profile to the personal profile is blocked. Sharing from the personal profile to the work profile is allowed.
      • On devices running Android 5.0 and older, sharing between the work profile and the personal profile is blocked in both directions.
    • Apps in work profile can handle sharing request from personal profile: Enables the built-in Android feature that allows sharing from the personal to work profile. When enabled, a sharing request from an app in the personal profile can share with apps in the work profile. This setting is the default behavior for Android devices running versions earlier than 6.0.
    • No restrictions on sharing: Enables sharing across the work profile boundary in both directions. When you select this setting, apps in the work profile can share data with unbadged apps in the personal profile. This setting allows managed apps in the work profile to share with apps on the unmanaged side of the device. So, use this setting carefully.
  • Work profile notifications while device locked: Block prevents window notifications, including toasts, incoming calls, outgoing calls, system alerts, and system errors from showing on locked devices. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show notifications.

  • Default app permissions: Sets the default permission policy for all apps in the work profile. Starting with Android 6, users are prompted to grant certain permissions required by apps when the app is launched. This policy setting lets you decide if users are prompted to grant permissions for all apps in the work profile. For example, you assign an app to the work profile that requires location access. Normally that app prompts users to approve or deny location access to the app. Use this policy to automatically grant permissions without a prompt, automatically deny permissions without a prompt, or let users decide. Your options:

    • Device default
    • Prompt
    • Auto grant
    • Auto deny

    You can also use an app configuration policy to grant permissions for individual apps (Client Apps > App configuration policies).

  • Add and remove accounts: Block prevents users from manually adding or removing accounts in the work profile. For example, when you deploy the Gmail app into an Android work profile, you can prevent users from adding or removing accounts in this work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow adding accounts in the work profile.

    Note

    Google accounts can't be added to a work profile.

  • Contact sharing via Bluetooth: Enable allows sharing and access to work profile contacts from another device, including a car, that's paired using Bluetooth. Enabling this setting may allow certain Bluetooth devices to cache work contacts upon first connection. Disabling this policy after an initial pairing/sync may not remove work contacts from a Bluetooth device.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not share work contacts.

    This setting applies to:

    • Android work profile devices running Android OS v6.0 and newer
  • Screen capture: Block prevents screenshots or screen captures on the device in the work profile. It also prevents the content from being shown on display devices that don't have a secure video output. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow getting screenshots.

  • Display work contact caller-id in personal profile: Block doesn't show the work contact caller number in the personal profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might show work contact caller details.

    This setting applies to:

    • Android OS v6.0 and newer versions
  • Search work contacts from personal profile: Block prevents users from searching for work contacts in apps in the personal profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow searching for work contacts in the personal profile.

  • Camera: Block prevents access to the camera on the device in the work profile. The camera on the personal side is not affected by the setting. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access to the camera.

  • Allow widgets from work profile apps: Enable allows users to put widgets exposed by apps on the home screen. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might disable this feature.

    For example, Outlook is installed on your users' work profiles. When set to Enable, users can put the agenda widget on the device home screen.

  • Require Work Profile Password: Require forces a passcode policy that only applies to apps in the work profile. By default, users can use the two separately defined PINs. Or, users can combine the PINs into the stronger of the two PINs. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to use work apps without entering a password.

    This setting applies to:

    • Android 7.0 and newer with the work profile enabled

    Also configure:

    • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

    • Maximum minutes of inactivity until work profile locks: Enter the length of time devices must be idle before the screen is automatically locked. Users must enter their credentials to regain access. For example, enter 5 to lock the device after 5 minutes of being idle. When the value is blank or set to Not configured, Intune doesn't change or update this setting.

      On devices, users can't set a time value greater than the configured time in the profile. Users can set a lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5 minutes. Users can't set the value to 30 minutes.

    • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the work profile in the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.

    • Password expiration (days): Enter the number of days until user passwords must be changed (from 1-365).

    • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

      • Device default
      • Low security biometric: Strong vs. weak biometrics (opens Android's web site)
      • Required
      • At least numeric: Includes numeric characters, such as 123456789.
      • Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234, aren't allowed.
      • At least alphabetic: Includes letters in the alphabet. Numbers and symbols aren't required.
      • At least alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters.
      • At least alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols.
    • Prevent reuse of previous passwords: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

    • Face unlock: Block prevents users from using the device's facial recognition to unlock the work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using facial recognition.

    • Fingerprint unlock: Block prevents users from using the device's fingerprint scanner to unlock the work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using a fingerprint.

    • Iris unlock: Block prevents users from using the device's iris scanner to unlock the work profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using the iris scanner.

    • Smart Lock and other trust agents: Block prevents Smart Lock or other trust agents from adjusting lock screen settings on compatible devices. If devices are in a trusted location, then this feature, also known as a trust agent, lets you disable or bypass the device lock screen password. For example, bypass the work profile password when devices are connected to a specific Bluetooth device, or when devices are close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.

      设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

Password

These password settings apply to personal profiles on devices that use a work profile.

  • Minimum password length: Enter the minimum length the password must have, between 4 and 16 characters.

  • Maximum minutes of inactivity until screen locks: Enter the length of time devices must be idle before the screen is automatically locked. Users must enter their credentials to regain access. For example, enter 5 to lock the device after 5 minutes of being idle. When the value is blank or set to Not configured, Intune doesn't change or update this setting.

    On devices, users can't set a time value greater than the configured time in the profile. Users can set a lower time value. For example, if the profile is set to 15 minutes, users can set the value to 5 minutes. Users can't set the value to 30 minutes.

  • Number of sign-in failures before wiping device: Enter the number of wrong passwords allowed before the work profile in the device is wiped, from 4-11. 0 (zero) might disable the device wipe functionality. When the value is blank, Intune doesn't change or update this setting.

  • Password expiration (days): Enter the number of days until the device password must be changed, from 1-365. For example, enter 90 to expire the password after 90 days. When the password expires, users are prompted to create a new password. When the value is blank, Intune doesn't change or update this setting.

  • Required password type: Enter the required password complexity level, and whether biometric devices can be used. Your options:

    • Device default
    • Low security biometric: Strong vs. weak biometrics (opens Android's web site)
    • Required
    • At least numeric: Includes numeric characters, such as 123456789.
    • Numeric complex: Repeated or consecutive numbers, such as 1111 or 1234, aren't allowed.
    • At least alphabetic: Includes letters in the alphabet. Numbers and symbols aren't required.
    • At least alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters.
    • At least alphanumeric with symbols: Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols.
  • Prevent reuse of previous passwords: Use this setting to restrict users from creating previously used passwords. Enter the number of previously used passwords that can't be used, from 1-24. For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. When the value is blank, Intune doesn't change or update this setting.

  • Fingerprint unlock: Block prevents users from using the device's fingerprint scanner to unlock the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using a fingerprint.

  • Face unlock: Block prevents users from using the device's facial recognition to unlock the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using facial recognition.

  • Iris unlock: Block prevents users from using the device's iris scanner to unlock the device. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow users to unlock the device using the iris scanner.

  • Smart Lock and other trust agents: Block prevents Smart Lock or other trust agents from adjusting lock screen settings on compatible devices. If devices are in a trusted location, then this feature, also known as a trust agent, lets you disable or bypass the device lock screen password. For example, bypass the work profile password when devices are connected to a specific Bluetooth device, or when devices are close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.

    When set to Not configured (default), Intune doesn't change or update this setting.

System security

  • Threat scan on apps: Require enforces that the Verify Apps setting is enabled for work and personal profiles. When set to Not configured (default), Intune doesn't change or update this setting.

    This setting applies to:

    • Android 8 (Oreo) and above
  • Prevent app installations from unknown sources in the personal profile: By design, Android Enterprise work profile devices can't install apps from sources other than the Play Store. This setting allows administrators more control of app installations from unknown sources. Block prevents app installations from sources other than the Google Play Store in the personal profile. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow app installations from unknown sources in the personal profile. By nature, work profile devices are intended to be dual-profile:

    • A work profile managed using MDM.
    • A personal profile that's isolated from MDM management.

Connectivity

  • Always-on VPN: Enable sets a VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected. Or, immediately connect when users lock their device, the device restarts, or the wireless network changes.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might disable always-on VPN for all VPN clients.

    Important

    Be sure to deploy only one Always On VPN policy to a single device. Deploying multiple Always On VPN policies to a single device isn't supported.

  • VPN client: Choose a VPN client that supports Always On. Your options:

    • Cisco AnyConnect
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • Pulse Secure
    • Custom
      • Package ID: Enter the package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosovpn.android.prod, then the package ID is com.contosovpn.android.prod.

    Important

    • The VPN client you choose must be installed on the device, and it must support per-app VPN in work profiles. Otherwise, an error occurs.
    • You must approve the VPN client app in the Managed Google Play Store, sync the app to Intune, and deploy the app to the device. After you do this, the app is installed in the user's work profile.
    • There may be known issues when using per-app VPN with F5 Access for Android 3.0.4. For more information, see F5's release notes for F5 Access for Android 3.0.4.
  • Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access.

    When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow traffic to flow through the VPN tunnel or through the mobile network.
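The following added example (not Microsoft's code and not an Intune API) lints a draft profile against the value ranges documented in the Password settings above and checks the two Connectivity constraints: a Custom VPN client needs a package ID, and a device should receive only one Always On VPN policy. The dictionary keys, policy names, device names, and sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Ranges documented above. The key names are hypothetical, not Intune property names.
RANGES = {
    "min_password_length": (4, 16),
    "signin_failures_before_wipe": (4, 11),
    "password_expiration_days": (1, 365),
    "prevent_reuse_count": (1, 24),
}

def package_id_from_play_url(url):
    """Return the package ID from the id= query parameter of a Play store URL."""
    parsed = urlparse(url)
    ids = parse_qs(parsed.query).get("id", [])
    if parsed.scheme != "https" or parsed.hostname != "play.google.com" or len(ids) != 1:
        raise ValueError(f"not a Play store app URL: {url!r}")
    return ids[0]

def lint_profile(profile):
    """Return findings for values the documented ranges do not allow."""
    findings = []
    for key, (low, high) in RANGES.items():
        value = profile.get(key)
        if value is None:  # blank: Intune doesn't change or update the setting
            continue
        if key == "signin_failures_before_wipe" and value == 0:
            findings.append(f"{key}=0 might disable the wipe")
        elif not low <= value <= high:
            findings.append(f"{key}={value} is outside {low}-{high}")
    if profile.get("vpn_client") == "Custom" and not profile.get("vpn_package_id"):
        findings.append("vpn_client=Custom requires a package ID")
    return findings

def devices_with_multiple_always_on(assignments):
    """Map each device to its Always On VPN policies when it has more than one."""
    per_device = defaultdict(set)
    for device, policy, always_on in assignments:
        if always_on:
            per_device[device].add(policy)
    return {d: sorted(p) for d, p in per_device.items() if len(p) > 1}

# Constructed sample input.
DRAFT = {"min_password_length": 3, "signin_failures_before_wipe": 0,
         "password_expiration_days": 90, "vpn_client": "Custom"}
ASSIGNMENTS = [("device-01", "vpn-corp", True), ("device-01", "vpn-lab", True),
               ("device-02", "vpn-corp", True), ("device-02", "wifi-only", False)]
```

Running the lint before assignment catches a blank package ID or an overlapping Always On VPN assignment while it is still a draft, rather than as an error on the device.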

Next steps

Assign the profile and monitor its status.

You can also create dedicated device kiosk profiles for Android and Windows 10 devices.

Configure and troubleshoot Android enterprise devices in Microsoft Intune.