便于使用 Intune 允许或限制功能的 iOS 和 iPadOS 设备设置iOS and iPadOS device settings to allow or restrict features using Intune

本文列出并介绍了可以在 iOS 和 iPadOS 设备上控制的各种设置。This article lists and describes the different settings you can control on iOS and iPadOS devices. 在移动设备管理 (MDM) 解决方案中,请通过这些设置允许使用或禁用功能、设置密码规则、允许使用或限制使用特定应用等。As part of your mobile device management (MDM) solution, use these settings to allow or disable features, set password rules, allow or restrict specific apps, and more.

我们将这些设置添加到 Intune 中的设备配置配置文件中,然后分配或部署到 iOS/iPadOS 设备。These settings are added to a device configuration profile in Intune, and then assigned or deployed to your iOS/iPadOS devices.

提示

这些设置使用 Apple 的 MDM 设置。These settings use Apple's MDM settings. 有关这些设置的详细信息,请参阅 Apple 的移动设备管理设置(打开 Apple 的网站)。For more information on these settings, see Apple's mobile device management settings (opens Apple's web site).

在开始之前Before you begin

创建 iOS/iPadOS 设备限制配置文件Create an iOS/iPadOS device restrictions configuration profile.

备注

这些设置适用于不同的注册类型,其中一些设置应用于所有注册选项。These settings apply to different enrollment types, with some settings applying to all enrollment options. 有关不同注册类型的详细信息,请参阅 iOS/iPadOS 注册For more information on the different enrollment types, see iOS/iPadOS enrollment.

常规General

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • 共享使用情况数据:设置为“阻止”可阻止设备将诊断和使用情况数据发送到 Apple。Share usage data: Block prevents devices from sending diagnostic and usage data to Apple. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许发送此数据。By default, the OS might allow this data to be sent.

  • 屏幕捕获:设置为“阻止”可阻止在设备上进行屏幕截图或屏幕捕获。Screen capture: Block prevents screenshots or screen captures on devices. 在 iOS/iPadOS 9.0 和更高版本中,它还会阻止屏幕录制。In iOS/iPadOS 9.0 and newer, it also blocks screen recordings. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户以图像或视频形式捕获屏幕内容。By default, the OS might let users capture the screen contents as an image or as a video.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 不受信任的 TLS 证书:设置为“阻止”可阻止设备使用不受信任的传输层安全性 (TLS) 证书。Untrusted TLS certificates: Block prevents untrusted Transport Layer Security (TLS) certificates on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 TLS 证书。By default, the OS might allow TLS certificates.

  • 阻止无线 PKI 更新:设置为“阻止”可阻止用户收到软件更新,除非设备已连接到计算机。Block over-the-air PKI updates: Block prevents your users from receiving software updates unless devices are connected to a computer. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备在未连接到计算机的情况下接收软件更新。By default, the OS might allow a device to receive software updates without being connected to a computer.

  • 限制广告跟踪:设置为“限制”可禁用设备广告标识符。Limit ad tracking: Limit disables the device advertising identifier. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能使其保持启用状态。By default, the OS might keep it enabled.

  • 企业应用信任:设置为“阻止”可删除设备上“设置”>“常规”>“配置文件和设备管理”中的“信任企业开发人员”按钮 。Enterprise app trust: Block removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会让用户选择信任不是从应用商店下载的应用。By default, the OS might let users choose to trust apps that aren't downloaded from the app store.

  • 阻止应用剪辑:“是”意味着阻止托管设备上的应用剪辑。Block App Clips: Yes blocks App Clips on managed devices. 具体而言,设置为“是”:Specifically, setting to Yes:

    • 阻止用户在设备上添加应用剪辑。Prevents users from adding App Clips on devices.
    • 删除设备上的现有应用剪辑。Removes existing App Clips on devices.

    设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备上添加和删除应用剪辑。By default, the OS might allow adding and removing App Clips on devices.

    此功能适用于:This feature applies to:

    • iOS 14.0 及更高版本iOS 14.0 and newer
    • iPadOS 14.0 及更高版本iPadOS 14.0 and newer

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 诊断数据提交:设置为“阻止”可阻止用户更改“诊断和使用情况”中的诊断提交和应用分析设置(设备设置) 。Diagnostics submission settings modification: Block prevents users from changing the diagnostic submission and app analytics settings in Diagnostics and Usage (device Settings). 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改这些设备设置。By default, the OS might allow users to change these device settings.

    若要使用此设置,请将“共享使用情况数据”设置设为“阻止” 。To use this setting, set the Share usage data setting to Block.

    此功能适用于:This feature applies to:

    • iOS 9.3.2 及更高版本iOS 9.3.2 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 通过 Classroom 应用观测远程屏幕:设置为“阻止”可阻止 Classroom 应用通过远程方式查看设备上的屏幕。Remote screen observation by Classroom app: Block prevents the Classroom app from remotely viewing the screen on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 Apple Classroom 应用查看屏幕。By default, the OS might allow the Apple Classroom app to view the screen.

    若要使用此设置,请将“屏幕捕获”设置设为“阻止” 。To use this setting, set the Screen capture setting to Block.

    此功能适用于:This feature applies to:

    • iOS 9.3 - iOS 12.x:需要受监管的设备iOS 9.3 - iOS 12.x: Requires supervised devices
    • iOS 13.0 及更高版本:不需要受监督的设备iOS 13.0 and newer: Doesn't require supervised devices
    • iPadOS 13.0 及更高版本:必须使用设备注册或自动设备注册 (ADE) 来注册设备iPadOS 13.0 and newer: Devices must be enrolled using Device Enrollment or Automated Device Enrollment (ADE)
  • 通过 Classroom 应用以静默方式观察屏幕:设置为“允许”可使教师使用 Classroom 应用以无提示方式查看学生 iOS/iPadOS 屏幕,学生不会察觉。Unprompted screen observation by Classroom app: Allow lets teachers silently observe students' iOS/iPadOS screens using the Classroom app without the students knowing. 使用 Classroom 应用在类中注册的学生设备自动向该课程的教师授予权限。Student devices enrolled in a class using the Classroom app automatically give permission to that course's teacher. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会阻止此功能。By default, the OS might prevent this feature.

    若要使用此设置,请将“屏幕捕获”设置设为“阻止” 。To use this setting, set the Screen capture setting to Block.

  • 帐户修改:设置为“阻止”可阻止用户从 iOS/iPadOS 设置应用更新特定于设备的设置。Account modification: Block prevents users from updating device-specific settings from the iOS/iPadOS settings app. 例如,用户无法创建新的设备帐户,或更改用户名或密码。For example, users can't create new device accounts, or change the user name or password. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改这些设置。By default, the OS might allow users to change these settings.

    此功能同样适用于可从 iOS/iPadOS 设置应用(如邮件、联系人、日历、Twitter 等)进行访问的设置。This feature also applies to settings accessible from the iOS/iPadOS settings app, such as Mail, Contacts, Calendar, Twitter, and more. 此功能不适用于具备不可从 iOS/iPadOS 设置应用进行配置的帐户设置的应用,例如,Microsoft Outlook 应用。This feature doesn't apply to apps with account settings that aren't configurable from the iOS/iPadOS settings app, such as the Microsoft Outlook app.

  • 屏幕时间:设置为“阻止”可阻止用户在“屏幕时间”(设备设置)中设置自己的限制。Screen time: Block prevents users from setting their own restrictions in Screen Time (device settings). 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在设备上配置设备限制(如家长控制或内容,以及隐私限制)。By default, the OS might allow users to configure device restrictions (such as parental controls or content, and privacy restrictions) on devices.

    此设置已从“在设备设置中启用限制”重命名。This setting was renamed from Enabling restrictions in the device settings. 此更改的影响:Impact of this change:

    • iOS 11.4.1 及更早版本:设置为“阻止”可阻止用户在设备设置中设置自己的限制。iOS 11.4.1 and older: Block prevents users from setting their own restrictions in the device settings. 此行为是相同的;且对于用户来说无更改。The behavior is the same; and there are no changes for users.
    • iOS 12.0 及更高版本:设置为“阻止”可阻止最终用户在设备设置中设置自己的“屏幕时间”(“设置”>“通用”>“屏幕时间”),包括内容和隐私限制 。iOS 12.0 and newer: Block prevents users from setting their own Screen Time in the device settings (Settings > General > Screen Time), including content and privacy restrictions. 更新到 iOS 12.0 的设备不会再看到设备设置中的该限制选项卡(“设置”>“通用”>“设备管理”>“管理配置文件”>“限制”)。Devices upgraded to iOS 12.0 won't see the restrictions tab in the device settings anymore (Settings > General > Device Management > Management Profile > Restrictions). 这些设置位于“屏幕时间”。These settings are in Screen Time.
  • 使用设备上的擦除所有内容和设置选项:设置为“阻止”可阻止在设备上使用“擦除所有内容和设置”选项。Use of the erase all content and settings option on the device: Block prevents using the erase all content and settings option on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户访问这些设置。By default, the OS might give users access to these settings.

  • 设备名称修改:设置为“阻止”可阻止更改设备名称。Device name modification: Block prevents changing the device name. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改设备的名称。By default, the OS might allow users to change the name of devices.

  • 修改通知设置:设置为“阻止”可阻止更改通知设置。Notification settings modification: Block prevents changing the notification settings. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改设备通知设置。By default, the OS might allow users to change the device notification settings.

  • 修改壁纸:选择“阻止”可阻止更改墙纸。Wallpaper modification: Block prevents the wallpaper from being changed. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会允许用户更改设备上的墙纸。By default, the OS might allow users to change the wallpaper on devices.

  • 配置文件更改:设置为“阻止”可阻止更改设备上的配置文件。Configuration profile changes: Block prevents configuration profile changes on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户安装配置文件。By default, the OS might allow users to install configuration profiles.

  • 激活锁:设置为“允许”可在受监管的 iOS/iPadOS 设备上启用“激活锁”。Activation Lock: Allow enables Activation Lock on supervised iOS/iPadOS devices. 激活锁让重新激活丢失或被盗设备变得很难。Activation Lock makes it harder for a lost or stolen device to be reactivated. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

  • 阻止应用删除:设置为“阻止”可阻止删除应用。Block app removal: Block prevents removing apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户从设备中删除应用。By default, the OS might allow users to remove apps from devices.

  • 在设备锁定时允许使用 USB 附件:设置为“允许”可允许 USB 附件与锁定超过一个小时的设备交换数据。Allow USB accessories while device is locked: Allow lets USB accessories exchange data with devices that are locked for over an hour. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不更新设备的 USB 受限模式,如果设备锁定时间超过一个小时,将阻止 USB 附件从设备传输数据。By default, the OS might not update USB Restricted mode on devices, and USB accessories are blocked from transferring data from devices if locked for over an hour.

    此功能适用于:This feature applies to:

    • iOS/iPadOS 11.4.1 及更高版本iOS/iPadOS 11.4.1 and newer
  • 强制执行自动日期和时间:“要求”可强制受监管设备自动设置日期和时间。Force automatic date and time: Require forces supervised devices to set the Date & Time automatically. 当设备连接移动电话网络或启用了位置服务的 Wi-fi 时,将更新设备的时区。The device's time zone is updated when the device has cellular connections or has Wi-Fi with location services enabled. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

  • 要求学生经批准方可离开 Classroom 课程:“要求”可强制使用 Classroom 应用加入非托管课程的学生在获得教师许可后离开课程。Require students to request permission to leave Classroom course: Require forces students enrolled in an unmanaged course using the Classroom app to request permission from the teacher to leave the course. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不会强制学生请求权限。By default, the OS might not force the student to ask for permission.

    此功能适用于:This feature applies to:

    • iOS 11.3 及更高版本iOS 11.3 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 允许 Classroom 对应用锁定,且在无提示的情况下锁定设备:设置为“启用”可允许教师锁定应用或使用 Classroom 应用锁定设备,而无需提示学生。Allow Classroom to lock to an app and lock the device without prompting: Enable allows teacher to lock apps or lock devices using the Classroom app without prompting the student. 锁定应用意味着设备仅可访问教师指定的应用。Locking apps means devices can only access teacher specified apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会阻止教师在不提示学生的情况下使用 Classroom 应用锁定应用或设备。By default, the OS might prevent teachers from locking apps or devices using the Classroom app without prompting the student.

    此功能适用于:This feature applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 在不提示的情况下自动加入 Classroom 课程:设置为“启用”可在不提示教师的情况下,自动允许学生加入 Classroom 应用中的课程。Automatically join Classroom classes without prompting: Enable automatically allows students to join a class that's in the Classroom app without prompting the teacher. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会提示教师,学生想参加 Classroom 应用中的课程。By default, the OS might prompt the teacher that students want to join a class that's in the Classroom app.

    此功能适用于:This feature applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 阻止 VPN 创建:“阻止”可阻止用户创建 VPN 配置设置。Block VPN creation: Block prevents users from creating VPN configuration settings. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在设备上创建 VPN。By default, the OS might let users create VPNs on devices.

  • 修改 eSIM 设置:设置为“阻止”可阻止在设备上删除蜂窝网络计划或将其添加到 eSIM。Modifying eSIM settings: Block prevents removing or adding a cellular plan to the eSIM on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改这些设置。By default, the OS might allow users to change these settings.

    此功能适用于:This feature applies to:

    • iOS 12.1 及更高版本iOS 12.1 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 延迟软件更新:“启用”允许用户在设备上显示软件更新时,将更新时间延迟 0-90 天。Defer software updates: Enable allows you to delay when software updates are shown on devices, from 0-90 days. 此设置不会控制何时安装或不安装更新。This setting doesn't control when updates are or aren't installed.

    设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,在 Apple 发布软件更新时,OS 可能会在设备上显示软件更新。By default, the OS might show software updates on devices as Apple releases them. 例如,如果 Apple 在特定日期发布了 iOS/iPadOS 更新,则该更新自然会大约在发布日期显示在设备上。For example, if an iOS/iPadOS update gets released by Apple on a specific date, then that update naturally shows up on devices around the release date.

    • 延迟软件更新的可见性:输入一个 0-90 天之间的值。Delay visibility of software updates: Enter a value from 0-90 days. 延迟到期时,用户会收到通知,通知更新到触发延迟时可用的最早版本的 OS。When the delay expires, users get notified to update to the earliest OS version available when the delay is triggered.

      例如,如果 iOS 12.a 在 1 月 1 日发布,“延迟可见性”设置为“5 天”,那么 iOS 12.a 在用户设备上不会显示为可用更新 。For example, if iOS 12.a is available on January 1, and Delay visibility is set to 5 days, then iOS 12.a isn't shown as an available update on user devices. 在发布后第六天,该更新可用,最终用户可进行安装。On the sixth day following the release, that update is available, and users can install it.

      此功能适用于:This feature applies to:

      • iOS 11.3 及更高版本iOS 11.3 and newer
      • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

PasswordPassword

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • 密码:设置为“需要”时,用户必须输入密码才能访问设备。Password: Require users to enter a password to access devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户无需输入密码即可访问设备。By default, the OS might allow users to access devices without entering a password.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

重要

在用户注册设备上,如果配置任何密码设置,则“简单密码”设置将自动设置为“阻止”,并强制使用 6 位 PIN。On user-enrolled devices, if you configure any password setting, then the Simple passwords settings is automatically set to Block, and a 6 digit PIN is enforced.

例如,配置“密码过期”设置,并将此策略推送到用户注册的设备。For example, you configure the Password expiration setting, and push this policy to user-enrolled devices. 在设备上,会出现以下情况:On the devices, the following happens:

  • 将忽略“密码过期”设置。The Password expiration setting is ignored.
  • 不允许使用简单密码,如 11111234Simple passwords, such as 1111 or 1234, aren't allowed.
  • 强制使用 6 位 pin。A 6 digit pin is enforced.
  • 简单密码:设置为“阻止”表示需要更复杂的密码。Simple passwords: Block requires more complex passwords. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用简单密码,例如 00001234By default, the OS might allow simple passwords, such as 0000 and 1234.

  • 所需的密码类型:输入组织所需的密码复杂性级别。Required password type: Enter the required password complexity level your organization requires. 选项包括:Your options:

    • 设备默认值Device default
    • 数字:密码只能使用数字,例如 123456789。Numeric: Password must only be numbers, such as 123456789.
    • 字母数字:包括大写字母、小写字母和数字字符。Alphanumeric: Includes uppercase letters, lowercase letters, and numeric characters.

    备注

    选择字母数字可能会影响已配对的 Apple Watch。Selecting alphanumeric can impact a paired Apple Watch. 有关详细信息,请参阅为 Apple Watch 设置密码限制(将打开 Apple 的网站)。For more information, see Set passcode restrictions for an Apple Watch (opens Apple's web site).

  • 密码中的非字母数字字符数:输入密码中必须包含的符号字符(如 #@)数,范围从 1 到 4。Number of non-alphanumeric characters in password: Enter the number of symbol characters, such as # or @, that must be included in the password, from 1-4. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

  • 最短密码长度:输入密码必须具有的最小长度(介于 4 到 16 个字符之间)。Minimum password length: Enter the minimum length the password must have, from 4-16 characters. 在用户注册的设备中,输入 4 到 6 个字符的长度。On user enrolled devices, enter a length between 4 and 6 characters.

    备注

    对于用户注册的设备,用户可以设置大于 6 位数字的 PIN。For devices that are user enrolled, users can set a PIN greater than 6 digits. 但设备上使用的数字不能超过 6 位。But, no more than 6 digits are enforced on devices. 例如,管理员将最小长度设置为 8For example, an administrator sets the minimum length to 8. 在用户注册的设备上,要求用户只设置一个 6 位的 PIN。On user-enrolled devices, users are only required to set a 6 digit PIN. Intune 在用户注册的设备上不强制使用大于 6 位的 PIN。Intune doesn't force a PIN greater than 6 digits on user-enrolled devices.

  • 擦除设备前的登录失败次数:输入在擦除设备前的登录失败次数(介于 2 到 11 之间)。Number of sign-in failures before wiping device: Enter the number of failed sign-ins before the device is wiped, from 2-11. 建议不要将此值设置为 23It's not recommended to set this value to 2 or 3. 输入错误的密码是很常见的。It's very common to enter the wrong password. 在两次或三次错误的密码尝试后擦除设备的情况经常发生。Wiping the device after two or three incorrect password attempts happens often. 建议将此值至少设置为 4It's recommended to set this value to at least 4.

    iOS/iPadOS 具有内置的安全性,这可能会影响此设置。iOS/iPadOS has built-in security that can impact this setting. 例如,iOS/iPadOS 可能会根据登录失败的次数来延迟触发策略。For example, iOS/iPadOS may delay triggering the policy depending on the number of sign in failures. 还可能会考虑一次重复输入相同的密码。It may also consider repeatedly entering the same passcode as one attempt. 如需深入了解关于密码的信息,请参阅 Apple 的 iOS/iPadOS 安全指南(打开 Apple 的网站)。Apple's iOS/iPadOS security guide (opens Apple's web site) is a good resource, and provides more specific details on passcodes.

  • 屏幕锁定后要求输入密码前的最大分钟数1:输入在用户必须重新输入密码前设备保持空闲状态的时间。Maximum minutes after screen lock before password is required1: Enter how long devices stay idle before users must reenter their password. 如果输入的时间大于设备上当前设置的时间,则设备将忽略输入的时间。If the time you enter is longer than what's currently set on the device, then the device ignores the time you enter.

    此功能适用于:This feature applies to:

    • iOS 8.0+iOS 8.0+
    • iPadOS 13.0+iPadOS 13.0+
  • 屏幕锁定前的最大非活动分钟数1:输入屏幕锁定前设备上允许的最大非活动分钟数。Maximum minutes of inactivity until screen locks1: Enter the maximum number of minutes of inactivity allowed on devices until the screen locks.

    iOS/iPadOS 选项iOS/iPadOS options:

    • 未配置(默认):Intune 不会更改或更新此设置。Not configured (Default): Intune doesn't change or update this setting.
    • 立即:屏幕处于不活动状态 30 秒后锁定。Immediately: Screen locks after 30 seconds of inactivity.
    • 1:屏幕处于不活动状态 1 分钟后锁定。1: Screen locks after 1 minute of inactivity.
    • 2:屏幕处于不活动状态 2 分钟后锁定。2: Screen locks after 2 minutes of inactivity.
    • 3:屏幕处于不活动状态 3 分钟后锁定。3: Screen locks after 3 minutes of inactivity.
    • 4:屏幕处于不活动状态 4 分钟后锁定。4: Screen locks after 4 minutes of inactivity.
    • 5:屏幕处于不活动状态 5 分钟后锁定。5: Screen locks after 5 minutes of inactivity.

    iPadOS 选项iPadOS options:

    • 未配置(默认):Intune 不会更改或更新此设置。Not configured (Default): Intune doesn't change or update this setting.
    • 立即:屏幕处于不活动状态 2 分钟后锁定。Immediately: Screen locks after 2 minutes of inactivity.
    • 2:屏幕处于不活动状态 2 分钟后锁定。2: Screen locks after 2 minutes of inactivity.
    • 5:屏幕处于不活动状态 5 分钟后锁定。5: Screen locks after 5 minutes of inactivity.
    • 10:屏幕处于不活动状态 10 分钟后锁定。10: Screen locks after 10 minutes of inactivity.
    • 15:屏幕处于不活动状态 15 分钟后锁定。15: Screen locks after 15 minutes of inactivity.

    如果值不适用于 iOS 和 iPadOS,则 Apple 使用最接近的最小值。If a value doesn't apply to iOS and iPadOS, then Apple uses the closest lowest value. 例如,如果输入 4 分钟,则 iPadOS 设备使用 2 分钟。For example, if you enter 4 minutes, then iPadOS devices use 2 minutes. 如果输入 10 分钟,则 iOS 设备使用 5 分钟。If you enter 10 minutes, then iOS devices use 5 minutes. 此行为是 Apple 的一种限制。This behavior is an Apple limitation.

    备注

    此设置的 Intune UI 不会分隔 iOS 和 iPadOS 支持的值。The Intune UI for this setting doesn't separate the iOS and iPadOS supported values. 未来版本可能会更新该 UI。The UI might be updated in a future release.

  • 密码过期(天) :输入在用户必须更改设备密码前设备密码保持有效的天数(介于 1-65535 天之间)。Password expiration (days): Enter the number of days before the device password must be changed, from 1-65535.

  • 防止重用以前的密码:使用此设置可限制用户创建以前用过的密码。Prevent reuse of previous passwords: Use this setting to restrict users from creating previously used passwords. 输入以前用过的不能重用的密码数,从 1 到 24。Enter the number of previously used passwords that can't be used, from 1-24. 例如,输入 5 意味着用户不能将其新密码设置为当前密码或以前四个密码中的任何一个。For example, enter 5 so users can't set a new password to their current password or any of their previous four passwords. 如果该值为空,Intune 不会更改或更新此设置。When the value is blank, Intune doesn't change or update this setting.

  • Touch ID 和 Face ID 解锁:设置为“阻止”可阻止使用指纹或人脸解锁设备。Touch ID and Face ID unlock: Block prevents using a fingerprint or face to unlock devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户使用生物识别来解锁设备。By default, the OS might allow users to unlock devices using biometrics.

    阻止此设置还会阻止使用 FaceID 身份验证来解锁设备。Blocking this setting also prevents using FaceID authentication to unlock devices.

    Face ID 适用范围:Face ID applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 密码修改:设置为“阻止”可阻止更改、添加或删除密码。Passcode modification: Block stops the passcode from being changed, added, or removed. 阻止此功能后,受监督设备上对密码限制的更改将被忽略。After blocking this feature, changes to passcode restrictions are ignored on supervised devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许添加、更改或删除密码。By default, the OS might allow passcodes to be added, changed, or removed.

    • Touch ID 和 Face ID 修改:选择“阻止”可阻止用户更改、添加或删除 TouchID 指纹和 Face ID。Touch ID and Face ID modification: Block stops users from changing, adding, or removing TouchID fingerprints and Face ID. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在设备上更新 TouchID 指纹和 Face ID。By default, the OS might allow users to update the TouchID fingerprints and Face ID on devices.

      阻止此设置还会阻止用户更改、添加或删除 FaceID 身份验证。Blocking this setting also stops users from changing, adding, or removing FaceID authentication.

      Face ID 适用范围:Face ID applies to:

      • iOS 11.0 及更高版本iOS 11.0 and newer
      • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 阻止密码自动填充:设置为“阻止”可阻止在 iOS/iPadOS 上使用“自动填充密码”功能。Block password AutoFill: Block prevents using the AutoFill Passwords feature on iOS/iPadOS. 选择“阻止”还有以下影响:Choosing Block also has the following impact:

    • 系统不会提示用户在 Safari 或任何应用中使用已保存的密码。Users aren't prompted to use a saved password in Safari or in any apps.
    • 自动强密码处于禁用状态,不建议用户使用强密码。Automatic Strong Passwords are disabled, and strong passwords aren't suggested to users.

    设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用这些功能。By default, the OS might allow these features.

  • 阻止密码临近感应请求:设置为“阻止”可阻止设备从附近的设备请求密码。Block password proximity requests: Block prevents devices from requesting passwords from nearby devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许这些密码请求。By default, the OS might allow these password requests.

  • 阻止密码共享:“阻止”可阻止使用 AirDrop 在设备之间共享密码。Block password sharing: Block prevents sharing passwords between devices using AirDrop. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许共享密码。By default, the OS might allow passwords to be shared.

  • 需要 Touch ID 或 Face ID 身份验证来自动填充密码或信用卡信息:当设置为“需要”时,用户必须先使用 TouchID 或 FaceID 进行身份验证,然后密码或信用卡信息才能在 Safari 或其他应用中自动填充。Require Touch ID or Face ID authentication for password or credit card information AutoFill: Require forces users to authenticate using TouchID or FaceID before passwords or credit card information can be auto filled in Safari and other apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在设备设置中控制此功能。By default, the OS might allow users to control this feature in the device settings.

    此功能适用于:This feature applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

1 配置“屏幕锁定前的非活动状态最大分钟数”和“屏幕锁定后要求提供密码前的最大分钟数”时,它们会依次应用 。1 When you configure the Maximum minutes of inactivity until screen locks and Maximum minutes after screen lock before password is required settings, they're applied in sequence. 例如,如果设置的两个设置的值均为“5”分钟,屏幕在五分钟后将自动关闭,然后再过五分钟后该设备将锁定。For example, if you set the value for both settings to 5 minutes, the screen turns off automatically after five minutes, and devices are locked after an additional five minutes. 但是,如果用户手动关闭屏幕,系统将立即应用第二个设置。However, if users turn off the screen manually, the second setting is immediately applied. 在相同的示例中,用户关闭屏幕后,设备将在五分钟后锁定。In the same example, after users turn off the screen, the device locks five minutes later.

锁定屏幕体验Locked Screen Experience

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • 在设备锁定时访问控制中心:设置为“阻止”可阻止在设备锁定时访问控制中心应用。Control Center access while device locked: Block prevents access to the Control Center app while device is locked. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备锁定时访问控制中心应用。By default, the OS might allow access to the Control Center app when devices are locked.
  • 在设备锁定时访问通知:设置为“阻止”可阻止在设备锁定时访问通知。Notifications while device locked: Block prevents access to notifications when devices are locked. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在不解锁设备的情况下访问通知。By default, the OS might allow access to notifications without unlocking devices.
  • 在设备锁定时访问“今日”视图:设置为“阻止”可阻止在设备锁定时访问“今日”视图。Today view while device locked: Block prevents access to the Today view when devices are locked. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在设备锁定时查看“今日”视图。By default, the OS might allow users to see the Today view when devices are locked.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 在设备锁定时访问钱包通知:设置为“阻止”可阻止在设备锁定时访问“钱包”应用。Wallet notifications while device locked: Block prevents access to the Wallet app when devices are locked. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备锁定时访问“钱包”应用。By default, the OS might allow access to the Wallet app while devices are locked.

App Store、文档查看和游戏App Store, Doc Viewing, Gaming

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • 在非托管应用中查看企业文档:“阻止”可阻止在非托管应用中查看企业文档。Viewing corporate documents in unmanaged apps: Block prevents viewing corporate documents in unmanaged apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在任何应用中查看企业文档。By default, the OS might allow corporate documents to be viewed in any app.

    例如,你想要阻止用户将文件从 OneDrive 应用保存到 Dropbox。For example, you want to prevent users from saving files from the OneDrive app to Dropbox. 将此设置配置为“阻止”。Configure this setting as Block. 设备收到策略后(例如在重新启动后),将不再允许保存。After devices receive the policy (for example, after a restart), it no longer allows saving.

    备注

    如果阻止此设置,则还会阻止从 App Store 安装的第三方键盘。When this setting is blocked, third party keyboards installed from the App Store are also blocked.

    • 允许非托管应用读取托管联系人帐户中的内容:设置为“允许”时,非托管应用(例如内置的 iOS/iPadOS“通讯录”应用)可以读取和访问托管应用(包括 Outlook 移动应用)中的联系人信息。Allow unmanaged apps to read from managed contacts accounts: Allow lets unmanaged apps, such as the built-in iOS/iPadOS Contacts app, to read and access contact information from managed apps, including the Outlook mobile app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会阻止对设备内置的“通讯录”应用进行读取(包括删除副本)。By default, the OS might prevent reading, including removing duplicates, from the built-in Contacts app on devices.

      此设置允许或禁止读取联系人信息。This setting allows or prevents reading contact information. 它不控制应用之间的联系人同步。It doesn't control syncing contacts between the apps.

      若要使用此设置,请将“在非托管应用中查看企业文档”设置设为“阻止” 。To use this setting, set the Viewing corporate documents in unmanaged apps setting to Block.

    如需深入了解这两个设置及其对 Outlook for iOS/Outlook for iPadOS 联系人导出同步的影响,请参阅支持提示:将 Intune 自定义配置文件设置用于 iOS/iPadOS 本机“联系人”应用For more information about these two settings, and their impact on Outlook for iOS/iPadOS contact export synchronization, see Support Tip: Use Intune custom profile settings with the iOS/iPadOS Native Contacts App.

  • 将 AirDrop 视为非托管目标:“要求”强制将 AirDrop 视为非托管放置目标。Treat AirDrop as an unmanaged destination: Require forces AirDrop to be considered an unmanaged drop target. 它将阻止托管应用使用 Airdrop 发送数据。It stops managed apps from sending data using Airdrop. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

  • 在企业应用中查看非企业文档:“阻止”可阻止在企业应用中查看非企业文档。Viewing non-corporate documents in corporate apps: Block prevents viewing non-corporate documents in corporate apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在公司托管的应用中查看任何文档。By default, the OS might allow any document to be viewed in corporate managed apps.

    如果设置为“阻止”,则还会阻止在 Outlook for iOS/Outlook for iPadOS 中进行联系人导出同步。Block also prevents contact export synchronization in Outlook for iOS/iPadOS. 有关详细信息,请参阅支持提示:使用 iOS12 MDM 控件启用 Outlook iOS/iPadOS 联系人同步For more information, see Support Tip: Enabling Outlook iOS/iPadOS Contact Sync with iOS12 MDM Controls.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 要求每项购买都提供 iTunes Store 密码:设置为“需要”会要求用户为每项应用内或 iTunes 购买输入 Apple ID 密码。Require iTunes Store password for all purchases: Require users to enter the Apple ID password for each in-app or ITunes purchase. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许无需每次购买都提示输入密码。By default, the OS might allow purchases without prompting for a password every time.

  • 应用内购买:设置为“阻止”可阻止从应用商店进行应用内购买。In-app purchases: Block prevents in-app purchases from the store. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在运行的应用中产生应用商店购买行为。By default, the OS might allow store purchases within a running app.

  • 从 iBooks 商店下载标记为“成人作品”的内容:设置为“阻止”可阻止用户从 iBook 商店下载标记为“成人作品”的媒体。Download content from iBook store flagged as 'Erotica': Block prevents users from downloading media from the iBook store that's tagged as erotica. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户下载类别为“成人作品”的书籍。By default, the OS might allow users to download books with the "Erotica" category.

  • 允许托管应用将联系人写入非托管联系人帐户:设置为“允许”时,托管应用(如 Outlook 移动应用)可以将联系人信息(包括业务和企业联系人)保存或同步到内置的 iOS/iPadOS“通讯录”应用。Allow managed apps to write contacts to unmanaged contacts accounts: Allow lets managed apps, such as the Outlook mobile app, to save or sync contact information, including business and corporate contacts, to the built-in iOS/iPadOS Contacts app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会阻止托管应用将联系人信息保存或同步到设备上的内置 iOS/iPadOS“通讯录”应用。By default, the OS might prevent managed apps from saving or syncing contact information to the built-in iOS/iPadOS Contacts app on devices.

    若要使用此设置,请将“在非托管应用中查看企业文档”设置设为“阻止” 。To use this setting, set the Viewing corporate documents in unmanaged apps setting to Block.

  • 分级区域:选择要用于允许的下载的分级区域。Ratings region: Select the ratings region you want to use for allowed downloads. 然后,选择“电影”、“电视节目”和“应用”的允许分级 。And then select the allowed ratings for Movies, TV Shows, and Apps.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • App Store:“阻止”可阻止访问受监管设备上的 App Store。App store: Block prevents access to the app store on supervised devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许访问。By default, the OS might allow access.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

    • 从 App Store 安装应用:设置为“阻止”不会在设备主屏幕上显示应用商店。Installing apps from App Store: Block doesn't show the app store on the device home screen. 用户可以继续使用 iTunes 或 Apple Configurator 安装应用。Users can continue to use iTunes or the Apple Configurator to install apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在主屏幕使用 App Store。By default, the OS might allow the app store on the home screen.
    • 自动下载应用:设置为“阻止”可阻止在其他设备上购买的应用的自动下载和新应用的自动更新。Automatic app downloads: Block prevents automatic downloading of apps bought on other devices and automatic updates to new apps. 它不会影响对现有应用的更新。It doesn't affect updates to existing apps. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会允许在其他 iOS/iPadOS 设备上购买的应用在设备上下载和更新。By default, the OS might allow apps bought on other iOS/iPadOS devices to download and update on the device.
  • iTunes 限制级音乐、播客或新闻内容:设置为“阻止”可阻止 iTunes 限制级音乐、播客或新闻内容。Explicit iTunes music, podcast, or news content: Block prevents explicit iTunes music, podcast, or news content. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备访问应用商店中认定为成人的内容。By default, the OS might allow the device to access content rated as adult from the store.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • 添加 Game Center 好友:“阻止”可阻止用户添加 Game Center 好友。Adding Game Center friends: Block prevents users from adding Game Center friends. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在 Game Center 中添加好友。By default, the OS might allow users to add friends in Game Center.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • Game Center:“阻止”使用 Game Center 应用。Game Center: Block using the Game Center app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备上使用 Game Center 应用。By default, the OS might allow using the Game Center app on devices.

  • 多玩家游戏:设置为“阻止”可阻止多玩家游戏。Multiplayer gaming: Block prevents multiplayer gaming. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在设备上玩多玩家游戏。By default, the OS might allow users to play multiplayer games on devices.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • 在“文件”应用中访问网络驱动器:使用服务器消息块 (SMB) 协议,设备可以访问网络服务器上的文件或其他资源。Access to network drive in Files app: Using the Server Message Block (SMB) protocol, devices can access files or other resources on a network server. “禁用”可阻止访问网络 SMB 驱动器上的文件。Disable prevents accessing files on a network SMB drive. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许访问。By default, the OS might allow access.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

内置应用Built-in Apps

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • Siri:“阻止”可阻止访问 Siri。Siri: Block prevents access to Siri. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用设备上的 Siri 语音助手。By default, the OS might allow using the Siri voice assistant on devices.

    • 在设备锁定时访问 Siri:设置为“阻止”可阻止在设备锁定时访问 Siri。Siri while device is locked: Block prevents access to Siri when devices are locked. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备锁定时使用 Siri 语音助手。By default, the OS might allow using the Siri voice assistant on devices when they're locked.
  • Safari 欺诈警告:设置为“需要”时,需要在设备上的 Web 浏览器中显示欺诈警告。Safari fraud warnings: Require fraud warnings to be shown in the web browser on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会禁用此功能。By default, the OS might disable this feature.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • Spotlight 搜索从 Internet 返回结果:“阻止”阻止 Spotlight 从 Internet 搜索返回任何结果。Spotlight search to return results from internet: Block stops Spotlight from returning any results from an Internet search. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 Spotlight 搜索连接到 Internet 以提供搜索结果。By default, the OS might allow Spotlight search connect to the Internet to provide search results.

    此设置在 UI 中重复,此问题将在即将发布的版本中得到修复。This setting is duplicated in the UI, and will be fixed in an upcoming release. 目前,此设置适用于受监督的设备。Currently, this setting applies to supervised devices. 在将来的版本中,此设置适用于“设备注册”设备和“自动设备注册”设备,无需监督。In a future release, this setting applies to device enrolled and automated device enrolled devices, and won't require supervision.

  • Safari cookie:选择在设备上处理 Cookie 的方式。Safari cookies: Select how cookies are handled on devices. 选项包括:Your options:

    • AllowAllow
    • 阻止所有 cookieBlock all cookies
    • 允许访问的网站的 cookieAllow cookies from visited web sites
    • 允许当前网站的 cookieAllow cookies from current web site
  • Safari JavaScript:设置为“阻止”可阻止在设备上运行浏览器中的 Java 脚本。Safari JavaScript: Block prevents Java scripts in the browser from running on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 Java 脚本。By default, the OS might allow Java scripts.

  • Safari 弹出窗口:设置为“阻止”可阻止 Safari Web 浏览器中的所有弹出窗口。Safari Pop-ups: Block blocks all pop-ups in the Safari web browser. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许弹出窗口阻止程序。By default, the OS might allow the pop-up blocker.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 照相机:设置为“阻止”可阻止访问设备上的照相机。Camera: Block prevents access to the camera on the device. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许访问设备的照相机。By default, the OS might allow access to the device's camera.

    Intune 只管理对设备照相机的访问。Intune only manages access to the device camera. 它无法访问图片或视频。It doesn't have access to pictures or videos.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

    • FaceTime:设置为“阻止”可阻止访问 FaceTime 应用。FaceTime: Block prevents access to the FaceTime app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许访问设备上的 FaceTime 应用。By default, the OS might allow access to the FaceTime app on devices.

      从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • Siri 猥亵语言筛选器:“要求”可阻止 Siri 听写或说出猥亵语言。Siri profanity filter: Require prevents Siri from dictating, or speaking profane language. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

    若要使用此设置,请将“Siri”设置设为“阻止” 。To use this setting, set the Siri setting to Block.

    此功能适用于:This feature applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
  • Siri 从 Internet 查询用户生成的内容:“阻止”可阻止 Siri 通过访问网站回答问题。Siri to query user-generated content from the internet: Block prevents Siri from accessing websites to answer questions. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 Siri 从 Internet 访问用户生成的内容。By default, the OS might allow Siri to access user-generated content from the internet.

    若要使用此设置,请将“Siri”设置设为“阻止” 。To use this setting, set the Siri setting to Block.

  • Apple News:设置为“阻止”可阻止访问设备上的 Apple News 应用。Apple News: Block prevents access to the Apple News app on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用 Apple News 应用。By default, the OS might allow using the Apple News app.

  • iBooks Store:“阻止”可阻止访问 iBooks 商店。iBooks store: Block prevents access to the iBooks store. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户从 iBooks Store 浏览和购买书籍。By default, the OS might allow users to browse and buy books from the iBooks store.

  • 设备上的“邮件”应用:选择“阻止”可阻止用户使用“邮件”应用收发 iMessage。Messages app on the device: Block prevents users from using the Messages app for iMessage. 如果设备支持文本消息传递,则用户仍然可以使用短信发送和接收文本消息。If devices support text messaging, users can still send and receive text messages using SMS. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用“信息”应用通过 Internet 发送和读取消息。By default, the OS might allow using the Messages app to send and read messages over the internet.

  • 播客:“阻止”可阻止用户使用播客应用。Podcasts: Block prevents users using the Podcasts app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用“播客”应用。By default, the OS might allow using the Podcasts app.

  • Music 服务:“阻止”可将音乐应用还原为经典模式并禁用音乐服务。Music service: Block reverts the Music app to classic mode and disables the Music service. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用 Apple“音乐”应用。By default, the OS might allow using the Apple Music app.

  • iTunes Radio 服务:设置为“阻止”可阻止使用 iTunes Radio 应用。iTunes Radio service: Block prevents using the iTunes Radio app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用 iTunes Radio 应用。By default, the OS might allow using the iTunes Radio app.

  • iTunes Store:设置为“阻止”可阻止在设备上使用 iTunes。iTunes store: Block prevents using iTunes on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 iTunes。By default, the OS might allow iTunes.

    此功能适用于:This feature applies to:

    • iOS 4.0 及更高版本iOS 4.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 查找我的 iPhone阻止:在“查找我的应用”中阻止此功能。Find my iPhone: Block prevents this feature in the Find My app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此“查找我的”应用功能获取设备的大致位置。By default, the OS might allow using this Find My app feature to get the approximate location of the device.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 查找我的好友阻止:在“查找我的应用”中阻止此功能。Find my Friends: Block prevents this feature in the Find My app. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此“查找我的”应用功能从 Apple 设备或 iCloud.com 查找家人和好友。By default, the OS might allow using this Find My app feature to find family and friends from an Apple device or iCloud.com.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 对“查找我的好友”应用设置的更改:“阻止”可阻止更改“查找我的好友”应用的设置。Changes to the Find My Friends app settings: Block prevents changes to the Find My Friends app settings. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改”查找我的好友”应用的设置。By default, the OS might allow users to change settings for the Find My Friends app.

  • Spotlight 搜索从 Internet 返回结果:“阻止”阻止 Spotlight 从 Internet 搜索返回任何结果。Spotlight search to return results from internet: Block stops Spotlight from returning any results from an Internet search. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许 Spotlight 搜索连接到 Internet 以提供搜索结果。By default, the OS might allow Spotlight search connect to the Internet to provide search results.

    此设置在 UI 中重复,此问题将在即将发布的版本中得到修复。This setting is duplicated in the UI, and will be fixed in an upcoming release. 目前,此设置适用于受监督的设备。Currently, this setting applies to supervised devices. 在将来的版本中,此设置适用于“设备注册”设备和“自动设备注册”设备,无需监督。In a future release, this setting applies to device enrolled and automated device enrolled devices, and won't require supervision.

  • 阻止从设备中删除系统应用:设置为“阻止”可禁用从设备上删除系统应用的功能。Block removal of system apps from device: Block disables the ability to remove system apps from devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户删除系统应用。By default, the OS might allow users to remove system apps.

  • Safari:设置为“阻止”可阻止在设备上使用 Safari 浏览器。Safari: Block using the Safari browser on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户使用 Safari 浏览器。By default, the OS might allow users to use the Safari browser.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • Safari 自动填充:设置为“阻止”可禁用设备上 Safari 中的自动填充功能。Safari Autofill: Block disables the autofill feature in Safari on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改 Web 浏览器中的自动完成设置。By default, the OS might allow users to change autocomplete settings in the web browser.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

受限制的应用Restricted apps

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 受限应用类型列表:创建不允许用户安装或使用的应用的列表。Type of restricted apps list: Create a list of apps that users aren't allowed to install or use. 选项包括:Your options:

    • 未配置(默认):Intune 不会更改或更新此设置。Not configured (default): Intune doesn't change or update this setting. 默认情况下,OS 可能允许访问分配的应用和内置应用。By default, the OS might allow access to apps you assign, and built-in apps.
    • 禁止的应用:列出不允许用户安装和运行的应用(未由 Intune 托管)。Prohibited apps: List the apps (not managed by Intune) that users aren't allowed to install and run. 不阻止用户安装禁止的应用。Users aren't prevented from installing a prohibited app. 如果用户安装了此列表中的应用,则“带受限应用的设备”(位于“Endpoint Manager 管理中心 > 设备 > 监视 > 带受限应用的设备”) 报告中将报告该设备。If a user installs an app from this list, the device is reported in the Devices with restricted apps report (Endpoint Manager admin center > Devices > Monitor > Devices with restricted apps).
    • 允许的应用: 列出允许用户安装的应用。Approved apps: List the apps that users are allowed to install. 为了保持兼容性,用户不得安装其他应用。To stay compliant, users must not install other apps. 系统会自动允许由 Intune 管理的应用,包括公司门户应用。Apps that are managed by Intune are automatically allowed, including the Company Portal app. 不会阻止用户安装不在已批准列表中的应用。Users aren't prevented from installing an app that isn't on the approved list. 但如果有,则会在 Intune 中报告。But if they do, it's reported in Intune.

若要将应用添加到这些列表,可以:To add apps to these lists, you can:

  • 添加所需应用的 iTunes App Store URL。Add the iTunes App store URL of the app you want. 例如,若要添加 Microsoft 工作文件夹应用,请输入 https://itunes.apple.com/us/app/work-folders/id950878067?mt=8https://apps.apple.com/us/app/work-folders/id950878067?mt=8For example, to add the Microsoft Work Folders app, enter https://itunes.apple.com/us/app/work-folders/id950878067?mt=8 or https://apps.apple.com/us/app/work-folders/id950878067?mt=8.

    若要查找应用的 URL,请打开 iTunes App Store,并搜索该应用。To find the URL of an app, open the iTunes App Store, and search for the app. 例如,搜索 Microsoft Remote DesktopMicrosoft WordFor example, search for Microsoft Remote Desktop or Microsoft Word. 选择应用并复制 URL。Select the app, and copy the URL.

    还可使用 iTunes 查找应用,然后使用“复制链接”任务获取应用 URL。You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.

  • 导入包含应用详细信息的 CSV 文件,包括 URL。Import a CSV file with details about the app, including the URL. 使用 <app url>, <app name>, <app publisher> 格式。Use the <app url>, <app name>, <app publisher> format. 或,导出包含相同格式的受限应用列表的现有列表。Or, Export an existing list that includes the restricted apps list in the same format.

重要

必须将使用受限制的应用设置的设备配置文件分配到用户组。Device profiles that use the restricted app settings must be assigned to groups of users.

共用的 iPadShared iPad

此功能适用于:This feature applies to:

  • iPadOS 13.4 及更高版本iPadOS 13.4 and newer
  • 共用的 iPadShared iPad

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 阻止“共用的 iPad”临时会话:临时会话允许用户以来宾身份登录,并且不要求用户输入管理式 Apple ID 或密码。Block Shared iPad temporary sessions: Temporary sessions allow users to sign in as Guest, and users aren't required to enter a Managed Apple ID or password.

    如果设置为“是”:When set to Yes:

    • “共用的 iPad”用户不能使用临时会话。Shared iPad users can't use temporary sessions.
    • 用户必须使用其管理式 Apple ID 和密码才能登录设备。Users must sign in to the device with their Managed Apple ID and password.
    • “来宾帐户”选项不会显示在设备的锁屏界面上。The Guest account option isn't shown on the lock screen on the devices.

    设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 允许“共用的 iPad”用户使用“来宾”帐户登录设备。By default, the OS allows a Shared iPad user to sign in to the device with the Guest account. 用户注销时,用户的任何数据都不会保存或同步到 iCloud。When the user signs out, none of the user’s data is saved or synced to iCloud.

显示或隐藏应用Show or hide apps

此功能适用于:This feature applies to:

  • iOS 9.3 及更高版本iOS 9.3 and newer
  • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 应用类型列表:创建要显示或隐藏的应用列表。Type of apps list: Create a list of apps to show or hide. 可以显示或隐藏内置应用和业务线应用。You can show or hide built-in apps and line-of-business apps. 可在 Apple 网站上查看内置的 Apple 应用列表。Apple's web site has a list of built-in Apple apps. 选项包括:Your options:

    • 隐藏的应用:输入对用户隐藏的应用的列表。Hidden apps: Enter a list of apps that are hidden from users. 用户无法查看,或打开这些应用。Users can't view, or open these apps.

      Apple 会阻止隐藏某些本机应用。Apple prevents hiding some native apps. 例如,不能在设备上隐藏“设置”应用。For example, you can't hide the Settings app on the device. 删除内置 Apple 应用:列出了可以隐藏的应用。Delete built-in Apple apps lists the apps that can be hidden.

    • 可见应用:输入用户可以查看和启动的应用的列表。Visible apps: Enter a list of apps that users can view and launch. 无法查看或启动其他应用。No other apps can be viewed or launched.

  • 应用 URL:输入要显示或隐藏的应用的商店应用 URL。App URL: Enter the store app URL of the app you want to show or hide. 例如:For example:

    • 若要添加 Microsoft 工作文件夹应用,请输入 https://itunes.apple.com/us/app/work-folders/id950878067?mt=8https://apps.apple.com/us/app/work-folders/id950878067?mt=8To add the Microsoft Work Folders app, enter https://itunes.apple.com/us/app/work-folders/id950878067?mt=8 or https://apps.apple.com/us/app/work-folders/id950878067?mt=8.

    • 若要添加 Microsoft Word 应用,请输入 https://itunes.apple.com/de/app/microsoft-word/id586447913https://apps.apple.com/de/app/microsoft-word/id586447913To add the Microsoft Word app, enter https://itunes.apple.com/de/app/microsoft-word/id586447913 or https://apps.apple.com/de/app/microsoft-word/id586447913.

    若要查找应用的 URL,请打开 iTunes App Store,并搜索该应用。To find the URL of an app, open the iTunes App Store, and search for the app. 例如,搜索 Microsoft Remote DesktopMicrosoft WordFor example, search for Microsoft Remote Desktop or Microsoft Word. 选择应用并复制 URL。Select the app, and copy the URL.

    还可使用 iTunes 查找应用,然后使用“复制链接”任务获取应用 URL。You can also use iTunes to find the app, and then use the Copy Link task to get the app URL.

  • 应用捆绑 ID:输入所需的应用的应用捆绑 IDApp Bundle ID: Enter the app bundle ID of the app you want. 可以显示或隐藏内置应用和业务线应用。You can show or hide built-in apps and line-of-business apps. 可在 Apple 网站上查看内置的 Apple 应用列表。Apple's web site has a list of built-in Apple apps.

  • 应用名称:输入所需应用的应用名称。App name: Enter the app name of the app you want. 可以显示或隐藏内置应用和业务线应用。You can show or hide built-in apps and line-of-business apps. 可在 Apple 网站上查看内置的 Apple 应用列表。Apple's web site has a list of built-in Apple apps.

  • 发布者:输入所需应用的发布者。Publisher: Enter the publisher of the app you want.

若要添加应用,可以:To add apps, you can:

  • 添加:选择以创建应用列表。Add: Select to create your list of apps.
  • 导入包含应用详细信息的 CSV 文件,包括 URL。Import a CSV file with details about the app, including the URL. 使用 <app url>, <app name>, <app publisher> 格式。Use the <app url>, <app name>, <app publisher> format. 或者,选择“导出”,使用相同的格式创建所添加的受限制应用列表。Or, Export to create a list of the restricted apps you added, in the same format.

无线Wireless

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 数据漫游:设置为“阻止”可阻止通过手机网络进行数据漫游。Data roaming: Block prevents data roaming over the cellular network. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备通过手机网络进行数据漫游。By default, the OS might allow data roaming when the device is on a cellular network.

    重要

    此设置视为远程设备操作。This setting is treated as a remote device action. 因此,此设置不会显示在设备上的管理配置文件中。So, this setting isn't shown in the management profile on devices. 每次在设备上更改数据漫游状态时,Intune 服务都会阻止“数据漫游”。Every time the data roaming status changes on the device, Data roaming is blocked by the Intune service. 在 Intune 中,如果报告状态显示为成功,则即使该设置未在设备的管理配置文件中显示,也知道此设置有效。In Intune, if the reporting status shows a success, then know that it's working, even though the setting isn't shown in the management profile on the device.

  • 漫游时进行全局后台获取:“阻止”可阻止在通过移动电话网络漫游时使用全局后台获取功能。Global background fetch while roaming: Block prevents using the global background fetch feature when roaming over the cellular network. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备在通过蜂窝网络漫游时提取数据,例如电子邮件。By default, the OS might allow devices to fetch data, such as email, when it's roaming on a cellular network.

  • 语音拨号:设置为“阻止”可阻止在设备上使用语音拨号功能。Voice dialing: Block prevents using the voice dialing feature on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备上使用语音拨号功能。By default, the OS might allow voice dialing on devices.

  • 语音漫游:设置为“阻止”可阻止通过手机网络进行语音漫游。Voice roaming: Block prevents voice roaming over the cellular network. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备在使用手蜂窝网络时进行语音漫游。By default, the OS might allow voice roaming when devices are on a cellular network.

  • 个人热点:设置为“阻止”可关闭每次设备同步时用户设备上的个人热点。此设置可能与某些运营商不兼容。Personal Hotspot: Block turns off the personal hotspot on devices with every device sync. This setting might not be compatible with some carriers. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能将个人热点配置保留为用户的默认设置。By default, the OS might keep the personal hotspot configuration as the default set by users.

    重要

    此设置视为远程设备操作。This setting is treated as a remote device action. 因此,此设置不会显示在设备上的管理配置文件中。So, this setting isn't shown in the management profile on devices. 每次设备上的个人热点状态更改时,Intune 服务都将阻止“个人热点”。Every time the personal hotspot status changes on the device, Personal Hotspot is blocked by the Intune service. 在 Intune 中,如果报告状态显示为成功,则即使该设置未在设备的管理配置文件中显示,也知道此设置有效。In Intune, if the reporting status shows a success, then know that it's working, even though the setting isn't shown in the management profile on the device.

  • 移动电话网络的使用规则(仅限托管应用) :设置为“允许”可定义托管应用可在蜂窝网络中使用的数据类型。Cellular usage rules (managed apps only): Allow defines the data types that managed apps can use when on cellular networks. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 选项包括:Your options:

    • 阻止使用移动电话网络数据:对“所有托管应用”或“选择特定应用”阻止使用移动电话网络数据 。Block use of cellular data: Block using cellular data for All managed apps or Choose specific apps.
    • 阻止漫游时使用移动电话网络数据: 对“所有托管应用”或“选择特定应用”阻止漫游时使用移动电话网络数据 。Block use of cellular data when roaming: Block using cellular data when roaming for All managed apps or Choose specific apps.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 对应用手机网络数据使用情况设置的更改:设置为“阻止”可阻止更改应用的手机网络数据使用情况设置。Changes to app cellular data usage settings: Block prevents changes to the app cellular data usage settings. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户控制允许哪些应用使用手机网络数据。By default, the OS might allow users to control which apps are allowed to use cellular data.

  • 更改手机网络计划设置:设置为“阻止”可阻止更改蜂窝网络计划中的任何设置。Changes to cellular plan settings: Block prevents changing any settings in the cellular plan. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户进行更改。By default, the OS might allow users to make changes.

    此功能适用于:This feature applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 用户修改个人热点:设置为“阻止”可阻止更改个人热点设置。User modification of Personal Hotspot: Block prevents changing the personal hotspot setting. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户启用或禁用其个人热点。By default, the OS might allow users to enable or disable their personal hotspot.

    如果阻止此设置并且阻止“个人热点”设置,则会关闭个人热点。If you block this setting and block the Personal Hotspot setting, the personal hotspot is turned off.

    此功能适用于:This feature applies to:

    • iOS 12.2 及更高版本iOS 12.2 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 仅使用配置文件联接 Wi-Fi 网络:设置为“需要”可强制设备仅使用通过 Intune 配置文件设置的 Wi-Fi 网络。Join Wi-Fi networks only using configuration profiles: Require forces devices to use only Wi-Fi networks set up through Intune configuration profiles. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备使用其他 Wi-Fi 网络。By default, the OS might allow devices to use other Wi-Fi networks.

    如果设置为“需要”,请确保设备具有 Wi-Fi 配置文件。When set to Require, be sure the device has a Wi-Fi profile. 如果未分配 Wi-Fi 配置文件,此设置可能会阻止设备连接到 Internet。If you don't assign a Wi-Fi profile, this setting could prevent devices from connecting to the internet. 换句话说,如果在 Wi-Fi 配置文件之前分配了此设备限制配置文件,则可能会阻止设备连接到 Internet。In other words, if this device restrictions profile is assigned before a Wi-Fi profile, the device might be blocked from connecting to the internet.

    如果无法连接,请取消注册设备,并使用 Wi-Fi 配置文件重新注册。If it can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. 然后,在设备限制配置文件中将此设置设为“需要”,并将配置文件分配给设备。Then, set this setting to Require in a device restrictions profile, and assign the profile to the device.

  • Wi-Fi 始终打开:设置为“需要”可在设置应用中保持 Wi-Fi 打开。Wi-Fi always turned on: Require keeps Wi-Fi on in the Settings app. 即使在设备处于飞行模式下,也不能在“设置”或“控制中心”中将其关闭。It can't be turned off in Settings or in the Control Center, even when the device is in airplane mode. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户打开或关闭 Wi-Fi。By default, the OS might allow users to turn on or turn off Wi-Fi.

    配置此设置不会阻止用户选择 Wi-Fi 网络。Configuring this setting doesn't prevent users from selecting a Wi-Fi network.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

连接的设备Connected Devices

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • 已配对 Apple Watch 的手腕感应:“要求”会强制已配对的 Apple watch 使用手腕感应。Wrist detection for paired Apple watch: Require forces a paired Apple watch to use wrist detection. 在需要时,Apple Watch 在未穿戴时不会显示通知。When required, the Apple Watch won't display notifications when it's not being worn. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 需要 AirPlay 传出请求配对密码:如果设置为“需要”,在使用 AirPlay 将内容流式传输到其他 Apple 设备时,需要提供配对密码。Require AirPlay outgoing requests pairing password: Require a pairing password when using AirPlay to stream content to other Apple devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在不输入密码的情况下使用 AirPlay 流式传输内容。By default, the OS might allow users to stream content using AirPlay without entering a password.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • AirDrop:设置为“阻止”可阻止在设备上使用 AirDrop。AirDrop: Block prevents using AirDrop on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用 AirDrop 功能与附近的设备交换内容。By default, the OS might allow using the AirDrop feature to exchange content with nearby devices.

  • Apple Watch 配对:“阻止”可阻止与 Apple Watch 配对。Apple Watch pairing: Block prevents pairing with an Apple Watch. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备与 Apple Watch 配对。By default, the OS might allow devices to pair with an Apple Watch.

  • 修改蓝牙:设置为“阻止”可阻止用户更改设备上的蓝牙设置。Bluetooth modification: Block stops users from changing Bluetooth settings on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户更改这些设置。By default, the OS might allow users to change these settings.

  • 通过主机配对来控制 iOS/iPadOS 设备可与之配对的设备:“阻止”则阻止主机配对。Host pairing to control the devices an iOS/iPadOS device can pair with: Block prevents host pairing. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许主机配对,使管理员能够控制 iOS/iPadOS 设备可以与哪些设备配对。By default, the OS might allow host pairing to let the administrator control which devices an iOS/iPadOS device can pair with.

  • 阻止 AirPrint:设置为“阻止”可阻止在设备上使用 AirPrint 功能。Block AirPrint: Block prevents using the AirPrint feature on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户使用 AirPrint 功能。By default, the OS might allow users to use AirPrint.

    • 阻止在密钥链中存储 AirPrint 凭据:设置为“阻止”可阻止在设备上为用户名和密码使用密钥链存储。Block storage of AirPrint credentials in Keychain: Block prevents using Keychain storage for username and password on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许将 AirPrint 用户名和密码存储在密钥链应用中。By default, the OS might allow storing the AirPrint username and password in the Keychain app.
    • 针对 AirPrint 要求受信任 TLS 证书:设置为“需要”会强制设备为 TLS 打印通信使用受信任的证书。Require a trusted TLS certificate for AirPrint: Require forces devices to use trusted certificates for TLS printing communication. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.
    • 阻止 iBeacon 发现 AirPrint 打印机:“阻止”阻止恶意的 AirPrint 蓝牙信标对网络流量进行网络钓鱼。Block iBeacon discovery of AirPrint printers: Block prevents malicious AirPrint Bluetooth beacons from phishing for network traffic. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备上公布 AirPrint 打印机。By default, the OS might allow advertising AirPrint printers on devices.
  • 阻止设置新的附近设备:“阻止”可禁用设置附近新设备的提示。Block setting up new nearby devices: Block disables the prompt to set up new devices that are nearby. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许提示用户连接到附近的其他 Apple 设备。By default, the OS might allow prompts for users to connect to other nearby Apple devices.

    此功能适用于:This feature applies to:

    • iOS 11.0 及更高版本iOS 11.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • 访问 USB 驱动器上的文件:设备可以连接并打开 USB 驱动器上的文件。Access to files on USB drive: Devices can connect and open files on a USB drive. 禁用:当 U 盘连接到设备时,阻止设备访问“文件存储”应用中的 U 盘。Disable prevents device access to the USB drive in the Files app when a USB is connected to the device. 禁用此功能还会阻止用户将文件传输到已连接到 iPad 的 USB 驱动器。Disabling this feature also blocks users from transferring files onto a USB drive connected to an iPad. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在“文件”应用中访问 USB 驱动器。By default, the OS might allow access to a USB drive in the Files app.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

键盘和字典Keyboard and Dictionary

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 查找词语定义:设置为“阻止”可阻止突出显示某个字词,然后查找其定义。Word definition lookup: Block prevents highlighting a word, and then looking up its definition. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许访问定义查找功能。By default, the OS might allow access to the definition lookup feature.

  • 输入预测:设置为“阻止”可阻止使用预测键盘建议用户可能想要使用的字词。Predictive keyboards: Block prevents using predictive keyboards to suggest words users might want. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此功能。By default, the OS might allow this feature.

  • 自动更正:“阻止”则阻止使用自动更正。Auto-correction: Block prevents using autocorrection. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许设备自动更正拼写错误的词。By default, the OS might allow devices to automatically correct misspelled words.

  • 键盘拼写检查:设置为“阻止”可阻止使用拼写检查器。Keyboard spell-check: Block prevents spell checker. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用拼写检查器。By default, the OS might allow using spellchecker.

  • 键盘快捷方式:设置为“阻止”可阻止用户使用键盘快捷方式。Keyboard shortcuts: Block stops users from using keyboard shortcuts. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许在设备上使用键盘快捷方式。By default, the OS might allow using keyboard shortcuts on devices.

  • 听写:设置为“阻止”可阻止用户通过语音输入来输入文本。Dictation: Block stops users from using voice input to enter text. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户使用听写输入功能。By default, the OS might allow users to use dictation input.

  • QuickPath阻止:阻止用户使用 QuickPath。QuickPath: Block prevents users from using QuickPath. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户使用 QuickPath 在设备键盘上进行连续输入。By default, the OS might allow users to use QuickPath, which allows a continuous input on the device's keyboard. 用户可以通过在各个键之间滑动来输入文字。Users can type by swiping across the keys to create words.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

云和存储Cloud and Storage

设置适用范围:所有注册类型Settings apply to: All enrollment types

  • 加密的备份:“必需”,则设备备份必须加密。Encrypted backup: Require so device backups must be encrypted. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting.
  • 通过托管的应用同步到云:设置为“阻止”可阻止 Intune 托管的应用将数据同步到用户的 iCloud 帐户。Managed apps sync to cloud: Block prevents Intune-managed apps to sync data to the user's iCloud account. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会允许此数据同步到 iCloud。By default, the OS might allow this data sync to iCloud.
  • 阻止企业簿备份:设置为“阻止”可阻止备份企业簿。Block Enterprise Book Backup: Block prevents backing up enterprise books. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户备份这些企业簿。By default, the OS might allow users to back up these books.
  • 阻止企业簿元数据同步(备注和重要内容) :“阻止”可阻止同步企业簿中的备注和重要内容。Block enterprise book metadata sync (notes and highlights): Block prevents syncing notes and highlights in enterprise books. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许同步。By default, the OS might allow the syncing.

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 将照片流同步到 iCloud:“阻止”则阻止将照片流同步到 iCloud。Photo stream syncing to iCloud: Block prevents photo stream syncing to iCloud. 阻止此功能可能会导致数据丢失。Blocking this feature may cause data loss. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户在其设备上启用“我的照片流”,以将照片同步到 iCloud 并在所有用户设备上可用。By default, the OS might let users enable My Photo Stream on their device to sync to iCloud, and have photos available on all the user's devices.
  • iCloud 照片库:设置为“阻止”可禁止使用 iCloud 照片库将照片和视频存储在云端。iCloud Photo Library: Block disables using iCloud photo library to store photos and videos in the cloud. 会从设备中删除尚未从 iCloud 照片库完全下载到设备的所有照片。Any photos not fully downloaded from iCloud Photo Library to devices are removed from the device. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用 iCloud 照片库。By default, the OS might allow using the iCloud photo library.
  • 共享照片流:设置为“阻止”可禁用设备上的“iCloud 照片共享” 。Shared photo stream: Block disables iCloud Photo Sharing on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许共享照片流。By default, the OS might allow shared photo streaming.
  • 切换:设置为“阻止”可阻止用户在 iOS/iPadOS 设备上开始工作,然后在另一个 iOS/iPadOS 或 macOS 设备上继续工作。Handoff: Block prevents users from starting work on an iOS/iPadOS device, and then continuing the work on another iOS/iPadOS or macOS device. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此切换。By default, the OS might allow this handoff.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 备份到 iCloud:设置为“阻止”可阻止用户将设备备份到 iCloud。Backup to iCloud: Block stops users from backing up devices to iCloud. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会允许用户将设备备份到 iCloud。By default, the OS might allow users to back up devices to iCloud.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • 阻止 iCloud 文档同步:“阻止”则阻止 iCloud 同步文档和数据。Block iCloud Document sync: Block prevents iCloud from syncing documents and data. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许将文档和键值同步到 iCloud 存储空间。By default, the OS might allow document and key-value synchronization to your iCloud storage space.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

  • 阻止 iCloud 密钥链同步:设置为“阻止”可禁止将密钥链中存储的凭据同步到 iCloud。Block iCloud Keychain sync: Block disables syncing credentials stored in the Keychain to iCloud. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户同步这些凭据。By default, the OS might allow users to sync these credentials.

    从 iOS/iPadOS 13.0 开始,此设置需要受监督的设备。Starting with iOS/iPadOS 13.0, this setting requires supervised devices.

自治单应用模式 (ASAM)Autonomous single app mode (ASAM)

使用这些设置配置 iOS/iPadOS 设备,使其以自治单应用模式 (ASAM) 运行特定应用。Use these settings to configure iOS/iPadOS devices to run specific apps in autonomous single app mode (ASAM). 如果配置了 ASAM 且用户启动了一个已配置的应用,则设备将锁定到该应用。When ASAM is configured, and users start one of the configured apps, then the device is locked to that app. 在用户退出允许的应用前,禁用应用/任务切换。App/task switching is disabled until users exit the allowed app.

若要应用 ASAM 配置,用户必须手动打开特定应用。For the ASAM configuration to apply, users must manually open the specific app. 此任务也适用于公司门户应用。This task also applies to the Company Portal app.

  • 例如,在学校或大学环境中,添加一个允许用户在设备上进行测试的应用。For example, in a school or university environment, add an app that lets users take a test on the device. 或者,在用户进行身份验证前,将设备锁定在公司门户应用中。Or, lock the device into the Company Portal app until the user authenticates. 在用户完成应用操作或你删除此策略时,设备将恢复正常状态。When the apps actions are completed by users, or you remove this policy, the device returns to its normal state.

  • 并非所有应用都支持自治单应用模式。Not all apps support autonomous single app mode. 若要将应用置于 ASAM,通常需要应用配置策略提供的捆绑 ID 或键值对。To put an app in ASAM, a bundle ID or a key value pair delivered by an app config policy are typically required. 有关详细信息,请参阅 Apple 的 MDM 文档中的autonomousSingleAppModePermittedAppIDs限制For more information, see the autonomousSingleAppModePermittedAppIDs restriction in Apple's MDM documentation. 有关正在配置的应用所需的特定设置的详细信息,请参阅供应商文档。For more information on the specific settings required for the app you're configuring, see the vendor documentation.

    例如,若要在自治单应用模式下配置 Zoom Room,Zoom 将指示使用 us.zoom.zpcontroller 捆绑 ID。For example, to configure Zoom Rooms in autonomous single app mode, Zoom says to use the us.zoom.zpcontroller bundle ID. 在此实例中,还会在缩放 Web 门户中进行更改。In this instance, you also make a change in the Zoom web portal. 有关详细信息,请参阅 Zoom 帮助中心For more information, see the Zoom help center.

  • 在 iOS/iPadOS 设备上,公司门户应用支持 ASAM。On iOS/iPadOS devices, the Company Portal app supports ASAM. 公司门户应用处于 ASAM 时,用户必须手动打开公司门户应用。When the Company Portal app is in ASAM, users must manually open the Company Portal app. 然后,在公司门户应用中锁定设备,直至用户进行身份验证。Then the device is locked in the Company Portal app until the user authenticates. 当用户登录到公司门户应用时,他们可以使用设备上的其他应用和”主屏幕”按钮。When users sign in to the Company Portal app, they can use other apps and the Home screen button on the device. 当用户注销公司门户应用时,设备将返回到单应用模式,并在公司门户应用上锁定。When they sign out of the Company Portal app, the device returns to single app mode, and locks on the Company Portal app.

    若要将公司门户应用转换为“登录/注销”应用(启用 ASAM),请在这些设置中输入公司门户应用名称(如 Microsoft Intune Company Portal)和捆绑 ID (com.microsoft.CompanyPortal)。To turn the Company Portal app into a 'sign in/sign out' app (enable ASAM), enter the Company Portal app name, such as Microsoft Intune Company Portal, and the bundle ID (com.microsoft.CompanyPortal) in these settings. 分配此配置文件后,必须打开公司门户应用以锁定该应用,以便用户可以登录和注销该应用。After this profile is assigned, you must open the Company Portal app to lock the app so users can sign in and sign out of it. 若要应用 ASAM 配置,用户必须手动打开公司门户应用。For the ASAM configuration to apply, users must manually open the Company Portal app.

    删除设备配置文件并且用户注销后,设备不会在公司门户应用中锁定。When the device configuration profile is removed, and the user signs out, the device isn't locked in the Company Portal app.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 应用名称:输入所需的应用名称。App name: Enter the name of the app you want.
  • 应用捆绑 ID:输入所需应用的程序包 IDApp Bundle ID: Enter the bundle ID of the app you want.
  • 添加:选择以创建应用列表。Add: Select to create your list of apps.

还可以导入包含应用名称及其程序包 ID 的列表的 CSV 文件。You can also Import a CSV file with the list of app names and their bundle IDs. 或,导出包含应用的现有列表。Or, Export an existing list that includes the apps.

KioskKiosk

单应用模式在 Intune 中称为“展台模式”。Single App Mode is referred to as Kiosk mode in Intune.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • 要在展台模式下运行的应用:选择要在展台模式下运行的应用的类型。App to run in kiosk mode: Select the type of apps you want to run in kiosk mode. 选项包括:Your options:

    • 未配置(默认):Intune 不会更改或更新此设置。Not configured (default): Intune doesn't change or update this setting. 默认情况下,OS 可能不会应用展台设置。By default, the OS might not apply kiosk settings. 设备不会在展台模式下运行。The device doesn't run in kiosk-mode.
    • 应用商店应用:输入 iTunes App Store 中的应用的 URL。Store App: Enter the URL to an app in the iTunes App store.
    • 托管应用:选择以前添加到 Intune 的应用。Managed App: Select an app you previously added to Intune.
    • 内置应用:输入内置应用的 IDBuilt-In App: Enter the bundle ID of the built-in app.
  • 辅助触控:设置为“需要”时,需要在设备上启用“辅助触控”辅助功能设置。Assistive touch: Require the Assistive Touch accessibility setting be on devices. 此功能可帮助用户执行可能难以执行的屏幕手势。This feature helps users with on-screen gestures that might be difficult for them. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不会在展台模式下运行或启用此功能。By default, the OS might not run or enable this feature in kiosk mode.

  • 反色:“必需”,需要启用“反色”辅助功能设置,以便视力残障人士可以更改显示屏幕。Invert colors: Require the Invert Colors accessibility setting so users with visual impairments can change the display screen. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不会在展台模式下运行或启用此功能。By default, the OS might not run or enable this feature in kiosk mode.

  • 单声道音频:设置为“需要”时,需要在设备上启用“单声道音频”辅助功能设置。Mono audio: Require the Mono audio accessibility setting be on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不会在展台模式下运行或启用此功能。By default, the OS might not run or enable this feature in kiosk mode.

  • 语音控件:选择“需要”可在设备上启用语音控制,并允许用户使用 Siri 命令完全控制 OS。Voice control: Require enables voice control on devices, and allows users to fully control the OS using Siri commands. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能禁用语音控制。By default, the OS might disable voice control.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

    提示

    如果你的组织有可用的 LOB 应用,并且在 iOS 13.0 发行的第 0 天时,它们尚不支持“语音控制”,那么我们建议将此设置保留为“未配置” 。If you have LOB apps available for your organization, and they're not Voice Control ready on day 0 when iOS 13.0 releases, then we recommend you leave this setting as Not configured.

  • VoiceOver:设置为“需要”时,需要启用“VoiceOver”辅助功能设置,以便朗读屏幕上的文本。VoiceOver: Require the VoiceOver accessibility setting to read text on the screen out loud. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不会在展台模式下运行或启用此功能。By default, the OS might not run or enable this feature in kiosk mode.

  • 缩放:设置为“需要”时可使用缩放设置,以便用户可以触摸放大屏幕。Zoom: Require the Zoom setting so users can touch to zoom in on the screen. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能不会在展台模式下运行或启用此功能。By default, the OS might not run or enable this feature in kiosk mode.

  • 自动锁定:设置为“阻止”可阻止自动锁定设备。Auto lock: Block prevents automatic locking of devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此功能。By default, the OS might allow this feature.

  • 响铃开关:设置为“阻止”可禁用设备上的响铃(静音)开关。Ringer switch: Block disables the ringer (mute) switch on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此功能。By default, the OS might allow this feature.

  • 屏幕旋转:设置为“阻止”可防止在用户旋转设备时更改屏幕方向。Screen rotation: Block prevents changing the screen orientation when users rotate the device. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此功能。By default, the OS might allow this feature.

  • 屏幕睡眠按钮:设置为“阻止”可禁用设备上的屏幕睡眠唤醒按钮。Screen sleep button: Block disables the screen sleep wake button on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用此功能。By default, the OS might allow this feature.

  • 触控:设置为“阻止”可禁用设备上的触摸屏。Touch: Block disables the touchscreen on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许用户使用触摸屏。By default, the OS might allow users to use the touchscreen.

  • 音量按钮:设置为“阻止”可阻止使用设备上的音量按钮。Volume buttons: Block prevents using the volume buttons on devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能允许使用音量按钮。By default, the OS might allow the volume buttons.

  • 辅助触控:设置为“允许”可允许用户使用辅助触控功能。Assistive touch control: Allow lets users use the assistive touch function. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会禁用此功能。By default, the OS might disable this feature.

  • 反色控制:设置为“允许”可启用反色更改,以允许用户调整反色功能。Invert colors control: Allow inverts color changes to let users adjust the invert colors function. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会禁用此功能。By default, the OS might disable this feature.

  • 朗读所选文本:设置为“允许”可在设备上启用“朗读所选文本”辅助功能设置。Speak on selected text: Allow the Speak Selection accessibility settings be on devices. 此功能可朗读用户选择的文本。This feature reads text out loud that users select. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会禁用此功能。By default, the OS might disable this feature.

  • 语音控件修改:选择“允许”可允许用户在其设备上更改语音控件的状态。Voice control modification: Allow users to change the state of voice control on their devices. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会阻止用户更改其设备上语音控制的状态。By default, the OS might block users from changing the state of voice control on their devices.

    此功能适用于:This feature applies to:

    • iOS 13.0 及更高版本iOS 13.0 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer
  • VoiceOver 控制:“允许”可允许更改画外音,从而使用户能够更新 VoiceOver 功能,例如朗读屏幕上文本的速度。VoiceOver control: Allow voiceover changes to let users update the VoiceOver function, such as how fast on-screen text is read out loud. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会禁止更改 VoiceOver。By default, the OS might prevent voiceover changes.

  • 缩放控件:设置为“允许”可允许用户所做的缩放更改。Zoom control: Allow zoom changes by users. 设置为“未配置”(默认)时,Intune 不会更改或更新此设置。When set to Not configured (default), Intune doesn't change or update this setting. 默认情况下,OS 可能会禁止缩放更改。By default, the OS might prevent zoom changes.

备注

必须使用 Apple Configurator 工具或 Apple 设备注册计划将设备置于监督模式后才能为 iOS/iPadOS 设备配置展台模式。Before you can configure an iOS/iPadOS device for kiosk mode, you must use the Apple Configurator tool or the Apple Device Enrollment Program to put devices into supervised mode. 有关如何使用 Apple 配置器工具,请参阅 Apple 的指南。See Apple's guide on using the Apple Configurator tool. 如果在分配配置文件之后安装输入的 iOS/iPadOS 应用,则设备将在重新启动后才会进入展台模式。If the iOS/iPadOS app you enter is installed after you assign the profile, then the device doesn't enter kiosk mode until the device is restarted.

Domains

设置适用范围:设备注册、自动设备注册(受监督)Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • 未标记的电子邮件域 > 电子邮件域 URL :向列表添加一个或多个 URL。Unmarked email domains > Email Domain URL: Add one or more URLs to the list. 当用户从你输入的域以外的域接收电子邮件时,该电子邮件在 iOS/iPadOS“邮件”应用中被标记为不受信任。When users receive an email from a domain other than the domains you enter, the email is marked as untrusted in the iOS/iPadOS Mail app.

  • 托管 Web 域 > Web 域 URL:向列表添加一个或多个 URL。Managed web domains > Web Domain URL; Add one or more URLs to the list. 从所输入的域下载文档时,这些文档会被视为托管。When documents are downloaded from the domains you enter, they're considered managed. 此设置仅适用于使用 Safari 浏览器下载的文档。This setting applies only to documents downloaded using the Safari browser.

设置适用范围:自动设备注册(监督)Settings apply to: Automated device enrollment (supervised)

  • Safari 密码自动填充域 > 域 URL :向列表添加一个或多个 URL。Safari password autofill domains > Domain URL: Add one or more URLs to the list. 用户仅能保存来自此列表中的 URL 的 Web 密码。Users can only save web passwords from URLs in this list. 此设置仅适用于 Safari 浏览器以及监督模式下的设备。This setting applies only to the Safari browser, and devices in supervised mode. 如未输入任何 URL,则可从所有网站保存密码。If you don't enter any URLs, then passwords can be saved from all web sites.

    此功能适用于:This feature applies to:

    • iOS 9.3 及更高版本iOS 9.3 and newer
    • iPadOS 13.0 及更高版本iPadOS 13.0 and newer

需要监管模式的设置Settings that require supervised mode

仅在通过 Apple 设备注册计划或使用 Apple Configurator 初次设置设备时,才可启用 iOS/iPadOS 受监督模式。iOS/iPadOS supervised mode can only be enabled during initial device setup through Apple's Device Enrollment Program, or by using Apple Configurator. 启用受监督模式后,Intune 可使用以下功能配置设备:Once supervised mode is enabled, Intune can configure a device with the following functionality:

  • 展台模式(单应用模式):在 Apple 开发人员文档中称为“应用锁定”。Kiosk Mode (Single App Mode): Referred to as "app lock" in the Apple developer documentation.
  • 禁用激活锁Disable Activation Lock
  • 自治单应用模式Autonomous Single App Mode
  • Web 内容筛选器Web Content Filter
  • 设置背景和锁屏界面Set background and lock screen
  • 无提示应用推送Silent App Push
  • 始终可用 VPNAlways-On VPN
  • 允许以独占方式安装托管应用Allow managed app installation exclusively
  • iBookstoreiBookstore
  • iMessageiMessages
  • 游戏中心Game Center
  • AirDropAirDrop
  • AirPlayAirPlay
  • 主机配对Host pairing
  • 云同步Cloud Sync
  • Spotlight 搜索Spotlight search
  • HandoffHandoff
  • 擦除设备Erase device
  • 限制 UIRestrictions UI
  • 通过 UI 安装配置文件Installation of configuration profiles by UI
  • 新闻News
  • 键盘快捷键Keyboard shortcuts
  • 密码修改Passcode modifications
  • 设备名更改Device name changes
  • 自动应用下载Automatic app downloads
  • Apple MusicApple Music
  • Mail DropMail Drop
  • 与 Apple Watch 配对Pair with Apple Watch

备注

Apple 已确认某些设置于 2019 年迁移到“仅受监督”模式。Apple confirmed that certain settings move to supervised-only in 2019. 我们建议在使用这些设置时即考虑此更改,而不是等待 Apple 将它们迁移到“仅受监督”模式:We recommend taking this into consideration when using these settings, instead of waiting for Apple to migrate them to supervised-only:

  • 由最终用户安装的应用App installation by end users
  • 应用删除App removal
  • FaceTimeFaceTime
  • SafariSafari
  • iTunesiTunes
  • 成人内容Explicit content
  • iCloud 文档和数据iCloud documents and data
  • 多玩家游戏Multiplayer gaming
  • 添加 Game Center 好友Add Game Center friends
  • SiriSiri

后续步骤Next steps

分配配置文件监视其状态Assign the profile and monitor its status.

还可以在 macOS 设备上限制设备功能和设置。You can also restrict device features and settings on macOS devices.