Set enrollment restrictions

As an Intune administrator, you can create and manage enrollment restrictions that define which devices can enroll into management with Intune, including the:

  • Number of devices.
  • Operating systems and versions.

You can create multiple restrictions and apply them to different user groups. You can set the priority order for your different restrictions.

Note

Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.

The specific enrollment restrictions that you can create include:

  • Maximum number of enrolled devices.
  • Device platforms that can enroll:
    • Android device administrator
    • Android Enterprise work profile
    • iOS/iPadOS
    • macOS
    • Windows
  • Platform operating system version for iOS/iPadOS, Android device administrator, Android Enterprise work profile, and Windows.
    • Minimum version.
    • Maximum version.
  • Restrict personally owned devices (iOS, Android device administrator, Android Enterprise work profile, macOS, and Windows).

Default restrictions

Default restrictions are automatically provided for both device type and device limit enrollment restrictions. You can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can override these defaults by creating new restrictions with higher priorities.

Create a device type restriction

  1. Sign in to the Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > Create restriction > Device type restriction.

  2. On the Basics page, give the restriction a Name and optional Description.

  3. Choose Next to go to the Platform settings page.

  4. Under Platform, choose Allow for the platforms that you want this restriction to allow.

  5. Under Versions, choose the minimum and maximum versions that you want the allowed platforms to support. For iOS and Android, version restrictions only apply to devices enrolled with the Company Portal. Supported version formats include:

    • Android device administrator and Android Enterprise work profile support major.minor.rev.build.
    • iOS/iPadOS supports major.minor.rev. Operating system versions don't apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
    • Windows supports major.minor.build.rev for Windows 10 only.

    Important

    Android Enterprise (work profile) and Android device administrator platforms have the following behavior:

    • If both platforms are allowed for the same group, users will be enrolled with a work profile if their device supports it; otherwise they will enroll as DA.
    • If both platforms are allowed for the group and refined to specific, non-overlapping versions, users will receive the enrollment flow defined for their OS version.
    • If both platforms are allowed but blocked for the same versions, users on devices with the blocked versions will be taken down the Android device administrator enrollment flow, then blocked from enrollment and prompted to sign out.

    Note that neither work profile nor device administrator enrollment will work unless the appropriate prerequisites have been completed in Android Enrollment.

    Note

    Windows 10 does not provide the rev number during enrollment, so, for instance, if you enter 10.0.17134.100 and the device is 10.0.17134.174, it will be blocked during enrollment.

  6. Under Personally owned, choose Allow for the platforms that you want to permit as personally owned devices.

  7. Under Device manufacturer, enter a comma-separated list of the manufacturers that you want to block.

  8. Choose Next to go to the Scope tags page.

  9. On the Scope tags page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see Use role-based access control and scope tags for distributed IT. When using scope tags with enrollment restrictions, users can only reorder policies for which they have scope. Also, they can only reorder within the policy positions for which they have scope. Users see the true policy priority number on each policy, so a scoped user can tell the relative priority of their policies even if they can't see all the other policies.

  10. Choose Next to go to the Assignments page.

  11. Choose Select groups to include and then use the search box to find the groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose Select.

  12. Select Next to go to the Review + create page.

  13. Select Create to create the restriction.

  14. The new restriction is created with a priority just above the default. You can change the priority.
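The Windows 10 note in step 5 above describes a version comparison that surprises many administrators: the device reports fewer version parts than the minimum you typed. The following Python model, added here as an example and not Microsoft's or Intune's code, reproduces that behavior. The comparison rule (missing trailing parts are treated as 0) and the helper windows_reported_version() are assumptions built from the note; Intune's actual implementation is not shown on this page.

```python
# Added example, not Microsoft's or Intune's code: a model of how a platform
# version restriction is evaluated, built from the page's description.
# The comparison rule (missing trailing parts count as 0) and the helper
# windows_reported_version() are assumptions that reproduce the note's
# 10.0.17134.100 vs 10.0.17134.174 example; Intune's real logic is not shown here.
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '10.0.17134.100' into a tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so '10.0.17134' compares as 10.0.17134.0."""
    return v + (0,) * (width - len(v))


@dataclass
class VersionRestriction:
    """Minimum/maximum bounds as typed into the Versions fields (None = no bound)."""
    minimum: Optional[str] = None
    maximum: Optional[str] = None

    def allows(self, reported: str) -> bool:
        """True if the version the device reports falls inside [minimum, maximum]."""
        dev = parse_version(reported)
        lo = parse_version(self.minimum) if self.minimum else ()
        hi = parse_version(self.maximum) if self.maximum else ()
        width = max(len(dev), len(lo), len(hi))
        dev_p = _pad(dev, width)
        if lo and dev_p < _pad(lo, width):
            return False
        if hi and dev_p > _pad(hi, width):
            return False
        return True


def windows_reported_version(installed: str) -> str:
    """Assumption taken from the note: Windows 10 sends major.minor.build during
    enrollment and omits the rev number, so 10.0.17134.174 arrives as 10.0.17134."""
    return ".".join(installed.split(".")[:3])


def windows_allowed(minimum: str, installed: str) -> bool:
    """Evaluate a Windows minimum-version restriction against an installed build."""
    return VersionRestriction(minimum=minimum).allows(windows_reported_version(installed))


def demo() -> Tuple[bool, bool, bool]:
    # The note's case: minimum 10.0.17134.100 with a device on 10.0.17134.174.
    # The device reports 10.0.17134 (= 10.0.17134.0), which is below 10.0.17134.100.
    note_case = windows_allowed("10.0.17134.100", "10.0.17134.174")   # False: blocked
    # Under this model, a minimum entered at build granularity matches the same device.
    build_only = windows_allowed("10.0.17134", "10.0.17134.174")      # True
    # Android reports the full major.minor.rev.build, so all four parts are compared.
    android = VersionRestriction(minimum="8.0.0.0", maximum="10.0.0.0").allows("9.0.0.1")
    return note_case, build_only, android


if __name__ == "__main__":
    print(demo())
```

The takeaway for a defender is that a version restriction is only as precise as the data the enrolling client supplies; when the client omits a component, a bound that depends on that component behaves as a stricter bound than intended.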

Create a device limit restriction

  1. Sign in to the Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > Create restriction > Device limit restriction.
  2. On the Basics page, give the restriction a Name and optional Description.
  3. Choose Next to go to the Device limit page.
  4. For Device limit, select the maximum number of devices that a user can enroll.
  5. Choose Next to go to the Scope tags page.
  6. On the Scope tags page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see Use role-based access control and scope tags for distributed IT. When using scope tags with enrollment restrictions, users can only reorder policies for which they have scope. Also, they can only reorder within the policy positions for which they have scope. Users see the true policy priority number on each policy, so a scoped user can tell the relative priority of their policies even if they can't see all the other policies.
  7. Choose Next to go to the Assignments page.
  8. Choose Select groups to include and then use the search box to find the groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose Select.
  9. Select Next to go to the Review + create page.
  10. Select Create to create the restriction.
  11. The new restriction is created with a priority just above the default. You can change the priority.

During BYOD enrollments, users see a notification that tells them when they've met their limit of enrolled devices. For example, on iOS:

iOS device limit notification

Important

Device limit restrictions don't apply to the following Windows enrollment types:

  • Co-managed enrollments
  • GPO enrollments
  • Azure Active Directory joined enrollments
  • Bulk Azure Active Directory joined enrollments
  • Autopilot enrollments
  • Device Enrollment Manager enrollments

Device limit restrictions are not enforced for these enrollment types because they're considered shared device scenarios. You can set hard limits for these enrollment types in Azure Active Directory.

Change enrollment restrictions

You can change the settings for an enrollment restriction by following the steps below. These restrictions don't affect devices that have already been enrolled. Devices enrolled with the Intune PC agent can't be blocked with this feature.

  1. Sign in to the Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > choose the restriction that you want to change > Properties.
  2. Choose Edit next to the settings that you want to change.
  3. On the Edit page, make the changes that you want and proceed to the Review + save page, then choose Save.

Blocking personal Android devices

  • If you block personally owned Android device administrator devices from enrollment, personally owned Android Enterprise work profile devices can still enroll.
  • By default, your Android Enterprise work profile device settings are the same as your settings for Android device administrator devices. After you change either your Android Enterprise work profile or your Android device administrator settings, that's no longer the case.
  • If you block personal Android Enterprise work profile enrollment, only corporate-owned Android devices can enroll with Android Enterprise work profiles.

Blocking personal Windows devices

If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.

The following methods qualify as being authorized as a Windows corporate enrollment:

The following enrollments are marked as corporate by Intune. But since they don't offer the Intune administrator per-device control, they'll be blocked:

The following personal enrollment methods will also be blocked:

* These won't be blocked if registered with Autopilot.

Blocking personal iOS/iPadOS devices

By default, Intune classifies iOS/iPadOS devices as personally owned. To be classified as corporate-owned, an iOS/iPadOS device must fulfill one of the following conditions:

Change enrollment restriction priority

Priority is used when a user exists in multiple groups that are assigned restrictions. Users are subject only to the highest priority restriction assigned to a group that they are in. For example, Joe is in group A, assigned priority 5 restrictions, and also in group B, assigned priority 2 restrictions. Joe is subject only to the priority 2 restrictions.

When you create a restriction, it's added to the list just above the default.

Device enrollment includes default restrictions for both device type and device limit restrictions. These two restrictions apply to all users unless they're overridden by higher-priority restrictions.

Note

Enrollment restrictions are applied to users. In enrollment scenarios that are not user-driven (for example, Windows Autopilot self-deploying mode or white glove provisioning), only the Default priority restrictions (targeted to "All Users") will be enforced.
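The priority rule above (lowest number wins, unassigned restrictions have no effect, the default catches everyone else, and non-user-driven enrollments see only the default) is easy to state but worth checking against concrete cases. The following Python model is added here as an example and is not Intune's code; the Restriction fields, group names, users and device limits are constructed sample data, and the resolution logic is an assumption built from the text on this page.

```python
# Added example, not Intune's code: a model of the priority rule and the
# default fallback described above. The Restriction fields, the group names,
# the users and the device limits are constructed sample data; the resolution
# logic is an assumption built from the text, not Intune's implementation.
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Restriction:
    name: str
    priority: int                    # lower number = higher priority
    assigned_groups: FrozenSet[str]  # empty for the default, which targets all users
    device_limit: int                # maximum devices a user may enroll


# The built-in default restriction sits at the bottom of the priority list.
DEFAULT = Restriction("Default", priority=10_000, assigned_groups=frozenset(), device_limit=5)

# Constructed sample restrictions (priority 2 outranks priority 5).
RESTRICTIONS = (
    Restriction("Unassigned", priority=1, assigned_groups=frozenset(), device_limit=1),
    Restriction("Group B limit", priority=2, assigned_groups=frozenset({"B"}), device_limit=3),
    Restriction("Group A limit", priority=5, assigned_groups=frozenset({"A"}), device_limit=10),
)


def effective_restriction(user_groups: Iterable[str], restrictions: Iterable[Restriction],
                          default: Restriction = DEFAULT, user_driven: bool = True) -> Restriction:
    """Return the single restriction that governs an enrollment.

    * Non-user-driven enrollments (Autopilot self-deploying, white glove) get only
      the default.
    * Otherwise only restrictions assigned to at least one of the user's groups are
      candidates; an unassigned restriction has no effect regardless of priority.
    * Among candidates the highest priority (lowest number) wins; with none, the
      default applies.
    """
    if not user_driven:
        return default
    groups = frozenset(user_groups)
    candidates = [r for r in restrictions if r.assigned_groups & groups]
    if not candidates:
        return default
    return min(candidates, key=lambda r: r.priority)


def may_enroll_another(user_groups: Iterable[str], enrolled_count: int,
                       restrictions: Iterable[Restriction] = RESTRICTIONS,
                       user_driven: bool = True) -> bool:
    """Apply the device limit of the effective restriction to a new enrollment."""
    rule = effective_restriction(user_groups, restrictions, user_driven=user_driven)
    return enrolled_count < rule.device_limit


def demo() -> dict:
    # Joe is in group A (priority 5) and group B (priority 2): only priority 2 applies.
    joe = effective_restriction({"A", "B"}, RESTRICTIONS)
    # Ann is in group C only: no assigned restriction matches, so the default applies.
    ann = effective_restriction({"C"}, RESTRICTIONS)
    # A userless Autopilot self-deploying enrollment ignores group restrictions.
    kiosk = effective_restriction({"A", "B"}, RESTRICTIONS, user_driven=False)
    return {"joe": joe.name, "ann": ann.name, "kiosk": kiosk.name,
            "joe_fourth_device": may_enroll_another({"A", "B"}, 3)}


if __name__ == "__main__":
    print(demo())
```

Two consequences of the model match what the page states and are worth verifying in your own tenant: a restriction created with a very high priority but no group assignment changes nothing, and a userless enrollment is governed by whatever the default restriction allows, so the default deserves the same review as the targeted policies.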

You can change the priority of any non-default restriction.

  1. Sign in to the Azure portal.
  2. Select More Services, search for Intune, and then choose Intune.
  3. Select Device enrollment > Enrollment restrictions.
  4. Hover over the restriction in the priority list.
  5. Using the three vertical dots, drag the restriction to the desired position in the list.