Use policy sets to group collections of management objects

Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps, policies, and other management objects you've created. Creating a policy set enables you to select many different objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as apps, policies, and VPNs in a single package.

Important

For a list of known issues related to policy sets, see Policy sets known issues.

Policy sets do not replace existing concepts or objects. You can continue to assign individual objects and you can also reference individual objects as part of a policy set. Therefore, any changes to those individual objects will be reflected in the policy set.

You can use policy sets to:

  • Group objects that need to be assigned together
  • Assign your organization's minimum configuration requirements on all managed devices
  • Assign commonly used or relevant apps to all users

You can include the following management objects in a policy set:

  • Apps
  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Device type restrictions
  • Windows Autopilot deployment profiles
  • Enrollment status page

When you create a policy set, you create a single unit of assignment, and manage associations between different objects. A policy set will be a reference to objects external to it. Any changes in the included objects will affect the policy set as well. After you create a policy set, you can repeatedly view and edit its objects and assignments.

Note

Policy sets support Windows, Android, macOS, and iOS/iPadOS settings, and can be assigned cross-platform.

How to create a policy set

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Policy Sets > Policy sets > Create.

  3. On the Basics page, add the following values:

    • Policy set name - Provide a name for this policy set.
    • Description - Optionally, provide a description for the policy set.

  4. Click Next: Application management.
    On the Application management page you can optionally add apps, app configuration policies, and app protection policies to your policy set. For information about app management, see What is Microsoft Intune app management?

  5. Click Next: Device management.
    The Device management page allows you to add device management objects to your policy set, such as device configuration profiles and device compliance policies. Be sure to include all associated objects, such as other policies, certificates, and security baseline profiles.

  6. Click Next: Device enrollment.
    The Device enrollment page allows you to add device enrollment objects to your policy set, such as device type restrictions, Windows Autopilot deployment profiles, and enrollment status page profiles.

  7. Click Next: Assignments.
    The Assignments page allows you to assign the policy set to users and devices. It is important to note that you can assign a policy set to a device whether or not the device is managed by Intune.

  8. Click Next: Review + create to review the values you entered for the profile.

  9. When you are done, click Create to create the policy set in Intune.

Policy sets known issues

Policy sets, new to 1910, have the following known issues.

  • When creating a policy set, if a scoped admin tries to create a policy set without any scope tags selected, upon reaching the Review + Create page, validation will fail and an error will be displayed on the status bar. The admin must switch to a different page in the process, then return to the Review + Create page. This will enable the Create option.

  • The following app types are currently supported by policy sets:

    • iOS/iPadOS store app
    • iOS/iPadOS line-of-business app
    • Managed iOS/iPadOS line-of-business app
    • Android store app
    • Android line-of-business app
    • Managed Android line-of-business app
    • Microsoft 365 Apps (Windows 10)
    • Web link
    • Built-in iOS/iPadOS app
    • Built-in Android app
  • Setting a policy set assignment of All Users to Autopilot Profile is unsupported.

  • Policy sets have the following enrollment restrictions and Enrollment Status Page (ESP) issues:

    • Restrictions and ESP do not support virtual group assignments.
    • Restrictions and ESP do not strictly support exclusion group assignments.
    • Restrictions and ESP use priority-based conflict resolution. Restrictions and ESP might not be applied to the same users as the rest of a policy set's payloads if the Restrictions and ESP are also targeted by a higher priority Restrictions and ESP.
    • The default Restrictions and ESP cannot be added to a policy set.
  • MAM policy types that support policy sets include the following:

    • MAM WIP (Windows) MDM targeted managed app protection
    • MAM iOS/iPadOS targeted managed app protection
    • MAM Android targeted managed app protection
    • MAM iOS/iPadOS targeted managed app configuration
    • MAM Android targeted managed app configuration
  • MAM policy types that do not support policy sets include the following:

    • MAM WIP (Windows) targeted managed app protection
  • MAM processes policy set assignments as direct assignments for the following policy types:

    • MAM iOS/iPadOS targeted managed app protection

    • MAM Android targeted managed app protection

    • MAM iOS/iPadOS targeted managed app configuration

    • MAM Android targeted managed app configuration

      If a policy is added to a policy set that is deployed to a group, the group would show as directly assigned in the workload, not "assigned via the policy set". As a result of this, MAM does not process group assignment deletions coming from policy sets.

  • MAM does not support deployment to All Users and All Devices virtual groups for any policy types.

  • The Device Configuration Profile of type "Administrative Templates" cannot be selected as part of a policy set.
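
The priority-based conflict resolution noted in the known issues above can be checked before a policy set is assigned. The following Python example is added here and is not Microsoft's code or an Intune API: it models restriction/ESP profiles with a numeric priority (assuming 1 is the highest) and lists the users inside a policy set's assignment who would receive a different, higher-priority profile. All user, group, and profile names are constructed.

```python
# Added illustration: models priority-based conflict resolution for
# enrollment restrictions / ESP profiles. All names and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    priority: int       # assumption: 1 is the highest priority
    groups: frozenset   # groups the profile is assigned to


def effective_profile(user_groups, profiles):
    """Return the single profile that wins for a user, or None if none targets them."""
    hits = [p for p in profiles if p.groups & user_groups]
    return min(hits, key=lambda p: p.priority) if hits else None


def shadowed_users(policy_set_profile, policy_set_groups, profiles, directory):
    """Map each user in the policy set's assignment who gets a different,
    higher-priority profile to the name of the profile that wins instead."""
    out = {}
    for user, groups in directory.items():
        if not (groups & policy_set_groups):
            continue  # user is outside the policy set assignment
        winner = effective_profile(groups, profiles)
        if winner is not None and winner.name != policy_set_profile:
            out[user] = winner.name
    return out


# Constructed sample data: user -> group memberships
DIRECTORY = {
    "alice": frozenset({"Sales"}),
    "bob": frozenset({"Sales", "Contractors"}),
    "carol": frozenset({"Engineering"}),
}
# "Sales-baseline" is the restriction referenced by the hypothetical policy set.
PROFILES = [
    Profile("Contractor-lockdown", 1, frozenset({"Contractors"})),
    Profile("Sales-baseline", 2, frozenset({"Sales"})),
]

if __name__ == "__main__":
    print(shadowed_users("Sales-baseline", frozenset({"Sales"}), PROFILES, DIRECTORY))
```

Users reported by `shadowed_users` still receive the rest of the policy set's payloads; only the restriction or ESP profile differs for them.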

Next steps