Configure actions for noncompliant devices in Intune

For devices that don't meet your compliance policies or rules, you can add Actions for noncompliance. This feature configures a time-ordered sequence of actions, such as emailing the end user, and more.

Overview

By default, each compliance policy includes the action for noncompliance of Mark device noncompliant with a schedule of zero days (0). The result of this default is that when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliant, Azure Active Directory (AD) Conditional Access can block the device.

By configuring Actions for noncompliance, you gain the flexibility to decide what to do about noncompliant devices, and when to do it. For example, you might choose not to block the device immediately, and instead give the user a grace period to become compliant.

For each action you set, you can configure a schedule that determines when that action takes effect. The schedule is a number of days after the device is marked as noncompliant. You can also configure multiple instances of an action. When you set multiple instances of an action in a policy, the action runs again at that later scheduled time if the device remains noncompliant.

Not all actions are available for all platforms.

Available actions for noncompliance

The following actions for noncompliance are available:

  • Mark device noncompliant: By default, this action is set for each compliance policy and has a schedule of zero (0) days, marking devices as noncompliant immediately.

    When you change the default schedule, you provide a grace period in which a user can remediate issues or become compliant without being marked as noncompliant.

    This action is supported on all platforms supported by Intune.

  • Send email to end user: This action sends an email notification to the user. When you enable this action:

    • Select a Notification message template that this action sends. You create a notification message template before you can assign one to this action. When you create the custom notification, you customize the subject and message body, and can include the company logo, company name, and additional contact information.
    • Choose to send the message to additional recipients by selecting one or more of your Azure AD groups.

    When the email is sent, Intune includes details about the noncompliant device in the email notification.

    This action is supported on all platforms supported by Intune.

  • Remotely lock the noncompliant device: Use this action to issue a remote lock of a device. The user is then prompted for a PIN or password to unlock the device. Learn more about the Remote Lock feature.

    The following platforms support this action:

    • Android:
      • Android device administrator
      • Android Fully Managed, Dedicated, and Corporate-Owned Work Profile
      • Android Enterprise Work Profile
      • Android Enterprise kiosk devices
    • iOS/iPadOS
    • macOS
  • Retire the noncompliant device: This action removes all company data from the device and removes the device from Intune management. To prevent accidental wipe of a device, this action supports a minimum schedule of 30 days.

    The following platforms support this action:

    • Android:
      • Android device administrator
      • Android Enterprise Device Owner
      • Android Enterprise Work Profile
    • iOS/iPadOS
    • macOS

    Learn more about retiring devices.

  • Send push notification to end user: Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune app on the device.

    The following platforms support this action:

    • Android:
      • Android device administrator
      • Android Enterprise Device Owner
      • Android Enterprise Work Profile
    • iOS/iPadOS

    The push notification is sent the first time a device checks in with Intune and is found to be noncompliant with the compliance policy. When a user selects the notification, the Company Portal app or Intune app opens and displays information about why the device is noncompliant. The user can then take action to resolve the issue. The message details about noncompliance are generated by Intune and can't be customized.

    Important

    Intune, the Company Portal app, and the Microsoft Intune app can't guarantee delivery of a push notification. Notifications might show up after several hours of delay, if at all. This includes when users have turned off push notifications.

    Do not rely on this notification method for urgent messages.

    Each instance of the action sends a notification a single time. To send the same notification again from a policy, configure additional instances of the action in that policy, each with a different schedule.

    For example, you might schedule the first action for zero days and then add a second instance of the action set to three days. This delay before the second notification gives the user a few days to resolve the issue and avoid the second notification.

    To avoid spamming users with too many duplicate messages, review and streamline which compliance policies include a push notification for noncompliance, and review the schedules so that the same notification isn't repeated too often.

    Consider:

    • For a single policy that includes multiple instances of a push notification set for the same day, only a single notification is sent for that day.

    • When multiple compliance policies include the same compliance conditions, and include the push notification action with the same schedule, Intune sends multiple notifications to the same device on the same day.

Before you begin

You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy. You can add additional actions to each policy to meet your needs. Keep in mind that each compliance policy automatically includes the default action for noncompliance that marks devices as noncompliant, with a schedule set to zero days.

To use device compliance policies to block devices from corporate resources, Azure AD Conditional Access must be set up. See Conditional Access in Azure Active Directory or common ways to use Conditional Access with Intune for guidance.

To create a device compliance policy, see the following platform-specific guidance:

Create a notification message template

To send email to your users, create a notification message template. When a device is noncompliant, the details you enter in the template are shown in the email sent to your users.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Device compliance > Notifications > Create notification.

  3. Under Basics, specify the following information:

    • Name
    • Subject
    • Message
  4. Also under Basics, configure the following options for the notification:

    • Email header – Include company logo (default = Enable) - The logo you upload as part of the Company Portal branding is used for email templates. For more information about Company Portal branding, see Company identity branding customization.
    • Email footer – Include company name (default = Enable)
    • Email footer – Include contact information (default = Enable)
    • Company Portal Website Link (default = Disable) - When set to Enable, the email includes a link to the Company Portal website.

    Example of a compliance notification message in Intune

    Select Next to continue.

  5. Under Review + create, review your configuration to ensure the notification message template is ready to use. Select Create to complete creation of the notification.

View and edit notifications

Notifications that have been created are available on the Compliance policies > Notifications page. From this page you can select a notification to view its configuration and:

  • Select Send preview email to send a preview of the notification email to the account you've used to sign in to Intune.

    To successfully send the preview email, your account must have permissions equal to those of the following Azure AD groups or Intune roles: Azure AD Global Administrator, Intune Administrator (Intune Azure AD Intune Service Administrator), or Intune Policy and Profile Manager.

  • Select Edit for Basics or Scope tags to make a change.

Add actions for noncompliance

When you create a device compliance policy, Intune automatically creates an action for noncompliance. If a device isn't meeting your compliance policy, this action marks the device as not compliant. You can customize how long it takes before the device is marked as not compliant. This action can't be removed.

You can add optional actions when you create a compliance policy, or when you update an existing policy.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Compliance policies > Policies, select one of your policies, and then select Properties.

    Don't have a policy yet? Create an Android, iOS, Windows, or other platform policy.

    Note

    JAMF devices and devices targeted with device groups cannot receive compliance actions at this time.

  3. Select Actions for noncompliance > Add.

  4. Select your Action:

    • Send email to end users: When the device is noncompliant, choose to email the user. Also:

      • Choose the Message template you previously created
      • Enter any Additional recipients by selecting groups
    • Remotely lock the noncompliant device: When the device is noncompliant, lock the device. This action forces the user to enter a PIN or passcode to unlock the device.

    • Retire the noncompliant device: When the device is noncompliant, remove all company data from the device and remove the device from Intune management.

    • Send push notification to end user: Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune app on the device.

  5. Configure a Schedule: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. (Retire the noncompliant device supports a minimum of 30 days.) After this grace period, you can enforce a Conditional Access policy. If you enter 0 (zero) days, Conditional Access takes effect immediately. For example, if a device is noncompliant, use Conditional Access to block access to email, SharePoint, and other organization resources immediately.

    When you create a compliance policy, the Mark device noncompliant action is automatically created and set to 0 days (immediately). With this action, when the device checks in, it is evaluated as noncompliant immediately. If you also use Conditional Access, Conditional Access kicks in immediately. If you want to allow a grace period, change the Schedule on the Mark device noncompliant action.

    In your compliance policy, for example, you also want to notify the user. You can add the Send email to end user action. On this Send email action, you set the Schedule to two days. If the device or end user is still evaluated as noncompliant on day two, then your email is sent on day two. If you want to email the user again on day five of noncompliance, add another action and set the Schedule to five days.

    For more information on compliance and the built-in actions, see the compliance overview.

  6. When finished, select Add > OK to save your changes.
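The schedule semantics described above (the grace period on Mark device noncompliant before Conditional Access can block, repeated instances of an action on later days, the 30-day minimum for Retire, and the one-push-notification-per-day rule from the Consider list) as an added Python model. This is not Intune code; the action names and SAMPLE_POLICY are constructed for illustration and it evaluates a policy offline, the way a reviewer might sanity-check a schedule before assigning it.

```python
# Added model of the scheduling rules stated on this page; not Intune code.
from dataclasses import dataclass

MARK_NONCOMPLIANT = "Mark device noncompliant"
SEND_EMAIL = "Send email to end user"
RETIRE = "Retire the noncompliant device"
PUSH = "Send push notification to end user"


@dataclass(frozen=True)
class Action:
    name: str
    schedule_days: int  # days after the device is first found noncompliant


def schedule_errors(actions):
    """Return the rules a policy breaks: the Mark-noncompliant action must be
    present, schedules are 0-365 days, and Retire needs at least 30 days."""
    errors = []
    if not any(a.name == MARK_NONCOMPLIANT for a in actions):
        errors.append("policy is missing the " + MARK_NONCOMPLIANT + " action")
    for a in actions:
        if not 0 <= a.schedule_days <= 365:
            errors.append(f"{a.name}: schedule must be 0-365 days")
        if a.name == RETIRE and a.schedule_days < 30:
            errors.append(f"{a.name}: minimum schedule is 30 days")
    return errors


def actions_due(actions, day):
    """Actions that run on a given day of continued noncompliance. Each instance
    fires once; several push instances set for the same day collapse to one."""
    fired, push_sent = [], False
    for a in actions:
        if a.schedule_days != day:
            continue
        if a.name == PUSH:
            if push_sent:
                continue
            push_sent = True
        fired.append(a.name)
    return fired


def blocked_by_conditional_access(actions, day):
    """Conditional Access can only block once the device is marked noncompliant,
    i.e. after the grace period set on the Mark-noncompliant action."""
    mark = next(a for a in actions if a.name == MARK_NONCOMPLIANT)
    return day >= mark.schedule_days


# Constructed sample: 3-day grace period, email on days 3 and 5, two push
# instances on day 0 (only one is delivered), retire on day 30.
SAMPLE_POLICY = [Action(MARK_NONCOMPLIANT, 3), Action(PUSH, 0), Action(PUSH, 0),
                 Action(SEND_EMAIL, 3), Action(SEND_EMAIL, 5), Action(RETIRE, 30)]
```

Calling actions_due for days 0 through 30 reproduces the timeline the page describes: a single push on day 0, marking plus the first email on day 3, the second email on day 5, and retire on day 30.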

Next steps

Monitor your policies.