Android Enterprise settings to mark devices as compliant or not compliant using Intune

This article lists and describes the different compliance settings you can configure on Android Enterprise devices in Intune. As part of your mobile device management (MDM) solution, use these settings to mark rooted (jailbroken) devices as not compliant, set an allowed threat level, enable Google Play Protect, and more.

This feature applies to:

  • Android Enterprise

As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies and what they do, see Get started with device compliance.

Important

Compliance policies also apply to Android Enterprise dedicated devices. If a compliance policy is assigned to a dedicated device, the device may show as Not compliant. Conditional Access and enforcing compliance aren't available on dedicated devices. Be sure to complete any tasks or actions needed to get dedicated devices compliant with your assigned policies.

Before you begin

Create a compliance policy. For Platform, select Android Enterprise.

Fully Managed, Dedicated, and Corporate-Owned Work Profile

Microsoft Defender ATP

  • Require the device to be at or under the machine risk score

    Select the maximum allowed machine risk score for devices evaluated by Microsoft Defender ATP. Devices that exceed this score are marked as noncompliant.

    • Not configured (default)
    • Clear
    • Low
    • Medium
    • High

Device Health

  • Require the device to be at or under the Device Threat Level
    Select the maximum allowed device threat level evaluated by your mobile threat defense service. Devices that exceed this threat level are marked noncompliant. To use this setting, choose the allowed threat level:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Secured - This option is the most secure, and means that the device can't have any threats. If the device is detected with any level of threats, it's evaluated as noncompliant.
    • Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium - The device is evaluated as compliant if the threats present on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be noncompliant.
    • High - This option is the least secure, as it allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

Note

All Mobile Threat Defense (MTD) providers are supported on Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile deployments using app configuration. Check with your MTD provider for the exact configuration needed to support the Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile platforms on Intune.

Google Play Protect

  • SafetyNet device attestation
    Enter the level of SafetyNet attestation that must be met. Your options:
    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Check basic integrity
    • Check basic integrity & certified devices

Device Properties

Operating System Version

  • Minimum OS version
    When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can upgrade their device, and then access organization resources.

    By default, no version is configured.

  • Maximum OS version
    When a device is using an OS version later than the version in the rule, access to organization resources is blocked. The user is asked to contact their IT administrator. Until the rule is changed to allow that OS version, the device can't access organization resources.

    By default, no version is configured.

  • Minimum security patch level
    Select the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD format.

    By default, no date is configured.
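
The following is an added example, not Intune's or Microsoft's own code, showing how the Device Health threat-level rule and the Device Properties rules above (minimum/maximum OS version, minimum security patch level) combine into a single compliant/noncompliant verdict; the same logic covers the work-profile variants of these settings later on the page. The policy keys, the version padding and the sample device records are constructed for illustration.

```python
"""Added example (not Intune's or Microsoft's code): evaluate a device record against
the Device Health and Device Properties rules described above. Policy keys and sample
records are constructed; a policy value of None means "Not configured" (rule skipped)."""
from datetime import date

# Threat levels in increasing severity; "secured" means no threats are allowed.
THREAT_ORDER = {"secured": 0, "low": 1, "medium": 2, "high": 3}


def parse_version(text):
    """'10.0.1' -> (10, 0, 1); shorter strings are padded so '10' equals '10.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_patch_level(text):
    """Security patch levels are entered as YYYY-MM-DD; anything else raises ValueError."""
    year, month, day = (int(p) for p in text.strip().split("-"))
    return date(year, month, day)


def evaluate(policy, device):
    """Return the names of the rules the device fails; an empty list means compliant."""
    failures = []

    # Device threat level: compliant only if at or under the allowed level.
    allowed = policy.get("max_threat_level")
    if allowed is not None:
        reported = device.get("threat_level", "secured")
        if THREAT_ORDER[reported] > THREAT_ORDER[allowed]:
            failures.append("device_threat_level")

    # Minimum and maximum OS version; either bound may be left unconfigured.
    os_version = parse_version(device["os_version"])
    min_os = policy.get("min_os_version")
    if min_os is not None and os_version < parse_version(min_os):
        failures.append("min_os_version")
    max_os = policy.get("max_os_version")
    if max_os is not None and os_version > parse_version(max_os):
        failures.append("max_os_version")

    # Minimum security patch level: the device's patch date must not be older.
    min_patch = policy.get("min_security_patch_level")
    if min_patch is not None:
        device_patch = parse_patch_level(device["security_patch_level"])
        if device_patch < parse_patch_level(min_patch):
            failures.append("min_security_patch_level")

    return failures


# Constructed sample policy and device records (not real tenant data).
POLICY = {"max_threat_level": "low", "min_os_version": "10",
          "max_os_version": None, "min_security_patch_level": "2020-06-01"}
DEVICES = {
    "patched": {"os_version": "11.0", "threat_level": "secured",
                "security_patch_level": "2020-09-05"},
    "stale": {"os_version": "9.0.0", "threat_level": "medium",
              "security_patch_level": "2019-12-01"},
}

if __name__ == "__main__":
    for name, record in DEVICES.items():
        print(name, "->", evaluate(POLICY, record) or "compliant")
```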

System Security

  • Require a password to unlock mobile devices

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Users must enter a password before they can access their device.
  • Required password type
    Choose whether a password should include only numeric characters, or a mix of numerals and other characters. Your options:

    • Device default - To evaluate password compliance, be sure to select a password strength other than Device default.
    • Password required, no restrictions
    • Weak biometric - Strong vs. weak biometrics (opens Android's web site)
    • Numeric (default) - Password must be numbers only, such as 123456789. Enter the minimum password length a user must enter, between 4 and 16 characters.
    • Numeric complex - Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Enter the minimum password length a user must enter, between 4 and 16 characters.
    • Alphabetic - Letters in the alphabet are required. Numbers and symbols aren't required. Enter the minimum password length a user must enter, between 4 and 16 characters.
    • Alphanumeric - Includes uppercase letters, lowercase letters, and numeric characters. Enter the minimum password length a user must enter, between 4 and 16 characters.
    • Alphanumeric with symbols - Includes uppercase letters, lowercase letters, numeric characters, punctuation marks, and symbols.

    Depending on the password type you select, the following settings are available:

    • Minimum password length
      Enter the minimum length the password must have, between 4 and 16 characters.

    • Number of characters required
      Enter the number of characters the password must have, between 0 and 16 characters.

    • Number of lowercase characters required
      Enter the number of lowercase characters the password must have, between 0 and 16 characters.

    • Number of uppercase characters required
      Enter the number of uppercase characters the password must have, between 0 and 16 characters.

    • Number of non-letter characters required
      Enter the number of non-letters (anything other than letters in the alphabet) the password must have, between 0 and 16 characters.

    • Number of numeric characters required
      Enter the number of numeric characters (1, 2, 3, and so on) the password must have, between 0 and 16 characters.

    • Number of symbol characters required
      Enter the number of symbol characters (&, #, %, and so on) the password must have, between 0 and 16 characters.

    • Maximum minutes of inactivity before password is required
      Enter the idle time before the user must reenter their password. Options include the default of Not configured, and values from 1 minute to 8 hours.

    • Number of days until password expires
      Enter the number of days, between 1 and 365, until the device password must be changed. For example, to change the password after 60 days, enter 60. When the password expires, users are prompted to create a new password.

      By default, no value is configured.

    • Number of passwords required before user can reuse a password
      Enter the number of recent passwords that can't be reused, between 1 and 24. Use this setting to restrict the user from creating previously used passwords.

      By default, no value is configured.
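
As an added example (not Intune's or Microsoft's code), the checker below shows what the Required password type options and the per-class character counts above actually demand of a password, including the Numeric complex rejection of repeated or consecutive digits; it applies equally to the work-profile password settings later on the page. The policy dictionary is a constructed stand-in for those settings, and two interpretations are assumptions: "repeated or consecutive numbers" means any run of four or more equal or stepwise (+1/-1) digits, and each alphabetic or alphanumeric type requires at least one character from each of its classes.

```python
"""Added example (not Intune's or Microsoft's code): check a candidate password against
the Required password type and character-count settings described above. The policy
dictionary is a constructed stand-in for those settings. Assumed interpretations:
"repeated or consecutive numbers" = any run of four or more equal or +1/-1 stepwise
digits; each alphabetic/alphanumeric type needs at least one character of its classes."""
import string

# Character classes each password type must contain at least one of (assumed mapping).
REQUIRED_CLASSES = {
    "numeric": [], "numeric_complex": [], "alphabetic": ["letter"],
    "alphanumeric": ["letter", "digit"],
    "alphanumeric_with_symbols": ["letter", "digit", "symbol"],
}
CLASS_TESTS = {
    "letter": str.isalpha, "upper": str.isupper, "lower": str.islower,
    "digit": str.isdigit, "non_letter": lambda c: not c.isalpha(),
    "symbol": lambda c: c in string.punctuation,
}


def has_digit_run(password, run_len=4):
    """True if run_len adjacent digits are all equal or step by exactly +1 or -1."""
    for i in range(len(password) - run_len + 1):
        chunk = password[i:i + run_len]
        if not chunk.isdigit():
            continue
        diffs = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(policy, password):
    """Return the rules the password violates; an empty list means it satisfies the policy."""
    problems = []
    ptype = policy.get("password_type")  # None: Device default / no type-specific checks
    min_len = policy.get("min_length", 4)  # Minimum password length, 4 to 16
    if len(password) < min_len:
        problems.append(f"min_length:{min_len}")
    if ptype in ("numeric", "numeric_complex") and not password.isdigit():
        problems.append("numeric_only")
    if ptype == "numeric_complex" and has_digit_run(password):
        problems.append("repeated_or_consecutive_digits")
    counts = {name: sum(1 for c in password if test(c)) for name, test in CLASS_TESTS.items()}
    for cls in REQUIRED_CLASSES.get(ptype, []):
        if counts[cls] == 0:
            problems.append(f"needs_{cls}")
    # Number of lowercase/uppercase/non-letter/numeric/symbol characters required (0 to 16).
    for cls, minimum in policy.get("min_counts", {}).items():
        if counts[cls] < minimum:
            problems.append(f"min_{cls}:{minimum}")
    return problems


# Constructed sample policies (not from a real tenant).
COMPLEX_PIN = {"password_type": "numeric_complex", "min_length": 6}
STRONG = {"password_type": "alphanumeric_with_symbols", "min_length": 8,
          "min_counts": {"upper": 1, "symbol": 2, "non_letter": 3}}
```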

Encryption

  • Encryption of data storage on device

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Encrypt data storage on your devices.

    You don't have to configure this setting because Android Enterprise devices enforce encryption.

Work profile

Microsoft Defender ATP - for work profile

  • Require the device to be at or under the machine risk score
    Select the maximum allowed machine risk score for devices evaluated by Microsoft Defender ATP. Devices that exceed this score are marked as noncompliant.
    • Not configured (default)
    • Clear
    • Low
    • Medium
    • High

Device Health - for work profile

  • Rooted devices

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Block - Mark rooted (jailbroken) devices as not compliant.
  • Require the device to be at or under the Device Threat Level
    Select the maximum allowed device threat level evaluated by your mobile threat defense service. Devices that exceed this threat level are marked noncompliant. To use this setting, choose the allowed threat level:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Secured - This option is the most secure, and means that the device can't have any threats. If the device is detected with any level of threats, it's evaluated as noncompliant.
    • Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium - The device is evaluated as compliant if the threats present on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be noncompliant.
    • High - This option is the least secure, as it allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

Google Play Protect - for work profile

  • Google Play Services is configured

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Require that the Google Play services app is installed and enabled. Google Play services allows security updates, and is a base-level dependency for many security features on Google-certified devices.
  • Up-to-date security provider

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Require an up-to-date security provider, which can protect a device from known vulnerabilities.
  • SafetyNet device attestation
    Enter the level of SafetyNet attestation that must be met. Your options:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Check basic integrity
    • Check basic integrity & certified devices

Note

On Android Enterprise devices, Threat scan on apps is a device configuration policy. Using a configuration policy, administrators can enable the setting on a device. See Android Enterprise device restriction settings.

Device Properties - for work profile

Operating System Version - for work profile

  • Minimum OS version
    When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can upgrade their device, and then access organization resources.

    By default, no version is configured.

  • Maximum OS version
    When a device is using an OS version later than the version in the rule, access to organization resources is blocked. The user is asked to contact their IT administrator. Until the rule is changed to allow that OS version, the device can't access organization resources.

    By default, no version is configured.

System security - for work profile

  • Require a password to unlock mobile devices

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Users must enter a password before they can access their device.

    This setting applies at the device level. If you only need to require a password at the work profile level, use a configuration policy instead. See Android Enterprise device configuration settings.

  • Required password type
    Choose whether a password should include only numeric characters, or a mix of numerals and other characters. Your options:

    • Device Default
    • Low security biometric
    • At least numeric (default) - Enter the minimum password length a user must enter, between 4 and 16 characters.
    • Numeric complex - Enter the minimum password length a user must enter, between 4 and 16 characters.
    • At least alphabetic - Enter the minimum password length a user must enter, between 4 and 16 characters.
    • At least alphanumeric - Enter the minimum password length a user must enter, between 4 and 16 characters.
    • At least alphanumeric with symbols - Enter the minimum password length a user must enter, between 4 and 16 characters.

    Depending on the password type you select, the following settings are available:

    • Maximum minutes of inactivity before password is required
      Enter the idle time before the user must reenter their password. Options include the default of Not configured, and values from 1 minute to 8 hours.

    • Number of days until password expires
      Enter the number of days, between 1 and 365, until the device password must be changed. For example, to change the password after 60 days, enter 60. When the password expires, users are prompted to create a new password.

    • Minimum password length
      Enter the minimum length the password must have, between 4 and 16 characters.

    • Number of previous passwords to prevent reuse
      Enter the number of recent passwords that can't be reused. Use this setting to restrict the user from creating previously used passwords.

Encryption - for work profile

  • Encryption of data storage on device

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Encrypt data storage on your devices.

    You don't have to configure this setting because Android Enterprise devices enforce encryption.

Device Security - for work profile

  • Block apps from unknown sources

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Block - Block devices that have Security > Unknown Sources enabled (supported on Android 4.0 through Android 7.x; not supported on Android 8.0 and later).

    To side-load apps, unknown sources must be allowed. If you're not side-loading Android apps, set this feature to Block to enable this compliance policy.

    Important

    Side-loading applications requires that the Block apps from unknown sources setting is enabled. Enforce this compliance policy only if you're not side-loading Android apps on devices.

    You don't have to configure this setting, as Android Enterprise devices always restrict installation from unknown sources.

  • Company portal app runtime integrity

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Choose Require to confirm that the Company Portal app meets all of the following requirements:
      • Has the default runtime environment installed
      • Is properly signed
      • Isn't in debug mode
      • Is installed from a known source
  • Block USB debugging on device

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Block - Prevent devices from using the USB debugging feature.

    You don't have to configure this setting because USB debugging is already disabled on Android Enterprise devices.

  • Minimum security patch level
    Select the oldest security patch level a device can have. Devices that aren't at least at this patch level are noncompliant. The date must be entered in the YYYY-MM-DD format.

    By default, no date is configured.

Next steps