Create Mobile Threat Defense (MTD) device compliance policy with Intune

Intune with MTD helps you detect threats and assess risk on mobile devices. You can create an Intune device compliance policy rule that assesses risk to determine whether the device is compliant. You can then use a Conditional Access policy to block access to services based on device compliance.

Note

This information applies to all Mobile Threat Defense partners.

Before you begin

As part of the MTD setup, in the MTD partner console, you created a policy that classifies various threats as high, medium, and low. Next you'll set the Mobile Threat Defense level in the Intune device compliance policy.

Prerequisites for device compliance policy with MTD:

  • Set up MTD integration with Intune

To create an MTD device compliance policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Device Compliance > Create Policy.

  3. Select the Platform, and then Create.

  4. On Basics, specify a device compliance policy Name and Description (optional). Select Next to continue.

  5. On Compliance settings, expand and configure Device Health. Choose the Mobile Threat Level from the drop-down list for Require the device to be at or under the Device Threat Level.

    • Secured: This level is the most secure. The device can't have any threats present and still access company resources. If any threats are found, the device is evaluated as noncompliant.

    • Low: The device is compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.

    • Medium: The device is compliant if the threats found on the device are low or medium level. If high-level threats are detected, the device is determined to be noncompliant.

    • High: This threat level is the least secure, as it allows all threat levels and uses Mobile Threat Defense for reporting purposes only. Devices are required to have the MTD app activated with this setting.

  6. Select Next to advance to Assignments. Select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  7. On the Review + create page, when you're done, choose Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Important

If you create Conditional Access policies for Microsoft 365 or other services, device compliance is evaluated and noncompliant devices are blocked from accessing corporate resources until the threat is resolved on the device.
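The following added example (not Microsoft's or Intune's code) models how the Device Threat Level setting from step 5 and the Conditional Access outcome from the note above combine: each device report is compared against the chosen level, and noncompliant devices are marked as blocked. The `DeviceReport` class, the sample fleet, and the rule that every level needs an active MTD app are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Severity ranks reported by the MTD partner (the partner console classified
# threats as high, medium or low); a device with no threats ranks 0.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
# Highest severity still allowed for each value of the Intune setting
# "Require the device to be at or under the Device Threat Level".
THRESHOLD = {"secured": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class DeviceReport:
    device_id: str
    mtd_app_active: bool
    threats: list = field(default_factory=list)  # severities found by MTD


def is_compliant(required_level: str, report: DeviceReport) -> bool:
    """True when the device is at or under the configured threat level."""
    if required_level not in THRESHOLD:
        raise ValueError(f"unknown device threat level: {required_level}")
    # The page requires the MTD app to be activated at "High". This model
    # applies the same check at every level (an assumption made here), since
    # without the MTD app Intune receives no threat data to evaluate.
    if not report.mtd_app_active:
        return False
    worst = max((SEVERITY[t] for t in report.threats), default=0)
    return worst <= THRESHOLD[required_level]


def conditional_access_decision(required_level: str, reports: list) -> dict:
    """Map each device to 'allow' or 'block', as a Conditional Access policy
    that requires a compliant device would, until the threat is resolved."""
    return {
        r.device_id: "allow" if is_compliant(required_level, r) else "block"
        for r in reports
    }


# Constructed sample fleet; device ids and findings are invented.
SAMPLE_FLEET = [
    DeviceReport("dev-clean", True),
    DeviceReport("dev-low", True, ["low"]),
    DeviceReport("dev-mixed", True, ["low", "medium"]),
    DeviceReport("dev-high", True, ["high"]),
    DeviceReport("dev-no-mtd", False),
]

if __name__ == "__main__":
    for level in THRESHOLD:
        print(f"{level:>8}: {conditional_access_decision(level, SAMPLE_FLEET)}")
```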

To assign an MTD device compliance policy

To assign, or change the assignment of, a device compliance policy to users:

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Endpoint security > Device compliance.

  3. Select the policy you want to assign to users, and then select Properties.

  4. Select Edit for Assignments, and then use the available options to Include and Exclude groups to receive this policy.

  5. Select Review + save to complete the assignment. When you save the assignment, the policy deploys to your selected users and their devices are evaluated for compliance.

Next steps

Enable MTD with Intune