Add a device compliance policy for Android devices in Intune

An Intune device compliance policy for Android specifies the rules and settings that Android devices must meet to be considered compliant. You can use these policies with conditional access to allow or block access to company resources. You can also get device reports and take actions for noncompliance. You create device compliance policies for each platform in the Intune Azure portal. To learn more about compliance policies, and any prerequisites, see Get started with device compliance.

The following table describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.


Policy setting                   Android 4.0 and later, Samsung Knox Standard 4.0 and later
-------------------------------  ----------------------------------------------------------
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The Company Portal notifies the user about any compliance problems.

Create a device compliance policy

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Select Device compliance > Policies > Create Policy.
  4. Enter a Name and Description.
  5. For Platform, select Android. Choose Settings > Configure, and enter the Device health, Device properties, and System security settings. When done, select OK, and then Create.

Device health

  • Rooted devices: If you enable this setting, rooted (jailbroken) devices are evaluated as noncompliant.

  • Require the device to be at or under the Device Threat Level: Use this setting to take the risk assessment from the Lookout MTP solution as a condition for compliance. Choose the maximum allowed threat level:

    • Secured: This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threat, it is evaluated as noncompliant.
    • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium: The device is evaluated as compliant if the threats present on the device are low or medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
    • High: This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.
  • Google Play Services is configured: Require that the Google Play services app is installed and enabled. Google Play services delivers security updates, and is a base-level dependency for many security features on Google-certified devices.

  • Up-to-date security provider: Require that an up-to-date security provider is present, so that the device is protected from known vulnerabilities.

  • Threat scan on apps: Require that the Android Verify Apps feature is enabled.

    Note

    On the legacy Android platform, this feature is a compliance setting, and Intune can only check whether it is enabled at the device level. On devices with work profiles (Android for Work), this setting is a configuration policy setting, which lets administrators enable it on the device.

    If your enterprise uses Android work profiles, you can enable Threat scan on apps for your enrolled devices. Create a device profile and require the system security setting. For more information, see Android for Work device restriction settings in Intune.

  • SafetyNet device attestation: Enter the level of SafetyNet attestation that must be met. Your options:

    • Not configured
    • Check basic integrity
    • Check basic integrity & certified devices

Device property settings

  • Minimum OS version: When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources.
  • Maximum OS version: When a device is using an OS version later than the version specified in the rule, access to company resources is blocked. The user is asked to contact their IT admin. Until the rule is changed to allow the OS version, this device can't access company resources.

System security settings

Password

  • Require a password to unlock mobile devices: Require users to enter a password before they can access their device.
  • Minimum password length: Enter the minimum number of digits or characters that the user's password must have.
  • Required password type: Select whether a password should have only numeric characters, or a mix of numbers and other characters. Choose from:
    • Device Default
    • Low security biometric
    • At least numeric
    • Numeric complex: Repeated or consecutive numerals (such as "1111" or "1234") are not allowed.
    • At least alphabetic
    • At least alphanumeric
    • At least alphanumeric with symbols
  • Maximum minutes of inactivity before password is required: Enter the idle time before the user must re-enter their password.
  • Password expiration (days): Select the number of days before the password expires and the user must create a new password.
  • Number of previous passwords to prevent reuse: Enter the number of recent passwords that can't be reused. Use this setting to stop the user from re-creating previously used passwords.

Encryption

  • Encryption of data storage on a device (Android 4.0 and above, or KNOX 4.0 and above): Choose Require to encrypt data storage on your devices. Devices are encrypted when you also choose the Require a password to unlock mobile devices setting.

Device security

  • Block apps from unknown sources: Choose to block devices that have Security > Unknown sources enabled (Android 4.0 - Android 7.x; not supported on Android 8.0 and later). To side-load apps, unknown sources must be allowed. If you're not side-loading Android apps, enable this compliance setting.

    Important

    Side-loading applications requires that unknown sources be allowed on the device, which this setting treats as noncompliant. Enforce this compliance setting only if you are not side-loading Android apps on devices.

  • Company Portal app runtime integrity: Checks that the Company Portal app has the default runtime environment installed, is properly signed, is not in debug mode, and was installed from a known source.

  • Block USB debugging on device (Android 4.2 or later): Choose to prevent devices from using the USB debugging feature.

  • Minimum security patch level (Android 6.0 or later): Select the oldest security patch level a device can have. Devices that are not at least at this patch level are noncompliant. The date must be entered in YYYY-MM-DD format.
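The Device health, Device property and System security rules above each compare a value the device reports against a threshold in the policy, and several of those comparisons have an ordering that is easy to get wrong (threat levels, password types, OS versions, patch dates). The following is an added example, not Intune's own code or data model: it models a policy and a device record with constructed field names (the SafetyNet verdicts and the Lookout threat level are assumed to arrive as plain booleans and strings) and evaluates the device the way the page describes: threat levels are ordered Secured < Low < Medium < High, password types are ordered as the page lists them, OS versions are compared numerically rather than as strings (so "10" is newer than "8.0"), the unknown-sources check is skipped on Android 8.0 and later, and the patch level must parse as YYYY-MM-DD (date.fromisoformat raises ValueError on anything else).

```python
"""Offline model of the rules an Intune Android compliance policy applies. Added
example, not Intune's code: field names and sample devices are constructed."""
from dataclasses import dataclass
from datetime import date
# Lookout threat levels, least to most severe; a device passes at or under the policy maximum.
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}
# Required password types, weakest to strongest, in the order the page lists them.
PASSWORD_RANK = {"deviceDefault": 0, "lowSecurityBiometric": 1, "numeric": 2, "numericComplex": 3,
                 "alphabetic": 4, "alphanumeric": 5, "alphanumericWithSymbols": 6}

def parse_version(v):
    """'8.1.0' -> (8, 1, 0), '10' -> (10, 0, 0): tuples compare numerically, so '10' > '8.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

@dataclass
class Policy:
    block_rooted: bool = True
    max_threat_level: str = "low"                  # None = threat level not used
    require_play_services: bool = True
    require_security_provider: bool = True
    require_verify_apps: bool = True
    safetynet: str = "basicIntegrityAndCertified"  # or "notConfigured", "basicIntegrity"
    os_min: str = "8.0"
    os_max: str = None
    password_required: bool = True
    password_min_length: int = 6
    password_type: str = "numericComplex"
    require_encryption: bool = True
    block_unknown_sources: bool = True
    block_usb_debugging: bool = True
    min_patch_level: str = "2018-03-01"            # YYYY-MM-DD, as the page requires

@dataclass
class Device:
    name: str
    os_version: str
    patch_level: str
    rooted: bool = False
    threat_level: str = "secured"
    play_services: bool = True
    security_provider_current: bool = True
    verify_apps: bool = True
    basic_integrity: bool = True     # SafetyNet basic integrity verdict (assumed boolean)
    cts_profile_match: bool = True   # SafetyNet certified-device verdict (assumed boolean)
    password_set: bool = True
    password_length: int = 6
    password_type: str = "numericComplex"
    encrypted: bool = True
    unknown_sources: bool = False
    usb_debugging: bool = False

REQUIRED_FLAGS = [  # (policy attr, device attr, reason): policy requires it, device must report it
    ("require_play_services", "play_services", "Google Play services missing"),
    ("require_security_provider", "security_provider_current", "security provider out of date"),
    ("require_verify_apps", "verify_apps", "Verify Apps disabled"),
    ("require_encryption", "encrypted", "storage not encrypted"),
]

def evaluate(policy, dev):
    """Return the list of failed rules; an empty list means the device is compliant."""
    failed = []
    osv = parse_version(dev.os_version)
    if policy.block_rooted and dev.rooted:
        failed.append("rooted device")
    if policy.max_threat_level and THREAT_RANK[dev.threat_level] > THREAT_RANK[policy.max_threat_level]:
        failed.append(f"threat level {dev.threat_level} above {policy.max_threat_level}")
    for pol_attr, dev_attr, reason in REQUIRED_FLAGS:
        if getattr(policy, pol_attr) and not getattr(dev, dev_attr):
            failed.append(reason)
    if policy.safetynet != "notConfigured" and not dev.basic_integrity:
        failed.append("SafetyNet basic integrity failed")
    if policy.safetynet == "basicIntegrityAndCertified" and not dev.cts_profile_match:
        failed.append("SafetyNet certified-device check failed")
    if policy.os_min and osv < parse_version(policy.os_min):
        failed.append(f"OS {dev.os_version} below minimum {policy.os_min}")
    if policy.os_max and osv > parse_version(policy.os_max):
        failed.append(f"OS {dev.os_version} above maximum {policy.os_max}")
    if policy.password_required and not dev.password_set:
        failed.append("no password")
    elif policy.password_required:
        if dev.password_length < policy.password_min_length:
            failed.append("password too short")
        if PASSWORD_RANK[dev.password_type] < PASSWORD_RANK[policy.password_type]:
            failed.append(f"password type {dev.password_type} weaker than {policy.password_type}")
    # Unknown sources is a device-wide switch only on Android 4.0 - 7.x; the page says 8.0+ is unsupported.
    if policy.block_unknown_sources and osv < (8, 0, 0) and dev.unknown_sources:
        failed.append("unknown sources enabled")
    if policy.block_usb_debugging and dev.usb_debugging:
        failed.append("USB debugging enabled")
    if policy.min_patch_level and date.fromisoformat(dev.patch_level) < date.fromisoformat(policy.min_patch_level):
        failed.append(f"patch level {dev.patch_level} older than {policy.min_patch_level}")
    return failed

SAMPLE_DEVICES = [  # constructed sample devices, not real inventory
    Device("pixel-ok", "10", "2019-09-05"),
    Device("old-rooted", "7.1.2", "2017-11-01", rooted=True, threat_level="medium", cts_profile_match=False,
           password_type="numeric", unknown_sources=True, usb_debugging=True),
]
```

Running `evaluate(Policy(), d)` for each entry in SAMPLE_DEVICES returns an empty list for pixel-ok and eight failed rules for old-rooted. The Quarantined semantics from the table above apply to every one of these failures: the device OS does not fix the condition, so the result only feeds conditional access and the Company Portal notification.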

Locations

In your policy, choose from existing locations. Don't have a location yet? See Use locations (network fence) in Intune for guidance on creating one.

  1. Choose Select locations.
  2. From the list, check your location, and choose Select.
  3. Save the policy.
  4. Select Actions for noncompliance. The default action marks the device as noncompliant immediately. This action applies when you select at least one location and the device isn't connected to any of the selected locations.

You can change this action to mark the device noncompliant on a schedule, such as after one day. You can also configure a second action that sends an email to the user when the device is no longer compliant with your locations.
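To show how a location fence and the scheduled actions for noncompliance interact over time, here is an added example that is not Intune's code: the locations, their network ranges, the action list and the device's check-in history are all constructed, and the rule that the clock restarts once the device reconnects to a selected location is this model's own assumption rather than something the page states. Each location is a set of network ranges; a device is inside the fence when its address falls in any range of any selected location. Actions carry a grace period in hours: the e-mail action fires at the first check-in off the fence, while the mark-noncompliant action, delayed to one day as the text above describes, fires at the first check-in at which the device has been off the fence for 24 hours.

```python
"""Network-fence membership plus the noncompliance action schedule. Added example,
not Intune's code: locations, actions and check-ins are constructed, and resetting
the off-fence clock when the device returns is an assumption of this model."""
import ipaddress
from datetime import datetime, timedelta

# Locations as the page describes them: named sets of network ranges (constructed).
LOCATIONS = {
    "HQ-LAN": ["10.20.0.0/16", "192.168.50.0/24"],
    "Branch-Wifi": ["172.16.8.0/22"],
}
# Actions for noncompliance as (action, grace period in hours). The page's default is to
# mark the device noncompliant immediately; here that is delayed by one day and a second
# action e-mails the user right away.
ACTIONS = [("markNoncompliant", 24), ("notifyUserByEmail", 0)]

def in_any_location(device_ip, selected):
    """Name of the first selected location whose ranges contain device_ip, else None."""
    ip = ipaddress.ip_address(device_ip)
    for name in selected:
        if any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in LOCATIONS[name]):
            return name
    return None

def track(checkins, selected, actions=ACTIONS):
    """Replay a device's (timestamp, ip) check-ins in order. Time off the fence is counted
    from the first check-in outside every selected location; an action fires at the first
    check-in at which its grace period has elapsed. Returns {action: time it fired}."""
    fired, off_since = {}, None
    for ts, ip in checkins:
        if in_any_location(ip, selected):
            fired, off_since = {}, None   # back inside the fence: start over (assumption)
            continue
        off_since = off_since or ts
        for action, grace in actions:
            if action not in fired and ts - off_since >= timedelta(hours=grace):
                fired[action] = ts
    return fired

# Constructed check-in history: one check-in at HQ, then three check-ins off-site.
T0 = datetime(2018, 9, 3, 8, 0)
CHECKINS = [
    (T0, "10.20.3.7"),                          # inside HQ-LAN
    (T0 + timedelta(hours=2), "203.0.113.9"),   # first check-in off the fence: e-mail fires
    (T0 + timedelta(hours=20), "203.0.113.9"),  # 18 h off the fence: still within the 24 h grace
    (T0 + timedelta(hours=27), "203.0.113.9"),  # 25 h off the fence: markNoncompliant fires
]
```

`track(CHECKINS, ["HQ-LAN"])` returns the e-mail action stamped with the second check-in and the mark-noncompliant action stamped with the fourth; with only the first three check-ins the device is still inside its grace period and is not yet marked noncompliant. Because the grace period is measured from the first off-fence check-in rather than from the last one, a device that checks in only every few days can be marked noncompliant at a check-in well after the 24 hours have passed.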

Assign user groups

  1. Choose a policy that you've configured. Existing policies are in Device compliance > Policies.
  2. Choose the policy, and then choose Assignments. You can include or exclude Azure Active Directory (AD) security groups.
  3. Choose Selected groups to see your Azure AD security groups. Select the user groups you want this policy to apply to, and choose Save to deploy the policy to users.

You have applied the policy to users. The devices used by the users who are targeted by the policy are evaluated for compliance.

Next steps

Automate email and add actions for noncompliant devices
Monitor Intune device compliance policies