How to create a device compliance policy for Android devices in Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

An Intune device compliance policy for Android specifies the rules and settings that an Android device must meet to be considered compliant. You can use these policies together with conditional access to allow or block access to company resources, and you can get device compliance reports and take action on devices that are noncompliant. Device compliance policies are created per platform in the Intune Azure portal. To learn more about compliance policies and the prerequisites you must address before creating one, see Get started with device compliance.

To create a device compliance policy

  1. Sign in to the Azure portal.
  2. Choose All services > Intune. Intune is located in the Monitoring + Management section.
  3. From the Intune pane, choose Device compliance. Under Manage, choose Policies, and then choose Create policy.
  4. Choose Settings > Configure to specify the System Security, Device Health and Device Properties settings (each setting is described in the sections below). When you are done, choose OK.

To assign user groups

To assign a compliance policy to users, choose a policy that you have already configured. Existing policies are listed in the Device compliance – Policies pane.

  1. Choose the policy, and then choose Assignments. This opens the pane where you select the Azure Active Directory security groups that the policy is assigned to.
  2. Choose Selected groups to open the pane that lists the Azure AD security groups in your directory. Select the user groups the policy should apply to, and then choose Save to deploy the policy to those users.

The policy is now applied to the selected users, and the devices of those users are evaluated for compliance.
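The same policy can be created and assigned programmatically instead of through the portal blades above. The following added example (not code from the Intune documentation page) builds the request bodies for the Microsoft Graph resource microsoft.graph.androidCompliancePolicy, whose property names correspond to the portal settings described in the sections below, and posts them with the standard library so nothing beyond Python is needed. The policy name, patch-level date, OS versions, group ID and the choice to block with no grace period are sample values chosen for the example; the Graph requirement that a new compliance policy carry at least one scheduled action (here a block action, which is what marks the device noncompliant) is not stated on this page. A bearer token with the DeviceManagementConfiguration.ReadWrite.All permission is assumed to be obtained elsewhere.

```python
"""Build and submit an Android device compliance policy via Microsoft Graph.

Example code accompanying the portal procedure; not Intune's own tooling.
"""
import json
import urllib.request
from datetime import date
from typing import Any, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
THREAT_LEVELS = ("secured", "low", "medium", "high")  # portal: None (secured) / Low / Medium / High


def build_android_compliance_policy(
    display_name: str,
    min_patch_level: str,            # "YYYY-MM-DD", the format the portal requires
    os_min: str,
    os_max: Optional[str] = None,
    threat_level: str = "low",       # maximum allowed threat level reported by the MTP partner
    grace_period_hours: int = 0,     # 0 = mark noncompliant immediately (sample choice)
) -> Dict[str, Any]:
    # Reject a malformed patch date before it reaches the service.
    date.fromisoformat(min_patch_level)
    if threat_level not in THREAT_LEVELS:
        raise ValueError("threat_level must be one of %s" % (THREAT_LEVELS,))
    body: Dict[str, Any] = {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": display_name,
        "description": "Sample Android compliance baseline",
        # Device health settings
        "securityBlockJailbrokenDevices": True,                 # rooted devices are noncompliant
        "securityPreventInstallAppsFromUnknownSources": True,   # Unknown sources must be off
        "securityDisableUsbDebugging": True,                    # USB debugging must be off
        "securityRequireVerifyApps": True,                      # Verify apps must be on
        "minAndroidSecurityPatchLevel": min_patch_level,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": threat_level,
        # System security settings (sample values)
        "passwordRequired": True,
        "passwordMinimumLength": 6,
        "passwordRequiredType": "alphanumeric",
        "passwordMinutesOfInactivityBeforeLock": 5,
        "passwordExpirationDays": 90,
        "passwordPreviousPasswordBlockCount": 5,
        "storageRequireEncryption": True,
        # Device property settings
        "osMinimumVersion": os_min,
        # Graph rejects a compliance policy that has no scheduled action for its rule.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": grace_period_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }
    if os_max:
        body["osMaximumVersion"] = os_max
    return body


def build_group_assignment(group_ids: List[str]) -> Dict[str, Any]:
    """Body for POST .../deviceCompliancePolicies/{id}/assign targeting Azure AD groups."""
    return {"assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": gid}}
        for gid in group_ids
    ]}


def graph_post(token: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:   # network call; not exercised offline
        raw = resp.read()
    return json.loads(raw) if raw else {}       # /assign answers 204 with an empty body


def create_and_assign(token: str, policy: Dict[str, Any], group_ids: List[str]) -> str:
    """Create the policy, assign it to the groups and return the new policy id."""
    created = graph_post(token, "/deviceManagement/deviceCompliancePolicies", policy)
    graph_post(token, "/deviceManagement/deviceCompliancePolicies/%s/assign" % created["id"],
               build_group_assignment(group_ids))
    return created["id"]


if __name__ == "__main__":
    # Print the body only; supply a token to create_and_assign() to actually submit it.
    print(json.dumps(build_android_compliance_policy("Android baseline", "2017-06-01", "6.0", "8.1"), indent=2))
```

The assignment call is the programmatic form of step 2 under "To assign user groups": one groupAssignmentTarget per Azure AD security group.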

Device health and security settings

  • Device must not be jailbroken or rooted: If you enable this setting, rooted (jailbroken) devices are evaluated as noncompliant.
  • Require that devices prevent installation of apps from unknown sources (Android 4.0 or later): To block devices that have Security > Unknown sources enabled, enable this setting and set it to Yes.

Note: Side-loading applications requires the Unknown sources setting to be enabled. Enforce this compliance setting only if you are not side-loading Android apps onto devices.

  • Require that USB debugging is disabled (Android 4.2 or later): This setting detects whether the USB debugging option is enabled on the device; a device with USB debugging enabled is evaluated as noncompliant.
  • Require that devices have enabled Scan device for security threats (Android 4.2-4.4): This setting requires that the Verify apps feature is enabled on the device.
  • Minimum Android security patch level (Android 6.0 or later): Use this setting to specify the minimum Android security patch level. Devices that are not at least at this patch level are noncompliant. The date must be specified in the format YYYY-MM-DD.
  • Require device threat protection to be enabled: Use this setting to take the risk assessment from the Lookout MTP solution as a condition for compliance. Choose the maximum allowed threat level, which is one of the following:
    • None (secured): This is the most secure option. The device cannot have any threats; if a threat of any level is detected on the device, it is evaluated as noncompliant.
    • Low: The device is evaluated as compliant only if the threats present are low level. Anything higher puts the device in a noncompliant state.
    • Medium: The device is evaluated as compliant if the threats present are low or medium level. If a high-level threat is detected, the device is noncompliant.
    • High: This is the least secure option. It allows all threat levels, so it is useful mainly if you are using the solution for reporting only.

System security settings

  • Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before they can access their device.
  • Minimum password length: Specify the minimum number of digits or characters the user's password must contain.
  • Password quality: This setting detects whether the password requirements you specify are configured on the device. Enable it to require that users meet a specific password type on Android devices. Choose from (weakest to strongest):
    • Low security biometric
    • Required
    • At least numeric
    • At least alphabetic
    • At least alphanumeric
    • Alphanumeric with symbols
  • Minutes of inactivity before password is required: Specify the idle time after which the user must re-enter their password.
  • Password expiration (days): Select the number of days after which the password expires and the user must create a new one.
  • Remember password history: Use this setting together with Prevent reuse of previous passwords to stop users from re-creating passwords they have used before.
  • Prevent reuse of previous passwords: If you selected Remember password history, specify the number of previously used passwords that cannot be reused.
  • Require a password when the device returns from an idle state: Use this setting together with Minutes of inactivity before password is required. The user is prompted for a password to access a device that has been inactive for the time specified in that setting.

  • Require encryption on mobile device: Set this to Yes to require that the device is encrypted before it can connect to resources. Intune only checks the device's encryption state; on Android a screen-lock password or PIN is a prerequisite for device encryption, so use this setting together with Require a password to unlock mobile devices.

Device property settings

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant and the user is shown a link with information on how to upgrade. The user can choose to upgrade the device, after which it can access company resources.
  • Maximum OS version allowed: When a device is running an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, the device cannot be used to access company resources.
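To make the evaluation rules in the three settings sections above concrete, here is an added example (not Intune's evaluation engine, and not code from this page) that scores a device's reported state against a policy: threat levels are compared in the order None (secured) < Low < Medium < High, the patch level is compared as a YYYY-MM-DD date, the password quality is compared in the weakest-to-strongest order of the Password quality list (which follows Android's DevicePolicyManager PASSWORD_QUALITY_* ordering), and OS versions are compared numerically by component rather than as strings. The Policy and Device classes, the finding codes and the two sample devices are constructed for the example.

```python
"""Evaluate a reported Android device against compliance policy settings.

Example code illustrating the settings described above; not Intune's own logic.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# None (secured) < Low < Medium < High; an unknown/unavailable level sorts above High.
THREAT_ORDER = {"secured": 0, "low": 1, "medium": 2, "high": 3}
# Portal Password quality options, weakest to strongest (Android PASSWORD_QUALITY_* order).
PASSWORD_QUALITY_ORDER = ["low_security_biometric", "required", "numeric",
                          "alphabetic", "alphanumeric", "alphanumeric_with_symbols"]


def parse_version(version: str) -> Tuple[int, int, int]:
    """'7.1' -> (7, 1, 0) so that '7.1' and '7.1.0' compare equal."""
    parts = [int(p) for p in version.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


@dataclass
class Policy:
    block_rooted: bool = True
    block_unknown_sources: bool = True
    require_usb_debugging_disabled: bool = True
    require_verify_apps: bool = True
    min_patch_level: Optional[str] = None      # YYYY-MM-DD
    max_threat_level: Optional[str] = None     # None = device threat protection not required
    password_required: bool = True
    password_min_length: int = 0
    password_quality: Optional[str] = None     # value from PASSWORD_QUALITY_ORDER
    inactivity_minutes: Optional[int] = None   # minutes before password is required
    require_encryption: bool = True
    os_min: Optional[str] = None
    os_max: Optional[str] = None


@dataclass
class Device:
    rooted: bool
    unknown_sources_enabled: bool
    usb_debugging_enabled: bool
    verify_apps_enabled: bool
    patch_level: str               # YYYY-MM-DD as reported by the device
    threat_level: str              # as reported by the MTP partner
    password_set: bool
    password_length: int
    password_quality: str
    lock_after_minutes: Optional[int]  # None = never locks on inactivity
    encrypted: bool
    os_version: str


def evaluate(policy: Policy, device: Device) -> List[str]:
    """Return the codes of every setting the device fails; an empty list means compliant."""
    findings: List[str] = []
    if policy.block_rooted and device.rooted:
        findings.append("rooted")
    if policy.block_unknown_sources and device.unknown_sources_enabled:
        findings.append("unknown_sources")
    if policy.require_usb_debugging_disabled and device.usb_debugging_enabled:
        findings.append("usb_debugging")
    if policy.require_verify_apps and not device.verify_apps_enabled:
        findings.append("verify_apps")
    if policy.min_patch_level:
        try:
            if date.fromisoformat(device.patch_level) < date.fromisoformat(policy.min_patch_level):
                findings.append("patch_level")
        except ValueError:                      # unparseable device date: treat as failing
            findings.append("patch_level")
    if policy.max_threat_level is not None:
        if THREAT_ORDER.get(device.threat_level, 99) > THREAT_ORDER[policy.max_threat_level]:
            findings.append("threat_level")
    if policy.password_required:
        if not device.password_set:
            findings.append("password_missing")
        else:
            if device.password_length < policy.password_min_length:
                findings.append("password_length")
            if policy.password_quality and (
                PASSWORD_QUALITY_ORDER.index(device.password_quality)
                < PASSWORD_QUALITY_ORDER.index(policy.password_quality)
            ):
                findings.append("password_quality")
            if policy.inactivity_minutes is not None and (
                device.lock_after_minutes is None
                or device.lock_after_minutes > policy.inactivity_minutes
            ):
                findings.append("inactivity")
    if policy.require_encryption and not device.encrypted:
        findings.append("encryption")
    if policy.os_min and parse_version(device.os_version) < parse_version(policy.os_min):
        findings.append("os_too_old")
    if policy.os_max and parse_version(device.os_version) > parse_version(policy.os_max):
        findings.append("os_too_new")
    return findings


BASELINE = Policy(min_patch_level="2017-06-01", max_threat_level="low", password_min_length=6,
                  password_quality="alphanumeric", inactivity_minutes=5, os_min="6.0", os_max="8.1")

# Constructed sample devices: one that meets the baseline and one that fails most settings.
GOOD_DEVICE = Device(False, False, False, True, "2017-07-05", "secured", True, 8,
                     "alphanumeric_with_symbols", 1, True, "7.1.2")
BAD_DEVICE = Device(True, True, True, False, "2017-03-01", "medium", True, 4,
                    "numeric", 15, False, "5.1")

if __name__ == "__main__":
    print("good:", evaluate(BASELINE, GOOD_DEVICE))
    print("bad:", evaluate(BASELINE, BAD_DEVICE))
```

Note that the version comparison treats "8.1.5" as later than a maximum of "8.1", which matches the page's wording ("an OS version later than the one specified"); set the maximum to "8.1.99" or similar if you intend to allow every patch release of a minor version.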

How noncompliant settings work with conditional access policies

The table below describes how each noncompliant setting is handled when a compliance policy is used together with a conditional access policy.

Policy setting                   Android 4.0 and later, Samsung Knox Standard 4.0 and later
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android does not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The Company Portal notifies the user about any compliance problems.