How to create a device compliance policy for Android devices in Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

Device compliance policies are created for each platform from the Intune Azure portal.

To create a device compliance policy

  1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance policies, and then choose Create.
  2. Type a name and description, and choose the platform that you want this policy to apply to.
  3. Choose Compliance requirements to specify the Security, Device health, and Device property settings. When you are done, choose OK.

To assign user groups

To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in the Compliance - policies blade.

  1. Choose the policy, and then choose Assignments. This opens the blade where you can select Azure Active Directory security groups and assign them to the policy.
  2. Choose Select groups to open the blade that displays the Azure AD security groups. Here you can find the security groups in your Azure Active Directory. Select the user groups you want this policy to apply to, and then choose Select. Choosing Select deploys the policy to users.

You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated for compliance.

Device health and security settings

  • Device must not be jailbroken or rooted: If you enable this setting, rooted or jailbroken devices will be evaluated as noncompliant.
  • Require that devices prevent installation of apps from unknown sources (Android 4.0 or later): To block devices that have Security > Unknown sources enabled on the device, enable this setting and set it to Yes.

Important

Side-loading applications requires that the Unknown sources setting is enabled. Enforce this compliance policy only if you are not side-loading Android apps on devices.

  • Require that USB debugging is disabled (Android 4.2 or later): This setting specifies whether to detect that the USB debugging option on the device is enabled.
  • Require devices have enabled Scan device for security threats (Android 4.2-4.4): This setting specifies that the Verify apps feature is enabled on the device.
  • Minimum Android security patch level (Android 6.0 or later): Use this setting to specify the minimum Android patch level. Devices that are not at least at this patch level will be noncompliant. The date must be specified in the format YYYY-MM-DD.
  • Require device threat protection to be enabled: Use this setting to take the risk assessment from the Lookout MTP solution as a condition for compliance. Choose the maximum allowed threat level, which is one of the following:
    • None (secured): This is the most secure. This means that the device cannot have any threats. If the device is detected as having any level of threat, it is evaluated as noncompliant.
    • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium: The device is evaluated as compliant if the threats that are present on the device are low or medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
    • High: This is the least secure. Essentially, this allows all threat levels. It may be useful if you are using this solution only for reporting purposes.

For more details, see Enable device threat protection rule in the compliance policy.

System security settings

Password

  • Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before they can access their device.
  • Minimum password length: Specify the minimum number of digits or characters that the user's password must have.
  • Password quality: This setting detects whether the password requirements that you specify are set up on the device. Enable this setting to require that users meet certain password requirements for Android devices. Choose from:
    • Low security biometric
    • Required
    • At least numeric
    • At least alphabetic
    • At least alphanumeric
    • Alphanumeric with symbols
  • Minutes of inactivity before password is required: Specify the idle time before the user must reenter their password.
  • Password expiration (days): Select the number of days before the password expires and the user must create a new one.
  • Remember password history: Use this setting together with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.
  • Prevent reuse of previous passwords: If you selected Remember password history, specify the number of previously used passwords that cannot be reused.
  • Require a password when the device returns from an idle state: Use this setting together with the Minutes of inactivity before password is required setting. The user is prompted to enter a password to access a device that has been inactive for the time specified in that setting.

Encryption

  • Require encryption on mobile device: Set this to Yes to require devices to be encrypted in order to connect to resources. Devices are encrypted when you choose the setting Require a password to unlock mobile devices.

Device property settings

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade is shown. The user can choose to upgrade their device, after which they can access company resources.
  • Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, the device cannot be used to access company resources.
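The device health, password, encryption and device property settings above are all evaluated per device, and a few of them have ordering rules that are easy to get wrong (the threat level scale, the YYYY-MM-DD patch level, dotted OS versions where 10 must sort after 9). The following is an added example, not Intune's code or Microsoft's API: it models those settings in Python and evaluates constructed device records against a constructed policy so you can see which settings a device would fail. Field and function names are this example's own; the relative ordering of the password quality options is an assumption, since the page only lists them.

```python
# Added example (not Intune's code): a local model of the Android compliance
# settings described on this page, evaluated over constructed device records.
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Threat levels in increasing severity; "none" is the portal's "None (secured)".
THREAT_LEVELS = ["none", "low", "medium", "high"]
# Password quality options from weakest to strongest (ordering is an
# assumption of this example; the page only lists the options).
PASSWORD_QUALITY = ["low_security_biometric", "required", "numeric",
                    "alphabetic", "alphanumeric", "alphanumeric_with_symbols"]
PATCH_LEVEL_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass
class AndroidCompliancePolicy:
    """Settings an admin can turn on in the portal; everything off by default."""
    block_rooted: bool = False
    block_unknown_sources: bool = False
    require_usb_debugging_disabled: bool = False
    require_verify_apps: bool = False
    min_security_patch_level: Optional[str] = None  # YYYY-MM-DD, as the page requires
    max_threat_level: Optional[str] = None          # one of THREAT_LEVELS
    require_password: bool = False
    min_password_length: int = 0
    password_quality: Optional[str] = None          # one of PASSWORD_QUALITY
    require_encryption: bool = False
    os_minimum_version: Optional[str] = None
    os_maximum_version: Optional[str] = None


@dataclass
class AndroidDevice:
    """A constructed device inventory record, one field per evaluated property."""
    name: str
    rooted: bool = False
    unknown_sources_enabled: bool = False
    usb_debugging_enabled: bool = False
    verify_apps_enabled: bool = True
    security_patch_level: str = "1970-01-01"
    threat_level: str = "none"
    password_set: bool = False
    password_length: int = 0
    password_quality: str = "required"
    encrypted: bool = False
    os_version: str = "0"


def parse_patch_level(value: str) -> date:
    """Accept only the YYYY-MM-DD form the page requires and reject anything else."""
    if not PATCH_LEVEL_RE.match(value):
        raise ValueError(f"patch level must be YYYY-MM-DD, got {value!r}")
    return date.fromisoformat(value)  # also rejects impossible dates such as month 13


def is_valid_patch_level(value: str) -> bool:
    try:
        parse_patch_level(value)
        return True
    except ValueError:
        return False


def parse_version(value: str) -> tuple:
    """Dotted numeric version -> tuple, so 8.1.0 sorts after 7.1 and 10 after 9."""
    return tuple(int(part) for part in value.split("."))


def evaluate(policy: AndroidCompliancePolicy, device: AndroidDevice) -> List[str]:
    """Return the names of the settings the device fails; empty means compliant."""
    failures = []
    if policy.block_rooted and device.rooted:
        failures.append("rooted")
    if policy.block_unknown_sources and device.unknown_sources_enabled:
        failures.append("unknown_sources")
    if policy.require_usb_debugging_disabled and device.usb_debugging_enabled:
        failures.append("usb_debugging")
    if policy.require_verify_apps and not device.verify_apps_enabled:
        failures.append("verify_apps")
    if policy.min_security_patch_level is not None and (
            parse_patch_level(device.security_patch_level)
            < parse_patch_level(policy.min_security_patch_level)):
        failures.append("security_patch_level")
    if policy.max_threat_level is not None and (
            THREAT_LEVELS.index(device.threat_level)
            > THREAT_LEVELS.index(policy.max_threat_level)):
        failures.append("threat_level")
    if policy.require_password:
        if not device.password_set:
            failures.append("password_required")
        else:
            if device.password_length < policy.min_password_length:
                failures.append("password_length")
            if policy.password_quality is not None and (
                    PASSWORD_QUALITY.index(device.password_quality)
                    < PASSWORD_QUALITY.index(policy.password_quality)):
                failures.append("password_quality")
    if policy.require_encryption and not device.encrypted:
        failures.append("encryption")
    if policy.os_minimum_version is not None and (
            parse_version(device.os_version) < parse_version(policy.os_minimum_version)):
        failures.append("os_minimum_version")
    if policy.os_maximum_version is not None and (
            parse_version(device.os_version) > parse_version(policy.os_maximum_version)):
        failures.append("os_maximum_version")
    return failures


# Constructed sample policy and devices (not real tenant data).
EXAMPLE_POLICY = AndroidCompliancePolicy(
    block_rooted=True, block_unknown_sources=True, require_usb_debugging_disabled=True,
    require_verify_apps=True, min_security_patch_level="2017-06-01",
    max_threat_level="medium", require_password=True, min_password_length=6,
    password_quality="alphanumeric", require_encryption=True,
    os_minimum_version="7.0", os_maximum_version="9.0")
COMPLIANT_DEVICE = AndroidDevice(
    name="phone-ok", security_patch_level="2017-09-05", threat_level="low",
    password_set=True, password_length=8, password_quality="alphanumeric_with_symbols",
    encrypted=True, os_version="8.1.0")
NONCOMPLIANT_DEVICE = AndroidDevice(
    name="tablet-bad", rooted=True, unknown_sources_enabled=True,
    usb_debugging_enabled=True, verify_apps_enabled=False,
    security_patch_level="2017-01-01", threat_level="high", password_set=True,
    password_length=4, password_quality="numeric", encrypted=False, os_version="6.0.1")

if __name__ == "__main__":
    for dev in (COMPLIANT_DEVICE, NONCOMPLIANT_DEVICE):
        print(dev.name, evaluate(EXAMPLE_POLICY, dev) or "compliant")
```

Running the block prints `phone-ok compliant` and the ten failed settings for `tablet-bad`. Two points worth noting from the model: a policy set to "None (secured)" fails a device with even a low threat, while "High" fails nothing, which is why the page calls it useful only for reporting; and the patch level is validated as a real YYYY-MM-DD date before any comparison, so a value entered in another format is rejected rather than silently compared as a string.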

How do non-compliant settings work with conditional access policies?

The table below describes how non-compliant settings are managed when a compliance policy is used with a conditional access policy.


Policy setting                 Android 4.0 and later, Samsung Knox Standard 4.0 and later
PIN or password configuration  Quarantined
Device encryption              Quarantined
Jailbroken or rooted device    Quarantined (not a setting)
Email profile                  Not applicable
Minimum OS version             Quarantined
Maximum OS version             Quarantined
Windows health attestation     Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The company portal notifies the user about any compliance problems.