How to create a device compliance policy for Android for Work devices in Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites that you need to address before creating a compliance policy, see the Get started with device compliance topic.

The table below describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.


Policy setting                   Android for Work
PIN or password configuration    Quarantined
Device encryption                Quarantined
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Not applicable
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal

  1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance policies and choose Create.
  2. Type a name and description, and choose the platform that you want this policy to apply to.
  3. Choose Compliance requirements to specify the Security, Device health, and Device property settings. When you are done, choose Ok.

Assign user groups

To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in the Compliance - policy blade.

  1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can select Azure Active Directory security groups and assign them to the policy.
  2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys the policy to users.

You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated for compliance.

System security settings

Password

  • Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before they can access their device.
  • Minimum password length: Specify the minimum number of digits or characters that the password must contain.
  • Password quality: This setting detects whether the password requirements you specify are configured on the device. Enable this setting to require that users configure certain password requirements for Android devices. Choose from:
    • Low security biometric
    • Required
    • At least numeric
    • At least alphabetic
    • At least alphanumeric
    • Alphanumeric with symbols
  • Minutes of inactivity before password is required: Specifies the idle time before the user must re-enter their password.
  • Password expiration (days): Select the number of days before the user's password expires and they must create a new one.
  • Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.
  • Prevent reuse of previous passwords: If Remember password history is selected, specify the number of previously used passwords that cannot be re-used.
  • Require a password when the device returns from an idle state: This setting should be used together with the Minutes of inactivity before password is required setting. End users are prompted to enter a password to access a device that has been inactive for the time specified in the Minutes of inactivity before password is required setting.

Encryption

  • Require encryption on mobile device: You don't have to configure this setting, since Android for Work devices enforce encryption.

Device health and security settings

  • Device must not be jailbroken or rooted: If you enable this setting, jailbroken or rooted devices will be evaluated as noncompliant.
  • Require that devices prevent installation of apps from unknown sources: You do not have to configure this setting, as Android for Work devices always restrict installation from unknown sources.
  • Require that USB debugging is disabled: You do not have to configure this setting, as USB debugging is already disabled on Android for Work devices.
  • Minimum Android security patch level: Use this setting to specify the minimum Android patch level. Devices that are not at least at this patch level will be noncompliant. The date must be specified in the format YYYY-MM-DD.
  • Require device threat protection to be enabled: Use this setting to take the risk assessment from the Lookout MTP solution as a condition for compliance. Select the maximum allowed threat level, which is one of the following:
    • None (secured): This is the most secure. This means that the device cannot have any threats. If the device is detected as having any level of threat, it will be evaluated as noncompliant.
    • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium: The device is evaluated as compliant if the threats present on the device are low or medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
    • High: This is the least secure. Essentially, this allows all threat levels, and is perhaps only useful if you are using this solution for reporting purposes only.

For more details, see Enable device threat protection rule in the compliance policy.

Device property settings

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can access company resources.
  • Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, this device cannot be used to access company resources.
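The rules in the Device health and security settings and Device property settings sections above can be modelled as a small evaluator, which is useful for checking what a given policy would do to a device before assigning it. The following is an added example, not Intune's own code: the `Policy` and `DeviceReport` classes, the threat-level ordering and the sample values are all constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Threat levels as the page orders them; a setting of "low" admits
# "none" and "low", "medium" admits up to "medium", and so on.
THREAT_LEVELS = ["none", "low", "medium", "high"]

def version_tuple(v: str) -> tuple:
    """Turn '8.0.0' into (8, 0, 0) so OS versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class Policy:                      # hypothetical model of the portal settings
    min_os: Optional[str] = None               # Minimum OS required
    max_os: Optional[str] = None               # Maximum OS version allowed
    min_patch_level: Optional[str] = None      # YYYY-MM-DD, as the portal requires
    block_rooted: bool = False                 # Device must not be jailbroken or rooted
    max_threat_level: Optional[str] = None     # none / low / medium / high

@dataclass
class DeviceReport:                # hypothetical device inventory record
    os_version: str
    patch_level: str               # YYYY-MM-DD
    rooted: bool
    threat_level: str              # highest threat reported by the MTP solution

def evaluate(policy: Policy, device: DeviceReport) -> List[str]:
    """Return the names of the rules the device fails; an empty list means compliant."""
    failures = []
    if policy.min_os and version_tuple(device.os_version) < version_tuple(policy.min_os):
        failures.append("minimum OS version")
    if policy.max_os and version_tuple(device.os_version) > version_tuple(policy.max_os):
        failures.append("maximum OS version")
    if policy.min_patch_level:
        # date.fromisoformat rejects anything that is not YYYY-MM-DD
        if date.fromisoformat(device.patch_level) < date.fromisoformat(policy.min_patch_level):
            failures.append("minimum security patch level")
    if policy.block_rooted and device.rooted:
        failures.append("rooted device")
    if policy.max_threat_level:
        if THREAT_LEVELS.index(device.threat_level) > THREAT_LEVELS.index(policy.max_threat_level):
            failures.append("device threat level")
    return failures

# Constructed sample policy and device: the device meets every rule.
SAMPLE_POLICY = Policy(min_os="8.0.0", max_os="9.0.0", min_patch_level="2017-09-05",
                       block_rooted=True, max_threat_level="low")
SAMPLE_DEVICE = DeviceReport(os_version="8.0.0", patch_level="2017-10-05",
                             rooted=False, threat_level="low")
```

A device that fails any rule would be quarantined as the table above describes: blocked if a conditional access policy applies to its user, and notified through the company portal.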