Add a device compliance policy for iOS devices in Intune

An Intune iOS device compliance policy determines the rules and settings that iOS devices must meet to be considered compliant. When you use device compliance policies together with conditional access, you can allow or block access to company resources. You can also get device reports and take actions for noncompliance. Device compliance policies for each platform are created in the Intune Azure portal. To learn more about compliance policies and their prerequisites, see Get started with device compliance.

The following table describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.


Policy setting                   iOS 8.0 and later
-------------------------------  -------------------------------
PIN or password configuration    Remediated
Device encryption                Remediated (by setting PIN)
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Quarantined
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The company portal notifies the user about any compliance problems.

Create a device compliance policy

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Select Device compliance > Policies > Create Policy.
  4. Enter a Name and Description.
  5. For Platform, select iOS. Under Settings, choose Configure, and enter the Email, Device Health, Device Properties, and System Security settings. When you're done, select OK, and then Create.

Email

  • Require mobile devices to have a managed email profile: If you set this to Require, devices that don't have an email profile managed by Intune are considered noncompliant. A device may not have a managed email profile when it isn't correctly targeted, or if the user manually set up the email account on the device.

    The device is considered noncompliant in the following situations:

    • The email profile is deployed to a user group other than the user group that the compliance policy targets.
    • The user has already set up an email account on the device that matches the Intune email profile deployed to the device. Intune cannot overwrite the user-provisioned profile, and therefore cannot manage it. To ensure compliance, the user must remove the existing email settings. Then Intune can install the managed email profile.
  • Select the email profile that must be managed by Intune: If the Email account must be managed by Intune setting is selected, choose Select to specify the Intune email profile. The email profile must be present on the device.

For details about email profiles, see Configure access to corporate email using email profiles with Microsoft Intune.

Device health

  • Jailbroken devices: If you enable this setting, jailbroken devices are not compliant.
  • Require the device to be at or under the Device Threat Level (iOS 8.0 and newer): Choose the maximum threat level that still counts as compliant. Devices that exceed this threat level are marked as noncompliant:
    • Secured: This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threat, it is evaluated as noncompliant.
    • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium: The device is evaluated as compliant if the existing threats on the device are low or medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
    • High: This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

Device properties

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade is shown. The user can choose to upgrade their device; after that, they can access company resources.
  • Maximum OS version allowed: When a device uses an OS version later than the version specified in the rule, access to company resources is blocked. The user is then asked to contact their IT admin. Until the rule is changed to allow the OS version, this device cannot access company resources.

System security

Password

Note

After a compliance or configuration policy is applied to an iOS device, users are prompted to set a passcode every 15 minutes. Users are continually prompted until a passcode is set.

  • Require a password to unlock mobile devices: Require users to enter a password before they can access their device. iOS devices that use a password are encrypted.

  • Simple passwords: Set to Block so users can't create simple passwords, such as 1234 or 1111. Set to Not configured to let users create passwords like 1234 or 1111.

  • Minimum password length: Enter the minimum number of digits or characters that the password must have.

  • Required password type: Choose whether a password should have only Numeric characters, or a mix of numbers and other characters (Alphanumeric).

  • Number of non-alphanumeric characters in password: Enter the minimum number of special characters (&, #, %, !, and so on) that must be included in the password.

    Setting a higher number requires the user to create a more complex password.

  • Maximum minutes of inactivity before password is required: Enter the idle time before the user must re-enter their password.

  • Password expiration (days): Select the number of days before the password expires and the user must create a new one.

  • Number of previous passwords to prevent reuse: Enter the number of previously used passwords that cannot be reused.
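To make the Device health, Device properties, Password and Email settings above concrete, here is an added example (not Intune's own code) that models how a device's reported state is checked against a policy with those settings. The policy and device field names are assumptions for illustration; it also shows why OS versions must be compared numerically rather than as strings.

```python
from dataclasses import dataclass
from typing import Optional

# Device Threat Level ladder, strictest first; a device must be at or under the policy's level.
THREAT_LEVELS = ["secured", "low", "medium", "high"]


def version_key(version: str) -> tuple:
    """Numeric version key: '10.3.1' ranks above '9.3.5', which a plain string comparison gets wrong."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class IosCompliancePolicy:             # assumed field names, mirroring the settings on this page
    block_jailbroken: bool = True
    max_threat_level: str = "low"      # "secured" is strictest, "high" allows every level
    os_minimum: Optional[str] = None   # Minimum OS required
    os_maximum: Optional[str] = None   # Maximum OS version allowed
    require_passcode: bool = True
    require_managed_email_profile: bool = False


@dataclass
class DeviceReport:                    # constructed device state, as Intune would receive it
    jailbroken: bool = False
    threat_level: str = "secured"
    os_version: str = "12.0"
    passcode_set: bool = True
    managed_email_profile: bool = True


def evaluate(policy: IosCompliancePolicy, device: DeviceReport) -> list:
    """Return the settings the device fails; an empty list means the device is compliant."""
    failures = []
    if policy.block_jailbroken and device.jailbroken:
        failures.append("jailbroken")            # quarantined: the OS cannot fix this
    if THREAT_LEVELS.index(device.threat_level) > THREAT_LEVELS.index(policy.max_threat_level):
        failures.append("threat level")
    if policy.os_minimum and version_key(device.os_version) < version_key(policy.os_minimum):
        failures.append("minimum OS")            # user is shown an upgrade link
    if policy.os_maximum and version_key(device.os_version) > version_key(policy.os_maximum):
        failures.append("maximum OS")            # blocked until the rule is changed
    if policy.require_passcode and not device.passcode_set:
        failures.append("passcode")              # remediated: iOS prompts the user to set one
    if policy.require_managed_email_profile and not device.managed_email_profile:
        failures.append("managed email profile")
    return failures
```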

Assign user groups

  1. Choose a policy that you've configured. Existing policies are in Device compliance > Policies.
  2. Choose the policy, and then choose Assignments. You can include or exclude Azure Active Directory (AD) security groups.
  3. Choose Selected groups to see your Azure AD security groups. Select the user groups you want this policy to apply to, and choose Save to deploy the policy to users.

You have applied the policy to users. The devices used by the users targeted by the policy are evaluated for compliance.

Next steps

Automate email and add actions for noncompliant devices
Monitor Intune device compliance policies