How to create a device compliance policy for iOS devices in Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites you need to address before creating a compliance policy, see the Get started with device compliance topic.

The table below describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.


Policy setting                   iOS 8.0 and later
PIN or password configuration    Remediated
Device encryption                Remediated (by setting PIN)
Jailbroken or rooted device      Quarantined (not a setting)
Email profile                    Quarantined
Minimum OS version               Quarantined
Maximum OS version               Quarantined
Windows health attestation       Not applicable

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal

  1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance policies and choose Create.
  2. Type a name and description, and choose the platform that you want this policy to apply to.
  3. Choose Compliance requirements to specify the Security, Device health, and Device property settings. When you are done, choose Ok.

Assign user groups

To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in the Compliance policies blade.

  1. Choose the policy you want to assign to users and choose Assignments. This opens the blade where you can select Azure Active Directory security groups and assign them to the policy.
  2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys the policy to users.

You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated for compliance.

System security settings

Password

  • Require a password to unlock mobile devices: Set this to Yes to require the user to enter a password before they can access their device. iOS devices that use a password are encrypted.
  • Allow simple passwords: Set this to Yes to let the user create a simple password like 1234 or 1111.
  • Minimum password length: Specify the minimum number of digits or characters that the password must have.
  • Required password type: Specify whether the user must create an Alphanumeric password or a Numeric password.
  • Minimum number of character sets: If you set Required password type to Alphanumeric, use this setting to specify the minimum number of character sets that the password must have. The four character sets are:
    • Lowercase letters
    • Uppercase letters
    • Symbols
    • Numbers

Setting a higher number requires the user to create a more complex password.

For iOS devices, this setting refers to the number of special characters (for example, !, #, &) that must be included in the password.

  • Minutes of inactivity before password is required: Specify the idle time before the user must reenter their password.
  • Password expiration (days): Select the number of days before the password expires and the user must create a new one.
  • Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.
  • Prevent reuse of previous passwords: If you selected Remember password history, specify the number of previously used passwords that cannot be reused.
  • Require a password when the device returns from an idle state: Use this setting together with the Minutes of inactivity before password is required setting. The user is prompted to enter a password to access a device that has been inactive for the time specified in the Minutes of inactivity before password is required setting.

Email profile

  • Email account must be managed by Intune: When this option is set to Yes, the device must use the email profile deployed to the device. The device is considered noncompliant in the following situations:
    • The email profile is deployed to a user group other than the user group that the compliance policy targets.
    • The user has already set up an email account on the device that matches the Intune email profile deployed to the device. Intune cannot overwrite the user-provisioned profile, and therefore cannot manage it. To ensure compliance, the user must remove the existing email settings. Then, Intune can install the managed email profile.
  • Select the email profile that must be managed by Intune: If the Email account must be managed by Intune setting is selected, choose Select to specify the Intune email profile. The email profile must be present on the device.

For details about email profiles, see Configure access to corporate email using email profiles with Microsoft Intune.

Device health settings

  • Device must not be jailbroken or rooted: If you enable this setting, jailbroken devices will not be compliant.

Device properties

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade appears. The user can choose to upgrade their device; after that, they can access company resources.
  • Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, the device cannot be used to access company resources.
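As an added illustration (not Intune's own code, API or schema), the following Python models how the quarantined settings described above (jailbreak state, the managed email profile, and the minimum and maximum OS version bounds) would be evaluated against a device report; the data classes and profile IDs are constructed for this example, and version strings are compared numerically so that 10.10 ranks above 10.9.

```python
"""Illustrative evaluator for the iOS compliance settings on this page.
Constructed model for this example only; it is not Intune's evaluation engine."""
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v: str) -> tuple:
    """Split '10.3.1' into (10, 3, 1) so that '10.10' compares greater than
    '10.9'. A plain string comparison gets this wrong ('10.10' < '10.9')."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass
class IosCompliancePolicy:  # constructed model of the page's settings
    block_jailbroken: bool = True              # Device must not be jailbroken or rooted
    email_profile_required: bool = False       # Email account must be managed by Intune
    managed_email_profile_id: Optional[str] = None
    os_minimum_version: Optional[str] = None   # Minimum OS required
    os_maximum_version: Optional[str] = None   # Maximum OS version allowed


@dataclass
class IosDeviceReport:  # constructed model of what a device reports
    os_version: str
    jailbroken: bool
    email_profile_ids: set = field(default_factory=set)  # profiles installed on the device


def evaluate(policy: IosCompliancePolicy, device: IosDeviceReport) -> dict:
    """Return {setting: passed}. PIN settings are omitted because the page lists
    them as remediated by the OS itself rather than quarantined by evaluation."""
    results = {}
    if policy.block_jailbroken:
        results["jailbroken_or_rooted"] = not device.jailbroken
    if policy.email_profile_required:
        # Non-compliant unless the Intune-managed profile is actually present.
        results["email_profile"] = policy.managed_email_profile_id in device.email_profile_ids
    ver = parse_version(device.os_version)
    if policy.os_minimum_version:
        results["minimum_os_version"] = ver >= parse_version(policy.os_minimum_version)
    if policy.os_maximum_version:
        results["maximum_os_version"] = ver <= parse_version(policy.os_maximum_version)
    return results


def is_compliant(policy: IosCompliancePolicy, device: IosDeviceReport) -> bool:
    """A device is compliant only when every evaluated setting passes."""
    return all(evaluate(policy, device).values())
```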