使用 Intune 為 macOS 裝置 (預覽) 建立裝置合規性政策Create a device compliance policy for macOS devices (preview) with Intune

適用於︰Azure 上的 IntuneApplies to: Intune on Azure
您需要傳統主控台中之 Intune 的相關文件嗎?Looking for documentation about Intune in the classic console? 請移至這裡Go to here.

開始之前Before you begin

在建立和指派裝置合規性政策之前,請先檢閱 Intune 裝置合規性政策的概念。Before creating and assigning a device compliance policy, review the Intune device compliance policy concepts.


您需要為每個平台建立裝置合規性政策。You need to create device compliance policies for each platform. Intune 裝置合規性政策設定會隨平台功能而定,也就是那些透過 MDM 通訊協定公開的設定。Intune device compliance policy settings depend on platform capabilities which are settings exposed through the MDM protocol.

下表說明如何搭配使用合規性政策與條件式存取原則時,不合規設定的管理方式。The table below describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.

原則設定Policy setting macOS 10.11 及更新版本macOS 10.11 and later
PIN 或密碼設定PIN or password configuration 已修復Remediated
裝置加密Device encryption 已修復 (藉由設定 PIN 碼)Remediated (by setting PIN)
電子郵件設定檔Email profile 已隔離Quarantined
最低 OS 版本Minimum OS version 已隔離Quarantined
最高 OS 版本Maximum OS version 已隔離Quarantined
Windows 健康情況證明Windows health attestation 不適用Not applicable

已補救 = 裝置作業系統強制符合規範。Remediated = The device operating system enforces compliance. (例如,強制使用者設定 PIN。)(For example, the user is forced to set a PIN.)

已隔離 = 裝置作業系統不強制符合規範。Quarantined = The device operating system does not enforce compliance. (例如,Android 裝置不強制使用者為裝置加密。)裝置不相容時,會採取下列動作︰(For example, Android devices do not force the user to encrypt the device.) When the devices is not compliant, the following actions take place:

  • 如果對使用者套用了條件式存取原則,裝置會遭到封鎖。The device is blocked if a conditional access policy applies to the user.
  • 公司入口網站會通知使用者任何合規性問題的相關事項。The company portal notifies the user about any compliance problems.

MacOS 合規性政策設定MacOS compliance policy settings

建立符合 Intune 規範的新裝置時,您可以在不同的類別中設定不同的選項:You have different categories with different settings to choose from when creating a new device compliance with Intune:

  • 裝置健全狀況Device Health

  • 裝置內容Device Properties

  • 系統安全性System Security

裝置健全狀況Device Health

  • 需要系統完整性保護:將此選項設為 [必要] 以檢查 macOS 裝置是否啟用系統完整性保護。Require a system integrity protection : Set this to Require to check if your macOS devices have system integrity protection enabled.

裝置內容Device properties

  • 最低作業系統版本︰當裝置不符合最低作業系統版本需求時,它會回報為不相容。Minimum OS version : When a device does not meet the minimum OS version requirement, it is reported as noncompliant. 並顯示如何升級的資訊連結。A link with information on how to upgrade appears. 使用者可以選擇升級其裝置,The user can choose to upgrade their device. 之後即可存取公司資源。After that, they can access company resources.

  • 最高作業系統版本:當裝置使用的作業系統版本高於規則指定的版本時,會封鎖對公司資源的存取,並要求使用者連絡其 IT 管理員。Maximum OS version : When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. 在將規則變更為允許該 OS 版本之前,此裝置無法用來存取公司資源。Until there is a change in rule to allow the OS version, this device cannot be used to access company resources.

系統安全性設定System security settings


  • 需要密碼來解除鎖定行動裝置︰將此選項設定為 [必要],讓使用者在存取其裝置前需要輸入密碼。Require a password to unlock mobile devices : Set this to Require so users need to enter a password before they can access their device.

  • 簡單密碼︰將此選項設為 [封鎖],不讓使用者建立如下的簡單密碼:12341111Simple passwords : Set this to Block so user can't create a simple password like 1234 or 1111.

  • 最小密碼長度:指定密碼至少須包含的數字位數或字元數。Minimum password length : Specify the minimum number of digits or characters that the password must have.

  • 密碼類型:指定使用者必須建立英數字元密碼或數字密碼。Password type : Specify whether the user must create an Alphanumeric password or a Numeric password.

  • 密碼的非英數字元數目︰若將 [需要的密碼類型] 設定為 [英數字元],請使用此設定指定密碼至少須包含的最少字元集數。Number of non-alphanumeric character in password : If you set Required password type to Alphanumeric , use this setting to specify the minimum number of character sets that the password must have.


    若要將此設定設為較高的數目,使用者必須建立更複雜的密碼。Setting a higher number will require the user to create a password that is more complex.


    若是 macOS 裝置,此設定是指密碼中必須包含的特殊字元數 (例如 !For macOS devices, this setting refers to the number of special characters (for example, ! #& )。, # , & ) that must be included in the password.

  • 停止活動幾分鐘後需要輸入密碼:指定閒置多久後使用者必須重新輸入密碼。Maximum minutes of inactivity before password is required : Specify the idle time before the user must reenter their password.

  • 密碼到期 (天數):選取密碼到期前,必須建立新密碼的天數 (1 到 250 之間)。Password expiration (days): Select the number of days (between 1 and 250) before the password expires and they must create a new one.

  • 避免重複使用前幾個密碼:指定不可重複使用先前使用的多少個密碼。Number of previous passwords to prevent reuse : Specify the number of previously used passwords that cannot be reused.


    如果 macOS 裝置上的密碼需求有所變更,在下次使用者變更其密碼之前不會生效。When the password requirement is changed on a macOS device it doesn’t take effect until the next time the user changes their password. 例如,如果您將密碼長度限制設定為 8 位數,而 macOS 裝置目前有 6 位數密碼,則在下次使用者更新裝置上的密碼之前,該裝置仍保持相容。For example, if you set the password length restriction to eight digits and the macOS device currently has a 6 digits password, the device remains compliant until the next time the user updates their password on the device.

建立裝置合規性政策To create a device compliance policy

  1. 移至 Azure 入口網站,並使用您的 Intune 認證登入。Go to the Azure portal, and sign in with your Intune credentials.

  2. 成功登入之後,您會看到 [Azure 儀表板]。After you've successfully signed in, you can see the Azure Dashboard.

  3. 選擇左功能表中的 [更多服務],然後在文字方塊篩選中輸入 IntuneChoose More services from the left menu, then type Intune in the text box filter.

  4. 選擇 [Intune],您會看到 [Intune 儀表板]。Choose Intune, you can see the Intune Dashboard.

  5. 選擇 [裝置合規性],然後選擇 [管理] 下的 [原則]。Choose Device compliance, then choose Policies under Manage.

  6. 選擇 [建立原則]。Choose Create Policy.

  7. 輸入名稱及描述,然後選擇要套用此原則的平台。Type a name, description and choose the platform that you want this policy to apply to.

  8. [MacOS 合規性政策] 刀鋒視窗隨即開啟,選擇裝置合規性設定的分類來指定設定:[安全性]、[裝置健全狀況] 和 [裝置屬性]。The macOS compliance policy blade opens, choose the device compliance setting categories Security, Device health, and Device property to specify your settings.

  9. 完成設定選擇後,請選擇每項裝置合規性設定類別下的 [確定]。Once you are done choosing your settings, choose OK under each device compliance setting category.

  10. 選擇 [確定],然後選擇 [建立]。Choose OK, then choose Create.

指派使用者群組Assign user groups

若要將合規性政策指派給使用者,請選擇您先前設定的原則。To assign a compliance policy to users, choose a policy that you have configured. 現有的原則可以在 [合規性原則] 刀鋒視窗中找到。Existing policies can be found in the Compliance policies blade.

  1. 選擇您想要指派給使用者的裝置合規性政策,然後選擇 [指派]。Choose the device compliance policy you want to assign to users and choose Assignments. 這會開啟刀鋒視窗讓您從中選取 [Azure Active Directory 安全性群組],並將其指派給原則。This opens the blade where you can select Azure Active Directory security groups and assign them to the policy.

  2. 選擇 [選取群組] 會開啟刀鋒視窗顯示 Azure AD 安全性群組。Choose Select groups to open the blade that displays the Azure AD security groups.

  3. 依序選擇 [選取] 和 [儲存] 將裝置合規性政策指派給 Azure AD 安全性群組。Choose Select then Save to assign the device compliance policy to Azure AD security groups.

  4. 將裝置合規性政策指派給群組後,您就可以關閉 [指派] 刀鋒視窗。Once you're done assigning the device compliance policy to your groups, you can close the Assignments blade.


    裝置預設每 8 小時檢查一次合規性,但使用者可以透過 Intune 公司入口網站應用程式強制執行此程序。By default, devices check for compliance every 8 hours but users can force this process through the Intune company portal app.

後續步驟Next steps

如何監視裝置合規性政策How to monitor device compliance policies

若要提交意見反應,請前往 Intune Feedback