Get started with device compliance policies in Intune

Compliance requirements are essentially rules, such as requiring a device PIN or requiring encryption. Device compliance policies define these rules and settings that a device must follow to be considered compliant. These rules include:

  • Use a password to access devices

  • Encryption

  • Whether the device is jail-broken or rooted

  • Minimum OS version required

  • Maximum OS version allowed

  • Require the device to be at, or under, the Mobile Threat Defense level

You can also use device compliance policies to monitor the compliance status of your devices.

Prerequisites

To use device compliance policies, the following are required:

  • Use the following subscriptions:

    • Intune
    • Azure Active Directory (AD) Premium
  • Use a supported platform:

    • Android
    • iOS
    • macOS (preview)
    • Windows 8.1
    • Windows Phone 8.1
    • Windows 10
  • To report their compliance status, devices must be enrolled in Intune

  • Devices enrolled to one user or devices with no primary user are supported. Multiple user contexts are not supported.

How Intune device compliance policies work with Azure AD

When a device is enrolled in Intune, the Azure AD registration process starts and updates the device attributes in Azure AD. One key piece of information is the device compliance status. Conditional access policies use this compliance status to block or allow access to e-mail and other corporate resources.

For more information, see Azure AD registration process.

Assign a resulting device configuration profile status

If a device has multiple configuration profiles, and the device has different compliance statuses for two or more of the assigned configuration profiles, then a single resulting compliance status is assigned. This assignment is based on a conceptual severity level assigned to each compliance status. Each compliance status has the following severity level:

Status       Severity
Pending      1
Succeeded    2
Failed       3
Error        4

When a device has multiple configuration profiles, the highest severity level of all the profiles is assigned to that device.

For example, say a device has three profiles assigned to it: one Pending status (severity = 1), one Succeeded status (severity = 2), and one Error status (severity = 4). The Error status has the highest severity level, so all three profiles have the Error compliance status.

Assign an InGracePeriod status

The InGracePeriod status for a compliance policy is a value determined by the combination of a device's grace period and the device's actual status for that compliance policy.

Specifically, if a device has a NonCompliant status for an assigned compliance policy, and:

  • the device has no grace period assigned to it, then the assigned value for the compliance policy is NonCompliant
  • the device has a grace period that is expired, then the assigned value for the compliance policy is NonCompliant
  • the device has a grace period that is in the future, then the assigned value for the compliance policy is InGracePeriod

The following table summarizes these points:

Actual compliance status   Value of assigned grace period   Effective compliance status
NonCompliant               No grace period assigned         NonCompliant
NonCompliant               Yesterday's date                 NonCompliant
NonCompliant               Tomorrow's date                  InGracePeriod

For more information about monitoring device compliance policies, see Monitor Intune device compliance policies.

Assign a resulting compliance policy status

If a device has multiple compliance policies, and the device has different compliance statuses for two or more of the assigned compliance policies, then a single resulting compliance status is assigned. This assignment is based on a conceptual severity level assigned to each compliance status. Each compliance status has the following severity level:

Status          Severity
Unknown         1
NotApplicable   2
Compliant       3
InGracePeriod   4
NonCompliant    5
Error           6

When a device has multiple compliance policies, the highest severity level of all the policies is assigned to that device.

For example, say a device has three compliance policies assigned to it: one Unknown status (severity = 1), one Compliant status (severity = 3), and one InGracePeriod status (severity = 4). The InGracePeriod status has the highest severity level, so all three policies have the InGracePeriod compliance status.
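As an added illustration (not code from this page or from Intune itself), the following Python models the two resolution rules described above: the grace-period rule from "Assign an InGracePeriod status" and the highest-severity-wins rule for both configuration profiles and compliance policies. The severity tables are the page's own; how a grace period that ends today is treated is an assumption, since the page only shows the "yesterday" and "tomorrow" rows.

```python
from datetime import date, timedelta

# Severity tables exactly as the page lists them: the highest severity wins
# when a device has several assigned profiles or policies.
CONFIG_PROFILE_SEVERITY = {"Pending": 1, "Succeeded": 2, "Failed": 3, "Error": 4}
COMPLIANCE_POLICY_SEVERITY = {
    "Unknown": 1, "NotApplicable": 2, "Compliant": 3,
    "InGracePeriod": 4, "NonCompliant": 5, "Error": 6,
}


def resulting_status(statuses, severity):
    """Collapse several statuses into one: the highest-severity status wins."""
    if not statuses:
        raise ValueError("a device needs at least one assigned status")
    unknown = set(statuses) - set(severity)
    if unknown:
        raise ValueError(f"status not in severity table: {sorted(unknown)}")
    return max(statuses, key=severity.__getitem__)


def effective_policy_status(actual, grace_period_end, today):
    """Apply the InGracePeriod rule to one compliance policy.
    grace_period_end is None when no grace period is assigned. Assumption:
    a grace period ending today counts as expired (not shown on the page)."""
    if actual != "NonCompliant":
        return actual  # a grace period only softens NonCompliant
    if grace_period_end is None or grace_period_end <= today:
        return "NonCompliant"
    return "InGracePeriod"


def device_compliance_status(policies, today):
    """policies: (actual_status, grace_period_end) pairs, one per assigned
    compliance policy. Grace-period rule first, then severity collapse."""
    effective = [effective_policy_status(a, g, today) for a, g in policies]
    return resulting_status(effective, COMPLIANCE_POLICY_SEVERITY)


if __name__ == "__main__":
    today = date(2018, 6, 1)  # constructed sample date
    # The page's worked examples: Pending/Succeeded/Error -> Error, and
    # Unknown/Compliant/(NonCompliant with a future grace period) -> InGracePeriod
    print(resulting_status(["Pending", "Succeeded", "Error"], CONFIG_PROFILE_SEVERITY))
    print(device_compliance_status([("Unknown", None), ("Compliant", None),
                                    ("NonCompliant", today + timedelta(days=1))], today))
```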

Ways to use device compliance policies

With conditional access

For devices that comply with policy rules, you can give those devices access to email and other corporate resources. If the devices don't comply with policy rules, then they don't get access to corporate resources. This is conditional access.

Without conditional access

You can also use device compliance policies without any conditional access. When you use compliance policies independently, the targeted devices are evaluated and their compliance status is reported. For example, you can get a report on how many devices are not encrypted, or which devices are jail-broken or rooted. When you use compliance policies without conditional access, there are no access restrictions to company resources.

Ways to deploy device compliance policies

You can deploy compliance policies to users in user groups or to devices in device groups. When a compliance policy is deployed to a user, all of the user's devices are checked for compliance.

The Compliance policy settings (Azure portal > Device compliance) include:

  • Mark devices with no compliance policy assigned as: This property has two values:

    • Compliant: security feature off
    • Not compliant (default): security feature on

    If a device doesn't have a compliance policy assigned, then this device is considered not compliant. By default, devices are marked as Compliant. If you use conditional access, we recommend you change the setting to Not compliant. If an end user is not compliant because a policy isn't assigned, then Company Portal lists No compliance policies have been assigned.

  • Enhanced jailbreak detection: When enabled, this setting causes iOS devices to check in with Intune more frequently. Enabling this property uses the device's location services and impacts battery usage. The user location data is not stored by Intune.

    Enabling this setting requires devices to:

    • Enable location services at the OS level
    • Allow the Company Portal to use location services
    • Evaluate and report its jailbreak status to Intune at least once every 72 hours. Otherwise, the device is marked not compliant.
  • Compliance status validity period (days): Enter the time period within which devices must report the status for all received compliance policies. Devices that don't return the status within this time period are treated as noncompliant. The default value is 30 days.

All devices have a Default Device Compliance Policy (Azure portal > Device compliance > Policy compliance). Use this default policy to monitor these settings.

To learn how long it takes for mobile devices to get a policy after the policy is deployed, see Troubleshooting device profiles.

Compliance reports are a great way to check the status of devices. See Monitor compliance policies for guidance.

Actions for noncompliance

You can configure a time-ordered sequence of actions that apply to devices that don't meet the compliance policy criteria. These actions for noncompliance can be automated, as described in Automate actions for noncompliance.

Azure classic portal vs. Azure portal

The main difference when using device compliance policies in the Azure portal:

  • In the Azure portal, the compliance policies are created separately for each supported platform
  • In the Azure classic portal, one device compliance policy is common to all supported platforms

Device compliance policies in the classic portal and Azure portal

Device compliance policies created in the classic portal don't appear in the Azure portal. However, they're still targeted to users and manageable using the classic portal.

To use the device compliance-related features in the Azure portal, you must create new device compliance policies in the Azure portal. If you assign a device compliance policy in the Azure portal to a user who is also assigned a device compliance policy from the classic portal, then the device compliance policies from the Azure portal take precedence over the policies created in the classic portal.

Next steps