Troubleshooting device profiles in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

The information in this topic can be used to help you troubleshoot common issues around Intune device profiles.

How long does it take for mobile devices to get a policy or apps after they have been assigned?

When a policy or an app is assigned, Intune immediately begins attempting to notify the device that it should check in with the Intune service. This typically takes less than five minutes.

If a device doesn't check in to get the policy after the first notification is sent, Intune makes three more attempts. If the device is offline (for example, it is turned off or not connected to a network), it might not receive the notifications. In this case, the device will get the policy on its next scheduled check-in with the Intune service as follows:

  • iOS and macOS: Every 6 hours.
  • Android: Every 8 hours.
  • Windows Phone: Every 8 hours.
  • Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.

If the device has just enrolled, check-ins are more frequent, as follows:

  • iOS and macOS: Every 15 minutes for 6 hours, and then every 6 hours.
  • Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
  • Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
  • Windows PCs enrolled as devices: Every 3 minutes for 30 minutes, and then every 8 hours.

Users can also open the Company Portal app and sync the device to immediately check for the policy anytime.
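The check-in schedule above determines how long a policy assignment can sit undelivered when a device misses the notifications. The following added example (not Microsoft code) models the post-enrollment schedule and computes that wait for a given assignment time. It assumes the phases run back to back from the moment of enrollment, that check-ins fire exactly on schedule, and that the device is reachable at its next scheduled check-in; the platform keys and function names are hypothetical.

```python
# Check-in schedule after enrollment, taken from the lists above.
# Each phase is (phase_length_min, interval_min); None = steady state, no end.
SCHEDULE = {
    "ios_macos":     [(6 * 60, 15), (None, 6 * 60)],
    "android":       [(15, 3), (2 * 60, 15), (None, 8 * 60)],
    "windows_phone": [(15, 5), (2 * 60, 15), (None, 8 * 60)],
    "windows_pc":    [(30, 3), (None, 8 * 60)],
}
LONGEST_INTERVAL = 8 * 60  # no platform on the page waits longer between check-ins


def checkin_times(platform, horizon):
    """Scheduled check-ins, in minutes after enrollment, up to `horizon`.

    Assumption: phases run back to back starting at enrollment, and each
    check-in fires exactly on schedule.
    """
    times, start = [], 0
    for length, interval in SCHEDULE[platform]:
        end = horizon if length is None else min(start + length, horizon)
        t = start + interval
        while t <= end:
            times.append(t)
            t += interval
        start = end  # the next phase begins where this one stopped
    return times


def delivery_delay(platform, assigned_at):
    """Minutes until the next scheduled check-in for a policy assigned
    `assigned_at` minutes after enrollment, when the device missed the
    notifications (for example, because it was offline)."""
    for t in checkin_times(platform, assigned_at + LONGEST_INTERVAL):
        if t >= assigned_at:
            return t - assigned_at
    raise RuntimeError("no check-in found inside the longest interval")


if __name__ == "__main__":
    # Constructed sample inputs: minutes after enrollment at which a policy is assigned.
    for platform in SCHEDULE:
        for assigned_at in (20, 140, 24 * 60):
            print(f"{platform:14} assigned at {assigned_at:5} min -> "
                  f"picked up after {delivery_delay(platform, assigned_at)} min")
```
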

What actions cause Intune to immediately send a notification to a device?

Devices check in with Intune either when they receive a notification that tells them to check in or during their regularly scheduled check-in. When you target a device or user specifically with an action such as a wipe, lock, passcode reset, app assignment, profile assignment (Wi-Fi, VPN, email, etc.), or policy assignment, Intune will immediately begin trying to notify the device that it should check in with the Intune service to receive these updates.

Other changes, such as revising the contact information in the company portal, do not cause an immediate notification to devices.

If multiple policies are assigned to the same user or device, how do I know which settings will get applied?

When two or more policies are assigned to the same user or device, the evaluation for which setting is applied happens at the individual setting level:

  • Compliance policy settings always have precedence over configuration policy settings.

  • The most restrictive compliance policy setting is applied if it is evaluated against the same setting in a different compliance policy.

  • If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict will be displayed in the Azure portal. You must manually resolve such conflicts.

What happens when app protection policies conflict with each other? Which one will be applied to the app?

Conflict values are the most restrictive settings available in an app protection policy, except for the number entry fields (like PIN attempts before reset). The number entry fields are set to the same values they would have if you created a MAM policy in the console by using the recommended settings option.

Conflicts occur when two profile settings are the same. For example, you configured two MAM policies that are identical except for the copy/paste setting. In this scenario, the copy/paste setting will be set to the most restrictive value, but the rest of the settings will be applied as configured.

If one profile is assigned to the app and takes effect, and then a second one is assigned, the first one will take precedence and stay applied, while the second shows in conflict. If they are both applied at the same time, meaning that there is no preceding profile, then they will both be in conflict. Any conflicting settings will be set to the most restrictive values.

What happens when iOS custom policies conflict?

Intune does not evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) profile. It merely serves as the delivery mechanism.

When you assign a custom profile, ensure that the configured settings do not conflict with compliance, configuration, or other custom policies. In the case of a custom profile with settings conflicts, the order in which settings are applied is random.

What happens when a profile is deleted or no longer applicable?

When you delete a profile, or you remove a device from a group to which a profile was assigned, the profile and settings will be removed from the device according to the following lists.

Enrolled devices

  • Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.
  • All other profile types:

    • Windows and Android devices: Settings are not removed from the device.
    • Windows Phone 8.1 devices: The following settings are removed:

      • Require a password to unlock mobile devices
      • Allow simple passwords
      • Minimum password length
      • Required password type
      • Password expiration (days)
      • Remember password history
      • Number of repeated sign-in failures to allow before the device is wiped
      • Minutes of inactivity before password is required
      • Required password type – minimum number of character sets
      • Allow camera
      • Require encryption on mobile device
      • Allow removable storage
      • Allow web browser
      • Allow application store
      • Allow screen capture
      • Allow geolocation
      • Allow Microsoft account
      • Allow copy and paste
      • Allow Wi-Fi tethering
      • Allow automatic connection to free Wi-Fi hotspots
      • Allow Wi-Fi hotspot reporting
      • Allow factory reset
      • Allow Bluetooth
      • Allow NFC
      • Allow Wi-Fi
    • iOS: All settings are removed, except:

      • Allow voice roaming
      • Allow data roaming
      • Allow automatic synchronization while roaming

I changed a device restriction profile, but the changes haven't taken effect

Windows Phone devices do not allow security policies set via MDM or EAS to be reduced in security once you've set them. For example, you set a Minimum number of character password to 8, then try to reduce it to 4. The more restrictive profile has already been applied to the device.

Depending on the device platform, if you want to change the profile to a less secure value, you may need to reset security policies. For example, in Windows, on the desktop, swipe in from the right to open the Charms bar and choose Settings > Control Panel. Select the User Accounts applet. In the left-hand navigation menu, there is a Reset Security Policies link at the bottom. Choose it and then choose the Reset Policies button. Other MDM devices, such as Android, Windows Phone 8.1 and later, and iOS, may need to be retired and re-enrolled back into the service for you to be able to apply a less restrictive profile.

Next steps

If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support for Microsoft Intune.