Common issues and resolutions with device profiles in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Read the introduction to Intune.

Troubleshoot common issues with Intune device profiles.

Why doesn't a user get a new profile when changing a password or passphrase on an existing Wi-Fi profile?

You create a corporate Wi-Fi profile, deploy the profile to a group, change the password, and save the profile. When the profile changes, some users may not get the new profile.

To mitigate this issue, set up guest Wi-Fi. If the corporate Wi-Fi fails, users can connect to the guest Wi-Fi. Be sure to enable any automatic-connect settings. Deploy the guest Wi-Fi profile to all users.

Some additional recommendations:

  • Since the Wi-Fi network you're connecting to uses a password or passphrase, make sure you can connect to the Wi-Fi router directly. You can test with an iOS device.
  • After you successfully connect to the Wi-Fi endpoint (Wi-Fi router), note the SSID and the credential used (this value is the password or passphrase).
  • Enter the SSID and credential (password or passphrase) in the Pre-Shared Key field.
  • Deploy to a test group that has a limited number of users, preferably only the IT team.
  • Sync your iOS device to Intune. Enroll if you haven't already enrolled.
  • Test connecting to the same Wi-Fi endpoint (as mentioned in the first step) again.
  • Roll out to larger groups and eventually to all expected users in your organization.

How long does it take for mobile devices to get a policy or apps after they have been assigned?

When a policy or an app is assigned, Intune immediately begins notifying the device to check in with the Intune service. The notification typically takes less than five minutes.

If a device doesn't check in to get the policy after the first notification is sent, Intune makes three more attempts. If the device is offline (for example, it is turned off or not connected to a network), it might not receive the notifications. In this case, the device gets the policy on its next scheduled check-in with the Intune service, as follows:

  • iOS and macOS: Every six hours
  • Android: Every eight hours
  • Windows Phone: Every eight hours
  • Windows 8.1 and Windows 10 PCs enrolled as devices: Every eight hours

If the device is recently enrolled, check-ins are more frequent, as follows:

  • iOS and macOS: Every 15 minutes for six hours, and then every six hours
  • Android: Every three minutes for 15 minutes, then every 15 minutes for two hours, and then every eight hours
  • Windows Phone: Every five minutes for 15 minutes, then every 15 minutes for two hours, and then every eight hours
  • Windows PCs enrolled as devices: Every three minutes for 30 minutes, and then every eight hours

To immediately check for the policy at any time, users can open the Company Portal app and sync the device.
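The check-in intervals listed above determine how long an offline device can go without a newly assigned policy. The following is an added example, not Microsoft code, that turns those intervals into a calculator; the platform keys are made up here, and it assumes the phases run back to back with each interval counted from the previous check-in.

```python
from datetime import timedelta

M, H = timedelta(minutes=1), timedelta(hours=1)

# platform -> (post-enrollment phases as (interval, phase length), steady interval).
# Intervals are the ones listed on this page; the platform keys are made up here.
SCHEDULES = {
    "ios_macos":     ([(15 * M, 6 * H)], 6 * H),
    "android":       ([(3 * M, 15 * M), (15 * M, 2 * H)], 8 * H),
    "windows_phone": ([(5 * M, 15 * M), (15 * M, 2 * H)], 8 * H),
    "windows_pc":    ([(3 * M, 30 * M)], 8 * H),
}


def scheduled_checkins(platform):
    """Yield check-in offsets measured from enrollment, without end.

    Assumption: phases run back to back and each interval is counted from
    the previous check-in.
    """
    phases, steady = SCHEDULES[platform]
    t = phase_end = timedelta(0)
    for interval, length in phases:
        phase_end += length
        while t + interval <= phase_end:
            t += interval
            yield t
    while True:
        t += steady
        yield t


def wait_without_notification(platform, assigned_at):
    """Delay between assignment (offset from enrollment) and the next
    scheduled check-in, for a device that missed every notification."""
    for t in scheduled_checkins(platform):
        if t >= assigned_at:
            return t - assigned_at


if __name__ == "__main__":
    for platform in SCHEDULES:
        for assigned_at in (10 * M, 3 * H, 24 * H):
            wait = wait_without_notification(platform, assigned_at)
            print(f"{platform:14} assigned at +{assigned_at}: waits {wait}")
```

An Android device that missed its notifications for a policy assigned 2 hours 20 minutes after enrollment waits almost the full eight-hour interval, which is the window to plan for when the policy is a security control.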

For devices without user affinity, the sync frequency immediately following enrollment can vary from hours to a day or more. Intune sends requests at various intervals for a device to check in with the service. However, it is still up to the device to check in. After initial enrollment, depending on the type of device enrollment and the policies and profiles assigned to a device, the time it takes a device to complete the check-in is unpredictable. However, once the device is enrolled and all initial policies are applied, the device typically checks for new policies about every six hours.

What actions cause Intune to immediately send a notification to a device?

Devices check in with Intune when they receive a notification to check in, or during their regularly scheduled check-in. When you target a device or user with an action, such as wipe, lock, passcode reset, app assignment, profile assignment, or policy assignment, Intune immediately notifies the device to check in with the Intune service to receive these updates.

Other changes, such as revising the contact information in the company portal, do not cause an immediate notification to devices.

If multiple policies are assigned to the same user or device, how do I know which settings get applied?

If two or more policies are assigned to the same user or device, the decision about which settings apply is made at the individual setting level:

  • Compliance policy settings always have precedence over configuration policy settings.

  • If a compliance policy is evaluated against the same setting in a different compliance policy, then the most restrictive compliance policy setting applies.

  • If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict displays in the Azure portal. In this scenario, manually resolve these conflicts.
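The three rules above can be modelled per setting to predict the outcome before assigning overlapping policies. This is an added example, not Intune's own logic or API: the policy names, setting names, and the `stricter` ordering for each setting are hypothetical and supplied by the caller.

```python
from collections import defaultdict


def resolve(assignments, stricter):
    """Apply the precedence rules stated above, setting by setting.

    assignments: iterable of (policy_name, kind, setting, value), where kind
                 is "compliance" or "configuration".
    stricter:    setting -> function(a, b) returning the more restrictive
                 value (assumption: the caller defines that ordering).
    Returns setting -> (outcome, detail).
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for name, kind, setting, value in assignments:
        grouped[setting][kind].append((name, value))

    result = {}
    for setting, kinds in grouped.items():
        compliance = [v for _, v in kinds["compliance"]]
        configuration = kinds["configuration"]
        if compliance:
            # Compliance beats configuration; most restrictive compliance wins.
            value = compliance[0]
            for other in compliance[1:]:
                value = stricter[setting](value, other)
            result[setting] = ("compliance", value)
        elif len({v for _, v in configuration}) == 1:
            result[setting] = ("configuration", configuration[0][1])
        else:
            # Differing configuration values: flagged for manual resolution.
            names = sorted(n for n, _ in configuration)
            result[setting] = ("conflict", names)
    return result


# Constructed sample data; policy and setting names are hypothetical.
STRICTER = {"min_password_length": max, "allow_camera": lambda a, b: a and b}
SAMPLE = [
    ("Baseline-Compliance", "compliance", "min_password_length", 6),
    ("Finance-Compliance", "compliance", "min_password_length", 8),
    ("Kiosk-Config", "configuration", "min_password_length", 4),
    ("Kiosk-Config", "configuration", "allow_camera", False),
    ("Lab-Config", "configuration", "allow_camera", True),
    ("Lab-Config", "configuration", "allow_screen_capture", False),
]

if __name__ == "__main__":
    for setting, outcome in resolve(SAMPLE, STRICTER).items():
        print(setting, outcome)
```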

What happens when app protection policies conflict with each other? Which one is applied to the app?

Conflict values are the most restrictive settings available in an app protection policy, except for the number entry fields (like PIN attempts before reset). The number entry fields are set to the same values as if you had created a MAM policy in the console by using the recommended settings option.

Conflicts occur when two profile settings are the same. For example, you configured two MAM policies that are identical except for the copy/paste setting. In this scenario, the copy/paste setting is set to the most restrictive value, but the rest of the settings are applied as configured.

If one profile is assigned to the app and takes effect, and then a second one is assigned, the first one takes precedence and stays applied, while the second shows in conflict. If they are both applied at the same time, meaning that there is no preceding profile, then they are both in conflict. Any conflicting settings are set to the most restrictive values.

What happens when iOS custom policies conflict?

Intune does not evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) profile. It merely serves as the delivery mechanism.

When you assign a custom profile, ensure that the configured settings do not conflict with compliance, configuration, or other custom policies. If a custom profile and its settings conflict, then the settings are applied randomly.

What happens when a profile is deleted or no longer applicable?

When you delete a profile, or you remove a device from a group that has the profile, the profile and settings are removed from the device according to the following lists:

  • Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.
  • All other profile types:
    • Windows and Android devices: Settings are not removed from the device

    • Windows Phone 8.1 devices: The following settings are removed:

      • Require a password to unlock mobile devices
      • Allow simple passwords
      • Minimum password length
      • Required password type
      • Password expiration (days)
      • Remember password history
      • Number of repeated sign-in failures to allow before the device is wiped
      • Minutes of inactivity before password is required
      • Required password type – minimum number of character sets
      • Allow camera
      • Require encryption on mobile device
      • Allow removable storage
      • Allow web browser
      • Allow application store
      • Allow screen capture
      • Allow geolocation
      • Allow Microsoft account
      • Allow copy and paste
      • Allow Wi-Fi tethering
      • Allow automatic connection to free Wi-Fi hotspots
      • Allow Wi-Fi hotspot reporting
      • Allow factory reset
      • Allow Bluetooth
      • Allow NFC
      • Allow Wi-Fi
    • iOS: All settings are removed, except:

      • Allow voice roaming
      • Allow data roaming
      • Allow automatic synchronization while roaming

I changed a device restriction profile, but the changes haven't taken effect

Windows Phone devices do not allow security policies set using MDM or EAS to be reduced in security once you've set them. For example, you set a Minimum number of character password to 8, then try to reduce it to 4. The more restrictive profile has already been applied to the device.

Depending on the device platform, if you want to change the profile to a less secure value, then reset security policies. For example, in Windows, on the desktop, swipe in from the right, and select Settings > Control Panel. Select the User Accounts applet.

In the left-hand navigation menu, there is a Reset Security Policies link (toward the bottom). Select it, and then choose Reset Policies. Other MDM devices, such as Android, Windows Phone 8.1 and later, and iOS, may need to be retired and re-enrolled back into the service to apply a less restrictive profile.

Next steps

Need extra help? See How to get support for Microsoft Intune.