Android for Work device restriction settings in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Work profile settings

  • Copy and paste between work and personal profiles - Controls copy and paste between work and personal apps. Choose Block to enable blocking. Choose Not configured to disable blocking.
  • Data sharing between work and personal profiles - Use this setting to control whether apps in the work profile can share with apps in the personal profile. This setting controls sharing actions within applications (for example, the Share… option in the Chrome browser app) and does not apply to copy/paste clipboard behavior. Unlike app protection policy settings, device restriction settings are managed from the Intune portal and use the Android for Work work profile partition to isolate managed apps. Choose from:

    • Default sharing restrictions - This setting is the default sharing behavior of the device, which varies depending on the version of Android it is running. By default, sharing from the personal profile to the work profile is allowed. Also by default, sharing from the work profile to the personal profile is blocked. This setting prevents sharing of data from the work to the personal profile. Google does not provide a way to block sharing from the personal profile to the work profile on devices running versions 6.0 and later.
    • Apps in work profile can handle sharing request from personal profile - Use this option to enable the built-in Android feature that allows sharing from the personal to the work profile. When enabled, a sharing request from an app in the personal profile can share with apps in the work profile. This setting is the default behavior for Android devices running versions earlier than 6.0.
    • Allow sharing across boundaries - Enables sharing across the work profile boundary in both directions. When you select this setting, apps in the work profile can share data with unbadged apps in the personal profile. Use this setting with care, as it allows managed apps in the work profile to share with apps on the unmanaged side of the device.
  • Work profile notifications while device locked - Controls whether apps in the work profile can display data in notifications when the device is locked.

  • Default app permissions - Sets the default permission policy for all apps in the work profile. Starting with Android 6, the user is prompted to grant certain permissions required by apps when the app is launched. This policy setting lets you decide whether users are prompted to grant permissions for all apps in the work profile. For example, you assign an app to the work profile that requires location access. Normally that app prompts the user to approve or deny location access to the app. This policy lets you decide whether all permissions should be auto-granted without a prompt, auto-denied without a prompt, or left for the end user to decide. Choose from:

    • Device default
    • Prompt
    • Auto grant
    • Auto deny

    The grant state for permissions can be further defined for specific apps by defining an App Configuration policy for an individual app (under Mobile Apps > App configuration policies).

Work profile password

  • Require Work Profile Password - (Android 7.0 and above with work profile enabled) Define a passcode policy that applies just to the apps in the work profile. By default, the end user has the option to use the two separately defined PINs, or they can elect to combine them into the stronger of the two.
  • Minimum password length - Enter the minimum number of characters the user's password must contain (from 4-16).
  • Maximum minutes of inactivity until screen locks - Select the amount of time before the work profile locks. The user must then enter their credentials to regain access.
  • Number of sign-in failures before wiping device - Enter the number of times an incorrect password can be entered before the work profile is wiped from the device.
  • Password expiration (days) - Enter the number of days until an end user's password must be changed (from 1-255).
  • Required password type - Select the type of password that must be set on the device. Choose from:
    • Device default
    • Low security biometric
    • Required
    • At least numeric
    • Numeric complex - (repeating or consecutive numbers like '1111' or '1234' are not allowed)
    • At least alphabetic
    • At least alphanumeric
    • At least alphanumeric with symbols
  • Prevent reuse of previous passwords - Enter the number of new passwords that must have been used before an old one can be reused (from 1-24).
  • Fingerprint unlock - Blocks an end user from using the device fingerprint scanner to unlock it.
  • Smart Lock and other trust agents - Lets you control the Smart Lock feature on compatible devices. This phone capability, sometimes known as a trust agent, lets you disable or bypass the work profile password if the device is in a trusted location (for example, when it's connected to a specific Bluetooth device, or when it's close to an NFC tag). You can use this setting to prevent users from configuring Smart Lock.

Device password

  • Minimum password length - Enter the minimum number of characters the user's password must contain (from 4-14).
  • Maximum minutes of inactivity until screen locks - Select the amount of time before an inactive device automatically locks.
  • Number of sign-in failures before wiping device - Enter the number of times an incorrect password can be entered before all data is wiped from the device.
  • Password expiration (days) - Enter the number of days until an end user's password must be changed (from 1-255).
  • Required password type - Select the type of password that must be set on the device. Choose from:
    • Device default
    • Low security biometric
    • Required
    • At least numeric
    • Numeric complex - (repeating or consecutive numbers like '1111' or '1234' are not allowed)
    • At least alphabetic
    • At least alphanumeric
    • At least alphanumeric with symbols
  • Prevent reuse of previous passwords - Enter the number of new passwords that must have been used before an old one can be reused (from 1-24).
  • Fingerprint unlock - Blocks an end user from using the device fingerprint scanner to unlock it.
  • Smart Lock and other trust agents - Lets you control the Smart Lock feature on compatible devices. This phone capability, sometimes known as a trust agent, lets you disable or bypass the device lock screen password if the device is in a trusted location (for example, when it's connected to a specific Bluetooth device, or when it's close to an NFC tag). You can use this setting to prevent users from configuring Smart Lock.

System security

  • Threat scan on apps - Enforce that the Verify Apps setting is on for work and personal profiles.

    Note

    This setting will only work for devices that are Android O and above.
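
A pre-deployment review of a planned profile against the ranges and options listed above, as an added example that is not Microsoft's code. The dictionary layout and key names are hypothetical (they are not Intune or Graph API fields); the option strings and numeric limits are the ones on this page.

```python
# Added example. Key names are hypothetical (not Intune or Graph API fields);
# option strings and numeric ranges are the ones listed on this page.
RANGES = {
    "work_profile_password.min_length": (4, 16),
    "work_profile_password.expiration_days": (1, 255),
    "work_profile_password.prevent_reuse": (1, 24),
    "device_password.min_length": (4, 14),
    "device_password.expiration_days": (1, 255),
    "device_password.prevent_reuse": (1, 24),
}

def review_profile(profile):
    """Return a list of findings for a profile written as nested dicts."""
    findings = []
    for dotted, (lo, hi) in RANGES.items():
        section, key = dotted.split(".")
        value = profile.get(section, {}).get(key)
        if value is None:
            continue  # setting left unconfigured, nothing to range-check
        if not isinstance(value, int) or not lo <= value <= hi:
            findings.append(f"{dotted}: {value!r} is outside the allowed {lo}-{hi}")
    wp = profile.get("work_profile", {})
    if wp.get("copy_paste") != "Block":
        findings.append("work_profile.copy_paste: copy and paste between profiles is not blocked")
    if wp.get("data_sharing") == "Allow sharing across boundaries":
        findings.append("work_profile.data_sharing: managed apps can share with unmanaged apps")
    if wp.get("default_app_permissions") == "Auto grant":
        findings.append("work_profile.default_app_permissions: granted without a prompt")
    for section in ("work_profile_password", "device_password"):
        if not profile.get(section, {}).get("block_smart_lock", False):
            findings.append(f"{section}.block_smart_lock: trust agents can bypass the password")
    return findings

# Constructed sample profile, not an export from a real tenant.
SAMPLE_PROFILE = {
    "work_profile": {"copy_paste": "Not configured",
                     "data_sharing": "Allow sharing across boundaries",
                     "default_app_permissions": "Auto grant"},
    "work_profile_password": {"min_length": 6, "expiration_days": 90,
                              "prevent_reuse": 5, "block_smart_lock": True},
    "device_password": {"min_length": 16, "expiration_days": 365,
                        "block_smart_lock": False},
}

if __name__ == "__main__":
    for finding in review_profile(SAMPLE_PROFILE):
        print(finding)
```

The device password length of 16 is flagged because the device limit is 4-14, while the same value would be valid for the work profile password (4-16).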

Next steps

Use the information in the topic How to configure device restriction settings to save the profile and assign it to users and devices.