Work device restriction settings in Intune

This article lists the Microsoft Intune device restrictions settings that you can configure for Android work profile devices.

Work profile settings

General Settings

  • Copy and paste between work and personal profiles: Controls copy and paste between work and personal apps. Choose Block to enable blocking. Choose Not configured to disable blocking.

  • Data sharing between work and personal profiles: Controls whether apps in the work profile can share with apps in the personal profile. This setting controls sharing actions within applications (for example, the Share… option in the Chrome browser app), and does not apply to copy/paste clipboard behavior. Unlike app protection policy settings, device restriction settings are managed from the Intune portal, and use the Android work profile partition to isolate managed apps. Choose from:

    • Default sharing restrictions: The default sharing behavior of the device, which varies depending on the Android version. By default, sharing from the personal profile to the work profile is allowed. Also by default, sharing from the work profile to the personal profile is blocked. This setting prevents sharing of data from the work to the personal profile. Google does not provide a way to block sharing from the personal profile to the work profile on devices running versions 6.0 and later.
    • Apps in work profile can handle sharing request from personal profile: Enables the built-in Android feature that allows sharing from the personal to the work profile. When enabled, a sharing request from an app in the personal profile can share with apps in the work profile. This setting is the default behavior for Android devices running versions earlier than 6.0.
    • Allow sharing across boundaries: Enables sharing across the work profile boundary in both directions. When you select this setting, apps in the work profile can share data with unbadged apps in the personal profile. Use this setting carefully, as it allows managed apps in the work profile to share with apps on the unmanaged side of the device.
  • Work profile notifications while device locked: Controls whether apps in the work profile can display data in notifications when the device is locked.

  • Default app permissions: Sets the default permission policy for all apps in the work profile. Starting with Android 6, the user is prompted to grant certain permissions required by apps when the app is launched. This policy setting lets you decide if users are prompted to grant permissions for all apps in the work profile. For example, you assign an app to the work profile that requires location access. Normally that app prompts the user to approve or deny location access to the app. This policy lets you decide if all permissions should be auto-granted without a prompt, auto-denied without a prompt, or left for the end user to decide. Choose from:

    • Device default

    • Prompt

    • Auto grant

    • Auto deny

      The grant state for permissions can be further defined for specific apps by using an App Configuration policy for an individual app (under Mobile Apps > App configuration policies).

  • Add and remove accounts

    Prevents end users from manually adding or removing accounts in the work profile.

    For example, when you deploy the Gmail app into an Android work profile, you can prevent end users from adding or removing accounts in this work profile.

  • Contact sharing via Bluetooth: Enables access to work contacts from another device, such as a car, that is paired using Bluetooth. By default, this setting is not configured, and work profile contacts aren't shown. Select Enable to allow this sharing, and show work profile contacts. This setting applies to Android work profile devices on Android OS v6.0 and newer. Enabling this may allow certain Bluetooth devices to cache work contacts upon first connection. Disabling this policy after an initial pairing/sync may not remove work contacts from a Bluetooth device.

  • Screen capture: Blocks screen capture on the device in the work profile. It also prevents the content from being shown on display devices that don't have a secure video output.

  • Display work contact caller-id in personal profile: When enabled (Not configured), the work contact caller details are displayed in the personal profile. When blocked, the work contact caller number is not displayed in the personal profile. Applies to Android OS v6.0 and newer versions.

  • Camera: Blocks the camera on the device in the work profile. The camera on the personal side is not affected by the setting.

Work profile password

  • Require Work Profile Password: Applies to Android 7.0 and above with work profile enabled. Define a passcode policy that applies only to the apps in the work profile. By default, the end user can use the two separately defined PINs, or users can choose to combine the PINs into the stronger of the two PINs.
  • Minimum password length: Enter the minimum number of characters the user's password must contain (from 4-16).
  • Maximum minutes of inactivity until work profile locks: Select the amount of time before the work profile locks. The user must then enter their credentials to regain access.
  • Number of sign-in failures before wiping device: Enter the number of times an incorrect password can be entered before the work profile is wiped from the device.
  • Password expiration (days): Enter the number of days until an end user's password must be changed (from 1-255).
  • Required password type: Select the type of password that must be set on the device. Choose from:
    • Device default
    • Low security biometric
    • Required
    • At least numeric
    • Numeric complex: Repeating or consecutive numbers like '1111' or '1234' are not allowed
    • At least alphabetic
    • At least alphanumeric
    • At least alphanumeric with symbols
  • Prevent reuse of previous passwords: Enter the number of new passwords that must be used before an old password can be reused (from 1-24).
  • Fingerprint unlock: Blocks end users from using the device fingerprint scanner to unlock the device.
  • Smart Lock and other trust agents: Controls the Smart Lock feature on compatible devices. This phone capability, sometimes known as a trust agent, lets you disable or bypass the work profile password if the device is in a trusted location. For example, when it's connected to a specific Bluetooth device, or when it's close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.

Device password

  • Minimum password length: Enter the minimum number of characters the user's password must contain (from 4-14).
  • Maximum minutes of inactivity until screen locks: Select the amount of time before an inactive device automatically locks.
  • Number of sign-in failures before wiping device: Enter the number of times an incorrect password can be entered before all data is wiped from the device.
  • Password expiration (days): Enter the number of days until an end user's password must be changed (from 1-255).
  • Required password type: Select the type of password that must be set on the device. Choose from:
    • Device default
    • Low security biometric
    • Required
    • At least numeric
    • Numeric complex: Repeating or consecutive numbers like '1111' or '1234' are not allowed
    • At least alphabetic
    • At least alphanumeric
    • At least alphanumeric with symbols
  • Prevent reuse of previous passwords: Enter the number of new passwords that must be used before an old password can be reused (from 1-24).
  • Fingerprint unlock: Blocks an end user from using the device fingerprint scanner to unlock the device.
  • Smart Lock and other trust agents: Controls the Smart Lock feature on compatible devices. This phone capability, sometimes known as a trust agent, lets you disable or bypass the device lock screen password if the device is in a trusted location. For example, when it's connected to a specific Bluetooth device, or when it's close to an NFC tag. Use this setting to prevent users from configuring Smart Lock.

System security

  • Threat scan on apps: Enforces that the Verify Apps setting is turned on for work and personal profiles.

    Note

    This setting only works for devices that are Android O and above.

Next step

To save and assign the profile to users and devices, see Configure device restriction settings.
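
Before a profile is assigned, the numeric ranges, the two settings this article attaches cautions to, and the Android-version notes can be checked mechanically. The following is an added example, not Microsoft's code or an Intune export format: the dictionary keys, the value strings and the function name lint_profile are hypothetical, and Android O is taken to be version 8.0.

```python
# Added example; key names and value strings are hypothetical, not Intune's.
RANGES = {  # documented (min, max) values
    "work_profile.min_password_length": (4, 16),
    "work_profile.password_expiration_days": (1, 255),
    "work_profile.password_reuse_count": (1, 24),
    "device.min_password_length": (4, 14),
    "device.password_expiration_days": (1, 255),
    "device.password_reuse_count": (1, 24),
}
CAUTIONS = {  # (key, value) -> the caveat this article gives for that choice
    ("data_sharing", "allow_across_boundaries"):
        "work apps can share with apps on the unmanaged side of the device",
    ("bluetooth_contact_sharing", "enable"):
        "paired devices may cache work contacts; disabling later may not remove them",
}
MIN_ANDROID = {  # setting -> lowest Android version it applies to
    "bluetooth_contact_sharing": 6.0,
    "block_work_caller_id_in_personal": 6.0,
    "work_profile.require_password": 7.0,
    "threat_scan_on_apps": 8.0,  # the article says "Android O"
}

def lint_profile(profile, oldest_android):
    """Return sorted (severity, key, message) findings for one profile dict."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        value = profile.get(key)
        if value is None:
            continue  # not configured
        if type(value) is not int or not lo <= value <= hi:
            findings.append(("error", key, f"{value!r} is outside {lo}-{hi}"))
    for (key, choice), why in CAUTIONS.items():
        if profile.get(key) == choice:
            findings.append(("warn", key, why))
    for key, version in MIN_ANDROID.items():
        if key in profile and oldest_android < version:
            findings.append(("info", key, f"applies only to Android {version} and newer"))
    return sorted(findings)

SAMPLE = {  # constructed sample, not a real Intune export
    "data_sharing": "allow_across_boundaries",
    "bluetooth_contact_sharing": "enable",
    "work_profile.min_password_length": 6,
    "device.min_password_length": 16,  # valid for the work profile, not the device
    "device.password_reuse_count": 0,
    "threat_scan_on_apps": "require",
}
```

Calling lint_profile(SAMPLE, oldest_android=7.0) reports the two out-of-range device password values, the two cautioned sharing choices, and that the threat scan setting will not apply to the oldest devices in the fleet.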