Configure device compliance and app management policies

The main goal when migrating to Intune is to have all devices enrolled in Intune and compliant with its policies. Device policies help you manage not only corporate-owned single-user devices, but also personal (BYOD) devices and shared devices such as kiosks, point-of-sale machines, tablets shared by multiple students in a classroom, or user-less devices (iOS only).

Each device platform may offer different settings, but Intune device policies work with each device platform by providing the following mobile device management capabilities:

  • Regulate the number of devices each user enrolls.

  • Manage device settings (for example, device-level encryption, password length, camera usage).

  • Deliver apps, email profiles, VPN profiles, and so on.

  • Evaluate device-level criteria for security compliance policies.

Important

Device management policies are not assigned directly to individual devices or users, but instead are assigned to groups. A policy may be applied to a user group, and thereby to the users' devices, or it may be applied to a device group, and thereby to the group's members.

Task list for device compliance policies

Task 1: Add device groups (optional)

You can create device groups when you need to perform administrative tasks based on device identity instead of user identity.

Device groups are useful for managing devices that do not have dedicated users, such as kiosk devices, devices shared by shift workers, or devices assigned to a specific location.

By configuring device groups ahead of device enrollment, you can use device categories to automatically join devices to groups upon enrollment. They then receive their group's device policies automatically. Get started with groups.

Task 2: Use resource access profiles (Wi-Fi, VPN, and email certificates)

Resource access profiles supply certificates and access configurations to enrolled devices. If you are using certificate-based authentication, configure certificates.

Task 3: Create and deploy device configuration profiles

You need to create a device configuration profile to enforce device-level settings, for example: disable the camera or the app store, configure single-app mode, the home screen, and so on. Learn about device profiles.

Directly import iOS configuration profiles (optional)

  • Apple Configurator iOS profiles (iOS 7.1 and later): If your existing MDM solution uses Apple Configurator profiles (.mobileconfig files), Intune can directly import them as custom configuration policies.

  • iOS Mobile Application Configuration policies: If your existing MDM solution uses iOS Mobile Application Configuration policies, Intune can directly import them as long as they meet the XML format specified by Apple for property lists.

  • Learn how to add a custom policy for iOS.
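Before importing profiles exported from an existing MDM solution, it helps to confirm that each file really is an XML property list and to see which payload types it carries. The following is an added example, not part of the original page or of Intune; the function name `inspect_profile`, the sample profile, and the list of required top-level keys (taken from Apple's configuration profile format) are assumptions of the example.

```python
import plistlib

# Top-level keys that Apple's configuration profile format marks as required
# (assumption of this example; check Apple's reference for your OS version).
REQUIRED_KEYS = ("PayloadIdentifier", "PayloadType", "PayloadUUID", "PayloadVersion")


def inspect_profile(data: bytes):
    """Return (problems, payload_types) for a candidate .mobileconfig file."""
    if data.startswith(b"bplist00"):
        return ["binary plist, not the XML format"], []
    try:
        root = plistlib.loads(data, fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML, or a signed (CMS-wrapped) profile
        return [f"not a parseable XML plist: {exc}"], []
    if not isinstance(root, dict):
        return ["top-level plist object is not a dictionary"], []

    problems = [f"missing top-level key: {k}" for k in REQUIRED_KEYS if k not in root]
    if root.get("PayloadType", "Configuration") != "Configuration":
        problems.append("top-level PayloadType is not 'Configuration'")

    content = root.get("PayloadContent", [])
    if not isinstance(content, list):
        problems.append("PayloadContent is not an array")
        content = []
    # Inventory of what the profile would configure, for review before import.
    types = [p.get("PayloadType", "<none>") for p in content if isinstance(p, dict)]
    return problems, types


# Constructed sample profile (illustrative identifiers, not from a real tenant).
SAMPLE = plistlib.dumps({
    "PayloadIdentifier": "com.example.profile.wifi",
    "PayloadType": "Configuration",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.profile.wifi.1",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
    }],
})

if __name__ == "__main__":
    print(inspect_profile(SAMPLE))
```

The payload-type inventory is the part worth reviewing: it shows whether a migrated profile carries settings (Wi-Fi, VPN, certificates) that you intended to deliver through Intune resource access profiles instead.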

Task 4: Create and deploy device compliance policies (optional)

Device compliance policies evaluate security-oriented settings and provide reporting that shows whether devices are compliant with corporate standards. Such settings include:

  • PIN length

  • Jailbroken status

  • OS version

See additional resources for device compliance settings:

Task 5: Publish and deploy apps

When using Intune MDM, you can supply apps by either requiring their automatic installation or making them available in the Company Portal.

Task 6: Enable device enrollment

Device enrollment is necessary to manage the device. Learn how to get ready to enroll corporate-owned devices and users' personal devices.

Next steps

Configure app protection policies (optional).
