Create a design

Your Intune design is based on the information you collect and the decisions you make while completing the other sections of this guide. It helps you bring together:

  • The current environment

  • Intune deployment options

  • Identity requirements for external dependencies

  • Device platform considerations

  • Requirements to be delivered

Although the on-premises infrastructure requirements are minimal, a design plan is still useful to make sure you end up with a mobile device management solution that meets your goals, objectives, and requirements. It is also common for the design to change during the implementation and testing phases. Use the design plan to document those changes, and the rationale behind them, as they occur.

Let's review each of these areas in more detail.

Record your current environment

Your current environment can influence design decisions, so it should be documented and referenced when you make other Intune design decisions. Below are a few examples of how to record the current environment:

  • Identity in the cloud

    • Do you use DirSync or Azure Active Directory (Azure AD) Connect?

    • Is your environment federated?

    • Is multi-factor authentication (MFA) enabled?

  • Email environment

    • Do you use Exchange? Is it on-premises or in the cloud?

    • Are you in the middle of a project to migrate Exchange to the cloud?

  • Current mobile device management (MDM) solution

    • Are you currently using other MDM solutions?

    • Which MDM solutions do you use for corporate and BYOD use-case scenarios?

    • Which capabilities are you using (for example, app and device settings, Wi-Fi configurations)?

    • Which device platforms are supported?

    • Which groups, and how many users, use the MDM solution?

  • Certificate solution

    • Have you implemented a certificate solution?

    • What types of certificates do you use?

  • Systems management

    • How are you managing your PC and server environment?

    • Are you using System Center Configuration Manager? Are you using a third-party systems management platform?

  • VPN solution

    • What is your VPN solution?

    • Do you use it for both corporate and BYOD use-case scenarios?

When recording the current MDM environment, make sure to note any projects or other plans already in place that could affect your environment. Below is an example of one way to record the current environment when creating your Intune design:

| Solution area | Current environment | Comments |
| --- | --- | --- |
| Identity | Azure AD, Azure AD Connect, not federated, no MFA | Project in place to enable MFA by end of year |
| Email environment | Exchange on-premises, Exchange Online | Currently migrating from Exchange on-premises to Exchange Online. 75% of mailboxes migrated; the last 25% will be migrated before the Intune pilot begins. |
| SharePoint | SharePoint on-premises | No plans to move to SharePoint Online |
| Current MDM | Exchange ActiveSync | |
| Certificate solution | Windows Server 2012 R2, AD Certificate Services | PKI is used only for web site servers |
| Systems management | System Center Configuration Manager CB 1606 | Would like to investigate the Intune hybrid solution |
| VPN solution | Cisco AnyConnect | |

You can download a template of the above table to develop your Intune design plan.

Choose an Intune deployment option

Intune offers two deployment options: standalone and hybrid. Standalone refers to the Intune service running in the cloud; hybrid refers to the integration of Intune with System Center Configuration Manager. This guide is intended primarily for the standalone option. Decide which option fits your business requirements.

Intune tenant location

If your organization has a global presence, make sure to plan where your tenant will reside when you subscribe to the service. The country is defined when you sign up for an Intune subscription for the first time, and it maps to one of the following regions around the world:

  • North America

  • Europe, Middle East, and Africa

  • Asia and Pacific

Important

It is not possible to change the country and tenant location later.

External dependencies

External dependencies are services and products that are separate from Intune but are either a requirement of Intune or might integrate with it. It is important to identify the requirements for any external dependencies and how to configure them. Some common external dependencies are:

  • Identity

  • User and device groups

  • Public key infrastructure (PKI)

Let's explore these common external dependencies in more detail.

Identity

Identity is how we identify the users who belong to your organization and are enrolling a device. Intune requires Azure Active Directory (Azure AD) as the user identity provider. If you already use this service, you can use the identities you already have in the cloud. Azure AD Connect is the recommended tool to synchronize your on-premises user identities with Microsoft cloud services. If your organization is already using Office 365, it is important for Intune to use the same Azure AD environment.

Learn more about Intune identity requirements in the Intune documentation.

User and device groups

User and device groups determine the target of a deployment, including policies, applications, and profiles. You need to determine which user and device groups will be required.

We recommend that you create all groups in the on-premises Active Directory and then synchronize them to Azure AD. Learn more about user and device group planning and creation in the Intune documentation.

Public key infrastructure (PKI)

A public key infrastructure supplies certificates to devices or users so they can authenticate securely to a service. Intune supports a Microsoft PKI infrastructure. Device and user certificates can be issued to a mobile device to satisfy certificate-based authentication requirements. Before you use certificates, determine whether you need them, whether the network infrastructure can support certificate-based authentication, and whether certificates are already used in the existing environment.

If you plan to use certificates with VPN, Wi-Fi, or email profiles in Intune, make sure you have a supported PKI infrastructure in place, ready to create and deploy certificate profiles.

In addition, if SCEP certificates will be issued, you need to determine which server will host the Network Device Enrollment Service (NDES) role and how the communication with it will take place.

Learn more about certificate profiles and NDES in the Intune documentation.

Device platform considerations

Take a closer look at the following aspects of your devices to understand how to manage them correctly.

  • Supported device platforms

  • Devices

  • Device ownership

  • Bulk enrollment

Let's review these areas in more detail.

Determine supported device platforms

You need to know which devices will be in the environment and verify whether Intune supports them when creating your design. Intune supports the iOS, Android, and Windows platforms.

See the complete list of Intune-supported devices.

Devices

Intune manages mobile devices to secure corporate data and allow end users to work from more locations. Intune supports many device platforms, so we recommend that you document the devices, OS platforms, and versions that will be supported in your organization's design. For example:

| Device platform | OS versions |
| --- | --- |
| iOS - iPhone | 9.0+ |
| iOS - iPad | 8.0+ |
| Android - Samsung Knox Standard | 4.0+ |
| Windows 10 tablet | 10+ |

You can download a template of the above table to develop your list of devices.

Device ownership

Intune supports both corporate-owned and personal devices. A device is considered corporate-owned if you enroll it through a device enrollment manager account or a device enrollment program. For example, a device enrolled through the Apple Device Enrollment Program (DEP) is marked as corporate and placed in a device group that receives the targeted corporate policies and apps.

Refer to Section 3: Determine use case scenario requirements for more information about corporate and BYOD use cases.

Bulk enrollment

You can enroll devices in bulk in different ways depending on the platform. If you require bulk enrollment, decide on the bulk enrollment method first and incorporate it into your design.

Feature requirements

In these sections, we review the following features and capabilities that align with your use case scenario requirements:

  • Terms and conditions policies

  • Configuration policies

  • Resource profiles

  • Apps

  • Compliance policies

  • Conditional access

Let's review each of these areas in more detail.

Terms and conditions policies

You can use terms and conditions to explain the policies or conditions that an end user must accept before they can enroll their device. Intune supports adding and deploying multiple terms and conditions policies to user groups.

You need to determine whether terms and conditions policies are needed and, if so, who in the organization will be responsible for providing this content. An example of how to document the terms and conditions policy is below.

| Terms and conditions name | Use case | Targeted group |
| --- | --- | --- |
| Corporate T&C | Corporate | Corporate users |
| BYOD T&C | BYOD | BYOD users |

You can download a template of the above table to map your terms and conditions to your user groups.

Configuration policies

Use configuration policies to manage security settings and features on a device. When designing your configuration policies, refer to the use case requirements section to determine the configurations required for Intune devices. Document the settings and how they should be configured, and document which user or device groups they will be targeted to.

You should create at least one configuration policy per platform, and you can create several per platform if needed. Below is an example of four configuration policies designed for different platforms and use-case scenarios.

| Policy name | Device platform | Settings | Target group |
| --- | --- | --- | --- |
| Corporate - iOS | iOS | PIN required, length 6, restrict cloud backup | Corporate devices |
| Corporate - Android | Android | PIN required, length 6, restrict cloud backup | Corporate devices |
| BYOD - iOS | iOS | PIN required, length 4 | BYOD devices |
| BYOD - Android | Android | PIN required, length 4 | BYOD devices |

You can download a template of the above table to identify your configuration policy needs.

Profiles

Use profiles to help end users connect to company data. Intune supports many types of profiles. Refer to the use cases and requirements to determine when the profiles will be configured. All device profiles are categorized by platform type and should be included in the design documentation.

  • Certificate profiles

  • Wi-Fi profile

  • VPN profile

  • Email profile

Let's review each type of profile in more detail.

Certificate profiles

Certificate profiles allow Intune to issue a certificate to a user or device. Intune supports the following:

  • Simple Certificate Enrollment Protocol (SCEP)

  • Trusted root certificate

  • PFX certificate

We recommend that you document which user groups need a certificate, how many certificate profiles you need, and which user groups to deploy them to.

Note

Remember that a SCEP certificate is only usable if the device also trusts the root of the chain that issued it, so make sure every user targeted for the SCEP certificate also receives the trusted root certificate profile. If you need SCEP certificates, design and document which SCEP certificate templates you need.

Here is an example of how you can document the certificates during the design:

| Type | Profile name | Device platform | Use cases |
| --- | --- | --- | --- |
| Root CA | Corporate Root CA | Android, iOS, Windows Mobile | Corporate, BYOD |
| SCEP | User Certificate | Android, iOS, Windows Mobile | Corporate, BYOD |

You can download a template of the above table to identify your certificate profile needs.
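Two rules in this guide are easy to violate once the design tables grow: every supported platform needs at least one configuration policy, and every group that receives a SCEP profile must also receive the trusted root profile. The following Python script is an added example, not anything shipped with Intune; it encodes the example tables from this guide and checks them. The group targets on the certificate profiles and the platform name "Windows 10 Mobile" are assumptions made for the example (the guide's certificate table lists use cases, not groups), chosen so that one of the checks fires.

```python
"""Consistency checks over a documented Intune design. Added example, not
Intune tooling; the tables below are constructed copies of the examples in
this guide, with group targets filled in as assumptions."""

# Platforms the design says it supports (assumed names for the example).
SUPPORTED_PLATFORMS = {"iOS", "Android", "Windows 10 Mobile"}

# Configuration policies: policy name -> platform, from the guide's table.
CONFIG_POLICIES = {
    "Corporate - iOS": "iOS",
    "Corporate - Android": "Android",
    "BYOD - iOS": "iOS",
    "BYOD - Android": "Android",
}

# Certificate profiles: name -> (type, platforms, targeted groups).
# The group targets are assumptions; the guide lists only use cases.
CERT_PROFILES = {
    "Corporate Root CA": ("Trusted Root",
                          {"iOS", "Android", "Windows 10 Mobile"},
                          {"Corporate users"}),
    "User Certificate": ("SCEP",
                         {"iOS", "Android", "Windows 10 Mobile"},
                         {"Corporate users", "BYOD users"}),
}


def check_config_policy_coverage(policies, supported):
    """Return the supported platforms that have no configuration policy at all."""
    covered = set(policies.values())
    return sorted(supported - covered)


def check_scep_root_coverage(profiles):
    """A SCEP certificate is useless on a device that does not trust the issuing
    chain, so every (group, platform) targeted by a SCEP profile must also be
    targeted by a Trusted Root profile. Returns the pairs that are missing one."""
    missing = set()
    for ptype, platforms, groups in profiles.values():
        if ptype != "SCEP":
            continue
        for platform in platforms:
            for group in groups:
                has_root = any(
                    t == "Trusted Root" and platform in plats and group in grps
                    for t, plats, grps in profiles.values()
                )
                if not has_root:
                    missing.add((group, platform))
    return sorted(missing)


def check_unknown_platforms(policies, profiles, supported):
    """Return platform names used in policies or profiles that the design never declared."""
    used = set(policies.values())
    for _, platforms, _ in profiles.values():
        used |= platforms
    return sorted(used - supported)


def run_checks():
    """Run every check over the example design and return the findings."""
    return {
        "platforms_without_config_policy":
            check_config_policy_coverage(CONFIG_POLICIES, SUPPORTED_PLATFORMS),
        "scep_targets_without_root":
            check_scep_root_coverage(CERT_PROFILES),
        "unknown_platforms":
            check_unknown_platforms(CONFIG_POLICIES, CERT_PROFILES, SUPPORTED_PLATFORMS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings or 'OK'}")
```

On the example design this reports two findings a reviewer would flag: the Windows platform has no configuration policy, and BYOD users on every platform would receive a SCEP certificate without the root that makes it trusted. Keeping the design tables in a machine-readable form like this lets the check be rerun every time the design changes during implementation and testing.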

Wi-Fi profile

Wi-Fi profiles are used to connect a mobile device to a wireless network automatically. Intune supports deploying Wi-Fi profiles to all supported platforms. Learn more about how Intune supports Wi-Fi profiles.

Below is an example of a design for Wi-Fi profiles:

| Type | Profile name | Device platform | Use cases |
| --- | --- | --- | --- |
| Wi-Fi | Asia Wi-Fi profile | Android | Corporate, BYOD; Asia region |
| Wi-Fi | North America Wi-Fi profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD; North America region |

You can download a template of the above table to identify your Wi-Fi profile needs.

VPN profile

VPN profiles let users securely access your network from remote locations. Intune supports VPN profiles for native mobile VPN connections and for third-party vendors. Learn more about the VPN profiles and vendors supported by Intune.

Below is an example of documenting the design of VPN profiles.

| Type | Profile name | Device platform | Use cases |
| --- | --- | --- | --- |
| VPN | Cisco AnyConnect VPN profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD; North America and Germany |
| VPN | Pulse Secure | Android | Corporate, BYOD; Asia region |

You can download a template of the above table to identify your VPN profile needs.

Email profile

Email profiles allow an email client to be set up automatically with connection information and email configuration. Intune supports email profiles on some devices. Learn more about email profiles and which platforms are supported.

Below is an example of documenting the design of email profiles:

| Type | Profile name | Device platform | Use cases |
| --- | --- | --- | --- |
| Email profile | iOS email profile | iOS | Corporate - information workers; BYOD |
| Email profile | Android Knox email profile | Android Knox | BYOD |

You can download a template of the above table to identify your email profile needs.

Apps

You can use Intune to deliver apps to users or devices in several ways. App types include software installer apps, apps from a public app store, external links, and managed iOS apps. In addition to individual app deployments, you can manage and deploy volume-purchased apps obtained through the volume-purchase programs for iOS and Windows. Learn more about app deployment in the Intune documentation.

App type requirements

Since apps can be deployed to users and devices, we recommend that you decide which applications will be managed by Intune. While gathering the list, try to answer the following questions:

  • Do the apps require integration with cloud services?

  • Will all apps be available to BYOD users?

  • Which deployment options are available for these apps?

  • Does your company need to give partners access to data in software-as-a-service (SaaS) apps?

  • Do the apps require internet access from users' devices?

  • Are the apps publicly available in an app store, or are they custom line-of-business (LOB) apps?

App protection policies

App protection policies minimize data loss by defining how an application handles corporate data. Intune supports app protection policies for any application built to work with mobile application management. When you design an app protection policy, decide which restrictions you want to place on corporate data in a given app. We recommend that you review how app protection policies work. Below is an example of how to document the existing applications and the protection each needs.

| Application | Purpose | Platforms | Use case | App protection policy |
| --- | --- | --- | --- | --- |
| Outlook Mobile | Available | iOS | Corporate - executives | Block on jailbroken devices, encrypt files |
| Word | Available | iOS, Android (Samsung Knox and non-Knox), Windows 10 Mobile | Corporate, BYOD | Block on jailbroken devices, encrypt files |

You can download a template of the above table to identify your app protection policy needs.

Compliance policies

Compliance policies determine whether a device conforms to certain requirements. Intune uses compliance policies to decide whether a device is considered compliant or non-compliant, and that compliance status can then be used to restrict or allow access to company resources. If conditional access is required, we recommend that you design a device compliance policy.

Refer to the requirements and use cases to determine how many device compliance policies you need and which user groups they target. You also need to decide how long a device can go without checking in before it is considered non-compliant.

Below is an example of how to design a compliance policy:

| Policy name | Device platform | Settings | Target group |
| --- | --- | --- | --- |
| Compliance policy | iOS, Android (Samsung Knox and non-Knox), Windows 10 Mobile | PIN required, device must not be jailbroken | Corporate, BYOD |

You can download a template of the above table to identify your compliance policy needs.

Conditional access policies

Conditional access is used to allow only compliant devices to access email and other company resources. Intune works with Enterprise Mobility + Security (EMS) to control access to company resources. You need to decide whether conditional access is required and what must be secured. Learn more about conditional access in the Intune documentation.

For online access, decide which platforms and user groups will be targeted by conditional access policies. Also determine whether you need to install or configure the Intune Exchange connector, either the service-to-service connector for Exchange Online or the on-premises connector for Exchange on-premises. Learn more about installing and configuring the Intune Exchange connectors in the Intune documentation.

Here is an example of how to document conditional access policies:

| Service | Platforms for modern authentication | Basic authentication | Use cases |
| --- | --- | --- | --- |
| Exchange Online | iOS, Android | Block non-compliant devices on platforms supported by Intune | Corporate, BYOD |
| SharePoint Online | iOS, Android | | Corporate, BYOD |

You can download a template of the above table to identify your conditional access policy needs.
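As an added example, not Intune code, here is a small Python model of the decisions the compliance and conditional access tables above describe: a compliance evaluation with the PIN, jailbreak and offline-threshold settings, and a conditional access decision that applies the per-service rules. The 30-day offline threshold, the device records and the fixed clock are constructed for the example. The basic-authentication cell for SharePoint Online is blank in the table, so the model treats it as not configured and allows the request; that is exactly the kind of gap a design document should state explicitly rather than leave implied.

```python
"""Toy model of the compliance-policy and conditional-access decisions
described in the two tables above. Added example, not Intune code; the
thresholds, device records and clock are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Platforms Intune can evaluate for compliance (assumption for the example).
SUPPORTED_PLATFORMS = {"iOS", "Android", "Windows 10 Mobile"}


@dataclass
class Device:
    name: str
    platform: str
    enrolled: bool          # enrolled in Intune MDM
    pin_set: bool           # device PIN configured
    jailbroken: bool        # jailbroken or rooted
    last_checkin: datetime  # last time the device reported to the MDM service


@dataclass
class CompliancePolicy:
    require_pin: bool = True
    block_jailbroken: bool = True
    max_offline_days: int = 30  # design decision: days without check-in before non-compliant


def evaluate_compliance(device, policy, now):
    """Return (compliant, reasons). Every failing setting is reported so the
    user can be told what to fix, not just that access was blocked."""
    if not device.enrolled:
        # An unenrolled device reports nothing, so it can never be compliant.
        return False, ["not enrolled"]
    reasons = []
    if policy.require_pin and not device.pin_set:
        reasons.append("PIN not set")
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("device is jailbroken or rooted")
    if now - device.last_checkin > timedelta(days=policy.max_offline_days):
        reasons.append(f"no check-in for more than {policy.max_offline_days} days")
    return not reasons, reasons


# Conditional access design from the table: which platforms the modern-auth
# rule targets per service, and whether basic auth from non-compliant devices
# is blocked. The SharePoint Online basic-auth cell is blank in the table,
# so it is modelled as "not configured" here.
CA_POLICIES = {
    "Exchange Online": {"modern_auth_platforms": {"iOS", "Android"},
                        "block_basic_noncompliant": True},
    "SharePoint Online": {"modern_auth_platforms": {"iOS", "Android"},
                          "block_basic_noncompliant": False},
}


def access_decision(device, service, auth, policy, now):
    """Return ("allow" | "block", reasons) for one access attempt."""
    ca = CA_POLICIES[service]
    compliant, reasons = evaluate_compliance(device, policy, now)
    if auth == "modern":
        if device.platform in ca["modern_auth_platforms"] and not compliant:
            return "block", reasons
        return "allow", []
    if auth == "basic":
        if (ca["block_basic_noncompliant"]
                and device.platform in SUPPORTED_PLATFORMS and not compliant):
            return "block", reasons
        return "allow", []
    raise ValueError(f"unknown authentication type: {auth}")


NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)  # fixed clock, constructed
SAMPLE_DEVICES = [  # constructed records, not real inventory
    Device("exec-iphone", "iOS", True, True, False, NOW - timedelta(days=2)),
    Device("stale-android", "Android", True, True, False, NOW - timedelta(days=45)),
    Device("rooted-android", "Android", True, True, True, NOW - timedelta(days=1)),
    Device("unenrolled-ipad", "iOS", False, False, False, NOW - timedelta(days=400)),
]


def run_examples(service="Exchange Online"):
    """Decide every sample device under both auth types; returns {(name, auth): decision}."""
    policy = CompliancePolicy()
    return {(d.name, auth): access_decision(d, service, auth, policy, NOW)[0]
            for d in SAMPLE_DEVICES for auth in ("modern", "basic")}


if __name__ == "__main__":
    for (name, auth), decision in run_examples().items():
        print(f"{name:16} {auth:7} -> {decision}")
```

Only the compliant, recently checked-in iPhone gets through; the device that has been offline for 45 days is blocked even though its PIN and jailbreak state are fine, which is why the offline threshold is a design decision worth recording next to the other settings. Replace the constructed records with an export of your device inventory to dry-run a proposed policy before enabling conditional access.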

Next steps

The next section provides guidance on the Intune implementation process.