Create a design

Applies to: Intune
This topic applies to Intune in both the Azure portal and the classic console.

This section of the guide should be used in parallel with the other topics in Section 2. The design is based on the information you collect and the decisions you make when completing the previous sections of this guide. In this design section, we focus on Intune standalone, which is a Microsoft cloud-based service.

Although there are minimal on-premises infrastructure requirements, work on a design plan to make sure you have the right mobile device management solution, one that meets your goals, objectives, and requirements.

Additionally, it's common to have design changes during the implementation and testing phases; make sure to document these changes and the rationale behind them as they occur. The design includes the following areas:

  • The current environment

  • Intune deployment options

  • Identity requirements for external dependencies

  • Device platform considerations

  • Requirements to be delivered

Let's review each of these areas in more detail.

Record your environment

The first step before you can create your design is to record your current environment. The current environment can influence design decisions, so it should be documented and referenced when making other Intune design decisions. Below are a few examples of how to record the current environment:

  • Identity in the cloud

    • Do you use DirSync or Azure Active Directory (Azure AD) Connect?

    • Is your environment federated?

    • Is multi-factor authentication enabled?

  • Email environment

    • Is Exchange being used, and is it on-premises or in the cloud?

    • Are you in the middle of a project to migrate Exchange to the cloud?

  • Current MDM solution

    • Are you currently using other MDM solutions?

    • What MDM solutions are you using for corporate and BYOD use case scenarios?

    • What capabilities are you using (for example, app device settings, Wi-Fi configurations, and so on)?

    • What device platforms are supported?

    • Which groups, and how many users, are using the MDM solution?

  • Certificate solution

    • Have you implemented a certificate solution?

    • What type of certificates do you use?

  • Systems management

    • How are you managing your PC and server environment?

    • Is System Center Configuration Manager being used? Are you using a third-party systems management platform?

  • VPN solution

    • What is your VPN solution?

    • Is it used for both corporate and BYOD use case scenarios?

When recording the current MDM environment, make sure to note any projects or other plans in place that could make changes to your environment. Below is an example of a way to record the current environment to assist when creating your Intune design:

| Solution area | Current environment | Comments |
|---|---|---|
| Identity | Azure AD, Azure AD Connect, not federated, no MFA | Project in place to enable MFA by end of year |
| Email environment | Exchange on-premises, Exchange Online | Currently migrating from Exchange on-premises to Exchange Online. 75% of mailboxes migrated. Last 25% will be migrated before the Intune pilot begins. |
| SharePoint | SharePoint on-premises | No plans to move to SharePoint Online |
| Current MDM | Exchange ActiveSync | |
| Certificate solution | Microsoft Server 2012 R2, AD Certificate Services | Only use PKI for web site servers |
| System management | System Center Configuration Manager CB 1606 | Would like to investigate Intune hybrid solution |
| VPN solution | Cisco AnyConnect | |

Choose an Intune deployment option

Intune offers two deployment options: standalone and hybrid. Decide which one fits your business requirements. Standalone refers to the Intune service running in the cloud; hybrid refers to the integration of Intune with System Center Configuration Manager.

Intune tenant location

If your organization has a global presence, make sure to plan where your tenant resides when subscribing to the service. The country is defined when you sign up for an Intune subscription for the first time, and it maps to one of the following regions around the world:

  • North America

  • Europe, Middle East, and Africa

  • Asia and Pacific

Important

It's not possible to change the country and tenant location later.

External dependencies

External dependencies are services and products that are separate from Intune, but are either a requirement of Intune or might integrate with Intune. It's important to identify the requirements for any external dependencies and how they are to be configured. Some examples of common external dependencies are listed below.

  • Identity

  • User and device groups

  • PKI

Let's explore these common external dependencies in more detail.

Identity

Identity is how we identify the users who belong to your organization and are enrolling a device. Intune requires Azure Active Directory (Azure AD) as the user identity provider. If you already use this service, you can leverage your existing identity already in the cloud. In addition, Azure AD Connect is the recommended tool to synchronize your on-premises user identities with Microsoft cloud services. If your organization is already using Office 365, it's important that Intune uses the same Azure Active Directory environment.

You can find more information regarding Intune's identity requirements below.

User and device groups

User and device groups determine the target of a deployment. This could include deployment targeting for policies, applications, and profiles. Intune cloud-only supports user and device groups; you'll need to determine which user and device groups will be required. It's recommended that all groups are created in the on-premises Active Directory and then synchronized to Azure Active Directory. You can find more information about user and device group planning and creation below.

Public Key Infrastructure (PKI)

Public Key Infrastructure supplies certificates to devices or users to securely authenticate to a service. Intune supports a Microsoft PKI infrastructure. Device and user certificates can be issued to a mobile device to satisfy certificate-based authentication requirements. Before implementing certificates, you need to determine whether certificates are needed, whether the network infrastructure can support certificate-based authentication, and whether certificates are currently used in the existing environment.

If you're planning to use certificates with VPN, Wi-Fi, or email profiles in Intune, you need to make sure you have a supported PKI infrastructure in place, ready to create and deploy certificate profiles.

In addition, if SCEP certificates will be issued, you need to determine which server will host the Network Device Enrollment Service (NDES) feature, and how the communication will happen.

More information about configuring certificates in Intune:

Device platform considerations

You need to take a closer look at your devices to understand them correctly.

  • Determine supported device platforms

  • Devices

  • Device ownership

  • Bulk enrollment

Let's review these areas in more detail.

Determine supported device platforms

You need to know what devices will be in the environment and verify whether Intune supports them when creating your design. Intune supports iOS, Android, and Windows platforms.

Devices

Intune manages mobile devices to secure corporate data and allow end users to work from more locations. Intune supports multiple device platforms, so it's recommended to document the devices and the OS platforms that will be supported in your organization's design. This expands on the devices and platforms identified in the use case requirements section.

It's also recommended to record the OS versions, so you can reference the list when checking device capabilities by OS platform and version. Here's an example:

| Device platform | OS versions |
|---|---|
| iOS - iPhone | 9.0+ |
| iOS - iPad | 8.0+ |
| Android – Samsung Knox Standard | 4.0+ |
| Windows 10 tablet | 10+ |

Device ownership

Intune supports both corporate-owned and BYOD ownership. A device is considered corporate-owned if it is enrolled by a device enrollment manager or through a device enrollment program. As an example, a device could be enrolled via Apple DEP, marked as corporate, and placed in a device group that receives targeted corporate policies and apps.

Refer to Section 3: Determine use case scenario requirements for more information about corporate and BYOD use cases.

Bulk enrollment

There are multiple enrollment options available for enrolling a device in Intune that complement self-service enrollment through the company portal. Bulk enrollment can be accomplished in different ways depending on the platform. If bulk enrollment will be required, first determine the bulk enrollment method and incorporate it into your design. Find more information about the different methods of bulk enrollment below.

Feature requirements

In these sections, we'll review the following features and capabilities that are aligned with your use case scenario requirements:

  • Terms and Conditions policies

  • Configuration policies

  • Resource profiles

  • Apps

  • Compliance policy

  • Conditional access

Let's review each of these areas in more detail.

Terms and Conditions policies

Terms and Conditions can be used to explain policies or conditions that an end user must accept before enrollment. Intune supports the ability to add and deploy multiple Terms and Conditions policies to user groups. You need to determine whether Terms and Conditions policies are needed. If so, decide who will be responsible for providing this information in the organization.

| Terms and Conditions name | Use case | Targeted group |
|---|---|---|
| Corporate T&C | Corporate | Corporate users |
| BYOD T&C | BYOD | BYOD users |

Configuration policies

Configuration policies are used to manage security settings and features on a device. When designing your configuration policies, refer to the use case requirements section to determine the configurations required for Intune devices. Document which settings should be configured and how, and which user or device groups they will be targeted to.

You should create at least one configuration policy per platform. You can create multiple configuration policies per platform if needed. Below is an example of designing four different configuration policies for different platforms and use case scenarios.

| Policy name | Device platform | Settings | Target group |
|---|---|---|---|
| Corporate - iOS | iOS | PIN is required, Length: 6, Restrict Cloud Backup | Corporate devices |
| Corporate - Android | Android | PIN is required, Length: 6, Restrict Cloud Backup | Corporate devices |
| BYOD – iOS | iOS | PIN is required, Length: 4 | BYOD devices |
| BYOD – Android | Android | PIN is required, Length: 4 | BYOD devices |

Profiles

Profiles are used to help the end user connect to company data. Intune supports many types of profiles. Refer to the use cases and requirements to determine when the profiles will be configured. All device profiles are categorized per platform type and should be included in the design documentation.

  • Certificate profiles

  • Wi-Fi profile

  • VPN profile

  • Email profile

Let's review each type of profile in more detail.

Certificate profiles

Certificate profiles allow Intune to issue a certificate to a user or device. Intune supports the following:

  • Simple Certificate Enrollment Protocol (SCEP)

  • Trusted root certificate

  • PFX certificate

It's recommended to document which user groups need a certificate, how many certificate profiles will be needed, and which user groups to deploy them to.

Note

Remember that the trusted root certificate is required for the SCEP certificate, so make sure all users targeted for the SCEP certificate also receive the trusted root certificate. If SCEP certificates are needed, design and document which SCEP certificate templates will be needed.

Here's an example of how you can document the certificates during the design:

| Type | Profile name | Device platform | Use cases |
|---|---|---|---|
| Root CA | Corporate Root CA | Android, iOS, Windows Mobile | Corporate, BYOD |
| SCEP | User Certificate | Android, iOS, Windows Mobile | Corporate, BYOD |

Wi-Fi profile

Wi-Fi profiles are used to automatically connect a mobile device to a wireless network. Intune supports deploying Wi-Fi profiles to all supported platforms.

Below is an example of a design for a Wi-Fi profile:

| Type | Profile name | Device platform | Use cases |
|---|---|---|---|
| Wi-Fi | Asia Wi-Fi profile | Android | Corporate, BYOD Asia region |
| Wi-Fi | North America Wi-Fi profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD North America region |

VPN profile

VPN profiles let users securely access your network from remote locations. Intune supports VPN profiles for native mobile VPN connections and third-party vendors.

Below is an example of documenting the design of a VPN profile.

| Type | Profile name | Device platform | Use cases |
|---|---|---|---|
| VPN | VPN Cisco AnyConnect profile | Android, iOS, Windows 10 Mobile | Corporate, BYOD North America and Germany |
| VPN | Pulse Secure | Android | Corporate, BYOD Asia region |

Email profile

Email profiles allow an email client to be automatically set up with connection information and email configuration. Intune supports email profiles on some devices.

Below is an example of documenting the design of email profiles:

| Type | Profile name | Device platform | Use cases |
|---|---|---|---|
| Email profile | iOS email profile | iOS | Corporate – Information worker BYOD |
| Email profile | Android Knox email profile | Android Knox | BYOD |

Apps

Intune supports delivering apps to users or devices in multiple ways. The type of application delivered could be software installer apps, apps from a public app store, external links, or managed iOS apps. In addition to individual app deployments, volume-purchased apps can be managed and deployed through the volume purchase programs for iOS and Windows. Below is more information about how Intune supports apps and the volume purchase programs.

App type requirements

Since apps can be deployed to users and devices, it's recommended to decide which applications will be managed by Intune. While gathering the list, try to answer the following questions:

  • Do the apps require integration with cloud services?

  • Will all apps be available to BYOD users?

  • What are the deployment options available for these apps?

  • Does your company need to provide its partners with access to Software as a Service (SaaS) app data?

  • Do the apps require internet access from users' devices?

  • Are the apps publicly available in an app store, or are they custom line-of-business apps?

App protection policies

App protection policies minimize data loss by defining how the application manages corporate data. Intune supports app protection policies for any application built to work with mobile app management. When designing the app protection policy, you need to determine what restrictions you will place on corporate data in a given app. It's recommended to review how app protection policies work. Below is an example of how to document the existing applications and what protection is needed.

| Application | Purpose | Platforms | Use case | App protection policy |
|---|---|---|---|---|
| Outlook mobile | Available | iOS | Corporate - Executives | Cannot be jailbroken, encrypt files |
| Word | Available | iOS, Android - Samsung Knox, non-Knox, Windows 10 Mobile | Corporate, BYOD | Cannot be jailbroken, encrypt files |

Compliance policies

Compliance policies determine whether a device conforms to certain requirements. Intune uses compliance policies to determine whether a device is considered compliant or non-compliant. The compliance status can then be used to restrict access to company resources. If conditional access is required, it's recommended to design a device compliance policy. Refer to the requirements and use cases to determine how many device compliance policies are needed and which user groups are the target user groups. Additionally, you need to determine how long a device can be offline without checking in before it's considered non-compliant.

Below is an example of how to design a compliance policy:

| Policy name | Device platform | Settings | Target group |
|---|---|---|---|
| Compliance policy | iOS, Android - Samsung Knox, non-Knox, Windows 10 Mobile | PIN - required, cannot be jailbroken | Corporate, BYOD |

Conditional access policies

Conditional access is used to allow only compliant devices to access company resources. Intune works with the entire Enterprise Mobility + Security (EMS) suite to control access to company resources. You'll need to determine whether conditional access is required, and what must be secured.

For online access, determine which platforms and user groups will be targeted by conditional access policies.

Additionally, you need to determine whether you need to install and configure the Intune service-to-service connector for Exchange Online or Exchange on-premises.

Learn more about how to install and configure the Intune service-to-service connectors:

Here's an example of how to document conditional access policies:

| Service | Platforms for modern authentication | Basic authentication | Use cases |
|---|---|---|---|
| Exchange Online | iOS, Android | Block non-compliant devices on platforms supported by Intune | Corporate, BYOD |
| SharePoint Online | iOS, Android | | Corporate, BYOD |
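To show how the configuration policy, compliance policy, and conditional access designs above fit together, here is an added example (not part of this guide and not Intune's own evaluation logic) that checks a constructed device inventory against those table values and derives the resulting access decision per service. The 30-day check-in window, the sample devices, and the "not targeted" outcome for platforms outside a conditional access policy are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Settings transcribed from the design tables: corporate configuration policies
# require a 6-digit PIN, BYOD policies a 4-digit PIN, and the compliance policy
# requires a PIN and a device that is not jailbroken.
PIN_LENGTH = {"Corporate": 6, "BYOD": 4}
# Assumed value: the design must state how long a device may stay offline.
MAX_OFFLINE = timedelta(days=30)
# Platforms targeted by the conditional access policies in the table above.
CA_PLATFORMS = {"Exchange Online": {"iOS", "Android"},
                "SharePoint Online": {"iOS", "Android"}}
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility

@dataclass
class Device:
    name: str
    platform: str        # "iOS", "Android", or "Windows 10 Mobile"
    ownership: str       # "Corporate" or "BYOD"; selects the PIN length rule
    pin_length: int      # 0 means no PIN is configured
    jailbroken: bool
    last_checkin: datetime

def evaluate_compliance(device: Device, now: datetime = NOW):
    """Return (compliant, reasons); reasons is empty when the device is compliant."""
    reasons = []
    required = PIN_LENGTH.get(device.ownership)
    if required is None:
        reasons.append(f"unknown ownership type {device.ownership!r}")
    elif device.pin_length == 0:
        reasons.append("PIN is required but not set")
    elif device.pin_length < required:
        reasons.append(f"PIN length {device.pin_length} is below required {required}")
    if device.jailbroken:
        reasons.append("device is jailbroken")
    if now - device.last_checkin > MAX_OFFLINE:
        reasons.append("no check-in within the allowed offline window")
    return (not reasons, reasons)

def access_decision(device: Device, service: str, now: datetime = NOW) -> str:
    """Apply the conditional access policy of one service to one device."""
    # Assumption: a platform the policy does not target is not evaluated by it.
    if device.platform not in CA_PLATFORMS.get(service, set()):
        return "not targeted"
    compliant, _ = evaluate_compliance(device, now)
    return "allow" if compliant else "block"

# Constructed sample inventory, not real devices.
SAMPLE_DEVICES = [
    Device("exec-iphone", "iOS", "Corporate", 6, False, NOW - timedelta(days=1)),
    Device("byod-android", "Android", "BYOD", 4, False, NOW - timedelta(days=2)),
    Device("short-pin-ipad", "iOS", "Corporate", 4, False, NOW - timedelta(days=1)),
    Device("rooted-android", "Android", "BYOD", 4, True, NOW - timedelta(days=1)),
    Device("stale-android", "Android", "BYOD", 4, False, NOW - timedelta(days=45)),
    Device("win-phone", "Windows 10 Mobile", "Corporate", 6, False, NOW),
]

def report(devices=SAMPLE_DEVICES, service="Exchange Online", now=NOW):
    """Map device name -> (compliant, access decision) for one service."""
    return {d.name: (evaluate_compliance(d, now)[0], access_decision(d, service, now))
            for d in devices}

if __name__ == "__main__":
    for name, (compliant, decision) in report().items():
        print(f"{name:16} compliant={compliant!s:5} {decision}")
```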

Next section

The next section provides guidance on the Intune implementation process.
