What's new in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Read the introduction to Intune.

Learn what's new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases. Some features may roll out over several weeks and might not be available to all customers in the first week.

Note

For information on new functionality in hybrid mobile device management (MDM), check out the hybrid What's New page.

Week of May 7, 2018

App management

Samsung Knox Mobile Enrollment support

When using Intune with Samsung Knox Mobile Enrollment (KME), you can enroll large numbers of company-owned Android devices. Users on WiFi or cellular networks can enroll with just a few taps when they turn on their devices for the first time. When using the Knox Deployment App, devices can be enrolled using Bluetooth or NFC. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.

Requesting help in the Company Portal for Windows 10

The Company Portal for Windows 10 now sends app logs directly to Microsoft when the user initiates the workflow to get help with an issue. This makes it easier to troubleshoot and resolve issues that are raised to Microsoft.

Week of April 23, 2018

App management

Passcode support for MAM PIN on Android

Intune admins can set an application launch requirement that enforces a passcode instead of a numeric MAM PIN. If configured, the user is required to set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN plus at least one special character or uppercase/lowercase letter. Intune supports passcodes in a similar way to the existing numeric PIN: through the admin console you can set a minimum length and control whether repeated characters and sequences are allowed. This feature requires the latest version of the Company Portal on Android. It is already available for iOS.

Line-of-business (LOB) app support for macOS

Microsoft Intune will provide the capability to install macOS LOB apps from the Azure portal. You will be able to add a macOS LOB app to Intune after it has been pre-processed by the tool available in GitHub. In the Azure portal, choose Mobile apps from the Intune blade. On the Mobile apps blade, choose Apps > Add. On the Add App blade, select Line-of-business app.

Built-in All Users and All Devices groups for Android for Work (AFW) app assignment

You can use the built-in All Users and All Devices groups for AFW app assignment. For more information, see Include and exclude app assignments in Microsoft Intune.

Intune will reinstall required apps that are uninstalled by users

If an end user uninstalls a required app, Intune automatically reinstalls the app within 24 hours rather than waiting for the 7-day re-evaluation cycle.

Device configuration

Device profile chart and status list show all devices in a group

Previously, when you configured a device profile (Device configuration > Profiles) for a platform such as iOS and assigned it to a group that includes both iOS and non-iOS devices, the graphical chart count showed the profile as applied to the iOS and the non-iOS devices (Device configuration > Profiles > select an existing profile > Overview). When you selected the graphical chart in the Overview tab, the Device status listed all the devices in the group, instead of only the iOS devices.

With this update, the graphical chart (Device configuration > Profiles > select an existing profile > Overview) only shows the count for the specific device profile. For example, if the configuration profile applies to iOS devices, the chart only lists the count of the iOS devices. Selecting the graphical chart and opening Device status only lists the iOS devices.

While this update is being made, the graphical user chart is temporarily removed.

Always On VPN for Windows 10

Currently, Always On can be used on Windows 10 devices by using a custom virtual private network (VPN) profile created using OMA-URI.

With this update, admins can enable Always On for Windows 10 VPN profiles directly in Intune in the Azure portal. Always On VPN profiles automatically connect when:

  • Users sign in to their devices
  • The network on the device changes
  • The screen on the device turns back on after being turned off

New printer settings for education profiles

For education profiles, new settings are available under the Printers category: Printers, Default printer, Add new printers.

Show caller ID in personal profile - Android for Work

When using a personal profile on a device, end users may not see the caller ID details for a work contact.

With this update, there is a new setting in Android for Work > Device restrictions > Work profile settings:

  • Display work contact caller-id in personal profile

When enabled (not configured), the work contact caller details are displayed in the personal profile. When blocked, the work contact caller details are not displayed in the personal profile.

Applies to: Android work profile devices on Android OS v6.0 and newer

New Windows Defender Credential Guard settings added to endpoint protection settings

With this update, Windows Defender Credential Guard (Device configuration > Profiles > Endpoint protection) includes the following settings:

  • Windows Defender Credential Guard: Turns on Credential Guard with virtualization-based security. Enabling this feature helps protect credentials at the next reboot when Platform Security Level with Secure Boot and Virtualization Based Security are both enabled. Options include:
    • Disabled: If Credential Guard was previously turned on with the "Enabled without lock" option, this turns off Credential Guard remotely.

    • Enabled with UEFI lock: Ensures that Credential Guard cannot be disabled using a registry key or Group Policy. To disable Credential Guard after using this setting, you must set the Group Policy to "Disabled", and then remove the security functionality from each computer with a physically present user. These steps clear the configuration persisted in UEFI. As long as the UEFI configuration persists, Credential Guard stays enabled.

    • Enabled without lock: Allows Credential Guard to be disabled remotely using Group Policy. Devices that use this setting must be running at least Windows 10 (Version 1511).

The following dependent technologies are automatically enabled when configuring Credential Guard:

  • Enable Virtualization-based Security (VBS): Turns on virtualization-based security (VBS) at the next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services, and requires Secure Boot.
  • Secure Boot with Direct Memory Access (DMA): Turns on VBS with Secure Boot and direct memory access protection. DMA protections require hardware support and are only enabled on properly configured devices.
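A policy that says "Enabled" is not the same as Credential Guard actually running: the device must reboot, the firmware must meet the Secure Boot and VBS requirements, and a UEFI lock left behind by an earlier deployment will ignore a later "Disabled" policy. The script below is an added example for checking the resulting state on a managed Windows 10 device; it is not code from the Intune documentation. It reads the documented Win32_DeviceGuard WMI class and the LsaCfgFlags and RequirePlatformSecurityFeatures registry values that Windows uses for Credential Guard and VBS configuration; the function names are chosen here for illustration.

```powershell
# Added example, not code from the Intune documentation: check on a managed
# Windows 10 device whether the Credential Guard / VBS configuration delivered
# by an Intune endpoint-protection profile is present and actually running.
# Run in an elevated PowerShell session on the device after the reboot the
# policy requires. Function names are illustrative; the WMI class and registry
# values are the ones Windows documents for Device Guard / Credential Guard.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # LsaCfgFlags is the effective policy value for Credential Guard:
    # 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                  -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags
    $policyMode = switch ($lsaFlags) {
        0       { 'Disabled' }
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without lock' }
        default { 'Not set by policy' }
    }

    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
    $platform = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
                                  -Name 'RequirePlatformSecurityFeatures' `
                                  -ErrorAction SilentlyContinue).RequirePlatformSecurityFeatures

    # SecurityServicesConfigured / SecurityServicesRunning contain 1 for Credential Guard
    # and 2 for HVCI. VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not
    # running (typically pending reboot or unsupported firmware), 2 = running.
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        PolicyMode                = $policyMode
        DmaProtectionRequired     = ($platform -eq 3)
    }
}

function Test-CredentialGuardCompliance {
    # Returns $true only when Credential Guard is both configured and running,
    # and warns about the two states an admin most often misreads.
    $state = Get-CredentialGuardState
    if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
        Write-Warning 'Credential Guard is configured but not running: the device still needs a reboot, or the firmware does not meet the Secure Boot / VBS requirements.'
    }
    if ($state.PolicyMode -eq 'Enabled with UEFI lock') {
        Write-Warning 'UEFI lock is set: changing the Intune setting to Disabled will not turn Credential Guard off until the UEFI variable is cleared with a physically present user.'
    }
    return ($state.CredentialGuardConfigured -and $state.CredentialGuardRunning)
}

Get-CredentialGuardState | Format-List
Test-CredentialGuardCompliance
```

Run it once before the reboot and once after: the "configured but not running" warning before the reboot is expected, and if it persists afterwards the device's firmware or hypervisor support is the problem, not the Intune profile.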

Use a custom subject name on SCEP certificate

You can use OnPremisesSamAccountName as the common name in a custom subject on a SCEP certificate profile. For example, you can enter CN={{OnPremisesSamAccountName}}.

Block camera and screen captures on Android for Work

Two new properties are available to block when you configure device restrictions for Android devices:

  • Camera: Blocks access to all cameras on the device
  • Screen capture: Blocks screen capture, and also prevents the content from being shown on display devices that don't have a secure video output

Applies to Android for Work.

Device enrollment

New enrollment steps for users on devices with macOS High Sierra 10.13.2+

macOS High Sierra 10.13.2 introduced the concept of "User Approved" MDM enrollment. Approved enrollments allow Intune to manage some security-sensitive settings. For more information, see Apple's support documentation: https://support.apple.com/HT208019.

Devices enrolled using the macOS Company Portal are considered "Not User Approved" unless the end user opens System Preferences and manually provides approval. To this end, the macOS Company Portal now directs users on macOS 10.13.2 and above to manually approve their enrollment at the end of the enrollment process. The Intune admin console reports whether an enrolled device is user approved.

Device management

Advanced Threat Protection (ATP) and Intune are fully integrated

Advanced Threat Protection (ATP) shows the risk level of Windows 10 devices. In Windows Defender Security Center (the ATP portal), you can create a connection to Microsoft Intune. Once created, an Intune compliance policy is used to determine an acceptable threat level. If the threat level is exceeded, an Azure Active Directory (AD) conditional access policy can then block access to different apps within your organization.

This feature allows ATP to scan files, detect threats, and report any risk on your Windows 10 devices.

See Enable ATP with conditional access in Intune.

Support for user-less devices

Intune supports the ability to evaluate compliance on a user-less device, such as the Microsoft Surface Hub. Compliance policy can target specific devices, so compliance (and noncompliance) can be determined for devices that don't have an associated user.

Delete Autopilot devices

Intune admins can delete Autopilot devices.

Improved device deletion experience

You're no longer required to remove company data or factory reset a device before deleting it from Intune.

To see the new experience, sign in to Intune and select Devices > All devices > the name of the device > Delete.

If you still want the wipe/retire confirmation, you can use the standard device lifecycle route by issuing a Remove company data and Factory reset prior to Delete.

Play sounds on iOS when in Lost mode

When supervised iOS devices are in Mobile Device Management (MDM) Lost mode, you can play a sound (Devices > All devices > select an iOS device > Overview > More). The sound continues to play until the device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.

Block or allow web results in searches made on an Intune device

Admins can now block web results from searches made on a device.

Improved error messaging for Apple MDM Push Certificate upload failure

The error message now explains that the same Apple ID must be used when renewing an existing MDM certificate.

Test the Company Portal for macOS on virtual machines

We've published guidance to help IT admins test the Company Portal app for macOS on virtual machines in Parallels Desktop and VMware Fusion. Find out more in Enroll virtual macOS machines for testing.

User interface

Improved device tiles in the Windows 10 Company Portal

The tiles have been updated to be more accessible to low-vision users and to perform better with screen reading tools.

Send diagnostic reports in Company Portal app for macOS

The Company Portal app for macOS devices was updated to improve how users report Intune-related errors. From the Company Portal app, your employees can:

  • Upload diagnostic reports directly to the Microsoft developer team.
  • Email an incident ID to your company's IT support team.

For more information, see Send errors for macOS.

Intune adapts to Fluent Design System in the Company Portal app for Windows 10

The Intune Company Portal app for Windows 10 has been updated with the Fluent Design System's navigation view. Along the side of the app, you'll notice a static, vertical list of all top-level pages. Click any link to quickly view and switch between pages. This is the first of several updates you'll see as part of our ongoing effort to create a more adaptive, empathetic, and familiar experience in Intune. To see the updated look, go to What's new in the app UI.

Week of April 16, 2018

Use Cisco AnyConnect client for iOS

When you create a new VPN profile for iOS, there are now two options: Cisco AnyConnect and Cisco Legacy AnyConnect. Cisco AnyConnect profiles support version 4.0.7x and newer. Existing iOS Cisco AnyConnect VPN profiles are labeled Cisco Legacy AnyConnect and continue to work with Cisco AnyConnect 4.0.5x and older versions, as they do today.

Note

This change only applies to iOS. There continues to be only one Cisco AnyConnect option for the Android, Android for Work, and macOS platforms.

Jamf-enrolled macOS devices can now register with Intune

Versions 1.3 and 1.4 of the macOS Company Portal did not successfully register Jamf devices with Intune. Version 1.4.2 of the macOS Company Portal fixes this issue.

Week of April 9, 2018

Updated help experience in Company Portal app for Android

We've updated the help experience in the Company Portal app for Android to align with best practices for the Android platform. Now when users encounter a problem in the app, they can tap Menu > Help and:

  • Upload diagnostic logs to Microsoft.
  • Send an email that describes the problem and the incident ID to a company support person.

To check out the updated help experience, go to Send logs using email and Send errors to Microsoft.

New enrollment failure trend chart and failure reasons table

On the Enrollment Overview page, you can view the trend of enrollment failures and the top five causes of failures. By clicking on the chart or table, you can drill into details to find troubleshooting advice and remediation suggestions.

Update where to configure your app protection policies

In the Azure portal within the Microsoft Intune service, we're going to temporarily redirect you from the Intune App Protection service blade to the Mobile apps blade. Note that all of your app protection policies are already on the Mobile apps blade in Intune, under app configuration. Instead of going to Intune App Protection, you'll just go to Intune. In April 2018, we will stop the redirection and fully remove the Intune App Protection service blade, so that there's only one location for app protection policies within Intune.

How does this affect me? This change affects both Intune standalone customers and hybrid (Intune with Configuration Manager) customers. This integration will help simplify your cloud management administration.

What do I need to do to prepare for this change? Tag Intune as a favorite instead of the Intune App Protection service blade, and make sure you're familiar with the app protection policy workflow in the Mobile apps blade within Intune. We'll redirect for a short period of time and then remove the App Protection blade. Remember, all app protection policies are already in Intune, and you can modify any of your conditional access policies. For more information about modifying conditional access policies, see Conditional access in Azure Active Directory. For additional information, see What are app protection policies?

Week of April 2, 2018

Intune apps

User experience update for the Company Portal app for iOS

We've released a major user experience update to the Company Portal app for iOS. The update features a complete visual redesign with a modernized look and feel. We've maintained the functionality of the app while improving its usability and accessibility.

You'll also see:

  • Support for iPhone X.
  • Faster app launch and loading responses, to save users time.
  • Additional progress bars to provide users with the most up-to-date status information.
  • Improvements to the way users upload logs, so if something goes wrong, it's easier to report.

To see the updated look, go to What's new in the app UI.

Protect on-premises Exchange data using Intune APP and CA

You can now use Intune app protection policies (APP) and conditional access (CA) to protect access to on-premises Exchange data with Outlook Mobile. To add or modify an app protection policy within the Azure portal, select Microsoft Intune > Mobile apps > App protection policies. Before using this feature, make sure you meet the Outlook for iOS and Android requirements.

Week of March 26, 2018

App management

Alerts for expiring iOS line-of-business (LOB) apps for Microsoft Intune

In the Azure portal, Intune alerts you to iOS line-of-business apps that are about to expire. Upon uploading a new version of the iOS line-of-business app, Intune removes the expiration notification from the app list. This expiration notification is only active for newly uploaded iOS line-of-business apps. A warning appears 30 days before the iOS LOB app's provisioning profile expires. When it expires, the alert changes to Expired.

Customize your Company Portal themes with hex codes

You can customize the theme color in the Company Portal apps using hex codes. When you enter your hex code, Intune determines the text color that provides the highest level of contrast between the text color and the background color. You can preview both the text color and your company logo against the color in Mobile apps > Company Portal.

Including and excluding app assignment based on groups for Android Enterprise

Android Enterprise (formerly known as Android for Work) supports including and excluding groups, but does not support the pre-created All Users and All Devices built-in groups. For more information, see Include and exclude app assignments in Microsoft Intune.

Device management

New security enhancements in the Intune service

We've introduced a toggle in Intune on Azure that Intune standalone customers can use to treat devices without any compliance policy assigned as Compliant (security feature off) or as Not compliant (security feature on). With the feature on, resources can be accessed only after device compliance has been evaluated.

This feature affects you differently depending on whether you already have compliance policies assigned or not.

  • If you are a new or existing account and don't have any compliance policies assigned to your devices, the toggle is automatically set to Compliant. The feature is off by default in the console. There is no end-user impact.
  • If you are an existing account and have any devices with a compliance policy assigned to them, the toggle is automatically set to Not compliant. The feature is on by default as the March update rolls out.

If you use compliance policies with Conditional Access (CA) and have the feature turned on, any device without at least one compliance policy assigned is now blocked by CA. End users associated with these devices, who were previously allowed access to email, lose their access unless you assign at least one compliance policy to all devices.

Note that although the default toggle status is displayed in the UI immediately with the March Intune service updates, the toggle is not enforced right away. Any changes you make to the toggle will not affect device compliance until we flight your account to have a working toggle. We'll inform you via the Message center when we finish flighting your account. This could take up to a few days after your Intune service is updated for March.

Additional information: https://aka.ms/compliance_policies

Enhanced jailbreak detection

Enhanced jailbreak detection is a new compliance setting that improves how Intune evaluates jailbroken devices. The setting causes the device to check in with Intune more frequently, which uses the device's location services and affects battery usage.

Reset passwords for Android O devices

You'll be able to reset the passwords of enrolled Android 8.0 devices with work profiles. When you send a "Reset password" request to an Android 8.0 device, it sets a new device unlock password or a managed profile challenge for the current user. The password or challenge is sent and takes effect immediately.

Targeting compliance policies to devices in device groups

You can target compliance policies to users in user groups. With this update, you can also target compliance policies to devices in device groups. Devices targeted as part of device groups will not receive any compliance actions.

New Management name column

A new column named Management name is available on the Devices blade. This is an auto-generated, non-editable name assigned per device, based on the following formula:

  • Default name for all devices:
  • For bulk added devices: <PackageId/ProfileId>

This is an optional column on the Devices blade. It isn't shown by default; you can only access it by using the column selector. The device name is not affected by this new column.

iOS devices are prompted for a PIN every 15 minutes

After a compliance or configuration policy is applied to an iOS device, users are prompted to set a PIN every 15 minutes. Users are continually prompted until a PIN is set.

Schedule your automatic updates

Intune lets you control the installation of automatic updates using Windows Update ring settings. With this update, you can schedule recurring updates, including the week, the day, and the time.

Use fully distinguished name as subject for SCEP certificate

When you create a SCEP certificate profile, you enter the Subject Name. With this update, you can use the fully distinguished name as the subject. For Subject Name, select Custom, and then enter CN={{OnPrem_Distinguished_Name}}. To use the {{OnPrem_Distinguished_Name}} variable, be sure to sync the onPremisesDistinguishedName user attribute to your Azure AD using Azure Active Directory (AD) Connect.
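Both SCEP subject-name features on this page, the custom CN={{OnPremisesSamAccountName}} subject from the week of April 23 and the {{OnPrem_Distinguished_Name}} subject here, depend on an Azure AD Connect attribute being populated; when it is not, the template cannot be filled. The function below is an added example, not Intune's own code, that expands these templates against a user record the way an issuing pipeline would and refuses to continue when a referenced attribute is missing or when a single-brace form was used by mistake. The variable-to-attribute mapping and the sample user record are constructed here for illustration.

```powershell
# Added example, not code from Intune: expand an Intune SCEP subject-name
# template against the user attributes Azure AD Connect would have synced, and
# refuse to build a subject when a referenced attribute is missing. The
# variable-to-attribute table is an assumption made for this example; the
# sample user records below are constructed, not real directory data.

function Expand-ScepSubjectName {
    param(
        [Parameter(Mandatory)] [string]    $Template,  # e.g. 'CN={{OnPremisesSamAccountName}}'
        [Parameter(Mandatory)] [hashtable] $User       # Azure AD attribute name -> value
    )

    # Intune variable -> Azure AD user attribute it is filled from (assumed mapping).
    $variableToAttribute = @{
        'OnPremisesSamAccountName'  = 'onPremisesSamAccountName'
        'OnPrem_Distinguished_Name' = 'onPremisesDistinguishedName'
        'UserPrincipalName'         = 'userPrincipalName'
        'EmailAddress'              = 'mail'
    }

    $missing = [System.Collections.Generic.List[string]]::new()
    $result  = $Template
    foreach ($match in [regex]::Matches($Template, '\{\{(\w+)\}\}')) {
        $variable  = $match.Groups[1].Value
        $attribute = $variableToAttribute[$variable]
        if (-not $attribute) {
            $missing.Add("unknown variable {{$variable}}")
            continue
        }
        $value = $User[$attribute]
        if ([string]::IsNullOrWhiteSpace($value)) {
            # The usual cause: Azure AD Connect is not syncing this attribute.
            $missing.Add("attribute '$attribute' is empty; check the Azure AD Connect sync rules for {{$variable}}")
            continue
        }
        $result = $result.Replace($match.Value, $value)
    }

    if ($missing.Count -gt 0) {
        throw "Cannot build subject from '$Template': $($missing -join '; ')"
    }
    # A single-brace form such as {OnPremisesSamAccountName} is not an Intune
    # variable and would be issued literally, so a leftover brace is a template error.
    if ($result -match '[{}]') {
        throw "Subject '$result' still contains braces; Intune variables use the {{Name}} form."
    }
    return $result
}

# Constructed sample user, not real directory data.
$user = @{
    userPrincipalName           = 'alice@contoso.example'
    onPremisesSamAccountName    = 'alice'
    onPremisesDistinguishedName = 'CN=Alice Adams,OU=Users,DC=contoso,DC=example'
}

Expand-ScepSubjectName -Template 'CN={{OnPremisesSamAccountName}}' -User $user
Expand-ScepSubjectName -Template '{{OnPrem_Distinguished_Name}}' -User $user

# The same DN template against a user whose DN was never synced: the function
# throws instead of silently producing a subject with an empty component.
$unsynced = @{ userPrincipalName = 'bob@contoso.example'; onPremisesSamAccountName = 'bob' }
try   { Expand-ScepSubjectName -Template 'CN={{OnPrem_Distinguished_Name}}' -User $unsynced }
catch { Write-Warning $_.Exception.Message }
```

Running the DN template through this check before assigning the profile to a large group catches the "attribute not synced" case up front, where the symptom in Intune itself is only a failed certificate request on the device.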

裝置設定Device configuration

啟用藍牙連絡人共用 - Android for Work Enable Bluetooth contact sharing - Android for Work

Android 預設會防止工作設定檔中的連絡人與藍牙裝置同步。By default, Android prevents contacts in the work profile from syncing with Bluetooth devices. 因此,工作設定檔連絡人不會顯示在藍牙裝置的呼叫者識別碼上。As a result, work profile contacts are not displayed on caller ID for Bluetooth devices.

在此更新中,[Android for Work] > [裝置限制] > [工作設定檔設定] 會有一個新的設定:With this update, there is a new setting in Android for Work > Device restrictions > Work profile settings:

  • 透過藍牙的連絡人共用Contact sharing via Bluetooth

Intune 系統管理員可以設定這些設定,以啟用共用。The Intune administrator can configure these settings to enable sharing. 將裝置與汽車藍牙裝置配對時,這十分有用,而汽車藍牙裝置顯示免持式使用的呼叫者識別碼。This is useful when pairing a device with a car-based Bluetooth device that displays caller ID for hands-free usage. 啟用時,會顯示工作設定檔連絡人。When enabled, work profile contacts are displayed. 未啟用時,不會顯示工作設定檔連絡人。When not enabled, work profile contacts won't display.

Configure Gatekeeper to control macOS app download source

You can configure Gatekeeper to protect your devices from apps by controlling where the apps can be downloaded from. You can configure the following download sources: Mac App Store, Mac App Store and identified developers, or Anywhere. You can also configure whether users can install an app using control-click to override these Gatekeeper controls.

These settings can be found under Device configuration -> Create profile -> macOS -> Endpoint protection.

Configure the Mac application firewall

You can configure the Mac application firewall. You can use this to control connections on a per-application basis, rather than on a per-port basis. This makes it easier to get the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports open for legitimate apps.

This feature can be found under Device configuration -> Create profile -> macOS -> Endpoint protection.

Once you enable the Firewall setting, you can configure the firewall using two strategies:

  • Block all incoming connections

    You can block all incoming connections for the targeted devices. If you choose to do this, incoming connections are blocked for all apps.

  • Allow or block specific apps

    You can allow or block specific apps from receiving incoming connections. You can also enable stealth mode to prevent responses to probing requests.

More information

  • Block all incoming connections

    This blocks all sharing services (such as File Sharing and Screen Sharing) from receiving incoming connections. The system services that are still allowed to receive incoming connections are:

    • configd - implements DHCP and other network configuration services

    • mDNSResponder - implements Bonjour

    • racoon - implements IPSec

      To use sharing services, ensure Incoming connections is set to Not configured (not Block).

  • Stealth mode

    Enable this to prevent the computer from responding to probing requests. The computer still answers incoming requests for authorized apps. Unexpected requests, such as ICMP (ping), are ignored.

Detailed error codes and messages

In your Device Configuration, more detailed error codes and error messages are now available. This improved reporting shows the settings, the state of these settings, and details on troubleshooting.

Disable checks on device restart

Intune gives you control to manage software updates. With this update, the Restart checks property is available, and enabled by default. To skip the typical checks that occur when you restart a device (such as active users, battery levels, and so on), select Skip.

New Windows 10 Insider Preview channels available for deployment rings

You now have the option to select the following Windows 10 Insider Preview servicing channels when you create a Windows 10 deployment ring:

  • Windows Insider build - Fast
  • Windows Insider build - Slow
  • Release Windows Insider build

For more information about these channels, see Manage Insider Preview Builds.
For more information about creating deployment channels in Intune, see Manage software updates in Intune.

Intune apps

Company Portal enrollment improved

Users enrolling a device by using the Company Portal on Windows 10 build 1703 and up are now able to complete the first step of enrollment without leaving the app.

HoloLens and Surface Hub now appear in device lists

We added support for showing Intune-enrolled HoloLens and Surface Hub devices in the Company Portal app for Android.

Custom Book categories for volume-purchase program (VPP) eBooks

You can create custom eBook categories and then assign VPP eBooks to those custom eBook categories. End users can then see the newly created eBook categories and the books assigned to them. For more information, see Manage volume-purchased apps and books with Microsoft Intune.

Support changes for the Company Portal app for Windows send feedback option

Starting April 30, 2018, the Send Feedback option in the Company Portal app for Windows will only work on devices running the Windows 10 Anniversary Update (1607) and later. The option to send feedback is no longer supported when using the Company Portal app for Windows with:

  • Windows 10, 1507 release
  • Windows 10, 1511 release
  • Windows Phone 8.1

If your device is running Windows 10 RS1 or later, download the latest version of the Windows Company Portal app from the Store. If you are running an unsupported version, please continue to send feedback through the following channels:

  • The Feedback Hub app on Windows 10
  • Email WinCPfeedback@microsoft.com

New Windows Defender Application Guard settings

  • Enable graphics acceleration: Administrators can enable a virtual graphics processor for Windows Defender Application Guard. This setting allows the CPU to offload graphics rendering to the vGPU. This can improve performance when working with graphics-intensive websites or watching video within the container.

  • SaveFilestoHost: Administrators can enable files to pass from Microsoft Edge running in the container to the host file system. Turning this on allows users to download files from Microsoft Edge in the container to the host file system.

MAM protection policies targeted based on management state

You can target MAM policies based on the management state of the device:

  • Android devices - You can target unmanaged devices, Intune managed devices, and Intune managed Android Enterprise Profiles (formerly Android for Work).

  • iOS devices - You can target unmanaged devices (MAM only) or Intune managed devices.

    Note

    • iOS support for this functionality is rolling out throughout April 2018.

For more information, see Target app protection policies based on device management state.

Improvements to the language in the Company Portal app for Windows

We've improved the language in the Company Portal for Windows 10 to be more user-friendly and specific to your company. To see some sample images of what we've done, see What's new in app UI.

New additions to our docs about user privacy

As part of our effort to give end users more control over their data and privacy, we've published updates to our docs that explain how to view and remove data stored locally by the Company Portal apps. You can find these updates at:

Week of March 19, 2018

Export all devices into CSV files in IE, Edge, or Chrome

In Devices > All devices, you can Export the devices into a CSV formatted list. Internet Explorer (IE) users with more than 10,000 devices can export their devices into multiple files. Each file has up to 10,000 devices.

Edge and Chrome users with more than 30,000 devices can export their devices into multiple files. Each file has up to 30,000 devices.

Manage devices provides more details on what you can do with the devices you manage.

Week of March 12, 2018

Azure Active Directory web sites can require the Intune Managed Browser app and support Single Sign-On for the Managed Browser (Public Preview)

Using Azure Active Directory (Azure AD), you can now restrict access to web sites on mobile devices to the Intune Managed Browser app. In the Managed Browser, web site data will remain secure and separate from end-user personal data. In addition, the Managed Browser will support Single Sign-On capabilities for sites protected by Azure AD. Signing in to the Managed Browser, or using the Managed Browser on a device with another app managed by Intune, allows the Managed Browser to access corporate sites protected by Azure AD without the user having to enter their credentials. This functionality applies to sites like Outlook Web Access (OWA) and SharePoint Online, as well as other corporate sites like intranet resources accessed through the Azure App Proxy.

Company Portal app for Android visual updates

We've updated the Company Portal app for Android to follow Android's Material Design guidelines. You can see images of the new icons in the What's new in app UI article.

New Windows Defender Exploit Guard settings

Six new Attack Surface Reduction settings and expanded Controlled folder access: Folder protection capabilities are now available. These settings can be found at: Device configuration\Profiles\Create profile\Endpoint protection\Windows Defender Exploit Guard.

Attack Surface Reduction

| Setting name | Setting options | Description |
|---|---|---|
| Advanced ransomware protection | Enabled, Audit, Not configured | Use aggressive ransomware protection. |
| Flag credential stealing from the Windows local security authority subsystem | Enabled, Audit, Not configured | Flag credential stealing from the Windows local security authority subsystem (lsass.exe). |
| Process creation from PSExec and WMI commands | Block, Audit, Not configured | Block process creations originating from PSExec and WMI commands. |
| Untrusted and unsigned processes that run from USB | Block, Audit, Not configured | Block untrusted and unsigned processes that run from USB. |
| Executables that don't meet a prevalence, age, or trusted list criteria | Block, Audit, Not configured | Block executable files from running unless they meet a prevalence, age, or trusted list criteria. |

Controlled folder access

| Setting name | Setting options | Description |
|---|---|---|
| Folder protection (already implemented) | Not configured, Enable, Audit only (already implemented). New: Block disk modification, Audit disk modification | Protect files and folders from unauthorized changes by unfriendly apps. Enable: Prevent untrusted apps from modifying or deleting files in protected folders and from writing to disk sectors. Block disk modification only: Block untrusted apps from writing to disk sectors. Untrusted apps can still modify or delete files in protected folders. |
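Each of these settings offers an Audit option, and the useful workflow is to audit first and read what would have been blocked before switching to Block. The script below is an added example, not from the Intune docs: run on a managed Windows 10 client, it reads the Exploit Guard state Intune pushed and summarizes the last week of ASR and Controlled folder access events. The rule GUIDs are Microsoft's public ASR rule IDs (not from this page) and the numeric state codes are the Defender module's; verify both against the ASR rule reference before relying on the names.

```powershell
# Added example (not from the Intune docs). Run in an elevated PowerShell session on the client;
# the Defender module (Get-MpPreference, Get-WinEvent) ships with Windows 10.
# Rule GUIDs below are Microsoft's published ASR rule IDs, listed here from memory; verify them.
$asrRuleNames = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced ransomware protection'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential stealing from lsass.exe'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Process creation from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted and unsigned processes that run from USB'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables not meeting prevalence, age, or trusted list criteria'
}
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$cfaStateNames  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit only'
                     3 = 'Block disk modification only'; 4 = 'Audit disk modification' }

$pref = Get-MpPreference

Write-Host '== Attack Surface Reduction rules currently in effect =='
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $name   = if ($asrRuleNames.ContainsKey($id)) { $asrRuleNames[$id] } else { '(other rule)' }
    '{0,-8} {1}  {2}' -f $asrActionNames[$action], $id, $name
}

Write-Host "`n== Controlled folder access =="
'State: {0}' -f $cfaStateNames[[int]$pref.EnableControlledFolderAccess]

# Windows Defender operational log event IDs:
#   1121 ASR rule blocked, 1122 ASR rule audited, 1123 CFA blocked, 1124 CFA audited.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

Write-Host "`n== Exploit Guard events, last 7 days (Audit rows show what Block would have stopped) =="
$events | ForEach-Object {
    # Assumption: for ASR events the rule GUID appears in the rendered message text.
    $ruleId = if ($_.Message -match $guidPattern) { $Matches[0].ToLower() } else { $null }
    [pscustomobject]@{
        Time = $_.TimeCreated
        Mode = if ($_.Id -in @(1122, 1124)) { 'Audit' } else { 'Block' }
        Kind = if ($_.Id -le 1122) { 'ASR' } else { 'CFA' }
        Rule = if ($ruleId -and $asrRuleNames.ContainsKey($ruleId)) { $asrRuleNames[$ruleId] } else { $ruleId }
    }
} | Group-Object Kind, Mode, Rule | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A rule that audits only expected administrative tooling is a candidate for Block; one that audits line-of-business installers needs an exclusion first.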

Week of February 19, 2018

Device enrollment

Intune support for multiple Apple DEP / Apple School Manager accounts

Intune now supports enrolling devices from up to 100 different Apple Device Enrollment Program (DEP) or Apple School Manager accounts. Each token uploaded can be managed separately for enrollment profiles and devices. A different enrollment profile can be automatically assigned per DEP/School Manager token uploaded. If multiple School Manager tokens are uploaded, only one can be shared with Microsoft School Data Sync at a time.

After migration, the beta Graph APIs and published scripts for managing Apple DEP or ASM over Graph will no longer work. New beta Graph APIs are in development and will be released after the migration.

See enrollment restrictions per user

On the Troubleshoot blade, you can now see the enrollment restrictions that are in effect for each user by selecting Enrollment restrictions from the Assignments list.

Device management

Windows Defender health status and threat status reports

Understanding Windows Defender's health and status is key to managing Windows PCs. With this update, Intune adds new reports and actions for the status and health of the Windows Defender agent. Using a status roll-up report in the Device Compliance workload, you can see devices that need any of the following:

  • signature update
  • restart
  • manual intervention
  • full scan
  • other agent states requiring intervention

A drill-in report for each status category lists the individual PCs that need attention, or those that report as Clean.
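When a PC shows up in one of these categories, the same signals can be read locally to confirm what the roll-up reported. The function below is an added example, not from the Intune docs: it maps the Defender agent's ComputerState bit field to the report's categories (signature update, restart, manual intervention, full scan) and cross-checks the plain status fields. The bit meanings are taken from the MSFT_MpComputerStatus class, not from this page, and should be verified against its documentation.

```powershell
# Added example (not from the Intune docs). Run in PowerShell on a Windows 10 client;
# Get-MpComputerStatus ships with the built-in Defender module.
# ComputerState is a bit field; assumed meanings (verify against MSFT_MpComputerStatus docs):
$stateBits = [ordered]@{
    1   = 'Full scan needed'
    2   = 'Restart needed'
    4   = 'Manual intervention needed'
    8   = 'Antivirus signatures out of date'
    16  = 'Antispyware signatures out of date'
    32  = 'Quick scan overdue'
    64  = 'Full scan overdue'
    128 = 'Offline scan pending'
    256 = 'Critical failure'
}

function Get-DefenderAttentionItems {
    $status = Get-MpComputerStatus
    $needs  = [System.Collections.Generic.List[string]]::new()

    foreach ($bit in $stateBits.Keys) {
        if (($status.ComputerState -band $bit) -ne 0) { $needs.Add($stateBits[$bit]) }
    }

    # Cross-check the bit field against the plain fields the roll-up also reflects.
    if (-not $status.RealTimeProtectionEnabled) { $needs.Add('Real-time protection is off') }
    if ($status.AntivirusSignatureAge -gt 7) {
        $needs.Add("Signatures are $($status.AntivirusSignatureAge) days old")
    }
    # FullScanAge reports the uint32 maximum when no full scan has ever run.
    if ($status.FullScanAge -gt 30 -or $status.FullScanAge -eq 4294967295) {
        $needs.Add('No recent full scan')
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        DefenderRunning = $status.AMServiceEnabled
        EngineVersion   = $status.AMEngineVersion
        SignatureDate   = $status.AntivirusSignatureLastUpdated
        Overall         = if ($needs.Count -eq 0) { 'Clean' } else { 'Needs attention' }
        Items           = $needs -join '; '
    }
}

Get-DefenderAttentionItems | Format-List
```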

New privacy settings for device restrictions

Two new privacy settings are now available for devices:

  • Publish user activities: Set this to Block to prevent shared experiences and discovery of recently used resources in the task switcher.
  • Local activities only: Set this to Block to prevent shared experiences and discovery of recently used resources in the task switcher based only on local activity.

New settings for the Edge browser

Two new settings are now available for devices with the Edge browser: Path to favorites file and Changes to Favorites.

App management

Protocol exceptions for applications

You can now create exceptions to the Intune Mobile Application Management (MAM) data transfer policy to open specific unmanaged applications. Such applications must be trusted by IT. Other than the exceptions you create, data transfer is still restricted to applications that are managed by Intune when your data transfer policy is set to managed apps only. You can create the restrictions by using protocols (iOS) or packages (Android).

For example, you can add the Webex package as an exception to the MAM data transfer policy. This will allow Webex links in a managed Outlook email message to open directly in the Webex application. Data transfer will still be restricted in other unmanaged applications. For more information, see Data transfer policy exceptions for apps.

Windows Information Protection (WIP) encrypted data in Windows search results

A setting in the Windows Information Protection (WIP) policy now allows you to control whether WIP-encrypted data is included in Windows search results. Set this app protection policy option by selecting Allow Windows Search Indexer to search encrypted items in the Advanced settings of the Windows Information Protection policy. The app protection policy must be set to the Windows 10 platform and the app policy Enrollment state must be set to With enrollment. For more information, see Allow Windows Search Indexer to search encrypted items.

Configuring a self-updating mobile MSI app

You can configure a known self-updating mobile MSI app to ignore the version check process. This capability is useful to avoid getting into a race condition. For instance, this type of race condition could occur when an app being auto-updated by the app developer is also being updated by Intune. Both could try to enforce a version of the app on a Windows client, which could create a conflict. For these automatically updated MSI apps, you can configure the Ignore app version setting in the App information blade. When this setting is switched to Yes, Microsoft Intune will ignore the app version installed on the Windows client.

Intune in the Azure portal now supports related sets of app licenses as a single app item in the UI. In addition, any Offline Licensed apps synced from Microsoft Store for Business will be consolidated into a single app entry, and any deployment details from the individual packages will be migrated over to the single entry. To view related sets of app licenses in the Azure portal, select App licenses from the Mobile apps blade.

Device configuration

Windows Information Protection (WIP) file extensions for automatic encryption

A setting in the Windows Information Protection (WIP) policy now lets you specify which file extensions are automatically encrypted when copying from a Server Message Block (SMB) share within the corporate boundary, as defined in the WIP policy.

Configure resource account settings for Surface Hubs

You can now remotely configure resource account settings for Surface Hubs.

The resource account is used by a Surface Hub to authenticate against Skype/Exchange so it can join a meeting. You will want to create a unique resource account so the Surface Hub can show up in the meeting as the conference room. For example, a resource account such as Conference Room B41/6233.

Note

  • If you leave fields blank, you will override previously configured attributes on the device.

  • Resource Account properties can change dynamically on the Surface Hub, for example, if password rotation is on. So, it's possible that the values in the Azure console will take some time to reflect the reality on the device.

    To understand what is currently configured on the Surface Hub, the Resource Account information can be included in hardware inventory (which already has a 7 day interval) or as read-only properties. To enhance the accuracy after the remote action has taken place, you can get the state of the parameters immediately after running the action to update the account/parameters on the Surface Hub.

Attack Surface Reduction

| Setting name | Setting options | Description |
|---|---|---|
| Execution of password-protected executable content from email | Block, Audit, Not configured | Prevent password-protected executable files downloaded over email from running. |
| Advanced ransomware protection | Enabled, Audit, Not configured | Use aggressive ransomware protection. |
| Flag credential stealing from the Windows local security authority subsystem | Enabled, Audit, Not configured | Flag credential stealing from the Windows local security authority subsystem (lsass.exe). |
| Process creation from PSExec and WMI commands | Block, Audit, Not configured | Block process creations originating from PSExec and WMI commands. |
| Untrusted and unsigned processes that run from USB | Block, Audit, Not configured | Block untrusted and unsigned processes that run from USB. |
| Executables that don't meet a prevalence, age, or trusted list criteria | Block, Audit, Not configured | Block executable files from running unless they meet a prevalence, age, or trusted list criteria. |

Controlled folder access

| Setting name | Setting options | Description |
|---|---|---|
| Folder protection (already implemented) | Not configured, Enable, Audit only (already implemented). New: Block disk modification, Audit disk modification | Protect files and folders from unauthorized changes by unfriendly apps. Enable: Prevent untrusted apps from modifying or deleting files in protected folders and from writing to disk sectors. Block disk modification only: Block untrusted apps from writing to disk sectors. Untrusted apps can still modify or delete files in protected folders. |

Additions to System Security settings for Windows 10 and later compliance policies

Additions to the Windows 10 compliance settings are now available, including requiring Firewall and Windows Defender Antivirus.

Role-based access control

Intune apps

Support for offline apps from the Microsoft Store for Business

Offline apps that you purchased from the Microsoft Store for Business are now synchronized to the Azure portal. You can deploy these apps to device groups or user groups. Offline apps are installed by Intune, not by the store.

Prevent end users from manually adding or removing accounts in the work profile

When you deploy the Gmail app into an Android for Work profile, you can now prevent end users from manually adding or removing accounts in the work profile by using the Add and remove accounts setting in the Android for Work Device restrictions profile.

Week of February 5, 2018

Device enrollment

New option for user authentication for Apple bulk enrollment

Note

New tenants see this right away. For existing tenants, this feature is being rolled out through April. Until this roll out is complete, you might not have access to these new features.

Intune now gives you the option to authenticate devices by using the Company Portal app for the following enrollment methods:

  • Apple Device Enrollment Program
  • Apple School Manager
  • Apple Configurator Enrollment

When using the Company Portal option, Azure Active Directory multi-factor authentication can be enforced without blocking these enrollment methods.

When using the Company Portal option, Intune skips user authentication in the iOS Setup Assistant for user affinity enrollment. This means that the device is initially enrolled as a userless device, and so doesn't receive configurations or policies of user groups. It only receives configurations and policies for device groups. However, Intune will automatically install the Company Portal app on the device. The first user to launch and sign in to the Company Portal app will be associated with the device in Intune. At this point, the user will receive configurations and policies of their user groups. The user association cannot be changed without re-enrollment.

Remote printing over a secure network

PrinterOn's wireless mobile printing solutions will enable users to remotely print from anywhere at any time over a secure network. PrinterOn will integrate with the Intune APP SDK for both iOS and Android. You will be able to target app protection policies to this app through the Intune App protection policies blade in the admin console. End users will be able to download the app 'PrinterOn for Microsoft' through the Play Store or iTunes to use within their Intune ecosystem.

macOS Company Portal support for enrollments that use the Device Enrollment Manager

Users can now use the Device Enrollment Manager when enrolling with the macOS Company Portal.

Week of January 29, 2018

Device enrollment

Alerts for expired tokens and tokens that will soon expire

The overview page now shows alerts for expired tokens and tokens that will soon expire. When you click on an alert for a single token, you'll go to the token's details page. If you click on an alert with multiple tokens, you'll go to a list of all tokens with their status. Admins should renew their tokens before the expiration date.

Device management

Remote "Erase" command support for macOS devices

Admins can issue an Erase command remotely for macOS devices.

Important

The erase command can't be reversed and should be used with caution.

The erase command removes all data, including the operating system, from a device. It also removes the device from Intune management. No warning is issued to the user and the erasure occurs immediately upon issuing the command.

You must configure a 6-digit recovery PIN. This PIN can be used to unlock the erased device, at which point reinstallation of the operating system will begin. After erasure has started, the PIN appears in a status bar on the device's overview blade in Intune. The PIN will remain as long as the erasure is underway. After erasure is complete, the device disappears entirely from Intune management. Be sure to record the recovery PIN so that whoever is restoring the device can use it.

撤銷 iOS 大量採購方案權杖的授權 Revoke licenses for an iOS Volume Purchasing Program token

您可針對指定的 VPP 權杖,撤銷所有 iOS Volume Purchasing Program (VPP) 應用程式的授權。You can revoke the license of all iOS Volume Purchasing Program (VPP) apps for a given VPP Token.

應用程式管理App management

撤銷 iOS 大量採購方案應用程式 Revoking iOS Volume-Purchase Program apps

對於具有一或多個 iOS Volume Purchasing Program (VPP) 應用程式的指定裝置,您可將裝置撤銷與其建立關聯的裝置應用程式授權。For a given device that has one or more iOS Volume-Purchase Program (VPP) apps, you can revoke the associated device-based app license for the device. 撤銷應用程式授權將不會從該裝置解除安裝相關聯的 VPP 應用程式。Revoking an app license will not uninstall the related VPP app from the device. 若要解除安裝 VPP 應用程式,您必須將指派動作變更為 [解除安裝]。To uninstall a VPP app, you must change the assignment action to Uninstall. 如需詳細資訊,請參閱如何使用 Microsoft Intune 管理透過大量採購方案購買的 iOS 應用程式For more information, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

將 Office 365 行動應用程式指派給使用內建應用程式類型的 iOS 和 Android 裝置 Assign Office 365 mobile apps to iOS and Android devices using built-in app type

內建應用程式類型讓您可更輕鬆地建立 Office 365 應用程式,並將其指派給您管理的 iOS 及 Android 裝置。The Built-in app type makes it easier for you to create and assign Office 365 apps to the iOS and Android devices that you manage. 這些應用程式包括 0365 應用程式,例如 Word、Excel、PowerPoint 和 OneDrive。These apps include 0365 apps such as Word, Excel, PowerPoint, and OneDrive. 您可以將特定的應用程式指派給應用程式類型,並編輯應用程式資訊設定。You can assign specific apps to the app type and edit the app information configuration.

依據群組來包含和排除應用程式指派 Including and excluding app assignment based on groups

在應用程式指派期間和選取指派類型後,您可選取要包含的群組及要排除的群組。During app assignment and after selecting an assignment type, you can select the groups to include, as well as the groups to exclude.

裝置設定Device configuration

您可包含和排除指派,將應用程式設定原則指派給群組 You can assign an application configuration policy to groups by including and excluding assignments

您可使用包含和排除指派的組合,將應用程式設定原則指派給一群使用者和裝置。You can assign an application configuration policy to a group of users and devices by using a combination of including and excluding assignments. 您可選擇自選群組或虛擬群組作為指派。Assignments can be chosen as either a custom selection of groups or as a virtual group. 虛擬群組可以包括 [所有使用者]、[所有裝置] 或 [所有使用者及所有裝置]。A virtual group can include All users, All Device, or All Users + All Devices.
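An added example (not Intune's or Microsoft's code) of how the include/exclude assignment model described above resolves, for both the app assignment case and the app configuration policy case, including the three virtual groups. The directory, the group names and member ids, and the rule that an exclusion beats an inclusion are assumptions made for this example:

```python
"""Resolve the targets of an include/exclude group assignment.

Added example, not Intune's own code. It models the assignment rules
described on the page (include groups, exclude groups, and the three
virtual groups). The directory, group names and members are constructed
for illustration. Assumption: an exclusion always wins over an inclusion,
so an id that appears in both an included and an excluded group is not
targeted.
"""
from dataclasses import dataclass

# The three virtual groups named on the page
ALL_USERS = "All users"
ALL_DEVICES = "All devices"
ALL_USERS_AND_DEVICES = "All users + All devices"


@dataclass
class Directory:
    """Minimal stand-in for the directory an assignment is evaluated against."""
    users: set
    devices: set
    groups: dict  # custom group name -> set of member ids (users or devices)

    def members(self, group):
        """Expand a custom or virtual group into the ids it contains."""
        if group == ALL_USERS:
            return set(self.users)
        if group == ALL_DEVICES:
            return set(self.devices)
        if group == ALL_USERS_AND_DEVICES:
            return set(self.users) | set(self.devices)
        if group not in self.groups:
            raise KeyError(f"unknown group {group!r}")
        return set(self.groups[group])


def resolve_targets(directory, include, exclude=()):
    """Return the ids an assignment applies to.

    Every include group is expanded and unioned, every exclude group is
    expanded and unioned, and the exclusions are subtracted (assumption:
    exclusion takes precedence over inclusion).
    """
    included = set().union(*(directory.members(g) for g in include))
    excluded = set().union(*(directory.members(g) for g in exclude))
    return included - excluded


# Constructed sample directory (names and ids are made up)
SAMPLE_DIRECTORY = Directory(
    users={"alice", "bob", "carol"},
    devices={"laptop-01", "phone-07"},
    groups={
        "Finance": {"alice", "bob"},
        "Contractors": {"bob"},
        "Kiosks": {"phone-07"},
    },
)

if __name__ == "__main__":
    # A policy for every user except contractors
    print(sorted(resolve_targets(SAMPLE_DIRECTORY, [ALL_USERS], ["Contractors"])))
    # A policy for every user and device, minus kiosk devices and contractors
    print(sorted(resolve_targets(SAMPLE_DIRECTORY, [ALL_USERS_AND_DEVICES],
                                 ["Kiosks", "Contractors"])))
```

Using a virtual group as the include and a small custom group as the exclude is the usual way to express "everyone except" without maintaining a large explicit group; the function makes the precedence explicit so a reviewer can see that an excluded member is never targeted regardless of how many include groups contain it.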

Support for Windows 10 edition upgrade policy

You can create a Windows 10 edition upgrade policy that upgrades Windows 10 devices to Windows 10 Education, Windows 10 Education N, Windows 10 Professional, Windows 10 Professional N, Windows 10 Professional Education, and Windows 10 Professional Education N. For details about Windows 10 edition upgrades, see How to configure Windows 10 edition upgrades.

Conditional Access policies for Intune are only available from the Azure portal

Starting with this release, you must configure and manage your Conditional Access policies in the Azure portal from Azure Active Directory > Conditional Access. For your convenience, you can also access this blade from Intune in the Azure portal at Intune > Conditional Access.

Updates to compliance emails

When an email is sent to report a noncompliant device, details about the noncompliant device are included.

Week of January 22, 2018

Intune apps

New functionality for the "Resolve" action for Android devices

The Company Portal app for Android is expanding the "Resolve" action for Update device settings to resolve device encryption issues.

Remote lock available in Company Portal app for Windows 10

End users can now remotely lock their devices from the Company Portal app for Windows 10. This will not be displayed for the local device they're actively using.

Easier resolution of compliance issues for the Company Portal app for Windows 10

End users with Windows devices will be able to tap the noncompliance reason in the Company Portal app. When possible, this will take them directly to the correct location in the Settings app to fix the issue.

Week of December 11, 2017

Device configuration

New automatic redeployment setting

The Automatic redeployment setting allows users with administrative rights to delete all user data and settings using CTRL + Win + R at the device lock screen. The device is automatically reconfigured and reenrolled into management. This setting can be found under Windows 10 > Device restrictions > General > Automatic redeployment. For details, see Intune device restriction settings for Windows 10.

Support for additional source editions in the Windows 10 edition upgrade policy

You can now use the Windows 10 edition upgrade policy to upgrade from additional Windows 10 editions (Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Cloud, etc.). Prior to this release, the supported edition upgrade paths were more limited. For details, see How to configure Windows 10 edition upgrades.

New Windows Defender Security Center (WDSC) device configuration profile settings

Intune adds a new section of device configuration profile settings under Endpoint protection named Windows Defender Security Center. IT admins can configure which pillars of the Windows Defender Security Center app end users can access. If an IT admin hides a pillar in the Windows Defender Security Center app, all notifications related to the hidden pillar do not display on the user's device.

These are the pillars admins can hide from the Windows Defender Security Center device configuration profile settings:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protection
  • App and browser control
  • Family options

IT admins can also customize which notifications users receive. For example, you can configure whether the users receive all notifications generated by visible pillars in the WDSC, or only critical notifications. Non-critical notifications include periodic summaries of Windows Defender Antivirus activity and notifications when scans have completed. All other notifications are considered critical. Additionally, you can also customize the notification content itself; for example, you can provide the IT contact information to embed in the notifications that appear on the users' devices.

Multiple connector support for SCEP and PFX certificate handling

Customers who use the on-premises NDES connector to deliver certificates to devices can now configure multiple connectors in a single tenant.

This new capability supports the following scenario:

  • High availability

Each NDES connector pulls certificate requests from Intune. If one NDES connector goes offline, the other connector can continue to process requests.

Custom subject name can use AAD_DEVICE_ID variable

When you create a SCEP certificate profile in Intune, you can now use the AAD_DEVICE_ID variable when you build the custom subject name. When the certificate is requested using this SCEP profile, the variable is replaced with the AAD device ID of the device making the certificate request.

Device management

Manage Jamf-enrolled macOS devices with Intune's device compliance engine

You can now use Jamf to send macOS device state information to Intune, which will then evaluate it for compliance with policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), conditional access will enforce compliance for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365. Find out more about setting up Jamf integration and enforcing compliance for Jamf-managed devices.

New iOS device action

You can now shut down iOS 10.3 supervised devices. This action shuts down the device immediately without warning to the end user. The Shut down (supervised only) action can be found in the device properties when you select a device in the Devices workload.

Disallow date/time changes to Samsung Knox devices

We've added a new feature that allows you to block date and time changes on Samsung Knox devices. You can find this in Device configuration profiles > Device restrictions (Android) > General.

Surface Hub resource account supported

A new device action has been added so administrators can define and update the resource account associated with a Surface Hub.

The resource account is used by a Surface Hub to authenticate with Skype/Exchange so it can join a meeting. You can create a unique resource account so the Surface Hub appears in the meeting as the conference room. For example, the resource account might appear as Conference Room B41/6233. The resource account (also known as the device account) for the Surface Hub typically needs to be configured for the conference room location and when other resource account parameters need to be changed.

When administrators want to update the resource account on a device, they must provide the current Active Directory/Azure Active Directory credentials associated with the device. If password rotation is on for the device, administrators must go to Azure Active Directory to find the password.

Note

All fields get sent down in a bundle and overwrite all fields that were previously configured. Empty fields also overwrite existing fields.

The following are the settings administrators can configure:

  • Resource account

    • Active Directory user

      Domainname\username or User Principal Name (UPN): user@domainname.com

    • Password

  • Optional resource account parameters (must be set using the specified resource account)

    • Password rotation period

      Ensures the account password is updated automatically by the Surface Hub every week for security reasons. To configure any parameters after this has been enabled, the account in Azure Active Directory must have the password reset first.

    • SIP (Session Initiation Protocol) address

      Only used when autodiscovery fails.

    • Email

      Email address of the device/resource account.

    • Exchange server

      Only required when autodiscovery fails.

    • Calendar sync

      Specifies whether calendar sync and other Exchange server services are enabled. For example: meeting sync.

Install Office apps on macOS devices

You can now install Office apps on macOS devices. This new app type lets you install Word, Excel, PowerPoint, Outlook, and OneNote. These apps also come with Microsoft AutoUpdate (MAU), to help keep your apps secure and up to date.

App management

Delete an iOS Volume Purchasing Program token

You can delete the iOS Volume Purchasing Program (VPP) token using the console. This may be necessary when you have duplicate instances of a VPP token.

Intune apps

Role-based access control

A new entity collection named Current User is limited to currently active user data

The Users entity collection contains all the Azure Active Directory (Azure AD) users with assigned licenses in your enterprise. For example, a user may be added to Intune and then removed during the course of the last month. While this user is not present at the time of the report, the user and state are present in the data. You could create a report that would show the duration of the user's historic presence in your data.

In contrast, the new Current User entity collection only contains users who have not been removed, that is, currently active users. For information about the Current User entity collection, see Reference for current user entity.

Updated Graph APIs

In this release, we've updated a few of the Graph APIs for Intune that are in beta. Please check out the monthly Graph API changelog for more information.

Week of December 4, 2017

Monitor and troubleshoot

Intune supports Windows Information Protection (WIP) denied apps

You can specify denied apps in Intune. If an app is denied, it is blocked from accessing corporate information, effectively the opposite of the allowed apps list. For more information, see Recommended deny list for Windows Information Protection.

Week of November 27, 2017

Device enrollment

Troubleshoot enrollment issues

The Troubleshoot workspace now shows user enrollment issues. Details about the issue and suggested remediation steps can help administrators and help desk operators troubleshoot problems. Certain enrollment issues aren't captured and some errors might not have remediation suggestions.

Group-assigned enrollment restrictions

As an Intune administrator, you can now create custom Device Type and Device Limit enrollment restrictions for user groups.

The Intune Azure portal lets you create up to 25 instances of each restriction type, which can then be assigned to user groups. Group-assigned restrictions override the default restrictions.

All the instances of a restriction type are maintained in a strictly ordered list. This order defines a priority value for conflict resolution. A user impacted by more than one restriction instance is only restricted by the instance with the highest priority value. You can change a given instance's priority by dragging it to a different position in the list.

This functionality will be released with the migration of Android for Work settings from the Android for Work enrollment menu to the Enrollment Restrictions menu. Since this migration may take several days, your account may be upgraded for other parts of the November release before you see group assignment become enabled for Enrollment Restrictions.
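An added example (not Intune's own code) that resolves which restriction instance governs a user under the ordered-list rules described above: at most 25 custom instances per type, group-assigned instances override the default, and a user hit by several instances is governed only by the highest-priority one. The group and platform names are constructed, and the example assumes that index 0 of the list is the highest priority and that the default instance carries no group assignment and sits last:

```python
"""Pick the enrollment restriction instance that applies to a user.

Added example, not Intune's own code. Assumptions made here: index 0 of
the ordered list is the highest priority, the default instance has no
assigned groups and is last in the list, and all group and platform names
are constructed for illustration.
"""
from dataclasses import dataclass

MAX_CUSTOM_INSTANCES = 25  # per restriction type, as stated on the page


@dataclass(frozen=True)
class DeviceTypeRestriction:
    name: str
    blocked_platforms: frozenset
    assigned_groups: frozenset = frozenset()  # empty => the default instance

    @property
    def is_default(self):
        return not self.assigned_groups


def validate_ordered_list(ordered):
    """Enforce the structural rules before resolving anything."""
    customs = [r for r in ordered if not r.is_default]
    defaults = [r for r in ordered if r.is_default]
    if len(customs) > MAX_CUSTOM_INSTANCES:
        raise ValueError(f"more than {MAX_CUSTOM_INSTANCES} custom instances")
    if len(defaults) != 1 or not ordered[-1].is_default:
        raise ValueError("exactly one default instance is required, and it must be last")


def effective_restriction(ordered, user_groups):
    """Return the single instance that governs a member of user_groups.

    Walk from highest priority (index 0) downwards and stop at the first
    instance assigned to any of the user's groups; the default is reached
    only when no custom instance matches.
    """
    validate_ordered_list(ordered)
    groups = frozenset(user_groups)
    for restriction in ordered:
        if restriction.is_default or (restriction.assigned_groups & groups):
            return restriction
    return ordered[-1]  # not reached once validated; kept for clarity


def can_enroll(ordered, user_groups, platform):
    """True when the governing instance does not block the platform."""
    return platform not in effective_restriction(ordered, user_groups).blocked_platforms


# Constructed sample list, highest priority first (names are made up)
SAMPLE_RESTRICTIONS = [
    DeviceTypeRestriction("Executives-any-platform", frozenset(), frozenset({"Executives"})),
    DeviceTypeRestriction("Contractors-no-mobile", frozenset({"Android", "iOS"}),
                          frozenset({"Contractors"})),
    DeviceTypeRestriction("Staff-no-windows", frozenset({"Windows"}), frozenset({"All staff"})),
    DeviceTypeRestriction("Default", frozenset({"Android for Work"})),
]

if __name__ == "__main__":
    # A contractor who is also in "All staff" is governed by the higher-priority
    # contractor instance, so the staff instance's Windows block does not apply.
    print(effective_restriction(SAMPLE_RESTRICTIONS, {"Contractors", "All staff"}).name)
    print(can_enroll(SAMPLE_RESTRICTIONS, {"Guests"}, "Android for Work"))
```

The point worth checking in a real tenant is the one the loop makes visible: only the first matching instance counts, so a permissive instance placed above a restrictive one silently disables the restriction for every user in both groups.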

Support for multiple Network Device Enrollment Service (NDES) connectors

NDES allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). With this update, multiple NDES connectors are supported.

Manage Android for Work devices independently from Android devices

Intune supports managing enrollment of Android for Work devices independently from the Android platform. These settings are managed under Device Enrollment > Enrollment restrictions > Device Type Restrictions. (They were previously located under Device Enrollment > Android for Work Enrollment > Android for Work Enrollment Settings.)

By default, your Android for Work device settings are the same as your settings for your Android devices. However, after you change your Android for Work settings, that is no longer the case.

If you block personal Android for Work enrollment, only corporate Android devices can enroll as Android for Work.

When working with the new settings, consider the following points:

If you have never previously onboarded Android for Work enrollment

The new Android for Work platform is blocked in the default Device Type Restrictions. After you onboard the feature, you can allow devices to enroll with Android for Work. To do so, change the default or create a new Device Type Restriction to supersede the default Device Type Restriction.

If you have onboarded Android for Work enrollment

If you've previously onboarded, your situation depends on the setting you chose. For each setting, the Android for Work status in the default Device Type Restriction and the resulting behaviour are:

  • Manage all devices as Android: Blocked. All Android devices must enroll without Android for Work.
  • Manage supported devices as Android for Work: Allowed. All Android devices that support Android for Work must enroll with Android for Work.
  • Manage supported devices for users only in these groups as Android for Work: Blocked. A separate Device Type Restriction policy was created to override the default. This policy defines the groups you previously selected to allow Android for Work enrollment. Users within the selected groups will continue to be allowed to enroll their Android for Work devices. All other users are restricted from enrolling with Android for Work.

In all cases, your intended regulation is preserved. No action is required on your part to maintain the global or per-group allowance of Android for Work in your environment.

App management

App install report updated to include Install Pending status

The App install status report, accessible for each app through the App list in the Mobile apps workload, now contains an Install Pending count for Users and Devices.

iOS 11 app inventory API for Mobile Threat Detection

Intune collects app inventory information from both personal and corporate-owned devices and makes it available for Mobile Threat Detection (MTD) providers, such as Lookout for Work, to fetch. You can collect an app inventory from the users of iOS 11+ devices.

App inventory

Inventories from both corporate-owned iOS 11+ and personally owned devices are sent to your MTD service provider. Data in the app inventory includes:

  • App ID
  • App Version
  • App Short Version
  • App Name
  • App Bundle Size
  • App Dynamic Size
  • App is validated or not
  • App is managed or not

Device management

Migrate hybrid MDM users and devices to Intune standalone

New processes and tools are now available for moving users and their devices from hybrid MDM to Intune in the Azure portal, allowing you to do the following tasks:

  • Copy policies and profiles from the Configuration Manager console to Intune in the Azure portal
  • Move a subset of users to Intune in the Azure portal, while keeping the rest in hybrid MDM
  • Migrate devices to Intune in the Azure portal without needing to re-enroll them

For details, see Migrate hybrid MDM users and devices to Intune standalone.

On-premises Exchange connector high availability support

After the Exchange connector creates a connection to Exchange using the specified CAS, the connector now has the ability to discover other CASs. If the primary CAS becomes unavailable, the connector will fail over to another CAS, if available, until the primary CAS becomes available again. For details, see On-premises Exchange connector high availability support.

Remotely restart iOS device (supervised only)

You can now trigger a supervised iOS 10.3+ device to restart using a device action. For more information on using the device restart action, see Remotely restart devices with Intune.

Note

This command requires a supervised device and the Device Lock access right. The device restarts immediately. Passcode-locked iOS devices will not rejoin a Wi-Fi network after restart; after restart, they may not be able to communicate with the server.

Single Sign-on support for iOS

You can use Single Sign-on for iOS users. iOS apps that are coded to look for user credentials in the Single Sign-on payload work with this payload configuration update. You can also use UPN and Intune Device ID to configure the Principal Name and Realm. For details, see Configure Intune for iOS device single sign-on.

Add "Find my iPhone" for personal devices

You can now view whether iOS devices have Activation Lock turned on. This feature previously could be found in Intune in the classic portal.

Remotely lock managed macOS device with Intune

You can lock a lost macOS device, and set a 6-digit recovery PIN. When locked, the Device overview blade displays the PIN until another device action is sent.

For more information, see Remotely lock managed devices with Intune.

New SCEP profile details supported

Administrators are now able to set additional settings when creating a SCEP profile on Windows, iOS, macOS, and Android platforms. Administrators can set IMEI, serial number, or common name including email in the subject name format.
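The AAD_DEVICE_ID note (Week of December 11, 2017) and the SCEP subject name options just above both describe per-device variables being substituted into a subject name format at certificate request time. An added example (not Intune's code) that renders such a template: the {{NAME}} delimiter syntax, the variable names other than AAD_DEVICE_ID, and the device values are assumptions made here. It refuses to emit an empty attribute and escapes RFC 4514 special characters, so a value such as a user-editable email address cannot add an RDN that was not in the template:

```python
"""Render a custom SCEP subject name from device-context variables.

Added example, not Intune's own code. Assumptions: the {{NAME}} placeholder
syntax and every variable name except AAD_DEVICE_ID are chosen for this
example, and the device values below are constructed.
"""
import re

# Characters that would otherwise be parsed as DN structure (RFC 4514)
RDN_SPECIAL = set(',+"\\<>;')
PLACEHOLDER = re.compile(r"\{\{([A-Z_]+)\}\}")


def escape_rdn_value(value):
    """Escape a single attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def render_subject_name(template, device):
    """Substitute every {{NAME}} in template with the escaped device value.

    Raises ValueError when a referenced variable is missing or empty, so a
    device without (say) an IMEI never gets a certificate with 'CN='.
    """
    def substitute(match):
        name = match.group(1)
        value = device.get(name)
        if value in (None, ""):
            raise ValueError(f"variable {name} is unavailable for this device")
        return escape_rdn_value(str(value))
    return PLACEHOLDER.sub(substitute, template)


def can_render(template, device):
    """Convenience check: does every variable in template resolve for device?"""
    try:
        render_subject_name(template, device)
        return True
    except ValueError:
        return False


# Constructed device context (the GUID and identifiers are made up)
SAMPLE_DEVICE = {
    "AAD_DEVICE_ID": "c0ffee00-0000-4000-8000-000000000001",
    "IMEI": "356938035643809",
    "SERIAL_NUMBER": "F9FXK0A1HG6W",
    "EMAIL": "alice@contoso.example",
}

if __name__ == "__main__":
    print(render_subject_name("CN={{AAD_DEVICE_ID}},E={{EMAIL}},O=Contoso", SAMPLE_DEVICE))
    # A Wi-Fi-only tablet has no IMEI; the template must not silently produce "CN="
    print(can_render("CN={{IMEI}}", {"IMEI": ""}))
    # A comma in an attribute value is escaped rather than starting a new RDN
    print(render_subject_name("E={{EMAIL}}", {"EMAIL": "evil@x.example,OU=Admins"}))
```

The escaping matters because the subject of an issued certificate is often what downstream systems (Wi-Fi, VPN, conditional access) match on; an unescaped value that contains "," or "+" would change the parsed subject rather than just its text.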

Retain data during a factory reset

When resetting Windows 10 version 1709 and later to factory settings, a new capability is available. Admins can specify whether device enrollment and other provisioned data are retained on a device through a factory reset.

The following data is retained through a factory reset:

  • User accounts associated with the device
  • Machine state (domain join, Azure Active Directory-joined)
  • MDM enrollment
  • OEM installed apps (store and Win32 apps)
  • User profile
  • User data outside of user profile
  • User autologon

The following data is not retained:

  • User files
  • User installed apps (store and Win32 apps)
  • Non-default device settings

Monitor and troubleshoot

Windows 10 update ring assignments are displayed

When you are troubleshooting, for the user you are viewing, you can see any Windows 10 update ring assignments.

Windows Defender Advanced Threat Protection reporting frequency settings

The Windows Defender Advanced Threat Protection (WDATP) service allows admins to manage the reporting frequency for managed devices. With the new Expedite telemetry reporting frequency option, WDATP collects data and assesses risks more frequently. The default for reporting optimizes speed and performance. Increasing the frequency of reporting can be valuable for high-risk devices. This setting can be found in the Windows Defender ATP profile in Device configurations.

Audit updates

Intune auditing provides a record of change operations related to Intune. All create, update, delete, and remote task operations are captured and retained for one year. The Azure portal provides a view of the last 30 days of audit data in each workload, and is filterable. A corresponding Graph API allows retrieval of the auditing data stored for the last year.

Auditing is found under the MONITOR group. There is an Audit Logs menu item for each workload.

Week of November 20, 2017

App management

Google Play Protect support on Android

With the release of Android Oreo, Google introduces a suite of security features called Google Play Protect that allow users and organizations to run secure apps and secure Android images. Intune now supports Google Play Protect features, including SafetyNet remote attestation. Admins can set compliance policy requirements that require Google Play Protect to be configured and healthy. The SafetyNet device attestation setting requires the device to connect with a Google service to verify that the device is healthy and is not compromised. Admins can also set a configuration profile setting for Android for Work to require that installed apps are verified by Google Play services. If a device is not compliant with Google Play Protect requirements, conditional access might block users from accessing corporate resources.

Text protocol allowed from managed apps

Apps managed by the Intune App SDK are able to send SMS messages.

Week of November 13, 2017

Intune apps

Company Portal app for macOS is available

The Intune Company Portal on macOS has an updated experience, which has been optimized to cleanly display all the information and compliance notifications your users need for all the devices they have enrolled. And, once the Intune Company Portal has been deployed to a device, Microsoft AutoUpdate for macOS will provide updates to it. You can download the new Intune Company Portal for macOS by logging into the Intune Company Portal website from a macOS device.

Microsoft Planner is now part of the mobile app management (MAM) list of approved apps

The Microsoft Planner app for iOS and Android is now part of the approved apps for mobile app management (MAM). The app can be configured through the Intune App Protection blade in the Azure portal for all tenants.

Per-App VPN requirement update frequency on iOS devices

Administrators may now remove Per-App VPN requirements for apps on iOS devices; affected devices will pick up the change after their next Intune check-in, which generally occurs within 15 minutes.

Monitor and troubleshoot

Support for System Center Operations Manager management pack for Exchange connector

The System Center Operations Manager (SCOM) management pack for Exchange connector is now available to help you parse the Exchange connector logs. This feature gives you different ways of monitoring the service when you need to troubleshoot issues.

Week of November 6, 2017

Device enrollment

Co-management for Windows 10 devices

Co-management is a solution that provides a bridge from traditional to modern management, and it provides you with a path to make the transition using a phased approach. At its foundation, co-management is a solution where Windows 10 devices are concurrently managed by Configuration Manager and Microsoft Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD). This configuration provides you with a path to modernize over time, at the pace that’s right for your organization if you can’t move all at once.

Restrict Windows enrollment by OS version

As an Intune administrator, you can now specify a minimum and maximum version of Windows 10 for device enrollments. You can set these restrictions in the Platform Configurations blade.

Intune will continue to support enrolling Windows 8.1 PCs and phones. However, only Windows 10 versions can be set with minimum and maximum limits. To permit enrollment of 8.1 devices, leave the minimum limit empty.

Alerts for Windows AutoPilot unassigned devices

A new alert is available for Windows AutoPilot unassigned devices on the Microsoft Intune > Device enrollment > Overview page. This alert shows how many devices from the AutoPilot program do not have AutoPilot deployment profiles assigned. Use the information in the alert to create profiles and assign them to the unassigned devices. When you click the alert, you see a full list of Windows AutoPilot devices and detailed information about them. For more information, see Enroll Windows devices using the Windows AutoPilot deployment program.

Device management

Refresh button for Devices list

Because the Devices list does not refresh automatically, you can use the new Refresh button to update the devices that display in the list.

Support for Symantec Cloud Certification Authority (CA)

Intune now supports Symantec Cloud CA, which allows the Intune Certificate Connector to issue PKCS certificates from the Symantec Cloud CA to Intune managed devices. If you're already using the Intune Certificate Connector with a Microsoft Certification Authority (CA), you can use the existing Intune Certificate Connector setup to add the Symantec CA support.

新增至裝置清查的項目 New items added to device inventory

下列新項目現在可用於已註冊裝置執行的清查The following new items are now available to the inventory taken by enrolled devices:

  • Wi-Fi Mac 位址Wi-Fi MAC address
  • 儲存空間總計Total storage space
  • 可用空間總計Total free space
  • MEIDMEID
  • 用戶載波Subscriber carrier

應用程式管理App management

依據裝置的 Android 安全性修補程式下限,來設定應用程式的存取權Set access for apps by minimum Android security patch on the device

系統管理員可以定義裝置必須安裝的 Android 安全性修補程式下限,才能以受管理帳戶來存取受管理的應用程式。An administrator is able to define the minimum Android security patch that must be installed on the device in order to gain access to a managed application under a managed account.

注意

這項功能只能限制 Android 6.0+ 裝置上由 Google 發行的安全性修補程式。This feature only restricts security patches released by Google on Android 6.0+ devices.
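Both the Windows 10 enrollment version window above and this Android patch-level minimum are range checks that go wrong when versions are compared as strings ("10.0.9" sorts above "10.0.16299" lexically). The following Python is an added example, not Intune code, of how each gate should be evaluated. It assumes the device reports its Windows version as a dotted build string such as 10.0.16299.64 (Windows 8.1 reports 6.3) and its Android patch level in the YYYY-MM-DD form of Build.VERSION.SECURITY_PATCH; the policy values are constructed.

```python
"""Added example: version-window and patch-level gates (not Intune's code).

Assumes a Windows version reported as a dotted build string, for example
"10.0.16299.64" (Windows 8.1 reports 6.3), and an Android security patch
level in the YYYY-MM-DD form of Build.VERSION.SECURITY_PATCH.
"""
from datetime import date
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """"10.0.16299.64" -> (10, 0, 16299, 64). Comparing integer tuples avoids
    the string-comparison bug where "10.0.9" would sort above "10.0.16299"."""
    return tuple(int(part) for part in text.strip().split("."))


def windows_enrollment_allowed(reported: str,
                               minimum: Optional[str] = None,
                               maximum: Optional[str] = None) -> bool:
    """Apply the enrollment restriction described above.

    The bounds are defined for Windows 10 only. A Windows 8.1 device (6.3)
    is admitted only when no minimum is set, which is the page's rule for
    permitting 8.1 enrollment; any configured minimum shuts it out.
    """
    version = parse_version(reported)
    if version[:2] != (10, 0):
        return not minimum
    if minimum and version < parse_version(minimum):
        return False
    if maximum and version > parse_version(maximum):
        return False
    return True


def android_patch_gate(os_version: str, patch_level: str,
                       minimum_patch: str) -> bool:
    """Decide whether this gate lets the managed account open a managed app.

    The restriction applies to Google patch levels on Android 6.0 and later,
    so older releases are not evaluated here (other conditions still apply).
    Patch levels are compared as dates, not as strings.
    """
    if parse_version(os_version) < (6, 0):
        return True
    return date.fromisoformat(patch_level) >= date.fromisoformat(minimum_patch)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(windows_enrollment_allowed("10.0.16299.64", minimum="10.0.15063.0"))  # True
    print(windows_enrollment_allowed("6.3.9600.0", minimum="10.0.15063.0"))     # False
    print(android_patch_gate("8.0.0", "2017-11-05", "2017-10-01"))               # True
```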

App-conditional launch support

IT admins can now set a requirement in the Azure admin portal to enforce a passcode, instead of a numeric PIN, through mobile app management (MAM) when an application launches. When configured, the user must set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN with at least one special character or upper- or lowercase letter. This release of Intune enables the feature on iOS only. Intune handles passcodes in the same way as numeric PINs: it sets a minimum length and can allow repeated characters and sequences. The feature requires participating applications (for example, WXP, Outlook, Managed Browser, and Yammer) to integrate the Intune App SDK, with the code for this feature in place, before the passcode settings are enforced in the targeted applications.
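To make the passcode definition above concrete, here is an added example in Python (not Intune App SDK code) of the check an enlightened app would run at launch. It encodes the rules stated above: a minimum length, passcode mode requiring at least one letter or special character in addition to digits, and a switch for whether repeated characters and sequences are allowed. How "sequence" is defined is an assumption of this example, as are the sample values.

```python
"""Added example: app-launch passcode policy check (not Intune App SDK code)."""
import string
from typing import List

SPECIAL_CHARACTERS = set(string.punctuation)


def is_simple(value: str) -> bool:
    """True for one repeated character (1111) or one ascending/descending run
    (1234, 4321, abcd). This definition of "sequence" is an assumption made
    for the example; the page only says such values can be allowed or not."""
    if len(value) < 2:
        return False
    if len(set(value)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(value, value[1:])}
    return steps in ({1}, {-1})


def check_passcode(candidate: str, min_length: int = 6,
                   passcode_mode: bool = True,
                   allow_simple: bool = False) -> List[str]:
    """Return the rules the candidate violates; an empty list means accepted.

    passcode_mode=True is the conditional-launch setting described above:
    digits plus at least one letter or special character. passcode_mode=False
    is the plain numeric PIN. Both share the length and simple-value rules.
    """
    problems: List[str] = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if any(c.isspace() for c in candidate):
        problems.append("contains whitespace")
    if passcode_mode:
        has_letter = any(c.isalpha() for c in candidate)
        has_special = any(c in SPECIAL_CHARACTERS for c in candidate)
        if not (has_letter or has_special):
            problems.append("passcode needs at least one letter or special character")
    elif not candidate.isdigit():
        problems.append("numeric PIN accepts digits only")
    if not allow_simple and is_simple(candidate):
        problems.append("repeated characters or sequences are not allowed")
    return problems


def gate_app_launch(candidate: str, **policy) -> bool:
    """What the app does at launch: proceed only when every rule is satisfied."""
    return not check_passcode(candidate, **policy)


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("123456", "135790", "13579a", "abcdef", "p@ss 1"):
        print(repr(sample), check_passcode(sample) or "accepted")
```

Note that "123456" fails twice under the default policy: it has no letter or special character, and it is also an ascending sequence. Returning every violation rather than the first lets the app show the user a complete prompt instead of a sequence of rejections.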

App version number for line-of-business apps in the device install status report

With this release, the device install status report displays the app version number for line-of-business apps on iOS and Android. You can use this information to troubleshoot your apps, or to find devices that are running outdated app versions.

Device configuration

Admins can now configure firewall settings on a device using a device configuration profile

Admins can turn on the firewall for devices, and configure various protocols for the domain, private, and public network profiles. These firewall settings are in the "Endpoint protection" profile.

Windows Defender Application Guard helps protect devices from untrusted websites, as defined by your organization

Admins can define sites as "trusted" or "corporate" using a Windows Information Protection workflow or the new "Network boundary" profile under device configuration. On a 64-bit Windows 10 device, any site that is not listed in the device's trusted network boundary opens, when viewed with Microsoft Edge, in a browser running inside a Hyper-V virtual machine instead.

Application Guard is found in the device configuration profiles, in the "Endpoint protection" profile. From there, admins can configure interaction between the virtualized browser and the host machine, between untrusted and trusted sites, and whether data generated in the virtualized browser is stored. To use Application Guard on a device, a network boundary must be configured first. It's important to define only one network boundary per device.

Windows Defender Application Control on Windows 10 Enterprise provides a mode that trusts only authorized apps

With thousands of new malicious files created every day, signature-based antivirus detection might no longer provide an adequate defense against new attacks. Using Windows Defender Application Control on Windows 10 Enterprise, you can change a device's configuration from a mode where apps are trusted unless an antivirus or other security solution blocks them, to a mode where the operating system trusts only apps authorized by your enterprise. You assign that trust to apps in Windows Defender Application Control.

Using Intune, you can configure application control policies in either "audit only" mode or enforce mode. Apps aren't blocked in "audit only" mode; instead, every event is written to the local client logs, which lets you find the apps a policy would have blocked before you enforce it. You can also configure whether only Windows components and Microsoft Store apps are allowed to run, or whether additional apps with a good reputation, as defined by the Intelligent Security Graph, are allowed to run as well.

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities for Windows 10

Windows Defender Exploit Guard includes custom rules that reduce the exploitability of applications, prevents macro and script threats, automatically blocks network connections to low-reputation IP addresses, and can protect data from ransomware and unknown threats. Windows Defender Exploit Guard consists of the following components:

  • Attack Surface Reduction (ASR) provides rules that let you prevent macro, script, and email threats.
  • Controlled folder access automatically blocks untrusted apps from changing content in protected folders.
  • Network filtering blocks outbound connections from any app to low-reputation IP addresses and domains.
  • Exploit protection provides memory, control-flow, and policy restrictions that can be used to protect an application from exploits.

Manage PowerShell scripts in Intune for Windows 10 devices

The Intune management extension lets you upload PowerShell scripts to Intune to run on Windows 10 devices. The extension supplements the Windows 10 mobile device management (MDM) capabilities and makes it easier to move to modern management. For details, see Manage PowerShell scripts in Intune for Windows 10 devices.

New device restriction settings for Windows 10

  • Messaging (mobile only) - disable text (SMS) or MMS messages
  • Password - settings to enable FIPS and the use of Windows Hello companion (secondary) devices for authentication
  • Display - settings to turn GDI scaling for legacy apps on or off

Windows 10 kiosk mode device restrictions

You can restrict Windows 10 device users to kiosk mode, which limits them to a set of predefined apps. To do so, create a Windows 10 device restriction profile and set the Kiosk settings.

Kiosk mode supports two modes: single app (the user can run just one app) or multi app (the user has access to a set of apps). You define the user account and device name, which determine the supported apps. When that user signs in, they are limited to the defined apps. To learn more, see the AssignedAccess CSP.

Kiosk mode requires:

  • Intune must be the MDM authority.
  • The apps must already be installed on the target device.
  • The device must be properly provisioned.

New device configuration profile for creating network boundaries

A new device configuration profile called Network boundary is available alongside your other device configuration profiles. Use it to define the online resources you want treated as corporate and trusted. You must define a network boundary for a device before features such as Windows Defender Application Guard and Windows Information Protection can be used on it. It's important to define only one network boundary per device.

You can define enterprise cloud resources, IP address ranges, and internal proxy servers that you want treated as trusted. Once defined, the network boundary can be consumed by other features such as Windows Defender Application Guard and Windows Information Protection.
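The boundary is consumed at decision time: when a site is requested, Application Guard (described earlier in this section) opens it in the host browser only if it falls inside the boundary, and in the isolated container otherwise. The following Python is an added example of that decision, not Intune or Windows code; the boundary values, host names and URLs are constructed. It assumes the three kinds of entry the page lists, cloud resource host names (a leading dot is taken to match subdomains), IP address ranges, and internal proxy server names, and for simplicity it treats a proxy name as a trusted destination. The two checks worth noticing are that a literal IP address in the URL is matched against the ranges rather than the name list, and that subdomain matching is done on a label boundary so that contoso.com.evil.example and evil-contoso.com do not inherit trust from .contoso.com.

```python
"""Added example: decide whether a URL lies inside a network boundary."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union
from urllib.parse import urlsplit

IpNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class NetworkBoundary:
    cloud_resources: List[str] = field(default_factory=list)  # ".contoso.com" also matches subdomains
    ip_ranges: List[IpNetwork] = field(default_factory=list)
    internal_proxies: List[str] = field(default_factory=list)

    def is_trusted_host(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # A literal IP never matches a name list, so it is checked against the
        # trusted ranges; otherwise http://10.1.2.3/ would fall through to the
        # untrusted path even though the address is inside the boundary.
        try:
            address = ipaddress.ip_address(host)
        except ValueError:
            address = None
        if address is not None:
            return any(address in net for net in self.ip_ranges)
        for entry in self.cloud_resources:
            entry = entry.lower()
            if entry.startswith("."):
                # Suffix match on a label boundary: "evil-contoso.com" and
                # "contoso.com.evil.example" must not match ".contoso.com".
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return host in (proxy.lower() for proxy in self.internal_proxies)

    def browser_for(self, url: str) -> str:
        """"host" for sites inside the boundary; "container" for everything
        else, which Edge opens in Application Guard's isolated browser."""
        host = urlsplit(url).hostname or ""
        return "host" if self.is_trusted_host(host) else "container"


# Constructed boundary for the example.
EXAMPLE_BOUNDARY = NetworkBoundary(
    cloud_resources=[".contoso.com", "sharepoint.example"],
    ip_ranges=[ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("fd00::/8")],
    internal_proxies=["proxy.corp.local"],
)


def classify(url: str) -> str:
    """Which browser the example boundary sends a URL to."""
    return EXAMPLE_BOUNDARY.browser_for(url)


if __name__ == "__main__":
    for sample in ("https://intranet.contoso.com/hr", "http://10.20.30.40/app",
                   "https://contoso.com.evil.example/", "https://www.example.org/"):
        print(sample, "->", classify(sample))
```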

Two additional settings for Windows Defender Antivirus

File blocking level

  • Not configured - uses the default Windows Defender Antivirus blocking level, which provides strong detection without increasing the risk of detecting legitimate files.
  • High - applies a strong level of detection.
  • High + - provides the High level with additional protection measures that might affect client performance.
  • Zero tolerance - blocks all unknown executables.

Although unlikely, setting the level to High may cause some legitimate files to be detected. We recommend leaving File blocking level at the default, Not configured.

Time out extension for file scanning by the cloud

  • Number of seconds (0-50) - specifies the maximum amount of time that Windows Defender Antivirus should block a file while waiting for a result from the cloud. The default is 10 seconds; any additional time specified here (up to 50 seconds) is added to those 10 seconds. In most cases the scan takes much less time than the maximum. Extending the time allows the cloud to investigate suspicious files thoroughly. We recommend enabling this setting and specifying at least 20 additional seconds.

Citrix VPN added for Windows 10 devices

You can configure Citrix VPN for your Windows 10 devices. When configuring a VPN for Windows 10 and later, choose Citrix VPN in the Select a connection type list on the Base VPN blade.

Note

Citrix configuration already existed for iOS and Android.

Wi-Fi connections support pre-shared keys on iOS

Customers can configure Wi-Fi profiles to use pre-shared keys (PSK) for WPA/WPA2 Personal connections on iOS devices. These profiles are pushed to the user's device when it is enrolled in Intune.

Once the profile has been pushed to the device, what happens next depends on the profile configuration. If the profile is set to connect automatically, the device connects the next time the network is needed. If it is set to connect manually, the user must activate the connection themselves.
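What actually lands on the device is an Apple configuration profile. The following Python, an added example rather than anything Intune ships, builds the WPA/WPA2 Personal Wi-Fi payload with the standard library's plistlib, using Apple's documented Wi-Fi payload keys (PayloadType com.apple.wifi.managed, SSID_STR, EncryptionType, Password, AutoJoin, HIDDEN_NETWORK); the organization name, SSID and passphrase are constructed. Two points a practitioner wants reminded of are built in: the passphrase is validated against the WPA/WPA2 Personal length rule before a profile is produced, and the PSK sits in clear text inside the profile, so the profile itself is what has to be protected in transit and at rest.

```python
"""Added example: generate an iOS Wi-Fi (WPA/WPA2 Personal) payload.

Not Intune's code. Uses Apple's documented Wi-Fi payload keys; all sample
values (organization, SSID, passphrase) are constructed.
"""
import plistlib
import uuid


def is_valid_psk(psk: str) -> bool:
    """WPA/WPA2 Personal passphrases are 8 to 63 printable ASCII characters.
    The 64-hex-digit raw PSK form is a different thing and is not handled."""
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def wifi_psk_profile(ssid: str, psk: str, auto_join: bool = True,
                     hidden: bool = False, organization: str = "Contoso") -> bytes:
    """Return an XML configuration profile carrying one Wi-Fi payload.

    The PSK goes into the profile in clear text ("Password"): the MDM's TLS
    transport and the device's storage protect it, not the profile format.
    """
    if not is_valid_psk(psk):
        raise ValueError("WPA/WPA2 Personal passphrase must be 8-63 ASCII characters")
    org_id = organization.lower().replace(" ", "")
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org_id}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": auto_join,        # the "connect automatically" behaviour above
        "EncryptionType": "WPA",      # Apple's value for WPA/WPA2 Personal
        "Password": psk,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{organization} Wi-Fi",
        "PayloadOrganization": organization,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def wifi_settings(profile: bytes) -> dict:
    """Parse a profile and return its Wi-Fi payload, for inspection or tests."""
    data = plistlib.loads(profile)
    return next(p for p in data["PayloadContent"]
                if p["PayloadType"] == "com.apple.wifi.managed")


if __name__ == "__main__":
    # Constructed sample values.
    blob = wifi_psk_profile("Contoso-Corp", "correct horse battery staple")
    print(blob.decode())
```

Setting auto_join=False produces the "connect manually" behaviour described above: the network is provisioned, but the user has to select it. For a production deployment the profile should be signed, and the same passphrase should not be reused across the enrolled fleet and unmanaged devices, since anyone who can read one profile has the PSK for all of them.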

Intune apps

Access to managed app logs for iOS

End users with the Managed Browser installed can now view the management status of all Microsoft-published apps and send logs to troubleshoot their managed iOS apps.

To learn how to enable troubleshooting mode in the Managed Browser on an iOS device, see How to access managed app logs using the Managed Browser on iOS.

Improvements to the device setup workflow in the Company Portal for iOS, version 2.9.0

The device setup workflow in the Company Portal app for iOS has been improved. The language is more user-friendly, we've combined screens where possible, and the text is more specific to your company because your company name is used throughout the setup. You can see the updated workflow on the what's new in app UI page.

Monitor and troubleshoot

User entity contains the latest user data in the Data Warehouse data model

The first version of the Intune Data Warehouse data model contained only historical Intune data, so report authors could not capture the current state of a user. With this update, the User entity is populated with the latest user data.

Notices

Plan for change: New Windows 10 setting for kiosk configuration in Intune

We're changing how and where you configure Windows 10 1709 and later (RS3 and later) desktops in the Intune Azure portal.

How does this affect me?

Our records indicate that you are using the Windows 10 > Device restrictions > Kiosk (preview) setting. In May, this will be renamed in the UI to Windows 10 > Device restrictions > Kiosk (obsolete) to indicate that it is no longer recommended for use. It will, however, continue to function until the July update to Intune; then it will be made obsolete in the backend and will no longer work. As an alternative, we're releasing a new device configuration profile in May, Windows 10 > Kiosk, containing the settings to configure kiosks on Windows 10 RS4 and later.

What do I need to do to prepare for this change?

When Intune releases the May service update, around the end of May, we'll share instructions for testing and verifying that you can migrate your kiosk configuration from Windows 10 RS3 to Windows 10 RS4. Use those instructions to configure your devices as kiosks with the new Kiosk device configuration profile.

How does this affect me?

This change affects both Intune standalone customers and hybrid (Intune with Configuration Manager) customers. The integration will help simplify your cloud management administration: you'll have just one blade to go to in Azure, the Intune blade, to manage groups, policies, apps, and any mobile device management.

What do I need to do to prepare for this change?

Tag Intune as a favorite instead of the Intune App Protection service blade, and make sure you're familiar with the App protection policy workflow in the Mobile app blade within Intune. We'll redirect for a short period and then remove the App Protection blade. Remember that all app protection policies are already in Intune, and you can modify any of your conditional access policies by following the documentation at https://aka.ms/azuread_ca.

Additional information: https://aka.ms/intuneapppolicy

Plan for change: Change in support for the Microsoft Intune App SDK for Cordova plugin

Intune is ending support for the Microsoft Intune App SDK Cordova plugin on May 1, 2018. We recommend that you use the Intune App Wrapping Tool instead to prepare your Cordova-based apps for manageability and availability in Intune. When this change takes effect, the Microsoft Intune App SDK for Cordova plugin will no longer be maintained or receive updates, and app developers will not be able to use it. Intune plans to continue supporting apps built with Cordova; however, any app built with the Microsoft Intune App SDK for Cordova plugin will have reduced functionality in Intune. After wrapping with the Intune App Wrapping Tool, apps can be deployed to end users as they normally would be. For Cordova-based Android apps released to the Google Play Store:

  • End users will be prompted for credentials to receive Intune policy on first launch.
  • Apps should be released to the app store targeted at Intune users, for example "Contoso App for Intune".

For more information about the App Wrapping Tool, see App Wrapping Tool for iOS and App Wrapping Tool for Android. For any issues or questions, contact msintuneappsdk@microsoft.com.

Plan for change: Use Intune on Azure now for your MDM management

Over a year ago, we announced the public preview of Intune on Azure, and six months ago we followed up with general availability of the new admin experience for Intune. Starting on August 31, 2018, we will turn off mobile device management (MDM) in the classic Silverlight console for customers using Intune standalone. Use Intune on Azure for your MDM needs instead. If you're still using the classic console for MDM, please stop and familiarize yourself with Intune on Azure. We do not expect any end user impact from this change. Classic PC management will remain in Silverlight. You can learn more about this change and how it affects you here.

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios through the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was accessible only from links in the Intune classic portal. Intune accounts created before January 2017 require a one-time migration before these features are available in Azure. The migration schedule has not been announced yet, but details will be made available as soon as possible. If your existing account cannot access the Azure portal, we strongly recommend creating a trial account to test the new experience.

What's coming

Local device security option settings

You'll be able to enable security settings on Windows 10 devices using the new Local Device Security Option settings. Find them in the Endpoint Protection category when you create a Windows 10 device configuration policy.

New user experience update for the Company Portal website

In April we're introducing a new Company Portal website experience with UI updates, streamlined workflows, and accessibility improvements. It includes customer-driven enhancements such as app sharing and better overall performance for a more user-friendly experience. Based on feedback from customers like you, we've added new features that significantly improve existing functionality and usability:

  • UI improvements throughout the website
  • Ability to share direct links to apps
  • Improved performance for large app catalogs

You don't need to do anything to prepare for this change. We'll let you know when the updated Company Portal website is available to you. However, you may eventually need to update end-user documentation with new screenshots. Note that you may also need to update documentation for the Company Portal app on iOS, because the website powers the Apps section of the iOS app. You can see a sample image on the what's new in app UI page.

Apple to require updates for Application Transport Security

Apple has announced that it will enforce specific requirements for Application Transport Security (ATS). ATS enforces stricter security on all app communications over HTTPS. This change affects Intune customers using the iOS Company Portal app. We'll keep the Intune support blog updated with details.

See also