What's new in Microsoft Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

Learn what's new each week in Microsoft Intune. You can also find out about upcoming changes, important notices about the service, and information about past releases.

Note

For information on new functionality in hybrid mobile device management (MDM), check out our hybrid What's New page.

Week of December 11, 2017

Device configuration

New automatic redeployment setting

The Automatic redeployment setting allows users with administrative rights to delete all user data and settings using CTRL + Win + R at the device lock screen. The device is automatically reconfigured and reenrolled into management. This setting can be found under Windows 10 > Device restrictions > General > Automatic redeployment. For details, see Intune device restriction settings for Windows 10.

Support for additional source editions in the Windows 10 edition upgrade policy

You can now use the Windows 10 edition upgrade policy to upgrade from additional Windows 10 editions (Windows 10 Pro, Windows 10 Pro for Education, Windows 10 Cloud, etc.). Prior to this release, the supported edition upgrade paths were more limited. For details, see How to configure Windows 10 edition upgrades.

New Windows Defender Security Center (WDSC) device configuration profile settings

Intune adds a new section of device configuration profile settings under Endpoint protection, named Windows Defender Security Center. IT admins can configure which pillars of the Windows Defender Security Center app end users can access. If an IT admin hides a pillar in the Windows Defender Security Center app, all notifications related to the hidden pillar do not display on the user's device.

These are the pillars admins can hide from the Windows Defender Security Center device configuration profile settings:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

IT admins can also customize which notifications users receive. For example, you can configure whether the users receive all notifications generated by visible pillars in the WDSC, or only critical notifications. Non-critical notifications include periodic summaries of Windows Defender Antivirus activity and notifications when scans have completed. All other notifications are considered critical. You can also customize the notification content itself; for example, you can provide the IT contact information to embed in the notifications that appear on the users' devices.

Multiple connector support for SCEP and PFX certificate handling

Customers who use the on-premises NDES connector to deliver certificates to devices can now configure multiple connectors in a single tenant.

This new capability supports the following scenario:

  • High availability

Each NDES connector pulls certificate requests from Intune. If one NDES connector goes offline, the other connector can continue to process requests.

Custom subject name can use AAD_DEVICE_ID variable

When you create a SCEP certificate profile in Intune, you can now use the AAD_DEVICE_ID variable when you build the custom subject name. When the certificate is requested using this SCEP profile, the variable is replaced with the AAD device ID of the device making the certificate request.

Device management

Manage Jamf-enrolled macOS devices with Intune's device compliance engine

You can now use Jamf to send macOS device state information to Intune, which will then evaluate it for compliance with policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), conditional access will enforce compliance for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365. Find out more about setting up Jamf integration and enforcing compliance for Jamf-managed devices.

New iOS device action

You can now shut down iOS 10.3 supervised devices. This action shuts down the device immediately without warning to the end user. The Shut down (supervised only) action can be found at the device properties when you select a device in the Device workload.

Disallow date/time changes to Samsung Knox devices

We've added a new feature that allows you to block date and time changes on Samsung Knox devices. You can find this in Device configuration profiles > Device restrictions (Android) > General.

Surface Hub resource account supported

A new device action has been added so administrators can define and update the resource account associated with a Surface Hub.

The resource account is used by a Surface Hub to authenticate with Skype/Exchange so it can join a meeting. You can create a unique resource account so the Surface Hub appears in the meeting as the conference room. For example, the resource account might appear as Conference Room B41/6233. The resource account (also known as the device account) for the Surface Hub typically needs to be configured for the conference room location and when other resource account parameters need to be changed.

When administrators want to update the resource account on a device, they must provide the current Active Directory/Azure Active Directory credentials associated with the device. If password rotation is on for the device, administrators must go to Azure Active Directory to find the password.

Note

All fields get sent down in a bundle and overwrite all fields that were previously configured. Empty fields also overwrite existing fields.

The following are the settings administrators can configure:

  • Resource account

    • Active Directory user

      Domainname\username or User Principal Name (UPN): user@domainname.com

    • Password

  • Optional resource account parameters (must be set using the specified resource account)

    • Password rotation period

      Ensures the account password is updated automatically by the Surface Hub every week for security reasons. To configure any parameters after this has been enabled, the account in Azure Active Directory must have the password reset first.

    • SIP (Session Initiation Protocol) address

      Only used when autodiscovery fails.

    • Email

      Email address of the device/resource account.

    • Exchange server

      Only required when autodiscovery fails.

    • Calendar sync

      Specifies whether calendar sync and other Exchange server services are enabled. For example: meeting sync.
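Because the whole bundle overwrites the device and empty fields blank existing values, an update that changes one parameter has to resend every other field with its current value. The sketch below is an added example, not Intune code: the field names, the `build_bundle` and `fields_wiped` helpers and the sample record are all hypothetical, and the record of current values is assumed to come from your own documentation of the device.

```python
# Added example: models the "bundle overwrites everything" rule for the
# Surface Hub resource account action. Field names are hypothetical.
FIELDS = ("user", "password", "password_rotation", "sip_address",
          "email", "exchange_server", "calendar_sync")
REQUIRED = ("user", "password")   # current credentials must always be supplied
EMPTY = ("", None)


def build_bundle(current, changes, clear=()):
    """Merge the recorded configuration with the requested changes.

    current -- values recorded for the device (no password stored)
    changes -- fields the administrator wants to set, password included
    clear   -- fields the administrator explicitly wants to blank
    """
    unknown = (set(changes) | set(clear)) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    bundle = {}
    for name in FIELDS:
        if name in clear:
            bundle[name] = ""
        elif name in changes:
            bundle[name] = changes[name]
        else:
            bundle[name] = current.get(name, "")
    missing = [n for n in REQUIRED if bundle[n] in EMPTY]
    if missing:
        raise ValueError(f"credentials missing from bundle: {missing}")
    return bundle


def fields_wiped(current, bundle):
    """Fields that hold a value today and would be blanked by this bundle."""
    return sorted(n for n in FIELDS
                  if current.get(n) not in EMPTY and bundle.get(n, "") in EMPTY)


# Constructed sample record of what is configured on the device today.
CURRENT = {
    "user": "hub-b41@domainname.com",
    "password_rotation": True,
    "sip_address": "sip:hub-b41@domainname.com",
    "email": "hub-b41@domainname.com",
    "exchange_server": "exch01.domainname.com",
    "calendar_sync": True,
}

# A partial update that only carries credentials and the new SIP address.
PARTIAL = {"user": CURRENT["user"], "password": "constructed-secret",
           "sip_address": "sip:room-b41@domainname.com"}

# The same change merged with the recorded values.
MERGED = build_bundle(CURRENT, {"password": "constructed-secret",
                                "sip_address": "sip:room-b41@domainname.com"})

if __name__ == "__main__":
    print("partial update would blank:", fields_wiped(CURRENT, PARTIAL))
    print("merged update would blank: ", fields_wiped(CURRENT, MERGED))
```
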

Install Office apps on macOS devices

You will now be able to install Office apps on macOS devices. This new app type will allow you to install Word, Excel, PowerPoint, Outlook, and OneNote. These apps also come with Microsoft AutoUpdate (MAU) to help keep your apps secure and up-to-date.

App management

Delete an iOS Volume Purchasing Program token

You can delete the iOS Volume Purchasing Program (VPP) token using the console. This may be necessary when you have duplicate instances of a VPP token.

Intune apps

End user messaging for accounts

Users of the Company Portal website will be blocked from taking actions that require write access to your tenant. They will see appropriate error messaging explaining that their account is under maintenance. Similar changes are coming to the Company Portal apps for Android, iOS, macOS, and Windows soon. You can see this error in the what's new in app UI.

Role-based access control

A new entity collection named Current User is limited to currently active user data

The Users entity collection contains all the Azure Active Directory (Azure AD) users with assigned licenses in your enterprise. For example, a user may be added to Intune and then removed during the course of the last month. While this user is not present at the time of the report, the user and state are present in the data. You could create a report that would show the duration of the user's historic presence in your data.

In contrast, the new Current User entity collection only contains users who have not been removed. The Current User entity collection only contains currently active users. For information about the current user entity collection, see Reference for current user entity.

Updated Graph APIs

In this release, we've updated a few of the Graph APIs for Intune that are in beta. Please check out the monthly Graph API changelog for more information.

Week of December 4, 2017

Monitor and troubleshoot

Intune supports Windows Information Protection (WIP) denied apps

You can specify denied apps in Intune. If an app is denied, it is blocked from accessing corporate information, effectively the opposite of the allowed apps list. For more information, see Recommended deny list for Windows Information Protection.

Week of November 27, 2017

Device enrollment

Troubleshoot enrollment issues

The Troubleshoot workspace now shows user enrollment issues. Details about the issue and suggested remediation steps can help administrators and help desk operators troubleshoot problems. Certain enrollment issues aren't captured and some errors might not have remediation suggestions.

Group-assigned enrollment restrictions

As an Intune administrator, you can now create custom Device Type and Device Limit enrollment restrictions for user groups.

The Intune Azure Portal lets you create up to 25 instances of each restriction type which can then be assigned to user groups. Group-assigned restrictions override the default restrictions.

All the instances of a restriction type are maintained in a strictly ordered list. This order defines a priority value for conflict resolution. A user impacted by more than one restriction instance is only restricted by the instance with the highest priority value. You can change a given instance's priority by dragging it to a different position in the list.
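The conflict-resolution rule above means restriction instances are never merged: one instance governs each user and the others that target that user have no effect. The model below is an added example, not Intune code; the class, function, group and instance names are hypothetical, and it assumes the top of the ordered list carries the highest priority.

```python
# Added example: a model of group-assigned enrollment restriction resolution.
# Assumption: position 0 in the ordered list is the highest priority.
from dataclasses import dataclass

MAX_INSTANCES = 25  # per restriction type, as stated on this page


@dataclass
class RestrictionInstance:
    name: str
    groups: frozenset             # user groups the instance is assigned to
    blocked_platforms: frozenset  # Device Type settings for this instance


def effective_instance(user_groups, ordered_instances, default):
    """Return the single instance that governs a user.

    The first instance in list order whose groups include the user wins;
    the default applies only when no group-assigned instance matches.
    """
    if len(ordered_instances) > MAX_INSTANCES:
        raise ValueError("more than 25 instances of one restriction type")
    member_of = set(user_groups)
    for instance in ordered_instances:
        if instance.groups & member_of:
            return instance
    return default


def shadowed_instances(user_groups, ordered_instances):
    """Instances that target the user but are ignored for that user."""
    member_of = set(user_groups)
    matches = [i for i in ordered_instances if i.groups & member_of]
    return matches[1:]


def may_enroll(platform, user_groups, ordered_instances, default):
    """Return (allowed, name of the instance that decided)."""
    governing = effective_instance(user_groups, ordered_instances, default)
    return platform not in governing.blocked_platforms, governing.name


# Constructed sample data. The default blocks Android for Work, matching
# the default described later on this page for tenants that never onboarded.
DEFAULT = RestrictionInstance("Default", frozenset(),
                              frozenset({"AndroidForWork"}))
PILOT = RestrictionInstance("AFW pilot", frozenset({"afw-pilot"}), frozenset())
CONTRACTORS = RestrictionInstance("Contractors", frozenset({"contractors"}),
                                  frozenset({"AndroidForWork", "Windows"}))

if __name__ == "__main__":
    user = ["contractors", "afw-pilot"]  # member of both targeted groups
    for order in ([PILOT, CONTRACTORS], [CONTRACTORS, PILOT]):
        allowed, decided_by = may_enroll("AndroidForWork", user, order, DEFAULT)
        ignored = [i.name for i in shadowed_instances(user, order)]
        print(f"order={[i.name for i in order]} allowed={allowed} "
              f"decided_by={decided_by} ignored={ignored}")
```

With the pilot instance on top, a contractor who is also in the pilot group can enroll Android for Work devices even though the contractor instance blocks that platform, so review group overlap whenever an instance is reordered.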

This functionality will be released with the migration of Android for Work settings from the Android For Work enrollment menu to the Enrollment Restrictions menu. Since this migration may take several days, your account may be upgraded for other parts of the November release before you see group assignment become enabled for Enrollment Restrictions.

Support for multiple Network Device Enrollment Service (NDES) connectors

NDES allows mobile devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). With this update, multiple NDES connectors are supported.

Manage Android for Work devices independently from Android devices

Note: The following changes will start rolling out with the November update, but may take time to execute on your account. You will receive a confirmation notification in the Office 365 portal when these changes are effective for your account. After the rollout, you'll have additional manageability options. There will be no change to the end user experience during the rollout.

Intune supports managing enrollment of Android for Work devices independently from the Android platform. These settings are managed under Device Enrollment > Enrollment restrictions > Device Type Restrictions. (They were previously located under Device Enrollment > Android for Work Enrollment > Android for Work Enrollment Settings.)

By default, your Android for Work device settings are the same as your settings for your Android devices. However, after you change your Android for Work settings, that will no longer be the case.

If you block personal Android for Work enrollment, only corporate Android devices can enroll as Android for Work.

When working with the new settings, consider the following:

If you have never previously onboarded Android for Work enrollment

The new Android for Work platform is blocked in the default Device Type Restrictions. After you onboard the feature, you can allow devices to enroll with Android for Work. To do so, change the default or create a new Device Type Restriction to supersede the default Device Type Restriction.

If you have onboarded Android for Work enrollment

If you've previously onboarded, your situation depends on the setting you chose:

| Setting | Android for Work status in default Device Type Restriction | Notes |
| --- | --- | --- |
| Manage all devices as Android | Blocked | All Android devices must enroll without Android for Work. |
| Manage supported devices as Android for Work | Allowed | All Android devices that support Android for Work must enroll with Android for Work. |
| Manage supported devices for users only in these groups as Android for Work | Blocked | A separate Device Type Restriction policy was created to override the default. This policy defines the groups you previously selected to allow Android for Work enrollment. Users within the selected groups will continue to be allowed to enroll their Android for Work devices. All other users are restricted from enrolling with Android for Work. |

In all cases, your intended regulation is preserved. No action is required on your part to maintain the global or per-group allowance of Android for Work in your environment.

App management

App install report updated to include Install Pending status

The App install status report accessible for each app through the App list in the Mobile apps workload now contains an Install Pending count for Users and Devices.

iOS 11 app inventory API for Mobile Threat Detection

Intune collects app inventory information from both personal and corporate-owned devices and makes it available for Mobile Threat Detection (MTD) providers to fetch, such as Lookout for Work. You can collect an app inventory from the users of iOS 11+ devices.

App inventory
Inventories from both corporate-owned iOS 11+ and personally owned devices are sent to your MTD service provider. Data in the app inventory includes:

  • App ID
  • App Version
  • App Short Version
  • App Name
  • App Bundle Size
  • App Dynamic Size
  • App is validated or not
  • App is managed or not

Device management

Migrate hybrid MDM users and devices to Intune standalone

We have a new process and tools for moving users and their devices from hybrid MDM to Intune in the Azure portal, which allow you to do the following:

  • Copy policies and profiles from the Configuration Manager console to Intune in the Azure portal
  • Move a subset of users to Intune in the Azure portal, while keeping the rest in hybrid MDM
  • Migrate devices to Intune in the Azure portal without needing to re-enroll them

For details, see Migrate hybrid MDM users and devices to Intune standalone.

On-premises Exchange connector high availability support

After the Exchange connector creates a connection to Exchange using the specified CAS, the connector now has the ability to discover other CASs. If the primary CAS becomes unavailable, the connector will fail over to another CAS, if available, until the primary CAS becomes available. For details, see On-premises Exchange connector high availability support.

Remotely restart iOS device (supervised only)

You can now trigger a supervised iOS 10.3+ device to restart using a device action. For more information on using the device restart action, see Remotely restart devices with Intune.

Note

This command requires a supervised device and the Device Lock access right. The device restarts immediately. Passcode-locked iOS devices will not rejoin a Wi-Fi network after restart; after restart, they may not be able to communicate with the server.

Single Sign-on support for iOS

You can use Single Sign-on for iOS users. The iOS apps that are coded to look for user credentials in the Single Sign-on payload are functional with this payload configuration update. You can also use UPN and Intune Device ID to configure the Principal Name and Realm. For details, see Configure Intune for iOS device single sign-on.

Add "Find my iPhone" for personal devices

You can now view whether iOS devices have Activation Lock turned on. This feature previously could be found in Intune in the classic portal.

Remotely lock managed macOS device with Intune

You can lock a lost macOS device, and set a 6-digit recovery PIN. When locked, the Device overview blade displays the PIN until another device action is sent.

For more information, see Remotely lock managed devices with Intune.

New SCEP profile details supported

Administrators are now able to set additional settings when creating a SCEP profile on Windows, iOS, macOS, and Android platforms. Administrators can set IMEI, serial number, or common name including email in the subject name format.

Retain data during a factory reset

When resetting Windows 10 version 1709 and later to factory settings, a new capability is available. Admins can specify if device enrollment and other provisioned data are retained on a device through a factory reset.

The following data is retained through a factory reset:

  • User accounts associated with the device
  • Machine state (domain join, Azure Active Directory-joined)
  • MDM enrollment
  • OEM installed apps (store and Win32 apps)
  • User profile
  • User data outside of user profile
  • User autologon

The following data is not retained:

  • User files
  • User installed apps (store and Win32 apps)
  • Non-default device settings

Monitor and troubleshoot

Windows 10 update ring assignments are displayed

When you are troubleshooting, you can see any Windows 10 update ring assignments for the user you are viewing.

Windows Defender Advanced Threat Protection reporting frequency settings

The Windows Defender Advanced Threat Protection (WDATP) service allows admins to manage reporting frequency for managed devices. With the new Expedite telemetry reporting frequency option, WDATP collects data and assesses risks more frequently. The default for reporting optimizes speed and performance. Increasing the frequency of reporting can be valuable for high-risk devices. This setting can be found in the Windows Defender ATP profile in Device configurations.

Audit updates

Intune auditing provides a record of change operations related to Intune. All create, update, delete and remote task operations are captured and retained for one year. The Azure portal provides a filterable view of the last 30 days of audit data in each workload. A corresponding Graph API allows retrieval of the auditing data stored for the last year.

Auditing is found under the MONITOR group. There is an Audit Logs menu item for each workload.

Week of November 20, 2017

App management

Google Play Protect support on Android

With the release of Android Oreo, Google introduces a suite of security features called Google Play Protect that allow users and organizations to run secure apps and secure Android images. Intune will support Google Play Protect features, including SafetyNet remote attestation. Admins can set compliance policy requirements that require Google Play Protect be configured and healthy. The SafetyNet device attestation setting requires the device to connect with a Google service to verify that the device is healthy and is not compromised. Admins can also set a configuration profile setting for Android for Work to require that installed apps are verified by Google Play services. Conditional access might block users from accessing corporate resources if a device is not compliant with Google Play Protect requirements.

Text protocol allowed from managed Apps

Apps managed by the Intune App SDK are able to send SMS messages.

Week of November 13, 2017

Intune Apps

Company Portal app for macOS is available

The Intune Company Portal on macOS has an updated experience, which has been optimized to cleanly display all the information and compliance notifications your users need for all the devices they have enrolled. And, once the Intune Company Portal has been deployed to a device, Microsoft AutoUpdate for macOS will provide updates to it. You can download the new Intune Company Portal for macOS by logging into the Intune Company Portal website from a macOS device.

Microsoft Planner is now part of the mobile app management (MAM) list of approved apps

The Microsoft Planner app for iOS and Android is now part of the approved apps for mobile app management (MAM). The app can be configured through the Intune App Protection blade in the Azure portal to all tenants.

Per-App VPN requirement update frequency on iOS devices

Administrators may now remove Per-App VPN requirements for apps on iOS devices; affected devices will be updated after their next Intune check-in, which generally occurs within 15 minutes.

Monitor and troubleshoot

Support for System Center Operations Manager management pack for Exchange connector

The System Center Operations Manager (SCOM) management pack for Exchange connector is now available to help you parse the Exchange connector logs. This gives you different ways of monitoring the service when you need to troubleshoot issues.

Week of November 6, 2017

Device enrollment

Co-management for Windows 10 devices

Co-management is a solution that provides a bridge from traditional to modern management, and it provides you with a path to make the transition using a phased approach. At its foundation, co-management is a solution where Windows 10 devices are concurrently managed by Configuration Manager and Microsoft Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD). This configuration provides you with a path to modernize over time, at the pace that's right for your organization if you can't move all at once.

New enrollment status page for Windows 10 enrollments

You can now configure a greeting that appears when your users enroll Windows 10 devices. Use the Enrollment Status Screen to configure a custom message and a hyperlink to be displayed to your end users when they enroll their Windows 10 devices. The Enrollment Status Screen will also give end users a view into the progress of policy settings that are being applied to their device.

Restrict Windows Enrollment by OS version

As an Intune administrator, you can now specify a minimum and maximum version of Windows 10 for device enrollments. You can set these restrictions in the Platform Configurations blade.

Intune will continue to support enrolling Windows 8.1 PCs and phones. However, only Windows 10 versions can be set with minimum and maximum limits. To permit enrollment of 8.1 devices, leave the minimum limit empty.

Alerts for Windows AutoPilot unassigned devices

A new alert is available for Windows AutoPilot unassigned devices on the Microsoft Intune > Device enrollment > Overview page. This alert shows how many devices from the AutoPilot program do not have AutoPilot deployment profiles assigned. Use the information in the alert to create profiles and assign them to the unassigned devices. When you click the alert, you see a full list of Windows AutoPilot devices and detailed information about them. For more information, see Enroll Windows devices using Windows AutoPilot deployment program.

Device management

Refresh button for Devices list

Because the Device list does not refresh automatically, you can use the new Refresh button to update the devices that display in the list.

Support for Symantec Cloud Certification Authority (CA)

Intune now supports Symantec Cloud CA, which allows the Intune Certificate Connector to issue PKCS certificates from the Symantec Cloud CA to Intune managed devices. If you're already using the Intune Certificate Connector with Microsoft Certification Authority (CA), you can leverage the existing Intune Certificate Connector setup to add the Symantec CA support.

New items added to device inventory

In this release, we've added the following new items to the inventory taken by enrolled devices:

  • Wi-Fi MAC address
  • Total storage space
  • Total free space
  • MEID
  • Subscriber carrier

App management

Set access for apps by minimum Android security patch on the device

An administrator is able to define the minimum Android security patch that must be installed on the device in order to gain access to a managed application under a managed account.

Note

This feature only restricts security patches released by Google on Android 6.0+ devices.

App-conditional launch support

IT admins can now set a requirement through the Azure admin portal to enforce a passcode instead of a numeric PIN through mobile app management (MAM) when the application launches. If configured, the user is required to set and use a passcode when prompted before getting access to MAM-enlightened applications. A passcode is defined as a numeric PIN with at least one special character or upper/lowercase alphabet. This release of Intune will enable this feature on iOS only. Intune supports passcode in a similar way to numeric PIN: it sets a minimum length, allowing repeat characters and sequences. This feature requires the participation of applications (i.e., WXP, Outlook, Managed Browser, Yammer) to integrate the Intune App SDK with the code for this feature in place for the passcode settings to be enforced in the targeted applications.

App Version number for line-of-business in device install status report

With this release, the Device install status report displays the app version number for the line-of-business apps for iOS and Android. You may use this information to troubleshoot your apps, or find devices that are running outdated app versions.

Device configuration

Admins can now configure the Firewall settings on a device using a device configuration profile

Admins can turn on firewall for devices, and also configure various protocols for domain, private, and public networks. These firewall settings can be found in the "Endpoint protection" profile.

Windows Defender Application Guard helps protect devices from untrusted websites, as defined by your organization

Admins can define sites as "trusted" or "corporate" using a Windows Information Protection workflow or the new "Network boundary" profile under device configurations. On a 64-bit Windows 10 device, any site that isn't listed in the device’s trusted network boundary opens, when viewed with Microsoft Edge, in a browser within a Hyper-V virtual computer instead.

Application Guard can be found in the device configuration profiles, in the "Endpoint protection" profile. From there, admins can configure interaction between the virtualized browser and the host machine, nontrusted sites and trusted sites, and storing data generated in the virtualized browser. To use Application Guard on a device, a network boundary first must be configured. It's important to define only one network boundary for a device.

Windows Defender Application Control on Windows 10 Enterprise provides a mode to trust only authorized apps

With thousands of new malicious files created every day, using antivirus signature-based detection to fight against malware might no longer provide an adequate defense against new attacks. Using Windows Defender Application Control on Windows 10 Enterprise, you can change device configuration from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You assign trust to apps in Windows Defender Application Control.

Using Intune, you can configure the application control policies either in "audit only" mode or enforce mode. Apps will not be blocked when running in "audit only" mode. "Audit only" mode logs all events in local client logs. You can also configure whether only Windows components and Windows Store apps are allowed to run or whether additional apps with good reputations as defined by the Intelligent Security Graph are allowed to run.

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities for Windows 10

Windows Defender Exploit Guard includes custom rules to reduce the exploitability of applications, prevents macro and script threats, automatically blocks network connections to low reputation IP addresses, and can secure data from ransomware and unknown threats. Windows Defender Exploit Guard consists of the following components:

  • Attack Surface Reduction (ASR) provides rules that allow you to prevent macro, script, and email threats.
  • Controlled Folder access automatically blocks access to content in protected folders.
  • Network Filter blocks outbound connections from any app to a low-reputation IP/domain.
  • Exploit Protection provides memory, control flow, and policy restrictions that can be used to protect an application from exploits.

Manage PowerShell scripts in Intune for Windows 10 devices

The Intune management extension lets you upload PowerShell scripts in Intune to run on Windows 10 devices. The extension supplements Windows 10 mobile device management (MDM) capabilities and makes it easier for you to move to modern management. For details, see Manage PowerShell scripts in Intune for Windows 10 devices.

New device restriction settings for Windows 10

  • Messaging (mobile only) - disable texting or MMS messages
  • Password - settings to enable FIPS and the use of Windows Hello secondary devices for authentication
  • Display - settings to turn on or off GDI Scaling for legacy apps

Windows 10 kiosk mode device restrictions

You can restrict Windows 10 device users to kiosk mode, which limits users to a set of predefined apps. To do so, create a Windows 10 device restriction profile and set the Kiosk settings.

Kiosk mode supports two modes: single app (allows a user to run just one app) or multi app (permits access to a set of apps). You define the user account and device name, which determines the supported apps. When the user is logged in, they're limited to the defined apps. To learn more, see AssignedAccess CSP.

Kiosk mode requires:

  • Intune must be the MDM authority.
  • The apps must already be installed on the target device.
  • The device must be properly provisioned.

New device configuration profile for creating network boundaries

We have created a device configuration profile called Network boundary that can be found with your other device configuration profiles. Use this profile to define online resources that you want to be considered corporate and trusted. You must define a network boundary for a device before features such as Windows Defender Application Guard and Windows Information Protection can be used on the device. It’s important to define only one network boundary for each device.

You can define enterprise cloud resources, IP address ranges, and internal proxy servers that you want to be considered trusted. Once defined, the network boundary can be consumed by other features such as Windows Defender Application Guard and Windows Information Protection.

Two additional settings for Windows Defender Antivirus

File blocking level

  • Not Configured: Not Configured uses the default Windows Defender Antivirus blocking level and provides strong detection without increasing the risk of detecting legitimate files.
  • High: High applies a strong level of detection.
  • High +: High + provides the High level with additional protection measures that might impact client performance.
  • Zero tolerance: Zero tolerance blocks all unknown executables.

While unlikely, setting to High may cause some legitimate files to be detected. We recommend you set File blocking level to the default, Not configured.

Timeout extension for file scanning by the cloud

Number of seconds (0-50): Specify the maximum amount of time that Windows Defender Antivirus should block a file while waiting for a result from the cloud. The default amount is 10 seconds: any additional time specified here (up to 50 seconds) is added to those 10 seconds. In most cases, the scan takes much less time than the maximum. Extending the time allows the cloud to thoroughly investigate suspicious files. We recommend that you enable this setting and specify at least 20 additional seconds.

Citrix VPN added for Windows 10 devices

You can configure Citrix VPN for Windows 10 devices. You can choose the Citrix VPN in the Select a connection type list in the Base VPN blade when configuring a VPN for Windows 10 and later.

Note

Citrix configuration existed for iOS and Android.

Wi-Fi connections support pre-shared keys on iOS

Customers can configure Wi-Fi profiles to use pre-shared keys (PSK) for WPA/WPA2 Personal connections on iOS devices. These profiles are pushed to the user's device when the device is enrolled into Intune.

When the profile has been pushed to the device, the next step depends on the profile configuration. If set to connect automatically, it does so when the network is next needed. When the profile is set to connect manually, the user must activate the connection manually.

Intune apps

Access to managed app logs for iOS

End users with the Managed Browser installed can now view the management status of all Microsoft published apps and send logs for troubleshooting their managed iOS apps.

To learn how to enable the troubleshooting mode in the Managed Browser on an iOS device, see How to access to managed app logs using the Managed Browser on iOS.

Improvements to device setup workflow in the Company Portal for iOS in version 2.9.0

We've improved the device setup workflow in the Company Portal app for iOS. The language is more user-friendly and we've combined screens where possible. We have also made the language more specific to your company by using your company name throughout the setup text. You can see this updated workflow on the what's new in app UI page.

Monitor and troubleshoot

User entity contains latest user data in Data Warehouse data model

The first version of the Intune Data Warehouse data model only contained recent, historical Intune data. Report makers could not capture the current state of a user. In this update, the User entity is populated with the latest user data.

Week of October 30, 2017

App management

iOS and Android line-of-business app version number is visible

Apps in Intune now display the version number for iOS and Android line-of-business apps. The number displays in the Azure portal in the app list and in the app overview blade. End users can see the app number in the Company Portal app and in the web portal.

Full version number

The full version number identifies a specific release of the app. The number appears as Version(Build). For example, 2.2(2.2.17560800).

The full version number has two components:

  • Version
    The version number is the human-readable release number of the app. This is used by end users to identify different releases of the app.

  • Build Number
    The build number is an internal number that can be used in app detection and to programmatically manage the app. The build number refers to an iteration of the app that references changes in the code.

Learn more about version numbers and developing line-of-business apps in Get started with the Microsoft Intune App SDK.
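As an added example (not Intune's own code), the following Python parses the Version(Build) format described above and compares build numbers numerically to find devices running outdated line-of-business app versions, the use the device install status report item suggests. The row layout, device names, and every sample value other than 2.2(2.2.17560800) are constructed assumptions.

```python
import re
from typing import NamedTuple

# Format described on the page: Version(Build), e.g. 2.2(2.2.17560800).
# Assumption: the build part is a dotted sequence of decimal integers.
_FULL_VERSION = re.compile(
    r"^\s*(?P<version>[^()\s]+)\s*\((?P<build>\d+(?:\.\d+)*)\)\s*$"
)


class FullVersion(NamedTuple):
    version: str   # human-readable release number shown to end users
    build: tuple   # internal build number as a tuple of ints


def parse_full_version(text):
    """Split 'Version(Build)' into its two components.

    Raises ValueError when the text is not in that form, so malformed
    report values are surfaced instead of silently treated as current.
    """
    match = _FULL_VERSION.match(text)
    if match is None:
        raise ValueError(f"not in Version(Build) form: {text!r}")
    build = tuple(int(part) for part in match.group("build").split("."))
    return FullVersion(match.group("version"), build)


def build_is_older(candidate, baseline):
    """Numeric comparison of build tuples, zero-padded so 2.2 equals 2.2.0.

    A plain string comparison would rank '2.10.3' below '2.2.17560800';
    comparing integer components avoids that mistake.
    """
    width = max(len(candidate), len(baseline))

    def pad(build):
        return build + (0,) * (width - len(build))

    return pad(candidate) < pad(baseline)


def find_outdated(rows, minimum_full_version):
    """Return (outdated, unparsed) lists of device names.

    rows: iterable of dicts with hypothetical keys 'device' and 'app_version'.
    minimum_full_version: the oldest acceptable release, in Version(Build) form.
    """
    baseline = parse_full_version(minimum_full_version).build
    outdated, unparsed = [], []
    for row in rows:
        try:
            parsed = parse_full_version(row["app_version"])
        except ValueError:
            unparsed.append(row["device"])  # needs manual review
            continue
        if build_is_older(parsed.build, baseline):
            outdated.append(row["device"])
    return outdated, unparsed


# Constructed sample rows; only the first version string comes from the page.
SAMPLE_ROWS = [
    {"device": "android-01", "app_version": "2.2(2.2.17560800)"},
    {"device": "ios-07", "app_version": "2.1(2.1.9)"},
    {"device": "android-02", "app_version": "2.2(2.2.17560799)"},
    {"device": "ios-11", "app_version": "2.10(2.10.3)"},
    {"device": "android-09", "app_version": "unknown"},
]

if __name__ == "__main__":
    old, bad = find_outdated(SAMPLE_ROWS, "2.2(2.2.17560800)")
    print("outdated:", old)
    print("unparsed:", bad)
```

Devices whose version string cannot be parsed are reported separately so that a missing or malformed value is never counted as up to date.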

Device and app management integration

Now that Intune’s mobile device management (MDM) and mobile application management (MAM) are both accessible from the Azure portal, Intune started integrating the IT admin experience around application and device management. These changes are geared to simplify your device and app management experience.

Learn more about the MDM and MAM changes announced in the Intune support team blog.

New enrollment alerts for Apple devices

The overview page for enrollment will show useful alerts for IT admins regarding management of Apple devices. Alerts will show up on the Overview page when the Apple MDM push certificate is expiring or has already expired; when the Device Enrollment Program token is expiring or has already expired; and when there are unassigned devices in the Device Enrollment Program.

Support token replacement for app configuration without device enrollment

You can use tokens for dynamic values in app configurations for apps on devices that are not enrolled. For more information, see Add app configuration policies for managed apps without device enrollment.

Intune apps

Updates to the Company Portal app for Windows 10

The Settings page in the Company Portal app for Windows 10 has been updated to make the settings and intended user actions more consistent across all settings. It has also been updated to match the layout of other Windows apps. You can find before/after images in the what's new in app UI page.

Inform end users what device information can be seen for Windows 10 devices

We have added Ownership Type to the Device Details screen on the Company Portal app for Windows 10. This will allow users to find out more about privacy directly from this page from the Intune end user docs. They will also be able to locate this information on the About screen.

Feedback prompts for the Company Portal app for Android

The Company Portal app for Android now requests end user feedback. This feedback is sent directly to Microsoft, and provides end users with an opportunity to review the app in the public Google Play store. Feedback is not required, and can easily be dismissed so users can continue using the app.

Helping your users help themselves with the Company Portal app for Android

The Company Portal app for Android has added instructions for end users to help them understand and, where possible, self-solve on new use cases.

New 'Resolve' action available for Android devices

The Company Portal app for Android is introducing a 'Resolve' action on the Update device settings page. Selecting this option will take the end user directly to the setting that is causing their device to be noncompliant. The Company Portal app for Android currently supports this action for the device passcode, USB debugging, and Unknown Sources settings.

Device setup progress indicator in Android Company Portal

The Company Portal app for Android shows a device setup progress indicator when a user is enrolling their device. The indicator shows new statuses, beginning with "Setting up your device...", then "Registering your device...", then "Finishing registering your device...", then "Finishing setting up your device...".

Week of October 23, 2017

Intune apps

Certificate-based authentication support on the Company Portal for iOS

We have added support for certificate-based authentication (CBA) in the Company Portal app for iOS. Users with CBA enter their username, then tap the “Sign in with a certificate” link. CBA is already supported on the Company Portal apps for Android and Windows. You can learn more on the sign in to the Company Portal app page.

Apps that are available with or without enrollment can now be installed without being prompted for enrollment.

Company apps that have been made available with or without enrollment on the Android Company Portal app can now be installed without a prompt to enroll.

Week of October 16, 2017

Device enrollment

Windows AutoPilot Deployment Program support in Microsoft Intune

You can now use Microsoft Intune with Windows AutoPilot Deployment Program to empower your users to provision their corporate devices without involving IT. You can customize the out-of-box experience (OOBE) and guide users to join their device to Azure AD and enroll in Intune. Working together, Microsoft Intune and Windows AutoPilot eliminate the need to deploy, maintain, and manage operating system images. For details, see Enroll Windows devices using Windows AutoPilot Deployment Program.

Quick start for device enrollment

Quick start is now available in Device enrollment and provides a table of references for managing platforms and configuring the enrollment process. A brief description of each item and links to documentation with step-by-step instructions provide useful documentation to simplify getting started.

Device categorization

The enrolled devices platform chart of the Devices > Overview blade organizes devices by platform, including Android, iOS, macOS, Windows, and Windows Mobile. Devices running other operating systems are grouped into "Other." This includes devices manufactured by Blackberry, NOKIA, and others.

To learn which devices are affected in your tenant, choose Manage > All devices and then use Filter to limit the OS field.

Device management

Zimperium - New Mobile Threat Defense partner

You can control mobile device access to corporate resources using conditional access based on risk assessment conducted by Zimperium, a Mobile Threat Defense solution that integrates with Microsoft Intune.

How integration with Intune works

Risk is assessed based on telemetry collected from devices running Zimperium. You can configure EMS conditional access policies based on Zimperium risk assessment enabled through Intune device compliance policies, which you can use to allow or block non-compliant devices to access corporate resources based on detected threats.

New settings for Windows 10 device restriction profile

We are adding new settings to the Windows 10 device restriction profile in the Windows Defender SmartScreen category.

For details about the Windows 10 device restriction profile, see Windows 10 and later device restriction settings.

Remote support for Windows and Windows Mobile devices

Intune can now use the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Windows and Windows Mobile devices.

Scan devices with Windows Defender

You can now run a Quick scan, Full scan, and Update signatures with Windows Defender Antivirus on managed Windows 10 devices. From the device's overview blade, choose the action to run on the device. You are prompted to confirm the action before the command is sent to the device.

Quick scan: A quick scan scans locations where malware registers to start, such as registry keys and known Windows startup folders. A quick scan takes an average of five minutes. Combined with the Always-on real-time protection setting that scans files when they are opened, closed, and whenever a user navigates to a folder, a quick scan helps provide protection from malware that might be in the system or the kernel. Users see the scan results on their devices when it finishes.

Full scan: A full scan can be useful on devices that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and is useful for running on-demand scans. Full scan can take an hour to run. Users see the scan results on their devices when it finishes.

Update signatures: The update signature command updates Windows Defender Antivirus malware definitions and signatures. This helps ensure Windows Defender Antivirus is effective in detecting malware. This feature is for Windows 10 devices only, pending device internet connectivity.

The Enable/Disable button is removed from the Intune Certificate Authority page of the Intune Azure portal

We are eliminating an extra step in setting up the certificate connector on Intune. Currently, you download the certificate connector and then enable it in the Intune console. However, if you disable the connector in the Intune console, the connector continues to issue certificates.

How does this affect me?

Starting in October, the Enable/Disable button will no longer appear on the Certificate Authority page in the Azure portal. Connector functionality remains the same. Certificates are still deployed to devices enrolled in Intune. You can continue to download and install the certificate connector. To stop certificates from being issued, you now uninstall the certificate connector rather than disable it.

What do I need to do to prepare for this change?

If you currently have the certificate connector disabled, you should uninstall it.

Device configuration

New settings for Windows 10 Team device restriction profile

In this release, we’ve added many new settings to the Windows 10 Team device restriction profile to help you control Surface Hub devices.

For more information about this profile, see Windows 10 Team device restriction settings.

Prevent users of Android devices from changing their device date and time

You can use an Android custom device policy to prevent Android device users from changing the device date and time.

To do this, configure an Android custom policy with the setting URI ./Vendor/MSFT/PolicyManager/My/System/AllowDateTimeChange. Set this to TRUE, and then assign it to the required groups.

BitLocker device configuration

The Windows Encryption > Base Settings include a new "Warning for another disk encryption" setting that lets you disable the warning prompt for other disk encryption that might be in use on the user's device. The warning prompt requires end-user consent before setting up BitLocker on the device and blocks BitLocker setup until confirmed by the end-user. The new setting disables the end-user warning.

App management

Volume Purchase Program for Business apps will now sync to your Intune Tenant

Third-party developers can privately distribute apps to authorized Volume Purchase Program (VPP) for Business members specified in iTunes Connect. These VPP for Business members can sign in to the Volume Purchase Program App Store and purchase their apps.

With this release, the VPP for Business apps purchased by the end user will now start syncing to their Intune tenants.

Select Apple country store to sync VPP apps

You can configure the Volume Purchase Program (VPP) country store when uploading your VPP token. Intune synchronizes VPP apps for all locales from the specified VPP country store.

Note

Today, Intune only synchronizes VPP apps from the VPP country store that match the Intune locale in which the Intune tenant was created.

Intune apps

Block copy and paste between work and personal profiles in Android for Work

With this release, you are able to configure the work profile for Android for Work to block copy and paste between work and personal apps. You can find this new setting in the Device restrictions profile for the Android for Work Platform in Work profile settings.

Create iOS apps limited to specific regional Apple App Stores

You will be able to specify the country locale during the creation of an Apple App Store managed app.

Note

Currently, you can only create Apple App Store managed apps that are present in the US country store.

Update iOS VPP user and device licensed apps

You will be able to configure the iOS VPP token to update all apps purchased for that token through the Intune service. Intune will detect the VPP app updates inside the app store and automatically push them to the device when the device checks in.

For steps to set a VPP token and enable automatic updates, see How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune.

Monitor and troubleshoot

User device association entity Collection added to Intune Data Warehouse data model

You can now build reports and data visualizations using the user device association information that associates user and device entity collections. The data model can be accessed through the Power BI file (PBIX) retrieved from the Data Warehouse Intune page, through the OData endpoint, or by developing a custom client.

Review policy compliance for Windows 10 update rings

You will be able to review a policy report for your Windows 10 update rings from Software updates > Per update ring deployment state. The policy report includes deployment status for the update rings that you have configured.

New report that lists iOS devices with older iOS versions

The Out-of-date iOS Devices report is available from the Software updates workspace. In the report, you can view a list of supervised iOS devices that were targeted by an iOS update policy and have available updates. For each device, you can view a status for why the device has not been automatically updated.

View app protection policy assignments for troubleshooting

In this upcoming release, the App protection policy option will be added to the Assignments drop-down list available on the troubleshooting blade. You can now select app protection policies to see app protection policies assigned to the selected users.

Week of October 2, 2017

Intune apps

Improvements to device setup workflow in Company Portal

We've improved the device setup workflow in the Company Portal app for Android. The language is more user-friendly and specific to your company, and we've combined screens where possible. You can see these on the what's new in app UI page.

Improved guidance around the request for access to contacts on Android devices

The Company Portal app for Android often requires the end user to accept the Contacts permission. If an end user declines this access, they will now see an in-app notification that alerts them to grant it for conditional access.

Secure startup remediation for Android

End users with Android devices will be able to tap the non-compliance reason in the Company Portal app. When possible, this will take them directly to the correct location in the settings app to fix the issue.

Additional push notifications for end users on the Company Portal app for Android Oreo

End users will see additional notifications to indicate to them when the Company Portal app for Android Oreo is performing background tasks, such as retrieving policies from the Intune service. This increases transparency for end users about when the Company Portal is performing administrative tasks on their device. This is part of the overall optimization of the Company Portal UI for the Company Portal app for Android Oreo.

There are further optimizations for new UI elements that are enabled in Android Oreo. End users will see additional notifications that will indicate to them when Company Portal is performing background tasks such as retrieving policy from the Intune service. This increases transparency for end users about when Company Portal is performing administrative tasks on the device.

New behaviors for the Company Portal app for Android with work profiles

When you enroll an Android for Work device with a work profile, it's the Company Portal app in the work profile that performs management tasks on the device.

Unless you are using a MAM-enabled app in the personal profile, the Company Portal app for Android no longer serves any use. To improve the work profile experience, Intune will automatically hide the personal Company Portal app after a successful work profile enrollment.

The Company Portal app for Android can be enabled at any time in the personal profile by browsing for Company Portal in the Play Store and tapping Enable.

Company Portal for Windows 8.1 and Windows Phone 8.1 moving to sustaining mode

Beginning in October 2017, the Company Portal apps for Windows 8.1 and Windows Phone 8.1 will move to sustaining mode. This means that the apps and existing scenarios, such as enrollment and compliance, will continue to be supported for these platforms. These apps will continue to be available for download through existing release channels, such as the Microsoft Store.

Once in sustaining mode, these apps will only receive critical security updates. There will be no additional updates or features released for these apps. For new features, we recommend that you update devices to Windows 10 or Windows 10 Mobile.

Device enrollment

Block unsupported Samsung Knox device enrollment

The Company Portal app only attempts to enroll supported Samsung Knox devices. To avoid Knox activation errors that prevent MDM enrollment, device enrollment is only attempted if the device appears in the list of devices published by Samsung. Some Samsung device model numbers support Knox while others don't. Verify Knox compatibility with your device reseller before purchase and deployment. You can find the full list of verified devices in the Android and Samsung Knox Standard policy settings.

End of support for Android 4.3 and lower

Managed apps and the Company Portal app for Android will require Android 4.4 and higher to access company resources. By December, all enrolled devices will be force retired, resulting in loss of access to company resources. If you are using app protection policies without MDM, apps will not receive updates, and the quality of their experience will diminish over time.

Inform end users what device information can be seen on enrolled devices

We are adding Ownership Type to the Device Details screen on all Company Portal apps. This will allow users to find out more about privacy directly from the What information can your company see? article. This will be rolling out across all Company Portal apps in the near future. We announced this for iOS in September.

Week of September 25, 2017

Device enrollment

Intune supports iOS 11

Intune supports iOS 11. This was previously announced on the Intune Support blog.

End of support for iOS 8.0

Managed apps and the Company Portal app for iOS will require iOS 9.0 and higher to access company resources. Devices that aren't updated before this September will no longer be able to access the Company Portal or those apps.

Intune apps

Refresh action added to the Company Portal app for Windows 10

The Company Portal app for Windows 10 allows users to refresh the data in the app by either pulling to refresh or, on desktops, pressing F5.

Notices

Plan for Change: Easy Assist End-of-Life

Intune uses Microsoft Easy Assist for PC management remote assistance. One thing you may not know is that Microsoft Easy Assist is a component of Office Live Meeting, a service that is being deprecated December 31, 2017. Therefore, Intune's Easy Assist offering will also reach end of life on December 31, 2017.

Manage Android for Work devices independently from Android devices

Note: The following changes will start rolling out with the November update, but may take time to execute on your account. You will receive a confirmation notification in the Office 365 portal when these changes are effective for your account. After the rollout, you'll have additional manageability options. There will be no change to the end user experience during the rollout.

Intune supports managing enrollment of Android for Work devices independently from the Android platform. These settings are managed under Device Enrollment > Enrollment restrictions > Device Type Restrictions. (They were previously located under Device Enrollment > Android for Work Enrollment > Android for Work Enrollment Settings.)

By default, your Android for Work devices settings will be the same as your settings for your Android devices. However, after you change your Android for Work settings, that will no longer be the case.

If you block personal Android for Work enrollment, only corporate Android devices can enroll as Android for Work.

When working with the new settings, consider the following:

If you have never previously onboarded Android for Work enrollment

The new Android for Work platform is blocked in the default Device Type Restrictions. After you onboard the feature, you can allow devices to enroll with Android for Work. To do so, change the default or create a new Device Type Restriction to supersede the default Device Type Restriction.

If you have onboarded Android for Work enrollment

If you've previously onboarded, your situation depends on the setting you chose:

| Setting | Android for Work status in default Device Type Restriction | Notes |
| --- | --- | --- |
| Manage all devices as Android | Blocked | All Android devices must enroll without Android for Work. |
| Manage supported devices as Android for Work | Allowed | All Android devices that support Android for Work must enroll with Android for Work. |
| Manage supported devices for users only in these groups as Android for Work | Blocked | A separate Device Type Restriction policy was created to override the default. This policy defines the groups you previously selected to allow Android for Work enrollment. Users within the selected groups will continue to be allowed to enroll their Android for Work devices. All other users are restricted from enrolling with Android for Work. |

In all cases, your intended regulation is preserved. No action is required on your part to maintain the global or per-group allowance of Android for Work in your environment.

Deprecating support for OS X Mavericks 10.10 and previous versions of macOS

We are announcing that we will begin deprecation of enrollment for devices with OS X Yosemite 10.10 and previous versions of macOS in February 2018. Intune fully supports OS X El Capitan 10.11 and newer.

New path for managed devices in Graph API

We are making a change to the path used to access managed devices in the beta version of the Graph API.

Current path: https://graph.microsoft.com/beta/managedDevices
New path: https://graph.microsoft.com/beta/deviceManagement/managedDevices

Both paths will work through the month of October. After the October service release, only the new path will work. If you are using the Graph API to access managed devices, update and verify your scripts and applications with the new path. For additional changes, check the monthly Graph API changelog.
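The update-and-verify step for the path change can be done mechanically across a script repository. The following Python sketch is an added example, not Microsoft tooling: it reports and rewrites references to the old beta path while leaving already-migrated URLs and look-alike paths untouched. The sample script lines and the managedDevicesArchive path are constructed for illustration.

```python
import re

# Old and new beta paths exactly as given in the notice.
OLD_PATH = "https://graph.microsoft.com/beta/managedDevices"
NEW_PATH = "https://graph.microsoft.com/beta/deviceManagement/managedDevices"

# Match the old path only when "managedDevices" is a complete path segment,
# i.e. followed by "/", "?", a quote, whitespace or end of text. The
# lookahead stops a longer segment name from being rewritten by accident.
_OLD_REF = re.compile(re.escape(OLD_PATH) + r"(?![A-Za-z0-9_\-])", re.IGNORECASE)


def find_old_paths(text):
    """Return (line_number, stripped_line) for each line using the old path."""
    return [
        (number, line.strip())
        for number, line in enumerate(text.splitlines(), start=1)
        if _OLD_REF.search(line)
    ]


def migrate(text):
    """Rewrite old-path references. Returns (new_text, replacement_count)."""
    return _OLD_REF.subn(NEW_PATH, text)


def verify(text):
    """True when no reference to the old path remains."""
    return not find_old_paths(text)


# Constructed sample: PowerShell-style calls such as an admin script might
# contain. Line 4 is already migrated; line 5 uses a hypothetical path that
# merely starts with the same characters and must not be touched.
SAMPLE_SCRIPT = '''\
$all = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/managedDevices" -Headers $h
$one = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/managedDevices/$id" -Headers $h
$ios = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/managedDevices?`$filter=operatingSystem eq 'iOS'" -Headers $h
$ok  = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices" -Headers $h
$x   = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/managedDevicesArchive" -Headers $h
'''

if __name__ == "__main__":
    for number, line in find_old_paths(SAMPLE_SCRIPT):
        print(f"line {number}: {line}")
    migrated, count = migrate(SAMPLE_SCRIPT)
    print(f"{count} reference(s) rewritten; clean: {verify(migrated)}")
```

Running migrate a second time on its own output makes no further changes, so the check is safe to repeat in a pre-deployment step.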

Direct access to Apple enrollment scenarios

For Intune accounts created after January 2017, Intune has enabled direct access to Apple enrollment scenarios using the Enroll Devices workload in the Azure portal. Previously, the Apple enrollment preview was only accessible from links in the Intune classic portal. Intune accounts created before January 2017 require a one-time migration before these features are available in Azure. The schedule for migration has not been announced yet, but details will be made available as soon as possible. We strongly recommend creating a trial account to test out the new experience if your existing account cannot access the Azure portal.

Administration roles being replaced in Azure portal

The existing mobile application management (MAM) administration roles (Contributor, Owner, and Read-Only) used in the Intune classic portal (Silverlight) are being replaced with a full set of new role-based administration controls (RBAC) in the Intune Azure portal. Once you are migrated to the Azure portal, you will need to reassign your admins to these new administration roles. For more information about RBAC and the new roles, see Role-based access control for Microsoft Intune.

What's coming

Conditional Access policies for Intune will only be available from the Azure portal

We are simplifying where you configure and manage conditional access. Currently, you can manage conditional access from the Intune App Protection (MAM) blade, and through the classic Azure AD experience in the Windows Azure Portal. Starting in January, you will only be able to configure and manage your policies in the Azure portal from Azure Active Directory > Conditional Access. For your convenience, you can also access this blade from Intune in the Azure portal at Intune > Conditional Access.

Manage Jamf-enrolled macOS devices with Intune's device compliance engine

Beginning in early 2018, Jamf will send macOS device state information to Intune, which will then evaluate it for compliance with policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), conditional access will enforce compliance for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365.

Changes in support for the Intune iOS Company Portal app

Coming soon, there will be a new version of the Microsoft Intune Company Portal app for iOS that will support only devices running iOS 9.0 or later. The version of the Company Portal that supports iOS 8 will still be available for a very short period of time. However, note that if you also use MAM-enabled iOS apps, we support iOS 9.0 and later, so you'll want to ensure your end users update to the latest OS.

How does this affect me?

We are letting you know this in advance, even though we don't have specific dates, so you have time to plan. Ensure your users are updated to iOS 9+ and, when the Company Portal app releases, request that your end users update their Company Portal app.

What do I need to do to prepare for this change?

Encourage your users to update to iOS 9.0 or later to take full advantage of new Intune features. Encourage users to install the new version of the Company Portal and take advantage of the new features it will offer.

Go to Intune in the Azure portal and view Devices > All Devices and filter by iOS version to see any current devices with operating systems earlier than iOS 9.

Apple to require updates for Application Transport Security

Apple has announced that they will enforce specific requirements for Application Transport Security (ATS). ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS Company Portal apps.

We have made available a version of the Company Portal app for iOS through the Apple TestFlight program that enforces the new ATS requirements. If you would like to try it so you can test your ATS compliance, email CompanyPortalBeta@microsoft.com with your first name, last name, email address, and company name. Review our Intune support blog for more details.

See also