Assign user and device profiles in Microsoft Intune

You create a profile, and it includes all the settings you entered. The next step is to deploy, or "assign", the profile to your user or device groups. When it's assigned, the users and devices receive your profile, and the settings you entered are applied.

This article shows you how to assign a profile, and includes some information on using scope tags on your profiles.

Note

When a profile is removed or no longer assigned to a device, different things can happen, depending on the settings in the profile. The settings are based on CSPs, and each CSP can handle profile removal differently. For example, a setting might keep its existing value rather than revert to a default value. This behavior is controlled by each CSP in the operating system. For a list of Windows CSPs, see the configuration service provider (CSP) reference.

Don't rely on unassignment alone to undo a setting. To change a setting to a different value, create a new profile, configure the setting to Not configured, and assign the profile. Once applied to the device, users should have control to change the setting to their preferred value.

When configuring these settings, we suggest deploying to a pilot group first. For more Intune rollout advice, see Create a rollout plan.

Before you begin

Be sure you have the correct role to assign profiles. For more information, see Role-based access control (RBAC) with Microsoft Intune.

Assign a device profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles. All the profiles are listed.

  3. Select the profile you want to assign > Properties > Assignments > Edit:

    Screenshot: Selecting Assignments to deploy a profile to users and groups in Microsoft Intune and Endpoint Manager

  4. Select Included groups or Excluded groups, and then choose Select groups to include. When you select your groups, you're choosing Azure AD groups. To select multiple groups, hold down the Ctrl key and select your groups.

    Screenshot: Including or excluding users and groups when assigning or deploying a profile in Microsoft Intune and Endpoint Manager

  5. Select Review + Save. This step doesn't assign your profile.

  6. Select Save. When you save, your profile is assigned. Your groups receive your profile settings when their devices check in with the Intune service.
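The same assignment can be made outside the portal through Microsoft Graph, which is how you would script it for many profiles or audit what was actually saved. The following is an added example written for this page, not code from the Intune documentation or from Microsoft: it builds the body for the `deviceConfigurations/{id}/assign` action with one included and one excluded Azure AD group, posts it, and reads the assignment list back. The profile and group IDs are placeholders, and a bearer token with `DeviceManagementConfiguration.ReadWrite.All` is assumed to be in the `GRAPH_TOKEN` environment variable (token acquisition is out of scope here).

```python
"""Assign an Intune device configuration profile to Azure AD groups via Microsoft Graph.

Added example, not code from the Intune documentation. Assumptions:
  - GRAPH_TOKEN holds an access token with DeviceManagementConfiguration.ReadWrite.All;
  - the profile and group IDs below are illustrative placeholders, not real objects.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# The @odata.type of each target decides whether the group is included or excluded.
INCLUDE = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"


def build_assignment_body(include_group_ids, exclude_group_ids=()):
    """Body for POST .../deviceManagement/deviceConfigurations/{id}/assign.

    Remember the page's caveat: an exclusion only cancels an inclusion of the
    same group type (user vs. device), so keep the two lists of one type each.
    """
    targets = [{"target": {"@odata.type": INCLUDE, "groupId": g}} for g in include_group_ids]
    targets += [{"target": {"@odata.type": EXCLUDE, "groupId": g}} for g in exclude_group_ids]
    return {"assignments": targets}


def assign_profile(profile_id, body, token):
    """POST the assignment. The assign action takes the complete assignment list,
    so every group that should stay assigned must be in the body."""
    req = urllib.request.Request(
        f"{GRAPH}/deviceManagement/deviceConfigurations/{profile_id}/assign",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on a non-2xx status
        return resp.status


def list_assignments(profile_id, token):
    """GET the saved assignments, to verify what the service actually stored."""
    req = urllib.request.Request(
        f"{GRAPH}/deviceManagement/deviceConfigurations/{profile_id}/assignments",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Placeholder IDs (assumptions for the example).
    profile = "00000000-0000-0000-0000-000000000001"
    body = build_assignment_body(
        include_group_ids=["11111111-1111-1111-1111-111111111111"],  # e.g. Warehouse-Devices
        exclude_group_ids=["22222222-2222-2222-2222-222222222222"],  # e.g. Warehouse-Pilot-Devices
    )
    print(json.dumps(body, indent=2))
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        assign_profile(profile, body, token)
        for a in list_assignments(profile, token):
            print(a["target"]["@odata.type"], a["target"].get("groupId"))
```

Reading the assignments back after the POST is the scripted equivalent of the portal's Save step: Review + Save alone changes nothing, and the GET shows which targets the service holds.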

Use scope tags or applicability rules

When you create or update a profile, you can also add scope tags and applicability rules to the profile.

Scope tags are a good way to filter profiles to specific groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information, see Use RBAC and scope tags for distributed IT.

On Windows 10 devices, you can add applicability rules so the profile only applies to a specific OS version or a specific Windows edition. For more information, see Applicability rules.

User groups vs. device groups

Many users ask when to use user groups and when to use device groups. The answer depends on your goal. Here's some guidance to get you started.

Device groups

If you want to apply settings on a device regardless of who's signed in, assign your profiles to a device group. Settings applied to device groups always go with the device, not the user.

For example:

  • Device groups are useful for managing devices that don't have a dedicated user: devices that print tickets, scan inventory, are shared by shift workers, are assigned to a specific warehouse, and so on. Put these devices in a device group, and assign your profiles to that device group.

  • You create a Device Firmware Configuration Interface (DFCI) Intune profile that updates settings in the BIOS. For example, you configure this profile to disable the device camera, or to lock down the boot options so users can't boot another OS. This profile is a good candidate for assignment to a device group.

  • On some specific Windows devices, you always want to control some Microsoft Edge settings, regardless of who's using the device. For example, you want to block all downloads, limit all cookies to the current browsing session, and delete the browsing history. For this scenario, put these specific Windows devices in a device group. Then create an Administrative Template in Intune, add these device settings, and assign the profile to that device group.

To summarize, use device groups when you don't care who's signed in on the device, or whether anyone signs in at all. You want your settings to always be on the device.

User groups

Profile settings applied to user groups always go with the user, on every device they sign in to. It's normal for users to have many devices, such as a Surface Pro for work and a personal iOS/iPadOS device, and it's normal for a person to access email and other organization resources from all of them.

Follow this general rule: if a feature belongs to a user, such as email or user certificates, assign it to user groups.

For example:

  • You want to put a Help Desk icon on all devices for all users. In this scenario, put these users in a user group, and assign your Help Desk icon profile to that user group.

  • A user receives a new organization-owned device. The user signs in to the device with their domain account. The device is automatically registered in Azure AD and automatically managed by Intune. Profiles for this scenario are good candidates for assignment to a user group.

  • Whenever a user signs in to a device, you want to control features in apps such as OneDrive or Office. In this scenario, assign your OneDrive or Office profile settings to a user group.

    For example, you want to block untrusted ActiveX controls in your Office apps. You can create an Administrative Template in Intune, configure this setting, and assign the profile to a user group.

To summarize, use user groups when you want your settings and rules to always go with the user, whatever device they use.

Exclude groups from a profile assignment

Intune device configuration profiles let you include and exclude groups from a profile assignment.

As a best practice, create and assign profiles specifically for your user groups, and create and assign different profiles specifically for your device groups. For more information on groups, see Add groups to organize users and devices.

When you assign your profiles, use the following table when including and excluding groups. A checkmark means that assignment is supported:

Screenshot: Supported options for including or excluding groups in profile assignments

What you should know

  • Exclusion takes precedence over inclusion in the following same-group-type scenarios:

    • Including user groups and excluding user groups
    • Including device groups and excluding device groups

    For example, you assign a device profile to the All corporate users user group, but exclude members of the Senior Management Staff user group. Since both are user groups, all corporate users except the Senior Management Staff get the profile.

  • Intune doesn't evaluate user-to-device group relationships. If you assign profiles to mixed groups, the results may not be what you want or expect.

    For example, you assign a device profile to the All Users user group, but exclude an All personal devices device group. In this mixed-group assignment, all users get the profile, including on their personal devices. The exclusion does not apply.

    As a result, assigning profiles to mixed groups is not recommended.
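The mixed-group pitfall is easy to reason about once the two rules above are written down as code. The following is an added example for this page, not Intune's own evaluation logic: it encodes the page's stated rules (an exclusion cancels only an inclusion of the same group type; user-group targets see only the user's memberships and device-group targets see only the device's) so an assignment design can be checked before it reaches a pilot group. The group names and the two user/device contexts are constructed placeholders.

```python
"""Model of the include/exclude rules stated on this page.

Added example, not Intune's own code. It applies the page's two rules so you
can see which user+device pairs a given set of targets reaches. Group names
and the Alice/Bob contexts are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    group: str           # Azure AD group name (placeholder)
    kind: str            # "user" or "device": the type of the group
    exclude: bool = False


@dataclass(frozen=True)
class Context:
    """A check-in as the profile sees it: the user's groups and the device's groups."""
    user_groups: frozenset
    device_groups: frozenset


def _lane(targets, kind, groups):
    """Rule 1: within one group type, any matching exclusion beats any inclusion."""
    included = any(t.kind == kind and not t.exclude and t.group in groups for t in targets)
    excluded = any(t.kind == kind and t.exclude and t.group in groups for t in targets)
    return included and not excluded


def profile_applies(targets, ctx):
    """Rule 2: user-group and device-group targets are evaluated independently,
    so a device-group exclusion can never cancel a user-group inclusion."""
    return (_lane(targets, "user", ctx.user_groups)
            or _lane(targets, "device", ctx.device_groups))


def dead_exclusions(targets):
    """Exclusions with no inclusion of the same group type: they will never apply."""
    included_kinds = {t.kind for t in targets if not t.exclude}
    return [t for t in targets if t.exclude and t.kind not in included_kinds]


# Scenario 1 (page example): same group type, the exclusion wins.
SAME_TYPE = [
    Target("All corporate users", "user"),
    Target("Senior Management Staff", "user", exclude=True),
]

# Scenario 2 (page example): mixed types, the exclusion silently does nothing.
MIXED = [
    Target("All Users", "user"),
    Target("All personal devices", "device", exclude=True),
]

# Scenario 3: the intent of scenario 2 expressed with device groups only.
DEVICE_ONLY = [
    Target("All corporate devices", "device"),
    Target("All personal devices", "device", exclude=True),
]

# Constructed contexts: a senior manager on a personal device, a regular user on a corporate one.
ALICE_ON_PERSONAL = Context(
    user_groups=frozenset({"All Users", "All corporate users", "Senior Management Staff"}),
    device_groups=frozenset({"All personal devices"}),
)
BOB_ON_CORPORATE = Context(
    user_groups=frozenset({"All Users", "All corporate users"}),
    device_groups=frozenset({"All corporate devices"}),
)

if __name__ == "__main__":
    for name, targets in [("same type", SAME_TYPE), ("mixed", MIXED), ("device only", DEVICE_ONLY)]:
        print(f"{name:12} alice/personal={profile_applies(targets, ALICE_ON_PERSONAL)!s:5} "
              f"bob/corporate={profile_applies(targets, BOB_ON_CORPORATE)!s:5} "
              f"dead exclusions={[t.group for t in dead_exclusions(targets)]}")
```

Running it shows the failure mode concretely: under `MIXED`, Alice still gets the profile on her personal device and `dead_exclusions` reports the device-group exclusion as inert, while `DEVICE_ONLY` keeps the profile off personal devices because both targets are of the same type. The `dead_exclusions` check is a cheap lint to run over any assignment before saving it.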

Next steps

See Monitor device profiles for guidance on monitoring your profiles and the devices running them.