Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile

Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate and personal use.

End users can keep their work and personal data separate and are guaranteed that their personal data and applications will remain private. Admins can control some settings and features for the entire device, including:

  • Setting requirements for the device password
  • Controlling Bluetooth and data roaming
  • Configuring factory reset protection

Intune helps you deploy apps and settings to Android Enterprise corporate-owned devices with work profile. For specific details about Android Enterprise, see Android enterprise requirements.

Device requirements

Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile devices:

  • Android OS version 8.0 and above.
  • Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.

Set up Android Enterprise corporate-owned work profile device management

To set up Android Enterprise corporate-owned work profile device management, follow these steps:

  1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft Intune. You set this item only once, when you're first setting up Intune for mobile device management.
  2. Connect your Intune tenant account to your Managed Google Play account.
  3. Create an enrollment profile.
  4. Create a device group.
  5. Enroll the corporate-owned work profile devices.

Create an enrollment profile

Note

Tokens for corporate-owned devices with a work profile will not expire automatically. If an admin decides to revoke a token, the profile associated with it will not be displayed in Devices > Android > Android enrollment > Corporate-owned devices with work profile (Preview). To see all profiles associated with both active and inactive tokens, click Filter and check the boxes for both "Active" and "Inactive" policy states.

You must create an enrollment profile so that users can enroll corporate-owned work profile devices. When the profile is created, it provides you with an enrollment token (random string) and a QR code. Depending on the Android OS and version of the device, you can use either the token or QR code to enroll the dedicated device.

  1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android enrollment > Corporate-owned devices with work profile (Preview).
  2. Choose Create profile and fill out the fields.
    • Name: Type a name that you'll use when assigning the profile to the dynamic device group.
    • Description: Add a profile description (optional).
  3. Choose Next.
  4. On the Review + create page, choose Create to create the policy.

Create a device group

You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic Azure AD device groups to automatically populate devices that are enrolled with a particular enrollment profile by following these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center and choose Groups > All groups > New group.
  2. In the Group blade, fill out the required fields as follows:
    • Group type: Security
    • Group name: Type an intuitive name (like Factory 1 devices)
    • Membership type: Dynamic device
  3. Choose Add dynamic query.
  4. In the Dynamic membership rules blade, fill out the fields as follows:
    • Add dynamic membership rule: Simple rule
    • Add devices where: enrollmentProfileName
    • In the middle box, choose Equals.
    • In the last field, enter the enrollment profile name that you created earlier. For more information about dynamic membership rules, see Dynamic membership rules for groups in AAD.
  5. Choose Add query > Create.
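
The same dynamic device group can be created from a script instead of the portal. The following is an added example, not part of the original article; it assumes the Microsoft.Graph PowerShell module is installed, and the enrollment profile name `COPE-Factory1` and the helper function name are placeholders.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Requires the Microsoft.Graph PowerShell module and consent to Group.ReadWrite.All.
# 'COPE-Factory1' is a placeholder enrollment profile name; substitute your own.

function New-EnrollmentProfileDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $EnrollmentProfileName
    )

    # The rule embeds the profile name in a double-quoted string, so refuse
    # names that could break out of the quoting rather than guessing an escape.
    if ($EnrollmentProfileName -match '["`]') {
        throw "Enrollment profile name must not contain quotes or backticks."
    }

    # Same rule the Simple rule builder produces:
    # enrollmentProfileName Equals <name>
    $rule = '(device.enrollmentProfileName -eq "{0}")' -f $EnrollmentProfileName

    # Graph requires a mailNickname even for security groups without mail.
    $nickname = $GroupName -replace '[^A-Za-z0-9]', ''

    New-MgGroup -DisplayName $GroupName `
        -MailEnabled:$false `
        -MailNickname $nickname `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All'
$group = New-EnrollmentProfileDeviceGroup -GroupName 'Factory 1 devices' `
    -EnrollmentProfileName 'COPE-Factory1'

# Confirm the stored rule, then list the devices it has pulled in so far.
# Membership is evaluated asynchronously, so the list can be empty at first.
Get-MgGroup -GroupId $group.Id -Property 'displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```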

Revoke tokens

You can immediately expire the token/QR code. From this point on, the token/QR code is no longer usable. You might use this option if you:

  • accidentally share the token/QR code with an unauthorized party
  • complete all enrollments and no longer need the token/QR code

Revoking a token/QR code won't have any effect on devices that are already enrolled.

  1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android enrollment > Corporate-owned devices with work profile (Preview).
  2. Choose the profile that you want to work with.
  3. Choose Token.
  4. To revoke the token, choose Revoke token > Yes.

Enroll the corporate-owned work profile devices

Users can now enroll their corporate-owned work profile devices.

Note

The Microsoft Intune app will be automatically installed during enrollment of a corporate-owned work profile device. This app is required for enrollment and cannot be uninstalled.

Managing apps on Android Enterprise corporate-owned work profile devices

Only apps that have Assignment type set to Required can be installed on Android Enterprise corporate-owned work profile devices. Apps are installed from the Managed Google Play store in the same manner as Android Enterprise work profile devices.

Apps are automatically updated on managed devices when the app developer publishes an update to Google Play.

To remove an app from Android Enterprise corporate-owned work profile devices, you can do either of the following:

  • Delete the Required app deployment.
  • Create an uninstall deployment for the app.

Next steps