Use policy sets to group collections of management objects

Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps, policies, and other management objects you've created. Creating a policy set enables you to select many different objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as apps, policies, and VPNs in a single package.

Important

For a list of known issues related to policy sets, see Policy sets known issues.

Policy sets do not replace existing concepts or objects. You can continue to assign individual objects and you can also reference individual objects as part of a policy set. Therefore, any changes to those individual objects will be reflected in the policy set.

You can use policy sets to:

  • Group objects that need to be assigned together
  • Assign your organization's minimum configuration requirements on all managed devices
  • Assign commonly used or relevant apps to all users

You can include the following management objects in a policy set:

  • Apps
  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Device type restrictions
  • Windows Autopilot deployment profiles
  • Enrollment status page

When you create a policy set, you create a single unit of assignment, and manage associations between different objects. A policy set will be a reference to objects external to it. Any changes in the included objects will affect the policy set as well. After you create a policy set, you can repeatedly view and edit its objects and assignments.

Note

Policy sets support Windows, Android, macOS, and iOS/iPadOS settings, and can be assigned cross-platform.

How to create a policy set

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Policy Sets > Policy sets > Create.

  3. On the Basics page, add the following values:

    • Policy set name - Provide a name for this policy set.
    • Description - Optionally, provide a description for the policy set.

  4. Click Next: Application management.
    On the Application management page you can optionally add apps, app configuration policies, and app protection policies to your policy set. For information about app management, see What is Microsoft Intune app management?.

  5. Click Next: Device management.
    The Device management page allows you to add device management objects to your policy set, such as device configuration profiles and device compliance policies. Be sure to include all associated objects, such as other policies, certificates, and security baseline profiles.

  6. Click Next: Device enrollment.
    The Device enrollment page allows you to add device enrollment objects to your policy set, such as device type restrictions, Windows Autopilot deployment profiles, and enrollment status page profiles.

  7. Click Next: Assignments.
    The Assignments page allows you to assign the policy set to users and devices. It is important to note that you can assign a policy set to a device whether or not the device is managed by Intune.

  8. Click Next: Review + create to review the values you entered for the profile.

  9. When you are done, click Create to create the policy set in Intune.

Policy sets known issues

Policy sets, new to 1910, have the following known issues.

  • When creating a policy set, if a scoped admin tries to create a policy set without any scope tags selected, upon reaching the Review + Create page, validation will fail and an error will be displayed on the status bar. The admin must switch to a different page in the process, then return to the Review + Create page. This will enable the Create option.

  • The following app types are currently supported by policy sets:

    • iOS/iPadOS store app
    • iOS/iPadOS line-of-business app
    • Managed iOS/iPadOS line-of-business app
    • Android store app
    • Android line-of-business app
    • Managed Android line-of-business app
    • Microsoft 365 Apps (Windows 10)
    • Web link
    • Built-in iOS/iPadOS app
    • Built-in Android app
  • Setting a policy set assignment of All Users to Autopilot Profile is unsupported.

  • Policy sets have the following enrollment restrictions and Enrollment Status Page (ESP) issues:

    • Restrictions and ESP do not support virtual group assignments.
    • Restrictions and ESP do not strictly support exclusion group assignments.
    • Restrictions and ESP use priority-based conflict resolution. Restrictions and ESP might not be applied to the same users as the rest of a policy set's payloads if the Restrictions and ESP are also targeted by a higher priority Restrictions and ESP.
    • The default Restrictions and ESP cannot be added to a policy set.
  • MAM policy types that support policy sets include the following:

    • MAM WIP (Windows) MDM targeted managed app protection
    • MAM iOS/iPadOS targeted managed app protection
    • MAM Android targeted managed app protection
    • MAM iOS/iPadOS targeted managed app configuration
    • MAM Android targeted managed app configuration
  • MAM policy types that do not support policy sets include the following:

    • MAM WIP (Windows) targeted managed app protection
  • MAM processes policy set assignments as direct assignments for the following policy types:

    • MAM iOS/iPadOS targeted managed app protection

    • MAM Android targeted managed app protection

    • MAM iOS/iPadOS targeted managed app configuration

    • MAM Android targeted managed app configuration

      If a policy is added to a policy set that is deployed to a group, the group would show as directly assigned in the workload, not "assigned via the policy set". As a result of this, MAM does not process group assignment deletions coming from policy sets.

  • MAM does not support deployment to All Users and All Devices virtual groups for any policy types.

  • The Device Configuration Profile of type "Administrative Templates" cannot be selected as part of a policy set.
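
The priority-based conflict resolution listed above for Restrictions and ESP can be modelled offline to find users who are targeted by a policy set but receive a different restriction than the one bundled in it. This is an added example, not Microsoft's code or an Intune API; the group names, users, restriction names, and the convention that 1 is the highest priority are assumptions, and all data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data: group membership is hypothetical.
GROUPS = {
    "Sales": {"alice", "bob"},
    "Contractors": {"bob", "carol"},
}

@dataclass(frozen=True)
class Restriction:
    name: str
    priority: int   # assumption: 1 is the highest priority
    groups: tuple   # groups the restriction is assigned to

def effective_restriction(user, restrictions):
    """Return the single restriction that wins for a user, or None."""
    hits = [r for r in restrictions
            if any(user in GROUPS[g] for g in r.groups)]
    return min(hits, key=lambda r: r.priority, default=None)

def policy_set_gaps(ps_groups, ps_restriction, restrictions):
    """Map each user targeted by the policy set to the restriction that
    actually wins, when it is not the one bundled in the set."""
    targeted = set().union(*(GROUPS[g] for g in ps_groups))
    gaps = {}
    for user in sorted(targeted):
        winner = effective_restriction(user, restrictions)
        if winner is not None and winner.name != ps_restriction.name:
            gaps[user] = winner.name
    return gaps

# Restriction bundled in a policy set that is assigned to the Sales group.
SET_RESTRICTION = Restriction("Sales-BlockPersonalAndroid", 2, ("Sales",))
# Separately assigned restriction with a higher priority.
OTHER = Restriction("Contractors-AllowAll", 1, ("Contractors",))

GAPS = policy_set_gaps(("Sales",), SET_RESTRICTION, [SET_RESTRICTION, OTHER])
print(GAPS)
```

A user listed in the result still receives the policy set's other payloads, so the gap is only visible by comparing effective restrictions per user rather than by reading the policy set's assignment list.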
