Enable a limited-use shared device solution with Intune

Sometimes employees need to share devices to access apps and company data to complete basic task work where only specific settings and apps are required. This is commonly seen in retail stores, manufacturing floors, and transportation industries. Other times, it's not employees but customers who need to interactively access resources using publicly accessible devices at locations like conferences, hotel lobbies, schools, or libraries. In some cases, you might only need to display a self-running presentation or provide static information to people walking by.

Running an app full-screen, with no other options, provides a secure, interactive Kiosk user experience while also protecting your company assets from suspicious user activity. This ability enables IT to provide more security along with a customizable experience that keeps employees productive and meets customer needs.

How can Enterprise Mobility + Security help you?

EMS enables you to provide capabilities and experiences that create a productive workplace and satisfy customer needs, anywhere. Whether using iOS, Mac OS, Android, or Windows Mobile company-owned devices, Microsoft Intune can help you deliver productivity to your people and information to your customers while keeping company data secure.

With Intune, you can use Kiosk mode configuration policy settings for iOS or Android mobile devices, and assigned access for Windows Mobile phones, to lock down a device so that only certain apps or features work. Intune configuration policies are groups of settings that control features on mobile devices and computers. You create policies by using templates that contain recommended or custom settings, and then you deploy them to device or user groups. For example, you can deploy Kiosk mode configuration policies to devices that allow them to run only one managed app that you specify, or you can disable the volume buttons on a device. These settings might be used for a demonstration model of a device, or for a device that is dedicated to performing only one function, such as a point-of-sale device.

How to implement this solution

The rest of this solution is divided into the following sections that show you how to configure:

  • Kiosk mode for iOS. This section shows you how to lock down iOS devices using Kiosk mode Intune configuration policy settings.
  • Kiosk mode for Android. This section shows you how to lock down Android devices using Kiosk mode Intune configuration policy settings for Samsung KNOX devices.
  • Assigned access policies for Windows. This section describes how the EnterpriseAssignedAccess Configuration Service Provider (CSP) is used to lock down Windows 10 Mobile devices to provide an Assigned Access experience.

Kiosk mode for iOS

Intune supplies a range of built-in general settings that you can configure on iOS devices, including Kiosk mode configuration settings that allow you to lock down managed iOS devices.

Before you can configure an iOS (8.0 and later) device for Kiosk mode, you must first put the device into supervised mode, either by using the Apple Configurator tool on a Mac or by deploying an enrollment profile to enroll iOS devices that were bought through the Apple Device Enrollment Program (DEP). After that's done, you can deploy Kiosk mode configuration settings to control app and device settings using an Intune configuration policy.

In the Intune administration console, navigate to the POLICY node, then iOS, create a new iOS General Configuration (iOS 8.0 and later) policy, and define the Kiosk mode settings. The most important of these settings is the managed app that will be allowed to run when the device is placed in Kiosk mode.

iOS Kiosk mode policy settings

You can specify a managed app or an app from the Apple App Store, but no other apps will be able to run on the device after the Kiosk mode policy is applied. Also, remember that when the policy is deployed, it will only take effect on iOS devices in supervised mode.

Note

If the app that you specify is installed after you deploy the configuration policy, the device will not enter Kiosk mode until after it is restarted.

Kiosk mode for Android

Locking down Android KNOX Standard (4.0 and later) devices is done in a similar fashion to putting iOS devices in Kiosk mode. In the Intune administration console, navigate to the POLICY node, then Android, create a new General Configuration (Android 4 and later, Samsung KNOX Standard 4.0 and later) policy, and then define the Kiosk mode settings.

There are fewer settings available to configure for Android KNOX devices, but the most important is still the managed app that will be allowed to run while in Kiosk mode. Store apps are not supported for these devices, and the policy that you deploy will take effect on any Samsung KNOX device that receives it, including BYOD personal devices if you aren't careful. For that reason, you should only deploy Kiosk mode settings for Android devices to the person who manages bulk enrollment for your corporate-owned devices that need to be managed as Kiosk devices.

Note

If the app that you specify is installed after you deploy the configuration policy, the device will not enter Kiosk mode until after it is restarted.

Assigned access policies for Windows

Windows 10 Mobile (version 1511 and later) devices can also be configured as Kiosk devices, but instead of a general configuration policy, a custom Windows configuration policy is used. These kinds of policies allow you to use Windows 10 OMA-URI settings to manage device configuration settings with Intune.

Tip

Configuration Service Providers (CSPs) expose OMA-URI device configuration settings in Windows 10.

The EnterpriseAssignedAccess CSP is used to lock down Windows 10 devices to provide an Assigned Access experience. You can also use that CSP to configure other settings such as language and themes, or to configure custom layouts on a device.

To create the policy for Windows devices, go to the POLICY node of the Intune administration console, then Windows, and create a new Custom Configuration (Windows 10 Desktop and Mobile and later) policy. From there, you need to provide the CSP information and import a valid XML file that defines the settings to be applied to the Windows devices targeted by the deployment of this policy.

OMA-URI settings

To create a simple assigned access policy, provide the basic metadata of name and description, set the data type to String (XML), and enter ./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml for the case-sensitive OMA-URI value. In the following example XML, the device is locked down so that only the applications specified in an Allow list (Microsoft Edge in this case) are available to use on the device. Apps not identified by their Windows 10 Mobile app product IDs in the Allow list remain installed on the device, but are hidden from view and blocked from launching. To enter the required XML data, import a new .XML file containing the following sample information, or copy and paste it as single-line formatted XML into the Value text area:

Important

When pasting the formatted XML sample provided into the Value box, be sure that the entire XML is formatted into a single line.

<?xml version="1.0" encoding="UTF-8"?>
<HandheldLockdown version="1.0">
   <Default>
      <ActionCenter enabled="false" />
      <Apps>
         <!-- Microsoft Edge -->
         <Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" autoRun="true">
            <PinToStart>
               <Size>Medium</Size>
               <Location>
                  <LocationX>0</LocationX>
                  <LocationY>0</LocationY>
               </Location>
            </PinToStart>
         </Application>
      </Apps>
      <Buttons>
         <ButtonLockdownList>
            <!-- Lockdown all buttons -->
            <Button name="Search">
               <ButtonEvent name="Press" />
               <ButtonEvent name="PressAndHold" />
            </Button>
            <Button name="Camera">
               <ButtonEvent name="Press" />
               <ButtonEvent name="PressAndHold" />
            </Button>
         </ButtonLockdownList>
         <ButtonRemapList />
      </Buttons>
      <MenuItems>
         <DisableMenuItems />
      </MenuItems>
      <Settings>
         <System name="Microsoft.WiFi" />
         <System name="Microsoft.About" />
         <System name="Microsoft.Feedback" />
         <System name="Microsoft.CompanyAccount" />
         <System name="Microsoft.VPN" />
      </Settings>
      <StartScreenSize>Small</StartScreenSize>
   </Default>
</HandheldLockdown>
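
As an added helper that is not part of the original article, the following Python script checks a HandheldLockdown document before it goes into the policy (well-formed XML, the expected root element, a non-empty Allow list, productId values in braced GUID form as shown above) and then collapses it to the single line the Value text area expects. The sample document and its broken variant are constructed for this example, and the GUID check is my assumption based on the product ID format in the sample.

```python
import re
import xml.etree.ElementTree as ET

# OMA-URI the article gives for the AssignedAccessXml setting (case-sensitive).
OMA_URI = "./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml"
# Assumption: a Windows 10 Mobile app product ID is a braced GUID, as in the sample.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample: a cut-down HandheldLockdown document allowing only Microsoft Edge.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<HandheldLockdown version="1.0">
   <Default>
      <ActionCenter enabled="false" />
      <Apps>
         <!-- Microsoft Edge -->
         <Application productId="{395589FB-5884-4709-B9DF-F7D558663FFD}" autoRun="true" />
      </Apps>
      <MenuItems><DisableMenuItems /></MenuItems>
      <StartScreenSize>Small</StartScreenSize>
   </Default>
</HandheldLockdown>
"""
# Constructed negative case: the product ID was replaced by an app name.
BAD_XML = SAMPLE_XML.replace("{395589FB-5884-4709-B9DF-F7D558663FFD}", "MicrosoftEdge")

def validate_lockdown_xml(xml_text: str) -> list:
    """Return the problems found; an empty list means the document passed every check."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "HandheldLockdown":
        problems.append(f"root element is <{root.tag}>, expected <HandheldLockdown>")
    apps = root.findall("./Default/Apps/Application")
    if not apps:
        problems.append("Allow list is empty: no <Application> under <Default>/<Apps>")
    for app in apps:
        product_id = app.get("productId", "")
        if not GUID_RE.match(product_id):
            problems.append(f"productId {product_id!r} is not a braced GUID")
    return problems

def to_single_line(xml_text: str) -> str:
    """Collapse indentation and line breaks between tags so the XML pastes as one line."""
    return re.sub(r">\s+<", "><", xml_text.strip())
```

Because an assigned access policy cannot be reversed without a factory reset, running the document through a check like this before the policy is deployed is cheap insurance.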

After the policy is successfully created, deploy it to the group of Windows devices that you want to be configured as Kiosk devices.

Important

Ensure that the assigned access policy is deployed to the correct group. There is no way to reverse an assigned access policy other than factory resetting the device.

Learn more

Start using Enterprise Mobility + Security

Microsoft Enterprise Mobility