Change the MDM authority

Beginning in Configuration Manager version 1610, you can change your MDM authority without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices. This topic provides the steps to change an existing Microsoft Intune tenant configured from Intune and with the MDM authority set to Microsoft Intune (standalone) to Configuration Manager (hybrid MDM) without having to unenroll and reenroll existing managed devices.

Note

If you want to change an existing Microsoft Intune tenant configured from the Configuration Manager console (hybrid) and with the MDM authority set to Configuration Manager (hybrid) to Microsoft Intune standalone, see Change the MDM authority from Configuration Manager (hybrid MDM) to Intune standalone.

Key Considerations

After you switch to the new MDM authority, there will likely be transition time (up to eight hours) before the device checks in and synchronizes with the service. You are required to configure settings in the new MDM authority (hybrid) to ensure that enrolled devices will continue to be managed and protected after the change.

  • Devices must connect with the service after the change so that the settings from the new MDM authority (Intune standalone) replace the existing settings on the device.
  • After you change the MDM authority, some of the basic settings (such as profiles) from the previous MDM authority (Intune standalone) will remain on the device for up to seven days or until the device connects to the service for the first time. It is recommended that you configure apps and settings (policies, profiles, apps, etc.) in the new MDM authority (hybrid) as soon as possible and deploy the settings to the user groups that contain users who have existing enrolled devices. As soon as a device connects to the service after the change in MDM authority, it receives the new settings from the new MDM authority, which prevents gaps in management and protection.
  • When the same device categories exist in both Intune and Configuration Manager, any device category assignments for devices are not carried over after you switch to the new MDM authority. To continue using device categories, migrated devices have to be manually added to the appropriate collections after the MDM authority is changed and the devices display in the Configuration Manager console.
  • Devices that don't have associated users (typically when you have iOS Device Enrollment Program or bulk enrollment scenarios) are not migrated to the new MDM authority. For those devices, you need to call support for assistance to move them to the new MDM authority.

Prepare to change the MDM authority to Configuration Manager (hybrid)

Review the following information to prepare for the change to the MDM authority:

  • You must have Configuration Manager version 1610 or higher for the option to change the MDM authority to be available.
  • It can take up to eight hours for a device to connect to the service after you change to the new MDM authority.
  • Create a Configuration Manager user collection with all users currently managed by Intune standalone that you will use when you set up the Intune subscription in the Configuration Manager console. This helps to ensure that the user and their devices will have a Configuration Manager license assigned and be managed in the hybrid environment after the change to the MDM authority.
  • Make sure that the IT Admin user is in this user collection too.
  • Before the change, the MDM authority will show as Set to Microsoft Intune (standalone) in the Intune administration console.
  • The MDM authority should display Set to Microsoft Intune (standalone tenant) in the Microsoft Intune administration console prior to the change in MDM authority.

    Note

    If your MDM authority displays Managed by Intune and Office 365, then your Office 365 managed MDM devices are no longer managed when you change your MDM authority to Configuration Manager (hybrid). We recommend that you license those users for Intune or Enterprise Mobility Suite before you change the MDM authority.

  • In the Microsoft Intune administration console, remove the Device Enrollment Manager role. For details, see Delete a device enrollment manager from Intune.

  • Turn off any device group mappings that are configured. For details, see Categorize devices with device group mapping in Microsoft Intune.
  • There should be no noticeable impact to end users during the change in MDM authority. However, you might want to communicate this change to users to make sure that their devices are powered on and that they connect with the service soon after the change. This ensures that as many devices as possible connect and register with the service through the new authority as soon as possible.
  • If you are using Intune standalone to manage iOS devices prior to the change in MDM authority, you must make sure that the same Apple Push Notification service (APNs) certificate that was previously used in Intune is renewed and used to set up the tenant again in Configuration Manager (hybrid).

    Important

    If a different APNs certificate is used for hybrid, then ALL previously enrolled iOS devices become unenrolled and you have to go through the process to reenroll them. Prior to making the MDM authority change, make sure that you know exactly which APNs certificate was used to manage iOS devices in Intune. Find the same certificate listed in the Apple Push Certificates Portal (https://identity.apple.com) and make sure the user whose Apple ID was used to create the original APNs certificate is identified and available to renew the same APNs certificate as part of the change to the new MDM authority.

Change the MDM authority to Configuration Manager

The process to change the MDM authority to Configuration Manager (hybrid) includes the following high-level steps:

  • In the Configuration Manager console, add the Microsoft Intune subscription.
  • Configure the Apple APNs certificate by using the same APNs certificate that you renewed.
  • In the Configuration Manager console, configure and deploy new settings and apps from the new MDM authority (hybrid).
  • The next time devices connect to the service, they synchronize and receive the new settings from the new MDM authority.

To change the MDM authority to Configuration Manager

  1. In the Configuration Manager console, go to Administration > Overview > Cloud Services > Microsoft Intune Subscription, and select to add an Intune subscription.
  2. Sign in to the Intune tenant that you originally used when you set the MDM authority in Intune, and click Next.
  3. Select Change my MDM Authority to Configuration Manager, and click Next.
  4. Select the user collection to contain all of the users that continue to be managed by the new hybrid MDM authority.
  5. Click Next and complete the wizard. The MDM authority is now changed to Configuration Manager.
  6. Log in to the Microsoft Intune administration console using the same Intune tenant and confirm that the MDM authority has been changed to Set to Configuration Manager.

Enable iOS enrollment

When you have iOS devices, you must configure the APNs certificate in Configuration Manager.

To enable iOS enrollment and configure the APNs certificate

  1. Download a certificate signing request

    1. In the Configuration Manager console, go to Administration > Cloud Services > Microsoft Intune Subscriptions, and select Create APNs certificate request to open the Request Apple Push Notification Service Certificate Signing Request dialog box.
    2. Browse to the path to save the new certificate signing request (.csr) file. Save the certificate signing request (.csr) file locally.
    3. Click Download. The new Microsoft Intune .csr file downloads and is saved by Configuration Manager.

      Important

      You must download a new certificate signing request. Do not use an existing file or it fails.

  2. Go to the Apple Push Certificates Portal, and sign in with the same Apple ID that was previously used to create and renew the APNs certificate that you used in Intune standalone.

  3. Select the APNs certificate that you used in Intune standalone, and then click Renew.

  4. Select the APNs certificate signing request (.csr) file that you downloaded locally, and then click Upload.

  5. Select the same APNs, and then click Download. Download the APNs (.pem) certificate, and save the file locally.

  6. Upload the renewed APNs certificate to the hybrid tenant using the same Apple ID as before.

    1. In the Configuration Manager console, go to Administration > Cloud Services > Microsoft Intune Subscription, and choose Configure Platforms > iOS.
    2. In the Microsoft Intune Subscription Properties dialog box, select the APNs Certificate tab and click to select the Enable iOS and Mac OS X (MDM) enrollment checkbox.
    3. Click Browse, and go to the APNs certificate (.cer) file downloaded from Apple. Configuration Manager displays the APNs certificate information. Click OK to save the APNs certificate to Intune.
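
A check worth running before the upload in step 6, written as an added example rather than code from the original documentation: it compares the push topic of the certificate used in Intune standalone with the renewed one and confirms that the renewed certificate is currently valid. It assumes that the topic appears in the certificate subject as a UID value of the form com.apple.mgmt.<type>.<GUID>, that a copy of the original certificate file is still available, and that both paths (hypothetical parameters) point to certificate files.

```powershell
# Added example, not part of the original documentation.
# Assumption: an Apple MDM push certificate carries its push topic in the
# subject as a UID value of the form com.apple.mgmt.<type>.<GUID>.

function Get-ApnsTopic {
    param([Parameter(Mandatory)][string]$Subject)
    # Windows may render the UID attribute as OID.0.9.2342.19200300.100.1.1=...,
    # so match on the value instead of the attribute name.
    if ($Subject -match 'com\.apple\.mgmt\.[A-Za-z]+\.[0-9A-Fa-f-]{36}') {
        return $Matches[0]
    }
    throw "No APNs MDM topic found in subject: $Subject"
}

function Compare-ApnsCertificate {
    param(
        [Parameter(Mandatory)][string]$OriginalPath,  # hypothetical: certificate used in Intune standalone
        [Parameter(Mandatory)][string]$RenewedPath    # hypothetical: certificate just downloaded from Apple
    )
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $old = $certType::new((Resolve-Path -LiteralPath $OriginalPath).ProviderPath)
    $new = $certType::new((Resolve-Path -LiteralPath $RenewedPath).ProviderPath)
    $now = Get-Date
    $oldTopic = Get-ApnsTopic -Subject $old.Subject
    $newTopic = Get-ApnsTopic -Subject $new.Subject
    [pscustomobject]@{
        OriginalTopic  = $oldTopic
        RenewedTopic   = $newTopic
        SameTopic      = ($oldTopic -eq $newTopic)   # False means a different certificate
        RenewedIsValid = ($new.NotBefore -le $now -and $new.NotAfter -gt $now)
        RenewedExpires = $new.NotAfter
    }
}

# Constructed subject strings (not real certificates) exercising the topic parser:
$original  = 'OID.0.9.2342.19200300.100.1.1=com.apple.mgmt.External.11111111-2222-3333-4444-555555555555, CN=constructed-original, C=US'
$renewed   = 'UID=com.apple.mgmt.External.11111111-2222-3333-4444-555555555555, CN=constructed-renewed, C=US'
$different = 'UID=com.apple.mgmt.External.99999999-8888-7777-6666-555555555555, CN=constructed-other, C=US'

[pscustomobject]@{
    RenewedMatchesOriginal   = (Get-ApnsTopic $original) -eq (Get-ApnsTopic $renewed)
    DifferentMatchesOriginal = (Get-ApnsTopic $original) -eq (Get-ApnsTopic $different)
}
```

Upload the renewed file only when Compare-ApnsCertificate reports both SameTopic and RenewedIsValid as True for the two certificate files.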

Enable Android enrollment

  1. In the Configuration Manager console, go to Administration > Cloud Services > Microsoft Intune Subscription, and choose Configure Platforms > Android.
  2. Select Enable Android enrollment and click OK.

Enable Windows enrollment

  1. In the Configuration Manager console, go to Administration > Cloud Services > Microsoft Intune Subscription, and choose Configure Platforms > Windows.
  2. Select Enable Windows enrollment and click OK.

Enable Windows Phone enrollment

  1. In the Configuration Manager console, go to Administration > Cloud Services > Microsoft Intune Subscription, and choose Configure Platforms > Windows Phone.
  2. Select the platform that you want to enable, and click OK.

Next steps

After the change in MDM authority is complete, review the following steps:

  • When the Intune service detects that a tenant's MDM authority has changed, it sends out a notification message to all the enrolled devices to check in and synchronize with the service (this is outside of the regularly scheduled check-in). Therefore, after the MDM authority for the tenant has been changed from Intune standalone to hybrid, all the devices that are powered on and online will connect with the service, receive the new MDM authority, and be managed by hybrid. There is no interruption to the management and protection of these devices.
  • Even for devices that are powered on and online during (or shortly after) the change in MDM authority, there will be a delay of up to eight hours (depending on the timing of the next scheduled regular check-in) before devices are registered with the service under the new MDM authority.

    Important

    Between the time when you change the MDM authority and when the renewed APNs certificate is uploaded to the new authority, new device enrollments and device check-in for iOS devices fail. Therefore, it is important that you review and upload the APNs certificate to the new authority as soon as possible after the change in MDM authority.

  • Users can quickly change to the new MDM authority by manually starting a check-in from the device to the service. Users can easily do this by using the Company Portal app and initiating a device compliance check.

  • To validate that things are working correctly after devices have checked in and synchronized with the service after the change in MDM authority, look for the devices in the Configuration Manager console. The devices that were previously managed by Intune are now displayed as managed devices in the Configuration Manager console.
  • There is an interim period between when a device is offline during the change in MDM authority and when that device checks in to the service. To help ensure that the device remains protected and functional during this interim period, the following profiles remain on the device for up to seven days (or until the device connects with the new MDM authority and receives new settings that overwrite the existing ones):
    • E-mail profile
    • VPN profile
    • Cert profile
    • Wi-Fi profile
    • Configuration profiles
  • After you change to the new MDM authority, the compliance data in the Microsoft Intune administration console can take up to a week to accurately report. However, the compliance states in Azure Active Directory and on the device will be accurate, so the device is still protected.
  • Make sure the new settings that are intended to overwrite existing settings have the same name as the previous ones to ensure that the old settings are overwritten. Otherwise, the devices might end up with redundant profiles and policies.

    Tip

    As a best practice, you should create all management settings and configurations, as well as deployments, shortly after the change to the MDM authority has completed. This helps ensure that devices are protected and actively managed during the interim period.

  • After you change the MDM authority, perform the following steps to validate that new devices are enrolled successfully to the new authority:

    • Enroll a new device
    • Make sure the newly enrolled device shows up in the Configuration Manager console.
    • Perform an action, such as Remote Lock, from the administration console to the device. If it is successful, the device is being managed by the new MDM authority.
  • If you have issues with specific devices, you can unenroll and reenroll the devices to get them connected to the new authority and managed as quickly as possible.