Enroll corporate-owned iOS devices by using the Device Enrollment Program

Microsoft Intune can deploy an enrollment profile that enrolls iOS devices bought through the Device Enrollment Program (DEP) "over the air." The enrollment package can include Setup Assistant options for the device.


DEP enrollment can't be used together with the device enrollment manager method. Also, if users enroll iOS devices themselves (for example, by using the Company Portal app) and those devices' serial numbers are later imported and assigned a DEP profile, the devices will be unenrolled from Intune.

Prerequisites for enrolling iOS devices by using Apple DEP management

  • Install an APNs certificate.

  • Your organization must join Apple DEP and get devices through that program. Details of that process are available at https://deploy.apple.com. Advantages of the program include hands-free setup of devices without using a USB cable to connect each device to a computer.

  • Before you can enroll corporate-owned iOS devices with DEP, you need a DEP token from Apple. This token lets Intune sync information about DEP-participating devices that your corporation owns. It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles.

Steps to enroll iOS devices by using Apple DEP management

The following steps explain how to enroll iOS devices on "day 0" by using Apple DEP management. As devices are added to and removed from your organization, you will likely repeat some of these steps, such as adding or removing serial numbers, as described below.

Get an encryption key

  1. As an administrative user, open the Microsoft Intune administration console, go to Admin > Mobile Device Management > iOS > Device Enrollment Program, and then choose Download Encryption Key.

  2. Save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Device Enrollment Program portal.


Get a Device Enrollment Program token

  1. Go to the Device Enrollment Program Portal (https://deploy.apple.com), and sign in with your company Apple ID. This same Apple ID must be used later to renew your DEP token.

  2. In the Device Enrollment Program Portal, go to Device Enrollment Program > Manage Servers, and then choose Add MDM Server.

  3. Enter the MDM Server Name, and then choose Next. The server name is for your own reference, to identify the mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.

  4. The Add <ServerName> dialog box opens. Choose Choose File… to upload the .pem file, and then choose Next.

  5. The Add <ServerName> dialog box shows a Your Server Token link. Download the server token (.p7m) file to your computer, and then choose Done.

    This certificate (.p7m) file is used to establish a trust relationship between Intune and Apple's Device Enrollment Program servers.

Add the DEP token to Intune

  1. In the Microsoft Intune administration console, go to Admin > Mobile Device Management > iOS > Device Enrollment Program.

  2. Choose Upload the DEP Token. Browse to the certificate (.p7m) file, enter your Apple ID, and then choose Upload.

Add the Corporate Device Enrollment Policy

  1. In the Microsoft Intune administration console, go to Policy > Corporate Device Enrollment, and then choose Add.

  2. Provide General details, including Name and Description, and specify whether devices assigned to the profile have user affinity or belong to a group:

    • Prompt for user affinity: The device must be affiliated with a user during initial setup before it can be permitted to access company data and email as that user. User affinity should be set up for DEP-managed devices that belong to users and need to use the Company Portal (that is, to install apps). Multifactor authentication (MFA) doesn't work during enrollment on DEP devices with user affinity. After enrollment, MFA works as expected on these devices. New users who are required to change their password when they first sign in cannot be prompted to do so during enrollment on DEP devices. Additionally, users whose passwords have expired won't be prompted to reset their password during DEP enrollment and must reset the password from a different device.

      DEP with user affinity requires the WS-Trust 1.3 Username/Mixed endpoint to be enabled in order to request a user token. Learn more about WS-Trust 1.3.

    • No user affinity: The device is not affiliated with a user. Use this affiliation for devices that perform tasks without accessing local user data. Apps that require user affiliation, including the Company Portal app that is used to install line-of-business apps, won't work.

    You can also Assign devices to the following group. Choose Select... to choose a group.

    Group assignments are moving from Intune to Azure Active Directory. Once your Intune account receives the applicable update, you won't see the Assign devices to the following group option. Learn more.

  3. Enable Configure Device Enrollment Program settings for this policy to support DEP.


    The following settings are available for DEP-managed devices:

    • Department - Appears when users tap About Configuration during activation
    • Support phone number - Appears when the user taps the Need Help button during activation
    • Preparation mode - Set during activation and cannot be changed without factory resetting the device:
      • Unsupervised - Limited management capabilities
      • Supervised - Enables more management options and disables Activation Lock by default
    • Lock enrollment profile to device - Set during activation and cannot be changed without a factory reset
      • Disable - Allows the management profile to be removed from the Settings menu
      • Enable - (Requires Preparation Mode = Supervised) Disables the iOS Settings menu option to remove the management profile
    • Setup Assistant Options - These optional settings can also be set up later in the iOS Settings menu.
      • Passcode - Prompt for a passcode during activation. Always require a passcode unless the device will be secured or have its access controlled in some other manner (for example, kiosk mode that restricts the device to one app)
      • Location Services - If enabled, Setup Assistant prompts for the service during activation
      • Restore - If enabled, Setup Assistant prompts for iCloud backup during activation
      • Apple ID - If enabled, iOS will prompt users for an Apple ID when Intune attempts to install an app without an ID. An Apple ID is required to download iOS App Store apps, including those installed by Intune.
      • Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation
      • Touch ID - If enabled, Setup Assistant prompts for this service during activation
      • Apple Pay - If enabled, Setup Assistant prompts for this service during activation
      • Zoom - If enabled, Setup Assistant prompts for this service during activation
      • Siri - If enabled, Setup Assistant prompts for this service during activation
      • Send diagnostic data to Apple - If enabled, Setup Assistant prompts for this service during activation
    • Enable additional Apple Configurator management - Set to Disallow to prevent syncing files with iTunes or management via Apple Configurator. It's a good idea to choose Disallow, export any further configuration from Apple Configurator, and then deploy it as a Custom iOS configuration profile via Intune, rather than using this setting to allow manual deployment with or without a certificate.
      • Disallow - Prevents the device from communicating via USB (disables pairing)
      • Allow - Allows the device to communicate via a USB connection with any PC or Mac
      • Require certificate - Allows pairing only with a Mac that has a certificate imported into the enrollment profile

Assign the profile to devices

  1. In the Microsoft Intune administration console, go to Policy > Corporate Device Enrollment, and then choose Assign.

  2. Choose the devices to which you want to assign the profile that you created. You can choose All devices or select specific devices, and then select Add.

Currently, Intune lets you designate a "default" device enrollment profile, which means that new serial numbers are automatically assigned to that default profile when you synchronize new serial numbers with the Apple DEP service. When your tenant is migrated to the new Azure portal in the near future, you will no longer be able to set a default profile and have serial numbers automatically assigned to it. Instead, you will have to assign serial numbers to a specific profile. Learn more.

Assign DEP devices for management

  1. Go to the Device Enrollment Program Portal (https://deploy.apple.com) and sign in with your company Apple ID.

  2. Go to Deployment Program > Device Enrollment Program > Manage Devices.

  3. Specify how you will Choose Devices: provide device information by Serial Number or Order Number, or Upload CSV File.

  4. Choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK.

Synchronize DEP-managed devices

This step synchronizes devices with the Apple DEP service and makes the devices appear in the Intune console.

  1. As an administrative user, open the Microsoft Intune administration console, go to Admin > Mobile Device Management > iOS > Device Enrollment Program, and then choose Sync now. A sync request is sent to Apple.

  2. To see DEP-managed devices after synchronization, in the Microsoft Intune administration console go to Groups > All Devices > Corporate Pre-enrolled devices > By iOS Serial Number. In the By iOS Serial Number workspace, the State for managed devices reads "Not contacted" until the device is powered on and runs the Setup Assistant to enroll.

    To comply with Apple's terms for acceptable DEP traffic, Intune imposes the following restrictions:

    • A full DEP sync can run no more than once every seven days. During a full sync, Intune refreshes every serial number that Apple has assigned to Intune, whether or not the serial number has previously been synced. If a full sync is attempted within seven days of the previous full sync, Intune refreshes only the serial numbers that are not already listed in Intune.

    • Any sync request is given 10 minutes to finish. During this time, or until the request succeeds, the Sync button is disabled.
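As an added illustration (not Intune's own code), the following Python model encodes the two sync restrictions above so an admin can reason about what a given Sync now press will actually refresh; the state class, serial numbers and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

# Limits stated on the page: one full sync per seven days, ten minutes per request.
FULL_SYNC_INTERVAL = timedelta(days=7)
SYNC_TIMEOUT = timedelta(minutes=10)


@dataclass
class DepSyncState:
    """Tenant-side bookkeeping for DEP sync (constructed model, not Intune's data)."""
    known_serials: Set[str] = field(default_factory=set)   # serials already listed in Intune
    last_full_sync: Optional[datetime] = None
    sync_started: Optional[datetime] = None                 # set while a request is in flight


def sync_button_enabled(state: DepSyncState, now: datetime) -> bool:
    """The Sync button stays disabled until the request succeeds or 10 minutes pass."""
    if state.sync_started is None:
        return True
    return now - state.sync_started >= SYNC_TIMEOUT


def plan_sync(state: DepSyncState, now: datetime, apple_serials) -> Tuple[str, Set[str]]:
    """Decide what Sync now will refresh: every serial Apple assigned to Intune when
    the seven-day rule allows a full sync, otherwise only serials not yet listed."""
    due = state.last_full_sync is None or now - state.last_full_sync >= FULL_SYNC_INTERVAL
    if due:
        return "full", set(apple_serials)
    return "new-only", set(apple_serials) - state.known_serials


def begin_sync(state: DepSyncState, now: datetime, apple_serials) -> Set[str]:
    """Press Sync now: raise if the button is disabled, otherwise record the request
    and return the serials this request refreshes."""
    if not sync_button_enabled(state, now):
        raise RuntimeError("Sync button is disabled: previous request still in progress")
    kind, refreshed = plan_sync(state, now, apple_serials)
    state.sync_started = now
    state.known_serials |= refreshed
    if kind == "full":
        state.last_full_sync = now
    return refreshed


def complete_sync(state: DepSyncState) -> None:
    """Apple answered the request: re-enable the Sync button."""
    state.sync_started = None
```

A serial that was already listed but whose assignment changed at Apple inside the seven-day window is therefore not refreshed until the next full sync is allowed.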

Distribute devices to users

Your corporate-owned devices can now be distributed to users. When an iOS device is turned on, it will be enrolled for management by Intune. The user device limit applies to DEP-managed devices.

If a user attempts to enroll a DEP device but has exceeded her device limit, enrollment will fail silently without warning the user.

Changes to Intune group assignments

Starting in April 2017, device group management is moving to Azure Active Directory. After the transition to Azure Active Directory groups, group assignment will no longer appear in the Corporate Enrollment Profile options. Because this change will roll out over a series of months, you might not see it right away. After moving to the new portal, dynamic device group assignments can be defined based on the Corporate Enrollment Profile names.

Upon migration, for every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic device group will be created in Azure AD based on the Corporate Device Enrollment profile's name. New group names have the format EnrollmentProfile:<name of associated profile>. This process ensures that devices already assigned to a device group will automatically enroll in the group that has policy and apps deployed.

This automatic group creation happens only once, during groups migration. After migration, Intune admins must create groups using the Azure portal. For details about how this affects company-owned iOS device enrollment, see Changes to Automatic Grouping for Corporate Pre-enrolled iOS Devices.

You can also Learn more about Azure Active Directory groups.

