Prerequisites for mobile device management in Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

Enabling employees to enroll their mobile devices with Intune requires the following steps. These same steps are required to manage company-owned devices.

Steps | Details
Step 1: Enable connections | Ensure your custom domain name is configured and network communication is ready
Step 2: Set MDM authority | The mobile device management authority defines the service assigned to your devices
Step 3: Create groups | Configure user-facing settings for the Company Portal app
Step 4: Configure Company Portal | Configure user-facing settings for the Company Portal app
Step 5: Assign user licenses | Assign Intune licenses to users so they can enroll devices
Step 6: Enable enrollment | Enable platform-specific settings for iOS and Windows management. Android devices need no additional configuration.
Step 7: Next steps | Enable platform-specific settings for iOS and Windows management. Android devices need no additional configuration.

Looking for Intune with Configuration Manager?

Step 1: Enable connections

Before you enable mobile device enrollment, be sure you've done the following:

Step 2: Set MDM authority

The MDM authority defines the management service that has permission to manage a set of devices. The options for the MDM authority include Intune by itself and Configuration Manager with Intune. If you set Configuration Manager as the management authority, no other service can be used for mobile device management.

Important

In Configuration Manager version 1610 or later and Microsoft Intune version 1705, you can change the MDM authority without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices. For details, see What to do if you choose the wrong MDM authority setting.

  1. In the Microsoft Intune administration console, choose Admin > Mobile Device Management.

  2. In the Tasks list, click Set Mobile Device Management Authority. The Set MDM Authority dialog box opens.

  3. Intune requests confirmation that you want Intune as your MDM authority. Select the check box, and then choose Yes to use Microsoft Intune to manage mobile devices.

Step 3: Create groups

You can create user and device groups to simplify management and improve targeting of deployed apps, policies, and company resources. Learn how to create groups.

Step 4: Configure Company Portal

The Intune Company Portal is where users access company data and can do common tasks like enrolling devices, installing apps, and locating information for assistance from your IT department.

Tip

When you customize the Company Portal, the configurations apply to both the Company Portal website and Company Portal apps.

Customizing the Company Portal helps to provide a familiar and helpful experience for your end users. To do this, sign in to the Microsoft Intune administration console as a tenant or service administrator, choose Admin > Company Portal, and configure the Company Portal settings.

Company contact information and privacy statement

The company name is displayed as the Company Portal title. The contact information and details are displayed to users in the Contact IT screen of the Company Portal. The privacy statement is displayed when a user clicks the privacy link.

Field name | Max length | More information
Company name | 40 | This name is displayed as the title of the Company Portal. Note: Alphanumeric characters only. This field doesn't support special characters.
IT department contact name | 40 | This name is displayed on the Contact IT page.
IT department phone number | 20 | This contact number is displayed on the Contact IT page.
IT department email address | 40 | This contact address is displayed on the Contact IT page. You must enter a valid email address in the format alias@domainname.com.
Additional information | 120 | This information is displayed on the Contact IT page.
Company privacy statement URL | 79 | You can specify your own company privacy statement that appears when users click the privacy links from the Company Portal. You must enter a valid URL in the format https://www.contoso.com.

Support contacts

The support website is displayed to users in the Company Portal to enable them to access online support.

Field name | Max length | More information
Support website URL | 150 | If you have a support website that you want your users to use, specify the URL here. The URL must be in the format https://www.contoso.com. If you don't specify a URL, nothing is displayed for the support website on the Contact IT page in the Company Portal.
Website name | 40 | This name is the friendly name that is displayed for the URL to the support website. If you specify a support website URL and no friendly name, then "Go to IT website" is displayed on the Contact IT page in the Company Portal.

Company branding customization

You can customize your Company Portal with your company logo, company name, theme color, and background.

Field name | More information
Theme color | Select a theme color to apply to the Company Portal.
Include company logo | When you enable this option, you can upload your company logo to show in your Company Portal. You can upload two logos: one logo that is displayed when the Company Portal background is white, and one logo that is displayed when the Company Portal background uses your selected theme color. Each logo must be a .png or .jpg file, have a maximum resolution of 400 x 100 pixels, and be 750 KB or less in size.
Choose a background for the Company Portal app | This setting affects the background for the Company Portal app only.

After you save your changes, you can use the links that are provided at the bottom of the Company Portal page of the administration console to view the Company Portal website. These links cannot be changed. When a user signs in, these links display your subscriptions in the Company Portal.

Step 5: Assign user licenses

You use the Office 365 management portal to manually add cloud-based users and assign licenses to both cloud-based user accounts and accounts that are synchronized from your on-premises Active Directory to Azure Active Directory (Azure AD). You can synchronize on-premises users to Azure AD.

  1. Sign in to the Office 365 management portal by using your tenant administrator credentials.

  2. Select the user account that you want to assign an Intune user license to, and then select the Microsoft Intune check box on the user account properties.

  3. The user account will now be added to the Microsoft Intune user group, which grants the user permissions to use the service and enroll their devices into management.

To synchronize on-premises users with Azure AD

  1. Add the UPN suffix for your custom domain in your on-premises Active Directory.
  2. Set the new UPN suffix for the on-premises users that you plan to import.
  3. Run Azure AD Connect sync to integrate your on-premises users with Azure AD.
  4. Once the user account information has successfully synchronized, you can then assign Microsoft Intune licenses using the Office 365 Management Portal.
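
The first three synchronization steps above can be scripted with the ActiveDirectory and ADSync PowerShell modules. This is an added example, not part of the original Microsoft page; the suffix `contoso.com` and the OU path are assumed placeholders, and the duplicate check covers only the current domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $NewSuffix and $SearchBase are assumed placeholder values.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$NewSuffix  = 'contoso.com',
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=contoso,DC=local'
)

# Step 1: add the UPN suffix to the forest only if it is missing.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    }
}

# UPNs already using the new suffix (current domain only), tracked so that a
# rename never produces a duplicate sign-in name.
$taken = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-ADUser -LDAPFilter "(userPrincipalName=*@$NewSuffix)" |
    ForEach-Object { [void]$taken.Add($_.UserPrincipalName) }

# Step 2: set the new suffix on the users that will be imported.
foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
    if (-not $user.UserPrincipalName) {
        Write-Warning "$($user.SamAccountName): no UPN set, skipped"
        continue
    }
    $alias  = ($user.UserPrincipalName -split '@')[0]
    $newUpn = "$alias@$NewSuffix"
    if ($user.UserPrincipalName -eq $newUpn) { continue }   # already correct
    if (-not $taken.Add($newUpn)) {
        Write-Warning "$($user.SamAccountName): $newUpn already in use, skipped"
        continue
    }
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
    }
}

# Step 3: trigger a delta sync. The ADSync module exists only on the
# Azure AD Connect server, so print a reminder when run elsewhere.
if (-not $WhatIfPreference -and (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue)) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Host 'Run "Start-ADSyncSyncCycle -PolicyType Delta" on the Azure AD Connect server.'
}
```

Running the script with `-WhatIf` first lists every suffix and UPN change without writing to the directory.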

Step 6: Enable enrollment

After setting up the MDM authority, you need to set up device management for the operating systems that your organization wants to support. The steps that are required to set up device management vary by operating system. For example, the Android OS does not require you to do anything in the Intune administration console. On the other hand, Windows and iOS require a trust relationship between devices and Intune to allow management.

Set up management for the following platforms:

You can also enable enrollment of corporate-owned devices.

Step 7: Next steps

Now that enrollment is enabled, you should set up management to meet your business's needs. The following are some management options:

What to do if you choose the wrong MDM authority setting

If you decide that you've chosen the wrong MDM authority setting and need to change it, you have the following options.

Change the MDM authority yourself

Beginning in Configuration Manager version 1610 and Microsoft Intune version 1705, you can change the MDM authority from Microsoft Intune to Configuration Manager (hybrid) or vice versa without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices. For details, see Change your MDM authority.

Contact Microsoft Support

If your Configuration Manager version is earlier than 1610, you must contact Microsoft Support. You cannot change the setting yourself. Before contacting Microsoft Support, review the following information, which describes what Microsoft Support will need from you to make the change.

There are three possible ways that your MDM authority can be reset. In your Support request, you'll need to choose the way that applies to your situation. If the scenario you are requesting is not listed, follow up with Microsoft Support.

Microsoft Support will ask you to confirm the following information:

  • Tenant ID: the domain used to log in to the service (for example, intune.onmicrosoft.com)
  • The MDM authority that you want to change to
  • Confirmation of prerequisite steps that you completed, as listed below

If you are using coexistence, you need to verify both the Intune and Office 365 checklists.

Reset MDM authority from Intune to Configuration Manager

Complete these steps before contacting Microsoft Support to reset your MDM authority.

  • Retire all devices from the Intune admin console. Do not try to retire a device from the device itself.
  • Delete the Service To Service Connector (under Administration > Mobile Device Management > Microsoft Exchange), or disable the Exchange Connector if you have set that up.
  • Remove the Device Enrollment Manager role from Admin > Device Enrollment Manager.
  • Turn off Device Group Mapping in Admin > Mobile Device Management > Device Group Mapping.
  • Delete sideloading keys from Admin > Mobile Device Management > Windows > Side Loading Keys.
  • Delete the iOS APNs certificate on the Admin > Mobile Device Management > iOS page.
  • Delete the iOS DEP token on the Admin > Mobile Device Management > iOS page.
  • Delete all policies that are for MDM devices under Policy > Configuration Policies.
  • Delete all published applications that are for MDM devices in Apps > Managed Software.

Reset MDM authority from Configuration Manager to Intune

Complete these steps before contacting Microsoft Support to reset your MDM authority.

  • Retire all devices (that are managed as mobile devices) from the Configuration Manager Console. Do not try to retire a device from the device itself.
  • Remove all users from the Intune User Group. Point the Intune subscription to an empty user collection, or remove all users from the targeted collection. Confirm in the CloudUserSync.log that users are removed.
  • Uncheck the iOS platform to purge the APNs certificate.
  • Delete all published applications that are for MDM devices.
  • Delete all policies that are for MDM devices.
  • Remove the Windows Intune Connector from the Configuration Manager Console (applicable only to R2 SP1 or below). Remove the Intune subscription by right-clicking the subscription and selecting Delete.
  • Restart the SMS Executive Service.
  • Provide us with some example users so that we can verify, after the process completes, that Configuration Manager licenses were removed.

Reset MDM authority from Office 365 to Configuration Manager

  1. Navigate to https://protection.office.com.
  2. Select the Security Policies tab, and select Device Management.
  3. Retire all devices by choosing Selective Wipe. Do not try to retire a device from the device itself. If selective wipe is disabled, no further action is required.
  4. Select the Security Policies tab, and select Device Security Policies.
  5. Select Delete for all existing policies. If the policies are in a pending state, no further action is required.

Note

The iOS APNs certificate cannot be deleted and remains attached to the account.

Next steps for MDM authority resets

Once Microsoft Support verifies the items on the applicable checklist, resetting the MDM authority can take up to three business days, but typically occurs within one day.

Important

Do not try to configure your subscription until Microsoft Support confirms that the reset has completed successfully! Premature configuration may cause corruption and/or impact your ability to use the Intune service.