How to bulk-enroll devices with on-premises MDM in Configuration Manager

Applies to: Configuration Manager (current branch)

Bulk enrollment in Configuration Manager on-premises mobile device management (MDM) is an automated method to enroll devices. The other method is user enrollment, which requires users to enter their credentials to enroll the device. Bulk enrollment uses an enrollment package to authenticate the device during enrollment. The package is a .ppkg file, which can also contain certificate and Wi-Fi profiles to support enrollment.

Create a certificate profile

Include a certificate profile to automatically install a trusted root certificate on the device. This root certificate is required for trusted communication between the devices and the site system roles needed for on-premises MDM.

When you prepare the site for on-premises MDM, you export the trusted root certificate. Use this certificate in the enrollment package's certificate profile. For more information on how to get the trusted root certificate, see Export the trusted root certificate.

Use the exported certificate to create a certificate profile. For more information, see How to create certificate profiles.

Create a Wi-Fi profile

Another component of the bulk enrollment package is a Wi-Fi profile. This profile can make sure that the device has the network connectivity to support enrollment.

For more information on how to create a Wi-Fi profile in Configuration Manager, see How to create Wi-Fi profiles.

Wi-Fi profile limitations

When you create a Wi-Fi profile for on-premises MDM bulk enrollment, review the following limitations.

Wi-Fi security configurations for on-premises MDM

The current branch of Configuration Manager only supports the following Wi-Fi security configurations for on-premises MDM:

  • Security types: WPA2 Enterprise or WPA2 Personal

  • Encryption types: AES or TKIP

  • EAP types: Smart Card or other certificate or PEAP
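
The limits above can be checked before a profile goes into an enrollment package. The following PowerShell is an added example, not part of the original documentation or of Configuration Manager; it assumes the Wi-Fi settings are available as a Windows WLAN profile XML file (the format produced by `netsh wlan export profile`), and the function name `Test-OnPremMdmWifiProfile` and the sample profile are constructed for illustration.

```powershell
# Added example: check a WLAN profile XML against the on-premises MDM limits listed above.
function Test-OnPremMdmWifiProfile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$WlanXml)

    # local-name() avoids having to bind the WLAN, OneX and EapHost XML namespaces.
    function Get-Text([string]$XPath) {
        $node = $WlanXml.SelectSingleNode($XPath)
        if ($node) { $node.InnerText.Trim() } else { $null }
    }

    $auth = Get-Text "//*[local-name()='authEncryption']/*[local-name()='authentication']"
    $enc  = Get-Text "//*[local-name()='authEncryption']/*[local-name()='encryption']"
    $eap  = Get-Text "//*[local-name()='EapMethod']/*[local-name()='Type']"

    $problems = @()
    # In the WLAN profile schema, WPA2 = WPA2 Enterprise and WPA2PSK = WPA2 Personal.
    if ($auth -notin 'WPA2', 'WPA2PSK') {
        $problems += "Security type '$auth' is not WPA2 Enterprise or WPA2 Personal"
    }
    if ($enc -notin 'AES', 'TKIP') {
        $problems += "Encryption type '$enc' is not AES or TKIP"
    }
    # EAP applies only to WPA2 Enterprise: 13 = EAP-TLS (smart card or other certificate), 25 = PEAP.
    if ($auth -eq 'WPA2' -and $eap -notin '13', '25') {
        $problems += "EAP type '$eap' is not smart card/certificate (13) or PEAP (25)"
    }

    [pscustomobject]@{
        Name      = Get-Text "/*[local-name()='WLANProfile']/*[local-name()='name']"
        Supported = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample: an open network, which falls outside the supported list.
# For a real file, load it with: [xml](Get-Content -Raw .\profile.xml)
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Constructed-Staging</name>
  <SSIDConfig><SSID><name>Constructed-Staging</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security><authEncryption>
    <authentication>open</authentication>
    <encryption>none</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@
Test-OnPremMdmWifiProfile -WlanXml $sample | Format-List
```

For the constructed sample, `Supported` is `False` and `Problems` lists both the security type and the encryption type.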

Proxy server

Although Configuration Manager has a setting for proxy server information in the Wi-Fi profile, it doesn't configure the proxy when the device enrolls. If you need to set up a proxy server on bulk-enrolled devices:

  • Deploy the settings using configuration items once devices enroll.

  • Create a second package using the Windows Image and Configuration Designer (ICD), then deploy it along with the bulk enrollment package.

Create an enrollment profile

The enrollment profile allows you to specify settings required for device enrollment. These settings include a certificate profile and a Wi-Fi profile.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand All Corporate-owned Devices, expand Windows, and select the Enrollment Profiles node.

  2. In the ribbon, select Create Enrollment Profile.

  3. On the General page of the Create Enrollment Profile wizard, specify the following information:

    • Name: A unique name to identify the profile

    • Description: An optional field to further describe the profile

    • Management Authority: Only select On-Premises

  4. On the Site assignment page, select the Management site code with a device management point.

  5. On the Select Enrollment Proxy Point page, select Intranet Only, and then select one or more enrollment proxy points. Devices use these servers to start the enrollment process.

  6. On the Select Trusted Root Certificate page, select the certificate profile that contains the trusted root certificate.

  7. On the Wi-Fi profiles page, select the Wi-Fi profile that contains the necessary network settings for devices to connect.

    Tip

    If you aren't using a Wi-Fi profile for your enrollment package, skip this step.

  8. Complete the wizard.

Create an enrollment package

The enrollment package (.ppkg) is the file that you use to bulk-enroll devices for on-premises MDM. Create this file with Configuration Manager. While you can create similar types of packages with Windows ICD, only packages that you create in Configuration Manager can be used to enroll devices for on-premises MDM. A package that you create with Windows ICD can only provide the user principal name (UPN) needed for enrollment; it can't start the actual enrollment process.

The process to create the enrollment package requires the Windows Assessment and Deployment Toolkit (ADK) for Windows 10. On the computer running the Configuration Manager console, install the latest version of the Windows ADK. Select the Imaging and Configuration Designer (ICD) feature and any dependencies. (This version doesn't need to match the version used for OS deployment by the Configuration Manager site.) For more information, see Download the Windows ADK for Windows 10.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand All Corporate-owned Devices, expand Windows, and select the Enrollment Profiles node.

  2. Select an existing enrollment profile. In the ribbon, select Export.

  3. In the Export Enrollment Package window, specify the following information:

    • Validity Period (days): By default, Configuration Manager sets the enrollment package to expire in two weeks (14 days). You can't use the package for device enrollment after the validity period expires. Enter an integer between 1 and 30.

    • Package File: Specify a local or network file path and name for the .ppkg file.

    • Encrypt Package: Enable this option to password-protect the package. After you export the package, Configuration Manager displays the generated password. Copy and save the password in a secure location. You can't use the exported enrollment package without the password.

      Important

      Configuration Manager doesn't save the password, and you can't customize or change it. Once you close the window that displays the password, there's no way to retrieve the password.

  4. Select Export. Configuration Manager uses the Windows ADK to create the enrollment package.

Configuration Manager keeps track of valid enrollment packages. In the console, expand the Enrollment Profile node and select Exported Packages.

Tip

If you remove an enrollment package from the Configuration Manager console, you can't use it to enroll devices. Use this method to manage enrollment packages that you don't want others to use for bulk enrollment.

Bulk-enroll a device

You can use a package to enroll devices before or after the device's out-of-box experience (OOBE) process. The enrollment package can also be included as part of an original equipment manufacturer (OEM) provisioning package.

To use the package for bulk enrollment, you need to physically deliver it to the device. There are various methods depending on your needs, for example:

  • Copy from the file system

  • Attach to an email

  • Copy across a near field communication (NFC) connection

  • Copy from a memory card

  • Scan a barcode

  • Copy from a tethered device

  • Include in an OEM provisioning package

Enroll a device with a bulk enrollment package

  1. On a device, open the .ppkg file. Run as administrator if necessary.

  2. When Windows asks if the package is from a trusted source, select Yes.

The enrollment process starts.

Verify enrollment

Verify bulk enrollment on the device

  1. On the device, open Settings.

  2. Select Accounts, and select Access work or school. When enrollment is successful, you see an account under CompanyApps.

  3. Select the account, and then select Sync. This action starts management with Configuration Manager.

Verify enrollment in the console

Use the Configuration Manager console to verify that devices are enrolled successfully. In the Configuration Manager console, go to the Assets and Compliance workspace, and select Devices. Browse or search for the enrolled device in the list of devices.