Add iOS, iPadOS, or macOS device feature settings in Intune

Intune includes many features and settings that help administrators control iOS, iPadOS, and macOS devices. For example, administrators can:

  • Allow users access to AirPrint printers in your network
  • Add apps and folders to the home screen, including adding new pages
  • Choose if and how app notifications are shown
  • Configure the lock screen to show a message or the asset tag, especially for shared devices
  • Give users a secure single sign-on experience to share credentials between apps
  • Filter web sites that use adult language and allow or block specific web sites

Intune uses "configuration profiles" to create and customize these settings for your organization's needs. After you add these features in a profile, you then push or deploy the profile to iOS/iPadOS and macOS devices in your organization.

This article describes the different features you can configure, and shows you how to create a device configuration profile. You can also see all the available settings for iOS/iPadOS and macOS devices.

AirPrint

AirPrint is an Apple feature that allows devices to print to files over a wireless network. In Intune, you can add AirPrint information to devices.

For a list of the settings you can configure in Intune, see AirPrint on iOS/iPadOS and AirPrint on macOS.

For more information on AirPrint, see About AirPrint on Apple's web site.

Applies to:

  • iOS 7.0 and newer
  • iPadOS 13.0 and newer
  • macOS 10.10 and newer

App notifications

Choose how apps on your iOS and iPadOS devices receive notifications. For example, send app notifications so they show in the notification center, show on the lock screen, or play a sound.

For a list of the settings you can configure in Intune, see App notifications on iOS/iPadOS.

For more information on this feature, see Notifications on Apple's web site.

Applies to:

  • iOS 9.3 and newer
  • iPadOS 13.0 and newer

Associated domains

Associated domains allow you to create a relationship between your domains, such as contoso.com, and your apps. This feature allows you to:

  • Share data and sign in credentials between apps and websites in your organization.

  • Use app features that are based on your website, such as single sign-on app extension, universal links, and password autofill.

    For example, create an associated domain to allow password autofill to recommend credentials, such as a password, for websites associated with your app.

For a list of the settings you can configure in Intune, see Associated domains on macOS.

For more information on this feature, see Setting Up an App's Associated Domains on Apple's web site.

Applies to:

  • macOS 10.15 and newer

Home screen layout

These settings configure the app layout and folders on the dock and home screens on iOS and iPadOS devices. You can:

  • Use the Dock settings to add apps or folders to the screen. For example, show Safari and the Mail app on the device dock.
  • Add Pages you want shown on the home screen, and the apps you want shown on each page. For example, add a Contoso page, and add the Settings app on this page.

For a list of the settings you can configure in Intune, see Home screen layout on iOS/iPadOS.

Applies to:

  • iOS 9.3 and newer
  • iPadOS 13.0 and newer

Lock screen message

Use these settings to show a custom message or text on the sign in window and lock screen. For example, you can enter an "If lost, return to ..." message, and show asset tag information.

For a list of the settings you can configure in Intune, see Lock screen message settings on iOS/iPadOS.

For more information on Lock Screen Message, see LockScreenMessage on Apple's web site.

Applies to:

  • iOS 9.3 and newer
  • iPadOS 13.0 and newer

Login items

Use this feature to choose the apps, custom apps, files, and folders that open when users sign in to the devices.

For a list of the settings you can configure in Intune, see Login items on macOS.

Applies to:

  • macOS 10.13 and newer

Login window

Control the appearance of the login screen and functions available to users before they sign in. For example, add a banner with a custom message, choose if the sleep button is shown, and more.

For a list of the settings you can configure in Intune, see Login window on macOS.

Applies to:

  • macOS 10.7 and newer

Single sign-on

Most Line of Business (LOB) apps require some level of user authentication to support security. In many cases, the authentication requires users to enter the same credentials repeatedly. To improve the user experience, developers can create apps that use single sign-on (SSO). Using single sign-on reduces the number of times a user must enter credentials.

The single sign-on profile is based on Kerberos. Kerberos is a network authentication protocol that uses secret key cryptography to authenticate client-server applications. The Intune settings define Kerberos account information when accessing servers or specific apps, and handle Kerberos challenges for web pages and native apps. Apple recommends you use the Kerberos SSO app extension (in this article) settings instead of the SSO settings.

To use single sign-on, be sure you have:

  • An app that's coded to look for the user credential store in single sign-on on the device.
  • Intune configured for iOS/iPadOS device single sign-on.

For a list of the settings you can configure in Intune, see Single sign-on on iOS/iPadOS.

Applies to:

  • iOS 7.0 and newer
  • iPadOS 13.0 and newer

Single sign-on app extension

These settings configure an app extension that enables single sign-on (SSO) for your iOS, iPadOS, and macOS devices. Most Line of Business (LOB) apps and organization websites require some level of secure user authentication. In many cases, authentication requires users to enter the same credentials repeatedly. SSO gives users access to apps and websites after entering their credentials once. SSO also provides a better authentication experience for users, and reduces the number of repeated prompts for credentials.

In Intune, use these settings to configure an SSO app extension created by your organization, your identity provider, Microsoft, or Apple. The SSO app extension handles authentication for your users. These settings configure redirect-type and credential-type SSO app extensions.

  • The redirect type is designed for modern authentication protocols, such as OpenID Connect, OAuth, and SAML2. You can choose between the Microsoft Azure AD SSO extension (Microsoft Enterprise SSO plug-in) and a generic redirect extension.

    Important

    On macOS, the Microsoft Azure AD SSO extension is still being developed. It's listed in the Intune user interface, but doesn't work as expected. On macOS, don't use Microsoft Azure AD for the SSO app extension type.

  • The credential type is designed for challenge-and-response authentication flows. You can choose between a Kerberos-specific credential extension provided by Apple, and a generic credential extension.
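
The redirect and credential types described above end up as different keys in the deployed profile. The following is an added example, not code from this article, Microsoft, or Apple: a Python check that reads an exported profile and reports SSO extension payloads whose keys don't fit their type. The payload type and key names follow Apple's Single Sign-On Extensions payload; the sample profile, the `com.example.*` identifiers, and the HTTPS-only rule are assumptions made for the example.

```python
import plistlib
# Constructed sample profile (not from the page), trimmed to the keys the check reads.
# Payload type and key names follow Apple's Single Sign-On Extensions payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
  <dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
    <key>TeamIdentifier</key><string>apple</string>
    <key>Type</key><string>Credential</string>
    <key>Realm</key><string>CONTOSO.COM</string>
    <key>Hosts</key><array><string>.contoso.com</string></array>
  </dict>
  <dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.example.idp.redirect</string>
    <key>Type</key><string>Redirect</string>
    <key>URLs</key><array><string>http://login.contoso.com</string></array>
  </dict>
  <dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.example.idp.generic</string>
    <key>Type</key><string>Credential</string>
    <key>Realm</key><string>CONTOSO.COM</string>
  </dict>
</array></dict></plist>"""

# Keys each extension type requires: credential extensions match on realm and
# hosts, redirect extensions match on identity provider URL prefixes.
REQUIRED = {"Credential": ("Realm", "Hosts"), "Redirect": ("URLs",)}

def audit_sso_payloads(profile_bytes):
    """Return (extension identifier, problem) pairs for SSO extension payloads."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue
        ext = payload.get("ExtensionIdentifier", "<no ExtensionIdentifier>")
        kind = payload.get("Type")
        if kind not in REQUIRED:
            findings.append((ext, f"unknown Type {kind!r}"))
            continue
        for key in REQUIRED[kind]:
            if not payload.get(key):
                findings.append((ext, f"{kind} payload missing {key}"))
        # Local hardening policy (assumption): identity provider URLs must be HTTPS.
        for url in payload.get("URLs", []) if kind == "Redirect" else []:
            if not url.lower().startswith("https://"):
                findings.append((ext, f"non-HTTPS URL {url}"))
    return findings
```

Calling `audit_sso_payloads(SAMPLE_PROFILE)` passes the Kerberos payload and reports the other two.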

For a list of the settings you can configure in Intune, see iOS/iPadOS SSO app extension and macOS SSO app extension.

For more information on developing an SSO app extension, watch Extensible Enterprise SSO on Apple's web site. To read Apple's description of the feature, visit Single Sign-On Extensions payload settings.

Note

The Single sign-on app extension feature is different than the Single sign-on feature:

  • The Single sign-on app extension settings apply to iPadOS 13.0 (and newer), iOS 13.0 (and newer), and macOS 10.15 (and newer). Single sign-on settings apply to iPadOS 13.0 (and newer) and iOS 7.0 and newer.

  • The Single sign-on app extension settings define extensions for use by identity providers or organizations to deliver a seamless enterprise sign-on experience. The Single sign-on settings define Kerberos account information for when users access servers or apps.

  • The Single sign-on app extension uses the Apple operating system to authenticate. So, it might provide an end-user experience that's better than Single sign-on.

  • From a development perspective, with Single sign-on app extension, you can use any type of redirect SSO or credential SSO authentication. With Single sign-on, you can only use Kerberos SSO authentication.

  • The Kerberos Single sign-on app extension was developed by Apple and is built into the iOS/iPadOS 13.0+ and macOS 10.15+ platforms. The built-in Kerberos extension can be used to log users into native apps and websites that support Kerberos authentication. Single sign-on is not an Apple implementation of Kerberos.

  • The built-in Kerberos Single sign-on app extension handles Kerberos challenges for web pages and apps just like Single sign-on. However, the built-in Kerberos extension supports password changes and behaves better in enterprise networks. When deciding between the Kerberos Single sign-on app extension and Single sign-on, we recommend using the extension due to improved performance and capabilities.

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer
  • macOS 10.15 and newer

Wallpaper

Add a custom .png, .jpg, or .jpeg image to your supervised iOS/iPadOS devices. For example, use Intune to add a company logo to the lock screen on your devices.

For a list of the settings you can configure in Intune, see Wallpaper on iOS/iPadOS.

Applies to:

  • iOS
  • iPadOS 13.0 and newer

Web content filter

These settings use Apple's built-in AutoFilter algorithm to evaluate web pages, and block adult content and adult language. You can also create a list of allowed web links and restricted web links. For example, you can allow only contoso web sites to open.

For a list of the settings you can configure in Intune, see Web content filter on iOS/iPadOS.

Applies to:

  • iOS 7.0 and newer
  • iPadOS 13.0 and newer

Create the profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:

      • iOS/iPadOS
      • macOS
    • Profile: Select Device features.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Configures login screen.
    • Description: Enter a description for the policy. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps

The profile is created, but it may not be doing anything yet. Next, assign the profile and monitor its status.

View all the device feature settings for iOS/iPadOS and macOS devices.