iOS and iPadOS device settings to use common iOS/iPadOS features in Intune

Intune includes some built-in settings to allow iOS/iPadOS users to use different Apple features on their devices. For example, you can control AirPrint printers, add apps and folders to the dock and home screen pages, show app notifications, show asset tag details on the lock screen, use single sign-on authentication, and use certificate authentication.

Use these features to control iOS/iPadOS devices as part of your mobile device management (MDM) solution.

This article lists these settings, and describes what each setting does. For more information on these features, go to Add iOS/iPadOS or macOS device feature settings.

Before you begin

Create an iOS/iPadOS device features profile.

Note

These settings apply to different enrollment types, with some settings applying to all enrollment options. For more information on the different enrollment types, see iOS/iPadOS enrollment.

AirPrint

Settings apply to: All enrollment types

Note

Be sure to add all printers to the same profile. Apple prevents multiple AirPrint profiles from targeting the same device.

  • IP address: Enter the IPv4 or IPv6 address of the printer. If you use hostnames to identify printers, you can get the IP address by pinging the printer in the Terminal. Get the IP address and path (in this article) provides more details.
  • Path: The path is typically ipp/print for printers on your network. Get the IP address and path (in this article) provides more details.
  • Port: Enter the listening port of the AirPrint destination. If you leave this property blank, AirPrint uses the default port. Available on iOS 11.0+, and iPadOS 13.0+.
  • TLS: Enable secures AirPrint connections with Transport Layer Security (TLS). Available on iOS 11.0+, and iPadOS 13.0+.

To add AirPrint servers, you can:

  • Add: Adds the AirPrint server to the list. Many AirPrint servers can be added.
  • Import a comma-separated file (.csv) with this information. Or, Export to create a list of the AirPrint servers you added.

Get server IP address, resource path, and port

To add AirPrint servers, you need the IP address of the printer, the resource path, and the port. The following steps show you how to get this information.

  1. On a Mac that's connected to the same local network (subnet) as the AirPrint printers, open Terminal (from /Applications/Utilities).

  2. In the Terminal, type ippfind, and press Enter.

    Note the printer information. For example, it may return something similar to ipp://myprinter.local.:631/ipp/port1. The first part is the name of the printer. The last part (ipp/port1) is the resource path.

  3. In the Terminal, type ping myprinter.local, and press Enter.

    Note the IP address. For example, it may return something similar to PING myprinter.local (10.50.25.21).

  4. Use the IP address and resource path values. In this example, the IP address is 10.50.25.21, and the resource path is /ipp/port1.
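The four steps above are easy to get wrong by hand (trailing mDNS dot in the host name, leading slash on the path, a port that was omitted because it is the IPP default). The following Python is an added example, not code from the article or from Intune: it parses the ippfind URI and the first ping line into the IP address, path, port and TLS values the AirPrint settings ask for. The sample strings are constructed from the values quoted in the steps; treating the ipps scheme as "TLS enabled" and 631 as the default IPP port are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Constructed sample output, modelled on the ippfind / ping lines quoted in the article.
SAMPLE_IPPFIND = "ipp://myprinter.local.:631/ipp/port1"
SAMPLE_PING = "PING myprinter.local (10.50.25.21): 56 data bytes"

IPP_DEFAULT_PORT = 631  # IANA port for IPP; used when the URI carries no explicit port


def parse_ippfind_uri(uri):
    """Split an ippfind URI into the values the AirPrint settings need.

    Returns host (trailing mDNS dot removed), port, the resource path without
    its leading slash (the article's "ipp/print" style), and whether the
    printer advertised IPP over TLS (ipps:// scheme).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ipp", "ipps"):
        raise ValueError(f"not an IPP URI: {uri!r}")
    if not parts.hostname:
        raise ValueError(f"URI has no host: {uri!r}")
    return {
        "host": parts.hostname.rstrip("."),
        "port": parts.port if parts.port is not None else IPP_DEFAULT_PORT,
        "path": parts.path.lstrip("/"),
        "tls": parts.scheme == "ipps",
    }


# First line of ping output: "PING <name> (<address>)..."
_PING_RE = re.compile(r"^PING\s+\S+\s+\(([0-9a-fA-F.:]+)\)")


def parse_ping_ip(line):
    """Pull the resolved IPv4/IPv6 address out of the first line of ping output."""
    m = _PING_RE.match(line.strip())
    if not m:
        raise ValueError(f"no address in ping output: {line!r}")
    return m.group(1)


def airprint_entry(ippfind_uri, ping_line):
    """Combine both outputs into one record mirroring the AirPrint profile fields."""
    printer = parse_ippfind_uri(ippfind_uri)
    return {
        "ip_address": parse_ping_ip(ping_line),
        "path": printer["path"],
        "port": printer["port"],
        "tls": printer["tls"],
        "hostname": printer["host"],
    }


if __name__ == "__main__":
    print(airprint_entry(SAMPLE_IPPFIND, SAMPLE_PING))
```

Feed it the real ippfind and ping lines from your Mac and the resulting record maps one-to-one onto the IP address, Path, Port and TLS fields above; a printer that only advertises ipp:// is one you should not expect to secure with the TLS setting.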

Home screen layout

This feature applies to:

  • iOS 9.3 or newer
  • iPadOS 13.0 and newer

Settings apply to: Automated device enrollment (supervised)

Note

Only add one app to the dock, a page, or a folder on a page. Adding the same app in all places prevents the app from showing on devices, and may show reporting errors.

For example, if you add the camera app to a dock and a page, the camera app isn't shown, and reporting might show an error for the policy. To add the camera app to the home screen layout, choose only the dock or a page, not both.

Dock

Use the Dock settings to add up to six items or folders to the dock on the screen. Many devices support fewer items. For example, iPhone devices support up to four items. In this case, only the first four items you add are shown on devices.

You can add up to six items (apps and folders combined) for the device dock.

  • Add: Adds apps or folders to the dock on devices.

  • Type: Add an App or a Folder:

    • App: Choose this option to add apps to the dock on the screen. Enter:

      • App Name: Enter a name for the app. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on the iOS/iPadOS device.
      • App Bundle ID: Enter the bundle ID of the app. See Bundle IDs for built-in iOS/iPadOS apps for some examples.
    • Folder: Choose this option to add a folder to the dock on the screen.

      Apps that you add to a page in a folder are arranged from left to right, in the same order as the list. If you add more apps than can fit on a page, the apps are moved to another page.

      • Folder name: Enter the name of the folder. This name is shown to users on their devices.

      • List of pages: Add a page, and enter the following properties:

        • Page name: Enter a name for the page. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on the iOS/iPadOS device.
        • App Name: Enter a name for the app. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on the iOS/iPadOS device.
        • App Bundle ID: Enter the bundle ID of the app. See Bundle IDs for built-in iOS/iPadOS apps for some examples.

        You can add up to 20 pages for the device dock.

Note

When you use the Home Screen Layout settings to add pages, or add pages and apps to the Dock, the icons on the Home Screen and pages are locked. They can't be moved or deleted. This behavior might be by design with iOS/iPadOS and Apple's MDM policies.

Example

In the following example, the dock screen shows the Safari, Mail, and Stocks apps. The Mail app is selected to show its properties:

Sample iOS/iPadOS Home screen layout dock settings in Intune

When you assign the policy to an iPhone, the dock looks similar to the following image:

Sample iOS/iPadOS dock layout on iPhone

Pages

Add the pages you want shown on the home screen, and the apps you want shown on each page. Apps that you add to a page are arranged from left to right, in the same order as the list. If you add more apps than can fit on a page, the apps are moved to another page.

Tip

To reorder items in any Home screen and pages lists, you can drag and drop them.

You can add up to 40 pages on a device.

  • List of pages: Add a page, and enter the following properties:

    • Page name: Enter a name for the page. This name is used for your reference in the Microsoft Endpoint Manager admin center, and isn't shown on the iOS/iPadOS device.

    You can add up to 60 items (apps and folders combined) on a device.

    • Add: Adds apps or folders to a page on devices.

      • Type: Add an App or a Folder:

        • App: Choose this option to add apps to a page on the screen. Also enter:

          • App Name: Enter a name for the app. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on the iOS/iPadOS device.
          • App Bundle ID: Enter the bundle ID of the app. See Bundle IDs for built-in iOS/iPadOS apps for some examples.
        • Folder: Choose this option to add a folder to a page on the screen.

          Apps that you add to a page in a folder are arranged from left to right, in the same order as the list. If you add more apps than can fit on a page, the apps are moved to another page.

          • Folder name: Enter a name for the folder. This name is shown to users on devices.

          • Add: Adds pages to the folder. Also enter the following properties:

            • Page name: Enter a name for the page. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on the iOS/iPadOS device.
            • App Name: Enter a name for the app. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on the iOS/iPadOS device.
            • App Bundle ID: Enter the bundle ID of the app. See Bundle IDs for built-in iOS/iPadOS apps for some examples.
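The Dock and Pages sections above state several limits (six dock items, four on iPhone, 20 pages per dock folder, 40 pages, 60 page items) and one failure mode: an app placed in more than one spot disappears from the device and the policy reports an error. The Intune UI does not stop you from building such a layout, so the following Python is an added example (not Intune code) that checks a layout against those rules before you assign it. The layout dictionary shape is this example's own; the bundle IDs in the samples are Apple's well-known ones for the built-in apps the article's screenshots show.

```python
# Limits taken from the Dock and Pages sections of this article.
MAX_DOCK_ITEMS = 6           # apps and folders combined in the dock
IPHONE_DOCK_ITEMS = 4        # iPhone shows only the first four dock items
MAX_DOCK_FOLDER_PAGES = 20   # pages inside a folder that sits in the dock
MAX_HOME_PAGES = 40          # home screen pages on a device
MAX_PAGE_ITEMS = 60          # apps and folders combined across all pages


def _record_apps(items, where, in_dock, seen, errors):
    """Walk apps and folders, noting every location each bundle ID appears in."""
    for item in items:
        if item["type"] == "app":
            seen.setdefault(item["bundle_id"], []).append(where)
        elif item["type"] == "folder":
            pages = item["pages"]
            if in_dock and len(pages) > MAX_DOCK_FOLDER_PAGES:
                errors.append(f"dock folder {item['name']!r} has {len(pages)} pages (max {MAX_DOCK_FOLDER_PAGES})")
            for page in pages:
                nested = f"{where} > folder {item['name']} > page {page['name']}"
                _record_apps(page["items"], nested, in_dock, seen, errors)
        else:
            errors.append(f"unknown item type {item['type']!r} in {where}")


def validate_home_screen_layout(layout):
    """Return (errors, warnings) for a layout {'dock': [...], 'pages': [...]}.

    Items are {'type': 'app', 'bundle_id': ...} or
    {'type': 'folder', 'name': ..., 'pages': [{'name': ..., 'items': [...]}]}.
    An empty error list means every app is placed once and all limits hold.
    """
    errors, warnings, seen = [], [], {}
    dock = layout.get("dock", [])
    pages = layout.get("pages", [])

    if len(dock) > MAX_DOCK_ITEMS:
        errors.append(f"dock has {len(dock)} items (max {MAX_DOCK_ITEMS})")
    elif len(dock) > IPHONE_DOCK_ITEMS:
        warnings.append(f"dock has {len(dock)} items; iPhone shows only the first {IPHONE_DOCK_ITEMS}")
    if len(pages) > MAX_HOME_PAGES:
        errors.append(f"{len(pages)} pages (max {MAX_HOME_PAGES})")
    page_items = sum(len(p["items"]) for p in pages)
    if page_items > MAX_PAGE_ITEMS:
        errors.append(f"{page_items} items on pages (max {MAX_PAGE_ITEMS})")

    _record_apps(dock, "dock", True, seen, errors)
    for page in pages:
        _record_apps(page["items"], f"page {page['name']}", False, seen, errors)

    # The article's failure mode: an app placed in more than one spot is not
    # shown at all and the policy reports an error.
    for bundle_id, places in seen.items():
        if len(places) > 1:
            errors.append(f"{bundle_id} appears {len(places)} times: {', '.join(places)}")
    return errors, warnings


def app(bundle_id):
    return {"type": "app", "bundle_id": bundle_id}


# Constructed sample matching the article's screenshots: Safari, Mail and
# Stocks in the dock, a "Contoso" page with Find Friends and Settings.
GOOD_LAYOUT = {
    "dock": [app("com.apple.mobilesafari"), app("com.apple.mobilemail"), app("com.apple.stocks")],
    "pages": [{"name": "Contoso", "items": [app("com.apple.mobileme.fmf1"), app("com.apple.Preferences")]}],
}

# Constructed sample reproducing the Camera mistake described in the Note above.
BAD_LAYOUT = {
    "dock": [app("com.apple.camera")],
    "pages": [{"name": "Page 1", "items": [app("com.apple.camera")]}],
}

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        errors, warnings = validate_home_screen_layout(layout)
        print(name, "errors:", errors, "warnings:", warnings)
```

Run it over the layout you intend to enter in the admin center; a non-empty error list is exactly the set of conditions the article says will leave an app missing from the device or produce a reporting error.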

Example

In the following example, a new page named Contoso is added. The page shows the Find Friends and Settings apps:

iOS/iPadOS Home screen layout new page settings and example in Intune

The Settings app is selected to show its properties:

iOS/iPadOS Home screen layout Settings app properties example in Intune

When you assign the policy to an iPhone, the page looks similar to the following image:

iOS/iPadOS device with modified home screen in Intune

App notifications

Settings apply to: Automated device enrollment (supervised)

  • Add: Add notifications for apps:

    Add app notification in iOS/iPadOS profile in Intune

    • App bundle ID: Enter the App Bundle ID of the app you want to add. See Bundle IDs for built-in iOS/iPadOS apps for some examples.
    • App name: Enter the name of the app you want to add. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on devices.
    • Publisher: Enter the publisher of the app you're adding. This name is used for your reference in the Microsoft Endpoint Manager admin center. It isn't shown on devices.
    • Notifications: Enable or Disable the app from sending notifications to devices.
      • Show in Notification Center: Enable allows the app to show notifications in the device Notification Center. Disable prevents the app from showing notifications in the Notification Center.
      • Show in Lock Screen: Enable shows app notifications on the device lock screen. Disable prevents the app from showing notifications on the lock screen.
      • Alert type: When devices are unlocked, choose how the notification is shown. Your options:
        • None: No notification is shown.
        • Banner: A banner is briefly shown with the notification.
        • Modal: The notification is shown, and users must manually dismiss it before continuing to use the device.
      • Badge on app icon: Select Enable to add a badge to the app icon. The badge means the app sent a notification.
      • Sounds: Select Enable to play a sound when a notification is delivered.

Lock screen message

This feature applies to:

  • iOS 9.3 and later
  • iPadOS 13.0 and newer

Settings apply to: Automated device enrollment (supervised)

  • Asset tag information: Enter information about the asset tag of the device. For example, enter Owned by Contoso Corp or Serial Number: {{serialnumber}}.

    The text you enter is shown on the sign-in window and lock screen on devices.

  • Lock screen footnote: If devices are lost or stolen, enter a note that might help get the device returned. You can enter any text you want. For example, enter something like If found, call Contoso at ....

    Device tokens can also be used to add device-specific information to these fields. For example, to show the serial number, enter Serial Number: {{serialnumber}} or Device ID: {{DEVICEID}}. On the lock screen, the text shows similar to Serial Number 123456789ABC. When entering variables, be sure to use curly brackets {{ }}. App configuration tokens includes a list of variables that can be used. You can also use DEVICENAME or any other device-specific value.

    Note

    Variables aren't validated in the UI, and are case sensitive. As a result, you may see profiles saved with incorrect input. For example, if you enter {{DeviceID}} instead of {{deviceid}} or {{DEVICEID}}, then the literal string is shown instead of the device's unique ID. Be sure to enter the correct information. All lowercase or all uppercase variables are supported, but not a mix.

Single sign-on

Settings apply to: Device enrollment, Automated device enrollment (supervised)

  • Realm: Enter the domain part of the URL. For example, enter contoso.com.

  • Kerberos principal name: Intune looks for this attribute for each user in Azure AD. Intune then populates the respective field (such as UPN) before generating the XML that gets installed on devices. Your options:

    • Not configured: Intune doesn't change or update this setting. By default, the OS prompts users for a Kerberos principal name when the profile is deployed to devices. A principal name is required for MDMs to install SSO profiles.

    • User principal name: The user principal name (UPN) is parsed in the following way:

      iOS/iPadOS Username SSO attribute in Intune

      You can also overwrite the realm with the text you enter in the Realm text box.

      For example, Contoso has several regions, including Europe, Asia, and North America. Contoso wants their Asia users to use SSO, and the app requires the UPN in the username@asia.contoso.com format. When you select User Principal Name, the realm for each user is taken from Azure AD, which is contoso.com. So for users in Asia, select User Principal Name, and enter asia.contoso.com. The user's UPN becomes username@asia.contoso.com, instead of username@contoso.com.

    • Intune device ID: Intune automatically selects the Intune Device ID.

      By default, apps only need to use the device ID. But if your app uses the realm and the device ID, you can type the realm in the Realm text box.

      Note

      By default, keep the realm empty if you use device ID.

    • Azure AD device ID

    • SAM account name: Intune populates the on-premises Security Accounts Manager (SAM) account name.

  • Apps: Add apps on users' devices that can use single sign-on.

    The AppIdentifierMatches array must include strings that match app bundle IDs. These strings may be exact matches, such as com.contoso.myapp, or a prefix match on the bundle ID using the * wildcard character. The wildcard character must appear after a period character (.), and may appear only once, at the end of the string, such as com.contoso.*. When a wildcard is included, any app whose bundle ID begins with the prefix is granted access to the account.

    Use App Name to enter a user-friendly name to help you identify the bundle ID.

  • URL prefixes: Add any URLs in your organization that require user single sign-on authentication.

    For example, when a user connects to any of these sites, the iOS/iPadOS device uses the single sign-on credentials. Users don't need to enter any additional credentials. If multi-factor authentication is enabled, then users are required to complete the second authentication.

    Note

    These URLs must be properly formatted FQDNs. Apple requires these to be in the http://<yourURL.domain> format.

    The URL matching patterns must begin with either http:// or https://. A simple string match is run, so the http://www.contoso.com/ URL prefix doesn't match http://www.contoso.com:80/. With iOS 10.0+ and iPadOS 13.0+, a single wildcard * may be used to enter all matching values. For example, http://*.contoso.com/ matches both http://store.contoso.com/ and http://www.contoso.com.

    The http://*.com and https://*.com patterns match all HTTP and HTTPS URLs, respectively.

  • Renewal certificate: If using certificates for authentication (not passwords), select the existing SCEP or PFX certificate as the authentication certificate. Typically, this certificate is the same certificate that's deployed to users for other profiles, such as VPN, Wi-Fi, or email.
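The Apps and URL prefixes settings above define two matching rules whose consequences are security-relevant: a bundle-ID wildcard grants the SSO account to every app whose ID starts with the prefix, and URL prefixes are plain string matches where a port or scheme difference silently excludes a site. The following Python is an added example (not Intune's or Apple's implementation) that validates entries against the rules stated in the article and shows which bundle IDs and URLs a given entry would cover. Two things are this example's own: the warning for a prefix with a single label such as com.*, and treating a URL with no path as ending in / so that the article's http://www.contoso.com case matches.

```python
import re


def validate_app_identifier_pattern(pattern):
    """Check one AppIdentifierMatches entry against the rules in the article.

    Returns (ok, note). Exact bundle IDs pass; a prefix pattern must use a
    single '*' that follows a period and ends the string, e.g. com.contoso.*.
    """
    if "*" not in pattern:
        return True, "exact match"
    if pattern.count("*") != 1:
        return False, "the wildcard may appear only once"
    if not pattern.endswith(".*"):
        return False, "the wildcard must follow a period and end the string"
    prefix = pattern[:-2]
    labels = prefix.split(".")
    if not prefix or any(not label for label in labels):
        return False, "empty label before the wildcard"
    # Not an Apple rule: this checker's own caution, because every app whose
    # bundle ID starts with the prefix is granted the account.
    if len(labels) < 2:
        return True, f"prefix match; WARNING: '{prefix}.' covers every app under that top-level label"
    return True, "prefix match"


def bundle_id_matches(pattern, bundle_id):
    """Decide whether an installed app's bundle ID is covered by one pattern."""
    ok, note = validate_app_identifier_pattern(pattern)
    if not ok:
        raise ValueError(f"{pattern!r}: {note}")
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])  # 'com.contoso.*' -> 'com.contoso.'
    return bundle_id == pattern


def apps_granted_sso(patterns, bundle_ids):
    """List which of the given bundle IDs any pattern would grant the account to."""
    return [b for b in bundle_ids if any(bundle_id_matches(p, b) for p in patterns)]


def validate_url_prefix(prefix):
    """URL prefixes must start with http:// or https:// and use at most one '*'."""
    if not prefix.startswith(("http://", "https://")):
        return False, "must begin with http:// or https://"
    if prefix.count("*") > 1:
        return False, "at most one wildcard is allowed"
    return True, ""


def url_matches_prefix(prefix, url):
    """Simple string prefix match as the article describes it.

    Without a wildcard this is plain startswith, so 'http://www.contoso.com/'
    does not match 'http://www.contoso.com:80/'. A single '*' stands for one
    or more characters other than '/'.
    """
    ok, why = validate_url_prefix(prefix)
    if not ok:
        raise ValueError(f"{prefix!r}: {why}")
    # Assumption made by this example: a URL with no path is treated as
    # ending in '/', so 'http://*.contoso.com/' matches 'http://www.contoso.com'
    # as the article states.
    if re.fullmatch(r"https?://[^/]+", url):
        url += "/"
    if "*" not in prefix:
        return url.startswith(prefix)
    head, tail = prefix.split("*")
    return re.match(re.escape(head) + r"[^/]+" + re.escape(tail), url) is not None


if __name__ == "__main__":
    print(apps_granted_sso(["com.contoso.*"], ["com.contoso.myapp", "com.contosoapp.x", "com.contoso"]))
    print(url_matches_prefix("http://www.contoso.com/", "http://www.contoso.com:80/"))
    print(url_matches_prefix("http://*.contoso.com/", "http://store.contoso.com/"))
```

Running apps_granted_sso over the bundle IDs actually deployed to your devices shows the real blast radius of each wildcard entry; running url_matches_prefix over the sign-in URLs your users hit (ports and schemes included) shows which sites will fall back to a credential prompt.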

Web content filter

Settings apply to: Automated device enrollment (supervised)

  • Filter Type: Choose to allow specific web sites. Your options:

    • Configure URLs: Use Apple's built-in web filter that looks for adult terms, including profanity and sexually explicit language. This feature evaluates each web page as it's loaded, and identifies and blocks unsuitable content. You can also add URLs that you don't want checked by the filter. Or, block specific URLs, regardless of Apple's filter settings.

      • Permitted URLs: Add the URLs you want to allow. These URLs bypass Apple's web filter.

        Note

        The URLs you enter are the URLs you don't want evaluated by the Apple web filter. These URLs aren't a list of allowed web sites. To create a list of allowed websites, set the Filter Type to Specific websites only.

      • Blocked URLs: Add the URLs you want to stop from opening, regardless of the Apple web filter settings.

    • Specific websites only (for the Safari web browser only): These URLs are added to the Safari browser's bookmarks. Users are only allowed to visit these sites; no other sites can be opened. Use this option only if you know the exact list of URLs that users can access.

      • URL: Enter the URL of the website you want to allow. For example, enter https://www.contoso.com.
      • Bookmark Path: Apple changed this setting. All bookmarks go into the Approved Sites folder. Bookmarks don't go into the bookmark path you enter.
      • Title: Enter a descriptive title for the bookmark.

      If you don't enter any URLs, then users can't access any websites except for microsoft.com, microsoft.net, and apple.com. These URLs are automatically allowed by Intune.

Single sign-on app extension

This feature applies to:

  • iOS 13.0 and later
  • iPadOS 13.0 and later

Settings apply to: All enrollment types

  • SSO app extension type: Choose the type of SSO app extension. Your options:

    • Not configured: Intune doesn't change or update this setting. By default, the OS doesn't use app extensions. To disable an app extension, you can switch the SSO app extension type to Not configured.

    • Microsoft Azure AD: Uses the Microsoft Enterprise SSO plug-in, which is a redirect-type SSO app extension. This plug-in provides SSO for Active Directory accounts across all applications that support Apple's Enterprise Single Sign-On feature. Use this SSO app extension type to enable SSO on Microsoft apps, organization apps, and websites that authenticate using Azure AD.

      The SSO plug-in acts as an advanced authentication broker that offers security and user experience improvements. All apps that used the Microsoft Authenticator app for authentication continue to get SSO with the Microsoft Enterprise SSO plug-in for Apple devices.

      Important

      To achieve SSO with the Microsoft Azure AD SSO app extension type, first install the iOS/iPadOS Microsoft Authenticator app on devices. The Authenticator app delivers the Microsoft Enterprise SSO plug-in to devices, and the MDM SSO app extension settings activate the plug-in. Once Authenticator and the SSO app extension profile are installed on devices, users must enter their credentials to sign in, and establish a session on their devices. This session is then used across different applications without requiring users to authenticate again. For more information about Authenticator, see What is the Microsoft Authenticator app.

    • Redirect: Use a generic, customizable redirect app extension to use SSO with modern authentication flows. Be sure you know the extension ID for your organization's app extension.

    • Credential: Use a generic, customizable credential app extension to use SSO with challenge-and-response authentication flows. Be sure you know the extension ID for your organization's app extension.

    • Kerberos: Use Apple's built-in Kerberos extension, which is included on iOS 13.0+ and iPadOS 13.0+. This option is a Kerberos-specific version of the Credential app extension.

    Tip

    With the Redirect and Credential types, you add your own configuration values to pass through the extension. If you're using Credential, consider using the built-in configuration settings provided by Apple in the Kerberos type.

  • Shared device mode (Microsoft Azure AD only): Choose Enable if you're deploying the Microsoft Enterprise SSO plug-in to iOS/iPadOS devices configured for Azure AD's shared device mode feature. Devices in shared mode allow many users to globally sign in and out of applications that support shared device mode. When set to Not configured, Intune doesn't change or update this setting. By default, iOS/iPadOS devices aren't intended to be shared among multiple users.

    For more information about shared device mode and how to enable it, see Overview of shared device mode and Shared device mode for iOS devices.

    This feature applies to:

    • iOS/iPadOS 13.5 and newer
  • Extension ID (Redirect and Credential): Enter the bundle identifier that identifies your SSO app extension, such as com.apple.extensiblesso.

  • Team ID (Redirect and Credential): Enter the team identifier of your SSO app extension. A team identifier is a 10-character alphanumerical (numbers and letters) string generated by Apple, such as ABCDE12345. The team ID isn't required.

    Locate your Team ID (opens Apple's website) has more information.

  • Realm (Credential and Kerberos): Enter the name of your authentication realm. The realm name should be capitalized, such as CONTOSO.COM. Typically, your realm name is the same as your DNS domain name, but in all uppercase.

  • Domains (Credential and Kerberos): Enter the domain or host names of the sites that can authenticate through SSO. For example, if your website is mysite.contoso.com, then mysite is the host name, and contoso.com is the domain name. When users connect to any of these sites, the app extension handles the authentication challenge. This authentication allows users to use Face ID, Touch ID, or Apple pincode/passcode to sign in.

    • All the domains in your single sign-on app extension Intune profiles must be unique. You can't repeat a domain in any sign-on app extension profile, even if you're using different types of SSO app extensions.
    • These domains aren't case-sensitive.
  • URLs (Redirect only): Enter the URL prefixes of your identity providers on whose behalf the redirect app extension uses SSO. When users are redirected to these URLs, the SSO app extension intervenes and prompts SSO.

    • All the URLs in your Intune single sign-on app extension profiles must be unique. You can't repeat a URL in any SSO app extension profile, even if you're using different types of SSO app extensions.
    • The URLs must begin with http:// or https://.
  • Additional configuration (Microsoft Azure AD, Redirect, and Credential): Enter additional extension-specific data to pass to the SSO app extension:

    • Key: Enter the name of the item you want to add, such as user name. AppAllowList is case sensitive. Be sure to enter 'AppAllowList' exactly.

    • Type: Enter the type of data. Your options:

      • String
      • Boolean: In Configuration value, enter True or False.
      • Integer: In Configuration value, enter a number.
    • Value: Enter the data.

    • Add: Select to add your configuration keys.

  • Keychain usage (Kerberos only): Block prevents passwords from being saved and stored in the keychain. If blocked, users aren't prompted to save their password, and need to reenter the password when the Kerberos ticket expires. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow passwords to be saved and stored in the keychain. Users aren't prompted to reenter their password when the ticket expires.

  • Face ID, Touch ID, or passcode (Kerberos only): Require forces users to enter their Face ID, Touch ID, or device passcode when the credential is needed to refresh the Kerberos ticket. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not require users to use biometrics or device passcode to refresh the Kerberos ticket. If Keychain usage is blocked, then this setting doesn't apply.

  • Default realm (Kerberos only): Enable sets the Realm value you entered as the default realm. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might not set a default realm.

    Tip

    • Enable this setting if you're configuring multiple Kerberos SSO app extensions in your organization.
    • Enable this setting if you're using multiple realms. It sets the Realm value you entered as the default realm.
    • If you only have one realm, leave it Not configured (default).
  • Principal name (Kerberos only): Enter the username of the Kerberos principal. You don't need to include the realm name. For example, in user@contoso.com, user is the principal name, and contoso.com is the realm name.

    Tip

    • You can also use variables in the principal name by entering curly brackets {{ }}. For example, to show the username, enter Username: {{username}}.
    • However, be careful with variable substitution, because variables aren't validated in the UI and are case sensitive. Be sure to enter the correct information.
  • Active Directory 站点代码(仅用于“Kerberos”):输入 Kerberos 扩展应使用的 Active Directory 站点的名称。Active Directory site code (Kerberos only): Enter the name of the Active Directory site that the Kerberos extension should use. 可能不需要更改此值,因为 Kerberos 扩展可能会自动查找 Active Directory 站点代码。You may not need to change this value, as the Kerberos extension may automatically find the Active Directory site code.

  • 缓存名称(仅用于“Kerberos”):输入 Kerberos 缓存的通用安全服务 (GSS) 名称。Cache name (Kerberos only): Enter the Generic Security Services (GSS) name of the Kerberos cache. 很可能不需要设置此值。You most likely don't need to set this value.

  • 应用捆绑包 ID(Microsoft Azure AD、Kerberos):输入应通过设备上的扩展获得单一登录的其他应用的捆绑 ID。App bundle IDs (Microsoft Azure AD, Kerberos): Enter the bundle IDs of the additional apps that should get single sign-on through an extension on your devices.

    如果你使用的是 Microsoft Azure AD SSO 应用扩展类型,则这些应用将使用 Microsoft 企业 SSO 插件来对用户进行身份验证,而无需登录。If you're using the Microsoft Azure AD SSO app extension type, these apps use the Microsoft Enterprise SSO plug-in to authenticate the user without requiring a sign-in. 如果你输入的应用捆绑包 ID 不使用任何 Microsoft 库(例如 Microsoft 身份验证库(MSAL)),则它有权使用 Microsoft Azure AD SSO应用扩展。The app bundle IDs you enter have permission to use the Microsoft Azure AD SSO app extension if they don't use any Microsoft libraries, such as Microsoft Authentication Library (MSAL). 与 Microsoft 库相比,这些应用可能不会带来相同的无缝体验。The experience for these apps may not be as seamless compared to the Microsoft libraries. 如果是使用 MSAL 身份验证的旧版应用或不使用最新 Microsoft 库的应用,则必须添加到此列表,才能正常使用 Microsoft Azure SSO 应用扩展。Older apps that use MSAL authentication, or apps that don't use the newest Microsoft libraries, must be added to this list to work properly with the Microsoft Azure SSO app extension.

    如果你使用的是 Kerberos SSO 应用扩展类型,则这些应用将有权访问 Kerberos 票证授予票证(身份验证票证),并在用户访问他们有权访问的服务时对其进行身份验证。If you're using the Kerberos SSO app extension type, these apps have access to the Kerberos Ticket Granting Ticket, the authentication ticket, and authenticate users to services they’re authorized to access.

  • 域领域映射(仅用于“Kerberos”):添加应映射到领域的域 DNS 后缀。Domain realm mapping (Kerberos only): Add the domain DNS suffixes that should map to your realm. 当主机的 DNS 名称与领域名称不匹配时,使用此设置。Use this setting when the DNS names of the hosts don't match the realm name. 很可能不需要创建此自定义域到领域的映射。You most likely don't need to create this custom domain-to-realm mapping.

  • PKINIT 证书(仅用于“Kerberos”):选择可用于 Kerberos 身份验证的初始身份验证 (PKINIT) 证书的公钥加密。PKINIT certificate (Kerberos only): Select the Public Key Cryptography for Initial Authentication (PKINIT) certificate that can be used for Kerberos authentication. 可以从已在 Intune 中添加的 PKCSSCEP 证书中进行选择。You can choose from PKCS or SCEP certificates that you've added in Intune. 有关证书的详细信息,请参阅在 Microsoft Intune 中使用证书进行身份验证For more information about certificates, see Use certificates for authentication in Microsoft Intune.
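
The URL, Additional configuration, and Principal name settings above each carry a rule that the portal does not enforce for you: URL prefixes must start with http:// or https:// and no domain may repeat across any SSO app extension profile, AppAllowList is case sensitive, Boolean and Integer values must actually look like booleans and numbers, and {{variables}} in the principal name are neither validated nor case-insensitive. The following lint script is an added example for this page, not Intune code or an Intune API: it assumes a planned profile exported as plain Python dicts and lists (the portal offers no such export), treats "repeated domain" as the URL hostname, and all sample values are constructed.

```python
"""Pre-deployment lint for iOS/iPadOS SSO app extension settings.

Added example for this page, not Intune's own code or API. Data shapes
(dicts and lists) and the sample values below are constructed; the rules
are the ones stated in the settings descriptions above."""
import re
from urllib.parse import urlsplit

# The three data types the "Additional configuration" setting offers.
ALLOWED_TYPES = {"String", "Boolean", "Integer"}

# {{name}} tokens in the principal name; names are case sensitive.
VARIABLE = re.compile(r"\{\{(\w+)\}\}")


def check_urls(profiles):
    """profiles: {profile name: [URL prefix, ...]} for *all* SSO app extension
    profiles in the tenant. Flags prefixes that don't begin with http:// or
    https://, and any domain (assumption: the URL hostname) that appears more
    than once, even across profiles of different extension types."""
    errors = []
    seen = {}  # domain -> profile that first declared it
    for profile, urls in profiles.items():
        for url in urls:
            if not url.startswith(("http://", "https://")):
                errors.append(f"{profile}: {url!r} must begin with http:// or https://")
                continue
            domain = (urlsplit(url).hostname or "").lower()
            if domain in seen:
                errors.append(f"{profile}: domain {domain!r} is already used in profile {seen[domain]!r}")
            else:
                seen[domain] = profile
    return errors


def check_additional_config(entries):
    """entries: [{'key': ..., 'type': ..., 'value': ...}, ...] as typed into
    Key / Type / Value. Values are strings because that is how the portal
    takes them; the declared type decides how each must look."""
    errors = []
    for entry in entries:
        key, typ, value = entry["key"], entry["type"], entry["value"]
        # AppAllowList is case sensitive; a near miss is silently ignored by the extension.
        if key.lower() == "appallowlist" and key != "AppAllowList":
            errors.append(f"key {key!r}: enter exactly 'AppAllowList' (case sensitive)")
        if typ not in ALLOWED_TYPES:
            errors.append(f"key {key!r}: type {typ!r} is not String, Boolean or Integer")
        elif typ == "Boolean" and value not in ("True", "False"):
            errors.append(f"key {key!r}: Boolean value must be True or False, got {value!r}")
        elif typ == "Integer" and not re.fullmatch(r"-?\d+", value):
            errors.append(f"key {key!r}: Integer value must be a number, got {value!r}")
    return errors


def check_principal_name(template, variables):
    """Return the {{tokens}} in the principal name with no known value.
    The UI does not validate them and they are case sensitive, so
    {{UserName}} is an error when only 'username' is defined."""
    return [name for name in VARIABLE.findall(template) if name not in variables]


def render_principal_name(template, variables):
    """Substitute known tokens; refuse templates that check_principal_name rejects."""
    unknown = check_principal_name(template, variables)
    if unknown:
        raise ValueError(f"unknown principal-name variables: {unknown}")
    return VARIABLE.sub(lambda m: variables[m.group(1)], template)


# Constructed sample input (not real tenant data).
SAMPLE_PROFILES = {
    "redirect-idp": ["https://login.contoso.example/", "ftp://idp.contoso.example"],
    "redirect-partner": ["https://login.contoso.example/krb"],  # repeats a domain
}
SAMPLE_ADDITIONAL_CONFIG = [
    {"key": "appallowlist", "type": "String", "value": "com.contoso.app"},  # wrong case
    {"key": "example_flag", "type": "Boolean", "value": "yes"},             # not True/False
    {"key": "example_count", "type": "Integer", "value": "3"},              # fine
]


def lint_sample():
    """Collect every finding for the constructed sample and return the list."""
    findings = check_urls(SAMPLE_PROFILES)
    findings += check_additional_config(SAMPLE_ADDITIONAL_CONFIG)
    findings += ["principal name: unknown variable {{" + n + "}}"
                 for n in check_principal_name("Username: {{UserName}}", {"username": "jdoe"})]
    return findings


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Run the script before creating the profile in the portal; every finding corresponds to a setting that would otherwise be accepted by the UI and only fail, silently, on the device.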

Wallpaper

You may experience unexpected behavior when a profile with no image is assigned to devices with an existing image. For example, you create a profile without an image. This profile is assigned to devices that already have an image. In this scenario, the image may change to the device default, or the original image may stay on the device. This behavior is controlled and limited by Apple's MDM platform.

Settings apply to: Automated device enrollment (supervised)

  • Wallpaper Display Location: Choose a location on devices to show the image. Your options:
    • Not configured: Intune doesn't change or update this setting. A custom image isn't added to devices. By default, the OS might set its own image.
    • Lock screen: Adds the image to the lock screen.
    • Home screen: Adds the image to the home screen.
    • Lock screen and Home screen: Uses the same image on the lock screen and home screen.
  • Wallpaper Image: Upload an existing .png, .jpg, or .jpeg image you want to use. Be sure the file size is less than 750 KB. You can also remove an image that you added.

Tip

To display different images on the lock screen and home screen, create a profile with the lock screen image. Create another profile with the home screen image. Assign both profiles to your iOS/iPadOS user or device groups.

Next steps

Assign the profile and monitor its status.

You can also create device feature profiles for macOS devices.