通过 Apple Configurator 设置 iOS/iPadOS 设备注册Set up iOS/iPadOS device enrollment with Apple Configurator

Intune 支持注册 iOS/iPadOS 设备,方法是使用在 Mac 计算机上运行的 Apple ConfiguratorIntune supports the enrollment of iOS/iPadOS devices using Apple Configurator running on a Mac computer. 使用 Apple Configurator 进行注册时,需要通过 USB 将每个 iOS/iPadOS 设备连接到 Mac 计算机来设置公司注册过程。Enrolling with Apple Configurator requires that you USB-connect each iOS/iPadOS device to a Mac computer to set up corporate enrollment. 你可采用两种方式使用 Apple Configurator 将设备注册到 Intune:You can enroll devices into Intune with Apple Configurator in two ways:

  • 设置助理注册 – 擦除设备,使其准备好在设置助理期间进行注册。Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
  • 直接注册 - 不擦除设备,并通过 iOS/iPadOS 设置注册设备。Direct enrollment - Does not wipe the device and enrolls the device through iOS/iPadOS settings. 此方法适仅支持“无用户关联”的设备。This method only supports devices with no user affinity.

Apple Configurator 注册方法不能与设备注册管理器同时使用。Apple Configurator enrollment methods can't be used with the device enrollment manager.

必备条件Prerequisites

为设备创建 Apple Configurator 配置文件Create an Apple Configurator profile for devices

设备注册配置文件定义在注册期间应用的设置。A device enrollment profile defines the settings applied during enrollment. 这些设置只应用一次。These settings are applied only once. 按照以下步骤创建注册配置文件,使用 Apple Configurator 注册 iOS/iPadOS 设备。Follow these steps to create an enrollment profile to enroll iOS/iPadOS devices with Apple Configurator.

  1. Microsoft Endpoint Manager 管理中心中,选择“设备” > “iOS/iPadOS” > “iOS/iPadOS 注册” > “Apple Configurator”。In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator.

    创建 Apple Configurator 配置文件

  2. 选择“配置文件” > “创建”。Choose Profiles > Create.

  3. 在“创建注册配置文件”下,输入配置文件的“名称”和“描述”,以便于管理 。Under Create Enrollment Profile, type a Name and Description for the profile for administrative purposes. 用户看不到这些详细信息。Users do not see these details. 可使用此“名称”字段在 Azure Active Directory 中创建动态组。You can use this Name field to create a dynamic group in Azure Active Directory. 使用配置文件名称定义 enrollmentProfileName 参数,以向设备分配此注册配置文件。Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. 详细了解 Azure Active Directory 动态组。Learn more about Azure Active Directory dynamic groups.

    创建配置文件屏幕的屏幕截图,选中了“通过用户关联注册”

  4. 对于“用户关联”,选择具有此配置文件的设备是否必须通过已分配的用户进行注册。For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • 通过用户关联进行注册 - 为属于用户且想要使用公司门户获取服务(如安装应用)的设备选择此选项。Enroll with user affinity - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. 设备必须通过设置助理与某个用户关联,然后才可访问公司数据和电子邮件。The device must be affiliated with a user with Setup Assistant and can then access company data and email. 仅设置助理注册支持。Only supported for Setup Assistant enrollment. 用户关联需要 WS-Trust 1.3 用户名/混合终结点User affinity requires WS-Trust 1.3 Username/Mixed endpoint. 了解详细信息Learn more.

    • 不通过用户关联进行注册 - 为不属于单个用户的设备选择此选项。Enroll without User Affinity - Choose this option for devices unaffiliated with a single user. 为无需访问本地用户数据即可执行任务的设备使用此选项。Use this for devices that perform tasks without accessing local user data. 需要用户隶属关系的应用(包括用于安装业务线应用的公司门户应用)无法运行。Apps requiring user affiliation (including the Company Portal app used for installing line-of-business apps) won't work. 直接注册需要此设置此选项。Required for direct enrollment.

    备注

    选择“通过用户关联进行注册”时,请确保设备在注册后的前 24 小时内通过设置助理与某个用户关联。When Enroll with user affinity is selected, make sure that the device is affiliated with a user with Setup Assistant within the first 24 hours of the device being enrolled. 否则,注册可能会失败,需要恢复出厂设置才能注册设备。Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.

  5. 如果选择“通过用户关联进行注册”,则可选择让用户不使用 Apple 设置助理而使用公司门户进行身份验证。If you chose Enroll with User Affinity, you have the option to let users authenticate with Company Portal instead of the Apple Setup Assistant.

    备注

    如果想要执行以下任一操作,请将“不使用 Apple 设置助理而使用公司门户进行身份验证”设置为“是”。If you want do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes.

    • 使用多重身份验证use multifactor authentication
    • 提示用户在首次登录时需要更改密码prompt users who need to change their password when they first sign in
    • 提示用户在注册期间重置过期的密码prompt users to reset their expired passwords during enrollment

    使用 Apple 设置助理进行身份验证时不支持这些功能。These are not supported when authenticating with Apple Setup Assistant.

  6. 选择“创建”保存该配置文件。Choose Create to save the profile.

设置助理注册Setup Assistant enrollment

添加 Apple Configurator 序列号Add Apple Configurator serial numbers

  1. 创建没有标题的两列逗号分隔值 (.csv) 列表。Create a two-column, comma-separated value (.csv) list without a header. 在左列添加序列号,在右列添加详细信息。Add the serial number in the left column, and the details in the right column. 目前,该列表的最大长度为 5,000 行。The current maximum for the list is 5,000 rows. 在文本编辑器中,该 .csv 列表如下所示:In a text editor, the .csv list looks like this:

    F7TLWCLBX196,设备详细信息F7TLWCLBX196,device details
    DLXQPCWVGHMJ,设备详细信息DLXQPCWVGHMJ,device details

    了解如何查找 iOS/iPadOS 设备序列号Learn how to find an iOS/iPadOS device serial number.

  2. Microsoft Endpoint Manager 管理中心中,选择“设备” > “iOS/iPadOS” > “iOS/iPadOS 注册” > “Apple Configurator” > “设备” > “添加”。In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Devices > Add.

  3. 选择一个注册配置文件,将其应用于导入的序列号。Select an Enrollment profile to apply to the serial numbers you're importing. 如果想要让新的序列号详细信息覆盖现有的所有详细信息,请选择“覆盖现有标识符的详细信息”。If you want the new serial number details to overwrite any existing details, choose Overwrite details for existing identifiers.

  4. 在“导入设备”下,浏览到序列号的 .csv 文件,然后选择“添加” 。Under Import Devices, browse to the csv file of serial numbers, and select Add.

将配置文件重新分配给设备序列号Reassign a profile to device serial numbers

为 Apple Configurator 注册导入 iOS/iPadOS 序列号时,可分配注册配置文件。You can assign an enrollment profile when you import iOS/iPadOS serial numbers for Apple Configurator enrollment. 此外,还可从 Azure 门户中的以下两个位置分配配置文件:You can also assign profiles from two places in the Azure portal:

  • Apple Configurator 设备Apple Configurator devices
  • AC 配置文件AC profiles

从 Apple Configurator 设备分配Assign from Apple Configurator devices

  1. Microsoft Endpoint Manager 管理中心中,选择“设备” > “iOS/iPadOS” > “iOS/iPadOS 注册” > “Apple Configurator” > “设备”> 选择序列号 >“分配配置文件” 。In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Devices > choose the serial numbers > Assign profile.
  2. 在“分配配置文件”下,选择要分配的新配置文件,然后选择“分配” 。Under Assign Profile, choose the New profile you want to assign, and then choose Assign.

从配置文件分配Assign from profiles

  1. Microsoft Endpoint Manager 管理中心中,选择“设备” > “iOS/iPadOS” > “iOS/iPadOS 注册” > “Apple Configurator” > “配置文件”> 选择配置文件 。In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose a profile.
  2. 在配置文件中,选择“已分配设备”,然后选择“分配” 。In the profile, choose Devices assigned, and then choose Assign.
  3. 通过筛选找到要分配给配置文件的设备序列号,选择设备,然后选择“分配”。Filter to find device serial numbers you want to assign to the profile, select the devices, and then choose Assign.

导出配置文件Export the profile

创建配置文件并分配序列号后,必须从 Intune 中以 URL 的形式导出配置文件。After you create the profile and assign serial numbers, you must export the profile from Intune as a URL. 然后将其导入 Mac 上的 Apple Configurator 用于部署到设备。You then import it into Apple Configurator on a Mac for deployment to devices.

  1. Microsoft Endpoint Manager 管理中心中,选择“设备” > “iOS/iPadOS” > “iOS/iPadOS 注册” > “Apple Configurator” > “配置文件”> 选择要导出的配置文件 。In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose the profile to export.

  2. 在配置文件上,选择“导出配置文件”。On the profile, select Export Profile.

  3. 复制“配置文件 URL”。Copy the Profile URL. 然后可在 Apple Configurator 中添加它,以定义 iOS/iPadOS 设备使用的 Intune 配置文件。You can then add it in Apple Configurator to define the Intune profile used by iOS/iPadOS devices.

    接下来按照以下过程将此配置文件导入 Apple Configurator,定义 iOS/iPadOS 设备使用的 Intune 配置文件。Next you import this profile to Apple Configurator in the following procedure to define the Intune profile used by iOS/iPadOS devices.

使用设置助理注册设备Enroll devices with Setup Assistant

  1. 在 Mac 计算机上,打开“Apple Configurator 2”。On a Mac computer, open Apple Configurator 2. 在菜单栏中,选择“Apple Configurator 2”,然后选择“首选项”。 In the menu bar, choose Apple Configurator 2, and then choose Preferences.

    警告

    注册过程中,设备会重置为工厂配置。Devices are reset to factory configurations during the enrollment process. 最佳做法是重置设备,然后再启动。As a best practice, reset the device and turn it on. 连接设备时,设备应处于 Hello 屏幕界面。Devices should be at the Hello screen when you connect the device. 如果设备已注册 Apple ID 帐户,则必须先从 Apple iCloud 中删除该设备,然后才能开始注册过程。If the device was already registered with the Apple ID account, the device must be deleted from the Apple iCloud before starting the enrollment process. 提示错误显示为“无法激活 [设备名称]”。The prompt error appears as "Unable to activate [Device name]".

  2. 在“首选项”窗格中,选择“服务器”,然后选择加号 (+) 启动 MDM 服务器向导。In the preferences pane, select Servers and choose the plus symbol (+) to launch the MDM Server wizard. 选择“下一步”。Choose Next.

  3. 在使用 Microsoft Intune 对 iOS/iPadOS 设备注册设置助理的情况下,为 MDM 服务器输入主机名称或 URL 以及注册 URL 。Enter the Host name or URL and enrollment URL for the MDM server under Setup Assistant enrollment for iOS/iPadOS devices with Microsoft Intune. 对于注册 URL,请输入从 Intune 中导出的注册配置文件 URL。For the Enrollment URL, enter the enrollment profile URL exported from Intune. 选择“下一步”。Choose Next.
    可安全忽略警告“未验证服务器 URL”。You can safely disregard a warning stating "server URL is not verified." 若要继续,请选择“下一步”,直到完成该向导。To continue, choose Next until the wizard is finished.

  4. 用 USB 适配器将 iOS/iPadOS 移动设备连接到 Mac 计算机。Connect the iOS/iPadOS mobile devices to the Mac computer with a USB adapter.

  5. 选择要管理的 iOS/iPadOS 设备,然后选择“准备”。Select the iOS/iPadOS devices you want to manage, and then choose Prepare. 在“准备 iOS/iPadOS 设备”窗格上,选择“手动”,然后选择“下一步”。 On the Prepare iOS/iPadOS Device pane, select Manual, and then choose Next.

  6. 在“在 MDM 服务器中注册”窗格上,选择你创建的服务器名称,然后选择“下一步”。On the Enroll in MDM Server pane, select the server name you created, and then choose Next.

  7. 在“监督设备”窗格上,选择监督级别,然后选择“下一步”。 On the Supervise Devices pane, select the level of supervision, and then choose Next.

  8. 在“创建组织”窗格上,选择“组织”或创建新的组织,然后选择“下一步”。On the Create an Organization pane, choose the Organization or create a new organization, and then choose Next.

  9. 在“配置 iOS/iPadOS 设置助理”窗格上,选择要提供给用户的步骤,然后选择“准备”。On the Configure iOS/iPadOS Setup Assistant pane, choose the steps to be presented to the user, and then choose Prepare. 如果出现系统提示,请进行身份验证以更新信任设置。If prompted, authenticate to update trust settings.

  10. iOS/iPadOS 设备完成准备后,断开 USB 电缆的连接。When the iOS/iPadOS device finishes preparing, disconnect the USB cable.

分发设备Distribute devices

设备现已准备好企业注册。The devices are now ready for corporate enrollment. 关闭设备,并将它们分发给用户。Turn off the devices and distribute them to users. 用户打开其设备时,设置助理启动。When users turn on their devices, Setup Assistant starts.

用户收到设备后,必须完成设置助理。After users receive their devices, they must complete Setup Assistant. 配置了用户关联的设备可以安装和运行公司门户应用,以下载应用和管理设备。Devices configured with user affinity can install and run the Company Portal app to download apps and manage devices.

直接注册Direct enrollment

直接使用 Apple Configurator 注册 iOS/iPadOS 设备时,无需获取设备序列号即可注册设备。When you directly enroll iOS/iPadOS devices with Apple Configurator, you can enroll a device without acquiring the device's serial number. 在注册过程中,你还可以在 Intune 捕获设备名称前对设备命名以进行标识。You can also name the device for identification purposes before Intune captures the device name during enrollment. 直接注册的设备不支持公司门户应用。The Company Portal app is not supported for directly enrolled devices. 此方法不擦除设备。This method does not wipe the device.

无法安装需要用户隶属关系的应用(包括用于安装业务线应用的公司门户应用)。Apps requiring user affiliation, including the Company Portal app used for installing line-of-business apps, cannot be installed.

将配置文件作为 .mobileconfig 导出到 iOS/iPadOS 设备Export the profile as .mobileconfig to iOS/iPadOS devices

  1. Microsoft Endpoint Manager 管理中心中,选择“设备” > “iOS/iPadOS” > “iOS/iPadOS 注册” > “Apple Configurator” > “配置文件”> 选择要导出的配置文件>“导出配置文件” 。In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple Configurator > Profiles > choose the profile to export > Export Profile.

  2. 在“直接许可登记表”下,选择“下载配置文件”并保存此文件。 Under Direct enrollment, choose Download profile, and save the file. 注册配置文件的有效期仅为两周,必须在此时间重新创建。An enrollment profile file is only valid for two weeks at which time you must re-create it.

  3. 将文件传输到运行 Apple Configurator 的 Mac 计算机,作为管理配置文件直接推送到 iOS/iPadOS 设备。Transfer the file to a Mac computer running Apple Configurator to push directly as a management profile to iOS/iPadOS devices.

  4. 通过以下步骤使用 Apple Configurator 准备设备:Prepare the device with Apple Configurator by using the following steps:

    1. 在 Mac 计算机上,打开 Apple Configurator 2.0。On a Mac computer, open Apple Configurator 2.0.

    2. 使用 USB 线将 iOS/iPadOS 设备连接到 Mac 计算机。Connect the iOS/iPadOS device to the Mac computer with a USB cord. 关闭“照片”、iTunes 和其他在检测设备时为设备打开的应用。Close Photos, iTunes, and other apps that open for the device when the device is detected.

    3. 在 Apple Configurator 中,选择已连接的 iOS/iPadOS 设备,然后选择“添加”按钮。In Apple Configurator, choose the connected iOS/iPadOS device, and then choose the Add button. 可以添加到设备的选项将显示在下拉列表中。Options that can be added to the device appear in the drop-down list. 选择“配置文件”。Choose Profiles.

      采集设置助理注册的导出配置文件的屏幕快照,在其中突出显示配置文件 URL

    4. 使用文件选取器选择从 Intune 导出的 .mobileconfig 文件,然后选择“添加”。Use the file picker to select the .mobileconfig file that you exported from Intune, and then choose Add. 配置文件将添加到设备。The profile is added to the device. 如果设备是“非监督”状态,安装将需要在设备上验收。If the device is Unsupervised, the installation requires acceptance on the device.

  5. 使用以下步骤在 iOS/iPadOS 设备上安装配置文件。Use the following steps to install the profile on the iOS/iPadOS device. 设备必须已经完成设置助理且准备好使用。The device must have already completed the Setup Assistant and be ready to use. 如果注册需要应用部署,设备应设置一个 Apple ID,因为应用部署需要有一个 Apple ID 登录到应用商店。If enrollment entails app deployments, the device should have an Apple ID set up because the app deployment requires that you have an Apple ID signed in for the App Store.

    1. 解锁 iOS/iPadOS 设备。Unlock the iOS/iPadOS device.
    2. 在“管理配置文件”的“安装配置文件”对话框中,选择“安装”。In the Install profile dialog box for Management profile, choose Install.
    3. 如有必要,提供“设备密码”或“Apple ID”。Provide the Device Passcode or Apple ID, if necessary.
    4. 接受“警告”,并选择“安装”。Accept the Warning, and choose Install.
    5. 接受“远程警告”,并选择“信任”。Accept the Remote Warning, and choose Trust.
    6. “已安装配置文件”框确认配置文件“已安装”后,选择“完成”。When the Profile Installed box confirms the profile as Installed, choose Done.
  6. 在 iOS/iPadOS 设备上,打开“设置”并转到“常规” > “设备管理” > “管理配置文件” 。On the iOS/iPadOS device, open Settings and go to General > Device Management > Management Profile. 确认配置文件安装已列出,并检查 iOS/iPadOS 策略限制和已安装的应用。Confirm that the profile installation is listed, and check the iOS/iPadOS policy restrictions and installed apps. 策略限制和应用可能需要 10 分钟才会出现在设备上。Policy restrictions and apps might take up to 10 minutes to appear on the device.

  7. 分配设备。Distribute devices. iOS/iPadOS 设备现已在 Intune 中注册并已托管。The iOS/iPadOS device is now enrolled in Intune and managed.