Set up iOS/iPadOS device enrollment with Apple School Manager

You can set up Intune to enroll iOS/iPadOS devices purchased through the Apple School Manager program. Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever touching them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create Automated Device Enrollment (ADE) enrollment profiles containing the settings that are applied to devices during enrollment.

Apple School Manager enrollment can't be used with Apple's Automated Device Enrollment or the device enrollment manager.

Prerequisites

Get an Apple token and assign devices

Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage.

Step 1. Download the Intune public key certificate required to create an Apple token

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment Program Tokens > Add.

    (Screenshot: Get an enrollment program token.)

  2. In the Enrollment program token blade, choose Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal.

    (Screenshot: Enrollment Program Token blade.)

Step 2. Download a token and assign devices

  1. Choose Create a token via Apple School Manager, and sign in to Apple School Manager with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token.

  2. In the Apple School Manager portal, go to MDM Servers, and then choose Add MDM Server (upper right).

  3. Enter the MDM Server Name. The server name is for your reference, to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server.

  4. Choose Upload File... in the Apple portal, browse to the .pem file, and choose Save MDM Server (lower right).

  5. Choose Get Token and then download the server token (.p7m) file to your computer.

  6. Go to Device Assignments, and Choose Devices by manual entry of Serial Numbers, Order Number, or Upload CSV File.

    (Screenshot: Apple School Manager portal with the Serial Number option selected.)

  7. Choose the action Assign to Server, and choose the MDM Server you created.

  8. Specify how to Choose Devices, then provide device information and details.

  9. Choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK.

Step 3. Save the Apple ID used to create this token

In the Microsoft Endpoint Manager admin center, provide the Apple ID for future reference.

(Screenshot: specifying the Apple ID used to create the enrollment program token and browsing to the token.)

Step 4. Upload your token

In the Apple token box, browse to the certificate (.pem) file, choose Open, and then choose Create. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes your Apple School Manager devices from Apple.

Create an Apple enrollment profile

Now that you've installed your token, you can create an enrollment profile for Apple School Manager devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens.

  2. Select a token, choose Profiles, and then choose Create profile.

  3. Under Create Profile, enter a Name and Description for the profile for administrative purposes. Users don't see these details. You can use this Name field to create a dynamic group in Azure Active Directory: use the profile name as the value of the enrollmentProfileName parameter in the membership rule so that devices enrolled with this profile land in the group. Learn more about Azure Active Directory dynamic groups.

    (Screenshot: profile name and description.)

  4. For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • Enroll with User Affinity - Choose this option for devices that belong to users who want to use the Company Portal for services such as installing apps. This option also lets users authenticate their devices by using the Company Portal. If you're using ADFS, user affinity requires the WS-Trust 1.3 Username/Mixed endpoint. Learn more. Apple School Manager's Shared iPad mode requires that devices enroll without user affinity.

    • Enroll without User Affinity - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work.

  5. If you chose Enroll with User Affinity, you can let users authenticate with the Company Portal instead of the Apple Setup Assistant.

    (Screenshot: Authenticate with Company Portal.)

    Note

    If you want to do any of the following, set Authenticate with Company Portal instead of Apple Setup Assistant to Yes:

    • use multifactor authentication
    • prompt users who need to change their password when they first sign in
    • prompt users to reset their expired passwords during enrollment

    These aren't supported when authenticating with the Apple Setup Assistant.

  6. Choose Device Management Settings and choose whether you want devices using this profile to be supervised. Supervised devices give you more management options and disable Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices.

    Users are notified that their devices are supervised in two ways:

    • The lock screen says: "This iPhone is managed by Contoso."

    • The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device."

      Note

      A device enrolled without supervision can only be reset to supervised by using Apple Configurator. Resetting the device in this manner requires connecting the iOS/iPadOS device to a Mac with a USB cable. Learn more about this in the Apple Configurator docs.

  7. Choose whether you want locked enrollment for devices using this profile. Locked enrollment disables the iOS/iPadOS settings that allow the management profile to be removed from the Settings menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the Supervised management mode set to Yes.

  8. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose Yes under Shared iPad (this option requires Enroll without User Affinity and Supervised mode set to Yes). Managed Apple IDs are created in the Apple School Manager portal. Learn more about Shared iPad and Apple's Shared iPad requirements.

  9. Choose whether you want the devices using this profile to be able to Sync with computers. Deny All means that devices using this profile won't be able to sync any data with any computer. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.

  10. If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator Certificate to import.

  11. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select Yes under Apply device name template. Then, in the Device Name Template box, enter the template to use for the names of devices using this profile. You can specify a template format that includes the device type and serial number.

  12. Choose OK.

  13. Choose Setup Assistant Settings to configure the following profile settings (Setup Assistant Customization). Each setting is listed with its description:

    Department Name: Appears when users tap About Configuration during activation.
    Department Phone: Appears when the user taps the Need Help button during activation.
    Setup Assistant Options: The following optional settings can be set up later in the iOS/iPadOS Settings menu.
    Passcode: Prompt for a passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (such as a kiosk mode that restricts the device to one app).
    Location Services: If enabled, Setup Assistant prompts for the service during activation.
    Restore: If enabled, Setup Assistant prompts for iCloud backup during activation.
    iCloud and Apple ID: If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen allows the device to be restored from an iCloud backup.
    Terms and Conditions: If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.
    Touch ID: If enabled, Setup Assistant prompts for this service during activation.
    Apple Pay: If enabled, Setup Assistant prompts for this service during activation.
    Zoom: If enabled, Setup Assistant prompts for this service during activation.
    Siri: If enabled, Setup Assistant prompts for this service during activation.
    Diagnostic Data: If enabled, Setup Assistant prompts for this service during activation.

  14. Choose OK.

  15. To save the profile, choose Create.
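The profile steps above carry several dependencies between settings (locked enrollment needs Supervised = Yes; Shared iPad needs no user affinity and Supervised = Yes; Company Portal authentication is offered only with user affinity), and two of the profile's values flow onward: the device name template and the profile name used in an Azure Active Directory dynamic-group rule on enrollmentProfileName. The following pre-flight check is an added example, not Microsoft's or Intune's code. It assumes the template tokens are written {{DEVICETYPE}} and {{SERIAL}} and that the group rule takes the form (device.enrollmentProfileName -eq "<name>"); the rule evaluator is a simplified model of that one form, and the profile and device records are constructed sample data.

```python
"""Pre-flight validation of an ADE enrollment profile as described in the steps
above. Added example; not Microsoft code. Template token names and the
dynamic-group rule form are assumptions stated in the lead-in."""
from dataclasses import dataclass
import re

# Assumed names of the two template tokens (device type and serial number).
TEMPLATE_TOKENS = {"DEVICETYPE", "SERIAL"}


@dataclass
class EnrollmentProfile:
    name: str
    user_affinity: bool                 # step 4: Enroll with User Affinity
    company_portal_auth: bool = False   # step 5: Authenticate with Company Portal
    supervised: bool = False            # step 6: Supervised
    locked_enrollment: bool = False     # step 7: Locked enrollment
    shared_ipad: bool = False           # step 8: Shared iPad
    device_name_template: str = ""      # step 11: Device Name Template


def validate_profile(p: EnrollmentProfile) -> list:
    """Return every constraint from the profile steps that this profile violates."""
    errors = []
    if p.locked_enrollment and not p.supervised:
        errors.append("locked enrollment requires Supervised = Yes")
    if p.shared_ipad and p.user_affinity:
        errors.append("Shared iPad requires Enroll without User Affinity")
    if p.shared_ipad and not p.supervised:
        errors.append("Shared iPad requires Supervised = Yes")
    if p.company_portal_auth and not p.user_affinity:
        errors.append("Company Portal authentication is only offered with user affinity")
    unknown = set(re.findall(r"\{\{(\w+)\}\}", p.device_name_template)) - TEMPLATE_TOKENS
    if unknown:
        errors.append("unknown device name template tokens: " + ", ".join(sorted(unknown)))
    return errors


def render_device_name(template: str, device_type: str, serial: str) -> str:
    """Expand the (assumed) {{DEVICETYPE}} and {{SERIAL}} tokens for one device."""
    return template.replace("{{DEVICETYPE}}", device_type).replace("{{SERIAL}}", serial)


def dynamic_group_rule(profile_name: str) -> str:
    """Build the Azure AD dynamic-membership rule keyed on the profile name."""
    if '"' in profile_name:
        raise ValueError("profile name must not contain double quotes")
    return f'(device.enrollmentProfileName -eq "{profile_name}")'


def evaluate_rule(rule: str, devices: list) -> list:
    """Simplified evaluator: supports only the -eq form built by dynamic_group_rule."""
    m = re.fullmatch(r'\(device\.enrollmentProfileName -eq "([^"]*)"\)', rule)
    if not m:
        raise ValueError("unsupported rule form")
    wanted = m.group(1)
    return sorted(d["serial"] for d in devices if d.get("enrollmentProfileName") == wanted)


# Constructed sample data (not real profiles, serials or tenants).
SHARED_IPAD_PROFILE = EnrollmentProfile(
    name="Contoso Shared iPads", user_affinity=False, supervised=True,
    locked_enrollment=True, shared_ipad=True,
    device_name_template="{{DEVICETYPE}}-{{SERIAL}}")
BAD_PROFILE = EnrollmentProfile(
    name="Classroom carts", user_affinity=True, supervised=False,
    locked_enrollment=True, shared_ipad=True,
    device_name_template="LAB-{{SERIAL}}-{{ROOM}}")
SAMPLE_DEVICES = [
    {"serial": "SERIAL0001", "enrollmentProfileName": "Contoso Shared iPads"},
    {"serial": "SERIAL0002", "enrollmentProfileName": "Contoso Shared iPads"},
    {"serial": "SERIAL0003", "enrollmentProfileName": "Teacher iPads"},
]

if __name__ == "__main__":
    for profile in (SHARED_IPAD_PROFILE, BAD_PROFILE):
        print(profile.name, validate_profile(profile) or "OK")
    print(render_device_name(SHARED_IPAD_PROFILE.device_name_template, "iPad", "SERIAL0001"))
    rule = dynamic_group_rule(SHARED_IPAD_PROFILE.name)
    print(rule, "->", evaluate_rule(rule, SAMPLE_DEVICES))
```

Run the check before saving the profile in the admin center; the violations it reports are the same combinations the portal refuses, and catching them in review avoids a wipe later, since locked enrollment cannot be changed on an enrolled device.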

Connect School Data Sync

(Optional) Apple School Manager supports synchronizing class roster data to Azure Active Directory (AD) using Microsoft School Data Sync (SDS). You can only sync one token with SDS. If you set up another token with School Data Sync, SDS is removed from the token that previously had it: the new connection replaces the current token. Complete the following steps to use SDS to sync school data.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens.
  2. Select an Apple School Manager token and then choose School Data Sync.
  3. Under School Data Sync, choose Allow. This setting allows Intune to connect with SDS in Microsoft 365.
  4. To enable a connection between Apple School Manager and Azure AD, choose Set up Microsoft School Data Sync. Learn more about how to set up School Data Sync.
  5. Click Save > OK.

Sync managed devices

After Intune has been assigned permission to manage your Apple School Manager devices, synchronize Intune with the Apple service to see your managed devices in Intune.

In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > choose a token in the list > Devices > Sync.

(Screenshot: the Enrollment Program Devices node and the Sync link.)

To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:

  • A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune.
  • Any sync request is given 15 minutes to finish. During this time, or until the request succeeds, the Sync button is disabled.
  • Intune syncs new and removed devices with Apple every 24 hours.

Note

You can also assign Apple School Manager serial numbers to profiles from the Enrollment Program Devices blade.
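The three limits above determine what a Sync click actually refreshes, which matters when an administrator is waiting for a newly assigned serial to appear. The following model of those rules is an added example, not Intune code: it decides whether a request is blocked by the 15-minute window, whether it counts as a full or a partial sync, and which serials a partial sync picks up, and it computes the added/removed delta that the daily sync reports. The timestamps and serial numbers are constructed sample data.

```python
"""Model of Intune's enrollment-program sync limits as stated above.
Added example; not Microsoft code. Serials and timestamps are constructed."""
from datetime import datetime, timedelta

# Limits from the list above.
FULL_SYNC_INTERVAL = timedelta(days=7)       # one full sync per seven days
SYNC_REQUEST_WINDOW = timedelta(minutes=15)  # Sync button disabled while a request runs


def plan_sync(now, last_full_sync, request_started, known_serials, apple_serials):
    """Decide what a Sync click at `now` does.

    Returns (kind, serials_refreshed, button_enabled):
      "blocked": an earlier request is still inside its 15-minute window;
      "full":    seven days have passed since the last full sync, so every
                 serial assigned to Intune is refreshed;
      "partial": within seven days, so only serials not yet listed in Intune
                 are refreshed.
    """
    if request_started is not None and now - request_started < SYNC_REQUEST_WINDOW:
        return "blocked", [], False
    if last_full_sync is None or now - last_full_sync >= FULL_SYNC_INTERVAL:
        return "full", sorted(apple_serials), True
    return "partial", sorted(set(apple_serials) - set(known_serials)), True


def device_delta(known_serials, apple_serials):
    """(added, removed) serials, as the 24-hour new-and-removed sync would report."""
    known, apple = set(known_serials), set(apple_serials)
    return sorted(apple - known), sorted(known - apple)


# Constructed sample data: what Intune lists versus what is assigned to the
# MDM server in Apple School Manager.
KNOWN_IN_INTUNE = ["SERIAL0001", "SERIAL0002", "SERIAL0003"]
ASSIGNED_IN_ASM = ["SERIAL0001", "SERIAL0002", "SERIAL0004"]


def demo():
    """Walk through a week of Sync clicks and return each decision."""
    t0 = datetime(2024, 1, 1, 9, 0)
    results = []
    # First ever sync: no previous full sync, so a full refresh.
    results.append(plan_sync(t0, None, None, KNOWN_IN_INTUNE, ASSIGNED_IN_ASM))
    # Ten minutes later: still inside the 15-minute window, button disabled.
    results.append(plan_sync(t0 + timedelta(minutes=10), t0, t0,
                             KNOWN_IN_INTUNE, ASSIGNED_IN_ASM))
    # Day 3: within seven days, so only the unseen serial is refreshed.
    results.append(plan_sync(t0 + timedelta(days=3), t0, None,
                             KNOWN_IN_INTUNE, ASSIGNED_IN_ASM))
    # Day 7: the next full sync is allowed again.
    results.append(plan_sync(t0 + timedelta(days=7), t0, None,
                             KNOWN_IN_INTUNE, ASSIGNED_IN_ASM))
    return results


if __name__ == "__main__":
    for kind, serials, enabled in demo():
        print(f"{kind:8} refreshed={serials} button_enabled={enabled}")
    added, removed = device_delta(KNOWN_IN_INTUNE, ASSIGNED_IN_ASM)
    print("added:", added, "removed:", removed)
```

The practical reading: a serial that was only just assigned in Apple School Manager shows up on the next partial sync, but a serial that is already listed will not have its details refreshed until the seven-day full sync, and the removal of SERIAL0003 from the MDM server surfaces through the daily delta rather than through the Sync button.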

Assign a profile to devices

Apple School Manager devices managed by Intune must be assigned an enrollment profile before they're enrolled.

  1. In the Microsoft Endpoint Manager admin center, choose Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > choose a token in the list.
  2. Choose Devices > choose devices in the list > Assign profile.
  3. Under Assign profile, choose a profile for the devices, and then choose Assign.

Distribute devices to users

You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School Manager devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it's enrolled for management by Intune. Profiles can't be applied to activated devices currently in use until the device is wiped.