Set the mobile device management authority

The mobile device management (MDM) authority setting determines how you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for management.

Possible configurations are:

  • Intune Standalone - cloud-only management, which you configure by using the Azure portal. Includes the full set of capabilities that Intune offers. Set the MDM authority in the Intune console.

  • Intune co-management - integration of the Intune cloud solution with Configuration Manager for Windows 10 devices. You configure Intune by using the Configuration Manager console. Configure auto-enrollment of devices to Intune.

  • Basic Mobility and Security for Microsoft 365 - If you have this configuration activated, you'll see the MDM authority set to "Office 365". If you want to start using Intune, you'll need to purchase Intune licenses.

  • Basic Mobility and Security for Microsoft 365 coexistence - You can add Intune to your tenant if you're already using Basic Mobility and Security for Microsoft 365 and set the management authority to either Intune or Basic Mobility and Security for Microsoft 365 for each user, which dictates which service manages that user's MDM-enrolled devices. Each user's management authority is defined by the license assigned to the user: if the user has only a license for Microsoft 365 Basic or Standard, their devices are managed by Basic Mobility and Security for Microsoft 365. If the user has a license that entitles them to Intune, their devices are managed by Intune. If you add a license that entitles Intune to a user previously managed by Basic Mobility and Security for Microsoft 365, their devices are switched to Intune management. Be sure to have Intune configurations assigned to users to replace Basic Mobility and Security for Microsoft 365 before switching users to Intune; otherwise their devices lose the Basic Mobility and Security for Microsoft 365 configuration and don't receive any replacement from Intune.

Set MDM authority to Intune

For tenants using the 1911 service release and later, the MDM authority is automatically set to Intune.

For pre-1911 service release tenants, if you haven't yet set the MDM authority, follow the steps below.

  1. In the Microsoft Endpoint Manager admin center, select the orange banner to open the Mobile Device Management Authority setting. The orange banner is only displayed if you haven't yet set the MDM authority.
  2. Under Mobile Device Management Authority, choose your MDM authority from the following options:
  • Intune MDM Authority
  • None

Screenshot of the Intune Mobile Device Management Authority settings screen

A message indicates that you have successfully set your MDM authority to Intune.

Workflow of Intune Administration UI

When Android or Apple device management is enabled, Intune sends device and user information to integrate with these third-party services to manage their respective devices.

Scenarios that add a consent to share data include when:

  • You enable Android work profiles.
  • You enable and upload Apple MDM push certificates.
  • You enable any of the Apple services, such as Device Enrollment Program, School Manager, or Volume Purchasing Program.

In each case, the consent is strictly related to running a mobile device management service, for example, confirming that an IT admin has authorized Google or Apple devices to enroll. Documentation that describes what information is shared when the new workflows go live is available from the following locations:

Key Considerations

After you switch to the new MDM authority, there will likely be a transition time (up to eight hours) before the device checks in and synchronizes with the service. You're required to configure settings in the new MDM authority to make sure enrolled devices continue to be managed and protected after the change.

  • Devices must connect with the service after the change so that the settings from the new MDM authority (Intune standalone) replace the existing settings on the device.
  • After you change the MDM authority, some of the basic settings (such as profiles) from the previous MDM authority remain on the device for up to seven days or until the device connects to the service for the first time. It's recommended that you configure apps and settings (like policies, profiles, and apps) in the new MDM authority as soon as possible and deploy the settings to the user groups that contain users who have existing enrolled devices. As soon as a device connects to the service after the change in MDM authority, it receives the new settings from the new MDM authority, which prevents gaps in management and protection.
  • Devices that don't have associated users (typically when you have iOS/iPadOS Device Enrollment Program or bulk enrollment scenarios) aren't migrated to the new MDM authority. For those devices, you need to call support for assistance to move them to the new MDM authority.

Coexistence

Enabling coexistence lets you use Intune for a new set of users while continuing to use Basic Mobility and Security for the existing users. You control which devices are managed by Intune through the user. If a user is assigned an Intune license or is using Intune co-management with Configuration Manager, then all their enrolled devices are managed by Intune. Otherwise, the user is managed by Basic Mobility and Security.

There are three major steps to enable coexistence:

  1. Preparation
  2. Add Intune MDM authority
  3. User and device migration (optional)

Preparation

Before enabling coexistence with Basic Mobility and Security, consider the following points:

  • Make sure you have sufficient Intune licenses for the users you intend to manage through Intune.
  • Review which users are assigned Intune licenses. After you enable coexistence, any user already assigned an Intune license will have their devices switch to Intune. To avoid unexpected device switches, we recommend not assigning any Intune licenses until you've enabled coexistence.
  • Create and deploy Intune policies to replace device security policies that were originally deployed through the Office 365 Security & Compliance portal. This replacement should be done for any users you expect to move from Basic Mobility and Security to Intune. If there are no Intune policies assigned to those users, enabling coexistence may cause them to lose Basic Mobility and Security settings. These settings, such as managed email profiles, are lost without replacement. Even when replacing device security policies with Intune policies, users may be prompted to re-authenticate their email profiles after the device is moved to Intune management.
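The license rule described under coexistence (an Intune-entitling license or Configuration Manager co-management puts all of a user's enrolled devices under Intune; otherwise the user stays on Basic Mobility and Security) and the two preparation warnings above lend themselves to a pre-flight check. The script below is an added example, not Microsoft's code or any Intune tooling: it classifies a constructed list of users by that rule and flags (a) users who would land on Intune with no Intune policy assigned, so their Basic Mobility and Security settings would be dropped without replacement, and (b) users already holding an Intune license while coexistence is still off, who switch the moment it is enabled. The license labels, user principal names and `intune_policies` count are constructed placeholders, not real SKU identifiers or Graph fields.

```python
"""Coexistence pre-flight check (added example, not Microsoft code).

Models the article's rule: a user's management authority follows the
license assigned to the user, with Configuration Manager co-management
also counting as Intune. All identifiers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Constructed license labels standing in for "a license that entitles Intune"
# and for "Microsoft 365 Basic/Standard only". Not real SKU or plan IDs.
INTUNE_ENTITLING = {"Intune Plan 1", "EMS E3", "Microsoft 365 E3"}

INTUNE = "Intune"
BASIC = "Basic Mobility and Security"


@dataclass
class User:
    upn: str
    licenses: set[str] = field(default_factory=set)
    co_managed: bool = False      # Intune co-management with Configuration Manager
    intune_policies: int = 0      # Intune policies/profiles targeted at this user (constructed)


def management_authority(user: User) -> str:
    """Return which service manages the user's enrolled devices under coexistence."""
    if user.co_managed or (user.licenses & INTUNE_ENTITLING):
        return INTUNE
    return BASIC


def preflight(users: Iterable[User], coexistence_enabled: bool) -> dict[str, list[str]]:
    """Classify users and surface the two risks the preparation step warns about.

    switch_without_policy:       user would be on Intune with no Intune policy
                                 assigned, so Basic Mobility and Security
                                 settings (e.g. managed email profile) are lost
                                 without replacement.
    licensed_before_coexistence: user already holds an Intune-entitling license
                                 while coexistence is off; devices switch as
                                 soon as coexistence is enabled.
    """
    report: dict[str, list[str]] = {
        "intune": [], "basic": [],
        "switch_without_policy": [], "licensed_before_coexistence": [],
    }
    for u in users:
        if management_authority(u) == INTUNE:
            report["intune"].append(u.upn)
            if u.intune_policies == 0:
                report["switch_without_policy"].append(u.upn)
            if not coexistence_enabled and (u.licenses & INTUNE_ENTITLING):
                report["licensed_before_coexistence"].append(u.upn)
        else:
            report["basic"].append(u.upn)
    return report


# Constructed sample tenant: names, licenses and policy counts are invented.
SAMPLE_USERS = [
    User("alice@contoso.example", {"Microsoft 365 Business Standard"}),
    User("bob@contoso.example", {"Microsoft 365 Business Standard", "Intune Plan 1"}, intune_policies=2),
    User("carol@contoso.example", {"Intune Plan 1"}, intune_policies=0),
    User("dave@contoso.example", set(), co_managed=True, intune_policies=1),
]

if __name__ == "__main__":
    result = preflight(SAMPLE_USERS, coexistence_enabled=False)
    for key, upns in result.items():
        print(f"{key:28s} {', '.join(upns) or '-'}")
```

Run it before enabling coexistence: any user listed under `switch_without_policy` needs Intune policies assigned first, and any user under `licensed_before_coexistence` should have the license removed or be accepted as an immediate switch.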

Add Intune MDM authority

To enable coexistence, you must add Intune as the MDM authority for your environment:

  1. Sign in to endpoint.microsoft.com with Azure AD Global or Intune service administrator rights.
  2. Navigate to Devices.
  3. The Add MDM Authority blade displays.
  4. To switch the MDM authority from Office 365 to Intune and enable coexistence, select Intune MDM Authority > Add. Screenshot of the Add MDM Authority screen

Migrate users and devices (optional)

After the Intune MDM authority is enabled, coexistence is activated and you can begin managing users through Intune. Optionally, if you want devices previously managed by Basic Mobility and Security to be managed by Intune, assign those users an Intune license. The users' devices switch to Intune on their next MDM check-in. Settings applied to these devices through Basic Mobility and Security are no longer applied and are removed from the devices.

Mobile device cleanup after MDM certificate expiration

The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate won't get renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires.

Remove MDM authority

The MDM authority can't be changed back to Unknown. The service uses the MDM authority to determine which portal enrolled devices report to (Microsoft Intune or Basic Mobility and Security for Microsoft 365).

What to expect after changing the MDM authority

  • When the Intune service detects that a tenant's MDM authority has changed, it sends a notification message to all the enrolled devices to check in and synchronize with the service (this notification is outside of the regularly scheduled check-in). Therefore, after the MDM authority for the tenant has been changed from Intune standalone, all the devices that are powered on and online connect with the service, receive the new MDM authority, and are managed by the new MDM authority. There's no interruption to the management and protection of these devices.
  • Even for devices that are powered on and online during (or shortly after) the change in MDM authority, there is a delay of up to eight hours (depending on the timing of the next scheduled regular check-in) before devices are registered with the service under the new MDM authority.

Important

Between the time when you change the MDM authority and when the renewed APNs certificate is uploaded to the new authority, new device enrollments and device check-in for iOS/iPadOS devices fail. Therefore, it's important that you review and upload the APNs certificate to the new authority as soon as possible after the change in MDM authority.

  • Users can quickly change to the new MDM authority by manually starting a check-in from the device to the service. Users can easily make this change by using the Company Portal app and starting a device compliance check.
  • To validate that things are working correctly after devices have checked in and synchronized with the service following the change in MDM authority, look for the devices in the new MDM authority.
  • There's an interim period between a device being offline during the change in MDM authority and that device checking in to the service. To help ensure that the device remains protected and functional during this interim period, the following profiles remain on the device for up to seven days (or until the device connects with the new MDM authority and receives new settings that overwrite the existing ones):
    • E-mail profile
    • VPN profile
    • Cert profile
    • Wi-Fi profile
    • Configuration profiles
  • After you change to the new MDM authority, the compliance data in the Microsoft Intune administration console can take up to a week to report accurately. However, the compliance states in Azure Active Directory and on the device are accurate, so the device is still protected.
  • Make sure the new settings that are intended to overwrite existing settings have the same name as the previous ones to ensure that the old settings are overwritten. Otherwise, the devices might end up with redundant profiles and policies.

Tip

As a best practice, you should create all management settings and configurations, as well as deployments, shortly after the change to the MDM authority has completed. This helps ensure that devices are protected and actively managed during the interim period.

  • After you change the MDM authority, perform the following steps to validate that new devices enroll successfully to the new authority:
    1. Enroll a new device.
    2. Make sure the newly enrolled device shows up in the new MDM authority.
    3. Perform an action, such as Remote Lock, from the administration console to the device. If it's successful, the device is being managed by the new MDM authority.
  • If you have issues with specific devices, you can unenroll and re-enroll the devices to get them connected to the new authority and managed as quickly as possible.

Next steps

With the MDM authority set, you can start enrolling devices.