使用 Intune 添加 iOS/iPadOS 软件更新策略Add iOS/iPadOS software update policies in Intune

软件更新策略可强制受监督的 iOS/iPadOS 设备自动安装 OS 更新。Software update policies let you force supervised iOS/iPadOS devices to automatically install OS updates. 受监督的设备是使用 Apple Business Manager 或 Apple School Manager 注册的设备。Supervised devices are those that enrolled using either Apple Business Manager or Apple School Manager. 配置部署更新策略时,可以执行以下操作:When configuring a policy to deploy updates, you can:

  • 选择部署可用的“最新更新”,如果不想部署最新更新,请选择按更新版本号部署较旧的更新。Choose to deploy the latest update that's available, or choose to deploy a an older update by the update version number if you don't want to deploy the latest update. 如果选择部署较旧的更新,则还必须设置设备配置策略,以限制软件更新可见性。If you choose to deploy an older update, you must also set a Device Configuration policy to restrict visibility of software updates.
  • 指定一个计划,确定安装更新的时间。Specify a schedule that determines when the update installs. 计划可以非常简单,例如在下一次设备签入时安装更新,或者创建安装更新或阻止安装更新的日期和时间范围。Schedules can be as simple as installing updates the next time that the device checks in, or creating date and time ranges during which updates can install or are blocked from installing.

此功能适用于:This feature applies to:

  • iOS 10.3 及更高版本(受监督)iOS 10.3 and later (supervised)
  • iPadOS 13.0 及更高版本(受监督)iPadOS 13.0 and later (supervised)

默认情况下,设备会通过 Intune 大约每 8 小时签入一次。By default, devices check in with Intune about every 8 hours. 如果通过更新策略提供更新,则该设备会下载该更新。If an update is available through an update policy, the device downloads the update. 然后,设备会在下一次在计划配置中签入时安装更新。The device then installs the update upon next check in within your schedule configuration. 尽管更新过程通常不涉及到任何用户交互,但如果设备有密码,则用户必须输入密码才能启动软件更新。Although the update process does not typically involve any user interaction, if the device has a passcode the user must enter it in order to start a software update. 配置文件无法阻止用户手动更新操作系统。Profiles don't prevent users from updating the OS manually. 可以阻止用户使用设备配置策略手动更新 OS,以限制软件更新可见性。Users can be prevented from updating the OS manually with a Device Configuration policy to restrict visibility of software updates.

备注

如果使用自治单应用模式 (ASAM),则应考虑操作系统更新的影响,因为可能由此产生不良行为。If using Autonomous Single App Mode (ASAM), the impact of OS updates should be considered as the resulting behaviour may be undesirable. 考虑进行测试,评估操作系统更新对你在 ASAM 中运行的应用的影响。Consider testing to assess the impact of OS updates on the app you are running in ASAM.

配置策略Configure the policy

  1. 登录到 Microsoft 终结点管理器管理中心Sign in to the Microsoft Endpoint Manager admin center.

  2. 选择“设备” > “适用于 iOS/iPadOS 的更新策略” > “创建配置文件” 。Select Devices > Update policies for iOS/iPadOS > Create profile.

  3. 在“基本信息”选项卡上,为该策略指定名称并指定描述(可选),然后选择“下一步” 。On the Basics tab, specify a name for this policy, specify a description (optional), and then select Next.

    “基本信息”选项卡

  4. 在“更新策略设置”选项卡上,配置以下设置:On the Update policy settings tab, configure the following:

    1. 选择要安装的版本。Select version to install. 可以选择:You can choose from:

      • 最新更新:这会为 iOS/iPadOS 部署最近发布的更新。Latest update: This deploys the most recently released update for iOS/iPadOS.
      • 下拉框中提供的任何早期版本。Any previous version that is available in the dropdown box. 如果选择早期版本,则还必须部署设备配置策略,以延迟显示软件更新。If you select a previous version, you must also deploy a device configuration policy to delay visibility of software updates.
    2. 计划类型:配置该策略的计划:Schedule type: Configure the schedule for this policy:

      • 下次签入时更新:更新将在设备下一次通过 Intune 签入时进行安装。Update at next check-in: The update installs on the device the next time it checks in with Intune. 这是最简单的选项,无需其他配置。This is the simplest option and has no additional configurations.
      • 在计划时间内更新:可以配置一个或多个时间段,在此期间将在签入时安装更新。Update during scheduled time: You configure one or more windows of time during which the update will install upon check-in.
      • 在计划时间外更新:可以配置一个或多个时间段,在此期间将不会在签入时安装更新。Update outside of scheduled time: You configure one or more windows of time during which the updates won't install upon check-in.
    3. 每周计划:如果选择的计划类型不是“下次签入时更新”,请配置以下选项:Weekly schedule: If you choose a schedule type other than update at next check-in, configure the following options:

      选择在计划时间更新的示例

      • 时区:选择时区。Time zone: Choose a time zone.

      • 时间范围:定义一个或多个限制更新安装时间的时间段。Time window: Define one or more blocks of time that restrict when the updates install. 以下选项的效果取决于所选的计划类型。The effect of the following options depends on the Schedule type you selected. 通过使用开始日期和结束日期,将支持长段时间。By using a start day and end day, overnight blocks are supported. 选项包括:Options include:

        • 开始日期:选择计划时段开始的日期。Start day: Choose the day on which the schedule window starts.
        • 开始时间:选择计划时段开始的时间。Start time: Choose the time day when the schedule window begins. 例如,如果选择“凌晨 5 点”,并选择计划类型为“在计划时间内更新”,则会在凌晨 5 点开始安装更新。For example, if you select 5 AM and have a Schedule type of Update during scheduled time, 5 AM will be the time that updates can begin to install. 如果选择计划类型为“在计划时间之外更新”,则不会在凌晨 5 点开始安装更新。If you chose a Schedule type of Update outside of a scheduled time, 5 AM will be the start of a period of time that updates can't install.
        • 结束日期:选择计划时段结束的日期。End day: Choose the day on which the schedule window ends.
        • 结束时间:选择计划时段结束的时间。End time: Choose the time of day when the schedule window stops. 例如,如果选择“凌晨 1 点”,并选择计划类型为“在计划时间内更新”,则凌晨 1 点不再安装更新。For example, if you select 1 AM and have a Schedule type of Update during scheduled time, 1 AM will be the time that updates can no longer install. 如果选择计划类型为“在计划时间之外更新”,则凌晨 1 点会开始安装更新。If you chose a Schedule type of Update outside of a scheduled time, 1 AM will be the start of a period of time that updates can install.

      如果未配置开始时间或结束时间,则配置不会产生限制,随时都可以安装更新。If you do not configure times to start or end, the configuration results in no restriction and updates can install at any time.

      备注

      可在设备限制中配置设置,使更新于一段时间内在受监管的 iOS/iPadOS 设备上对设备用户不可见。You can configure settings in Device Restrictions to hide an update from device users for a period of time on your supervised iOS/iPadOS devices. 通过限制期,可在更新可供用户安装之前对其进行测试。A restriction period can give you time to test an update before its visible to users to install. 设备限制期限到期后,用户便可看到该更新。After the device restriction period expires, the update becomes visible to users. 然后,用户可选择安装更新,否则软件更新策略可能会在不久后自动安装它。Users can then choose to install it, or your Software update policies might automatically install it soon after.

      使用设备限制隐藏更新时,请查看软件更新策略,确保它们不会在该限制期间结束之前计划安装更新。When you use a device restriction to hide an update, review your software update policies to ensure they wont schedule the install of the update before that restriction period ends. 软件更新策略会根据自己的计划来安装更新,而不管更新对设备用户是隐藏的还是可见的。Software update policies install updates based on their own schedule, regardless of the update being hidden or visible to the device user.

    配置“更新策略设置”之后,选择“下一步”。After configuring Update policy settings, select Next.

  5. 若要将标记应用于更新策略,请在“作用域标记”选项卡上,选择“+ 选择作用域标记”以打开“选择标记”窗格 。On the Scope tags tab, select + Select scope tags to open the Select tags pane if you want to apply them to the update policy.

    • “选择标记” 窗格中,选择一个或多个标记,然后单击 “选择” 以将其添加到策略,然后返回 “作用域标记” 窗格。On the Select tags pane, choose one or more tags, and then click Select to add them to the policy and return to the Scope tags pane.

    准备就绪后,选择“下一步”,转到“分配”。When ready, select Next to continue to Assignments.

  6. 在“分配”选项卡上,选择“+ 选择要包括的组”,然后将更新策略分配到一个或多个组 。On the Assignments tab, choose + Select groups to include and then assign the update policy to one or more groups. 使用“+ 选择要排除的组”对分配进行相应调整。Use + Select groups to exclude to fine-tune the assignment. 准备就绪后,选择“下一步”继续操作。When ready, select Next to continue.

    需对策略目标用户所用的设备进行更新符合性评估。The devices used by the users targeted by the policy are evaluated for update compliance. 此策略还支持无用户设备。This policy also supports userless devices.

  7. 在“查看 + 创建”选项卡中,查看设置,然后在已准备好保存 iOS/iPadOS 更新策略时选择“创建” 。On the Review + create tab, review the settings, and then select Create when ready to save your iOS/iPadOS update policy. 新策略显示在 iOS/iPadOS 更新策略列表中。Your new policy is displayed in the list of update policies for iOS/iPadOS.

如需 Intune 支持团队的指导,请参阅在 Intune 中为受监督的设备延迟软件更新可见性For guidance from the Intune support team, see Delay visibility of software updates in Intune for supervised devices.

备注

Apple MDM 不允许强制设备在特定时间或日期前安装更新。Apple MDM doesn't allow you to force a device to install updates by a certain time or date. 无法使用 Intune 软件更新策略来降低设备上的操作系统版本级别。You can't use Intune software update policies to downgrade the OS version on a device.

编辑策略Edit a policy

可以编辑现有策略,包括更改限制时间:You can edit an existing policy, including changing the restricted times:

  1. 选择“设备” > “适用于 iOS 的更新策略”。Select Devices > Update policies for iOS. 选择要编辑的策略。Select the policy you want to edit.

  2. 在查看策略“属性”时,为要修改的策略页面选择“编辑” 。While viewing the policies Properties, select Edit for the policy page you want to modify.

    编辑策略

  3. 进行更改后,选择“查看 + 保存” > “保存”,保存所做的修改,然后返回策略“属性” 。After introducing a change, select Review + save > Save to save your edits, and return to the policies Properties.

备注

如果“开始时间”和“结束时间”都设为凌晨 12 点,则 Intune 不会检查有关更新安装时间的限制 。If the Start time and End time are both set to 12 AM, Intune does not check for restrictions on when to install updates. 这意味着将忽略已有的任何“选择阻止安装更新的时间”配置,结果是可以随时安装更新。This means than any configurations you have for Select times to prevent update installations are ignored, and updates can install at any time.

监视设备安装故障Monitor device installation failures

“软件更新” > “iOS/iPadOS 设备安装故障”列出了虽是策略更新目标,但尝试更新后却未能成功更新的受监督 iOS 设备 。Software updates > Installation failures for iOS devices shows a list of supervised iOS/iPadOS devices targeted by an update policy, attempted an update, and couldn't be updated. 可以查看每个设备的状态,了解该设备未自动更新的原因。For each device, you can view the status on why the device hasn't been automatically updated. 运行正常的最新版本设备不会显示在该列表中。Healthy, up-to-date devices aren't shown in the list. “最新版本”设备包括设备本身支持的最新更新。"Up-to-date" devices include the latest update that the device itself supports.

后续步骤Next steps

监视其状态Monitor its status.