Set up Android device with the Microsoft Intune app and DISA Purebred

Enroll your device with the Microsoft Intune app to gain secure, mobile access to your organization's email, files, and apps. After your device is enrolled, it becomes managed. Your organization can assign policies and apps to the device through a mobile device management (MDM) provider, such as Intune.

During enrollment, you'll also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails.

You likely need to set up a derived credential if you use a smart card to:

  • Sign in to school or work apps, Wi-Fi, and virtual private networks (VPN)
  • Sign and encrypt school or work emails using S/MIME certificates

In this article, you will:

  • Enroll a mobile Android device with the Intune app
  • Set up your smart card by installing a derived credential from your organization's derived credential provider, DISA Purebred

What are derived credentials?

A derived credential is a certificate that's derived from your smart card credentials and installed on your device. It grants you remote access to work resources, while preventing unauthorized users from accessing sensitive information.

Derived credentials are used to:

  • Authenticate students and employees who sign in to school or work apps, Wi-Fi, and VPN
  • Sign and encrypt school or work emails with S/MIME certificates

Derived credentials are an implementation of the National Institute of Standards and Technology (NIST) guidelines for Derived Personal Identity Verification (PIV) credentials as part of Special Publication (SP) 800-157.

Prerequisites

To complete enrollment, you must have:

  • Your school or work-provided smart card
  • Access to a computer or kiosk where you can sign in with your smart card
  • A new or factory-reset device running Android 7.0 or later
  • The Microsoft Intune app installed on your device
  • The Purebred app installed on your device (The app should install automatically shortly after device setup. If it doesn't, contact your IT support person.)

You'll also need to contact a Purebred agent or representative during setup.

Enroll device

  1. Turn on your new or factory-reset device.

  2. On the Welcome screen, select your language. If you've been instructed to enroll with a QR code or NFC, follow the step below that matches the method.

    • NFC: Tap your NFC-supported device against a programmer device to connect to your organization's network. Follow the onscreen prompts. When you reach the screen for Chrome's Terms of Service, continue to step 5.

    • QR code: Complete the steps in QR code enrollment.

    If you've been instructed to use another method, continue to step 3.

  3. Connect to Wi-Fi and tap NEXT. Follow the step that matches your enrollment method.

    • Token: When you get to the Google sign-in screen, complete the steps in Token enrollment.

    • Google Zero Touch: After you connect to Wi-Fi, your device will be recognized by your organization. Continue to step 4 and follow the onscreen prompts until setup is complete.

      Example image of the Google terms screen when using Google Zero Touch, with the ACCEPT & CONTINUE button highlighted.

  4. Review Google's terms. Then tap ACCEPT & CONTINUE.

    Example image of the Google terms screen, with the ACCEPT & CONTINUE button highlighted.

  5. Review Chrome's Terms of Service. Then tap ACCEPT & CONTINUE.

    Example image of the Chrome Terms of Service screen, with the ACCEPT & CONTINUE button highlighted.

  6. On the sign-in screen, tap Sign-in options and then Sign in from another device.

  7. Write down the onscreen code.

  8. Switch to your smart card-enabled device and go to the web address that's shown on your screen.

  9. Enter the code you previously wrote down.

    Screenshot of the Company Portal website "Enter code" prompt.

  10. Insert your smart card to sign in.

  11. On the sign-in screen, select your work or school account. Then switch back to your mobile device.

  12. Depending on your organization's requirements, you might be prompted to update settings, such as screen lock or encryption. If you see these prompts, tap SET and follow the onscreen instructions.

    Example image of the Set up your work phone screen, with the SET button highlighted.

  13. To install work apps on your device, tap INSTALL. After installation is complete, tap NEXT.

    Example image of the Set up your work phone screen, with the INSTALL button highlighted.

  14. Tap START to open the Microsoft Intune app.

    Example image of the Set up your work phone screen, with the START button highlighted.

  15. Return to the Intune app on your mobile device and follow the onscreen instructions until enrollment is done.

    Example image of the Set up access, Enroll device screen, with the DONE button highlighted.

  16. Continue to the Set up smart card section in this article to finish setting up your device.

QR code enrollment

In this section, you'll scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps.

  1. On the Welcome screen, tap the screen five times to start QR code setup.

    Example image of the device setup Welcome screen, with the instruction to tap the screen highlighted.

  2. Follow any onscreen instructions to connect to Wi-Fi.

  3. If your device doesn't have a QR code scanner, the setup screens will show the progress as a scanner is installed. Wait for installation to complete.

  4. When prompted, scan the enrollment profile QR code that your organization gave you.

  5. Return to Enroll device, step 4 to continue setup.

Token enrollment

In this section, you'll enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps.

  1. On the Google sign-in screen, in the Email or phone box, type afw#setup. Tap Next.

    Example image of the Google sign-in screen, showing afw#setup typed into the field.

  2. Choose Install for the Android Device Policy app. Continue through the installation. Depending on your device, you might need to review and accept additional terms.

  3. On the Enroll this device screen, select Next.

  4. Select Enter code.

  5. On the Scan or enter code screen, type in the code that your organization gave you. Then tap Next.

    Example image of the Scan or enter code screen, with the Next button highlighted.

  6. Return to Enroll device, step 4 to continue setup.

Set up smart card

Note

The Purebred app is required to complete these steps and will automatically install on your device after enrollment. If you still don't have the app after waiting a short while, contact your IT support person.

  1. After enrollment is complete, the Intune app will notify you to set up your smart card. Tap the notification. If you don't get a notification, check your email.

    Screenshot of the Intune app push notification on device home screen.

  2. On the Set up smart card screen:

    1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide additional instructions, you'll be sent to this article.

    2. Tap BEGIN.

    Screenshot of the Intune app, Set up smart card screen.

  3. On the Get certificates screen, tap LAUNCH PUREBRED to open the Purebred app. (The app should have been installed automatically on your device. If you don't have it, contact your support person.)

    Screenshot of the Intune app prompt to open DISA Purebred app.

  4. The Purebred app might need additional permissions from you in order to run properly. Tap Allow or Allow all the time when prompted. For more information about why these permissions are required, speak with your support person or Purebred agent.

  5. Once you're in the Purebred app, work with your organization's Purebred agent to download and install the certificates you need to access work or school resources.

    Important

    During this process, tap OK or Install when prompted. Don't change the names of any certificate authorities (CAs) or certificates that you're prompted to install.

  6. After installation is complete, you'll receive a notification that your certificates are ready. Tap the notification to return to the Intune app.

    Screenshot of the "Allow access to certificates" screen

  7. From the Allow access to certificates screen, you'll give the Intune app permission to access the derived credential you got from DISA Purebred. This step ensures that your organization can verify your identity whenever you access protected work or school resources.

    1. Tap NEXT.

      Screenshot of the "Certificates are ready" prompt

    2. When you're prompted to Choose certificate, don't change the selection. The correct certificate is already selected, so just tap Select or OK.

      Screenshot of the "Choose certificate" prompt

    3. Your derived credential is made up of multiple certificates, so you might see the Choose certificate prompt multiple times. Repeat the previous step until no more prompts appear.

  8. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. You'll know setup is complete when you see the You're all set! screen.

    Screenshot of the "You're all set" screen

Next steps

After enrollment is complete, you'll have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see:

Still need help? Contact your company support. For contact information, check the Company Portal website.