Enable iOS device enrollment with Apple School Manager

This topic helps you enable iOS device enrollment for devices purchased through the Apple School Manager program. Using Intune with Apple School Manager, you can enroll large numbers of iOS devices without ever touching them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create DEP enrollment profiles containing the settings that are applied to devices during enrollment.

Apple School Manager enrollment can't be used with Apple's Device Enrollment Program or the device enrollment manager.

Prerequisites

Get an Apple token and assign devices

Before you can enroll corporate-owned iOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers for management.

Step 1. Download the Intune public key certificate required to create an Apple token

  1. In Intune, choose Device enrollment > Apple enrollment > Enrollment program tokens > Add.


  2. In the Enrollment program token blade, choose Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal.

Step 2. Download a token and assign devices

  1. Choose Create a token via Apple School Manager, and sign in to Apple School Manager with your company Apple ID. Record this Apple ID: it is the account you use to renew the Apple School Manager token.

  2. In the Apple School Manager portal, go to MDM Servers, and then choose Add MDM Server (upper right).

  3. Enter the MDM Server Name. The server name is for your reference, to identify the mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.

  4. Choose Upload File... in the Apple portal, browse to the .pem file, and choose Save MDM Server (lower right).

  5. Choose Get Token and then download the server token (.p7m) file to your computer. Treat this file as a secret: it authenticates an MDM server to Apple for the devices assigned to that server, so keep it where only Intune administrators can read it and remove local copies once it has been uploaded to Intune.

  6. Go to Device Assignments, and under Choose Devices select the devices by manually entering Serial Numbers, by Order Number, or by uploading a CSV file.

  7. Choose the action Assign to Server, choose the MDM server you created for Microsoft Intune (the <ServerName> from step 3), and then choose OK.

Step 3. Save the Apple ID used to create this token

In Intune in the Azure portal, enter the Apple ID for future reference.

Step 4. Upload your token

In the Apple token box, browse to the server token (.p7m) file you downloaded from Apple, choose Open, and then choose Create. (The .pem file from step 1 was uploaded to Apple; Intune needs the .p7m token that Apple issued in return.) Together with the Apple MDM push certificate, the token lets Intune enroll and manage iOS devices by pushing policy to enrolled devices. Intune automatically synchronizes your Apple School Manager devices from Apple.

Create an Apple enrollment profile

Now that you've installed your token, you can create an enrollment profile for Apple School Manager devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.

  1. In Intune, choose Device enrollment > Apple enrollment > Enrollment program tokens.

  2. Select a token, choose Profiles, and then choose Create profile.

  3. Under Create Profile, enter a Name and Description for the profile for administrative purposes. Users do not see these details. You can use this Name field to create a dynamic group in Azure Active Directory: the profile name is the value of the enrollmentProfileName device attribute, so a membership rule on that attribute selects the devices that enroll with this profile. Learn more about Azure Active Directory dynamic groups.

  4. For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • Enroll with User Affinity - Choose this option for devices that belong to users who want to use the Company Portal for services like installing apps. This option also lets users authenticate their devices by using the Company Portal. User affinity requires a WS-Trust 1.3 Username/Mixed endpoint. Apple School Manager's Shared iPad mode requires enrolling without user affinity.

    • Enroll without User Affinity - Choose this option for devices unaffiliated with a single user, such as a shared device. Use it for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work.

  5. If you chose Enroll with User Affinity, you have the option to let users authenticate with the Company Portal instead of the Apple Setup Assistant.

    Note

    Multifactor authentication (MFA) doesn't work during enrollment on Apple School Manager devices if the profile is set to Enroll with User Affinity and you aren't using the Company Portal for authentication. After enrollment, MFA works as expected on these devices. Devices can't prompt users who need to change their password when they first sign in, and users with expired passwords aren't prompted to reset them during enrollment. Those users must reset the password from a different device.

  6. Choose Device Management Settings and select whether you want devices using this profile to be supervised. Supervised devices give you more management options and have Activation Lock disabled by default. Microsoft recommends using DEP as the mechanism for enabling supervised mode, especially for organizations that are deploying large numbers of iOS devices.

    Users are notified that their devices are supervised in two ways:

    • The lock screen says: "This iPhone is managed by Contoso."

    • The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device."

      Note

      A device enrolled without supervision can only be switched to supervised by using Apple Configurator, which erases the device. Resetting the device in this manner requires connecting the iOS device to a Mac with a USB cable. See the Apple Configurator documentation for details.

  7. Choose whether you want locked enrollment for devices using this profile. Locked enrollment disables the iOS settings that would let the user remove the management profile from the Settings menu. After the device enrolls, you cannot change this setting without factory resetting the device. Such devices must have Supervised set to Yes.

  8. If you want to let multiple users sign in to enrolled iPads by using a Managed Apple ID, choose Yes under Shared iPad. This requires Enroll without User Affinity and Supervised set to Yes. Managed Apple IDs are created in the Apple School Manager portal. Learn more about Shared iPad, and also review Apple's Shared iPad requirements.

  9. Choose whether you want the devices using this profile to be able to Sync with computers. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.

  10. If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator Certificate to import.

  11. Choose OK.

  12. Choose Setup Assistant Settings to configure the Setup Assistant customization settings listed below.

    • Department Name: Appears when users tap About Configuration during activation.
    • Department Phone: Appears when the user taps the Need Help button during activation.
    • Setup Assistant Options: The following optional settings can also be set up later in the iOS Settings menu.
      • Passcode: Prompt for a passcode during activation. Always require a passcode unless the device is secured or has access controlled in some other manner (for example, kiosk mode that restricts the device to one app).
      • Location Services: If enabled, Setup Assistant prompts for the service during activation.
      • Restore: If enabled, Setup Assistant prompts for iCloud backup during activation.
      • iCloud and Apple ID: If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen allows the device to be restored from an iCloud backup.
      • Terms and Conditions: If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.
      • Touch ID: If enabled, Setup Assistant prompts for this service during activation.
      • Apple Pay: If enabled, Setup Assistant prompts for this service during activation.
      • Zoom: If enabled, Setup Assistant prompts for this service during activation.
      • Siri: If enabled, Setup Assistant prompts for this service during activation.
      • Diagnostic Data: If enabled, Setup Assistant prompts for this service during activation.

  13. Choose OK.

  14. To save the profile, choose Create.
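The profile settings above depend on one another (Shared iPad needs no user affinity and supervision, locked enrollment needs supervision, Company Portal authentication needs user affinity, and Allow Apple Configurator by certificate needs a certificate), and the portal does not always surface a conflict until you try to save. The following added example, which is not Intune's own code, encodes those dependencies as a pre-flight check and also builds the Azure AD dynamic-group rule on the enrollmentProfileName attribute for a profile. The EnrollmentProfile field names and the sync_with_computers labels are this example's own assumptions, not Intune's property names.

```python
"""Pre-flight consistency check for an Apple School Manager enrollment profile.

Added example, not Intune's code. The constraints come from the profile
settings described on this page; the field names below are assumed for
the example and are not Intune's internal property names.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class EnrollmentProfile:
    name: str
    user_affinity: bool                    # Enroll with User Affinity
    company_portal_auth: bool = False      # Authenticate with Company Portal (needs user affinity)
    supervised: bool = False               # Device Management Settings > Supervised
    locked_enrollment: bool = False        # management profile cannot be removed from Settings
    shared_ipad: bool = False              # multiple users with Managed Apple IDs
    sync_with_computers: str = "deny"      # "deny" | "allow_all" | "allow_by_cert" (assumed labels)
    configurator_certificates: List[str] = field(default_factory=list)
    passcode_prompt: bool = True           # Setup Assistant > Passcode
    single_app_kiosk: bool = False         # device restricted to one app (the page's passcode exception)


def validate_profile(p: EnrollmentProfile) -> List[str]:
    """Return findings: "error: ..." blocks creation, "warning: ..." is advisory.

    An empty list means the profile is consistent with the rules on this page.
    """
    findings: List[str] = []
    if p.shared_ipad and p.user_affinity:
        findings.append("error: Shared iPad requires Enroll without User Affinity")
    if p.shared_ipad and not p.supervised:
        findings.append("error: Shared iPad requires Supervised set to Yes")
    if p.locked_enrollment and not p.supervised:
        findings.append("error: locked enrollment requires Supervised set to Yes")
    if p.company_portal_auth and not p.user_affinity:
        findings.append("error: Authenticate with Company Portal needs Enroll with User Affinity")
    if p.sync_with_computers == "allow_by_cert" and not p.configurator_certificates:
        findings.append("error: Allow Apple Configurator by certificate needs a certificate")
    if p.user_affinity and not p.company_portal_auth:
        findings.append("warning: without Company Portal authentication, MFA and "
                        "password-change prompts do not work during enrollment")
    if not p.supervised:
        findings.append("warning: unsupervised; switching to supervised later needs "
                        "Apple Configurator over USB and erases the device")
    if not p.passcode_prompt and not p.single_app_kiosk:
        findings.append("warning: passcode prompt disabled on a device that is not in single-app kiosk mode")
    return findings


def dynamic_group_rule(profile_name: str) -> str:
    """Azure AD dynamic device group rule that selects devices enrolled with this profile.

    The rule syntax (device.enrollmentProfileName -eq "...") is Azure AD's own;
    names containing a double quote are rejected here rather than escaped.
    """
    if '"' in profile_name:
        raise ValueError("profile name must not contain a double quote")
    return f'(device.enrollmentProfileName -eq "{profile_name}")'


if __name__ == "__main__":
    # Constructed profiles for demonstration.
    shared = EnrollmentProfile(name="Shared iPads", user_affinity=False,
                               supervised=True, shared_ipad=True, locked_enrollment=True)
    conflicting = EnrollmentProfile(name="Bad profile", user_affinity=True, shared_ipad=True,
                                    locked_enrollment=True, sync_with_computers="allow_by_cert")
    for prof in (shared, conflicting):
        print(prof.name, validate_profile(prof) or ["ok"])
        print("  group rule:", dynamic_group_rule(prof.name))
```

Run the check before clicking Create; the warnings are the places where this page says the enrollment experience degrades (no MFA during Setup Assistant enrollment, no later switch to supervised without a wipe) rather than hard failures.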

Connect School Data Sync

(Optional) Apple School Manager supports synchronizing class roster data to Azure Active Directory (AD) using Microsoft School Data Sync (SDS). You can only sync one token with SDS. If you set up another token with School Data Sync, SDS is removed from the token that previously had it; the new connection replaces the current one. Complete the following steps to use SDS to sync school data.

  1. In Intune, choose Device enrollment > Apple enrollment > Enrollment program tokens.
  2. Select an Apple School Manager token and then choose School Data Sync.
  3. Under School Data Sync, choose Allow. This setting allows Intune to connect with SDS in Office 365.
  4. To enable a connection between Apple School Manager and Azure AD, choose Set up Microsoft School Data Sync. Learn more about how to set up School Data Sync.
  5. Click Save > OK.

Sync managed devices

Now that Intune has been assigned permission to manage your Apple School Manager devices, you can synchronize Intune with the Apple service to see your managed devices in Intune.

In Intune, choose Device enrollment > Apple enrollment > Enrollment program tokens > choose a token in the list > Devices > Sync.

To comply with Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:

  • A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that are not already listed in Intune.
  • Any sync request is given 15 minutes to finish. During this time, or until the request succeeds, the Sync button is disabled.
  • Intune syncs new and removed devices with Apple every 24 hours.

Note

You can also assign Apple School Manager serial numbers to profiles from the Enrollment Program Devices blade.

Assign a profile to devices

Apple School Manager devices managed by Intune must be assigned an enrollment profile before they are enrolled.

  1. In Intune, choose Device enrollment > Apple enrollment > Enrollment program tokens > choose a token in the list.
  2. Choose Devices > choose devices in the list > Assign profile.
  3. Under Assign profile, choose a profile for the devices and then choose Assign.
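For a large fleet, the sync and profile assignment in the two sections above are usually scripted rather than clicked through. The following added example (not Microsoft's or Intune's code) does both through the Microsoft Graph beta API and applies this page's sync rules before pressing the equivalent of the Sync button. It assumes that deviceManagement/depOnboardingSettings/{id} is the uploaded token and exposes lastSyncTriggeredDateTime and lastSuccessfulSyncDateTime, that its importedAppleDeviceIdentities collection lists synced serials with requestedEnrollmentProfileId and isDeleted, that the syncWithAppleDeviceEnrollmentProgram action triggers a sync, and that enrollmentProfiles/{id}/updateDeviceProfileAssignment accepts {"deviceIds": [serials]}; check these against the current Graph reference before relying on them. The caller supplies an http(method, url, body) callable that adds the bearer token; FakeGraph is a constructed stand-in so the module runs offline.

```python
"""Sync Apple School Manager devices into Intune and assign an enrollment profile via Graph beta.

Added example, not Microsoft's code. The Graph beta paths and property names
used here are assumptions stated in the lead-in; verify them against the
Graph reference for your tenant before use.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/beta"
FULL_SYNC_INTERVAL = timedelta(days=7)   # page rule: a full sync at most once every 7 days
SYNC_TIMEOUT = timedelta(minutes=15)     # page rule: a sync request has 15 minutes to finish

Http = Callable[[str, str, Optional[dict]], dict]


def sync_is_allowed(last_triggered: Optional[datetime], last_success: Optional[datetime],
                    now: datetime) -> Tuple[bool, str]:
    """Mirror the Sync button: blocked while a sync is in flight, delta-only within 7 days."""
    in_flight = (last_triggered is not None
                 and (last_success is None or last_success < last_triggered)
                 and now - last_triggered < SYNC_TIMEOUT)
    if in_flight:
        return False, "sync in progress; wait up to 15 minutes"
    if last_success is not None and now - last_success < FULL_SYNC_INTERVAL:
        return True, "delta sync only: Intune refreshes just serials it has not seen yet"
    return True, "full sync"


def parse_graph_time(value: Optional[str]) -> Optional[datetime]:
    """Parse Graph's ISO-8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def list_all(http: Http, url: str) -> List[dict]:
    """Follow @odata.nextLink paging until the collection is exhausted."""
    items: List[dict] = []
    while url:
        page = http("GET", url, None)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def plan_assignment(devices: List[dict], profile_id: str,
                    wanted: List[str]) -> Tuple[List[str], List[str]]:
    """Split wanted serials into (needs this profile, unknown to this token).

    A serial Apple has not assigned to this MDM server cannot be given a profile
    from Intune; it must first be assigned to the server in the Apple portal.
    """
    known = {d["serialNumber"]: d for d in devices if not d.get("isDeleted", False)}
    to_assign, unknown = [], []
    for serial in wanted:
        dev = known.get(serial)
        if dev is None:
            unknown.append(serial)
        elif dev.get("requestedEnrollmentProfileId") != profile_id:
            to_assign.append(serial)
    return to_assign, unknown


def assign_profile(http: Http, dep_id: str, profile_id: str, serials: List[str],
                   now: datetime) -> Dict[str, List[str]]:
    """Trigger a sync if allowed, then assign the profile to serials that still need it."""
    base = f"{GRAPH}/deviceManagement/depOnboardingSettings/{dep_id}"
    token = http("GET", base, None)
    allowed, reason = sync_is_allowed(parse_graph_time(token.get("lastSyncTriggeredDateTime")),
                                      parse_graph_time(token.get("lastSuccessfulSyncDateTime")), now)
    if allowed:
        http("POST", f"{base}/syncWithAppleDeviceEnrollmentProgram", None)
    # The sync is asynchronous: serials Apple assigned minutes ago may still show as unknown.
    devices = list_all(http, f"{base}/importedAppleDeviceIdentities")
    to_assign, unknown = plan_assignment(devices, profile_id, serials)
    if to_assign:
        http("POST", f"{base}/enrollmentProfiles/{profile_id}/updateDeviceProfileAssignment",
             {"deviceIds": to_assign})
    return {"assigned": to_assign, "unknown": unknown, "sync": [reason]}


class FakeGraph:
    """Constructed in-memory stand-in for Graph that records every call (test data only)."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Optional[dict]]] = []
        self.token = {"id": "dep-1", "lastSyncTriggeredDateTime": "2024-03-01T08:00:00Z",
                      "lastSuccessfulSyncDateTime": "2024-03-01T08:05:00Z"}
        self.devices = [  # constructed serial numbers
            {"serialNumber": "C02AAAAA0001", "requestedEnrollmentProfileId": None, "isDeleted": False},
            {"serialNumber": "C02AAAAA0002", "requestedEnrollmentProfileId": "profile-1", "isDeleted": False},
            {"serialNumber": "C02AAAAA0003", "requestedEnrollmentProfileId": None, "isDeleted": True},
        ]

    def __call__(self, method: str, url: str, body: Optional[dict] = None) -> dict:
        self.calls.append((method, url, body))
        if method == "GET" and url.endswith("/importedAppleDeviceIdentities"):
            return {"value": self.devices[:2], "@odata.nextLink": url + "?$skip=2"}
        if method == "GET" and "$skip=2" in url:
            return {"value": self.devices[2:]}
        return self.token if method == "GET" else {}


if __name__ == "__main__":
    now = datetime(2024, 3, 5, 8, 0, tzinfo=timezone.utc)
    print(assign_profile(FakeGraph(), "dep-1", "profile-1",
                         ["C02AAAAA0001", "C02AAAAA0002", "C02AAAAA0003", "C02AAAAA0009"], now))
```

The sync decision is made from the token's timestamps rather than by retrying blindly, so a scheduled run cannot burn through Apple's traffic allowance; the unknown list is the set of serials you still have to assign to the MDM server in the Apple School Manager portal before Intune can do anything with them.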

Distribute devices to users

You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School Manager devices enroll. You can now distribute devices to users. When an iOS Apple School Manager device is turned on, it is enrolled for management by Intune. If the device has already been activated and is in use, the profile cannot be applied until the device is factory reset.