Enable iOS device enrollment with Apple School Manager

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

This topic helps you enable iOS device enrollment for devices purchased through the Apple School Manager program. Using Intune with Apple School Manager, you can enroll large numbers of iOS devices without ever touching them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create DEP enrollment profiles containing settings that are applied to devices during enrollment.

Also, Apple School Manager enrollment can't be used with Apple's Device Enrollment Program or the device enrollment manager.

Prerequisites

Note

Multifactor authentication (MFA) doesn't work during enrollment on Apple School Manager devices with user affinity. After enrollment, MFA works as expected on these devices. Devices can't prompt users who need to change their password when they first sign in. Additionally, users with expired passwords aren't prompted to reset their password during enrollment. Users must use a different device to reset the password.

Get the Apple token and assign devices

Before you can enroll corporate-owned iOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage.

Step 1. Download an Intune public key certificate required to create an Apple token.

  1. In Intune in the Azure portal, choose Device enrollment and then choose Enrollment program token.

    Screenshot of the Enrollment program token pane in the Apple Certificates workspace, used to download the public key.

  2. In the Enrollment program token blade, choose Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal.

Step 2. Download a token and assign devices.

  1. Choose Create a token via Apple School Manager, and sign in with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token.
  2. In the Apple School Manager portal, go to MDM Servers, and then choose Add MDM Server (upper right).
  3. Enter the MDM Server Name. The server name is for your reference to identify the mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.

  4. Choose Upload File... in the Apple portal, browse to the .pem file, and choose Save MDM Server (lower right).

  5. Choose Get Token and then download the server token (.p7m) file to your computer.
  6. Go to Device Assignments, and Choose Device by manual entry of Serial Numbers, Order Number, or Upload CSV File.

    Screenshot of Apple School Manager portal with Serial Number option selected.

  7. Choose the action Assign to Server, and choose the MDM Server you created.
  8. Specify how to Choose Devices, then provide device information and details.
  9. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.

Step 3. Enter the Apple ID used to create your Apple School Manager token.
This ID should be used to renew your Apple School Manager token and is stored for your future reference.

Screenshot of specifying the Apple ID used to create the enrollment program token and browsing to the enrollment program token.

Step 4. Locate and upload your token.
Go to the certificate (.p7m) file, choose Open, and then choose Upload. Intune automatically syncs your Apple School Manager devices from Apple.

Create an Apple enrollment profile

A device enrollment profile defines the settings applied to a group of devices during enrollment.

  1. In Intune in the Azure portal, choose Device enrollment, and then choose Apple Enrollment.
  2. Under Enrollment Program, choose Enrollment Program Profiles.
  3. On the Enrollment Program Profiles blade, choose Create.
  4. On the Create Enrollment Profile blade, enter a Name and Description for the profile that is displayed in Intune.
  5. For User Affinity, choose whether devices with this profile enroll with or without user affinity.

    • Enroll with user affinity - Affiliates the device with a user during setup.

    Apple School Manager's Shared iPad mode requires that users enroll without user affinity.

    • Enroll without user affinity - Choose for devices unaffiliated with a single user, such as shared devices. Use for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work.
  6. Choose Device Management Settings. These items are set during activation and require a factory reset to change. Configure the following profile settings, and then choose Save:

    Screenshot of choosing the management mode.

    • Supervised - a management mode that enables more management options and disables Activation Lock by default. If you leave the check box blank, you have limited management capabilities.

      • Locked enrollment - (Requires Management Mode = supervised) Disables iOS settings that could allow removal of the management profile. If you leave the check box blank, it allows the management profile to be removed from the Settings menu.
      • Shared iPad - (Requires Enroll without User Affinity and Supervised mode.) Allows multiple users to log on to enrolled iPads by using a managed Apple ID. Managed Apple IDs are created in the Apple School Manager portal. Learn more about shared iPad. You should also review Apple's shared iPad requirements.

    Note

    If User Affinity is set to With user affinity or Supervised mode is set to Off, Shared iPad mode is disabled for the enrollment profile.

      • Maximum Cached Users - (Requires Shared iPad = Yes) Creates a partition on the device for each user. The recommended value is the number of students likely to use the device over a period of time. For example, if six students use the device regularly during the week, set this number to six.

    • Allow Pairing - specifies whether iOS devices can sync with computers. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.

      • Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate under Allow Pairing, choose an Apple Configurator Certificate to import.
  7. Choose Setup Assistant Settings, configure the following profile settings, and then choose Save:

    • Department Name - Appears when users tap About Configuration during activation.

    • Department Phone - Appears when the user clicks the Need Help button during activation.

    • Setup Assistant Options - If excluded from Setup Assistant options, these settings can be set later in the iOS Settings menu.
      • Passcode - Prompt for passcode during activation. Always require a passcode unless the device is secured or has access controlled in some other manner (that is, kiosk mode that restricts the device to one app).
      • Location Services - If enabled, Setup Assistant prompts for the service during activation.
      • Restore - If enabled, Setup Assistant prompts for iCloud backup during activation.
      • Apple ID - If enabled, iOS prompts users for an Apple ID when Intune attempts to install an app without an ID. An Apple ID is required to download iOS App Store apps, including apps installed by Intune.
      • Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.
      • Touch ID - If enabled, Setup Assistant prompts for this service during activation.
      • Apple Pay - If enabled, Setup Assistant prompts for this service during activation.
      • Zoom - If enabled, Setup Assistant prompts for this service during activation.
      • Siri - If enabled, Setup Assistant prompts for this service during activation.
      • Diagnostic Data - If enabled, Setup Assistant prompts for this service during activation.
  8. To save the profile settings, choose Create on the Create Enrollment Profile blade.
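
The dependencies between the profile settings above (Supervised, Locked enrollment, Shared iPad, Maximum Cached Users, Allow Pairing, Passcode) can be checked before a profile is created. The following is an added example, not Intune or Microsoft code: it lints a hypothetical dictionary description of a profile, and every field name in it is an assumption made for illustration.

```python
# Added example, not Intune code: the profile is a hypothetical dict and every
# field name below is an assumption made for illustration.

def lint_profile(p):
    """Return findings for one enrollment profile, per the rules in this topic."""
    findings = []
    supervised = p.get("supervised", False)
    affinity = p.get("user_affinity", True)
    if p.get("locked_enrollment") and not supervised:
        findings.append("locked_enrollment requires supervised mode")
    if not supervised:
        findings.append("not supervised: limited management capabilities")
    elif not p.get("locked_enrollment"):
        findings.append("management profile can be removed from the Settings menu")
    if p.get("shared_ipad"):
        # Shared iPad needs both: enroll without user affinity AND supervised.
        if affinity or not supervised:
            findings.append("shared_ipad requires no user affinity and supervised mode")
    elif p.get("max_cached_users"):
        findings.append("max_cached_users requires shared_ipad")
    if (p.get("allow_pairing") == "configurator_by_certificate"
            and not p.get("configurator_certificates")):
        findings.append("pairing by certificate chosen but no certificate selected")
    # Passcode prompt may be skipped only if access is controlled another way.
    if not p.get("prompt_passcode", False) and not p.get("access_otherwise_controlled", False):
        findings.append("passcode prompt skipped with no other access control")
    return findings

# Constructed sample profiles: a weak one and its corrected form.
WEAK = {
    "user_affinity": True, "supervised": False, "locked_enrollment": True,
    "shared_ipad": True, "allow_pairing": "configurator_by_certificate",
    "configurator_certificates": [], "prompt_passcode": False,
}
FIXED = {
    "user_affinity": False, "supervised": True, "locked_enrollment": True,
    "shared_ipad": True, "max_cached_users": 6,
    "allow_pairing": "configurator_by_certificate",
    "configurator_certificates": ["constructed-example.cer"],
    "prompt_passcode": True,
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("fixed", FIXED)):
        print(name, lint_profile(prof) or "ok")
```

Because these items are set during activation and need a factory reset to change, running such a check before choosing Create is cheaper than correcting a deployed profile.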

Connect School Data Sync

(Optional) Apple School Manager supports syncing class roster data to Azure Active Directory (AD) using Microsoft School Data Sync (SDS). Complete the following steps to use SDS to sync school data.

  1. On the Enrollment Program Token blade, choose either the blue information banner or Connect SDS.
  2. Choose Allow Microsoft School Data Sync to use this token, setting to Allow. This setting allows Intune to connect with SDS in Office 365.
  3. To enable a connection between Apple School Manager and Azure AD, choose Set up Microsoft School Data Sync. Learn more about how to set up School Data Sync.
  4. Click OK to save and continue.

Sync managed devices

Now that Intune has been assigned permission to manage your Apple School Manager devices, you can synchronize Intune with the Apple service to see your managed devices in Intune.

  1. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment Program Devices > Sync. The progress bar shows the amount of time you must wait before requesting Sync again.

    Screenshot of the Enrollment Program Devices node selected and the Sync link being chosen.

  2. On the Sync blade, choose Request Sync. The progress bar shows the amount of time you must wait before requesting Sync again.

    Screenshot of the Sync blade and the Request Sync link being chosen.

    To comply with Apple's terms for acceptable traffic, Intune imposes the following restrictions:

    • A full sync can run no more than once every seven days. During a full sync, Intune refreshes every serial number that Apple has assigned to Intune whether the serial has previously been synced or not. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that are not already listed in Intune.
    • Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the Sync button is disabled.

Note

You can also assign Apple School Manager serial numbers to profiles from the Enrollment Program Devices blade.

Assign a profile to devices

Apple School Manager devices managed by Intune must be assigned an enrollment profile before they are enrolled.

  1. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment, and then choose Enrollment Program profiles.
  2. From the list of Enrollment Program Profiles, choose the profile you want to assign to devices and then choose Device Assignments.

    Screenshot of Device Assignments with Assign selected.

  3. Choose Assign and then choose the Apple School Manager devices you want to assign this profile. You can filter to view available devices:

    • unassigned
    • any
    • <profile name>
  4. Choose the devices you want to assign. The checkbox above the column selects up to 1000 listed devices. Click Assign. To enroll more than 1000 devices, repeat the assignment steps until all devices are assigned an enrollment profile.

    Screenshot of the Assign button for assigning an enrollment program profile in Intune.

Distribute devices to users

You can now distribute corporate-owned devices to users. When an iOS Apple School Manager device is turned on, it is enrolled for management by Intune. If the device has been activated and is in use, the profile cannot be applied until the device is factory reset.