Enable iOS device enrollment with Apple School Manager

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

This topic helps IT administrators enable iOS device enrollment for devices purchased through the Apple School Manager program. Microsoft Intune can deploy an enrollment profile “over the air” that enrolls Apple School Manager devices into management. The administrator never has to touch each managed device. The enrollment profile contains management settings that are applied to devices during enrollment, including Setup Assistant options.

Apple School Manager enrollment steps

  1. Get an Apple School Manager token and assign devices
  2. Create an enrollment profile
  3. Connect School Data Sync (Optional)
  4. Sync Apple School Manager-managed devices
  5. Assign Apple School Manager profile to devices
  6. Distribute devices to users
Note

Apple School Manager enrollment can't be used with Apple's DEP or the device enrollment manager.

Get the Apple token and assign devices

Before you can enroll corporate-owned iOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage.

Prerequisites

Step 1. Download an Intune public key certificate required to create an Apple token.

  1. In the Azure Intune portal, choose Device enrollment and then select Enrollment program token.
  2. In the Enrollment program token blade, select Download your public key to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal.

Step 2. Download a token and assign devices.
Select Create a token via Apple School Manager, and sign in with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token.

  1. In the Apple School Manager portal, go to MDM Servers, and then select Add MDM Server (upper right).
  2. Enter the MDM Server Name. The server name is for your reference to identify the mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.
  3. Select Upload File... in the Apple portal, browse to the .pem file, and select Save MDM Server (lower right).
  4. Select Get Token and then download the server token (.p7m) file to your computer.
  5. Go to Device Assignments, and Choose Device by manual entry of Serial Numbers, Order Number, or Upload CSV File.
  6. Choose the action Assign to Server, and select the MDM Server you created.
  7. Specify how to Choose Devices, then provide device information and details.
  8. Choose Assign to Server and choose the <ServerName> specified for Microsoft Intune, and then choose OK.

Step 3. Enter the Apple ID used to create your Apple School Manager token.
This ID should be used to renew your Apple School Manager token and is stored for your future reference.

Step 4. Locate and upload your token.
Go to the certificate (.p7m) file, choose Open, and then choose Upload. Intune automatically syncs your Apple School Manager devices from Apple.

Create an Apple enrollment profile

A device enrollment profile defines the settings applied to a group of devices during enrollment.

  1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
  2. Under Enrollment Program, select Enrollment Program Profiles.
  3. On the Enrollment Program Profiles blade, select Create.
  4. On the Create Enrollment Profile blade, enter a Name and Description for the profile that is displayed in the Intune portal.
  5. For User Affinity, choose whether devices with this profile enroll with or without user affinity.

    • Enroll with user affinity - Affiliates the device with a user during setup.
    Note

    Multifactor authentication (MFA) doesn't work during enrollment on Apple School Manager devices with user affinity. After enrollment, MFA works as expected on these devices.

    Apple School Manager's Shared iPad mode requires users to enroll without user affinity.

    Note

    Apple School Manager with user affinity requires the WS-Trust 1.3 Username/Mixed endpoint to be enabled to request a user token. Learn more about WS-Trust 1.3.

    • Enroll without user affinity - The device is not affiliated with a user. Use this affiliation for devices that perform tasks without accessing local user data. Apps requiring user affinity (including the Company Portal app used for installing line-of-business apps) do not work.
  6. Select Device Management Settings. These items are set during activation and require a factory reset to change. Configure the following profile settings, and then select Save:

    • Supervised - A management mode that enables more management options and disables Activation Lock by default. If you leave the check box blank, you have limited management capabilities.

    • Locked enrollment - (Requires Management Mode = Supervised) Disables iOS settings that could allow removal of the management profile. If you leave the check box blank, it allows the management profile to be removed from the Settings menu.

    • Shared iPad - (Requires Enroll without User Affinity and Supervised mode.) Allows multiple users to log on to enrolled iPads by using a managed Apple ID. Managed Apple IDs are created in the Apple School Manager portal.
    Note

    If User Affinity is set to With user affinity or Supervised mode is set to Off, Shared iPad mode is disabled for the enrollment profile.

    • Maximum Cached Users - (Requires Shared iPad = Yes) Creates a partition on the device for each user. The recommended value is the number of students likely to use the device over a period of time. For example, if six students use the device regularly during the week, set this number to six.

      • Allow Pairing - Specifies whether iOS devices can sync with computers. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.

      • Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate under Allow Pairing, select an Apple Configurator Certificate to import.

  7. Select Setup Assistant Settings, configure the following profile settings, and then select Save:

    • Department Name - Appears when users tap About Configuration during activation.

    • Department Phone - Appears when the user clicks the Need Help button during activation.

    • Setup Assistant Options - If excluded from Setup Assistant options, these settings can be set later in the iOS Settings menu.
      • Passcode - Prompt for passcode during activation. Always require a passcode unless the device is secured or has access controlled in some other manner (that is, kiosk mode that restricts the device to one app).
      • Location Services - If enabled, Setup Assistant prompts for the service during activation.
      • Restore - If enabled, Setup Assistant prompts for iCloud backup during activation.
      • Apple ID - If enabled, iOS prompts users for an Apple ID when Intune attempts to install an app without an ID. An Apple ID is required to download iOS App Store apps, including apps installed by Intune.
      • Terms and Conditions - If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.
      • Touch ID - If enabled, Setup Assistant prompts for this service during activation.
      • Apple Pay - If enabled, Setup Assistant prompts for this service during activation.
      • Zoom - If enabled, Setup Assistant prompts for this service during activation.
      • Siri - If enabled, Setup Assistant prompts for this service during activation.
      • Diagnostic Data - If enabled, Setup Assistant prompts for this service during activation.
  8. To save the profile settings, select Create on the Create Enrollment Profile blade.
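Because the Device Management Settings are fixed at activation and need a factory reset to change, it helps to check a planned profile against the dependencies listed above before assigning it. The following is an added example, not Intune code or an Intune API: the field names and sample profiles are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EnrollmentProfile:
    # Hypothetical field names for this example; not Intune's own schema.
    name: str
    user_affinity: bool                      # True = "Enroll with user affinity"
    supervised: bool
    locked_enrollment: bool
    shared_ipad: bool = False
    max_cached_users: Optional[int] = None
    pairing_by_configurator_cert: bool = False
    configurator_cert: Optional[str] = None
    prompt_passcode: bool = True


def lint_profile(p: EnrollmentProfile) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors break a stated requirement,
    warnings mark settings that leave the device less controlled."""
    errors, warnings = [], []
    if p.locked_enrollment and not p.supervised:
        errors.append("Locked enrollment requires Supervised")
    if p.shared_ipad and (p.user_affinity or not p.supervised):
        errors.append("Shared iPad requires Supervised and no user affinity")
    if p.max_cached_users is not None and not p.shared_ipad:
        errors.append("Maximum Cached Users requires Shared iPad")
    if p.pairing_by_configurator_cert and not p.configurator_cert:
        errors.append("Pairing by certificate needs an Apple Configurator certificate")
    if not p.supervised:
        warnings.append("Not supervised: limited management capabilities")
    elif not p.locked_enrollment:
        warnings.append("Management profile can be removed from the Settings menu")
    if not p.prompt_passcode:
        warnings.append("Passcode prompt excluded: confirm access is controlled another way")
    return errors, warnings


# Constructed sample profiles (not real tenant data).
CART = EnrollmentProfile("classroom-cart", user_affinity=False, supervised=True,
                         locked_enrollment=True, shared_ipad=True, max_cached_users=6)
BAD = EnrollmentProfile("teacher-ipad", user_affinity=True, supervised=False,
                        locked_enrollment=True, shared_ipad=True, prompt_passcode=False)

if __name__ == "__main__":
    for prof in (CART, BAD):
        errs, warns = lint_profile(prof)
        print(prof.name, "errors:", errs, "warnings:", warns)
```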

Connect School Data Sync

(Optional) Apple School Manager supports syncing class roster data to Azure Active Directory (AD) using Microsoft School Data Sync (SDS). Complete the following steps to use SDS to sync school data.

  1. On the Enrollment Program Token blade, select either the blue information banner or Connect SDS.
  2. Select Allow Microsoft School Data Sync to use this token, setting to Allow. This setting allows Intune to connect with SDS in Office 365.
  3. To enable a connection between Apple School Manager and Azure AD, select Set up Microsoft School Data Sync. Learn more about how to set up School Data Sync.
  4. Click OK to save and continue.

Sync managed devices

Now that Intune has been assigned permission to manage your Apple School Manager devices, you can synchronize Intune with the Apple service to see your managed devices in the Intune portal.

  1. In the Intune portal, choose Device enrollment, and then choose Apple Enrollment.
  2. Under Enrollment Program Devices, select Sync. The progress bar shows the amount of time you must wait before requesting Sync again.

    To comply with Apple’s terms for acceptable traffic, Intune imposes the following restrictions:

    • A full sync can run no more than once every seven days. During a full sync, Intune refreshes every serial number that Apple has assigned to Intune, whether the serial has previously been synced or not. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that are not already listed in Intune.
    • Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the Sync button is disabled.
Note

You can also assign Apple School Manager serial numbers to profiles from the Enrollment Program Devices blade.

Assign a profile to devices

Apple School Manager devices managed by Intune must be assigned an enrollment profile before they are enrolled.

  1. In the Intune portal, choose Device enrollment > Apple Enrollment, and then select Enrollment Program profiles.
  2. From the list of Enrollment Program Profiles, select the profile you want to assign to devices and then select Device Assignments.
  3. Select Assign and then select the Apple School Manager devices you want to assign this profile. You can filter to view available devices:
    • unassigned
    • any
    • <Apple School Manager profile name>
  4. Select the devices you want to assign. The checkbox above the column selects up to 1000 listed devices. Click Assign. To enroll more than 1000 devices, repeat the assignment steps until all devices are assigned an enrollment profile.

Distribute devices to users

You can now distribute corporate-owned devices to users. When an iOS Apple School Manager device is turned on, it is enrolled for management by Intune. If the device has been activated and is in use, the profile cannot be applied until the device is factory reset.

How users install and use the Company Portal on their devices

Devices that are configured with user affinity can install and run the Company Portal app to download apps and manage devices. After users receive their devices, they must run Setup Assistant and install the Company Portal app.
