How to configure certificates in Microsoft Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

When you give users access to corporate resources through VPN, Wi-Fi, or email profiles, you can authenticate these connections by using certificates. Certificates remove the need to enter user names and passwords to authenticate these connections.

You can use Intune to assign these certificates to the devices you manage. Intune supports assigning and managing these certificate types:

  • Simple Certificate Enrollment Protocol (SCEP)
  • PKCS#12 (or PFX)

Each of these certificate types has its own prerequisites and infrastructure requirements.

General workflow

  1. Ensure you have the right certificate infrastructure in place. You can use SCEP certificates and PKCS certificates.
  2. Install a root certificate or an intermediate Certification Authority (CA) certificate on each device so that the device recognizes the legitimacy of your CA. To do this, create and assign a trusted certificate profile. When you assign this profile, the devices that you manage with Intune request and receive the root certificate. You have to create a separate profile for each platform. Trusted certificate profiles are available for these platforms:
    • iOS 8.0 and later
    • macOS 10.9 and later
    • Android 4.0 and later
    • Android for Work
    • Windows 8.1 and later
    • Windows Phone 8.1 and later
    • Windows 10 and later
  3. Create certificate profiles so that devices request a certificate to be used for authentication of VPN, Wi-Fi, and email access. You can create and assign a PKCS or a SCEP certificate profile for devices running these platforms:

    • iOS 8.0 and later
    • Android 4.0 and later
    • Android for Work
    • Windows 10 (desktop and mobile) and later

    You can only use a SCEP certificate profile with these platforms:

    • macOS 10.9 and later
    • Windows Phone 8.1 and later

You must create a separate profile for each device platform. When you create the profile, associate it with the trusted root certificate profile that you've already created.

Further considerations

  • If you don't have an Enterprise Certification Authority, you must create one.
  • If you decide, based on your device platforms, to use the Simple Certificate Enrollment Protocol (SCEP) profile, you'll also need to configure a Network Device Enrollment Service (NDES) server.
  • Whether you plan to use SCEP or PKCS profiles, you must download and configure the Microsoft Intune Certificate Connector.

Step 1: Configure your certificate infrastructure

See one of the following topics for help configuring the infrastructure for each type of certificate profile:

Step 2: Export your trusted root CA certificate

Export the Trusted Root Certification Authorities (CA) certificate as a .cer file from the issuing CA, or from any device that trusts your issuing CA. Do not export the private key.

You'll import this certificate when you set up a trusted certificate profile.
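As an added example (not part of the Intune documentation), the following PowerShell exports the root CA certificate from the local machine's trusted root store as a DER-encoded .cer file and then checks that the output carries no private key and is a CA certificate; the CA subject name and output path are assumed placeholders.

```powershell
# Added example, not from the Intune docs. Run on the issuing CA or on any
# machine that trusts it. Assumption: the CA is identified by the subject
# pattern below; replace it with your own CA's subject.
$caSubjectPattern = 'CN=Contoso Root CA'   # placeholder CA subject
$outFile = Join-Path $env:USERPROFILE 'Desktop\ContosoRootCA.cer'

# Pick the (most recently expiring) matching certificate from the Root store.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$caSubjectPattern*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) {
    throw "No certificate matching '$caSubjectPattern' in Cert:\LocalMachine\Root"
}

# -Type CERT writes a DER-encoded X.509 certificate only. Unlike
# Export-PfxCertificate, this can never include the private key, which is
# exactly what the Intune trusted certificate profile requires.
Export-Certificate -Cert $caCert -FilePath $outFile -Type CERT | Out-Null

# Verify the file before uploading it to the profile: it must load as a
# certificate, report no private key, and carry Basic Constraints CA=TRUE.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
$basicConstraints = $exported.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

[pscustomobject]@{
    Subject       = $exported.Subject
    Thumbprint    = $exported.Thumbprint
    HasPrivateKey = $exported.HasPrivateKey                        # expected: False
    IsCA          = [bool]$basicConstraints.CertificateAuthority   # expected: True
    NotAfter      = $exported.NotAfter
    File          = $outFile
}
```

If HasPrivateKey is True or IsCA is False, the wrong file (for example a PFX, or a leaf certificate) was picked and should not be imported into the trusted certificate profile.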

Step 3: Create trusted certificate profiles

You must create a trusted certificate profile before you can create a SCEP or PKCS certificate profile. You need a trusted certificate profile and a SCEP or PKCS profile for each device platform. The flow for creating trusted certificate profiles is similar for each device platform.

To create a trusted certificate profile

  1. Sign in to the Azure portal.
  2. Choose More Services > Monitoring + Management > Intune.
  3. On the Intune blade, choose Device configuration.
  4. On the Device configuration blade, choose Manage > Profiles.
  5. On the Profiles blade, choose Create Profile.
  6. On the Create Profile blade, enter a Name and Description for the trusted certificate profile.
  7. From the Platform drop-down list, select the device platform for this trusted certificate. Currently, you can choose one of the following platforms for certificate settings:
    • Android
    • iOS
    • macOS
    • Windows Phone 8.1
    • Windows 8.1 and later
    • Windows 10 and later
  8. From the Profile type drop-down list, choose Trusted certificate.
  9. Browse to the certificate you saved in task 1, then click OK.
  10. For Windows 8.1 and Windows 10 devices only, select the Destination Store for the trusted certificate from:
    • Computer certificate store - Root
    • Computer certificate store - Intermediate
    • User certificate store - Intermediate
  11. When you're done, choose OK, go back to the Create Profile blade, and choose Create.

The profile is created and appears on the profiles list blade.

If you want to go ahead and assign this profile to groups, see How to assign device profiles.

Note

Android devices display a notice that a third party has installed a trusted certificate.

Step 4: Create SCEP or PKCS certificate profiles

See one of the following topics for help configuring and assigning each type of certificate profile:

After you create a trusted certificate profile, create SCEP or PKCS certificate profiles for each platform you want to use. When you create a SCEP certificate profile, you must specify a trusted certificate profile for that same platform. This links the two certificate profiles, but you still must assign each profile separately.

Next steps

See How to assign device profiles for general information about how to assign device profiles.
