What is device enrollment?

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

This topic describes enrollment and lists the different ways to enroll mobile devices in Intune management.

You enroll devices in Intune so that you can manage those devices. We refer to this capability in the Intune documentation as mobile device management (MDM). When devices are enrolled in Intune, they are issued an MDM certificate, which the devices then use to communicate with the Intune service.

The way you enroll your devices depends on the device type, ownership, and the level of management you need. "Bring your own device" (BYOD) enrollment lets users enroll their personal phones, tablets, or PCs. Corporate-owned device (COD) enrollment enables management scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirements.

If you use Exchange ActiveSync, either on-premises or hosted in the cloud, you can enable simple Intune management without enrollment (more information is coming soon). You can manage Windows PCs as mobile devices, which is the recommended method described below.

Overview of device enrollment methods

The following tables offer an overview of Intune enrollment methods. Their capabilities and requirements are described below.

Legend

  • Reset required - Devices are factory reset during enrollment.
  • User Affinity - Associates devices with users. For more information, see User affinity.
  • Locked - Prevents users from unenrolling devices.

iOS enrollment methods

| Method     | Reset Required | User Affinity | Locked   | Details          |
|------------|----------------|---------------|----------|------------------|
| BYOD       | No             | Yes           | No       | More information |
| DEM        | No             | No            | No       | More information |
| DEP        | Yes            | Optional      | Optional | More information |
| USB-SA     | Yes            | Optional      | No       | More information |
| USB-Direct | No             | No            | No       | More information |

Windows enrollment methods

| Method      | Reset Required | User Affinity | Locked | Details          |
|-------------|----------------|---------------|--------|------------------|
| BYOD        | No             | Yes           | No     | More information |
| DEM         | No             | No            | No     | More information |
| Auto-enroll | No             | Yes           | No     | More information |
| Bulk enroll | No             | No            | No     | More information |

Android enrollment methods

| Method           | Reset Required | User Affinity | Locked | Details          |
|------------------|----------------|---------------|--------|------------------|
| BYOD             | No             | Yes           | No     | More information |
| DEM              | No             | No            | No     | More information |
| Android for Work | No             | Yes           | No     | More information |

BYOD

"Bring your own device" users install and run the Company Portal app to enroll their devices. This program lets users access company resources like email.

Corporate-owned devices

The following are corporate-owned devices (COD) enrollment scenarios. iOS devices can be enrolled directly through the tools that are provided by Apple. All device types can be enrolled by an admin or manager using the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to enable COD scenarios.

DEM

Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. Learn more about DEM.

DEP

Apple Device Enrollment Program (DEP) management lets you create and deploy policy “over the air” to iOS devices that are purchased and managed with DEP. The device is enrolled when users turn on the device for the first time and run iOS Setup Assistant. This method supports iOS supervised mode, which enables a device to be configured with the following functionality:

  • App Lock (Single App Mode)
  • Global HTTP Proxy
  • Activation Lock Bypass
  • Autonomous Single App Mode
  • Web Content Filter
  • Set background and lock screen
  • Silent App Push
  • Always-On VPN
  • Allow managed app installation exclusively
  • iBookstore
  • iMessages
  • Game Center
  • AirDrop
  • AirPlay
  • Host pairing
  • Cloud Sync
  • Spotlight search
  • Handoff
  • Erase device
  • Restrictions UI
  • Installation of configuration profiles by UI
  • News
  • Keyboard shortcuts
  • Passcode modifications
  • Device name changes
  • Wallpaper changes
  • Automatic app downloads
  • Changes to enterprise app trust
  • Apple Music
  • Mail Drop
  • Pair with Apple Watch

Note

Apple confirmed that certain settings will move to supervised-only in 2018. We recommend taking this into consideration when using these settings instead of waiting for Apple to migrate them to supervised-only:

  • App installation
  • App removal
  • FaceTime
  • Safari
  • iTunes
  • Explicit content
  • iCloud documents and data
  • Multiplayer gaming
  • Add Game Center friends

Learn more about iOS DEP enrollment:

USB-SA

IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users receive their devices, they are then prompted to run Setup Assistant to enroll their device. This method supports iOS supervised mode, which in turn enables the following features:

  • Locked enrollment
  • Kiosk mode and other advanced configurations and restrictions

Learn more about iOS Apple Configurator enrollment with Setup Assistant:

USB-Direct

For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a factory reset. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional access, jailbreak detection, or mobile application management.

To learn more about iOS enrollment, see:

Mobile device management with Exchange ActiveSync and Intune

Mobile devices that aren't enrolled, but that connect to Exchange ActiveSync (EAS), can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted. More information is coming soon.

Mobile device cleanup after MDM certificate expiration

The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate will not get renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires.
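
The 180-day cleanup rule above, as an added example that is not part of the original documentation: a Python triage of a device inventory by MDM certificate expiry, showing which devices are inside the removal window. The CSV column names and sample rows are constructed for illustration and are not an Intune export schema.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# From the page: a device is removed 180 days after its MDM certificate expires.
REMOVAL_GRACE = timedelta(days=180)

# Constructed sample inventory; column names are assumptions, not an Intune schema.
SAMPLE_CSV = """device_name,mdm_cert_expiry
kiosk-01,2025-09-01T00:00:00+00:00
ipad-lobby,2025-01-10T00:00:00+00:00
phone-old,2024-03-01T00:00:00+00:00
tablet-x,
"""

# Most urgent first: devices that can still be recovered before removal.
ORDER = {"expired-pending-removal": 0, "past-removal-date": 1, "unknown": 2, "valid": 3}


def triage(csv_text, now):
    """Return (device, status, removal_date) tuples, most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        raw = (rec.get("mdm_cert_expiry") or "").strip()
        if not raw:
            # No expiry recorded: cannot place the device on the timeline.
            rows.append((rec["device_name"], "unknown", None))
            continue
        expiry = datetime.fromisoformat(raw)
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)  # treat naive values as UTC
        removal = expiry + REMOVAL_GRACE
        if now < expiry:
            status = "valid"
        elif now < removal:
            status = "expired-pending-removal"
        else:
            status = "past-removal-date"
        rows.append((rec["device_name"], status, removal))
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    rows.sort(key=lambda r: (ORDER[r[1]], r[2] or far_future))
    return rows


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for name, status, removal in triage(SAMPLE_CSV, now):
        print(f"{name:12} {status:24} {removal.date() if removal else '-'}")
```

Devices reported as expired-pending-removal have stopped renewing their certificate, which per the text above means they were wiped or have not communicated with the service for some time.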