What is device enrollment?

Intune lets you manage your workforce's devices and apps and how they access your company data. To use this mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service.

As you can see in the following tables, there are several methods to enroll your workforce's devices. Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking).

By default, devices for all platforms are allowed to enroll in Intune. However, you can restrict devices by platform.

iOS enrollment methods

Reset Required: Devices are factory reset during enrollment. User Affinity: Associates each device with a user. Locked: Users can't unenroll devices.

| Method | Reset Required | User Affinity | Locked | Details |
|---|---|---|---|---|
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |
| DEP | Yes | Optional | Optional | More information |
| USB-SA | Yes | Optional | No | More information |
| USB-Direct | No | No | No | More information |

macOS enrollment methods

| Method | Reset Required | User Affinity | Locked | Details |
|---|---|---|---|---|
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |

Windows enrollment methods

| Method | Reset Required | User Affinity | Locked | Details |
|---|---|---|---|---|
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |
| Auto-enroll | No | Yes | No | More information |
| Bulk enroll | No | No | No | More information |

Android enrollment methods

| Method | Reset Required | User Affinity | Locked | Details |
|---|---|---|---|---|
| BYOD | No | Yes | No | More information |
| DEM | No | No | No | More information |
| Android work profiles | No | Yes | No | More information |

Bring your own device

Bring your own devices (BYOD) include personal phones, tablets, and PCs. Users install and run the Company Portal app to enroll BYODs. This program lets users access company resources like email.

Corporate-owned device

Corporate-owned devices (COD) include phones, tablets, and PCs owned by the organization and distributed to the workforce. COD enrollment supports scenarios like automatic enrollment, shared devices, or pre-authorized enrollment requirements. A common way to enroll CODs is for an administrator or manager to use the device enrollment manager (DEM). iOS devices can be enrolled directly through the Device Enrollment Program (DEP) tools that are provided by Apple. Devices with an IMEI number can also be identified and tagged as company-owned.

Device enrollment manager

Device enrollment manager (DEM) is a special user account that's used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices. These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources. Learn more about DEM.

Apple Device Enrollment Program

Apple Device Enrollment Program (DEP) management lets you create and deploy policy "over the air" to iOS devices that are purchased and managed with DEP. The device is enrolled when users turn on the device for the first time and run iOS Setup Assistant. This method supports iOS supervised mode, which enables a device to be configured with specific functionality.

Learn more about iOS DEP enrollment:

USB-SA

IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users receive their devices, they are then prompted to run Setup Assistant to enroll their device. This method supports iOS supervised mode, which in turn enables the following features:

  • Locked enrollment
  • Kiosk mode and other advanced configurations and restrictions

Learn more about iOS Apple Configurator enrollment with Setup Assistant:

USB-Direct

For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don't require a factory reset. Devices are managed as user-less devices. They are not locked or supervised and cannot support conditional access, jailbreak detection, or mobile application management.

To learn more about iOS enrollment, see:

Mobile device management with Exchange ActiveSync and Intune

Mobile devices that aren't enrolled, but that connect to Exchange ActiveSync (EAS), can be managed by Intune using EAS MDM policy. Intune uses an Exchange Connector to communicate with EAS, either on-premises or cloud-hosted. More information is coming soon.

Mobile device cleanup after MDM certificate expiration

The MDM certificate is renewed automatically when mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate is not renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires.
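
The cleanup rule above can be turned into a triage list so that devices which have stopped renewing their MDM certificate are reviewed before they disappear from the portal. This is an added example, not Microsoft's code; the CSV layout, column names, device names and state labels are constructed for illustration and are not an Intune export format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

REMOVAL_GRACE = timedelta(days=180)  # from the page: removed 180 days after expiry

# Constructed sample inventory; the column names are assumptions.
SAMPLE_CSV = """device,enrollment,cert_expires_utc
POS-KIOSK-01,DEM,2024-09-01T00:00:00
LAPTOP-ALICE,BYOD,2024-05-20T00:00:00
IPAD-LOBBY,USB-Direct,2023-11-01T00:00:00
PHONE-BOB,DEP,2024-01-15T00:00:00
"""

def triage(csv_text, now):
    """Classify each device by MDM certificate state relative to `now` (UTC)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        expires = datetime.fromisoformat(rec["cert_expires_utc"]).replace(tzinfo=timezone.utc)
        removal = expires + REMOVAL_GRACE
        if now < expires:
            state, days_left = "valid", None
        elif now < removal:
            # Certificate lapsed: the device has stopped renewing and will
            # be removed from the portal once the 180 days run out.
            state, days_left = "expired-pending-removal", (removal - now).days
        else:
            # A record this old is stale: per the rule it is already removed.
            state, days_left = "past-removal-date", 0
        rows.append({"device": rec["device"], "enrollment": rec["enrollment"],
                     "state": state, "removal_date": removal.date().isoformat(),
                     "days_left": days_left})
    # Most urgent first: expired devices closest to removal, then the rest.
    order = {"expired-pending-removal": 0, "past-removal-date": 1, "valid": 2}
    rows.sort(key=lambda r: (order[r["state"]], r["days_left"] or 0))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_CSV, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(row)
```
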