Enroll devices using device enrollment manager

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

Organizations can use Intune to manage large numbers of mobile devices with a single user account. The device enrollment manager (DEM) account is a special user account that can enroll up to 1,000 devices. You add existing users to the DEM account to give them the special DEM capabilities. Each enrolled device uses a single license. We recommend that you use devices enrolled through this account as shared devices rather than personal ("BYOD") devices.

Users must exist in the Azure portal to be added as device enrollment managers. For optimal security, the DEM user should not also be an Intune admin.

Example of a device enrollment manager scenario

A restaurant wants to provide 50 point-of-sale tablets for its wait staff, and order monitors for its kitchen staff. The employees never need to access company data or sign in as users. The Intune admin creates a device enrollment manager account and adds a restaurant supervisor to the DEM account, in effect giving that supervisor DEM capabilities. The supervisor can now enroll the 50 tablet devices by using the DEM credentials.

Only users in the Intune console can be device enrollment managers. The device enrollment manager user cannot be an Intune admin.

The DEM user can:

  • Enroll up to 1000 devices in Intune.
  • Sign in to the Company Portal to get company apps.
  • Configure access to company data by deploying role-specific apps to the tablets.

Limitations of devices that are enrolled with a DEM account

Devices that are enrolled with a device enrollment manager account have the following limitations:

  • No per-user access. Because devices don't have an assigned user, the devices have no email or company data access. VPN configurations, for example, could still be used to provide device apps with access to data.
  • No conditional access because these scenarios are per-user.
  • The DEM user can't unenroll DEM-enrolled devices on the device itself by using the Company Portal. The Intune admin can do this, but the DEM user cannot.
  • Only the local device appears in the Company Portal app or website.
  • Users can't use Apple Volume Purchase Program (VPP) apps because of per-user Apple ID requirements for app management.
  • (iOS only) If you use DEM to enroll iOS devices, you can't use the Apple Configurator, Apple Device Enrollment Program (DEP), or Apple School Manager (ASM) to enroll devices.
  • Each device requires a device license. Learn more about user and device licenses.

Note

To deploy company apps to devices that are managed by the device enrollment manager, deploy the Company Portal app as a Required Install to the device enrollment manager's user account. To improve performance, viewing the Company Portal app on a DEM device shows only the local device. Remote management of other DEM devices can only be done from the Intune admin console.

Add a device enrollment manager

  1. In the Azure portal, choose More Services > Monitoring + Management > Intune.

  2. On the Intune blade, choose Enroll devices, and then choose Device Enrollment Managers.

  3. Select Add.

  4. On the Add User blade, enter a user principal name for the DEM user, and select Add. The DEM user is added to the list of DEM users.

Permissions for DEM

Global or Intune Service Administrator Azure AD roles are required to perform DEM enrollment tasks. These roles are also required to see all DEM users despite RBAC permissions being listed and available under the custom User role. A user without Global administrator or Intune Service administrator role assigned, but who has read permissions for the Device Enrollment Managers role, can only see the DEM users they created. RBAC role support for these features will be announced in the future.

If a user does not have Global administrator or Intune Service administrator role assigned to them but has read permissions enabled for the Device Enrollment Managers role assigned to them, they'll only be able to see the DEM users they have created.

Remove a device enrollment manager

Removing a device enrollment manager does not affect enrolled devices. When a device enrollment manager is removed:

  • Enrolled devices are unaffected and continue to be fully managed.
  • The removed device enrollment manager account credentials remain valid.
  • The removed device enrollment manager still cannot wipe or retire devices.
  • The removed device enrollment manager can only enroll a number of devices up to the per-user limit configured by the Intune admin.
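
The constraints this page states (a DEM user should not also be an Intune admin, a DEM account enrolls at most 1,000 devices, and a removed DEM's credentials remain valid) can be checked against an exported inventory. The following is an added example, not Microsoft's code or an Intune API: the record layout, field names, finding codes, the 90% warning threshold and the sample accounts are all assumptions constructed for illustration.

```python
from collections import Counter

DEM_DEVICE_CAP = 1000  # per-DEM-account enrollment limit stated on this page
ADMIN_ROLES = {"Global administrator", "Intune Service administrator"}

def audit_dem(dem_users, removed_dems, roles_by_upn, enabled_by_upn,
              devices, warn_ratio=0.9):
    """Return (upn, code, detail) findings.

    All inputs are hypothetical export structures, not an Intune schema.
    """
    roles = {k.lower(): set(v) for k, v in roles_by_upn.items()}
    enabled = {k.lower(): v for k, v in enabled_by_upn.items()}
    enrolled = Counter(d["enrolled_by"].lower() for d in devices)
    findings = []
    for upn in sorted(u.lower() for u in dem_users):
        # A DEM account that also holds an admin role breaks role separation.
        held = ADMIN_ROLES & roles.get(upn, set())
        if held:
            findings.append((upn, "DEM_IS_ADMIN", ", ".join(sorted(held))))
        # Warn before the account reaches the enrollment cap.
        if enrolled[upn] >= DEM_DEVICE_CAP * warn_ratio:
            findings.append((upn, "NEAR_DEVICE_CAP",
                             f"{enrolled[upn]}/{DEM_DEVICE_CAP}"))
    for upn in sorted(u.lower() for u in removed_dems):
        # Removal from the DEM list leaves the credentials valid, so an
        # account that is still enabled needs a separate review.
        if enabled.get(upn, False):
            findings.append((upn, "REMOVED_DEM_STILL_ENABLED",
                             f"{enrolled[upn]} enrolled devices"))
    return findings

def run_sample():
    """Run the audit over constructed sample data (not real accounts)."""
    pos, kitchen, old = ("pos-dem@contoso.example",
                         "kitchen-dem@contoso.example",
                         "old-dem@contoso.example")
    devices = ([{"enrolled_by": pos}] * 950 + [{"enrolled_by": kitchen}] * 50
               + [{"enrolled_by": old}] * 3)
    return audit_dem(
        dem_users=[pos, kitchen], removed_dems=[old],
        roles_by_upn={kitchen: ["Intune Service administrator"]},
        enabled_by_upn={pos: True, kitchen: True, old: True},
        devices=devices)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```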

To remove a device enrollment manager

  1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
  2. On the Intune blade, choose Enroll devices, and then choose Device Enrollment Managers.
  3. On the Device Enrollment Managers blade, right-click the DEM user, and select Remove.

View the properties of a device enrollment manager

  1. In the Intune portal, choose Device enrollment, and then choose Device Enrollment Managers.
  2. On the Device Enrollment Managers blade, right-click the DEM user, and select Properties.