Automatically enroll iOS devices with Apple's Device Enrollment Program

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Read the introduction to Intune.

This topic helps you enable iOS device enrollment for devices purchased through Apple's Device Enrollment Program (DEP). You can enable DEP enrollment for large numbers of devices without ever touching them. You can ship devices like iPhones and iPads directly to users. When the user turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

To enable DEP enrollment, you use both the Intune and Apple DEP portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create DEP enrollment profiles containing the settings that are applied to devices during enrollment.

Note that DEP enrollment does not work with the device enrollment manager.

What is supervised mode?

Apple introduced supervised mode in iOS 5. An iOS device in supervised mode can be managed with more controls, which makes it especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of the Apple Device Enrollment Program (DEP).

Prerequisites

Get an Apple DEP token

Before you can enroll iOS devices with DEP, you need a DEP token (.p7m) file from Apple. This token lets Intune sync information about the DEP devices that your corporation owns. It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles. Because the token authorizes profile assignment for every device in your DEP account, protect the .p7m file, and the Apple ID used to create it, as you would any other administrative credential.

You use the Apple DEP portal to create the DEP token. You also use the DEP portal to assign devices to Intune for management.

Note

If you deleted the token from the Intune classic portal before migrating to Azure, Intune might restore the deleted Apple DEP token. You can delete the DEP token again from the Azure portal.

Step 1. Download the Intune public key certificate required to create the token.

  1. In Intune in the Azure portal, choose Device enrollment > Apple enrollment > Enrollment Program Tokens > Add.

  2. Grant permission to Microsoft to send user and device information to Apple by selecting I agree.

  3. Choose Download your public key to download and save the public key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Device Enrollment Program portal.

Step 2. Use your key to download a token from Apple.

  1. Choose Create a token for Apple's Device Enrollment Program to open Apple's Deployment Programs portal, and sign in with your company Apple ID. The same Apple ID is required later to renew your DEP token, so record which one you used.

  2. In Apple's Deployment Programs portal, choose Get Started for Device Enrollment Program.

  3. On the Manage Servers page, choose Add MDM Server.

  4. Enter the MDM Server Name, and then choose Next. The server name is for your reference, to identify the mobile device management (MDM) server. It is not the name or URL of the Microsoft Intune server.

  5. The Add <ServerName> dialog box opens, stating Upload Your Public Key. Choose Choose File… to upload the .pem file, and then choose Next. When the portal shows Your Server Token, download the server token (.p7m) file; you upload this file to Intune in step 4.

  6. Go to Deployment Programs > Device Enrollment Program > Manage Devices.

  7. Under Choose Devices By, specify how devices are identified:

    • Serial Number
    • Order Number
    • Upload CSV File

  8. For Choose Action, choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK. The Apple portal assigns the specified devices to the Intune server for management and then displays Assignment Complete.

    In the Apple portal, go to Deployment Programs > Device Enrollment Program > View Assignment History to see a list of devices and their MDM server assignment.

Step 3. Save the Apple ID used to create this token.

In Intune in the Azure portal, enter the Apple ID for future reference. You will need it again when the token is renewed.

Step 4. Upload your token.

In the Apple token box, browse to the server token (.p7m) file you downloaded from Apple, choose Open, and then choose Create. Together with the Apple MDM push certificate, this lets Intune enroll and manage iOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes with Apple to see your enrollment program account.

Create an Apple enrollment profile

Now that you've installed your token, you can create an enrollment profile for DEP devices. A device enrollment profile defines the settings applied to a group of devices during enrollment.

  1. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens.

  2. Select a token, choose Profiles, and then choose Create profile.

  3. Under Create Profile, enter a Name and Description for the profile. These are for administrative purposes; users do not see them. The Name is also what you match on when you build a dynamic device group in Azure Active Directory: a device's enrollmentProfileName attribute is set to the name of the enrollment profile it enrolled with, so a rule on that attribute collects every device enrolled with this profile. Learn more about Azure Active Directory dynamic groups.

  4. For User Affinity, choose whether devices with this profile must enroll with or without an assigned user.

    • Enroll with User Affinity - Choose this option for devices that belong to users and that need the Company Portal for services like installing apps. This option also lets users authenticate their devices by using the Company Portal. User affinity requires a WS-Trust 1.3 Username/Mixed endpoint. Learn more.

    • Enroll without User Affinity - Choose this option for devices that are not tied to a single user. Use it for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work on these devices.

  5. If you chose Enroll with User Affinity, you have the option to let users authenticate with the Company Portal instead of the Apple Setup Assistant.

    Note

    Multifactor authentication (MFA) doesn't work during DEP enrollment if the profile is set to Enroll with User Affinity. After enrollment, MFA works as expected on these devices. During enrollment, devices cannot prompt users who must change their password at first sign-in, and users whose passwords have expired are not prompted to reset them. Such users must reset the password from a different device.

  6. Choose Device Management Settings and select whether or not you want devices using this profile to be supervised.

    Supervised devices give you more management options, and Activation Lock is disabled on them by default. Microsoft recommends using DEP as the mechanism for enabling supervised mode, especially for organizations that deploy large numbers of iOS devices.

    Users are notified that their devices are supervised in two ways:

    • The lock screen says: "This iPhone is managed by Contoso."

    • The Settings > General > About screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device."

      Note

      A device enrolled without supervision can only be made supervised by resetting it with Apple Configurator. Resetting the device in this manner requires connecting the iOS device to a Mac with a USB cable. Learn more in the Apple Configurator documentation.

  7. Choose whether or not you want locked enrollment for devices using this profile. Locked enrollment disables the iOS settings that allow the management profile to be removed from the Settings menu. After a device has enrolled, you cannot change this setting without factory resetting the device. Locked enrollment requires Supervised to be set to Yes.

  8. Choose whether or not you want devices using this profile to be able to Sync with computers. If you choose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.

  9. If you chose Allow Apple Configurator by certificate in the previous step, choose an Apple Configurator Certificate to import.

  10. Choose OK.

  11. Choose Setup Assistant Settings to configure the following profile settings under Setup Assistant Customization:

    • Department Name: Appears when users tap About Configuration during activation.
    • Department Phone: Appears when the user taps the Need Help button during activation.
    • Setup Assistant Options: The following settings are optional; anything skipped during Setup Assistant can be configured later in the iOS Settings menu.
    • Passcode: Prompt for a passcode during activation. Always require a passcode unless the device is secured or has its access controlled in some other way (for example, kiosk mode that restricts the device to a single app).
    • Location Services: If enabled, Setup Assistant prompts for this service during activation.
    • Restore: If enabled, Setup Assistant prompts for iCloud backup during activation.
    • iCloud and Apple ID: If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen allows the device to be restored from an iCloud backup.
    • Terms and Conditions: If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.
    • Touch ID: If enabled, Setup Assistant prompts for this service during activation.
    • Apple Pay: If enabled, Setup Assistant prompts for this service during activation.
    • Zoom: If enabled, Setup Assistant prompts for this service during activation.
    • Siri: If enabled, Setup Assistant prompts for this service during activation.
    • Diagnostic Data: If enabled, Setup Assistant prompts for this service during activation.

  12. Choose OK.

  13. To save the profile, choose Create.
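The dynamic group that step 3 refers to can be created from the command line. The following is an added example, not code from this documentation or from Intune; it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) as the tooling, an account holding Group.ReadWrite.All, and an Azure AD Premium P1 license for dynamic membership. The profile name "Contoso DEP iPad" and the mail nickname are placeholders for your own values.

```powershell
# Added example (not from the Intune documentation): create an Azure AD dynamic
# device group whose members are exactly the devices that enrolled with the
# DEP enrollment profile named in step 3. Assumes the Microsoft Graph
# PowerShell SDK; profile name and nickname below are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Must match the enrollment profile Name exactly; the rule is a string compare.
$profileName = 'Contoso DEP iPad'

# Intune stamps each DEP-enrolled device's enrollmentProfileName attribute
# with the profile it enrolled through, so the rule keys on that attribute.
# The inner quotes are escaped with backticks for the PowerShell string.
$rule = "(device.enrollmentProfileName -eq `"$profileName`")"

$group = New-MgGroup -DisplayName "DEP - $profileName" `
                     -Description "Devices enrolled with DEP profile '$profileName'" `
                     -MailEnabled:$false `
                     -MailNickname 'dep-contoso-ipad' `
                     -SecurityEnabled:$true `
                     -GroupTypes @('DynamicMembership') `
                     -MembershipRule $rule `
                     -MembershipRuleProcessingState 'On'

"Created group $($group.DisplayName) ($($group.Id)) with rule: $rule"

# Check: once devices have enrolled and Azure AD has evaluated the rule,
# list the members to confirm that only DEP-enrolled devices landed in the
# group before you target it with compliance or configuration policy.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Membership is evaluated by Azure AD after enrollment, so the group is empty until the first devices enroll with that profile. If you maintain several profiles with a common prefix, the same rule can use -startsWith instead of -eq to collect all of them into one group.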

Sync managed devices

Now that Intune has permission to manage your devices, you can synchronize Intune with Apple to see your managed devices in Intune in the Azure portal.

  1. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens > choose a token in the list > Devices > Sync.

    To comply with Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions:

    • A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete, updated list of serial numbers assigned to the Apple MDM server connected to Intune. After an Enrollment Program device is deleted from the Intune portal, it can't be re-imported until the next full sync runs.
    • A sync runs automatically every 24 hours. You can also sync by choosing the Sync button, but no more than once every 15 minutes. Every sync request is given 15 minutes to finish, and the Sync button is disabled until the sync completes. This sync refreshes the status of existing devices and imports new devices assigned to the Apple MDM server.

Assign an enrollment profile to devices

You must assign an enrollment program profile to devices before they can enroll.

Note

You can also assign serial numbers to profiles from the Apple Serial Numbers blade.

  1. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens > choose a token in the list.
  2. Choose Devices > choose devices in the list > Assign profile.
  3. Under Assign profile, choose a profile for the devices, and then choose Assign.

Assign a default profile

You can pick a default profile to be applied to all devices enrolling with a specific token.

  1. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens > choose a token in the list.
  2. Choose Set Default Profile, choose a profile in the drop-down list, and then choose Save. This profile is applied to all devices that enroll with the token.

Distribute devices

You have enabled management and syncing between Apple and Intune, and assigned a profile so that your DEP devices can enroll. You can now distribute devices to users. Devices enrolled with user affinity require each user to be assigned an Intune license; devices enrolled without user affinity require a device license. A device that has already been activated does not apply an enrollment profile until it is factory reset.

See Enroll your iOS device in Intune with the Device Enrollment Program.

Renew a DEP token

  1. Go to deploy.apple.com.
  2. Under Manage Servers, choose the MDM server associated with the token file that you want to renew.
  3. Choose Generate New Token.
  4. Choose Your Server Token to download the new token file.
  5. In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment program tokens.
  6. Choose the token, and then choose Renew token.
  7. Enter the Apple ID used to create the original token.
  8. Upload the newly downloaded token.
  9. Choose Renew token. You'll see a confirmation that the token was renewed.