使用 Apple 的裝置註冊計劃來自動註冊 iOS 裝置Automatically enroll iOS devices with Apple's Device Enrollment Program

適用於︰Azure 上的 IntuneApplies to: Intune on Azure
您需要傳統主控台中之 Intune 的相關文件嗎?Looking for documentation about Intune in the classic console? 請移至這裡Go to here.

本主題將協助您針對透過 Apple 的裝置註冊計劃 (DEP) 購買的裝置啟用 iOS 裝置註冊。This topic helps you enable iOS device enrollment for devices purchased through Apple's Device Enrollment Program (DEP). 您可以在完全不需要接觸的情況下,啟用大量裝置的 DEP 註冊。You can enable DEP enrollment for large numbers of devices without ever touching them. 您可以將 iPhone 和 iPad 等裝置直接交付給使用者。You can ship devices like iPhones and iPads directly to users. 當使用者啟動裝置時,會以預先設定的設定來執行設定助理,並註冊裝置以接受管理。When the user turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management.

若要啟用 DEP 註冊,您要使用 Intune 與 Apple DEP 入口網站。To enable DEP enrollment, you use both the Intune and Apple DEP portals. 需要序號或採購單編號的清單,以將裝置指派給 Intune 進行管理。A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. 您可以建立 DEP 註冊設定檔,其中包含已在註冊期間套用至裝置的設定。You create DEP enrollment profiles containing settings that applied to devices during enrollment.

此外,DEP 註冊不能與裝置註冊管理員一起使用。By the way, DEP enrollment does not work with the device enrollment manager.

必要條件Prerequisites

注意

在設定使用者親和性的 DEP 註冊期間,無法使用多重要素驗證 (MFA)。Multifactor authentication (MFA) doesn't work during DEP enrollment set up for user affinity. 註冊後,MFA 會如預期地在這些裝置上運作。After enrollment, MFA works as expected on devices. 第一次登入時必須變更密碼的使用者不會收到裝置提示。Devices can't prompt users who need to change their password when they first sign in. 此外,密碼已過期的使用者也不會在註冊期間收到提示要重設其密碼。Additionally, users with expired passwords aren't prompted to reset their password during enrollment. 使用者必須使用不同的裝置來重設密碼。Users must use a different device to reset the password.

取得 Apple DEP 權杖Get the Apple DEP token

您必須先從 Apple 取得 DEP 權杖 (.p7m) 檔案,才能為 iOS 裝置註冊 DEP。Before you can enroll iOS devices with DEP, you need a DEP token (.p7m) file from Apple. 此權杖可讓 Intune 同步貴公司所擁有的 DEP 裝置資訊。This token lets Intune sync information about DEP devices that your corporation owns. 它也允許 Intune 將註冊設定檔上傳至 Apple,並將這些設定檔指派給裝置。It also permits Intune to upload enrollment profiles to Apple and to assign devices to those profiles.

您可以使用 Apple DEP 入口網站建立 DEP 權杖。You use the Apple DEP portal to create a DEP token. 您也可以使用 DEP 入口網站將裝置指派給 Intune 以便管理。You also use the DEP portal to assign devices to Intune for management.

注意

若您在遷移至 Azure 之前從 Intune 傳統主控台刪除了權杖,Intune 可能會還原已刪除的 Apple DEP 權杖。If you delete the token from the Intune classic console before migrating to Azure, Intune might restore a deleted Apple DEP token. 您可以從 Azure 入口網站再次刪除該 DEP 權杖。You can delete the DEP token again from the Azure portal. 您可以從 Azure 入口網站再次刪除該 DEP 權杖。You can delete the DEP token again from the Azure portal.

步驟 1.下載建立 Apple DEP 權杖所需的 Intune 公開金鑰憑證。Step 1. Download an Intune public key certificate required to create an Apple DEP token.

  1. 在 Azure 入口網站的 Intune 中,選擇 [裝置註冊] > [Apple 註冊] > [註冊計劃權杖]。In Intune in the Azure portal, choose Device enrollment > Apple enrollment > Enrollment Program Token.

    [Apple 憑證] 工作區中,[註冊計劃權杖] 窗格的螢幕擷取畫面。

  2. 選擇 [下載您的公開金鑰],在本機下載並儲存加密金鑰 (.pem) 檔案。Choose Download your public key to download and save the encryption key (.pem) file locally. 這個 .pem 檔案會用於向 Apple 裝置註冊程式入口網站要求信任關係憑證。The .pem file is used to request a trust-relationship certificate from the Apple Device Enrollment Program portal.

    [Apple 憑證] 工作區中 [註冊計劃權杖] 窗格下載公開金鑰的螢幕擷取畫面。

步驟 2.建立並下載 Apple DEP 權杖。Step 2. Create and download an Apple DEP token.

  1. 選擇 Create a token via Apple's Device Enrollment Program 開啟 Apple 的部署計劃入口網站,並使用您的公司 Apple ID 登入。Choose Create a token via Apple's Device Enrollment Program to open Apple's Deployment Program portal, and sign in with your company Apple ID. 您可以使用此 Apple ID 來更新 DEP 權杖。You can use this Apple ID to renew your DEP token.
  2. 在 Apple 的部署計劃入口網站,針對 [裝置註冊計劃] 選擇 [開始使用]。In Apple's Deployment Programs portal, choose Get Started for Device Enrollment Program.

  3. 在 [管理伺服器] 頁面上,選擇 [新增 MDM 伺服器]。On the Manage Servers page, choose Add MDM Server.

  4. 輸入 [MDM 伺服器名稱],然後選擇 [下一步] 。Enter the MDM Server Name, and then choose Next. 您可參考這個伺服器名稱,以識別行動裝置管理 (MDM) 伺服器,The server name is for your reference to identify the mobile device management (MDM) server. 但它不是 Microsoft Intune 伺服器的名稱或 URL。It is not the name or URL of the Microsoft Intune server.

    新增 DEP 的 MDM 伺服器名稱,然後按一下 [下一步] 的螢幕擷取畫面。

  5. [新增 <服器名稱>] 對話方塊隨即開啟,指出上傳您的公用金鑰The Add <ServerName> dialog box opens, stating Upload Your Public Key. 選擇 [選擇檔案...]Choose Choose File… 以上傳 .pem 檔案,然後選擇 [下一步]。to upload the .pem file, and then choose Next.

  6. [新增 <伺服器名稱>] 對話方塊會顯示 [您的伺服器權杖] 連結。The Add <ServerName> dialog box shows a Your Server Token link. 將伺服器權杖 (.p7m) 檔案下載到您的電腦,然後選擇 [完成]。Download the server token (.p7m) file to your computer, and then choose Done.

  7. 移至 [部署計劃] > [裝置註冊計劃] > [管理裝置]。Go to Deployment Programs > Device Enrollment Program > Manage Devices.

  8. 在 [選擇裝置依據] 下,指定識別裝置的方式:Under Choose Devices By, specify how devices are identified:

    • 序號Serial Number
    • 訂單號碼Order Number
    • 上傳 CSV 檔案Upload CSV File.

    指定依據序號選擇裝置、將選擇的動作設定為 [指派給伺服器],然後選取伺服器名稱的螢幕擷取畫面。

  9. 針對 [選擇動作] 選擇 Assign to Server),然後選擇指定給 Microsoft Intune 的 <伺服器名稱>,再選擇 [確定]。For Choose Action, choose Assign to Server, choose the <ServerName> specified for Microsoft Intune, and then choose OK. Apple 入口網站會將指定的裝置指派給 Intune 伺服器以便管理 ,然後顯示 [指派完成]。The Apple portal assigns the specified devices to the Intune server for management and then displays Assignment Complete.

    在 Apple 入口網站中,移至 [部署計劃] > [裝置註冊計劃] > [檢視指派歷程記錄] 查看裝置及其 MDM 伺服器指派的清單。In the Apple portal, go to Deployment Programs > Device Enrollment Program > View Assignment History to see a list of devices and their MDM server assignment.

步驟 3.輸入用以建立註冊計劃權杖的 Apple ID。Step 3. Enter the Apple ID used to create your enrollment program token.
在 Azure 入口網站的 Intune 中,提供 Apple ID 供日後參考。In Intune in the Azure portal, provide the Apple ID for future reference. 使用此 ID 來更新註冊計劃權杖,以避免未來需要重新註冊所有裝置。Use this ID to renew your enrollment program token in the future to avoid needing to re-enroll all your devices.

指定要用於建立註冊計劃權杖的 Apple 識別碼,並瀏覽至註冊計劃權杖的螢幕擷取畫面。

步驟 4.瀏覽至要上傳的註冊計劃權杖。Step 4. Browse to your enrollment program token to upload.
前往憑證 (.pem) 檔案,選擇 [開啟],然後選擇 [上傳]。Go to the certificate (.pem) file, choose Open, and then choose Upload. 使用推播憑證,透過將原則推送到已註冊的行動裝置,Intune 即可註冊和管理 iOS 裝置。With the push certificate, Intune can enroll and manage iOS devices by pushing policy to enrolled mobile devices. Intune 會自動與 Apple 同步處理,以查看您的註冊計劃帳戶。Intune automatically synchronizes with Apple to see your enrollment program account.

建立 Apple 註冊設定檔Create an Apple enrollment profile

安裝權杖之後,您可以為 DEP 裝置建立註冊設定檔。Now that you've installed your token, you can create an enrollment profile for DEP devices. 裝置註冊設定檔會定義要在註冊期間套用至裝置群組的設定。A device enrollment profile defines the settings applied to a group of devices during enrollment.

  1. 在 Azure 入口網站的 Intune 中,選擇 [裝置註冊] > [Apple 註冊]。In Intune in the Azure portal, choose Device enrollment > Apple Enrollment.
  2. 在 [Apple 的註冊計劃] 下,選擇 [註冊計劃設定檔] > [建立]。Under Enrollment Program for Apple, choose Enrollment Program Profiles > Create.
  3. 或在 [建立註冊設定檔] 上,為設定檔輸入系統管理用的 [名稱] 以及 [描述]。On Create Enrollment Profile, enter a Name and Description for the profile for administrative purposes. 使用者看不到這些詳細資料。Users do not see these details. 您可以使用此 [名稱] 欄位,在 Azure Active Directory 中建立動態群組。You can use this Name field to create a dynamic group in Azure Active Directory. 設定檔名稱可用來定義 enrollmentProfileName 參數,以註冊具備此註冊設定檔的裝置。Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. 深入了解 Azure Active Directory 動態群組Learn more about Azure Active Directory dynamic groups.

    為 [使用者親和性] 選擇具備此設定檔的裝置,在註冊時要或不要有指派的使用者。For User Affinity, choose whether devices with this profile enroll with or without an assigned user.

    • 搭配使用者親和性進行註冊 - 針對屬於使用者的裝置,以及需要使用公司入口網站進行像是安裝應用程式等服務的裝置,選擇此選項。Enroll with user affinity - Choose for devices that belong to users and that need to use the company portal for services like installing apps.

    • 不搭配使用者親和性進行註冊 - 針對未與任何使用者相關的裝置選擇此選項。Enroll without user affinity - Choose for device unaffiliated with a single user. 用於執行工作而不需存取本機使用者資料的裝置。Use for devices that perform tasks without accessing local user data. 公司入口網站應用程式之類的應用程式無法運作。Apps like the Company Portal app don’t work.

  4. 選擇 [裝置管理設定] 以對下列設定檔進行設定:Choose Device Management Settings to configure the following profile settings:

    選擇管理模式的螢幕擷取畫面。

    • 受監督 - 啟用更多管理選項,且預設會停用 [啟用鎖定] 的管理模式。Supervised - a management mode that enables more management options and disabled Activation Lock by default. 若將核取方塊留為空白,則管理功能有限。If you leave the check box blank, you have limited management capabilities.

    • 鎖定的註冊 - (需要管理模式 = 受監督) 停用允許移除管理設定檔的 iOS 設定。Locked enrollment - (Requires Management Mode = Supervised) Disables iOS settings that could allow removal of the management profile. 若將核取方塊留為空白,表示允許從 [設定] 功能表移除管理設定檔。If you leave the check box blank, it allows the management profile to be removed from the Settings menu. 註冊裝置之後,必須將裝置恢復出廠預設值才能變更此設定。After device enrollment, you cannot change this setting without factory resetting the device.

    • 允許配對 - 指定 iOS 裝置是否可與電腦同步。Allow Pairing - Specifies whether iOS devices can sync with computers. 若選擇 [依據憑證允許 Apple Configurator],則必須在 [Apple Configurator 憑證] 下選擇憑證。If you chose Allow Apple Configurator by certificate, you must choose a certificate under Apple Configurator Certificates.

    • Apple Configurator 憑證 - 如果在 [允許配對] 下選擇了 [依據憑證允許 Apple Configurator],則請選擇要匯入的 Apple Configurator 憑證。Apple Configurator Certificates - If you chose Allow Apple Configurator by certificate under Allow Pairing, choose an Apple Configurator Certificate to import.

    選擇 [儲存]。Choose Save.

  5. 選擇 [設定助理設定],對下列設定檔進行設定:Choose Setup Assistant Settings to configure the following profile settings:

    為新註冊計劃設定檔使用可用設定選取組態設定的螢幕擷取畫面。

    • 部門名稱 - 使用者於啟用期間點選 About Configuration 時顯示。Department Name - Appears when users tap About Configuration during activation.

    • 部門電話 - 在使用者於啟用期間按一下 [需要協助] 按鈕時顯示。Department Phone - Appears when the user clicks the Need Help button during activation.

    • 設定輔助程式選項 - 這些是選用設定,稍後可以在 iOS [設定] 功能表中進行設定。Setup Assistant Options - These optional settings can be set up later in the iOS Settings menu.

      • 密碼Passcode
      • 位置服務Location Services
      • 還原Restore
      • Apple IDApple ID
      • 條款和條件Terms and Conditions
      • Touch IDTouch ID
      • Apple PayApple Pay
      • 縮放Zoom
      • SiriSiri
      • 診斷資料Diagnostic Data

      選擇 [儲存]。Choose Save.

  6. 若要儲存設定檔設定,請在 [建立註冊設定檔] 刀鋒視窗中,選擇 [建立]。To save the profile settings, choose Create on the Create Enrollment Profile blade. 註冊設定檔會出現在 Apple 註冊計劃註冊設定檔清單。The enrollment profile appears in the Apple Enrollment Program Enrollment Profiles list.

同步受管理裝置Sync managed devices

由於 Intune 有管理您裝置的權限,您可以同步處理 Intune 與 Apple,以在 Azure 入口網站的 Intune 中查看受管理裝置。Now that Intune has permission to manage your devices, you can synchronize Intune with Apple to see your managed devices in Intune in the Azure portal.

  1. 在 Azure 入口網站的 Intune 中,選擇 [裝置註冊] > [Apple 註冊] > [註冊計劃裝置]。In Intune in the Azure portal, choose Device enrollment > Apple Enrollment > Enrollment Program Devices.
  2. 在 [註冊計劃裝置] 下,選擇 [同步]。Under Enrollment Program Devices, choose Sync.

    已選取註冊計劃裝置節點,且正在選擇 [同步] 連結的螢幕擷取畫面。

  3. 在 [同步] 刀鋒視窗中,選擇 [要求同步]。On the Sync blade, choose Request Sync. 進度列會顯示再次要求進行同步之前,必須要等待的總時間。The progress bar shows the amount of time you must wait before requesting Sync again.

    [同步] 刀鋒視窗,以及正在選擇 [要求同步] 連結的螢幕擷取畫面。

    為了符合 Apple 規定的可接受註冊計劃流量,Intune 具有下列限制︰To comply with Apple’s terms for acceptable enrollment program traffic, Intune imposes the following restrictions:

    • 完整同步處理每 7 天只能執行一次。A full sync can run no more than once every seven days. 完整同步期間,每當 Apple 序號指派至 Intune 時,Intune 都會重新整理一次。During a full sync, Intune refreshes every Apple serial number assigned to Intune. 如果在上一次完整同步處理過後的 7 天內嘗試進行完整同步處理,Intune 只會重新整理尚未列在 Intune 中的序號。If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that are not already listed in Intune.
    • 任何同步處理要求都會在 15 分鐘內完成。Any sync request is given 15 minutes to finish. 在此期間或直到要求成功,會停用 [同步處理] 按鈕。During this time or until the request succeeds, the Sync button is disabled.
    • Intune 每 24 小時會與 Apple 同步一次新增及移除的裝置。Intune syncs new and removed devices with Apple every 24 hours.
  4. 在 [註冊計劃裝置] 工作區中,選擇 [重新整理] 以查看您的裝置。In the Enrollment Program Devices workspace, choose Refresh to see your devices.

將註冊設定檔指派給裝置Assign an enrollment profile to devices

必須先將註冊計劃設定檔指派至裝置,裝置才能註冊。You must assign an enrollment program profile to devices before they can enroll.

注意

您也可以從 [Apple 序號] 刀鋒視窗中,將序號指派給設定檔。You can also assign serial numbers to profiles from the Apple Serial Numbers blade.

  1. 在 Azure 入口網站的 Intune 中,選擇 [裝置註冊] > [Apple 註冊],然後選擇 [註冊計劃設定檔]。In Intune in the Azure portal, choose Device enrollment > Apple Enrollment, and then choose Enrollment Program Profiles.
  2. 從 [註冊計劃設定檔] 清單中,選擇您想要指派給裝置的設定檔,然後選擇 [指派裝置]。From the list of Enrollment Program Profiles, choose the profile you want to assign to devices and then choose Assign devices.

    選取 [指派] 的 [裝置指派] 螢幕擷取畫面。

  3. 選擇 [指派],然後選擇您想要指派此設定檔的裝置。Choose Assign and then choose the devices you want to assign this profile. 您可以篩選以檢視可用的裝置︰You can filter to view available devices:

    • 未指派unassigned
    • 任何any
    • <設定檔名稱><profile name>
  4. 選擇您想要指派的裝置。Choose the devices you want to assign. 資料行上方的核取方塊最多可選取 1000 個列出的裝置,然後按一下 [指派]。The checkbox above the column selects up to 1000 listed devices, and then click Assign. 若要註冊 1000 部以上的裝置,請重複指派步驟,直到將註冊設定檔指派給所有的裝置為止。To enroll more than 1000 devices, repeat the assignment steps until all devices are assigned an enrollment profile.

    在 Intune 中用來指派註冊計劃設定檔的 [指派] 按鈕螢幕擷取畫面

散發裝置Distribute devices

您已啟用 Apple 與 Intune 之間的管理和同步,並指派設定檔以供您的 DEP 裝置註冊。You have enabled management and syncing between Apple and Intune, and assigned a profile to let your DEP devices enroll. 您現在可以將裝置散發給使用者。You can now distribute devices to users. 具有使用者親和性的裝置會需要為每個使用者指派 Intune 授權。Devices with user affinity require each user be assigned an Intune license. 沒有使用者親和性的裝置需要裝置授權。Devices without user affinity require a device license. 裝置恢復出廠預設值之前,已啟動的裝置無法套用註冊設定檔。An activated device cannot apply an enrollment profile until the device is factory reset.

請參閱以裝置註冊計劃在 Intune 註冊 iOS 裝置See Enroll your iOS device in Intune with the Device Enrollment Program.

若要提交意見反應,請前往 Intune Feedback