如何設定共用 iPad 裝置的 Intune 教育設定How to configure Intune education settings for shared iPad devices

適用於︰Azure 上的 IntuneApplies to: Intune on Azure
您需要傳統主控台中之 Intune 的相關文件嗎?Looking for documentation about Intune in the classic console? 請移至這裡Go to here.

簡介 Intune 支援 iOS Classroom 應用程式,可協助老師在課堂中引導學習,並控制學生的裝置。Introduction Intune supports the iOS Classroom app that helps teachers to guide learning, and control student devices in the classroom. 此外,對於 Classroom 應用程式,Apple 支援設定學生 iPad 裝置的功能,可讓多位學生共用單一裝置。In addition, to the Classroom app, Apple supports the ability for student iPad devices to be configured such that multiple students can share a single device. 本文件將引導您使用 Intune 達成這個目標。This document guides you to achieve this goal with Intune. 如需設定專用 (1:1) iPad 裝置以使用 Classroom 應用程式的詳細資訊,請參閱如何設定 iOS Classroom 應用程式的 Intune 設定For information about configuring dedicated (1:1) iPad devices to use the Classroom app, see How to configure Intune settings for the iOS Classroom app.

開始之前Before you start

使用共用 iPad 功能的必要條件如下:The prerequisites to use the shared iPad capabilities are:

  • 安裝 Apple School Manager 和 School Data Sync (SDS)。Setup Apple School Manager and School Data Sync (SDS).
  • 在 Apple School Manager 的安裝過程中,為學生設定管理式 Apple IDAs part of Apple School Manager setup, configure Managed Apple IDs for students. 深入了解管理式 Apple IDLearn more about Managed Apple IDs.
  • 針對已從 Apple School Manager 同步處理的裝置序號,建立註冊設定檔。Create an enrollment profile for the device serial numbers synced from Apple School Manager.

步驟 1 - 將學校資料匯入至 Azure Active DirectoryStep 1 - Import your school data into Azure Active Directory

使用 Microsoft 的學校資料同步處理 (SDS) 從現有的學生資訊系統 (SIS) 將學校記錄匯入至 Azure Active Directory (Azure AD)。Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System (SIS) to Azure Active Directory (Azure AD). SDS 會同步處理 SIS 的資訊,並將它儲存在 Azure AD 中。SDS synchronizes information from your SIS and stores it in Azure AD. Azure AD 是一套可協助您組織使用者與裝置的 Microsoft 管理系統。Azure AD is a Microsoft management system that helps you organize users and devices. 之後,您就可以使用這些資料來協助管理您的學生和課程。You can then use this data to help you manage your students and classes. 深入了解如何部署 SDSLearn more about how to deploy SDS.

如何使用 SDS 匯入資料How to import data using SDS

您可以使用下列其中一種方法,將資訊匯入至 SDS:You can import information into SDS by using one of the following methods:

  • CSV 檔案 - 手動匯出並編譯逗號分隔值 (.csv) 檔案CSV files - Manually export and compile comma-separated value (.csv) files
  • PowerSchool API - 簡化 Azure AD 同步流程的 SIS 提供者PowerSchool API - An SIS provider that simplifies syncing with Azure AD
  • Clever API - 直接與 Azure AD 進行同步處理的身分識別管理解決方案Clever API - An identity management solution that syncs directly with Azure AD
  • OneRoster - 您可以匯出並轉換成此種 CSV 格式以便與 Azure AD 同步OneRoster - A CSV format that you can export and convert to sync with Azure AD

深入了解Find out more

步驟 2 - 在 Intune 中建立並指派 iOS 教育設定檔Step 2 - Create and assign an iOS Education profile in Intune

設定一般設定Configure general settings

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [其他] > [Intune]。Choose More Services > Other > Intune.
  3. 在 [Intune] 刀鋒視窗中選擇 [設定裝置]。On the Intune blade, choose Configure devices.
  4. 在 [裝置設定] 刀鋒視窗中,選擇 [管理] > [設定檔]。On the Device Configuration blade, choose Manage > Profiles.
  5. 在設定檔刀鋒視窗中,選擇 [建立設定檔]。On the profiles blade, choose Create Profile.
  6. 在 [建立設定檔] 刀鋒視窗中,為 iOS 教育設定檔輸入 [名稱] 及 [描述]。On the Create Profile blade, enter a Name and Description for the iOS education profile.
  7. 從 [平台] 下拉式清單中,選擇 [iOS]。From the Platform drop-down list, choose iOS.
  8. 從 [設定檔類型] 下拉式清單中,選擇 [教育]。From the Profile type drop-down list, choose Education.
  9. 選擇 [設定] > [設定]。Choose Settings > Configure.

接下來,您需要憑證才能建立老師和學生 iPad 之間的信任關係。Next, you need certificates to establish a trust relationship between teacher and student iPads. 憑證是用來順暢且無訊息地驗證裝置之間的連線,而不需要輸入使用者名稱和密碼。Certificates are used to seamlessly and silently authenticate connections between devices without having to enter user names and passwords.

重要

您使用的老師和學生憑證必須由不同的憑證授權單位 (CA) 發行。The teacher and student certificates you use must be issued by different certificate authorities (CAs). 您必須建立兩個新的次級 CA,連線到現有的憑證基礎結構。一個供老師使用,一個供學生使用。You must create two new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS 教育設定檔只支援 PFX 憑證。iOS education profiles support only PFX certificates. 不支援 SCEP 憑證。SCEP certificates are not supported.

您建立的憑證除了支援使用者驗證,還必須支援伺服器驗證。Certificates you create must support server authentication in addition to user authentication.

設定老師憑證Configure teacher certificates

在 [教育] 刀鋒視窗中,選擇 [老師憑證]。On the Education blade, choose Teacher certificates.

設定老師根憑證Configure teacher root certificate

在 [老師根憑證] 下,選擇瀏覽按鈕以選取副檔名為 .cer (DER 或 Base64 編碼) 或 .P7B (不論有無完整鏈結) 的老師根憑證。Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension .cer (DER, or Base64 encoded), or .P7B (with or without full chain).

設定老師 PKCS#12 憑證Configure teacher PKCS#12 certificate

在 [老師 PKCS #12 憑證] 下,設定下列值︰Under Teacher PKCS#12 certificate, configure the following values:

  • 主體名稱格式 - Intune 會自動為老師憑證的憑證一般名稱前面加上 leader,然後為學生憑證的憑證一般名稱前面加上 memberSubject name format - Intune automatically prefixes the certificate common name with leader, for the teacher certificate, and member, for the student certificate.
  • 憑證授權單位:在企業版 Windows Server 2008 R2 或更新版本上執行的企業憑證授權單位 (CA)。Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. 不支援獨立 CA。A Standalone CA is not supported.
  • 憑證授權單位名稱:輸入您的憑證授權單位名稱。Certification authority name - Enter the name of your certification authority.
  • 憑證範本名稱- 輸入已新增至發行 CA 的憑證範本名稱。**Certificate template name **- Enter the name of a certificate template that has been added to an issuing CA.
  • 更新閾值 (%) - 指定裝置要求憑證更新之前,剩餘的憑證存留時間百分比。Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
  • 憑證有效期間 - 指定憑證到期之前的剩餘時間。Certificate validity period - Specify the amount of remaining time before the certificate expires. 您可以指定一個比憑證範本中指定之有效期間更低,而不是更高的值。You can specify a value that is lower than the validity period in the specified certificate template, but not higher. 舉例來說,如果憑證範本中的憑證有效期間為兩年,您可以指定一年而不是五年的值。For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. 此值也必須低於發行 CA 憑證的剩餘有效期間。The value must also be lower than the remaining validity period of the issuing CA certificate.

當您完成設定老師憑證時,請選擇 [確定]。When you have finished configuring teacher certificates, choose OK.

設定學生憑證Configure student certificates

  1. 在 [教育] 刀鋒視窗中,選擇 [學生憑證]。On the Education blade, choose Student certificates.
  2. 在 [學生憑證] 刀鋒視窗中,從 [學生裝置憑證類型] 清單中,選擇 [共用的 iPad]。On the Student certificates blade, from the Student device certificates type list, choose Shared iPad.

設定學生根憑證Configure student root certificate

在 [裝置根憑證] 下,選擇瀏覽按鈕以選取副檔名為 .cer (DER 或 Base64 編碼) 或 .P7B (不論有無完整鏈結) 的學生根憑證。Under Device root certificate, choose the browse button to select the student root certificate with the extension .cer (DER, or Base64 encoded), or .P7B (with or without full chain).

設定裝置 PKCS#12 憑證Configure device PKCS#12 certificate

在 [學生 PKCS #12 憑證] 下,設定下列值︰Under Student PKCS#12 certificate, configure the following values:

  • 主體名稱格式 - Intune 會自動為老師憑證的憑證一般名稱前面加上 leader,並為裝置憑證的憑證一般名稱前面加上 member。Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher certificate, and member, for the device certificate.
  • 憑證授權單位:在企業版 Windows Server 2008 R2 或更新版本上執行的企業憑證授權單位 (CA)。Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. 不支援獨立 CA。A Standalone CA is not supported.
  • 憑證授權單位名稱:輸入您的憑證授權單位名稱。Certification authority name - Enter the name of your certification authority.
  • 憑證範本名稱 - 輸入已新增至發行 CA 的憑證範本名稱。Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
  • 更新閾值 (%) - 指定裝置要求憑證更新之前,剩餘的憑證存留時間百分比。Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
  • 憑證有效期間 - 指定憑證到期之前的剩餘時間。Certificate validity period - Specify the amount of remaining time before the certificate expires. 您可以指定一個比憑證範本中指定之有效期間更低,而不是更高的值。You can specify a value that is lower than the validity period in the specified certificate template, but not higher. 舉例來說,如果憑證範本中的憑證有效期間為兩年,您可以指定一年而不是五年的值。For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. 此值也必須低於發行 CA 憑證的剩餘有效期間。The value must also be lower than the remaining validity period of the issuing CA certificate.

當您完成設定憑證時,請選擇 [確定]。When you are finished configuring certificates, choose OK.

完成憑證設定Complete Certificate Setup

  1. 在 [教育] 刀鋒視窗中,選擇 [確定]。On the Education blade, choose OK.
  2. 在 [建立設定檔] 刀鋒視窗中,選擇 [建立]。On the Create Profile blade, choose Create.

設定檔隨即建立,並出現在 [設定檔清單] 刀鋒視窗上。The profile is created and appears on the profiles list blade.

步驟 3 - 建立裝置類別Step 3 - Create a device category

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [其他] > [Intune]。Choose More Services > Other > Intune.
  3. 在 [Intune] 刀鋒視窗中,選擇 [裝置註冊]。On the Intune blade, choose Device enrollment.
  4. 在 [註冊 - 概觀] 刀鋒視窗中,選擇 [裝置類別]。On the Enrollment - Overview blade, choose Device Categories.
  5. 在 [註冊 - 裝置類別] 刀鋒視窗中,選擇 [建立]。On the Enrollment - Device Categories blade, choose Create.
  6. 在 [建立裝置類別] 刀鋒視窗中,為類別輸入 [名稱] 及 [描述]。On the Create device category blade, enter a Name and Description for the category.
  7. 在 [建立裝置類別] 刀鋒視窗中,選擇 [建立]。On the Create device category blade, choose Create.

即會在 [註冊 – 裝置類別] 刀鋒視窗中建立裝置類別。The device category is created in the Enrollment – Device Categories blade.

步驟 4 – 建立動態群組Step 4 – Create a dynamic group

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [其他] > [Intune]。Choose More Services > Other > Intune.
  3. 在 [Intune] 刀鋒視窗中,選擇 [群組]。On the Intune blade, choose Groups.
  4. 在 [使用者和群組 - 所有群組] 刀鋒視窗中,選擇 [新增群組]。On the Users and Groups – All Groups blade, choose New Group.
  5. 在 [群組] 刀鋒視窗中,為群組輸入 [名稱] 及 [描述]。On the Group blade, enter a Name and Description for the group.
  6. 從 [成員資格類型] 下拉式清單中,選擇 [動態裝置]。From the Membership Type drop-down list, choose Dynamic Device.
  7. 選擇 [動態裝置成員] 來建立成員資格規則。Choose Dynamic device members to create membership rules.
  8. 在 [動態成員資格規則] 刀鋒視窗中:On the Dynamic membership rules blade:
  9. 從 [新增裝置,其中] 下拉式清單中,選取 [deviceCategory]。Select deviceCategory from the Add devices where drop-down list.
  10. 選擇 [等於]Choose Equals
  11. 在空白的文字方塊中輸入您建立的裝置類別Enter the device category you created in the blank text box
  12. 在 [動態成員資格規則] 刀鋒視窗中,選擇 [新增查詢]。On the Dynamic membership rules blade, choose Add query.
  13. 在 [群組] 刀鋒視窗中,選擇 [建立]。On the Group blade, choose Create.

即會在 [使用者和群組 – 所有群組] 刀鋒視窗中建立動態群組。The dynamic group is created in the Users and Groups – All Groups blade.

步驟 5 – 將裝置指派給類別 (購物車)Step 5 – Assign a device to a category (Carts)

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [其他] > [Intune]。Choose More Services > Other > Intune.
  3. 在 [Intune] 刀鋒視窗中,選擇 [裝置]。On the Intune blade, choose Devices.
  4. 在 [裝置] 刀鋒視窗中,選擇 [所有裝置]。On the Devices blade, choose All devices.
  5. 在 [裝置 – 所有裝置] 刀鋒視窗中,選擇 一個裝置。On the Devices – All devices blade, choose a device.
  6. 在 [裝置] 刀鋒視窗中,選擇 [內容]。On the device blade, choose Properties.
  7. 在裝置的 [內容] 刀鋒視窗中,於 [裝置類別] 文字方塊中輸入裝置類別。On the device’s properties blade, enter the device category in the Device category text box.
  8. 在 [裝置] 刀鋒視窗中,選擇 [儲存]。On the device blade, choose Save.

裝置現在已與裝置類別相關聯。The device is now associated to the device category. 針對您想要關聯到所建立裝置類別的所有裝置,重複此處理序。Repeat this process for all the devices you want to associate to the device category you created.

步驟 6 – 建立教室設定檔Step 6 – Create classroom profiles

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [其他] > [Intune]。Choose More Services > Other > Intune.
  3. 在 [Intune] 刀鋒視窗中選擇 [設定裝置]。On the Intune blade, choose Configure devices.
  4. 在 [裝置設定] 刀鋒視窗中,選擇 [管理] > [購物車設定檔]。On the Device Configuration blade, choose Manage > Cart Profiles.
  5. 在設定檔刀鋒視窗中,選擇 [建立設定檔]。On the profiles blade, choose Create Profile.
  6. 在 [建立關聯] 刀鋒視窗中,輸入 [名稱] 及 [描述]。On the Create Association blade, enter a Name and Description.
  7. 選擇 [選取類別] > [設定],將群組關聯至購物車設定檔。Choose Select Classes > Configure to associate groups to the Cart Profile.
  8. 選擇要納入購物車設定檔的類別,然後選擇 [選取]。Choose the classes to include to the Cart Profile then choose Select.
  9. 選擇 [選取購物車] > [設定],將群組關聯至購物車設定檔。Choose Select Carts > Configure to associate groups to the Cart Profile.
  10. 選擇要納入購物車設定檔的群組,然後選擇 [選取]。Choose the groups to include to the Cart Profile then choose Select.
  11. 在 [建立關聯] 刀鋒視窗中,選擇 [儲存] 來儲存購物車設定檔。On the Create Association blade, choose Save to save the Cart Profile.

設定檔隨即建立,並出現在 [設定檔清單] 刀鋒視窗上。The profile is created and appears on the profiles list blade.

步驟 7 - 將購物車設定檔指派給類別Step 7 - Assign the Cart Profile to Classes

  1. 登入 Azure 入口網站。Sign into the Azure portal.
  2. 選擇 [更多服務] > [其他] > [Intune]。Choose More Services > Other > Intune.
  3. 在 [Intune] 刀鋒視窗中選擇 [設定裝置]。On the Intune blade, choose Configure devices.
  4. 在 [裝置設定] 刀鋒視窗中,選擇 [監視] > [指派狀態]。On the Device Configuration blade, choose Monitor > Assignment status.
  5. 在 [指派狀態] 刀鋒視窗中,選取您所建立的 [購物車設定檔]。On the Assignment status blade, select the Cart Profile you created.
  6. 在 [購物車設定檔] 刀鋒視窗中,選擇 [指派],然後在 [Include] 中,選擇 [選取要納入的群組]。On the Cart Profile blade choose Assignments and then, under Include choose Select groups to include.
  7. 選擇您希望購物車設定檔設為目標的類別 (不要選取群組),然後選擇 [選取]。Select the classes you want the cart profile to target (do not select a group), then choose Select.
  8. 完成之後,請選擇 [儲存]When you are finished, choose Save.

指派完成時,Intune 會根據教室指派,將教室設定檔部署到目標裝置上。The assignment completes, and Intune deploys the Classroom profile to the targeted devices based on the classroom assignment.

後續步驟Next Steps

現在學生可以共用學生間的裝置,學生可以挑選教室中的任何 iPad,使用 PIN 碼進行登入,然後利用其內容進行個人化。Now students can share devices between students, and students can pick up any iPad in a classroom, log in with a PIN and have it personalized with their content. 如需共用 iPad 的詳細資訊,請參閱 Apple 網站For more information about Shared iPads, see the Apple website.

若要提交意見反應,請前往 Intune Feedback