如何設定共用 iPad 裝置的 Intune 教育設定How to configure Intune education settings for shared iPad devices

適用對象:Azure 入口網站的 IntuneApplies to: Intune in the Azure portal
您需要傳統入口網站的 Intune 相關文件嗎?Looking for documentation about Intune in the classic portal? 請參閱本 Intune 簡介Read the introduction to Intune.

Intune 支援 iOS Classroom 應用程式,可協助老師在課堂中引導學習,並控制學生的裝置。Intune supports the iOS Classroom app that helps teachers to guide learning, and control student devices in the classroom. 此外,對於 Classroom 應用程式,Apple 支援設定學生 iPad 裝置的功能,可讓多位學生共用單一裝置。In addition, to the Classroom app, Apple supports the ability for student iPad devices to be configured such that multiple students can share a single device. 本文件將引導您使用 Intune 達成這個目標。This document guides you to achieve this goal with Intune.

如需設定專用 (1:1) iPad 裝置以使用 Classroom 應用程式的詳細資訊,請參閱如何設定 iOS Classroom 應用程式的 Intune 設定For information about configuring dedicated (1:1) iPad devices to use the Classroom app, see How to configure Intune settings for the iOS Classroom app.

開始之前Before you start

使用共用 iPad 功能的必要條件如下:The prerequisites to use the shared iPad capabilities are:

步驟 1 - 將學校資料匯入至 Azure Active DirectoryStep 1 - Import your school data into Azure Active Directory

使用 Microsoft 的學校資料同步處理 (SDS) 從現有的學生資訊系統 (SIS) 將學校記錄匯入至 Azure Active Directory (Azure AD)。Use Microsoft's School Data Sync (SDS) to import school records from an existing Student Information System (SIS) to Azure Active Directory (Azure AD). SDS 會同步處理 SIS 的資訊,並將它儲存在 Azure AD 中。SDS synchronizes information from your SIS and stores it in Azure AD. Azure AD 是一套可協助您組織使用者與裝置的 Microsoft 管理系統。Azure AD is a Microsoft management system that helps you organize users and devices. 之後,您就可以使用這些資料來協助管理您的學生和課程。You can then use this data to help you manage your students and classes. 深入了解如何部署 SDSLearn more about how to deploy SDS.

如何使用 SDS 匯入資料How to import data using SDS

您可以使用下列其中一種方法,將資訊匯入至 SDS:You can import information into SDS by using one of the following methods:

  • CSV 檔案 - 手動匯出並編譯逗號分隔值 (.csv) 檔案CSV files - Manually export and compile comma-separated value (.csv) files
  • PowerSchool API - 簡化 Azure AD 同步流程的 SIS 提供者PowerSchool API - An SIS provider that simplifies syncing with Azure AD
  • OneRoster - 您可以匯出並轉換成此種 CSV 格式以便與 Azure AD 同步OneRoster - A CSV format that you can export and convert to sync with Azure AD

深入了解Find out more

步驟 2 - 在 Intune 中建立並指派 iOS 教育設定檔Step 2 - Create and assign an iOS Education profile in Intune

設定一般設定Configure general settings

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格中,選擇 [裝置設定]。On the Intune pane, choose Device configuration.
  4. 在 [裝置設定] 窗格的 [管理] 區段下,選擇 [設定檔]。On the Device configuration pane under the Manage section, choose Profiles.
  5. 在 [設定檔] 窗格中,選擇 [建立設定檔]。On the profiles pane, choose Create profile.
  6. 在 [建立設定檔] 窗格中,輸入 iOS 教育設定檔的 [名稱] 和 [描述]。On the Create profile pane, enter a Name and Description for the iOS education profile.
  7. 從 [平台] 下拉式清單中,選擇 [iOS]。From the Platform drop-down list, choose iOS.
  8. 從 [設定檔類型] 下拉式清單中,選擇 [教育]。From the Profile type drop-down list, choose Education.
  9. 選擇 [設定] > [設定]。Choose Settings > Configure.

接下來,您需要憑證才能建立老師和學生 iPad 之間的信任關係。Next, you need certificates to establish a trust relationship between teacher and student iPads. 憑證是用來順暢且無訊息地驗證裝置之間的連線,而不需要輸入使用者名稱和密碼。Certificates are used to seamlessly and silently authenticate connections between devices without having to enter user names and passwords.

重要

您使用的老師和學生憑證必須由不同的憑證授權單位 (CA) 發行。The teacher and student certificates you use must be issued by different certificate authorities (CAs). 您必須建立兩個新的次級 CA,連線到現有的憑證基礎結構。一個供老師使用,一個供學生使用。You must create two new subordinate CAs connected to your existing certificate infrastructure; one for teachers, and one for students.

iOS 教育設定檔只支援 PFX 憑證。iOS education profiles support only PFX certificates. 不支援 SCEP 憑證。SCEP certificates are not supported.

您建立的憑證除了支援使用者驗證,還必須支援伺服器驗證。Certificates you create must support server authentication in addition to user authentication.

設定老師憑證Configure teacher certificates

在 [教育] 窗格中,選擇 [教師憑證]。On the Education pane, choose Teacher certificates.

設定老師根憑證Configure teacher root certificate

在 [老師根憑證] 下,選擇瀏覽按鈕以選取副檔名為 .cer (DER 或 Base64 編碼) 或 .P7B (不論有無完整鏈結) 的老師根憑證。Under Teacher root certificate, choose the browse button to select the teacher root certificate with the extension .cer (DER, or Base64 encoded), or .P7B (with or without full chain).

設定老師 PKCS#12 憑證Configure teacher PKCS#12 certificate

在 [老師 PKCS #12 憑證] 下,設定下列值︰Under Teacher PKCS#12 certificate, configure the following values:

  • 主體名稱格式 - Intune 會自動為老師憑證的憑證一般名稱前面加上 leader,然後為學生憑證的憑證一般名稱前面加上 memberSubject name format - Intune automatically prefixes the certificate common name with leader, for the teacher certificate, and member, for the student certificate.
  • 憑證授權單位:在企業版 Windows Server 2008 R2 或更新版本上執行的企業憑證授權單位 (CA)。Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. 不支援獨立 CA。A Standalone CA is not supported.
  • 憑證授權單位名稱:輸入您的憑證授權單位名稱。Certification authority name - Enter the name of your certification authority.
  • 憑證範本名稱 - 輸入已新增至發行 CA 的憑證範本名稱。Certificate template name- Enter the name of a certificate template that has been added to an issuing CA.
  • 更新閾值 (%) - 指定裝置要求憑證更新之前,剩餘的憑證存留時間百分比。Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
  • 憑證有效期間 - 指定憑證到期之前的剩餘時間。Certificate validity period - Specify the amount of remaining time before the certificate expires. 您可以指定一個比憑證範本中指定之有效期間更低,而不是更高的值。You can specify a value that is lower than the validity period in the specified certificate template, but not higher. 舉例來說,如果憑證範本中的憑證有效期間為兩年,您可以指定一年而不是五年的值。For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. 此值也必須低於發行 CA 憑證的剩餘有效期間。The value must also be lower than the remaining validity period of the issuing CA certificate.

當您完成設定老師憑證時,請選擇 [確定]。When you have finished configuring teacher certificates, choose OK.

設定學生憑證Configure student certificates

  1. 在 [教育] 窗格中,選擇 [學生憑證]。On the Education pane, choose Student certificates.
  2. 在 [學生憑證] 窗格中,從 [學生裝置憑證類型] 清單中,選擇 [共用的 iPad]。On the Student certificates pane, from the Student device certificates type list, choose Shared iPad.

設定學生根憑證Configure student root certificate

在 [裝置根憑證] 下,選擇瀏覽按鈕以選取副檔名為 .cer (DER 或 Base64 編碼) 或 .P7B (不論有無完整鏈結) 的學生根憑證。Under Device root certificate, choose the browse button to select the student root certificate with the extension .cer (DER, or Base64 encoded), or .P7B (with or without full chain).

設定裝置 PKCS#12 憑證Configure device PKCS#12 certificate

在 [學生 PKCS #12 憑證] 下,設定下列值︰Under Student PKCS#12 certificate, configure the following values:

  • 主體名稱格式 - Intune 會自動為老師憑證的憑證一般名稱前面加上 leader,並為裝置憑證的憑證一般名稱前面加上 member。Subject name format - Intune automatically prefixes the certificate common name with leader, for the teacher certificate, and member, for the device certificate.
  • 憑證授權單位:在企業版 Windows Server 2008 R2 或更新版本上執行的企業憑證授權單位 (CA)。Certification authority - An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. 不支援獨立 CA。A Standalone CA is not supported.
  • 憑證授權單位名稱:輸入您的憑證授權單位名稱。Certification authority name - Enter the name of your certification authority.
  • 憑證範本名稱 - 輸入已新增至發行 CA 的憑證範本名稱。Certificate template name - Enter the name of a certificate template that has been added to an issuing CA.
  • 更新閾值 (%) - 指定裝置要求憑證更新之前,剩餘的憑證存留時間百分比。Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
  • 憑證有效期間 - 指定憑證到期之前的剩餘時間。Certificate validity period - Specify the amount of remaining time before the certificate expires. 您可以指定一個比憑證範本中指定之有效期間更低,而不是更高的值。You can specify a value that is lower than the validity period in the specified certificate template, but not higher. 舉例來說,如果憑證範本中的憑證有效期間為兩年,您可以指定一年而不是五年的值。For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. 此值也必須低於發行 CA 憑證的剩餘有效期間。The value must also be lower than the remaining validity period of the issuing CA certificate.

當您完成設定憑證時,請選擇 [確定]。When you are finished configuring certificates, choose OK.

完成憑證設定Complete Certificate Setup

  1. 在 [教育] 窗格中,選擇 [確定]。On the Education pane, choose OK.
  2. 在 [建立設定檔] 窗格中,選擇 [建立]。On the Create profile pane, choose Create.

設定檔隨即建立,並出現在 [設定檔清單] 窗格上。The profile is created and appears on the profiles list pane.

步驟 3 - 建立裝置類別Step 3 - Create a device category

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格中,選擇 [裝置註冊]。On the Intune pane, choose Device enrollment.
  4. 在 [裝置註冊 - 概觀] 窗格中,選擇 [裝置類別]。On the Device enrollment - Overview pane, choose Device categories.
  5. 在 [裝置註冊 - 裝置類別] 窗格中,選擇 [建立]。On the Device enrollment - Device Categories pane, choose Create.
  6. 在 [建立裝置類別] 窗格中,輸入類別的 [名稱] 和 [描述]。On the Create device category pane, enter a Name and Description for the category.
  7. 在 [建立裝置類別] 窗格中,選擇 [建立]。On the Create device category pane, choose Create.

即會在 [註冊 – 裝置類別] 窗格中建立裝置類別。The device category is created in the Enrollment – Device Categories pane.

步驟 4 – 建立動態群組Step 4 – Create a dynamic group

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格中,選擇 [群組]。On the Intune pane, choose Groups.
  4. 在 [使用者和群組 - 所有群組] 窗格中,選擇 [新增群組]。On the Users and Groups – All Groups pane, choose New group.
  5. 在 [群組] 窗格中,選擇 [群組類型],然後鍵入群組的 [名稱] 和 [描述]。On the Group pane, choose a Group type and then enter a Name and Description for the group.
  6. 從 [成員資格類型] 下拉式清單中,選擇 [動態裝置]。From the Membership type drop-down list, choose Dynamic Device.
  7. 選擇 [動態裝置成員] 來建立成員資格規則。Choose Dynamic device members to create membership rules.
  8. 在 [動態成員資格規則] 窗格中:On the Dynamic membership rules pane:
  9. 從 [新增裝置,其中] 下拉式清單中,選取 [deviceCategory]。Select deviceCategory from the Add devices where drop-down list.
  10. 選擇 [等於]。Choose Equals.
  11. 在空白的文字方塊中輸入您建立的裝置類別。Enter the device category you created in the blank text box.
  12. 在 [動態成員資格規則] 窗格中,選擇 [新增查詢]。On the Dynamic membership rules pane, choose Add query.
  13. 在 [群組] 窗格中,選擇 [建立]。On the Group pane, choose Create.

即會在 [使用者和群組 – 所有群組] 窗格中建立動態群組。The dynamic group is created in the Users and Groups – All Groups pane.

步驟 5 – 將裝置指派給類別 (購物車)Step 5 – Assign a device to a category (Carts)

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格中,選擇 [裝置]。On the Intune pane, choose Devices.
  4. 在 [裝置] 窗格中,選擇 [所有裝置]。On the Devices pane, choose All devices.
  5. 在 [裝置 – 所有裝置] 窗格中,選擇一部裝置。On the Devices – All devices pane, choose a device.
  6. 在 [裝置] 窗格中,選擇 [內容]。On the device pane, choose Properties.
  7. 在裝置的 [內容] 窗格中,於 [裝置類別] 文字方塊中輸入裝置類別。On the device’s properties pane, enter the device category in the Device category text box.
  8. 在 [裝置] 窗格中,選擇 [儲存]。On the device pane, choose Save.

裝置現在已與裝置類別相關聯。The device is now associated to the device category. 針對您想要關聯到所建立裝置類別的所有裝置,重複此處理序。Repeat this process for all the devices you want to associate to the device category you created.

步驟 6 – 建立教室設定檔Step 6 – Create classroom profiles

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格中,選擇 [裝置設定]。On the Intune pane, choose Device configuration.
  4. 在 [裝置設定] 窗格中,選擇 [管理] > [購物車設定檔]。On the Device configuration pane, choose Manage > Cart Profiles.
  5. 在 [設定檔] 窗格中,選擇 [建立設定檔]。On the profiles pane, choose Create Profile.
  6. 在 [建立關聯] 窗格中,輸入 [名稱] 和 [描述]。On the Create Association pane, enter a Name and Description.
  7. 選擇 [選取類別] > [設定],將群組關聯至購物車設定檔。Choose Select Classes > Configure to associate groups to the Cart Profile.
  8. 選擇要納入購物車設定檔的類別,然後選擇 [選取]。Choose the classes to include to the Cart Profile then choose Select.
  9. 選擇 [選取購物車] > [設定],將群組關聯至購物車設定檔。Choose Select Carts > Configure to associate groups to the Cart Profile.
  10. 選擇要納入購物車設定檔的群組,然後選擇 [選取]。Choose the groups to include to the Cart Profile then choose Select.
  11. 在 [建立關聯] 窗格中,選擇 [儲存] 來儲存購物車設定檔。On the Create Association pane, choose Save to save the Cart Profile.

設定檔隨即建立,並出現在 [設定檔清單] 窗格上。The profile is created and appears on the profiles list pane.

步驟 7 - 將購物車設定檔指派給類別Step 7 - Assign the Cart Profile to Classes

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格中,選擇 [裝置設定]。On the Intune pane, choose Device configuration.
  4. 在 [裝置設定] 窗格中,選擇 [監視] > [指派狀態]。On the Device configuration pane, choose Monitor > Assignment status.
  5. 在 [指派狀態] 窗格中,選取您所建立的 [購物車設定檔]。On the Assignment status pane, select the Cart Profile you created.
  6. 在 [購物車設定檔] 窗格中,選擇 [指派],然後在 [Include] 下,選擇 [Select groups to include] (選取要包含的群組)。On the Cart Profile pane choose Assignments and then, under Include choose Select groups to include.
  7. 選擇您希望購物車設定檔設為目標的類別 (不要選取群組),然後選擇 [選取]。Select the classes you want the cart profile to target (do not select a group), then choose Select.
  8. 完成之後,請選擇 [儲存]When you are finished, choose Save.

指派完成時,Intune 會根據教室指派,將教室設定檔部署到目標裝置上。The assignment completes, and Intune deploys the Classroom profile to the targeted devices based on the classroom assignment.

後續步驟Next Steps

現在學生可以共用學生間的裝置,學生可以挑選教室中的任何 iPad,使用 PIN 碼進行登入,然後利用其內容進行個人化。Now students can share devices between students, and students can pick up any iPad in a classroom, log in with a PIN and have it personalized with their content. 如需共用 iPad 的詳細資訊,請參閱 Apple 網站For more information about Shared iPads, see the Apple website.