Set the mobile device management authority

The mobile device management (MDM) authority setting determines how you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for management.

Possible configurations are:

  • Intune Standalone - cloud-only management, which you configure by using the Azure portal. Includes the full set of capabilities that Intune offers. Set the MDM authority in the Intune console.

  • Intune Hybrid - integration of the Intune cloud solution with System Center Configuration Manager. You configure Intune by using the Configuration Manager console. Set the MDM authority in Configuration Manager.

  • Mobile Device Management for Office 365 - integration of Office 365 with the Intune cloud solution. You configure Intune from your Office 365 Admin Center. Includes a subset of the capabilities that are available with Intune Standalone. Set the MDM authority in Office 365 Admin Center.

Important

In Configuration Manager version 1610 or later and Microsoft Intune version 1705, you can change the MDM authority without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices. For details, see What to do if you choose the wrong MDM authority setting.

Set MDM authority to Intune

If you haven't yet set the MDM authority, follow the steps below. To change from one MDM authority to another, see the change MDM authority section below.

  1. Sign in to the Azure portal.

  2. Choose All services > Intune. Intune is located in the Monitoring + Management section.

  3. Select the orange banner to open the Mobile Device Management Authority setting. The orange banner is only displayed if you haven't yet set the MDM authority.

  4. Under Mobile Device Management Authority, choose your MDM authority from the following options:

    • Intune MDM Authority
    • Configuration Manager MDM Authority
    • None

    Screenshot: the Intune Set mobile device management authority screen

    A message indicates that you have successfully set your MDM authority to Intune.

Workflow of Intune Administration UI

When Android or Apple device management is enabled, Intune sends device and user information to these third-party services so that it can integrate with them to manage their respective devices.

A consent to share data is added in the following scenarios:

  • You enable Android work profiles.
  • You enable and upload an Apple MDM push certificate.
  • You enable any of the Apple services, such as Device Enrollment Program, School Manager, or Volume Purchase Program.

In each case, the consent is strictly related to running a mobile device management service, such as confirming that an IT admin has authorized Google or Apple devices to enroll. Documentation to address what information is shared when the new workflows go live is available from the following locations:

Key considerations

After you switch to the new MDM authority, there will likely be a transition time (up to eight hours) before each device checks in and synchronizes with the service. You are required to configure settings in the new MDM authority (hybrid) to ensure that enrolled devices continue to be managed and protected after the change.

  • Devices must connect with the service after the change so that the settings from the new MDM authority replace the existing settings on the device.
  • After you change the MDM authority, some of the basic settings (such as profiles) from the previous MDM authority (Intune standalone) remain on the device for up to seven days or until the device connects to the service for the first time. It is recommended that you configure apps and settings (policies, profiles, apps, and so on) in the new MDM authority (hybrid) as soon as possible and deploy them to the user groups that contain users who have existing enrolled devices. As soon as a device connects to the service after the change in MDM authority, it receives the new settings from the new MDM authority, which prevents gaps in management and protection.
  • When the same device categories exist in both Intune and Configuration Manager, device category assignments are not carried over after you switch to the new MDM authority. To continue using device categories, migrated devices have to be manually added to the appropriate collections after the MDM authority is changed and the devices appear in the Configuration Manager console.
  • Devices that don't have associated users (typically iOS Device Enrollment Program or bulk enrollment scenarios) are not migrated to the new MDM authority. For those devices, contact support for assistance in moving them to the new MDM authority.

Prepare to change the MDM authority to Configuration Manager

Review the following information to prepare for the change to the MDM authority:

  • You must have Configuration Manager version 1610 or later for the option to change the MDM authority to be available.

  • It can take up to eight hours for a device to connect to the service after you change to the new MDM authority.

  • Create a Configuration Manager user collection with all users currently managed by Intune standalone; you will use it when you set up the Intune subscription in the Configuration Manager console. This helps to ensure that the users and their devices have a Configuration Manager license assigned and are managed in the hybrid environment after the change to the MDM authority.

  • Make sure that the IT admin user is in this user collection too.

  • Before the change, the MDM authority should display Set to Microsoft Intune (standalone) in the Microsoft Intune administration console.

    Note

    If your MDM authority displays Managed by Intune and Office 365, then your Office 365 managed MDM devices are no longer managed once you change your MDM authority to Configuration Manager (hybrid). We recommend that you license those users for Intune or Enterprise Mobility Suite before you change the MDM authority.

  • In the Microsoft Intune administration console, remove the Device Enrollment Manager role. For details, see Delete a device enrollment manager from Intune.

  • Turn off any device group mappings that are configured. For details, see Categorize devices with device group mapping in Microsoft Intune.

  • There should be no noticeable impact to end users during the change in MDM authority. However, you might want to communicate this change to users to make sure that their devices are powered on and connect with the service soon after the change. This ensures that as many devices as possible connect and register with the service through the new authority as soon as possible.

  • If you are using Intune standalone to manage iOS devices prior to the change in MDM authority, you must make sure that the same Apple Push Notification service (APNs) certificate that was previously used in Intune is renewed and used to set up the tenant again in Configuration Manager (hybrid).

    Important

    If a different APNs certificate is used for hybrid, then ALL previously enrolled iOS devices become unenrolled and you have to go through the process to reenroll them. Prior to making the MDM authority change, make sure that you know exactly which APNs certificate was used to manage iOS devices in Intune. Find the same certificate listed in the Apple Push Certificates Portal (https://identity.apple.com) and make sure the user whose Apple ID was used to create the original APNs certificate is identified and available to renew that same certificate as part of the change to the new MDM authority.
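A local check for the APNs certificate requirement above, and for the upload step described later under "What to expect after changing the MDM authority". This is an added example, not Microsoft's or Intune's code. It assumes you have exported the certificate Intune is currently using and the certificate you intend to upload to Configuration Manager as PEM files (old.pem and new.pem are placeholder names) and that the openssl command-line tool is installed. A renewed APNs certificate keeps the same push topic (the UID attribute of the subject) even though its fingerprint and validity period change, so the script compares push topics rather than fingerprints, prints the fingerprints for your change record, and warns when the current certificate is close to expiry.

```shell
#!/bin/sh
# Added example (not Microsoft's code): compare the APNs certificate Intune
# used with the one you plan to upload to the new MDM authority.
# Assumes both certificates are PEM files; requires the openssl CLI.

# SHA-256 fingerprint of a certificate, for your change record.
apns_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The MDM push topic is the UID attribute of the certificate subject
# (com.apple.mgmt.External.<guid>). A renewal keeps it; a certificate
# created under a different Apple ID gets a new one.
apns_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p'
}

# Returns 0 if the certificate expires within $2 days, 1 otherwise.
# (openssl -checkend succeeds when the cert is still valid after N seconds.)
apns_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# apns_check OLD.pem NEW.pem: returns 0 only when both carry the same push
# topic, i.e. NEW is a renewal of OLD and existing iOS enrollments survive.
apns_check() {
    old_topic=$(apns_topic "$1")
    new_topic=$(apns_topic "$2")
    if [ -z "$old_topic" ] || [ -z "$new_topic" ]; then
        echo "could not read a push topic from one of the certificates" >&2
        return 2
    fi
    echo "old: topic=$old_topic fingerprint=$(apns_fingerprint "$1")"
    echo "new: topic=$new_topic fingerprint=$(apns_fingerprint "$2")"
    if apns_expires_within "$1" 30; then
        echo "warning: current certificate expires within 30 days; renew it before the change" >&2
    fi
    if [ "$old_topic" != "$new_topic" ]; then
        echo "MISMATCH: different push topic; uploading this certificate would unenroll all iOS devices" >&2
        return 1
    fi
    echo "OK: same push topic; existing iOS enrollments are preserved"
    return 0
}

# Usage: sh apns_check.sh old.pem new.pem
if [ "$#" -eq 2 ]; then
    apns_check "$1" "$2"
fi
```

Run it with the exported Intune certificate first and the renewed certificate second; a non-zero exit means the upload would replace the push topic and should be stopped before you reach the Configuration Manager wizard.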

Change the MDM authority to Configuration Manager

  1. In the Configuration Manager console, go to Administration > Overview > Cloud Services > Microsoft Intune Subscription, and select the option to add an Intune subscription.
  2. Sign in to the Intune tenant that you originally used when you set the MDM authority in Intune, and click Next.
  3. Select Change my MDM Authority to Configuration Manager, and click Next.
  4. Select the user collection that contains all of the users who will continue to be managed by the new hybrid MDM authority.
  5. Click Next and complete the wizard. The MDM authority is now changed to Configuration Manager.
  6. Log in to the Microsoft Intune administration console using the same Intune tenant and confirm that the MDM authority has been changed to Set to Configuration Manager.
  7. After changing the MDM authority to Configuration Manager, you can set up iOS enrollment and Android enrollment.
  8. In the Configuration Manager console, configure and deploy new settings and apps from the new MDM authority (hybrid).

The next time a device connects to the service, it synchronizes and receives the new settings from the new MDM authority.

Change MDM authority to Office 365

To activate Office 365 MDM in addition to your existing Intune service, go to https://protection.office.com, and choose Data Loss Prevention > Device Security Policies > View list of Managed Devices > Let's get started.

For more information, see Set up Mobile Device Management (MDM) in Office 365.

If you want end users to be managed only by Office 365 MDM, remove any assigned Intune and/or EMS licenses after activating Office 365 MDM.

Mobile device cleanup after MDM certificate expiration

The MDM certificate is renewed automatically while mobile devices are communicating with the Intune service. If mobile devices are wiped, or they fail to communicate with the Intune service for some period of time, the MDM certificate is not renewed. The device is removed from the Azure portal 180 days after the MDM certificate expires.

Remove MDM authority

The MDM authority can't be changed back to Unknown. The MDM authority is used by Microsoft servers to determine which portal enrolled devices report to (Configuration Manager, Intune in Azure, or Office 365 MDM).

What to expect after changing the MDM authority

  • When the Intune service detects that a tenant's MDM authority has changed, it sends a notification message to all enrolled devices to check in and synchronize with the service (this is outside of the regularly scheduled check-in). Therefore, after the MDM authority for the tenant has been changed from Intune standalone to hybrid, all devices that are powered on and online connect with the service, receive the new MDM authority, and are managed by hybrid. There is no interruption to the management and protection of these devices.

  • Even for devices that are powered on and online during (or shortly after) the change in MDM authority, there can be a delay of up to eight hours (depending on the timing of the next scheduled regular check-in) before the devices are registered with the service under the new MDM authority.

    Important

    Between the time when you change the MDM authority and when the renewed APNs certificate is uploaded to the new authority, new device enrollments and device check-ins for iOS devices fail. Therefore, it is important that you review and upload the APNs certificate to the new authority as soon as possible after the change in MDM authority.

  • Users can move to the new MDM authority quickly by manually starting a check-in from the device to the service. Users can easily do this by using the Company Portal app and initiating a device compliance check.

  • To validate that things are working correctly after devices have checked in and synchronized with the service following the change in MDM authority, look for the devices in the Configuration Manager console. The devices that were previously managed by Intune are now displayed as managed devices in the Configuration Manager console.

  • There is an interim period between the change in MDM authority and the moment an offline device next checks in to the service. To help ensure that the device remains protected and functional during this interim period, the following profiles remain on the device for up to seven days (or until the device connects with the new MDM authority and receives new settings that overwrite the existing ones):

    • Email profile
    • VPN profile
    • Certificate profile
    • Wi-Fi profile
    • Configuration profiles
  • After you change to the new MDM authority, the compliance data in the Microsoft Intune administration console can take up to a week to report accurately. However, the compliance states in Azure Active Directory and on the device are accurate, so the device is still protected.

  • Make sure the new settings that are intended to overwrite existing settings have the same names as the previous ones, so that the old settings are actually overwritten. Otherwise, the devices might end up with redundant profiles and policies.

    Tip

    As a best practice, you should create all management settings and configurations, as well as deployments, shortly after the change to the MDM authority has completed. This helps ensure that devices are protected and actively managed during the interim period.

  • After you change the MDM authority, perform the following steps to validate that new devices enroll successfully with the new authority:

    • Enroll a new device.
    • Make sure the newly enrolled device shows up in the Configuration Manager console.
    • Perform an action, such as Remote Lock, from the administration console against the device. If it succeeds, the device is being managed by the new MDM authority.
  • If you have issues with specific devices, you can unenroll and reenroll them to get them connected to the new authority and managed as quickly as possible.

Next steps

With the MDM authority set, you can start enrolling devices.