如何使用 Microsoft Intune 管理透過大量採購方案購買的 iOS 應用程式How to manage iOS apps purchased through a volume-purchase program with Microsoft Intune

iOS App Store 可讓您購買多個想要在公司內執行的應用程式授權。The iOS app store lets you purchase multiple licenses for an app that you want to run in your company. 購買多個複本有助於您在公司中有效率地管理應用程式。Purchasing multiple copies helps you to efficiently manage apps in your company.

Microsoft Intune 可透過下列方式協助您管理透過此計畫購買的多個應用程式複本:Microsoft Intune helps you manage multiple copies of apps purchased through this program by:

  • 從應用程式市集報告授權資訊。Reporting license information from the app store.
  • 追蹤您已經使用多少個授權。Tracking how many of the licenses you have used.
  • 協助您不要安裝超過擁有數目的應用程式複本。Helping you to not install more copies of the app than you own.

您可以使用兩種方法來指派大量採購的應用程式:There are two methods you can use to assign volume-purchased apps:

裝置授權Device licensing

當您將一個應用程式指派給多部裝置時,會使用一個應用程式授權,並與您指派的目標裝置保持關聯。When you assign an app to devices, one app license is used, and remains associated with the device to which you assigned it.

當您將大量採購的應用程式指派給一部裝置時,裝置的終端使用者不需要提供 Apple ID 來存取市集。When you assign volume-purchased apps to a device, the end user of the device does not have to supply an Apple ID to access the store.

使用者授權User licensing

當您將應用程式指派給使用者時,會使用一個應用程式授權,並與使用者建立關聯。When you assign an app to a user, one app license is used for and is associated with the user. 該應用程式可以在使用者擁有的多部裝置上執行 (受 Apple 有限控制)。The app can be run on multiple devices that the user owns (with a limit controlled by Apple).

當您將大量採購的應用程式指派給多位使用者時,每位終端使用者都必須具備有效和唯一的 Apple ID,才能存取 App Store。When you assign a volume-purchased app to users, each end user must have a valid and unique Apple ID in order to access the app store.

此外,針對從 Apple 大量採購方案 (VPP) 市集購買的書籍,您可以使用 Intune 來進行同步處理、管理及指派。Additionally, you can synchronize, manage, and assign books you purchased from the Apple volume-purchase program (VPP) store with Intune. 如需詳細資訊,請參閱如何管理透過大量採購方案購買的 iOS 電子書For more information, see How to manage iOS eBooks you purchased through a volume-purchase program.

管理大量採購的 iOS 裝置應用程式Manage volume-purchased apps for iOS devices

iOS 裝置支援 Apple 大量採購方案大量採購的應用程式Supports Apple Volume Purchase Program volume-purchased apps for iOS devices

請透過商務 Apple 大量採購方案教育 Apple 大量採購方案,購買多份 iOS 應用程式授權。Purchase multiple licenses for iOS apps through the Apple Volume Purchase Program for Business or the Apple Volume Purchase Program for Education. 這項程序包括從 Apple 網站設定 Apple VPP 帳戶,並將 Apple VPP 權杖上傳到 Intune。This process involves setting up an Apple VPP account from the Apple website and uploading the Apple VPP token to Intune. 您可以將您的大量採購資訊與 Intune 同步處理,並追蹤大量採購的應用程式使用情況。You can then synchronize your volume purchase information with Intune and track your volume-purchased app use.

iOS 裝置支援企業對企業大量採購的應用程式Supports Business-to-Business volume-purchased apps for iOS devices

此外,協力廠商開發人員也可以私下將應用程式散發給 iTunes Connect 中所指定的授權企業大量採購方案成員。In addition, third-party developers can also privately distribute apps to authorized Volume Purchase Program for Business members specified in iTunes Connect. 這些企業 VPP 成員可以登入大量採購方案 App Store,並購買其應用程式。These VPP for Business members can sign in to the Volume Purchase Program App Store and purchase their apps. 終端使用者所購買的企業 VPP 應用程式將與其 Intune 租用戶同步。VPP for Business apps purchased by the end user will sync to their Intune tenants.

開始之前Before you start

在開始之前,您必須從 Apple 取得 VPP 權杖,並將它上傳至您的 Intune 帳戶。Before you start, you need to get a VPP token from Apple and upload it to your Intune account. 此外,您還應該了解下列準則︰Additionally, you should understand the following criteria:

  • 您可以讓多個 VPP 權杖與 Intune 帳戶建立關聯。You can associate multiple VPP tokens with your Intune account.
  • 之前如有其他產品已使用過 VPP 權杖,您必須產生新的權杖來搭配 Intune 使用。If you previously used a VPP token with a different product, you must generate a new one to use with Intune.
  • 每個權杖有效期限為一年。Each token is valid for one year.
  • Intune 預設與 Apple VPP 服務一天進行兩次同步處理。By default, Intune syncs with the Apple VPP service twice a day. 您可以在任何時間啟動手動同步處理。You can start a manual sync at any time.
  • 開始搭配 Intune 使用 Apple VPP 之前,請移除任何以其他行動裝置管理 (MDM) 廠商所建立的現有 VPP 使用者帳戶。Before you start to use Apple VPP with Intune, remove any existing VPP user accounts created with other mobile device management (MDM) vendors. 基於安全性考量,Intune 不會把這些使用者帳戶同步處理到 Intune。Intune does not synchronize those user accounts into Intune as a security measure. Intune 只會同步處理 Intune 所建立的 Apple VPP 服務資料。Intune only synchronizes data from the Apple VPP service that Intune created.
  • Intune 支援新增最多 256 個 VPP 權杖。Intune supports adding up to 256 VPP tokens.
  • Apple 的裝置註冊設定檔 (DEP) 方案會自動化行動裝置管理 (MDM) 註冊。Apple's Device Enrollment Profile (DEP) program automates mobile device management (MDM) enrollment. 使用 DEP,您可以設定企業裝置,而不需要碰觸它們。Using DEP, you can configure enterprise devices without touching them. 您可以使用與 Apple 之 VPP 搭配使用的相同方案代理程式帳戶來註冊 DEP 方案。You can enroll in the DEP program using the same program agent account that you used with Apple's VPP. Apple 部署方案識別碼對 Apple Deployment Programs 網站下所列的方案而言是唯一的,而且無法用來登入 iTunes 商店這類 Apple 服務。The Apple Deployment Program ID is unique to programs listed under the Apple Deployment Programs website and cannot be used to log in to Apple services such as the iTunes store.
  • 當您使用使用者授權模型指派 VPP 應用程式給使用者或裝置 (具有使用者親和性) 時,每個 Intune 使用者在裝置上接受 Apple 條款和條件時,都必須與唯一的 Apple ID 或電子郵件地址建立關聯。When you assign VPP apps using the user licensing model to users or devices (with user affinity), each Intune user needs to be associated with a unique Apple ID or an email address when they accept the Apple terms and conditions on their device. 請確定當您為新 Intune 使用者設定裝置時,以該使用者的唯一 Apple ID 或電子郵件地址來進行設定。Ensure that when you set up a device for a new Intune user, you configure it with that user's unique Apple ID or email address. Apple ID 或電子郵件地址和 Intune 使用者形成唯一的組合,並可以用於多達五部裝置。The Apple ID or email address and Intune user form a unique pair and can be used on up to five devices.
  • VPP 權杖只支援一次用於一個 Intune 帳戶。A VPP token is only supported for use on one Intune account at a time. 請勿將相同的 VPP 權杖重複用於多個 Intune 租用戶。Do not reuse the same VPP token for multiple Intune tenants.
  • 當您使用使用者授權模型指派 VPP 應用程式給使用者或裝置 (具有使用者親和性) 時,每個 Intune 使用者在裝置上接受 Apple 條款和條件時,都必須與唯一的 Apple ID 或電子郵件地址建立關聯。When you assign VPP apps using the user licensing model to users or devices (with user affinity), each Intune user needs to be associated with a unique Apple ID or an email address when they accept the Apple terms and conditions on their device. 請確定當您為新 Intune 使用者設定裝置時,您用該使用者的唯一 Apple ID 或電子郵件地址來進行設定。Ensure that when you set up a device for a new Intune user, you configure it with that users unique Apple ID or email address. Apple ID 或電子郵件地址和 Intune 使用者形成唯一的組合,並可以用於多達五部裝置。The Apple ID or email address and Intune user form a unique pair and can used on up to five devices.

重要

在您將 VPP 權杖匯入到 Intune 之後,請不要將相同的權杖匯入到任何其他裝置管理解決方案。After you have imported the VPP token to Intune, do not import the same token to any other device management solution. 這樣做會導致授權指派與使用者記錄遺失。Doing so might result in the loss of license assignment and user records.

取得並上傳 Apple VPP 權杖To get and upload an Apple VPP token

  1. 登入 Azure 入口網站Sign into the Azure portal.
  2. 選擇 [All services] (所有服務) > [Intune]。Choose All services > Intune. Intune 位於 [Monitoring + Management] (監視 + 管理) 區段。Intune is located in the Monitoring + Management section.
  3. 在 [Intune] 窗格上,選擇 [設定] 下的 [行動應用程式] > [iOS VPP 權杖]。On the Intune pane, choose Mobile apps > iOS VPP tokens under Setup.
  4. 在 VPP 權杖清單窗格上,選取 [建立]。On the list of VPP tokens pane, select Create.
  5. 在 [建立 VPP 權杖] 窗格上,指定下列資訊:On the Create VPP token pane, specify the following information:
    • VPP 權杖檔案 - 若您尚未註冊,請註冊商務大量採購方案或教育方案。VPP token file - If you haven't already, sign up for the Volume Purchase Program for Business or the program for Education. 註冊之後,請下載您帳戶的 Apple VPP 權杖,然後在這裡選取它。After you sign up, download the Apple VPP token for your account and select it here.

    • Apple ID - 輸入與大量採購方案相關聯之帳戶的 Apple ID。Apple ID - Enter the Apple ID of the account associated with the volume-purchase program.

    • 國家/地區 - 選取 VPP 國家/地區市集。Country/Region - Select the VPP country store. Intune 會從指定的 VPP 國家/地區市集同步處理所有地區設定的 VPP 應用程式。Intune synchronizes VPP apps for all locales from the specified VPP country store.

      警告

      變更國家/地區,將會更新應用程式中繼資料,並且為使用此權杖建立的應用程式,更新下次與 Apple 服務同步時的存放區 URL 。Changing the country will update the apps metadata and store URL on next sync with the Apple service for apps created with this token. 如果應用程式不存在於新的國家/地區市集,即不會更新應用程式。The app will not be updated if it does not exist in the new country store.

    • VPP 帳戶類型 - 請選擇 [商務] 或 [教育]。Type of VPP account - Choose from Business or Education.

    • 自動更新應用程式 - 從 [開啟] 選擇為 [關閉],以啟用自動更新。Automatic app updates - Choose from On to Off to enable automatic updates. 啟用時,在裝置簽入時,Intune 會透過 Intune 服務更新針對所指定權杖購買的所有應用程式。When enabled, Intune updates all apps purchased for the specified token through the Intune service when the device checks-in. 會偵測應用程式市集內的 VPP 應用程式更新,並在裝置簽入時將更新自動推送至裝置。detect the VPP app updates inside the app store and automatically push them to the device when the device checks-in.

  6. 完成之後,請選取 [建立]。When you are done, select Create.

該權杖會顯示在權杖清單窗格內。The token is displayed in the list of tokens pane.

您可以隨時選擇 [立即同步處理],使用 Intune 同步處理 Apple 所儲存的資料。You can synchronize the data held by Apple with Intune at any time by choosing Sync now.

指派大量採購應用程式To assign a volume-purchased app

  1. 在 [Intune] 窗格上,選擇 [管理] 下的 [行動應用程式] > [應用程式]。On the Intune pane, choose Mobile apps > Apps under Manage.
  2. 在應用程式窗格清單上,選擇您要指派的應用程式,然後選擇 [指派]。On the list of apps pane, choose the app you want to assign, and then choose Assignments.
  3. 在 [應用程式名稱] - [指派] 窗格上,選擇 [新增群組],然後在 [新增群組] 窗格中選擇 [指派類型],選擇要指派該應用程式的 Azure AD 使用者或裝置群組。On the App name - Assignments pane, choose Add group then, on the Add group pane, choose an Assignment type and choose the Azure AD user or device groups to which you want to assign the app.
  4. 針對您選取的每個群組,選擇下列設定:For each group you selected, choose the following settings:
    • 類型 - 選擇應用程式會是 [可用] (終端使用者可以從公司入口網站安裝應用程式) 或 [必要] (終端使用者的裝置會自動安裝應用程式)。Type - Choose whether the app will be Available (end users can install the app from the Company Portal), or Required (end user devices will automatically get the app installed).
    • 授權類型 - 選擇 [使用者授權] 或 [裝置授權]。License type - Choose from User licensing, or Device licensing.
  5. 完成之後,請選擇 [儲存]。Once you are done, choose Save.

注意

顯示的應用程式清單與權杖建立關聯。The list of apps displayed is associated with a token. 如果您的應用程式與多個 VPP 權杖建立關聯,您會看到相同的應用程式顯示多次;針對每個權杖各一次。If you have an app that is associated with multiple VPP tokens, you see the same app being displayed multiple times; once for each token.

VPP 的終端使用者提示End-User Prompts for VPP

終端使用者將會在許多案例中收到 VPP 應用程式安裝的提示。The end-user will receive prompts for VPP app installation in a number of scenarios. 下表說明每個狀況:The following table explains each condition:

# 案例Scenario 邀請加入 Apple VPP 方案Invite to Apple VPP program 應用程式安裝提示App install prompt 提示輸入 Apple IDPrompt for Apple ID
11 BYOD – 授權的使用者BYOD – user licensed YY YY YY
22 公司 – 授權的使用者 (不受監督的裝置)Corp – user licensed (not supervised device) YY YY YY
33 公司 – 授權的使用者 (受監督的裝置)Corp – user licensed (supervised device) YY NN YY
44 BYOD – 授權的裝置BYOD – device licensed NN YY NN
55 公司 – 授權的裝置 (不受監督的裝置)CORP – device licensed (not supervised device) NN YY NN
66 公司 – 授權的裝置 (受監督的裝置)CORP – device licensed (supervised device) NN NN NN
77 Kiosk 模式 (受監督的裝置) – 授權的裝置Kiosk mode (supervised device) – device licensed NN NN NN
88 Kiosk 模式 (受監督的裝置) – 授權的使用者Kiosk mode (supervised device) – user licensed --- --- ---

注意

不建議將 VPP 應用程式指派給使用 VPP 使用者授權的 Kiosk 模式裝置。It is not recommended to assign VPP apps to Kiosk-mode devices using the VPP user licensing.

撤銷應用程式授權和刪除權杖Revoking app licenses and deleting tokens

您可以根據指定的裝置、使用者或應用程式,撤銷所有相關聯的 iOS 大量採購方案 (VPP) 應用程式授權。You can revoke all associated iOS volume-purchase program (VPP) app licenses based on a given device, user, or app. 當應用程式不再指派給使用者時,您可以通知他們。You can notify users when an app is no longer assigned to them. 撤銷應用程式授權將不會從該裝置解除安裝相關聯的 VPP 應用程式。Revoking an app license will not uninstall the related VPP app from the device. 若要解除安裝 VPP 應用程式,並回收指派給使用者或裝置的應用程式授權,您必須將指派動作變更為 [解除安裝]。To uninstall a VPP app and reclaim an app license assigned to a user or device, you must change the assignment action to Uninstall. 當您移除已指派給使用者的應用程式,Intune 會回收使用者或裝置授權,並從裝置解除安裝應用程式。When you remove an app that was assigned to a user, Intune reclaims the user or device license and uninstalls the app from the device. 回收的授權計數將會反映在 Intune 之 [應用程式] 工作負載中的 [授權的應用程式] 節點。The reclaimed license count will be reflected in Licensed Apps node in the App workload of Intune. 一旦解除安裝 VPP 應用程式並回收應用程式授權,您可以選擇將應用程式授權指派給其他使用者或裝置。Once an VPP app has been uninstall and the app license has been reclaimed, you can choose to assign the app license to another user or device.

注意

當員工離職且不再屬於 AAD 群組時,Intune 會擷取所有使用者授權的 iOS VPP 應用程式授權。Intune will retrieve all user licensed iOS VPP apps licenses when an employee leaves the company and is no longer part of the AAD groups.

您可以使用主控台來刪除 iOS 大量採購方案 (VPP) 權杖。You can delete an iOS Volume Purchasing Program (VPP) token using the console. 當您擁有重複的 VPP 權杖執行個體時,這可能是必要的。This may be necessary when you have duplicate instances of a VPP token. 刪除權杖也會刪除任何相關聯的應用程式和指派。Deleting a token will also delete any associated apps and assignment. 不過,刪除權杖不會撤銷應用程式授權或解除安裝應用程式。However, deleting a token does not revoke app licenses or uninstall apps.

注意

刪除權杖之後,Intune 無法撤銷應用程式授權。Intune cannot revoke app licenses after a token has been deleted.

若要撤銷指定 VPP 權杖的所有 VPP 應用程式的授權,您必須先撤銷與權杖建立關聯的所有應用程式授權,然後刪除權杖。To revoke the license of all VPP apps for a given VPP token, you must first revoke all app licenses associated with the token, then delete the token.

進一步資訊Further information

當具有合格裝置的使用者第一次嘗試將 VPP 應用程式安裝至裝置時,系統會要求他們加入 Apple 大量採購方案。When a user with an eligible device first tries to install a VPP app to a device, they are asked to join the Apple Volume Purchase program. 他們必須加入,應用程式安裝才會繼續執行。They must join before the app installation proceeds. 對於加入 Apple 大量採購方案的邀請,需要使用者能夠在 iOS 裝置上使用 iTunes 應用程式。The invitation to join the Apple Volume Purchase program requires that the user can use the iTunes app on the iOS device. 如果您已經設定停用 iTunes Store 應用程式的原則,則 VPP 應用程式以使用者為基礎的授權將無法運作。If you have set a policy to disable the iTunes Store app, user-based licensing for VPP apps does not work. 解決方法是移除原則以允許 iTunes 應用程式,或是使用以裝置為基礎的授權。The solution is to either allow the iTunes app by removing the policy, or use device-based licensing.

常見問題集Frequently asked questions

在裝置上安裝或移除應用程式之後,入口網站需要多久的時間才能更新授權計數?How long does the portal take to update the license count once an app is installed or removed from the device?

在安裝或解除安裝應用程式之後的幾小時內,應該就會更新授權。The license should be updated within a few hours after installing or uninstalling an app. 請注意,如果使用者從裝置移除應用程式,該授權仍然會指派給該使用者或裝置。Note that if the end user removes the app from the device, the license is still assigned to that user or device.

是否可以過度訂閱某個應用程式,如果可以,是在怎樣的情況下?Is it possible to oversubscribe an app and, if so, in what circumstance?

是。Yes. Intune 系統管理員可以過度訂閱應用程式。The Intune admin can oversubscribe an app. 例如,如果系統管理員購買 100 份 XYZ 應用程式的授權,然後將該應用程式的對象設為一個有 500 個成員的群組。For example, if the admin purchases 100 licenses for app XYZ, and then targets the app to a group with 500 members in it. 前 100 個成員 (使用者或裝置) 將會獲得授權指派,其餘成員的授權指派則會失敗。The first 100 members (users or devices) will get the license assigned to them, the rest of the members will fail on license assignment.

就我所知,Intune 每天都會與 Apple 自動同步應用程式授權,對嗎?I understand Intune automatically syncs app licenses each day with Apple, is that correct?

Intune 會每天兩次與 Apple 同步應用程式授權。Intune syncs app licenses twice a day with Apple.

接下來的步驟Next steps

請參閱如何監視應用程式,以取得協助您監視應用程式指派的資訊。See How to monitor apps for information to help you monitor app assignments.