How to bulk-enroll devices with on-premises MDM in Configuration Manager

Applies to: Configuration Manager (current branch)

Bulk enrollment in Configuration Manager on-premises mobile device management (MDM) is an automated method to enroll devices. The other method is user enrollment, which requires users to enter their credentials to enroll the device. Bulk enrollment uses an enrollment package to authenticate the device during enrollment. The package is a .ppkg file, which can also contain certificate and Wi-Fi profiles to support enrollment.

Create a certificate profile

Include a certificate profile to automatically install a trusted root certificate on the device. This root certificate is required for trusted communication between the devices and the site system roles needed for on-premises MDM.

When you prepare the site for on-premises MDM, you export the trusted root certificate. Use this certificate in the enrollment package's certificate profile. For more information on how to get the trusted root certificate, see Export the trusted root certificate.

Use the exported certificate to create a certificate profile. For more information, see How to create certificate profiles.

Create a Wi-Fi profile

Another component of the bulk enrollment package is a Wi-Fi profile. This profile can make sure that the device has the network connectivity to support enrollment.

For more information on how to create a Wi-Fi profile in Configuration Manager, see How to create Wi-Fi profiles.

Wi-Fi profile limitations

When you create a Wi-Fi profile for on-premises MDM bulk enrollment, review the following limitations.

Wi-Fi security configurations for on-premises MDM

The current branch of Configuration Manager only supports the following Wi-Fi security configurations for on-premises MDM:

  • Security types: WPA2 Enterprise or WPA2 Personal

  • Encryption types: AES or TKIP

  • EAP types: Smart Card or other certificate or PEAP
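
The following Python check is an added example, not part of the original documentation and not Microsoft's code. It tests a Wi-Fi profile against the supported list above before the profile goes into an enrollment package. It assumes the settings are available as a Windows WLAN profile XML, that WPA2/WPA2PSK map to WPA2 Enterprise/Personal, and that EAP types 13 and 25 correspond to "Smart Card or other certificate" and PEAP; the function names and the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Supported settings from the list above, keyed by the values a Windows WLAN
# profile XML uses for them (this mapping is an assumption of the example).
SUPPORTED_AUTH = {"WPA2": "WPA2 Enterprise", "WPA2PSK": "WPA2 Personal"}
SUPPORTED_ENC = {"AES", "TKIP"}
SUPPORTED_EAP = {"13": "Smart Card or other certificate", "25": "PEAP"}

def _first(node, local_name):
    """First descendant with this local tag name, ignoring XML namespaces."""
    for el in node.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None

def _text(el):
    return (el.text or "").strip() if el is not None else None

def check_wifi_profile(xml_text):
    """Return a list of problems; an empty list means every setting is supported."""
    root = ET.fromstring(xml_text)  # input is an admin-authored profile, not untrusted XML
    auth = _text(_first(root, "authentication"))
    enc = _text(_first(root, "encryption"))
    problems = []
    if auth not in SUPPORTED_AUTH:
        problems.append(f"security type {auth!r}: need WPA2 Enterprise or WPA2 Personal")
    if enc not in SUPPORTED_ENC:
        problems.append(f"encryption type {enc!r}: need AES or TKIP")
    if auth == "WPA2":  # only 802.1X (Enterprise) profiles carry an EAP method
        method = _first(root, "EapMethod")
        eap = _text(_first(method, "Type")) if method is not None else None
        if eap not in SUPPORTED_EAP:
            problems.append(f"EAP type {eap!r}: need 13 (certificate) or 25 (PEAP)")
    return problems

def sample_profile(auth, enc, eap_type=None):
    """Constructed minimal profile for the demo; nested namespaces are omitted."""
    onex = ""
    if eap_type is not None:
        onex = (f"<OneX><EAPConfig><EapHostConfig><EapMethod><Type>{eap_type}</Type>"
                "</EapMethod></EapHostConfig></EAPConfig></OneX>")
    return ('<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
            "<name>Constructed-Corp</name><MSM><security><authEncryption>"
            f"<authentication>{auth}</authentication><encryption>{enc}</encryption>"
            f"</authEncryption>{onex}</security></MSM></WLANProfile>")

if __name__ == "__main__":
    for args in [("WPA2", "AES", 25), ("WPAPSK", "TKIP"), ("WPA2", "AES", 21)]:
        print(args, "->", check_wifi_profile(sample_profile(*args)) or "supported")
```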

Proxy server

Although Configuration Manager has a setting for proxy server information in the Wi-Fi profile, it doesn't configure the proxy when the device enrolls. If you need to set up a proxy server on bulk-enrolled devices:

  • Deploy the settings using configuration items once devices enroll.

  • Create a second package using the Windows Image and Configuration Designer (ICD), then deploy it along with the bulk enrollment package.

Create an enrollment profile

The enrollment profile allows you to specify settings required for device enrollment. These settings include a certificate profile and a Wi-Fi profile.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand All Corporate-owned Devices, expand Windows, and select the Enrollment Profiles node.

  2. In the ribbon, select Create Enrollment Profile.

  3. On the General page of the Create Enrollment Profile wizard, specify the following information:

    • Name: A unique name to identify the profile

    • Description: An optional field to further describe the profile

    • Management Authority: Only select On-Premises

  4. On the Site assignment page, select the Management site code with a device management point.

  5. On the Select Enrollment Proxy Point page, select Intranet Only, and then select one or more enrollment proxy points. Devices use these servers to start the enrollment process.

  6. On the Select Trusted Root Certificate page, select the certificate profile that contains the trusted root certificate.

  7. On the Wi-Fi profiles page, select the Wi-Fi profile that contains the necessary network settings for devices to connect.

    Tip

    If you aren't using a Wi-Fi profile for your enrollment package, skip this step.

  8. Complete the wizard.

Create an enrollment package

The enrollment package (ppkg) is the file that you use to bulk-enroll devices for on-premises MDM. Create this file with Configuration Manager. While you can create similar types of packages with Windows ICD, only packages that you create in Configuration Manager can be used to enroll devices for on-premises MDM. A package that you create with Windows ICD can only provide the user principal name (UPN) needed for enrollment; it can't start the actual enrollment process.

The process to create the enrollment package requires the Windows Assessment and Deployment Toolkit (ADK) for Windows 10. On the computer running the Configuration Manager console, install the latest version of the Windows ADK. Select the Imaging and Configuration Designer (ICD) feature and any dependencies. (This version doesn't need to match the version used for OS deployment by the Configuration Manager site.) For more information, see Download the Windows ADK for Windows 10.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, expand All Corporate-owned Devices, expand Windows, and select the Enrollment Profiles node.

  2. Select an existing enrollment profile. In the ribbon, select Export.

  3. In the Export Enrollment Package window, specify the following information:

    • Validity Period (days): By default, Configuration Manager sets the enrollment package to expire in two weeks (14 days). You can't use the package for device enrollment after the validity period expires. Enter an integer between 1 and 30.

    • Package File: Specify a local or network file path and name for the .ppkg file.

    • Encrypt Package: Enable this option to password-protect the package. After you export the package, Configuration Manager displays the generated password. Copy and save the password in a secure location. You can't use the exported enrollment package without the password.

      Important

      Configuration Manager doesn't save the password, and you can't customize or change it. Once you close the window that displays the password, there's no way to retrieve the password.

  4. Select Export. Configuration Manager uses the Windows ADK to create the enrollment package.

Configuration Manager keeps track of valid enrollment packages. In the console, expand the Enrollment Profile node and select Exported Packages.

Tip

If you remove an enrollment package from the Configuration Manager console, you can't use it to enroll devices. Use this method to manage enrollment packages that you don't want others to use for bulk enrollment.

Bulk-enroll a device

You can use a package to enroll devices before or after the device's out-of-box experience (OOBE) process. The enrollment package can also be included as part of an original equipment manufacturer (OEM) provisioning package.

To use the package for bulk enrollment, you need to physically deliver it to the device. There are various methods depending on your needs, for example:

  • Copy from the file system

  • Attach to an email

  • Copy across a near field communication (NFC) connection

  • Copy from a memory card

  • Scan a barcode

  • Copy from a tethered device

  • Include in an OEM provisioning package

Enroll a device with bulk enrollment package

  1. On a device, open the .ppkg file. Run as administrator if necessary.

  2. When Windows asks if the package is from a trusted source, select Yes.

The enrollment process starts.

Verify enrollment

Verify bulk enrollment on the device

  1. On the device, open Settings.

  2. Select Accounts, and select Access work or school. When enrollment is successful, you see an account under CompanyApps.

  3. Select the account, and then select Sync. This action starts management with Configuration Manager.

Verify enrollment in the console

Use the Configuration Manager console to verify that devices are enrolled successfully. In the Configuration Manager console, go to the Assets and Compliance workspace, and select Devices. Browse or search for the enrolled device in the list of devices.