Use shell scripts on macOS devices in Intune

Use shell scripts to extend device management capabilities in Intune beyond what the macOS operating system supports.

Prerequisites

Ensure that the following prerequisites are met when composing shell scripts and assigning them to macOS devices.

  • Devices are running macOS 10.12 or later.
  • Devices are managed by Intune.
  • Shell scripts begin with #! and must be in a valid location, such as #!/bin/sh or #!/usr/bin/env zsh.
  • Command-line interpreters for the applicable shells are installed.

Important considerations before using shell scripts

  • Shell scripts require that the Microsoft Intune management agent is successfully installed on the macOS device. For more information, see Microsoft Intune management agent for macOS.
  • Shell scripts run in parallel on devices as separate processes.
  • Shell scripts that are run as the signed-in user run for all currently signed-in user accounts on the device at the time of the run.
  • An end user is required to sign in to the device to execute scripts that run as a signed-in user.
  • Root user privileges are required if the script needs to make changes that a standard user account cannot.
  • Shell scripts will attempt to run more often than the chosen script frequency under certain conditions, such as if the disk is full, if the storage location is tampered with, if the local cache is deleted, or if the Mac device restarts.

Create and assign a shell script policy

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > macOS > Scripts > Add.

  3. In Basics, enter the following properties, and select Next:

    • Name: Enter a name for the shell script.
    • Description: Enter a description for the shell script. This setting is optional, but recommended.
  4. In Script settings, enter the following properties, and select Next:

    • Upload script: Browse to the shell script. The script file must be less than 200 KB in size.
    • Run script as signed-in user: Select Yes to run the script with the user's credentials on the device. Choose No (default) to run the script as the root user.
    • Hide script notifications on devices: By default, script notifications are shown for each script that is run. End users see an "IT is configuring your computer" notification from Intune on macOS devices.
    • Script frequency: Select how often the script is to be run. Choose Not configured (default) to run a script only once.
    • Max number of times to retry if script fails: Select how many times the script should be run if it returns a non-zero exit code (zero meaning success). Choose Not configured (default) to not retry when a script fails.
  5. In Scope tags, optionally add scope tags for the script, and select Next. You can use scope tags to determine who can see scripts in Intune. For full details about scope tags, see Use role-based access control and scope tags for distributed IT.

  6. Select Assignments > Select groups to include. An existing list of Azure AD groups is shown. Select one or more user or device groups that are to receive the script. Choose Select. The groups you choose are shown in the list and will receive your script policy.

  7. In Review + add, a summary of the settings you configured is shown. Select Add to save the script. When you select Add, the script policy is deployed to the groups you chose.

The script you created now appears in the list of scripts.
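The prerequisites and the Upload script setting above give a checklist that is easy to get wrong before upload: a missing or unsupported #! line, Windows line endings that corrupt the #! line, a file at or over the 200 KB limit, or a syntax error that Intune reports only as a Failed run. The following pre-upload check is an added example and is not code from the page or from Intune; the 200 KB limit and the #! rule come from the page, while the set of accepted interpreter paths, the function names and the assumed file name check_intune_script.sh are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original page or from Intune: a pre-upload
# check that a script file meets the prerequisites and size limit described
# above. The 200 KB limit and the "#!" rule come from the page; the set of
# accepted interpreter paths and all function names are my own assumptions.

MAX_SCRIPT_BYTES=204800   # the page requires "less than 200 KB"

# Return 0 if the first line is a shebang for one of the accepted interpreters.
has_valid_shebang() {
    first="$(head -n 1 "$1")"
    case "$first" in
        '#!/bin/sh'|'#!/bin/bash'|'#!/bin/zsh') return 0 ;;
        '#!/bin/sh '*|'#!/bin/bash '*|'#!/bin/zsh '*) return 0 ;;
        '#!/usr/bin/env '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the interpreter name given by the shebang (e.g. "sh", "zsh"), or nothing.
shebang_interpreter() {
    first="$(head -n 1 "$1")"
    case "$first" in
        '#!/usr/bin/env '*) printf '%s\n' "${first#'#!/usr/bin/env '}" | cut -d' ' -f1 ;;
        '#!'*) basename "$(printf '%s\n' "${first#'#!'}" | cut -d' ' -f1)" ;;
    esac
}

# Return 0 if the file has no carriage returns; CRLF endings break the "#!" line.
has_unix_line_endings() {
    ! grep -q "$(printf '\r')" "$1"
}

# Return 0 if the file is smaller than the upload limit.
within_size_limit() {
    size="$(wc -c < "$1" | tr -d ' ')"
    [ "$size" -lt "$MAX_SCRIPT_BYTES" ]
}

# Return 0 if the shebang's interpreter (when installed here) accepts the syntax.
passes_syntax_check() {
    interp="$(shebang_interpreter "$1")"
    case "$interp" in
        sh|bash|zsh|ksh) ;;
        *) return 0 ;;                 # nothing portable to run for other interpreters
    esac
    command -v "$interp" >/dev/null 2>&1 || return 0   # not installed on this machine; skip
    "$interp" -n "$1" >/dev/null 2>&1
}

# Run every check, report each problem on stderr, return non-zero if any failed.
validate_script() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    has_valid_shebang "$f"     || { echo "$f: first line is not an accepted #! line" >&2; rc=1; }
    has_unix_line_endings "$f" || { echo "$f: contains CRLF line endings" >&2; rc=1; }
    within_size_limit "$f"     || { echo "$f: not smaller than $MAX_SCRIPT_BYTES bytes" >&2; rc=1; }
    passes_syntax_check "$f"   || { echo "$f: syntax check failed" >&2; rc=1; }
    return $rc
}

# Usage: sh check_intune_script.sh path/to/script.sh   (file name is an assumption)
if [ $# -gt 0 ]; then
    validate_script "$1"
    exit $?
fi
```

Run it against each script before uploading; a non-zero exit with the reasons on stderr means the file would either be rejected by the upload or produce a Failed run status on every device it reaches.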

Monitor a shell script policy

You can monitor the run status of all assigned scripts for users and devices by choosing one of the following reports:

  • Scripts > select the script to monitor > Device status
  • Scripts > select the script to monitor > User status

Important

Irrespective of the selected Script frequency, the script run status is reported only the first time a script is run. Script run status is not updated on subsequent runs. However, updated scripts are treated as new scripts and will report the run status again.

Once a script runs, it returns one of the following statuses:

  • A script run status of Failed indicates that the script returned a non-zero exit code or the script is malformed.
  • A script run status of Success indicates that the script returned zero as the exit code.

Troubleshoot macOS shell script policies using log collection

You can collect device logs to help troubleshoot script issues on macOS devices.

Requirements for log collection

The following items are required to collect logs on a macOS device:

  • You must specify the full absolute log file path.
  • File paths must be separated using only a semicolon (;).
  • The maximum log collection size to upload is 60 MB (compressed) or 25 files, whichever limit is reached first.
  • File types that are allowed for log collection include the following extensions: .log, .zip, .gz, .tar, .txt, .xml, .crash, .rtf

Collect device logs

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. In the Device status or User status report, select a device.

  3. Select Collect logs, and provide the folder paths of the log files separated only by a semicolon (;), without spaces or newlines between paths.
    For example, multiple paths should be written as /Path/to/logfile1.zip;/Path/to/logfile2.log.

    Important

    Multiple log file paths separated using a comma, period, newline, or quotation marks, with or without spaces, will result in a log collection error. Spaces are also not allowed as separators between paths.

  4. Select OK. Logs are collected the next time the Intune management agent on the device checks in with Intune. This check-in usually occurs every 8 hours.

    Note

    • Collected logs are encrypted on the device, transmitted, and stored in Microsoft Azure storage for 30 days. Stored logs are decrypted on demand and downloaded using the Microsoft Endpoint Manager admin center.
    • In addition to the admin-specified logs, the Intune management agent logs are also collected from these folders: /Library/Logs/Microsoft/Intune and ~/Library/Logs/Microsoft/Intune. The agent log file names are IntuneMDMDaemon date--time.log and IntuneMDMAgent date--time.log.
    • If any admin-specified file is missing or has the wrong file extension, you will find these file names listed in LogCollectionInfo.txt.

Log collection errors

Log collection may not be successful for any of the reasons in the table below. To resolve these errors, follow the remediation steps.

Error code (hex) | Error code (dec) | Error message | Remediation steps
0X87D300D1 | 2016214834 | Log file size cannot exceed 60 MB. | Ensure that compressed logs are less than 60 MB in size.
0X87D300D1 | 2016214831 | The provided log file path must exist. The system user folder is an invalid location for log files. | Ensure that the provided file path is valid and accessible.
0X87D300D2 | 2016214830 | Log collection file upload failed due to expiration of upload URL. | Retry the Collect logs action.
0X87D300D3, 0X87D300D5, 0X87D300D7 | 2016214829, 2016214827, 2016214825 | Log collection file upload failed due to encryption failure. Retry log upload. | Retry the Collect logs action.
(not listed) | 2016214828 | The number of log files exceeded the allowed limit of 25 files. | Only up to 25 log files can be collected at a time.
0X87D300D6 | 2016214826 | Log collection file upload failed due to zip error. Retry log upload. | Retry the Collect logs action.
(not listed) | 2016214740 | The logs couldn't be encrypted as compressed logs were not found. | Retry the Collect logs action.
(not listed) | 2016214739 | The logs were collected but couldn't be stored. | Retry the Collect logs action.

Frequently asked questions

Why are assigned shell scripts not running on the device?

There could be several reasons:

  • The agent might need to check in to receive new or updated scripts. This check-in process occurs every 8 hours and is different from the MDM check-in. Make sure that the device is awake and connected to a network so that the agent check-in can succeed, and wait for the agent to check in. You can also ask the end user to open Company Portal on the Mac, select the device, and click Check settings.
  • The agent may not be installed. Check that the agent is installed at /Library/Intune/Microsoft Intune Agent.app on the macOS device.
  • The agent may not be in a healthy state. The agent will attempt to recover for 24 hours, then remove itself and reinstall if shell scripts are still assigned.
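The three causes above can be distinguished from the Mac itself using only facts the page states: the agent bundle path, the agent log folder and file-name pattern, the 8-hour check-in cadence, and the killall command that forces a check-in. The helper below is an added example and is not code from the page or from Intune; the INTUNE_ROOT and AGENT_LOG_DIR overrides, the function names and the return codes are my own assumptions so the checks can be pointed at a test directory, and a recent IntuneMDMAgent log is used only as evidence that the agent has been active within one check-in cycle, not as proof that a check-in succeeded.

```shell
#!/bin/sh
# Added example, not code from the original page or from Intune: a local
# triage helper for the "scripts are not running" causes listed above. The
# agent bundle path, the agent log folder, the "IntuneMDMAgent date--time.log"
# file-name pattern, the 8-hour cadence and the killall command come from the
# page; overrides, function names and return codes are my own assumptions.

INTUNE_ROOT="${INTUNE_ROOT:-/Library/Intune}"
AGENT_LOG_DIR="${AGENT_LOG_DIR:-/Library/Logs/Microsoft/Intune}"
CHECKIN_MINUTES=480   # one check-in cycle ("usually every 8 hours")

# Return 0 if the agent bundle is present at the location the page gives.
agent_installed() {
    [ -d "$INTUNE_ROOT/Microsoft Intune Agent.app" ]
}

# Return 0 if an IntuneMDMAgent log file was modified within the last cycle.
agent_active_recently() {
    [ -d "$AGENT_LOG_DIR" ] || return 1
    recent="$(find "$AGENT_LOG_DIR" -name 'IntuneMDMAgent*.log' \
                -mmin "-$CHECKIN_MINUTES" -print 2>/dev/null | head -n 1)"
    [ -n "$recent" ]
}

# Classify the device. Return codes: 0 = agent present and active within one
# cycle (look at assignment and run status instead); 1 = agent bundle missing;
# 2 = agent present but no log activity in the last cycle (it needs to check
# in, or it is unhealthy and will remove and reinstall itself after 24 hours).
triage_agent() {
    if ! agent_installed; then
        echo "agent bundle not found under $INTUNE_ROOT; assign a script and wait for the silent install" >&2
        return 1
    fi
    if ! agent_active_recently; then
        echo "agent installed but no IntuneMDMAgent log written in the last $CHECKIN_MINUTES minutes" >&2
        return 2
    fi
    echo "agent installed and active; check the script assignment and run status instead" >&2
    return 0
}

# Force a check-in the way the page describes: terminate the agent process,
# which restarts immediately. Requires root; refuses to run otherwise.
request_agent_checkin() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo) to restart the agent" >&2; return 1; }
    killall IntuneMdmAgent
}

# Usage: sh triage_intune_agent.sh   (file name is an assumption)
# then, if the result is 2: sudo sh -c '. ./triage_intune_agent.sh; request_agent_checkin'
```

A return code of 2 is the case the first bullet describes: confirm the Mac is awake and on a network, then either wait for the next cycle, have the user click Check settings in Company Portal, or run request_agent_checkin as root.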

How frequently is script run status reported?

Script run status is reported to the Microsoft Endpoint Manager admin console as soon as the script run is complete. If a script is scheduled to run periodically at a set frequency, it only reports status the first time it runs.

When are shell scripts run again?

A script is run again only when the Max number of times to retry if script fails setting is configured and the script fails on run. If Max number of times to retry if script fails is not configured and a script fails on run, it will not be run again, and the run status will be reported as Failed.

What Intune role permissions are required for shell scripts?

Your assigned Intune role requires Device configurations permissions to delete, assign, create, update, or read shell scripts.

Microsoft Intune management agent for macOS

Why is the agent required?

The Microsoft Intune management agent must be installed on managed macOS devices in order to enable advanced device management capabilities that are not supported by the native macOS operating system.

How is the agent installed?

The agent is automatically and silently installed on Intune-managed macOS devices to which you assign at least one shell script in the Microsoft Endpoint Manager admin center. The agent is installed at /Library/Intune/Microsoft Intune Agent.app when applicable and doesn't appear in Finder > Applications on macOS devices. The agent appears as IntuneMdmAgent in Activity Monitor when running on macOS devices.

What does the agent do?

  • The agent silently authenticates with Intune services before checking in to receive assigned shell scripts for the macOS device.
  • The agent receives assigned shell scripts and runs them based on the configured schedule, retry attempts, notification settings, and other settings set by the admin.
  • The agent checks for new or updated scripts with Intune services usually every 8 hours. This check-in process is independent of the MDM check-in.

How can I manually initiate an agent check-in from a Mac?

On a managed Mac that has the agent installed, open Company Portal, select the local device, and click Check settings. This initiates an MDM check-in as well as an agent check-in.

Alternatively, open Terminal and run the sudo killall IntuneMdmAgent command to terminate the IntuneMdmAgent process. The IntuneMdmAgent process will restart immediately, which will initiate a check-in with Intune.

Note

The Sync action for devices in the Microsoft Endpoint Manager admin console initiates an MDM check-in and does not force an agent check-in.

When is the agent removed?

There are several conditions that can cause the agent to be removed from the device, such as:

  • Shell scripts are no longer assigned to the device.
  • The macOS device is no longer managed.
  • The agent is in an irrecoverable state for more than 24 hours (device-awake time).

Why are scripts running even though the Mac is no longer managed?

When a Mac with assigned scripts is no longer managed, the agent is not removed immediately. The agent detects that the Mac is not managed at the next agent check-in (usually every 8 hours) and cancels scheduled script runs. So, any locally stored scripts scheduled to run more frequently than the next scheduled agent check-in will run. When the agent is unable to check in, it retries checking in for up to 24 hours (device-awake time) and then removes itself from the Mac.

How do I turn off usage data sent to Microsoft for shell scripts?

To turn off usage data sent to Microsoft from the Intune management agent, open Company Portal and select Menu > Preferences > uncheck "Allow Microsoft to collect usage data". This turns off usage data sent for both the agent and Company Portal.

Known issues

  • No script run status: In the unlikely event that a script is received on the device and the device goes offline before the run status is reported, the device will not report run status for the script in the admin console.

Next steps