在 Intune 中新增 iOS、iPadOS 或 macOS 裝置功能設定Add iOS, iPadOS, or macOS device feature settings in Intune

Intune 包含許多可協助系統管理員控制 iOS、iPadOS 和 macOS 裝置的功能和設定。Intune includes many features and settings that help administrators control iOS, iPadOS, and macOS devices. 例如,系統管理員可以:For example, administrators can:

  • 允許使用者存取您網路中的 AirPrint 印表機Allow users access to AirPrint printers in your network
  • 將應用程式與資料夾新增至主畫面,包括新增頁面Add apps and folders to the home screen, including adding new pages
  • 選擇是否要顯示應用程式通知及如何顯示Choose if and how app notifications are shown
  • 設定鎖定畫面以顯示一則訊息或資產標記,特別適用於共用裝置Configure the lock screen to show a message or the asset tag, especially for shared devices
  • 為使用者提供在應用程式之間共用認證的安全單一登入體驗Give users a secure single sign-on experience to share credentials between apps
  • 篩選使用成人內容語言的網站,並允許或封鎖特定網站Filter web sites that use adult language and allow or block specific web sites

Intune 會使用「組態設定檔」來依據貴組織的需求建立和自訂這些設定。Intune uses "configuration profiles" to create and customize these settings for your organization's needs. 在設定檔中新增這些功能之後,接著將該設定檔推送或部署至組織中的 iOS/iPadOS 和 macOS 裝置。After you add these features in a profile, you then push or deploy the profile to iOS/iPadOS and macOS devices in your organization.

本文描述您可以設定的各種功能,並示範如何建立裝置組態設定檔。This article describes the different features you can configure, and shows you how to create a device configuration profile. 您也可以查看適用於 iOS/iPadOSmacOS 裝置的所有可用設定。You can also see all the available settings for iOS/iPadOS and macOS devices.

AirPrintAirprint

AirPrint 是可讓裝置透過無線網路列印到檔案的 Apple 功能。Airprint is an Apple feature that allows devices to print to files over a wireless network. 在 Intune 中,您可以將 AirPrint 資訊新增至裝置。In Intune, you can add AirPrint information to devices.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的 AirPrintmacOS 上的 AirPrintFor a list of the settings you can configure in Intune, see AirPrint on iOS/iPadOS and AirPrint on macOS.

如需 AirPrint 的詳細資訊,請參閱 Apple 網站上的關於 AirPrintFor more information on AirPrint, see About AirPrint on Apple's web site.

適用於:Applies to:

  • iOS 7.0 和更新版本iOS 7.0 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer
  • macOS 10.10 和更新版本macOS 10.10 and newer

應用程式通知App notifications

選擇 iOS 和 iPadOS 裝置上應用程式接收通知的方式。Choose how apps on your iOS and iPadOS devices receive notifications. 例如傳送應用程式通知,以使其顯示於通知中心、顯示於鎖定畫面上或播放音效。For example, send app notifications so they show in the notification center, show on the lock screen, or play a sound.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的應用程式通知For a list of the settings you can configure in Intune, see App notifications on iOS/iPadOS.

如需此功能的詳細資訊,請參閱 Apple 網站上的通知 (英文)。For more information on this feature, see Notifications on Apple's web site.

適用於:Applies to:

  • iOS 9.3 與更新版本iOS 9.3 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer

相關網域Associated domains

相關網域可讓您在網域 (例如 contoso.com) 和您的應用程式之間建立關聯性。Associated domains allow you to create a relationship between your domains, such as contoso.com, and your apps. 此功能可讓您:This feature allows you to:

  • 在組織中的應用程式與網站之間共用資料和登入認證。Share data and sign in credentials between apps and websites in your organization.

  • 使用以您的網站為基礎的應用程式功能,例如,單一登入應用程式擴充功能、通用連結,以及自動填滿密碼。Use app features that are based on your website, such as single sign-on app extension, universal links, and password autofill.

    例如,建立相關網域以允許自動填滿密碼為與您應用程式相關聯的網站建議認證 (例如密碼)。For example, create an associated domain to allow password autofill to recommend credentials, such as a password, for websites associated with your app.

如需可在 Intune 中設定的設定清單,請參閱 macOS 上的相關網域For a list of the settings you can configure in Intune, see Associated domains on macOS.

如需此功能的詳細資訊,請參閱 Apple 網站上的設定應用程式的相關網域 (英文)。For more information on this feature, see Setting Up an App's Associated Domains on Apple's web site.

適用於:Applies to:

  • macOS 10.15 與更新版本macOS 10.15 and newer

主畫面配置Home screen layout

這些設定會在 iOS 和 iPadOS 裝置的 Dock 和主畫面上設定應用程式配置和資料夾。These settings configure the app layout and folders on the dock and home screens on iOS and iPadOS devices. 您可以:You can:

  • 使用 Dock 設定來將應用程式或資料夾新增至畫面。Use the Dock settings to add apps or folders to the screen. 例如,在裝置 Dock 上顯示 [Safari] 和 [郵件] 應用程式。For example, show Safari and the Mail app on the device dock.
  • 新增您想要顯示於主畫面上的頁面,以及要顯示於每個頁面上的應用程式。Add Pages you want shown on the home screen, and the apps you want shown on each page. 例如,新增 [Contoso] 頁面,然後在此頁面上新增 [設定] 應用程式。For example, add a Contoso page, and add the Settings app on this page.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的主畫面配置For a list of the settings you can configure in Intune, see Home screen layout on iOS/iPadOS.

適用於:Applies to:

  • iOS 9.3 與更新版本iOS 9.3 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer

鎖定畫面訊息Lock screen message

使用這些設定以在登入視窗和鎖定畫面上顯示自訂訊息或文字。Use these settings to show a custom message or text on the sign in window and lock screen. 例如,您可以輸入「若遺失,請送回...」訊息,並顯示資產標籤資訊。For example, you can enter an "If lost, return to ..." message, and show asset tag information.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的鎖定畫面訊息設定For a list of the settings you can configure in Intune, see Lock screen message settings on iOS/iPadOS.

如需鎖定畫面訊息的詳細資訊,請參閱 Apple 網站上的 LockScreenMessage (英文)。For more information on Lock Screen Message, see LockScreenMessage on Apple's web site.

適用於:Applies to:

  • iOS 9.3 與更新版本iOS 9.3 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer

登入項目Login items

使用此功能,來選擇使用者登入裝置時所開啟的應用程式、自訂應用程式、檔案和資料夾。Use this feature to choose the apps, custom apps, files, and folders that open when users sign in to the devices.

如需可在 Intune 中設定的設定清單,請參閱 macOS 上的登入項目For a list of the settings you can configure in Intune, see Login items on macOS.

適用於:Applies to:

  • macOS 10.13 與更新版本macOS 10.13 and newer

登入視窗Login window

控制登入畫面的外觀,以及使用者在登入之前可使用的功能。Control the appearance of the login screen and functions available to users before they sign in. 例如,新增具有自訂訊息的橫幅,選擇是否要顯示 [睡眠] 按鈕,以及其他功能。For example, add a banner with a custom message, choose if the sleep button is shown, and more.

如需可在 Intune 中設定的設定清單,請參閱 macOS 上的登入視窗For a list of the settings you can configure in Intune, see Login window on macOS.

適用於:Applies to:

  • macOS 10.7 和更新版本macOS 10.7 and newer

單一登入Single sign-on

大部分的企業營運 (LOB) 應用程式需要某種程度的使用者驗證才會支援安全性。Most Line of Business (LOB) apps require some level of user authentication to support security. 在許多情況下,驗證都會要求使用者重複輸入相同認證。In many cases, the authentication requires users to enter the same credentials repeatedly. 為了改善使用者體驗,開發人員可以建立使用單一登入 (SSO) 的應用程式。To improve the user experience, developers can create apps that use single sign-on (SSO). 使用單一登入可減少使用者必須輸入認證的次數。Using single sign-on reduces the number of times a user must enter credentials.

單一登入設定檔是以 Kerberos 為基礎。The single sign-on profile is based on Kerberos. Kerberos 是一種網路驗證通訊協定,其會使用祕密金鑰加密來驗證用戶端-伺服器應用程式。Kerberos is a network authentication protocol that uses secret key cryptography to authenticate client-server applications. Intune 設定會在存取伺服器或指定的應用程式時定義 Kerberos 帳戶資訊,並處理 Kerberos 針對網頁和原生應用程式的挑戰。The Intune settings define Kerberos account information when accessing servers or specific apps, and handle Kerberos challenges for web pages and native apps. Apple 建議您使用 Kerberos SSO 應用程式擴充功能 (在本文中) 設定,而不是 SSO 設定。Apple recommends you use the Kerberos SSO app extension (in this article) settings instead of the SSO settings.

若要使用單一登入,請確定您已具備:To use single sign-on, be sure you have:

  • 已將程式碼撰寫成會在裝置上的單一登入中尋找使用者認證存放區的應用程式。An app that's coded to look for the user credential store in single sign-on on the device.
  • 設定進行 iOS/iPadOS 裝置單一登入的 Intune。Intune configured for iOS/iPadOS device single sign-on.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的單一登入For a list of the settings you can configure in Intune, see Single sign-on on iOS/iPadOS.

適用於:Applies to:

  • iOS 7.0 和更新版本iOS 7.0 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer

單一登入應用程式擴充功能Single sign-on app extension

這些設定會設定應用程式擴充功能,以便為您的 iOS、iPadOS 和 macOS 裝置啟用單一登入 (SSO)。These settings configure an app extension that enables single sign-on (SSO) for your iOS, iPadOS, and macOS devices. 大部分的企業營運 (LOB) 應用程式和組織網站都需要某種程度的安全使用者驗證。Most Line of Business (LOB) apps and organization websites require some level of secure user authentication. 在許多情況下,驗證都會要求使用者重複輸入相同認證。In many cases, authentication requires users to enter the same credentials repeatedly. SSO 讓使用者在輸入其認證一次之後,就能存取應用程式和網站。SSO gives users access to apps and websites after entering their credentials once. SSO 也會為使用者提供更好的驗證體驗,並減少重複提示認證的次數。SSO also provides a better authentication experience for users, and reduces the number of repeated prompts for credentials.

在 Intune 中,使用這些設定來設定貴組織、您的識別提供者、Microsoft 或 Apple 所建立的 SSO 應用程式延伸模組。In Intune, use these settings to configure an SSO app extension created by your organization, your identity provider, Microsoft, or Apple. SSO 應用程式擴充功能會為您的使用者處理驗證。The SSO app extension handles authentication for your users. 這些設定會設定重新導向類型和認證類型的 SSO 應用程式延伸模組。These settings configure redirect-type and credential-type SSO app extensions.

  • 重新導向類型是專為 OpenID Connect、OAuth 與 SAML2 等新式驗證通訊協定設計的。The redirect type is designed for modern authentication protocols, such as OpenID Connect, OAuth, and SAML2. 您可以選擇 Microsoft Azure AD SSO 延伸模組 (Microsoft 企業單一登入外掛程式 (部分機器翻譯)) 和一般重新導向延伸模組。You can choose between the Microsoft Azure AD SSO extension (Microsoft Enterprise SSO plug-in) and a generic redirect extension.

    重要

    在 macOS 上,Microsoft Azure AD SSO 延伸模組仍正在開發 中。On macOS, the Microsoft Azure AD SSO extension is still being developed. 其會列在 Intune 使用者介面中,但不會如預期般運作。It's listed in the Intune user interface, but doesn't work as expected. 在 macOS 上,請勿將 Microsoft Azure AD 用於 SSO 應用程式延伸模組類型。On macOS, don't use Microsoft Azure AD for the SSO app extension type.

  • 認證類型是專為挑戰和回應驗證流程所設計。The credential type is designed for challenge-and-response authentication flows. 您可以在 Apple 所提供的 Kerberos 特定認證擴充功能和一般認證擴充功能之間進行選擇。You can choose between a Kerberos-specific credential extension provided by Apple, and a generic credential extension.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS SSO 應用程式延伸模組macOS SSO 應用程式延伸模組For a list of the settings you can configure in Intune, see iOS/iPadOS SSO app extension and macOS SSO app extension.

如需開發 SSO 應用程式延伸模組的詳細資訊,請觀賞 Apple 網站上的可擴充的企業 SSO (英文)。For more information on developing an SSO app extension, watch Extensible Enterprise SSO on Apple's web site. 若要閱讀 Apple 的功能描述,請瀏覽「單一登入延伸功能」承載資料設定To read Apple's description of the feature, visit Single Sign-On Extensions payload settings.

注意

單一登入應用程式擴充功能單一登入功能不同:The Single sign-on app extension feature is different than the Single sign-on feature:

  • 單一登入應用程式延伸模組設定適用於 iPadOS 13.0 (和更新版本)、iOS 13.0 (和更新版本) 及 macOS 10.15 (和更新版本)。The Single sign-on app extension settings apply to iPadOS 13.0 (and newer), iOS 13.0 (and newer), and macOS 10.15 (and newer). 單一登入設定適用於 iPadOS 13.0 (和更新版本) 及 iOS 7.0 和更新版本。Single sign-on settings apply to iPadOS 13.0 (and newer) and iOS 7.0 and newer.

  • 單一登入應用程式延伸模組設定會定義識別提供者或組織用於提供順暢企業登入體驗的延伸模組。The Single sign-on app extension settings define extensions for use by identity providers or organizations to deliver a seamless enterprise sign-on experience. 單一登入設定會定義當使用者存取伺服器或應用程式時的 Kerberos 帳戶資訊。The Single sign-on settings define Kerberos account information for when users access servers or apps.

  • 單一登入應用程式擴充功能會使用 Apple 作業系統進行驗證。The Single sign-on app extension uses the Apple operating system to authenticate. 因此,可能會提供比單一登入更好的終端使用者體驗。So, it might provide an end-user experience that's better than Single sign-on.

  • 從開發觀點來看,透過單一登入應用程式延伸模組,您可以使用任何類型的重新導向 SSO 或認證 SSO 驗證。From a development perspective, with Single sign-on app extension, you can use any type of redirect SSO or credential SSO authentication. 使用單一登入,您只能使用 Kerberos SSO 驗證。With Single sign-on, you can only use Kerberos SSO authentication.

  • Kerberos 單一登入應用程式延伸模組是由 Apple 所開發,並內建於 iOS/iPadOS 13.0+ 和 macOS 10.15+ 平台。The Kerberos Single sign-on app extension was developed by Apple and is built into the iOS/iPadOS 13.0+ and macOS 10.15+ platforms. 內建的 Kerberos 延伸模組可用來將使用者登入支援 Kerberos 驗證的原生應用程式和網站。The built-in Kerberos extension can be used to log users into native apps and websites that support Kerberos authentication. 單一登入不是 Apple 的 Kerberos 實作。Single sign-on is not an Apple implementation of Kerberos.

  • 內建的 Kerberos 單一登入應用程式延伸模組可處理網頁和應用程式的 Kerberos 挑戰,就像是單一登入一樣。The built-in Kerberos Single sign-on app extension handles Kerberos challenges for web pages and apps just like Single sign-on. 不過,內建的 Kerberos 延伸模組支援密碼變更,且在企業網路中的表現更佳。However, the built-in Kerberos extension supports password changes and behaves better in enterprise networks. 當您決定要使用單一登入應用程式延伸模組單一登入時,建議使用延伸模組,因為其效能和功能均已獲得改善。When deciding between the Kerberos Single sign-on app extension and Single sign-on, we recommend using the extension due to improved performance and capabilities.

適用於:Applies to:

  • iOS 13.0 與更新版本iOS 13.0 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer
  • macOS 10.15 與更新版本macOS 10.15 and newer

桌布Wallpaper

將自訂的 .png、.jpg 或 .jpeg 影像新增至受監督 iOS/iPadOS 裝置。Add a custom .png, .jpg, or .jpeg image to your supervised iOS/iPadOS devices. 例如,使用 Intune 來將公司標誌新增至裝置上的鎖定畫面。For example, use Intune to add a company logo to the lock screen on your devices.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的底色圖案For a list of the settings you can configure in Intune, see Wallpaper on iOS/iPadOS.

適用於:Applies to:

  • iOSiOS
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer

Web 內容篩選Web content filter

這些設定會使用 Apple 的內建自動篩選演算法來評估網頁,並封鎖成人內容和成人語言。These settings use Apple's built-in AutoFilter algorithm to evaluate web pages, and block adult content and adult language. 您也可以建立已允許的網頁連結及受限制之網頁連結的清單。You can also create a list of allowed web links and restricted web links. 例如,您可以允許僅開啟 contoso 網站。For example, you can allow only contoso web sites to open.

如需可在 Intune 中設定的設定清單,請參閱 iOS/iPadOS 上的內容篩選For a list of the settings you can configure in Intune, see Web content filter on iOS/iPadOS.

適用於:Applies to:

  • iOS 7.0 和更新版本iOS 7.0 and newer
  • iPadOS 13.0 和更新版本iPadOS 13.0 and newer

建立設定檔Create the profile

  1. 登入 Microsoft Endpoint Manager 系統管理中心Sign in to the Microsoft Endpoint Manager admin center.

  2. 選取 [裝置] > [組態設定檔] > [建立設定檔]。Select Devices > Configuration profiles > Create profile.

  3. 輸入下列內容:Enter the following properties:

    • 平台:選擇您的裝置平台。Platform: Choose the platform of your devices. 選項包括:Your options:

      • iOS/iPadOSiOS/iPadOS
      • macOSmacOS
    • 設定檔:選取 [裝置功能]。Profile: Select Device features.

  4. 選取 [建立] 。Select Create.

  5. 在 [基本資訊] 中,輸入下列內容:In Basics, enter the following properties:

    • 名稱:輸入政策的描述性名稱。Name: Enter a descriptive name for the policy. 為您的設定檔命名,以方便之後能夠輕鬆識別。Name your policies so you can easily identify them later. 例如,良好的原則名稱是 macOS:設定登入畫面For example, a good policy name is macOS: Configures login screen.
    • 描述:輸入政策的描述。Description: Enter a description for the policy. 這是選擇性設定,但建議執行。This setting is optional, but recommended.
  6. 選取 [下一步] 。Select Next.

  7. 在 [組態設定] 中,您可進行的設定會根據您選擇的平台而不同。In Configuration settings, depending on the platform you chose, the settings you can configure are different. 選擇您平台來進行詳細設定:Choose your platform for detailed settings:

  8. 選取 [下一步] 。Select Next.

  9. 在 [範圍標籤] (選擇性) 中,指派標籤來針對特定 IT 群組篩選設定檔,例如 US-NC IT TeamJohnGlenn_ITDepartmentIn Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. 如需範圍標籤的詳細資訊,請參閱針對分散式 IT 使用 RBAC 和範圍標籤For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    選取 [下一步] 。Select Next.

  10. 在 [指派] 中,選取將接收您設定檔的使用者或群組。In Assignments, select the users or groups that will receive your profile. 如需指派設定檔的詳細資訊,請參閱指派使用者和裝置設定檔For more information on assigning profiles, see Assign user and device profiles.

    選取 [下一步] 。Select Next.

  11. 在 [檢閱 + 建立] 中,檢閱您的設定。In Review + create, review your settings. 當您選取 [建立] 時,系統會儲存您的變更,然後指派設定檔。When you select Create, your changes are saved, and the profile is assigned. 原則也會顯示在設定檔清單中。The policy is also shown in the profiles list.

後續步驟Next steps

雖然設定檔已建立,但它可能還不會執行任何動作。The profile is created, but it may not be doing anything yet. 接下來,指派設定檔監視其狀態Next, assign the profile and monitor its status.

檢視適用於 iOS/iPadOSmacOS 裝置的所有裝置功能設定。View all the device feature settings for iOS/iPadOS and macOS devices.