Set up Basic Mobility and Security

The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage users' mobile devices such as iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.

Have questions? For a FAQ that addresses common questions, see Basic Mobility and Security frequently asked questions (FAQ). Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security. For more info, see Partners: Offer delegated administration.

Device management is part of the Security & Compliance Center, so you'll need to go there to kick off Basic Mobility and Security setup.

Activate the Basic Mobility and Security service

  1. Sign in to Microsoft 365 with your global admin account.

  2. Go to Activate Basic Mobility and Security.

    It can take some time to activate Basic Mobility and Security. When it finishes, you'll receive an email that explains the next steps to take.

Set up Mobile Device Management

服务准备就绪后,请完成以下步骤以完成设置。When the service is ready, complete the following steps to finish setup.

Step 1: (Required) Configure domains for Basic Mobility and Security

If you don't have a custom domain associated with Microsoft 365, or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've already added the records as part of setting up your domain with Microsoft 365, you're all set. After you add the records, Microsoft 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in Basic Mobility and Security.

Need help setting up the records? Find your domain registrar in the list provided in Add DNS records to connect your domain and select the registrar name to go to step-by-step help for creating DNS records. Use those instructions to create the CNAME records described in Simplify Windows enrollment without Azure AD Premium.

After you add the two CNAME records, go back to the Security & Compliance Center and go to Data loss prevention > Device management to complete the next step.
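The two CNAME records this step refers to are the ones documented in Simplify Windows enrollment without Azure AD Premium: EnterpriseEnrollment.<your domain> pointing to EnterpriseEnrollment-s.manage.microsoft.com, and EnterpriseRegistration.<your domain> pointing to EnterpriseRegistration.windows.net. The following PowerShell script is an added example, not part of the original article, that checks both records resolve to those targets before you move on to the next step. contoso.com is a placeholder for your custom domain, and Resolve-DnsName requires the Windows DnsClient module.

```powershell
# Added example (not from the original article): verify the two CNAME records
# that Windows device enrollment into Basic Mobility and Security depends on.
$Domain = 'contoso.com'   # placeholder: replace with your custom domain

# Expected record name -> expected CNAME target (targets from the Microsoft
# article "Simplify Windows enrollment without Azure AD Premium").
$Expected = @{
    "enterpriseenrollment.$Domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

$allGood = $true
foreach ($entry in $Expected.GetEnumerator()) {
    $name   = $entry.Key
    $target = $entry.Value
    try {
        # -DnsOnly bypasses the local cache and hosts file so a stale answer
        # does not hide a record that is still missing at the DNS host.
        $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } |
                 Select-Object -First 1 -ExpandProperty NameHost
    } catch {
        $cname = $null
    }

    if (-not $cname) {
        Write-Warning "$name : no CNAME record found (missing, or not propagated yet)"
        $allGood = $false
    } elseif ($cname.TrimEnd('.') -ieq $target) {
        Write-Host "$name -> $cname : OK"
    } else {
        Write-Warning "$name -> $cname : unexpected target (expected $target)"
        $allGood = $false
    }
}

if ($allGood) {
    Write-Host 'Both enrollment CNAME records are in place.'
} else {
    Write-Host 'Fix the records at your DNS host, then re-run this check.'
}
```

Run this from a machine whose resolver sees public DNS, or add -Server with a specific resolver to Resolve-DnsName. A record you added minutes ago may not be visible yet; a warning here right after adding the records usually means propagation is still in progress rather than that the record is wrong.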

Step 2: (Required) Configure an APNs certificate for iOS devices

To manage iOS devices like iPads and iPhones, you need to create an APNs certificate.

  1. Sign in to Microsoft 365 with your global admin account.

  2. In your browser, go to https://protection.office.com.

  3. Select Data loss prevention > Device management, and choose APNs Certificate for iOS devices.

  4. On the Apple Push Notification Certificate Settings page, choose Next.

  5. Select Download your CSR file and save the certificate signing request somewhere on your computer that you'll remember. Select Next.

  6. On the Create an APNs certificate page:

    • Select Apple APNS Portal to open the Apple Push Certificates Portal.

    • Sign in with an Apple ID.

      Important

      Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.

    • Select Create a Certificate and accept the Terms of Use.

    • Browse to the certificate signing request you downloaded to your computer from Microsoft 365 and select Upload.

    • Download the APNs certificate created by the Apple Push Certificates Portal to your computer.

      Tip

      If you're having trouble downloading the certificate, refresh your browser.

  7. Go back to Microsoft 365 and select Next.

  8. Browse to the APNs certificate you downloaded from the Apple Push Certificates Portal.

  9. Select Finish.
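The certificate you downloaded from the Apple Push Certificates Portal has a fixed validity period, and the Important note above exists because you'll have to renew it with the same Apple ID. The following PowerShell script is an added example, not part of the original article, that inspects the downloaded certificate file before you upload it in step 8 and can be re-run later to see how long remains before renewal. The file path and the 30-day warning threshold are placeholders.

```powershell
# Added example (not from the original article): inspect the APNs certificate
# downloaded from the Apple Push Certificates Portal and report time to expiry.
$CertPath = 'C:\MDM\apns_certificate.pem'   # placeholder: where you saved the download
$WarnDays = 30                               # placeholder: warn this many days before expiry

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# X509Certificate2 loads both DER-encoded and base64 (PEM) certificate files,
# which covers the .pem file the Apple portal hands out.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

# Summary of the fields worth recording alongside the Apple ID that created it.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
} | Format-List

if ($daysLeft -le 0) {
    Write-Error "APNs certificate expired on $($cert.NotAfter). Renew it in the Apple Push Certificates Portal using the same Apple ID that created it."
} elseif ($daysLeft -le $WarnDays) {
    Write-Warning "APNs certificate expires in $daysLeft days (on $($cert.NotAfter)). Schedule the renewal now."
} else {
    Write-Host "APNs certificate is valid for another $daysLeft days (until $($cert.NotAfter))."
}
```

Record the Subject, Thumbprint and NotAfter values together with the company Apple ID used in step 6; when renewal time comes, the thumbprint lets you confirm that the certificate in Microsoft 365 is the one you are about to renew rather than a second certificate created by mistake.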

Step 3: Set up multi-factor authentication

MFA helps secure the sign-in to Microsoft 365 for mobile device enrollment by requiring a second form of authentication. After correctly entering their work account password, users must acknowledge a phone call, text message, or app notification on their mobile device. They can enroll their device only after this second form of authentication is completed. After user devices are enrolled in Basic Mobility and Security, users can access Microsoft 365 resources with only their work account.

To learn how to turn on MFA in the Azure AD portal, see Set up multi-factor authentication.

After you set up MFA, go back to the Security & Compliance Center and navigate to Data loss prevention > Device management > Device policies to complete the next step.

Step 4: Create and deploy device security policies

The next step is to create and deploy device security policies to help protect your Microsoft 365 organization data. For example, you can help prevent data loss if a user loses their device by creating a policy that locks devices after five minutes of inactivity and wipes devices after three sign-in failures.

  1. Sign in to Microsoft 365 with your global admin account.

  2. Select Activate Mobile Device Management. If the service is already activated, you'll see a Manage Devices link instead of the activation steps.

  3. Go to Device policies.

    (Screenshot: Basic Mobility and Security policy settings)

  4. Create and deploy device security policies appropriate for your organization by following the steps in Create device security policies in Basic Mobility and Security.

Tip

  • When you create a new policy, you might want to set the policy to allow access and report policy violations where a user device isn't compliant with the policy. This lets you see how many mobile devices the policy affects without blocking access to Microsoft 365.

  • Before you deploy a new policy to everyone in your organization, we recommend you test it on the devices used by a small number of users.

  • Also, before you deploy policies, let your organization know the potential impacts of enrolling a device in Basic Mobility and Security. Depending on how you set up the policies, devices that don't comply with them (non-compliant devices) could be blocked from accessing Microsoft 365. Non-compliant devices might also have apps installed, photos, and other personal information which, on an enrolled device, could be deleted if the device is wiped. For more info, see Wipe a mobile device in Basic Mobility and Security.

Make sure users enroll their devices

After you've created and deployed a mobile device management policy, each licensed Microsoft 365 user in your organization to whom the device policy applies receives an enrollment message the next time they sign in to Microsoft 365 from their mobile device. They must complete the enrollment and activation steps before they can access Microsoft 365 email and documents. For more info, see Enroll your mobile device using Basic Mobility and Security.

Important

If a user's preferred language isn't supported by the enrollment process, the user might receive the enrollment notification and steps on their mobile device in another language. Not all languages supported in Microsoft 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

Capabilities of Basic Mobility and Security
Create device security policies in Basic Mobility and Security