Microsoft Intune is an MDM and MAM provider for your devices

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization. Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected, and can isolate organization data from personal data.

Intune is part of Microsoft's Enterprise Mobility + Security (EMS) suite. Intune integrates with Azure Active Directory (Azure AD) to control who has access and what they can access. It also integrates with Azure Information Protection for data protection. It can be used with the Microsoft 365 suite of products. For example, you can deploy Microsoft Teams, OneNote, and other Microsoft 365 apps to devices. This feature enables people in your organization to be productive on all of their devices, while keeping your organization's information protected with policies you create.

Image of Intune architecture

With Intune, you can:

  • Choose to be 100% cloud with Intune, or be co-managed with Configuration Manager and Intune.
  • Set rules and configure settings on personal and organization-owned devices to access data and networks.
  • Deploy and authenticate apps on devices, both on-premises and mobile.
  • Protect your company information by controlling the way users access and share information.
  • Be sure devices and apps are compliant with your security requirements.

Manage devices

In Intune, you manage devices using an approach that's right for you. For organization-owned devices, you may want full control of the devices, including settings, features, and security. In this approach, the devices and their users "enroll" in Intune. Once enrolled, they receive your rules and settings through policies configured in Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more.

For personal devices, or bring-your-own devices (BYOD), users may not want their organization administrators to have full control. In this approach, give users options. For example, users enroll their devices if they want full access to your organization resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.

When devices are enrolled and managed in Intune, administrators can:

  • See the devices enrolled, and get an inventory of devices accessing organization resources.
  • Configure devices so they meet your security and health standards. For example, you probably want to block jailbroken devices.
  • Push certificates to devices so users can easily access your Wi-Fi network, or use a VPN to connect to your network.
  • See reports on users and devices that are compliant and not compliant.
  • Remove organization data if a device is lost, stolen, or no longer used.

Online resources:

Try the interactive guide

The Manage devices with Microsoft Endpoint Manager interactive guide steps you through the Microsoft Endpoint Manager admin center to show you how to manage and protect mobile and desktop applications.

Manage apps

Mobile application management (MAM) in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and personal devices.

When apps are managed in Intune, administrators can:

  • Add and assign mobile apps to user groups and devices, including users in specific groups, devices in specific groups, and more.
  • Configure apps to start or run with specific settings enabled, and update existing apps already on the device.
  • See reports on which apps are used, and track their usage.
  • Do a selective wipe by removing only organization data from apps.

One way that Intune provides mobile app security is through app protection policies. App protection policies:

  • Use Azure AD identity to isolate organization data from personal data, so personal information is isolated from organizational IT awareness. Data accessed using organization credentials is given additional security protection.
  • Help secure access on personal devices by restricting actions users can take, such as copy-and-paste, save, and view.
  • Can be created and deployed on devices that are enrolled in Intune, enrolled in another MDM service, or not enrolled in any MDM service. On enrolled devices, app protection policies can add an extra layer of protection.

For example, a user signs in to a device with their organization credentials. Their organization identity allows access to data that's denied to their personal identity. As that organization data is used, app protection policies control how the data is saved and shared. When users sign in with their personal identity, those same protections aren't applied. In this way, IT has control of organization data, while end users maintain control and privacy over their personal data.

You can also use Intune with the other services in EMS. This combination provides your organization mobile app security beyond what's included with the operating system and any individual app. Apps managed with EMS have access to a broader set of mobile app and data protection features.

Image showing the levels of app management data security

Compliance and conditional access

Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require that mobile devices be compliant with organization standards defined in Intune before they access network resources, such as email or SharePoint. Likewise, you can lock down services so they're only available to a specific set of mobile apps. For example, you can lock down Exchange Online so it's only accessed by Outlook or Outlook Mobile.
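To make the decision flow concrete, the following is an added example that is not part of the original page and is not Intune's own evaluation engine or its Graph API. It models, in plain Python, the two gates the section describes: a device compliance policy (the passcode/PIN requirement and jailbreak blocking named earlier on the page, plus a minimum OS version as an assumed extra setting) and a conditional access rule that only lets approved client apps reach a service (Exchange Online restricted to Outlook and Outlook Mobile). All class and function names, the policy field names, and the sample device inventory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Hypothetical model of an Intune device compliance policy ----------------
@dataclass(frozen=True)
class CompliancePolicy:
    require_passcode: bool = True         # page: "password and PIN requirements"
    min_passcode_length: int = 6          # assumed value
    block_jailbroken: bool = True         # page: "block jailbroken devices"
    min_os_version: Tuple[int, int] = (15, 0)  # assumed extra setting

# --- Hypothetical device record as reported to the MDM ----------------------
@dataclass(frozen=True)
class Device:
    name: str
    enrolled: bool           # enrolled in Intune (MDM) or not
    jailbroken: bool
    passcode_length: int     # 0 means no passcode/PIN set
    os_version: Tuple[int, int]

def evaluate_compliance(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return the list of failed checks; an empty list means compliant."""
    failures: List[str] = []
    if policy.block_jailbroken and device.jailbroken:
        failures.append("device is jailbroken")
    if policy.require_passcode and device.passcode_length < policy.min_passcode_length:
        failures.append(
            f"passcode shorter than {policy.min_passcode_length} "
            f"(found {device.passcode_length})"
        )
    if device.os_version < policy.min_os_version:
        failures.append(
            f"OS {'.'.join(map(str, device.os_version))} below minimum "
            f"{'.'.join(map(str, policy.min_os_version))}"
        )
    return failures

# Conditional access: which client apps may reach which service.
# The Exchange Online entry mirrors the page's example; the rest is constructed.
APPROVED_CLIENTS: Dict[str, Set[str]] = {
    "Exchange Online": {"Outlook", "Outlook Mobile"},
    "SharePoint": {"OneDrive", "SharePoint Mobile"},
}

def conditional_access(
    device: Device, policy: CompliancePolicy, app: str, service: str
) -> Tuple[bool, str]:
    """Grant access only if the device is enrolled, compliant, and the app is approved.

    The order matters: an unenrolled device has no compliance state to evaluate,
    so it is blocked before the policy checks run.
    """
    if not device.enrolled:
        return False, "blocked: device not enrolled, no compliance state available"
    failures = evaluate_compliance(device, policy)
    if failures:
        return False, "blocked: non-compliant (" + "; ".join(failures) + ")"
    approved = APPROVED_CLIENTS.get(service, set())
    if app not in approved:
        return False, f"blocked: {app} is not an approved client for {service}"
    return True, f"granted: {app} -> {service}"

# Constructed sample inventory for a stand-alone run.
SAMPLE_DEVICES = [
    Device("corp-iphone-01", enrolled=True, jailbroken=False, passcode_length=6, os_version=(16, 2)),
    Device("byod-android-07", enrolled=True, jailbroken=True, passcode_length=6, os_version=(16, 0)),
    Device("byod-iphone-12", enrolled=False, jailbroken=False, passcode_length=8, os_version=(16, 4)),
    Device("corp-ipad-03", enrolled=True, jailbroken=False, passcode_length=4, os_version=(14, 8)),
]

def run_report(policy: CompliancePolicy = CompliancePolicy()) -> Dict[str, bool]:
    """Evaluate every sample device against Exchange Online via Outlook Mobile."""
    results: Dict[str, bool] = {}
    for dev in SAMPLE_DEVICES:
        ok, reason = conditional_access(dev, policy, "Outlook Mobile", "Exchange Online")
        results[dev.name] = ok
        print(f"{dev.name:18} {reason}")
    return results

if __name__ == "__main__":
    run_report()
```

The two-stage structure is the point: device compliance is evaluated once per device and consumed by every access decision, while the approved-client check is evaluated per service, so a compliant device using an unapproved mail client is still refused. A non-compliant device accumulates all failed checks rather than stopping at the first, which is what a compliance report needs.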

Online resources:

How to get Intune

Intune is available:

Intune is used in many sectors, including government, education, kiosk or dedicated devices for manufacturing and retail, and more.

Next steps