App considerations

App considerations for BYOD vary with company goals, constraints, and resources. Companies should evaluate their current apps, the technologies used to develop them, what those apps need in order to run on any device, and which apps users must be able to reach from any location. Modern apps are not as resource intensive to provision and deploy as traditional Windows-based apps, but developing and maintaining them still carries a cost.

Apps developed specifically for BYOD scenarios follow recognizable patterns. Evaluate whether your current apps already follow them, and decide whether to adapt those apps to a BYOD scenario or to offer users a legacy experience when they access them from their own devices. Use the following list to identify these patterns:

  • Understand the user: which problem are you trying to solve with this app, and is that problem relevant to the user? The user experience and what users will accomplish with the app are the key considerations.
  • Simplicity: users must be able to learn the app on their own with minimal guidance, and navigate its options without getting lost.
  • Agility to upgrade: the strategy for mobile apps is to put them in users' hands right away and collect feedback to improve them. Shipping a perfect app in its first release is not feasible for mobile apps, so make the release cycle agile and respond quickly to feedback: ship now and keep changing the app throughout its life cycle. A fast cycle does not remove the need to sign and test every release; the certificate and security considerations later on this page apply to each one.
  • Performance: traditional Windows-based apps can be more robust because they run on PCs, but users tend to assume that Windows-based apps use more resources. Mobile apps must be designed to conserve resources; focus on what the user actually needs in order to deliver the best experience possible.

For more information about general considerations when creating mobile apps, read 10 considerations when creating mobile apps for business.

Experience

To provide a good user experience for the platforms on which the apps will run and for the chosen deployment strategy, the company must decide which apps will be published and how. If the environment is heterogeneous and the company supports some of the devices, one strategy is to publish the apps through the Company Portal. Ultimately, business decisions drive the user-experience considerations. Is the company willing to develop apps that provide the same experience regardless of platform? Or will it train users to use the apps on different platforms without a uniform experience? Consider the cost and the return on investment for each case. It can be feasible to consolidate all apps in a main web portal page that provides the same entry point, but the apps themselves may still behave differently on each platform.

Because apps for remote users should run on more than one platform, be as light as possible, and require minimal access to users' devices, narrow your options to web-based apps and modern apps. The next section helps you determine which app experience to use for your solution.

App experience options — advantages and disadvantages

Use the list below to weigh the advantages and disadvantages of each app experience option:

  • Web based
    • Advantages
      • Widely available on many platforms
      • Transport encryption available through HTTPS
      • Mature technology
      • Easy to use
      • Does not have to be installed on users' devices
    • Disadvantages
      • Does not have the native look and feel of a mobile app
      • Could require third-party components (such as Flash, which has since reached end of life) to be installed on users' devices
      • Susceptible to browser vulnerabilities
  • Modern
    • Advantages
      • Modern look and feel
      • Richer experience for end users
      • Security controls are established by the developer (which also makes them the developer's responsibility to get right)
      • Leverages the local operating system's APIs
      • Able to run on different platforms (with a separate build per platform)
      • Does not rely on the web browser to run
    • Disadvantages
      • Requires installation on users' devices
      • Requires a back-end infrastructure to deploy apps to users' devices
      • Might require developers to ramp up their knowledge to develop apps in this new format

App requirements — considerations

Evaluate the apps that will be adjusted for use by remote users from their own devices, and make sure the following requirements are presented to users. Below is a list of app requirements with the considerations for each:

  • Internet access/cloud service access: if apps require Internet access in order to work, consider the following points:
    • Apps must transfer data over an encrypted channel.
    • Apps should consume minimal bandwidth.
    • Evaluate using Windows Push Notification Services (WNS) to deliver updates.
    • Apps should work through a proxy server if the enterprise uses one to mediate Internet access.
    • Apps should be able to use the mobile device's Wi-Fi connection.
  • Collect user information: if apps must collect users' information in order to work, consider the following points:
    • Apps should state in detail what information will be collected, and users must consent to that collection.
    • If private information is transferred, ensure that it is encrypted in transit.
    • If private information is stored on users' devices, ensure that it is encrypted at rest.
  • Integration with social networks: if apps require integration with social networks in order to run, consider the following points:
    • Evaluate the authentication method the app will use to authenticate with the social network.
    • Verify the level of integration with the social network to avoid leaking data to a broader audience.
    • Ensure that the app states in detail which information the user will share on the social network in question.
    • Ensure that data sent to the social network provider is encrypted.

To enhance the user experience, also categorize all apps according to your development team's standards so that users do not have to scroll through hundreds of apps.

Platform

When dealing with user experience, it is normal to evaluate different platforms and decide which ones your company is willing to support. Letting users bring their own devices often means a heterogeneous ecosystem that IT might not yet be ready to support.

Each platform has different requirements for signing and publishing apps, and these directly affect IT resources because IT must evaluate the entire life cycle of apps running on each platform. You also need to assess the apps' platform requirements for the BYOD infrastructure solution. The next section covers the key considerations about app platform requirements.

App platform requirements — considerations

Below is a list of app platform requirements with the considerations for each:

  • Back-end infrastructure
    • Evaluate whether extending apps to remote users will affect the overall performance of the app server.
    • Based on that evaluation, decide whether servers need to be upgraded, added, or virtualized.
  • Supportability
    • Define which platforms (such as Windows, iOS, and Android) the company will support.
      • If the company decides to embrace all platforms, define the supportability boundaries for each one.
    • Establish which scenarios the company supports and which it does not. For example, your company might decide not to support devices that have been jailbroken or rooted.
  • Operating system platform
    • Define the constraints each operating system imposes on running the company's apps.
    • Define minimum requirements for apps on each operating system the company decides to support.
    • Test the apps on each operating system to verify that they behave similarly, and document the differences.

As part of the strategy to support multiple platforms, you must define how apps will be consumed on those platforms. With Microsoft Intune, you can let users consume apps through the Company Portal, and this capability is available not only for Windows but for other platforms as well. When deciding which apps users should reach through the Company Portal, take into account the two types of apps it can offer:

  • Sideloaded apps: modern LOB apps that are developed and published to the Company Portal, which hosts their content.
  • Deep-link apps: links to apps in the Windows Store (or the Apple App Store for iOS apps) that are stored in Configuration Manager and that users open through the Company Portal.

Deep-link apps reduce administrative overhead by sending users to the Windows Store for the latest version instead of requiring IT to manage and publish updates to the Company Portal. Using the Windows Store to deploy apps also raises some questions, such as:

  • Can you use your current infrastructure to deploy these apps through the Windows Store?
  • What role does the Windows Store play in the app deployment process?
  • Do all apps need to come from the Windows Store?

The answers vary with the current state of the company's deployment strategy and how it needs to evolve if the company chooses to use the Windows Store. Keep in mind that the Windows Store (now the Microsoft Store) is a digital distribution system and the primary distribution platform for modern apps on Windows 10, Windows 8.1, Windows 8, and Windows RT. It can also list desktop apps certified to run on Windows 8–based devices. For more information about sideloaded apps, see Try It Out: Sideload Windows Store Apps.

Deployment

To address the considerations for apps that will be deployed to users, you need to understand the requirements for corporate access. Deployment scenarios include apps that must always be connected to company resources even when the user does not need access to other corporate resources, or does not need full access to all of them, while on the corporate network. Verify the deployment options for each app and evaluate which method your company prefers. The next section lists the most common deployment options, which you can use as part of a decision baseline.

Deployment options — advantages and disadvantages

Use the list below to weigh the advantages and disadvantages of each deployment option:

  • On-premises based
    • Advantages
      • All security controls are physically located on-premises, and IT has full control
      • IT can harden the server that holds the deployment role
      • Provides more granular auditing, logging, and reporting capabilities
    • Disadvantages
      • Higher cost to maintain compared with a cloud solution
      • Lack of integration with cloud services
      • Difficult to deploy apps to unmanaged devices
      • Difficult to control deployment options for devices that are not on-premises
  • Cloud based
    • Advantages
      • Apps can be installed from anywhere
      • Multiplatform deployment capability
      • Easier than an on-premises solution for deploying apps to unmanaged devices
    • Disadvantages
      • Limited reporting capabilities for on-premises devices consuming apps
      • Lack of centralized management and deployment control
  • Hybrid (part on-premises and part in the cloud)
    • Advantages
      • Easier than an on-premises solution for deploying apps to unmanaged devices
      • IT retains full control over the on-premises portion of the deployment role
      • On-premises devices and cloud-managed devices are integrated in a single place
      • Easier than an on-premises solution for controlling deployment options across multiple platforms
    • Disadvantages
      • Usually requires a cloud-service subscription
      • Integration with the on-premises deployment solution varies by cloud service

App deployment requirements — considerations

You also need to assess the apps' deployment requirements for the BYOD infrastructure solution. The list below covers the key app deployment considerations:

  • Permissions
    • Ensure that the level of permission users need in order to install apps is not intrusive. For example, do not require a user to be an administrator of the device in order to install apps.
    • If an app uses temporary files or folders, ensure that it does not need administrative permissions to handle them.
  • Certificate
    • If app deployment requires a certificate on users' devices, ensure that the devices can reach the certificate revocation list (CRL) so that they can check whether the certificate has been revoked. A chain check that cannot fetch the CRL should be treated as a failure, not a pass.
    • If a certificate is installed during the app installation process, ensure that users are aware of this and are prompted for consent.
    • Define which certificate will be used. If it was issued by an internal certification authority (CA), ensure that users' devices have the CA certificate installed first, and only then install the app's certificate. If it was issued by a third-party public CA, ensure that the device can validate the certificate over the Internet. If validation fails, tell users why it failed and block the installation for security reasons.
  • Mobile Device Management (MDM) agent
    • If apps require an MDM agent on users' devices before they can be installed, ensure that users are aware of this and are prompted for consent.
    • If the MDM agent needs to be installed, ensure that the installation process is easy to follow and uses minimal system resources.
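The certificate considerations above (CRL reachable, CA certificate installed before the app's certificate, fail closed on validation errors) can be checked on the device before a package is sideloaded. The following PowerShell is an added example written for this page, not code from the original guide or from Microsoft; the package path and the final Add-AppxPackage step are assumptions, and the function works on any Authenticode-signed file.

```powershell
# Added example, not part of the original guide. Checks an Authenticode-signed
# LOB package the way the certificate considerations above require: the
# signature must be valid, the chain must end at a root the device already
# trusts, revocation must be checked online for the whole chain, and every
# CRL distribution point must be reachable. Anything else fails closed.
# The package path and the Add-AppxPackage step are assumptions.

function Test-AppPackageTrust {
    param([Parameter(Mandatory)][string]$PackagePath)

    $result = [ordered]@{
        Package         = $PackagePath
        SignatureStatus = $null
        Signer          = $null
        RootTrusted     = $false
        ChainErrors     = @()
        CrlUrls         = @()
        UnreachableCrls = @()
        Trusted         = $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $result.SignatureStatus = $sig.Status
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered or untrusted-signer packages never reach the install step.
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # Build the chain with online revocation checking for every certificate in it.
    # A CRL that cannot be fetched shows up as RevocationStatusUnknown/OfflineRevocation,
    # which this function treats as a failure rather than silently passing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    # The chain's root must already be in the machine's trusted root store. For an
    # internal CA this is the "install the CA certificate first" requirement.
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    # Read the CRL distribution points (OID 2.5.29.31) from the signer certificate
    # and confirm each one is reachable from this device, through the proxy if set.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $result.CrlUrls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value })
        foreach ($url in $result.CrlUrls) {
            try   { $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 }
            catch { $result.UnreachableCrls += $url }
        }
    }

    $result.Trusted = ($result.ChainErrors.Count -eq 0) -and
                      $result.RootTrusted -and
                      ($result.UnreachableCrls.Count -eq 0)
    return [pscustomobject]$result
}

# Usage (package path is hypothetical):
$check = Test-AppPackageTrust -PackagePath 'C:\Deploy\ContosoExpenses.appx'
if (-not $check.Trusted) {
    $check | Format-List          # tell the user what failed before refusing
    throw 'Package failed certificate checks; installation blocked.'
}
Add-AppxPackage -Path $check.Package
```

Setting RevocationFlag to EntireChain is deliberate: checking only the leaf leaves a revoked intermediate CA undetected. Add-AppxPackage additionally requires sideloading to be enabled on the device, which is a separate policy decision from the trust check shown here.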

With System Center 2012 R2 Configuration Manager, IT can identify and license specific users through user discovery in Configuration Manager and then add them to a custom collection that is synchronized with Microsoft Intune; that collection also determines who is allowed to enroll, so scope it deliberately. This also assists in deploying the apps. App updating should be part of the deployment considerations as well: after apps are installed, updates should be detected automatically and users notified of them in the Windows Store app. System Center 2012 R2 lets enterprises run their own enterprise app store from which users can install LOB apps. For more information about the enterprise app store, see Design case study: Enterprise line of business Windows Store app.

Auto-triggered VPN in Windows 10 (introduced in Windows 8.1) lets apps reach corporate resources. IT defines a list of apps that automatically connect to the corporate network by opening a VPN connection when the app starts. You define which apps can trigger the connection, and on the server side you can restrict remote access based on the identity of the user and of the computer from which the user is accessing the resource. For more information about auto-triggered VPN, see What's New in Remote Access in Windows Server 2012 R2.
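The client side of the auto-triggered VPN described above can be provisioned with the VpnClient cmdlets that ship with Windows 8.1 and later. The block below is an added example for this page, not configuration from the original guide or from Microsoft; the VPN server name, DNS suffix, address space and the app's package family name are hypothetical placeholders, and the server-side user and computer restrictions (NPS policy) are not shown.

```powershell
# Added example, not part of the original guide. Builds a client VPN profile on a
# Windows 8.1/10 device and ties it to one LOB app so that starting the app
# brings the tunnel up. Server name, DNS suffix, subnet and the package family
# name are hypothetical placeholders.
$conn = 'Contoso BYOD VPN'

# IKEv2 with machine-certificate authentication binds the tunnel to the device
# identity; the user still authenticates to the app itself. Encryption is
# mandatory, and split tunneling keeps only corporate prefixes inside the tunnel.
Add-VpnConnection -Name $conn -ServerAddress 'vpn.contoso.com' `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling -Force

# With split tunneling on, corporate address space must be routed explicitly.
Add-VpnConnectionRoute -ConnectionName $conn -DestinationPrefix '10.0.0.0/8'

# Triggers: launching the LOB app (identified by its package family name), or
# resolving any name under the corporate DNS suffix, starts the connection.
Add-VpnConnectionTriggerApplication -ConnectionName $conn `
    -ApplicationID 'Contoso.Expenses_2z6x3w1sdb0d5' -Force
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $conn `
    -DnsSuffix '.corp.contoso.com' -DnsIPAddress '10.0.0.53' -Force

# Trusted-network detection: when the device already sits on the corporate
# network (connection-specific DNS suffix matches), the trigger stays quiet.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $conn `
    -DnsSuffix 'corp.contoso.com' -Force

# Verify what was configured before handing the profile to users.
Get-VpnConnection -Name $conn |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $conn
```

For a desktop app the ApplicationID is the full path of the executable instead of a package family name. Restricting which apps can trigger the tunnel is the least-privilege point of the feature: an unrelated app on the same device does not get a route into the corporate network just because the profile exists.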

If your company is adopting Windows Phone and wants users to use LOB apps on this platform, start by understanding the app enrollment process. Companies must establish a company account, enroll devices, and distribute apps to the enrolled devices. For more information about Windows Phone app deployment, see Company app distribution for Windows Phone.

Storage and network

Storage and network considerations for apps can affect both app servers and devices. The following questions arise when you start considering these two core components for apps:

  • Will the apps store anything on users' devices?
    • If so, what are the app's storage requirements on the device? Is the data encrypted by the app or by the operating system?
  • Will the apps handle sensitive information in transit over wired or wireless networks?
    • If so, will the data be encrypted?

The next section covers the key considerations for app storage and network requirements.

App storage and network requirements — considerations

Use the list below to review each app storage and network requirement and the considerations that go with it:

  • Disk space
    • If the app deployment process needs more space than the installed app (because of temporary files), ensure that this is well documented, that users are aware of it, and that they are prompted for consent.
    • Ensure that all temporary files and folders written to users' storage during deployment are removed after the app is installed.
  • Data privacy
    • If an app stores private company or user information in the device's storage, ensure that users are aware of it and are prompted for consent.
      • If the app does store private information, ensure that the files are encrypted on users' devices.
    • If apps transfer private company or user information over the network, ensure that the transfer is encrypted.
  • Backup
    • If apps keep temporary files in the device's storage during normal operation, to be committed to the server's database later, ensure that there is a backup mechanism that preserves those files if the app crashes, the device runs out of power, or any other unforeseen event would otherwise cause data loss.
    • Ensure that backed-up data is also protected against unauthorized users and processes.
    • If the user's network loses connectivity to the app server, ensure that the app has a fallback process to avoid data loss.
  • Back-end infrastructure
    • Evaluate the need to upgrade, expand, or virtualize back-end storage servers.
    • Ensure that the back-end infrastructure has multiple network paths to users' devices.
    • Ensure that the on-premises edge solution can handle multiple ISPs so that users coming from the Internet do not lose connectivity to on-premises app servers.
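The data privacy and backup items above both come down to the same requirement: whatever an app parks on the device until it can commit to the server must be encrypted and unreadable by other users and processes. The following PowerShell is an added example for this page, not code from the original guide or from Microsoft; it uses the Windows Data Protection API (DPAPI) through .NET, and the cache path, the entropy string and the sample record are constructed placeholders.

```powershell
# Added example, not part of the original guide. Protects the local cache a BYOD
# app keeps until it can commit the data to the server: the file content is
# encrypted with DPAPI in the current user's scope plus an app-specific entropy
# value, and the file's ACL is replaced by a single entry for the owning user so
# other local accounts and processes cannot read it. The cache path, the entropy
# string and the sample record are constructed placeholders.
Add-Type -AssemblyName System.Security

# App-specific secret mixed into DPAPI; another app running as the same user
# cannot Unprotect the blob without it (assumption: the app embeds this value).
$script:AppEntropy = [Text.Encoding]::UTF8.GetBytes('ContosoExpenses/pending-cache/v1')

function Protect-AppCache {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][byte[]]$Plaintext
    )
    $blob = [Security.Cryptography.ProtectedData]::Protect(
        $Plaintext, $script:AppEntropy,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [IO.File]::WriteAllBytes($Path, $blob)

    # Fresh DACL: inheritance off, inherited entries discarded, one ACE for the current user.
    $me  = [Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = New-Object Security.AccessControl.FileSecurity
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Unprotect-AppCache {
    param([Parameter(Mandatory)][string]$Path)
    # Throws a CryptographicException if the blob was copied from another user or
    # device, or was tampered with; treat that as cache loss, never as valid data.
    $blob = [IO.File]::ReadAllBytes($Path)
    return [Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $script:AppEntropy,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
}

# Usage with a constructed pending record:
$cacheFile = Join-Path $env:LOCALAPPDATA 'ContosoExpenses\pending.bin'
$null = New-Item -ItemType Directory -Path (Split-Path $cacheFile) -Force
$record = '{"report":42,"amount":"119.50","status":"pending"}'
Protect-AppCache -Path $cacheFile -Plaintext ([Text.Encoding]::UTF8.GetBytes($record))

$restored = [Text.Encoding]::UTF8.GetString((Unprotect-AppCache -Path $cacheFile))
if ($restored -ne $record) { throw 'Cache round trip failed' }
(Get-Acl -Path $cacheFile).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```

DPAPI in CurrentUser scope means a copy of the file taken to another device, or read by another account on the same device, cannot be decrypted, which is the property the backup item asks for. The limitation is the flip side of the same property: a cache that must survive a device reset or be restored elsewhere needs a key the server can re-issue, not one derived from the local user profile.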

When considering apps for your BYOD infrastructure, you can also use Windows Server 2012 R2 Virtual Desktop Infrastructure (VDI). Users can run Windows 8 apps remotely as though they were running on the local device, including video clips, movies, streaming video, and graphically intensive apps. Because the apps and their data stay in the data center, VDI also sidesteps the device-side storage questions above. Microsoft RemoteFX enhances the user experience in Windows Server 2012 R2, which includes codec and media streaming improvements and delivers the best possible experience under varying network conditions by trading resolution for available bandwidth when required. With the Microsoft Remote Desktop app, users can connect to corporate data and apps from a variety of platforms, including Windows, Windows RT, iOS, Mac OS X, and Android.

If you consider using VDI to give BYOD users access to company apps, first understand the deployment types available for VDI:

  • Virtual machine based: Windows 8 virtual machines running on a Hyper-V infrastructure. Remote Desktop Services provides users with remote connectivity to the virtual machines, using either pooled or personal virtual machine collections.
  • Session based: users connect to Remote Desktop Services (RDS) in Windows Server 2012 R2 and run their apps in Windows Server 2012 R2 sessions. Only RDS is required for this type of deployment.

The storage experience for VDI is improved in Windows Server 2012 R2 with storage tiering and online data deduplication. IT can create storage volumes that automatically optimize the placement of data across disks, keeping the most frequently accessed blocks on the fastest disks. You can also use the following Windows Server 2012 R2 storage capabilities for VDI:

  • Multiple storage options: supports direct-attached, network-attached, clustered, or SAN storage for virtual machines, and uses online disk deduplication to greatly reduce storage requirements.
  • Fair Share: dynamically distributes bandwidth, CPU, and disk use across virtual machines and sessions so that no single one monopolizes resources or degrades the experience for other users on the system.

For more information about VDI in Windows Server 2012 R2, see What's New in Remote Desktop Services in Windows Server 2012 R2.

The decision about which app deployment model and experience to use in your BYOD infrastructure design should be balanced against total cost of ownership (TCO). To better understand the TCO of adopting VDI, read VDI TCO Analysis for Office Worker Environments.

Security

Use a security development life cycle for all apps that will be consumed by users on their own devices. Security must be embedded in every phase of development, and all potential threats should be considered; STRIDE and other threat-modeling techniques can be incorporated into the development life cycle through the Microsoft Security Development Lifecycle (SDL). How the current infrastructure will integrate with the overall BYOD security strategy is an important consideration. Can the current environment provide a secure foundation for the apps? Does the company need to acquire third-party security solutions to mitigate vulnerabilities that this adoption will introduce?

Security considerations matter for apps that will be consumed by users on their own devices. For the few apps with specific access requirements, use custom collections based on Active Directory security groups to limit the targeted users, which in turn limits who can install them. Security can also improve the user experience: with AD FS, users sign in with the same user name and password to reach corporate resources. Security also matters when designing the deployment of these apps: acquire and deploy the certificates and sideloading keys before enabling user enrollment, and coordinate with other teams to streamline the app certification process.
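The custom collection approach recommended here, and the Intune-synchronized user collection described under Deployment, can both be built with the Configuration Manager PowerShell module on a System Center 2012 R2 site. The block below is an added example written for this page, not code from the original guide or from Microsoft; the site code, AD group, collection and application names are hypothetical placeholders.

```powershell
# Added example, not part of the original guide. On a System Center 2012 R2
# Configuration Manager site, builds a user collection whose membership is
# driven by an Active Directory security group and deploys one LOB app to it
# as "Available" in the Company Portal. Site code, group name, app name and
# collection name are hypothetical placeholders. Active Directory User Discovery
# must have run before the group membership query returns anyone.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'P01:'                          # site code is an assumption

$group      = 'CONTOSO\BYOD Finance App Users'
$collection = 'BYOD - Finance app users'
$app        = 'Contoso Expenses'

# WQL membership rule: only users who are members of the AD group are targeted.
# The backslash in the domain\group name is doubled inside the WQL string literal.
$wql = @"
select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.Name,
       SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
from   SMS_R_User
where  SMS_R_User.UserGroupName = "$($group.Replace('\', '\\'))"
"@

if (-not (Get-CMUserCollection -Name $collection)) {
    New-CMUserCollection -Name $collection -LimitingCollectionName 'All Users' | Out-Null
    Add-CMUserCollectionQueryMembershipRule -CollectionName $collection `
        -RuleName "AD group: $group" -QueryExpression $wql
}

# Available, not Required: the user pulls the app from the Company Portal when
# needed, and only members of the collection see it at all.
Start-CMApplicationDeployment -CollectionName $collection -Name $app `
    -DeployAction Install -DeployPurpose Available

# Review who is actually in scope before enrollment is switched on.
Get-CMUserCollection -Name $collection | Select-Object Name, MemberCount
```

Because membership follows the AD group, removing a user from the group removes the app from their Company Portal on the next collection evaluation, so access revocation lives in one place. The same pattern builds the user collection attached to the Microsoft Intune subscription; since that collection defines who may enroll a device at all, it deserves the same group-based scoping rather than All Users.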