BYOD Design Considerations Guide

With the proliferation of devices used by employees, most enterprises face a dilemma: how do they allow their users to use their own devices while protecting the corporate data that resides on those devices? Enterprises are moving away from the traditional model, in which they own and provide devices to their employees, to a model in which employees use their personal devices for some of their work tasks. This model is often referred to as Bring Your Own Device (BYOD). In this model, employees are allowed to use their personal devices for some work tasks, but only if they allow the company to manage some aspects of those devices to ensure the security of corporate data. Often, this means that users allow the company to apply custom policies, harden the devices, or standardize on the operating system required by company policy. Executives and decision makers who have read the CIO considerations for workstyle transformation paper from Microsoft can also identify the benefits of embracing a model in which people are empowered to use their own devices to be productive at work.

Although data access and protection is one of the main challenges of BYOD, other challenges require a broader approach to the problem:

  • Users and their devices: how can users be enabled to use their own devices and remain compliant with company policies?
  • Management: how will noncorporate devices be managed by IT?
  • Apps: how will line-of-business (LOB) apps be accessed from users' devices?

This discussion is driven by the requirements, capabilities, and design considerations for a device management infrastructure. Microsoft technologies are mentioned in the context of those requirements and capabilities, not the other way around. We expect this approach to resonate better with architects and designers who are interested in the problems that must be solved and the approaches available for solving them; only then does the technology discussion become relevant.

This guide provides system architects and system designers with a collection of critical design considerations that must be addressed before designing a Bring Your Own Device (BYOD) infrastructure, one that enables employees to use their own devices while protecting the company's data.

Intended audience

The primary audience for this guide is the system architect or system designer who wants to understand the issues that need to be considered before implementing a BYOD infrastructure. Others who might be interested include IT implementers, enterprise security specialists, and device management specialists.

The purpose of this guide is:

  1. To provide the system architect or system designer with a collection of issues and questions to be answered. The answers to these questions can serve as the requirements for a BYOD infrastructure design.
  2. To provide the system architect or system designer with a collection of design options that can be evaluated and chosen based on the identified requirements.

Although the questions apply to any vendor, the examples of available options focus on capabilities in Windows Server 2012 R2, System Center 2012 R2, and Windows Intune.

In addition, this guide includes:

  • Vendor-agnostic design considerations for adapting an infrastructure to support the BYOD model.
  • Design considerations for users, devices, management platforms, apps, and data access and protection.

Before adopting a BYOD model in a production environment, security, availability, performance, and scalability must be considered across networking, storage, compute, and identity. There is a tendency to embrace BYOD before a concrete analysis of the current environment and of what must be done to securely enable users to work from any device, anywhere.

It is not the purpose of this guide to:

  • Provide a performance baseline for the infrastructure components of a BYOD model.
  • Provide performance tuning guidance and best practices for the infrastructure components of BYOD.
  • Provide app development guidance for mobile devices.
  • Provide app development best practices for mobile devices.
  • Provide guidance and best practices for third-party components.

Problem definition

Companies trying to embrace BYOD typically encounter the following problems or challenges:

  • The existing management platform cannot allow users to bring their own devices and still access company resources.
  • The security strategy already in place does not address the security challenges that BYOD introduces into the environment.
  • Users are embracing new technologies and demanding access to company resources to perform their jobs.
  • Business decision makers understand the benefits BYOD brings to the business, primarily gains in user productivity that can reduce operating costs. However, they are uncertain how to embrace BYOD while remaining compliant with rules and regulations.

Organizations with a large infrastructure need to determine their requirements before shifting from a model in which IT manages the devices itself and is assumed to have total control over them, to one in which IT must assume that it has less control over devices while still meeting users' need to access corporate data. This is often referred to as the switch from device-centric to people-centric IT. The same considerations and requirements must also be planned carefully for existing and new apps, and for moving existing apps into a cloud environment. Figure 1 is a conceptual diagram of the BYOD problem domain and the areas this guide covers.