Management considerations

A management domain is mandatory in an infrastructure that supports a BYOD model. In order to fully support BYOD demands, the management domain must enable IT to monitor resources, provide reporting capabilities, manage compute and storage resources, enable device configuration and automation, and manage app deployment and provisioning.

Monitoring

One of the roles of the management domain is to monitor compliance settings, not only for corporate assets but also for mobile devices owned by users. Considerations regarding compliance should be evaluated according to the company's line of business. Some companies might allow corporate data to reside on users' devices only if it is encrypted. Security settings must be controlled by IT in order to enforce those policies.

The level of management on users' devices will vary according to company policy and the BYOD infrastructure that the company adopts. If the company establishes that full-wipe capability is required in order to access company resources, IT must enforce this setting on all monitored devices. IT also needs the ability to reset devices to the manufacturer's defaults, wiping all personal settings and data if necessary. Use the section that follows to determine the monitoring options that your BYOD infrastructure will require.

Monitoring options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each monitoring option:

  • Management agent installed on users' devices
    • Advantages
      • More control over users' devices
      • Remote wipe capability
      • Selective wipe capability
      • Faster app deployment and life cycle management
    • Disadvantages
      • Need to install a management agent on users' devices
      • More intrusive from the users' perspective
      • Requires a back-end management infrastructure to support the agent
  • Management agent not installed
    • Advantages
      • No management agent is installed on users' devices
      • Policy enforcement available only from the app perspective (for example, ActiveSync)
    • Disadvantage
      • Limited options available for IT to manage devices

As you can see in the preceding list, when designing the BYOD infrastructure solution, you will need an agent installed on users' devices if you want to enforce company policy.

If the company chooses to support different types of devices, you need to understand the devices' capabilities, such as storage encryption, VPN connectivity options, and supported programming languages. Evaluate what can be implemented to comply with company policies. Monitoring devices in order to meet compliance can be done by enforcing policies. Consider enabling device encryption for data at rest on users' devices; this can assist your data leakage strategy. Enforcing policies such as password unlock, password history, and strong passwords can provide similar security across on-premises and mobile devices.

Compliance settings in Configuration Manager allow IT to manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in the enterprise. Consider using the default compliance settings built into Configuration Manager for mobile devices as a baseline, and from there customize according to your company's needs. For more information about compliance settings in Configuration Manager, see Introduction to Compliance Settings in Configuration Manager.

By using Windows Selective Wipe, IT can secure the enterprise's corporate data that is dispersed to corporate or personal devices. Developers can create apps that apply a Windows Selective Wipe policy to data and protect it on an Internet domain owned by the enterprise. For more information about Windows Selective Wipe, see Windows Selective Wipe for Device Data Management.

Reporting

Reporting device capabilities, or simply understanding how these devices are behaving, is fundamental to IT keeping control of known devices. Reports can be used to better understand the current environment. Here are some questions that will arise when you are trying to understand not only the environment, but also the capabilities of some mobile devices:

  • How many iOS devices are in use in your organization?
  • Which iOS versions are those devices running?
  • Which corporate apps are installed on the devices?
  • Are any devices in your organization jailbroken?

Consider using a management solution that can provide device inventory and customizable reports. By choosing this option, you will enable a more flexible approach for IT when they need to discover more information about users' devices. IT must be able to obtain reports about all devices that were registered on-premises and in the cloud. Reporting capability for the management system can be located on-premises or in the cloud, or it can be a mix of both, which is called a hybrid solution. Use the following list to determine which reporting option is appropriate for your company.

Reporting options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each reporting option:

  • On-premises
    • Advantages
      • Centralized reporting
      • Fully controlled by IT
      • Customizable
      • Security controls managed on-premises
    • Disadvantages
      • Unable to natively enumerate devices that are located off-premises
      • Higher administrative overhead, when compared to cloud-based solutions
  • Cloud based
    • Advantages
      • Capability to report on devices that are joined to the cloud service
      • Cost effective
      • Reporting availability (create and view reports from anywhere)
      • Lower administrative cost, when compared to an on-premises solution
    • Disadvantages
      • Unable to natively enumerate devices that are located on-premises
      • Usually requires a monthly subscription to the service
  • Hybrid
    • Advantages
      • Capability to report on devices that are joined to the cloud service
      • Cost effective
      • Reporting availability (create and view reports from anywhere)
      • Integration with the on-premises management solution
    • Disadvantages
      • Usually requires a monthly subscription to the service

By combining Microsoft Intune with System Center 2012 R2, you can have reporting from on-premises and cloud-based devices. Configuration Manager includes many ready-to-use, built-in reports for UDM, including reports for apps, hardware inventory, and settings management. You do not need to create custom reports or separate reports for PC and mobile-device management; these functions can be integrated.

For more information about Configuration Manager reporting capabilities, see Introduction to Reporting in Configuration Manager.

Compute and storage

After new apps are developed and accessed remotely by users on their own devices, app performance might suffer if the solution has not been well planned. Though this design considerations guide does not intend to offer a deeper look into performance considerations, questions about the management infrastructure must be answered:

  • Is the current management solution that your company uses able to manage storage and compute resources for the platform that supports the apps accessed from users' devices?
  • Does the current management solution that your company uses have the capability to increase compute and storage resources for the platform that supports app access from users' devices according to a set of preestablished rules?

If the management solution that is currently in place is not capable of addressing those two requirements, consider using a management solution that can manage compute and storage by addressing the two core requirements shown in the following list.

Compute and storage management capabilities — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each compute and storage management capability:

  • Resource pooling
    • Advantages
      • Able to allocate pooled compute and storage resources from different locations
      • High level of availability
      • More robust than solutions that are not able to leverage resource pooling
    • Disadvantages
      • Few management solutions are able to take advantage of resource pooling
      • Initial overhead to implement could be higher if the company is not yet using cloud computing principles in its datacenter
  • Elasticity
    • Advantages
      • Able to dynamically allocate pooled compute and storage resources based on demand
      • High level of availability
      • Easier to manage after it is implemented
    • Disadvantages
      • Few management solutions are able to take advantage of elasticity capability
      • Initial overhead to implement could be higher if the company is not yet using cloud computing principles in its datacenter

System Center 2012 R2 has the capability to use resource pooling and elasticity to manage storage and compute. System Center 2012 R2 also integrates storage with differencing disk optimization, which reduces storage requirements by allowing a large percentage of disk data to be shared among multiple virtual disks and thereby optimizes storage costs. Servers that are virtualized using System Center 2012 R2 and that will be consumed by apps used by remote users can take advantage of this technology.

For more information about System Center 2012 R2 storage capabilities, see What's New in VMM in System Center 2012 R2.

Automation

Automation can be employed to remediate noncompliant devices, and IT can assign different levels of noncompliance severity. You should consider the use of automation in different areas of BYOD; for example, how should you automate the deployment of new services that will be consumed by mobile devices? And how should you automate the authorization process for mobile devices?

Although all the BYOD subdomains presented can take advantage of automation, the responsibility to automate resources is owned by the management subdomain. Automation can be built into the operating system; however, the management solution that the company adopts is responsible for extending these capabilities and providing ways to alleviate daily IT tasks while monitoring and reporting the results of the automation. The most powerful automation option in System Center 2012 R2 is Windows PowerShell. For more information about System Center 2012 R2 automation, see System Center Automation with Windows PowerShell. However, another option is available that provides a simpler but less robust form of automating tasks: task sequences. Use the following list to evaluate the advantages and disadvantages of each option.
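The following Windows PowerShell script is an added example, not code from this guide or from System Center: it ties the monitoring rules (encryption, passcode policy), the reporting questions (iOS versions, corporate apps, jailbroken devices) and the severity-ranked remediation described above into one evaluation of a device inventory. The inventory, the rule set, the severity levels and the action names (NotifyUser, BlockCorporateAccess, SelectiveWipe) are assumptions; a real deployment would feed the returned action into the management solution's own remediation.

```powershell
# Added example (not from the guide or System Center): evaluate a constructed
# device inventory against BYOD compliance rules, rank failures by the severity
# IT assigned, and derive the remediation automation should run. All names,
# rules, severities and actions below are assumptions for illustration.

# Constructed sample inventory, shaped like a management solution's device report.
$Inventory = @(
    [pscustomobject]@{ Name='ipad-01';   Platform='iOS';     OSVersion='7.1'; Encrypted=$true;  PasscodeSet=$true;  Jailbroken=$false; CorporateApps=@('Outlook') }
    [pscustomobject]@{ Name='iphone-02'; Platform='iOS';     OSVersion='6.1'; Encrypted=$true;  PasscodeSet=$false; Jailbroken=$false; CorporateApps=@() }
    [pscustomobject]@{ Name='iphone-03'; Platform='iOS';     OSVersion='7.0'; Encrypted=$false; PasscodeSet=$true;  Jailbroken=$true;  CorporateApps=@('Lync') }
    [pscustomobject]@{ Name='laptop-04'; Platform='Windows'; OSVersion='8.1'; Encrypted=$true;  PasscodeSet=$true;  Jailbroken=$false; CorporateApps=@('Outlook','Lync') }
)

# Compliance rules: each pairs a test with the severity of failing it.
$Rules = @(
    [pscustomobject]@{ Name='StorageEncrypted';  Severity='Critical'; Test={ param($d) $d.Encrypted } }
    [pscustomobject]@{ Name='NotJailbroken';     Severity='Critical'; Test={ param($d) -not $d.Jailbroken } }
    [pscustomobject]@{ Name='PasscodeRequired';  Severity='High';     Test={ param($d) $d.PasscodeSet } }
    [pscustomobject]@{ Name='MinimumIosVersion'; Severity='Medium';   Test={ param($d) $d.Platform -ne 'iOS' -or [version]$d.OSVersion -ge [version]'7.0' } }
)

# The worst severity found on a device decides the remediation (assumed action names).
$Rank    = @{ None=0; Medium=1; High=2; Critical=3 }
$Actions = @{ None='None'; Medium='NotifyUser'; High='BlockCorporateAccess'; Critical='SelectiveWipe' }

function Get-DeviceCompliance {
    param([object[]]$Devices, [object[]]$Rules)
    foreach ($d in $Devices) {
        # Run every rule against the device and keep the ones that fail.
        $failed = @($Rules | Where-Object { -not (& $_.Test $d) })
        $worst = 'None'
        foreach ($f in $failed) {
            if ($Rank[$f.Severity] -gt $Rank[$worst]) { $worst = $f.Severity }
        }
        [pscustomobject]@{
            Device      = $d.Name
            Platform    = $d.Platform
            FailedRules = ($failed | ForEach-Object { $_.Name }) -join ','
            Severity    = $worst
            Action      = $Actions[$worst]
        }
    }
}

$Results = Get-DeviceCompliance -Devices $Inventory -Rules $Rules
$Results | Format-Table -AutoSize

# The same inventory answers the questions from the Reporting section.
$ios = @($Inventory | Where-Object Platform -eq 'iOS')
"iOS devices in use: $($ios.Count)"
"iOS versions running: $(($ios.OSVersion | Sort-Object -Unique) -join ', ')"
"Corporate apps installed: $(($Inventory.CorporateApps | Sort-Object -Unique) -join ', ')"
"Jailbroken devices: $(@($ios | Where-Object Jailbroken).Count)"
```

With the constructed inventory, iphone-02 fails the passcode and minimum-version rules and is ranked High (BlockCorporateAccess), while iphone-03 fails both Critical rules and is ranked for SelectiveWipe; the two compliant devices return an action of None.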

Automation options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of each automation option:

  • Windows PowerShell
    • Advantages
      • Integrated with the Windows operating system
      • More robust than task sequences
      • Can be scripted
      • Can use programming principles such as procedures, loops, and arrays
      • Provides capabilities beyond the management platform
    • Disadvantages
      • Requires more technical skills in order to use it
      • Depending on the task at hand, developing the initial automation script might require more time
  • Task sequence
    • Advantages
      • Easy to use
      • Native capability available in System Center
    • Disadvantages
      • Limited functionality
      • Not scriptable
      • Capabilities are limited to some tasks within System Center itself

Deployment and provisioning

The next step is to understand the considerations for deploying and provisioning apps to remote devices. Two key questions should be answered:

  • How will users access apps from their own devices?
  • How will IT provision these apps to users in a friendly and effective manner?

The management solution adopted by the company is also responsible for addressing software distribution and provisioning, regardless of the platform that the user is using. Users should be able to securely access a centralized location from their devices and install the apps that they are authorized to use to perform their work.

One challenge in this area is being able to manage different platforms while preserving a centralized management interface that allows IT to quickly identify devices that are connected on-premises and in the cloud. You must consider adopting a management platform that can consolidate both (on-premises and cloud), and also one that is capable of managing Windows and non-Windows systems.

For centralized management on-premises, you can use Configuration Manager. By using this option, IT can leverage the Enterprise Enrollment capability to enroll devices with the company's Configuration Manager server. For more information about how to manage devices using Configuration Manager, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.

To manage other platforms that are not Windows-based devices, you can leverage the Microsoft Intune cloud service. The Microsoft Intune Company Portal can be used to enroll, manage, and install licensed apps. Users can have easy access to apps and install them on their devices.

Tip

For more information about Microsoft Intune, see the Microsoft Intune page.

Though these are two distinct options, you can integrate both in order to provide app deployment and provisioning from a single location. Use the following list to identify which option fits your BYOD design.

Design requirements and the matching deployment and provisioning options:

  • Deploy and provision apps to devices located on-premises only: Microsoft System Center 2012
  • Deploy and provision apps to devices located outside the company: Microsoft Intune
  • Deploy and provision apps to non-Windows devices: Microsoft Intune
  • Deploy and provision apps to devices located on-premises only, to devices located outside the company, or to non-Windows devices: Microsoft Intune integrated with Configuration Manager