User and device considerations

The first user and device issue you need to address is how the technologies in place will affect the user experience when users securely access company resources. Addressing the user experience across different devices can be challenging, not only from a security point of view but also from the perspective of app development. The communication channel between the device and company resources must provide the level of network security required to avoid data leakage while data is in transit.

The sections that follow are based on the components of the Users and Devices subdomain shown in the BYOD Problem Definition section of this guide, which is the conceptual diagram for the BYOD problem domain.

Profiles

Understanding what users need in order to do their jobs from the devices of their choice is essential when designing your BYOD infrastructure solution. Not all users have the same requirements; some users only ever access data on-premises, and policy enforcement for them can differ from that for remote workers, who access company data from a variety of locations and under a variety of circumstances. You must consider the options available to address these needs. Determine each user's profile according to their needs:

  • Do they need to access apps only?
  • Do they need to access folders located on a file server?

Though the following list suggests a set of requirements for each user profile, you can customize it by adding or removing requirements based on your company's needs. Each profile category is defined by the resources it consumes rather than by what it should contain. For example, the light profile means low utilization of resources on the device and low network requirements. Ensure that you understand each user profile's footprint; this will allow you to make more appropriate choices throughout the rest of the design process.

The user profiles proposed in this guide are:

  • Light
    • Access to web-based apps on-premises or in the cloud
    • Access to corporate mobile apps
  • Moderate
    • Access to web-based apps on-premises or in the cloud
    • Access to corporate mobile apps
    • Access to virtualized business apps
    • Access to files located on file servers on-premises
    • Access to files located in the cloud
  • Heavy
    • Access to web-based apps on-premises or in the cloud
    • Access to corporate mobile apps
    • Access to files located on file servers on-premises
    • Access to files located in the cloud
    • Access to computers using Remote Desktop
    • Access to other computers located on-premises

You will need to determine which user profile best fits your BYOD infrastructure solution. You might consider establishing multiple user profiles according to job requirements. Ideally, the technology you use to implement your BYOD infrastructure solution should be able to accommodate all user profiles, because requirements vary from one individual to another.

Devices

IT must determine whether it needs knowledge of the devices. For example, one BYOD scenario is hourly employees checking their time sheets or reviewing corporate notices or social sites while out of the office. In many organizations these were traditionally LAN-only services, but now they may be opened to personal devices. Does someone checking their schedule require device management? Understanding the devices' footprints will help IT to:

  • Track which user is registering devices: a user registering a number of devices every week might indicate suspicious activity.
  • Understand the devices' footprints: knowing which types of devices are in use on the network helps IT support those devices.
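The two checks above are easy to automate once registrations are exported from the central store. The following is an added example, not code from the guide: it runs over a constructed export of registration records and flags any owner who registered more than a threshold of devices within a rolling window, then summarizes the platform footprint. The record layout (timestamp, owner, platform, device id) is an assumption; map it to whatever your registration store actually exposes (for example, the device objects that DRS writes to Active Directory).

```python
"""Flag users who register an unusual number of devices, and summarize the device footprint.

Added example, not code from the original guide. The four record fields
(timestamp, owner, platform, device id) are assumed and would be mapped from
the real registration store.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one "timestamp,owner,platform,device_id" record per device.
SAMPLE_REGISTRATIONS = """\
2015-06-01T08:12:00Z,alice@contoso.com,Windows,DEV-A1
2015-06-02T09:30:00Z,bob@contoso.com,iOS,DEV-B1
2015-06-03T10:05:00Z,alice@contoso.com,iOS,DEV-A2
2015-06-08T07:45:00Z,mallory@contoso.com,Android,DEV-M1
2015-06-08T07:52:00Z,mallory@contoso.com,Android,DEV-M2
2015-06-09T11:20:00Z,mallory@contoso.com,Windows,DEV-M3
2015-06-10T13:00:00Z,mallory@contoso.com,iOS,DEV-M4
2015-06-11T06:10:00Z,mallory@contoso.com,Android,DEV-M5
2015-07-20T15:30:00Z,alice@contoso.com,Android,DEV-A3
"""


def parse_registrations(text):
    """Parse the CSV-style export into a list of dicts with a datetime 'when' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, owner, platform, device_id = line.strip().split(",")
        records.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "owner": owner,
            "platform": platform,
            "device_id": device_id,
        })
    return records


def find_bulk_registrants(records, window_days=7, threshold=3):
    """Return {owner: peak} for every owner whose device registrations within
    any rolling window of window_days exceed threshold.

    The window slides over each owner's sorted registration times, so a burst
    that straddles a calendar-week boundary is still counted as one burst.
    """
    by_owner = defaultdict(list)
    for r in records:
        by_owner[r["owner"]].append(r["when"])
    window = timedelta(days=window_days)
    flagged = {}
    for owner, times in by_owner.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop registrations older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[owner] = peak
    return flagged


def platform_footprint(records):
    """Count registered devices per platform, so IT knows what it must support."""
    return dict(Counter(r["platform"] for r in records))


if __name__ == "__main__":
    recs = parse_registrations(SAMPLE_REGISTRATIONS)
    print("platform footprint:", platform_footprint(recs))
    for owner, peak in find_bulk_registrants(recs).items():
        print(f"review {owner}: {peak} devices registered within 7 days")
```

The threshold and window are policy knobs: a user who legitimately replaces a phone and a laptop in the same week should not trip it, so tune them against your own registration history before wiring the output into an alert.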

Consider storing the link between the device and the user in a central location that IT can later use for auditing or reporting. To enable BYOD, IT needs to move devices from an unknown state to a known state. This will allow IT to have more control of devices that are corporate assets. Usually, companies approach this requirement in one of three ways:

  • Approach 1: Install a management agent on each user's device.
  • Approach 2: Register each device in a central repository without installing a management agent.
  • Approach 3 (1 + 2): Register each user's device and install a management agent on it.

Unknown-to-known device options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of the unknown-to-known device options:

  • Installing a management agent on each user's device
    • Advantages
      • More control over users' devices
      • Remote wipe capability
      • App deployment capability
      • More security controls available for IT to control the device
    • Disadvantages
      • Requires users to install a management agent
      • The management agent must be available for each device platform
      • More administrative overhead
  • Registering each device in a central repository without installing a management agent
    • Advantages
      • No management agent required
      • Less administrative overhead
      • The device can serve as a second authentication factor
      • Validation of the link between user and device
    • Disadvantages
      • Less control over users' devices
      • Fewer security controls available
      • No remote wipe or app deployment capability
  • Registering each user's device and installing a management agent on it
    • Advantages
      • More control over users' devices
      • Remote wipe capability
      • App deployment capability
      • More security controls
      • The device can serve as a second authentication factor
      • Validation of the link between user and device
    • Disadvantages
      • Requires users to install a management agent
      • The management agent must be available for each device platform
      • More administrative overhead

In Windows Server 2012 R2, the new Workplace Join concept allows IT to move a device from an unknown state to a known state. The device can also be used as a second authentication factor and for single sign-on to workplace resources and apps. Workplace Join is natively available in Windows 10 and is also supported on other platforms such as iOS and Android. Workplace Join relies on the Device Registration Service (DRS). For more information about DRS, read Configure a federation server with Device Registration Service. Workplace Join is a new technology and works with specific use cases. See Secure access to company resources from any location on any device for more information about a solution that leverages Workplace Join with single sign-on.

If you are considering DRS, understand that it does not provide management capabilities. If your company needs more security controls so that it has more options for controlling users' devices, consider using DRS in conjunction with mobile device enrollment as the management agent solution. If you choose this option, however, you must have a Microsoft Intune subscription. For more information about Microsoft Intune, see the Microsoft Intune page.

Network

Corporate network access must be addressed from the user and device perspective. How will users access company data while using their own devices? Most BYOD infrastructure solutions focus only minimally on remote access from users' devices; with a people-centric approach, however, you must consider where users are physically located. Focus not only on remote access but also on how users will access data while on-premises. In addition, you will need to consider regulatory requirements specific to the countries or regions in which your organization operates. For example, how can users who are physically located in a different country or region have personalized network access?

If your company has resources in the public cloud that will be accessible over the Internet from users' devices, you must consider how that traffic will be handled. Encrypt data in flight from users' devices to the cloud provider, and also when users access internal resources. Encryption in transit only helps if the client verifies the identity of the endpoint it is talking to, so make sure clients validate server certificates rather than merely negotiating an encrypted session.

Network connectivity options — advantages and disadvantages

Use the list below to understand the advantages and disadvantages of the connectivity options:

  • Traditional VPN
    • Advantages
      • Mature technology
      • Easy to configure
      • Widely available on many platforms
    • Disadvantages
      • Protocol overhead from VPN and encryption protocols
      • Must be launched before launching apps
      • Requires user interaction to establish the connection
  • Microsoft DirectAccess
    • Advantages
      • Seamless experience for users (always on)
      • Supports selected-server access and IPsec authentication with an internal network server
      • Supports end-to-end authentication and encryption
    • Disadvantages
      • Requires an on-premises infrastructure to support this capability
      • Troubleshooting can be challenging
      • Higher administrative overhead
      • Not available on all platforms
  • Automatic trigger VPN
    • Advantages
      • Easy to configure
      • The connection to the on-premises server is launched when an app needs access to corporate resources
    • Disadvantages
      • Protocol overhead from VPN and encryption protocols
      • Not available on all platforms
  • Remote Desktop with VDI
    • Advantages
      • Seamless user experience
      • More control over the desktop (hardening)
      • Widely available on many platforms
    • Disadvantages
      • Requires an on-premises infrastructure to support this capability
      • Capacity planning for network, storage and compute must be performed carefully to avoid a performance bottleneck
      • Each device requires a remote access client app
  • Web access
    • Advantages
      • Widely available on many platforms
      • Encryption available using HTTPS
      • Mature technology
      • Easy to configure
    • Disadvantages
      • Requires certificates
      • If the certificate infrastructure is internal, it requires a PKI
      • Requires an edge infrastructure to publish apps securely

After you define the design for remote network access, consider how user-owned devices will connect to your network while they are physically on-site. Users who bring their devices to work will most likely connect to corporate resources over Wi-Fi. Consider using network segmentation (physical or logical) to isolate users' devices.

You can also segment the devices that connect to the Wi-Fi network according to the platform they run. Also consider how to secure their communication and authorization while they access corporate resources on-premises.

You can choose physical segmentation on your wireless access points and network components (switches and routers) to isolate users who connect with their own devices. You can also implement this type of segmentation by using Wi-Fi profiles in Configuration Manager. A wide range of security settings is available, such as certificates for server validation and client authentication that have been provisioned by using Configuration Manager certificate profiles.

Wi-Fi network segmentation options - advantages and disadvantages

Use the list below to understand the advantages and disadvantages of the Wi-Fi segmentation options:

  • Physical segmentation
    • Advantages
      • Lower-level security segmentation, enforced in the network hardware
      • Relatively easy to configure
      • Independent of the device platform (operating system)
    • Disadvantages
      • Manageability may vary by vendor
      • Integration among different hardware vendors can be challenging
      • Higher cost to implement and maintain
  • Logical segmentation (Wi-Fi profiles)
    • Advantages
      • Seamless experience for users
      • Easier to manage than physical segmentation
      • Lower cost to implement than physical segmentation
      • Independent of the hardware used to connect devices
      • Supports multiple platforms (operating systems)
    • Disadvantages
      • Does not provide the lower-level security segmentation that the hardware solution does
  • Dynamic segmentation
    • Advantages
      • Wireless access points use a common infrastructure and SSID
      • End-user and device attributes dynamically provision network access
    • Disadvantages

Note: For more information about Wi-Fi profiles in Configuration Manager, see Introduction to Wi-Fi Profiles in Configuration Manager.

Network location plays an important role in user and device considerations. You can leverage multi-factor access control in AD FS to enable per-application authorization policies, with which you can permit or deny access based on user, device, and network location. See Manage Risk with Multi-Factor Access Control for more information about how to set up an environment to validate this capability.
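To make the per-application decision concrete, the following is an added example, not code from the guide and not AD FS's own policy engine: a small model that evaluates a claim set of (type, value) pairs, like the one a federation server issues, against a per-application policy that combines user group, device registration state and network location. The insidecorporatenetwork and isregistereduser claim types are the ones AD FS issues for network location and device registration; the group claim type, the policy table, the application names and the RDP-Users group are assumptions constructed for this example, and the three applications mirror the user-profile items earlier on the page (web app, file access, Remote Desktop).

```python
"""Per-application access decisions from user, device and network-location claims.

Added example, not code from the original guide and not AD FS's policy engine.
Claim-type URIs for network location and device registration are the ones AD FS
issues; GROUP, POLICY, the app names and the group name are assumptions.
"""

INSIDE_CORPNET = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
IS_REGISTERED = "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"
GROUP = "http://schemas.xmlsoap.org/claims/Group"  # assumed group claim type for this example

# Constructed per-application policy. Each entry answers three questions: may the app be
# reached from outside the corporate network, when must the device be a registered
# (known) device, and is a group membership required.
POLICY = {
    # Time sheets for hourly employees: any authenticated user, any device, anywhere.
    "timesheet":      {"allow_extranet": True,  "device": "none",         "group": None},
    # Web access to file shares: a registered device is required only off-premises.
    "fileshare":      {"allow_extranet": True,  "device": "off-premises", "group": None},
    # Remote Desktop to on-premises computers: corpnet only, registered device, RDP group.
    "remote-desktop": {"allow_extranet": False, "device": "always",       "group": "RDP-Users"},
}


def has_claim(claims, claim_type, value):
    """True if the claim set contains claim_type with the given value (case-insensitive)."""
    return any(t == claim_type and v.lower() == value.lower() for t, v in claims)


def authorize(app, claims):
    """Return ("permit" | "deny", reason) for app, given the issued claims.

    Absent claims are treated as the unsafe value: no insidecorporatenetwork claim
    means the request is treated as coming from the Internet, and no
    isregistereduser claim means the device is unknown.
    """
    rule = POLICY.get(app)
    if rule is None:
        return "deny", "no policy defined for application"  # deny by default
    inside = has_claim(claims, INSIDE_CORPNET, "true")
    registered = has_claim(claims, IS_REGISTERED, "true")
    if rule["group"] and not has_claim(claims, GROUP, rule["group"]):
        return "deny", f"user is not a member of {rule['group']}"
    if not inside and not rule["allow_extranet"]:
        return "deny", "application is not published outside the corporate network"
    needs_device = rule["device"] == "always" or (rule["device"] == "off-premises" and not inside)
    if needs_device and not registered:
        return "deny", "device is not registered (unknown device)"
    return "permit", "all policy conditions satisfied"


if __name__ == "__main__":
    # Constructed claim sets: an off-premises user on a registered phone, and the same
    # user on an unknown device.
    known_device = [(INSIDE_CORPNET, "false"), (IS_REGISTERED, "true"), (GROUP, "RDP-Users")]
    unknown_device = [(INSIDE_CORPNET, "false"), (GROUP, "RDP-Users")]
    for app in POLICY:
        print(app, "known:", authorize(app, known_device), "unknown:", authorize(app, unknown_device))
```

The design choice worth copying is the treatment of missing claims: a request with no network-location claim is assumed to be external and a device with no registration claim is assumed to be unknown, so a misconfigured claim pipeline fails closed rather than silently granting on-premises privileges to Internet traffic.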