Start using Enterprise Mobility + Security

Organizations going through digital transformation need to protect themselves from new threats and challenges while IT is continually being asked to drive efficiency and do more with less. In addition, in a cloud-first, mobile-first world, users expect to be productive from anywhere and on any device. With EMS you get holistic solutions to help you:

  • Control identity + access in the cloud. Centrally manage identities and secure single sign-on across devices, your datacenter, and the cloud.
  • Get identity-driven security. Comprehensive, intelligent protection against today's advanced attacks.
  • Manage mobile devices + apps. Securely manage apps and data on iOS, Android, and Windows from one place.
  • Protect your information. Intelligently safeguard your corporate data and enable secured collaboration.

Read on to learn about how EMS empowers IT to confidently deliver secure, borderless productivity that people love. These example scenarios will help you get started with EMS as you transition from on-premises to the cloud, leverage cloud security and protection, and finally provide full service IT from the cloud.

Transition from on-premises to the cloud

EMS comprises many services and features that you can use depending on your business needs and as you become more familiar with their capabilities.

Establish Azure AD identity

Everything starts with cloud identity, so the first thing you'll need to do to get started is to establish your organization's Azure Active Directory presence. You can do this completely from the cloud, or you can synchronize your current Windows Server Active Directory objects with Azure Active Directory to leverage your current investments in on-premises identity management.

Protect your organization at the front door

Traditional security solutions used to be enough to protect your business. But that was before the mobility industry grew, which created a larger attack landscape, and the transition to the cloud made employees' interactions with other users, devices, apps, and data more complex. To truly protect your business now, you need to take a more holistic and innovative approach to security, one that can protect, detect, and respond to threats of all kinds on-premises as well as in the cloud.

Start managing devices

Ensuring corporate data is secure and administrative costs are low, while also managing device complexity in the enterprise, can be challenging for traditional IT. EMS makes it easy for you to support many different device management scenarios ranging from company-owned Choose Your Own Device (CYOD) to Bring Your Own Device (BYOD) personally owned devices used at work.

  • Issue corporate-owned devices. Intune offers bulk provisioning and management solutions to help you issue corporate-owned devices in your organization that are integrated with the major corporate device management platforms on the market today, including the Apple Device Enrollment Program and the Samsung KNOX mobile security platform.
  • Enable a limited-use shared device solution. Task workers are increasingly making use of mobile technologies. Whether used to process a sale or instantly check inventory, tablets that might only run a single line-of-business app are usually handed to employees in a limited-use mode. Intune enables you to bulk provision, secure, and centrally manage these shared iOS and Android tablets that can be configured to run in this limited-use mode.
  • Enable a BYOD program in your organization. BYOD continues to grow in popularity among organizations as a means to reduce hardware expenditures or increase mobile productivity choices for employees. As enterprises move away from the traditional model of corporate-owned devices, they must decide how to implement a BYOD program to allow employees to use their personal devices for some of their work tasks.
  • Align Windows 10 deployment and management strategy to business, end-user, and IT needs. Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7 and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process. After you have deployed Windows 10, you will also need to determine how to best manage Windows 10 PCs using Intune to meet your end-user productivity and business needs. You have two choices: enroll the Windows 10 PC as a mobile device or install the Intune software client to manage the device as a computer.

Manage and protect company data

Most information workers are mobile these days, and enabling productivity on mobile devices is imperative to staying competitive. These employees need seamless access to all corporate apps and data, at any time, wherever they are, and EMS makes this easy to do, whether on-premises or in the cloud.

  • Protect on-premises company data. Most enterprise mobility strategies begin with a plan to enable secure access to email for employees with mobile devices out on the internet, but you also need to enable secure access to on-premises company data from mobile devices. For example, many organizations still have on-premises data and application servers, like Microsoft Exchange, hosted on their corporate network.
  • Protect Office 365 company data. Protecting corporate data in Office 365 (email, documents, instant messages, etc.) could not be easier for you or more seamless for your users. Office 365 and EMS provide a uniquely integrated conditional access solution that ensures no users, apps, or devices can access Office 365 data unless they meet your company's compliance requirements (performed multi-factor authentication, enrolled with Intune, using managed app, supported OS version, device PIN, low user risk profile, etc.).
  • Secure access to Office 365 and protect data on unmanaged devices. A common Office 365 deployment practice is to require devices to enroll into management, but that is not always necessary. If a user simply needs to access corporate email and documents, which is often the case for personally owned devices, then you can just use the Office mobile apps (which you have applied app restriction policies to) and skip enrolling the device altogether.

Leverage cloud security and protection

EMS provides an identity-driven security solution that offers a holistic approach to the security challenges in this mobile-first, cloud-first era. With EMS, you can not only protect your shared organizational data, but also identify security breaches before they have a chance to cause damage.

Securely share data

Nowadays, information sharing takes place from multiple devices and across organizational boundaries. Companies are challenged to identify what data needs protection and what data does not. To meet this challenge, you can classify, label, and protect sensitive data with Azure Information Protection to ensure that critical corporate data is not compromised while enabling users to securely share what's important for them to get their jobs done.

Identify and protect against threats

As more organizations move to an assume breach posture, EMS helps you identify attackers in your organization using innovative behavioral analytics and anomaly detection technologies: on-premises with Microsoft Advanced Threat Analytics, and in the cloud with Azure Active Directory and Cloud App Security. Our threat intelligence is enhanced with the Microsoft Intelligent Security Graph driven by vast datasets and machine learning in the cloud.

Full service IT from the cloud

As organizations complete their digital transformation, full service IT from the cloud will become business as usual. Companies with mature cloud implementations will look to take advantage of the capabilities provided by EMS to enable long-term, end-to-end identity and data protection scenarios.

Identity management from hire to retire

Microsoft has been securing cloud-based identities for over a decade, and with Azure Active Directory, Microsoft is making these same protection systems available to enterprise customers to ensure user and administrator accountability with better security and governance.

Protect shared files and SaaS apps with policies and tracking

EMS seamlessly integrates advanced company data protection into the rhythm of your business to make it easy to safeguard company information from both purposeful and accidental data loss.

  • Share sensitive data internally and externally. While many data breaches are due to cyberattacks, experts agree that many more are the result of human error, otherwise known as "oops" moments that happen when employees inadvertently leak sensitive business data. With the right security information and data loss prevention protocols in place, nearly all of these kinds of breaches are avoidable.
  • Track usage of shared data and respond to data abuse. Azure Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.
  • Manage your data your way with flexible deployment and key management options. Instead of Microsoft managing your tenant key (the default), you might want to manage your own Azure Information Protection tenant key to comply with specific regulations that apply to your organization. Managing your own tenant key is also referred to as bring your own key, or BYOK.
  • Sanction and manage SaaS applications for employees. Use Cloud App Security to sanction/unsanction applications, enforce data loss prevention (DLP), control permissions and sharing, and generate custom reports and alerts.
  • Protect your data from user mistakes. We provide deep visibility into user and data activity, so you can protect your company when users make poor choices as they work with critical company data. Microsoft Cloud App Security provides visibility and controls for cloud apps, including Office 365. With Azure Information Protection, we have brought together classification and labeling with persistent data protection to enable secure file sharing, internally and externally.

Learn more

Visit the Microsoft Enterprise Mobility + Security page

Learn about Enterprise Mobility + Security

Try out EMS for free