There are many options available to meet employee mobility experience expectations in the modern workplace, including bring your own device (BYOD) programs. However, many organizations want more control over which devices are used to access company data. In these scenarios, businesses can implement choose your own device (CYOD) strategies, where IT provides managed mobile devices to employees.

For CYOD strategies to be successful, companies must be able to offer a select variety of devices that users can choose from. This is especially true if the organization is implementing CYOD as an alternative to BYOD, because if users do not like the device you issue them, they will find a way to use their own unmanaged devices. With CYOD, IT can enroll only specific device types into management, reduce support costs, and help protect company data from the minute a device is issued to an employee. Employees get the mobile device options they've grown accustomed to in their personal lives without needing to take additional steps or call the help desk to get their devices managed and company data access configured.

How can Enterprise Mobility + Security help you?

You can enroll organization-owned or corporate-owned devices for management with Microsoft Intune in a variety of ways, depending on the type of device, how it was purchased, and the needs of the organization. You can also install the Company Portal app to enroll and manage corporate-owned devices, just as in a BYOD scenario. Corporate-owned iOS devices can be enrolled directly into management by Intune through the configuration tools provided by Apple. All device types can be enrolled by an admin or manager using the device enrollment manager. Devices with an IMEI number can also be identified and tagged as company-owned to enable corporate-owned device (COD) scenarios.

With EMS, you can provide capabilities and experiences that create a productive workplace embracing diverse workstyles, anywhere. Whether your employees use iOS, macOS, Android, or Windows devices, Intune can help you deliver productivity across devices while keeping company data secure. In addition to comprehensive mobile device and app lifecycle management, Intune integrates directly with Office 365 and the Office mobile apps so you can easily protect corporate data.

Using Intune, you can easily give employees access to company applications, data, and resources from virtually anywhere on any device, while helping to keep corporate information safe and secure. Direct integration with Office 365 enables a rich end user experience and provides the most comprehensive data loss prevention capabilities for the Office mobile apps, along with access control to Office 365. When a device is lost, stolen, or simply no longer needed for work, Intune lets you selectively wipe only company data from managed devices.


Intune recognizes a device as corporate-owned when any of the methods described in this solution is used to enroll it. When the Intune service recognizes a device as corporate, the Ownership column for that device record in the administrator console shows Corporate.


You can download this infographic at https://gallery.technet.microsoft.com/Infographic-Management-3644ae41.

How to implement this solution

The rest of this solution is divided into the following sections, which show you how to:

  • Enroll corporate-owned iOS devices. This section describes how to use Apple Configurator (on a Mac) and Apple DEP integration to enroll corporate-owned devices.
  • Enroll corporate-owned Windows 10 devices. This section describes how to automatically enroll Windows 10 devices into management when they are joined to your company's Azure Active Directory.
  • Enroll devices using a device enrollment manager (DEM) account. Learn how DEM accounts enable a single person from IT to enroll more than the default number of devices into management.
  • Tag corporate-owned devices with international mobile equipment identity (IMEI) numbers. This section describes another option for beginning to manage corporate-owned devices at enrollment: importing the IMEI numbers that identify them.
  • Make sure that managed devices comply with basic security requirements. This section describes how to make sure that devices used to access company apps and data comply with basic security requirements.
  • Provide access to company resources. This section shows how IT can enable users to access company resources easily and securely by deploying access profiles to managed devices, and how to manage volume-purchased app deployments with Intune.
  • Protect company data. This section explains how to provide conditional access to company resources, prevent data loss, and remove company apps and data from devices when they are no longer needed for work or have been lost or stolen.

Enroll corporate-owned iOS devices

If you offer users iOS devices to choose from as part of your CYOD strategy, you can preconfigure enrollment so that the device is managed by Intune from the first time the user turns it on. Intune supports enrollment through the Apple Device Enrollment Program (DEP), or through the Apple Configurator tool on a Mac computer for Setup Assistant or direct enrollment. You can also deploy an enrollment profile over the air to iOS devices purchased through DEP.

Setup Assistant enrollment

When you use the Setup Assistant enrollment option for iOS devices, the device is reset to factory defaults and prepared for final setup by its new user. This method requires the admin to connect the iOS device by USB to a Mac computer running Apple Configurator to preconfigure the enrollment. Devices are then delivered to their users, who run the Setup Assistant process. This process configures the device with their work or school credentials and completes the enrollment.

Direct enrollment

Direct enrollment for iOS devices creates an Apple Configurator-compliant file for use during device preparation. The enrolled device isn't factory reset, but it has no user affiliation. This method requires the admin to connect the iOS device by USB to a Mac computer running Apple Configurator to enroll the device.

DEP enrollment

Microsoft Intune can deploy an enrollment profile that enrolls iOS devices bought through the Device Enrollment Program (DEP) over the air. The enrollment package can include Setup Assistant options for the device, so that when a user runs Setup Assistant, the device is enrolled in Intune and is managed from day 0.


Devices enrolled through DEP cannot be unenrolled by users.

Enroll corporate-owned Windows 10 devices

You can make enrolling Windows devices into management seamless for your users by enabling the automatic enrollment feature in Azure AD (Premium). When you do, a company-owned device that joins your organization's Azure AD is automatically enrolled into management with Intune when the user adds a work or school account to register it.

Windows 10 Azure Active Directory Join (Azure AD Join) makes it easy for users to connect to your enterprise cloud through Azure AD. From there, they can access organizational apps and resources from their Windows devices. Automatic device enrollment integration means that those devices are also automatically managed by Microsoft Intune.


To enable auto-MDM enrollment in your Azure AD Premium directory from the Microsoft Azure portal, go to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

Azure AD Join is intended for enterprises that are cloud-first or cloud-only. These organizations are typically small and medium-sized businesses that do not have an on-premises Windows Server Active Directory Domain Services (AD DS) infrastructure. That said, Azure AD Join can and will also be used by large organizations on devices that cannot do a traditional domain join (mobile devices, for example), or for users who primarily need access to Office 365 or other Azure AD SaaS apps. When device management is done with Intune, IT administrators can manage Azure AD-joined devices alongside AD DS domain-joined devices in the Configuration Manager console through hybrid MDM. When a user adds a work or school account on a Windows 10 device, the device is automatically tagged as corporate-owned.

Enroll devices with a device enrollment manager (DEM) account

A single Intune device enrollment manager (DEM) account can be used to enroll large numbers of mobile devices for your organization. After you create a DEM account, it can be used to enroll up to 1,000 devices.

You can use a DEM account to enroll only devices that aren't used by a single, specific user. Those types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources. DEM enrollment also has the following limitations:

  • Users can't use Apple Volume Purchase Program (VPP) apps, because of per-user Apple ID requirements for app management.
  • If you use DEM to enroll iOS devices, you can't use Apple Configurator or the Apple Device Enrollment Program (DEP) to enroll those devices.

Tag corporate-owned devices with international mobile equipment identity (IMEI) numbers

Microsoft Intune lets admins import international mobile equipment identity (IMEI) numbers for mobile device platforms to help identify corporate-owned mobile devices.

You can import up to 5,000 IMEI numbers using a specially formatted .CSV file, or manually enter up to 15 device IMEI numbers at a time in the Intune administration console. When a device with an imported IMEI number enrolls in Intune, usually when a user installs the Company Portal app and completes the enrollment process, the device is tagged as corporate-owned and appears as enrolled in the IMEI Devices group.
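A typo in an IMEI list silently produces a device that never gets tagged as corporate-owned, so it pays to validate the export from your inventory before uploading it. The script below is an added example, not code from the page or from Microsoft: it normalizes an inventory export (strips separators), checks each entry for the 15-digit length and the Luhn check digit that IMEIs carry, drops duplicates, enforces the 5,000-per-file limit the page states, and writes the rows as a two-column CSV. The two-column layout (IMEI, then a free-text details column, no header) and the sample IMEIs are assumptions and constructed test values; confirm the exact file layout against the Intune documentation before importing.

```python
import csv
import io
from typing import List, Optional, Tuple

# Limit stated on the page for a single CSV import
MAX_IMEI_PER_CSV = 5000


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; the 15th digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_imei(raw: str) -> Tuple[Optional[str], str]:
    """Strip separators, then check length and checksum.
    Returns (15-digit IMEI or None, reason)."""
    digits = "".join(c for c in raw if c.isdigit())
    if len(digits) != 15:
        return None, "wrong length"
    if not luhn_valid(digits):
        return None, "bad checksum"
    return digits, "ok"


def prepare_imei_import(raw_entries: List[str], limit: int = MAX_IMEI_PER_CSV):
    """Normalize, validate and de-duplicate an inventory export.
    Returns (accepted IMEIs in input order, [(raw entry, reason), ...])."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for raw in raw_entries:
        digits, reason = classify_imei(raw)
        if digits is None:
            rejected.append((raw, reason))
        elif digits in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(digits)
            accepted.append(digits)
    if len(accepted) > limit:
        raise ValueError(f"{len(accepted)} IMEIs exceed the per-file limit of {limit}; split the file")
    return accepted, rejected


def build_import_csv(imeis: List[str], details: str = "Corporate-owned (constructed)") -> str:
    """One row per device: IMEI, then a details column; no header row.
    Assumption: verify this layout against the Intune documentation before importing."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for imei in imeis:
        writer.writerow([imei, details])
    return buf.getvalue()


# Constructed sample inventory export; the IMEIs are well-known test values, not real devices
SAMPLE_INVENTORY = [
    "490154203237518",      # valid
    "49-015420-323751-8",   # same IMEI with separators: dropped as a duplicate
    "490154203237517",      # last digit altered: fails the Luhn check
    "12345",                # too short
    "356938035643809",      # valid
]

if __name__ == "__main__":
    ok, bad = prepare_imei_import(SAMPLE_INVENTORY)
    print(build_import_csv(ok), end="")
    for raw, why in bad:
        print(f"rejected {raw!r}: {why}")
```

Rejected entries are returned with a reason rather than dropped silently, so the list can be handed back to whoever maintains the inventory; a file that would exceed the limit raises instead of being truncated, since a truncated upload would leave the remaining devices untagged without any error.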

Make sure that managed devices comply with basic security requirements

Whether enrolling an iOS, Android, or Windows 10 device, IT needs to make sure that devices used to access company apps and data comply with basic security requirements. These rules might include requiring a PIN to access the device and encrypting data stored on it. A set of such rules is called a compliance policy.

When you create and deploy a compliance policy to a user, all the devices they have managed by Intune are checked to see whether they comply with the basic security requirements you've defined as part of your CYOD or BYOD policy. After a device has been evaluated for policy compliance, it reports its status back to the Intune service. In some cases, users might be prompted to remediate non-compliant settings, such as setting a PIN or enabling device encryption; in other cases, the Company Portal app only notifies the user about any compliance problems found.

Provide access to company resources

This section shows how IT can enable users to access company resources easily and securely by deploying access profiles to managed devices, and how to manage volume-purchased apps.

Provide access to company data

The first thing most employees want on their mobile device is access to company email and documents, and they expect to set it up without going through complex steps or calling the help desk. Microsoft Intune makes it easy for you to create and deploy email settings for the native email apps that are pre-installed on the mobile devices used by your organization.


Intune supports Android for Work email profile configuration for the Gmail and Nine Work email apps found in the Google Play store.

In addition to email, EMS also helps you control access to, and protect, on-premises company data that is accessed from outside traditional corporate security boundaries. Microsoft Intune Wi-Fi, VPN, and email profiles work together to help your users gain access to the files and resources they need to do their work, wherever they are. Your company's web applications and services hosted on-premises can also be securely accessed and protected using the Azure Active Directory Application Proxy and conditional access.

Add apps for enrolled devices

It's easy to add apps for enrolled devices with Intune, but before you can deploy or manage an app, you must add it to Intune using the Intune Software Publisher. You use the Intune Software Publisher to configure the properties of the app and, where applicable, upload it to your cloud storage space.

With Intune, you can deploy or manage the following types of apps on enrolled devices:

  • Software installer. These kinds of apps include Windows software installers (.exe or .msi), app packages for Android (.apk), app packages for iOS (.ipa), Windows Phone app packages (.xap, .appx, and .appxbundle), Windows app packages (.appx, .appxbundle), and Windows Installer through MDM (.msi) files. All software installer app types are uploaded to your cloud storage space.
  • External link. This type of app deployment provides an external link (URL) that lets users download an app from an app store, or a link to a web-based app that runs in the web browser. Apps based on external links are not stored in your Intune cloud storage space.
  • Managed iOS app from the app store. You can use managed iOS apps to manage and deploy free iOS apps from the app store. You can also use managed iOS apps to associate mobile application management policies with compatible apps and review their status in the administrator console. Managed iOS apps are not stored in your Intune cloud storage space.

Manage volume-purchased apps

You can easily deliver store apps to managed devices, and even target apps to unmanaged devices through the Company Portal website, but Intune also lets you manage and deploy apps that you purchased in volume from the iOS App Store and the Windows Store for Business. This helps reduce the administrative overhead of tracking volume-purchased apps.


You can easily configure single sign-on (SSO) with Azure AD Connect so that users can sign in to apps with the domain user name and password they use on-premises. In addition, you can provide internet-based access to web apps hosted on-premises using the Azure Active Directory Application Proxy.

With Intune, it is easy to import the volume license information from either store, track how many licenses you have used, and prevent users from installing more copies of an app than you own.

Protect company data

Intune protects company data through multiple technology layers. At the identity layer, conditional access protects access to services by allowing access only from managed and compliant devices. At the client application layer, app protection policies protect against data loss by preventing data from moving to unprotected apps or storage locations, and by wiping data when a device is lost or stolen.

Enforce conditional access to company resources

You can use compliance policies in combination with conditional access policies to check whether devices comply with the basic security requirements that your BYOD policy requires. If a device is not compliant with policy, conditional access rules are enforced and access is denied until the device is configured to meet policy requirements. This ensures that only managed and compliant devices can access company data from services like Exchange (Exchange on-premises or Exchange Online), SharePoint Online, Skype for Business Online, and others.


Conditional access policies will not work if there is no compliance policy in place to validate compliance.
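To make the relationship between a compliance policy and conditional access concrete, here is an added example, written for this page and not Intune's own evaluation engine, that models the two steps described in the compliance section and in this one: a compliance policy carrying the two basic requirements the page names (PIN and storage encryption) is evaluated against a device's reported state, and a conditional access decision then grants access only to a device that is both managed and evaluated as compliant. The device records, the policy, and the rule that a device with no compliance policy assigned (and therefore no compliance status) is denied are constructed assumptions of this model, chosen to reflect the note above that conditional access cannot work without a compliance policy to validate against.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CompliancePolicy:
    """The basic requirements named on the page: a device PIN and storage encryption."""
    require_pin: bool = True
    require_encryption: bool = True


@dataclass
class Device:
    name: str
    managed: bool                               # enrolled in Intune
    pin_set: bool                               # state the device reports back
    encrypted: bool
    policy: Optional[CompliancePolicy] = None   # None: no compliance policy assigned


def evaluate_compliance(device: Device) -> Tuple[Optional[bool], List[str]]:
    """Check the reported device state against its assigned policy.
    Returns (True/False, failures), or (None, reason) when no policy is assigned,
    because without a policy there is nothing to evaluate against."""
    if device.policy is None:
        return None, ["no compliance policy assigned"]
    failures: List[str] = []
    if device.policy.require_pin and not device.pin_set:
        failures.append("PIN not set")
    if device.policy.require_encryption and not device.encrypted:
        failures.append("storage not encrypted")
    return len(failures) == 0, failures


def conditional_access_decision(device: Device) -> Tuple[str, List[str]]:
    """Grant only to managed devices whose compliance evaluated as True.
    Assumption of this model: an unmanaged device, or one with no compliance
    status at all, is treated as not compliant and denied."""
    if not device.managed:
        return "deny", ["device not managed"]
    compliant, reasons = evaluate_compliance(device)
    if compliant:
        return "grant", []
    return "deny", reasons


def decide_all(devices: List[Device]) -> Dict[str, str]:
    """Map each device name to its access decision."""
    return {d.name: conditional_access_decision(d)[0] for d in devices}


# Constructed sample fleet (hypothetical names and states)
BASIC_POLICY = CompliancePolicy()
SAMPLE_DEVICES = [
    Device("ios-sales-01", managed=True, pin_set=True, encrypted=True, policy=BASIC_POLICY),
    Device("android-field-07", managed=True, pin_set=False, encrypted=True, policy=BASIC_POLICY),
    Device("win10-kiosk-03", managed=True, pin_set=True, encrypted=True, policy=None),
    Device("personal-phone", managed=False, pin_set=True, encrypted=True, policy=BASIC_POLICY),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        decision, why = conditional_access_decision(d)
        print(f"{d.name}: {decision} {why}")
```

The third sample device is the case the note above warns about: its state would satisfy every rule, but with no policy assigned there is no compliance status for conditional access to consume, so the model denies it rather than assuming compliance. The reasons list is what you would surface to the user through the Company Portal so they can remediate.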

Prevent loss of company data with application protection policies

Intune's application protection policies give you the versatility to manage how your data is accessed, with or without device enrollment. The ability to protect company data with or without device enrollment lets you enable data protection scenarios so that company data can be accessed securely even when a user is reluctant to enroll their device into management.

You can use Intune app protection policies to help protect company data that is accessed from your users' iOS and Android devices. By implementing these app-level policies, you can control how company data is used and shared by employees even if the device itself isn't managed by Intune.

Use Windows Information Protection (WIP) policies to do the same for managed Windows 10 devices. These policies work without interfering with the employee experience or requiring changes to your network environment or other apps.

Wipe company data while leaving personal data intact

When a device is no longer needed for work, is being repurposed, or has gone missing, you need to be able to remove company apps and data from it. To do this, you can use Intune's selective wipe and full wipe capabilities. Your users can also remotely wipe their own personally owned devices that they've enrolled into management from the Intune Company Portal.

Rather than doing a full wipe, which restores a device to its factory default settings and removes user data and settings, you can use selective wipe to remove only company data from the device while leaving the user's personal data intact.

Once initiated, the device immediately begins the selective wipe process and is removed from management. When the process is complete, all company data is deleted and the device is removed from the Intune administrator console, completing the device management lifecycle.

