Application management options

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Mobile application management (MAM) policies help prevent your company data from being leaked to consumer apps or services on mobile devices. Typically, these policies would only be enforced on devices enrolled in a mobile device management solution. Intune has now expanded its MAM capabilities to include devices managed by other mobile device management solutions and devices that aren’t enrolled in any device management system.

As shown in the figure below, if you already have an MDM solution in place, Intune MAM can help you manage and secure Office applications and Office 365 data without needing to un-enroll employee devices and re-enroll them in Intune MDM in a coexistence or migration scenario:

Overview of application management separation for mobile devices using Intune MAM policies

Intune MAM features are not a replacement for entire MDM solutions. The MDM protocol is required for comprehensive device management scenarios like VPN, Wi-Fi, certificate management, application deployment, and configuring device-level security settings.

For hybrid deployments with ConfigMgr and Intune, mobile app management policies can be used to protect apps on devices that are not managed by Intune. Using this new capability, you can apply mobile app management policies for apps connecting to Office 365 services. This is not supported for apps connecting to on-premises Exchange or SharePoint. To use this capability, you must use the Azure preview portal.

Depending on how you answered the questions in Step 1, you should be able to determine how you want applications to be managed in the mobile device management solution. The lists below show the advantages and disadvantages of each app management option.

Intune (standalone)

  • Supports managing applications on devices enrolled in Intune, on devices enrolled in other management solutions, or on devices not enrolled in any management solution
  • Isolates company data from consumer personal data within apps enlightened for Intune. These include Office Mobile apps, third-party apps that have adopted the Intune SDK, or line-of-business apps wrapped by Intune
  • Allows sharing company data with cut/copy/paste across company apps, while preventing the sharing of company data into personal apps
  • Key data loss prevention policies like per-app PINs, save-as controls, and managed data sharing between apps
  • Support for these capabilities in Microsoft Word, Excel, PowerPoint, Outlook, OneNote, and OneDrive for Business
  • Manage iOS apps purchased through the Apple Volume Purchase Program for Business
  • Supported on Android and iOS devices, and on Windows 10 devices through the built-in Windows Information Protection feature

MDM for Office 365

  • Not currently supported

Hybrid (Intune with ConfigMgr)

Advantages

  • All the advantages of Intune standalone

Disadvantages

  • Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
  • Organizations that don’t have a current ConfigMgr infrastructure configured will need to plan, install, and configure one prior to integrating with Intune

Explore the details about mobile application management options by reviewing the following for Intune & ConfigMgr: Configure and deploy mobile application management policies in the Microsoft Intune console. Additionally, be sure to check out the list of Microsoft apps you can use with Intune MAM policies, as well as the expanding list of Intune’s compatible partner apps.