Data segregation

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Data segregation is important, not only for your organization, but also to keep your users' personal information private. Data segregation helps you to remove all company apps and data from a device that belongs to a user, without affecting the user's personal data (see figure below).

Figure: Data segregation

User's personal data is isolated from company's data

By keeping all apps, company data, and policies that were deployed by the MDM solution separate from the user's own content, they can be removed from the device with a selective wipe if necessary, without affecting the user's personal content and apps.

Tip

Read Help protect your data with full or selective wipe using Microsoft Intune for more about how remote wipe behaves on other platforms such as iOS and Android.

Selective wipe for mobile device data management is included in Windows Server 2012 R2 and Windows 8.1. It works by linking resources that help Exchange Server and Microsoft Intune administrators manage enterprise data on devices and develop apps that can use the Windows Selective Wipe capabilities. Windows Phone 8 and later support separating data in the internal storage.

Figure: Data segregation

Read more about Windows Phone 8.1 security capabilities by downloading the Windows Phone 8.1 Security Overview.

Data segregation can be challenging if users switch between personal accounts and corporate accounts on their mobile devices. In a BYOD scenario, it's common for users to use multiple credentials to perform different tasks on their device.

Enterprise Data Protection (EDP) provides data separation, but it neither uses containers nor requires a special version of an app to access business data and a second instance of it to access personal data. There are no containers, partitions, or special folders that physically separate personal and business data. Instead, Windows 10 Mobile acts as the access control broker, identifying enterprise data because it is encrypted to the enterprise.

EDP provides data separation by virtue of encrypting enterprise data. Read Enterprise data protection (EDP) overview for more information. Intune EDP policies manage the list of apps protected by EDP, the enterprise network locations, the protection level, and the encryption settings.

When a user installs and signs in to an app that supports multiple identities (multi-identity) on an Intune-managed device, such as Outlook, Intune checks whether the account they're using matches the managed account on the device. If the account is managed, and there is also a policy for the app and the user, then the policy settings protect the data in that account. When the user adds personal accounts to the app, those accounts are outside of Intune management and protection. This allows personal use of the application without compromising corporate protection. Read Protect data using mobile application management policies with Microsoft Intune for more information about the multi-identity capability in Intune.

The table below compares the selective wipe features available with different MDM solutions to help you choose the MDM solution that best fits your organization's data segregation requirements.

Intune (standalone)

Advantages

  • Allows you to perform selective wipes to remove only company data located on mobile devices
  • Allows you to perform factory resets and fully wipe mobile devices
  • Support for multi-identity apps

Disadvantages

  • Does not include native encryption for mobile device storage
  • No integration with the current on-premises MDM platform, which means an additional management interface for you to use

Office 365 with MDM

Advantages

  • Allows you to perform factory resets and fully wipe Android, Windows Phone, and iOS devices
  • Allows you to perform selective wipes on Android, Windows Phone, and iOS devices to remove only company data from mobile devices

Disadvantages

  • No integration with the current on-premises MDM platform, which means an additional management interface for you to use

Hybrid (Intune with ConfigMgr)

Advantages

  • Allows you to perform selective wipes to remove only company data from mobile devices
  • Allows you to perform factory resets and fully wipe mobile devices
  • Support for multi-identity apps
  • Single management console to manage cloud-based and on-premises mobile devices

Disadvantages

  • If the organization does not have a current on-premises ConfigMgr infrastructure, you will need to plan, install, and configure this platform before the integration

Make sure to read the article Help protect your data with full or selective wipe using Microsoft Intune to understand how data is removed and retained after a selective wipe on each mobile device platform. If you have a hybrid environment, consult the article How to remote wipe mobile devices using Configuration Manager to understand how ConfigMgr can be used to accomplish this task.