Determine network requirements


This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Enabling secure, managed access to a wide variety of corporate resources by mobile devices is an important feature of a mobile device management solution. While these resources have typically been located in on-premises networks, it is now common for resources to be hosted on cloud-based web services and external networks as well. How mobile devices connect to corporate email platforms, virtual private networks (VPNs), and corporate wireless (Wi-Fi) networks all play an important role in keeping corporate data and other resources protected from unauthorized access. Equally important is making it convenient and easy for mobile device users to have secure access to these resources, so that users do not fall back on a more convenient but insecure method of storing or accessing them.

Email management

Corporate email is typically the primary data resource most users need access to on a corporate network, whether from a personally owned or a company-owned mobile device. Accessing email is also typically the connection that triggers initial mobile device enrollment. Being able to manage email access for mobile devices across both your existing non-mobile-device management solution and the mobile device management solution helps avoid device coverage gaps and increases the protection for data stored on email servers.

Most mobile device management solutions provide email access protection by using one or both of the following features:

  • Email profiles: By setting up and deploying email profiles, administrators can automatically configure mobile devices with the appropriate email server information for users to connect to their mailboxes. This helps users connect to the correct email server without having to remember the right server endpoint names or network addresses. In addition, by removing an email profile, administrators can remove email from devices as part of a device reset or selective wipe. Email profile management can be a feature of a non-mobile-device management solution, or it can be integrated with a mobile device management solution.
  • Conditional email access: Conditional email access, or "managed" email access, typically focuses on security and compliance for accessing email on a mobile device rather than on which endpoint the mobile device connects to. With conditional email access, a compliance policy is defined and assigned to individual users or devices, or to groups of users and/or devices. The policy outlines the prerequisites that have to be in place before a mobile device can connect to an email resource; for example, a PIN might be required on the device. The policy is typically enforced when the device first enrolls, but it remains in place and active as long as the mobile device is enrolled in the mobile device management system.
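The conditional access behaviour described above, as an added example that is not part of the original guide: a compliance policy is assigned to users, devices or groups, evaluated before a device may reach the mail server, and re-evaluated while the device stays enrolled. The policy fields, device attributes and sample records are constructed for illustration, not taken from any particular product.

```python
"""Conditional ("managed") email access: evaluate a compliance policy for a
device before it may connect to the mail server, and re-evaluate it while the
device stays enrolled.

Added example, not code from the original guide. Policy fields, device
attributes and the sample records are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    user: str
    groups: List[str]
    os: str
    os_version: Tuple[int, int]
    enrolled: bool          # registered with the MDM system
    pin_set: bool           # device lock PIN configured
    encrypted: bool         # storage encryption enabled


@dataclass
class CompliancePolicy:
    name: str
    # A policy is assigned to individual users/devices or to groups of them.
    assigned_users: List[str] = field(default_factory=list)
    assigned_devices: List[str] = field(default_factory=list)
    assigned_groups: List[str] = field(default_factory=list)
    require_pin: bool = True
    require_encryption: bool = True
    min_os_version: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def applies_to(self, d: Device) -> bool:
        return (d.user in self.assigned_users
                or d.device_id in self.assigned_devices
                or any(g in self.assigned_groups for g in d.groups))


def evaluate(device: Device, policies: List[CompliancePolicy]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means every applicable policy passed."""
    if not device.enrolled:
        # Unenrolled devices are blocked before any policy is consulted.
        return False, ["device is not enrolled in the MDM system"]
    reasons: List[str] = []
    for p in policies:
        if not p.applies_to(device):
            continue
        if p.require_pin and not device.pin_set:
            reasons.append(f"{p.name}: device PIN required")
        if p.require_encryption and not device.encrypted:
            reasons.append(f"{p.name}: storage encryption required")
        floor = p.min_os_version.get(device.os)
        if floor is not None and device.os_version < floor:
            reasons.append(f"{p.name}: {device.os} {device.os_version} below minimum {floor}")
    return (not reasons), reasons


# Constructed sample policy: applies to the "sales" group and to one named user.
SAMPLE_POLICIES = [
    CompliancePolicy(
        name="corp-email-baseline",
        assigned_users=["alice"],
        assigned_groups=["sales"],
        min_os_version={"ios": (9, 0), "android": (6, 0)},
    )
]


def access_timeline() -> List[Tuple[str, bool]]:
    """The policy stays active after enrollment: the same device is
    re-evaluated each time its state changes."""
    d = Device("dev-001", "bob", ["sales"], "ios", (9, 3),
               enrolled=False, pin_set=True, encrypted=True)
    timeline = [("before enrollment", evaluate(d, SAMPLE_POLICIES)[0])]
    d.enrolled = True
    timeline.append(("after enrollment", evaluate(d, SAMPLE_POLICIES)[0]))
    d.pin_set = False      # the user later removes the lock PIN
    timeline.append(("PIN removed", evaluate(d, SAMPLE_POLICIES)[0]))
    d.pin_set = True
    timeline.append(("PIN restored", evaluate(d, SAMPLE_POLICIES)[0]))
    return timeline


if __name__ == "__main__":
    for step, allowed in access_timeline():
        print(f"{step:18s} -> {'allowed' if allowed else 'blocked'}")
```

The timeline is the point of the example: enrollment alone is not a grant, and a device that becomes non-compliant later loses access until it is compliant again, which is the behaviour a planning question about "before and while remaining connected" is asking you to decide on.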

Email management planning questions

Answer the following planning questions about email management:

  • How will mobile devices connect to your existing on-premises or cloud-hosted email system?
  • Will administrators or users (or a combination of both) be responsible for connecting mobile devices to your email system? If users will be connecting mobile devices to the email system, how will they:
    • Choose the proper connection point to access their email mailbox?
    • Choose the proper connection protocol or connection method?
  • Will mobile devices need to meet certain security and compliance standards before connecting to your email system, and while they remain connected?
  • Do you need the ability to create custom email security and compliance connection policies? If so, what are the specific requirements?
  • Will you need the ability to import or export email security and compliance connection policies?
  • How do you need to manage connections to your email system?
    • By device user?
    • By device type?
    • By device OS?
    • By user group or role?
  • When a mobile device needs to be disconnected from your email system, how will email data be deleted from the mobile device?
  • Will both administrators and users need the ability to delete email data or the connection to the email system?
  • How will email data deletion be verified or confirmed?
  • If you're using both an on-premises and a cloud-based email system, how do they integrate with the mobile device management solution?
  • Are email profiles or managed access policies administered the same way or differently from the IT perspective? Is the user's email connection experience the same or different depending on where their mailbox is hosted?

Network connectivity management

Mobile devices typically connect to corporate networks and resources by using the following access technologies:

  • Wi-Fi: Wireless access to corporate resources is typically provided as an on-premises network extension service for devices that are in close physical proximity to the on-premises network. This usually involves allowing mobile devices to connect to network resources as users roam from location to location in an on-premises office, such as conference and meeting rooms, different offices, or other on-premises areas. It can also include wireless access from remote locations over wireless access points that the company does not manage, such as the user's home network or a public wireless access point. To simplify connections to wireless networks, administrators usually manage these connections using wireless profiles that outline the specific settings mobile devices must have in place before they can connect to the wireless network. This may include automatically configuring a custom network name, the network Service Set Identifier (SSID), security settings, a network proxy, and whether or not the device should automatically connect to the wireless network when it is in range.
  • Virtual Private Network (VPN): Secure remote access to corporate resources often includes using a defined VPN connection type from the mobile device. This is often vendor-specific and includes the installation of a VPN application on the mobile device. Additionally, these VPN applications often use either digital certificates or separately managed user account credentials to authenticate the VPN connection. To simplify connections to VPNs, administrators can usually manage these connections using VPN profiles or the VPN management tools included with the VPN solution. Depending on integration support, managing VPN connections with the mobile device management solution may or may not be an option with certain VPN platforms.
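A concrete wireless profile of the kind described above, as an added example that is not part of the original guide. It assumes the Microsoft WLANProfile v1 XML schema used for Windows Wi-Fi profiles and covers only the SSID, security and auto-connect settings named in the text (proxy settings are configured elsewhere). The network name, SSID and passphrase are constructed sample values; `check_profile_security` is an added helper that flags settings an administrator would not want pushed to corporate devices, such as an open or WEP network set to auto-connect.

```python
"""Build and check a Windows WLAN (Wi-Fi) profile as an MDM solution might push
it to devices. Added example, not code from the original guide; it assumes the
Microsoft WLANProfile v1 XML schema and only covers SSID, security and
auto-connect settings. Sample names and the passphrase are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = "http://www.microsoft.com/networking/WLAN/profile/v1"


def _el(parent: ET.Element, tag: str, text: str = None) -> ET.Element:
    """Create a namespaced child element, optionally with text."""
    e = ET.SubElement(parent, f"{{{NS}}}{tag}")
    if text is not None:
        e.text = text
    return e


def build_wlan_profile(name: str, ssid: str, passphrase: str = "",
                       auto_connect: bool = True, hidden: bool = False,
                       authentication: str = "WPA2PSK",
                       encryption: str = "AES") -> str:
    """Return a WLANProfile XML document as a string (WPA2-PSK/AES by default)."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}WLANProfile")
    _el(root, "name", name)                     # display name on the device
    cfg = _el(root, "SSIDConfig")
    _el(_el(cfg, "SSID"), "name", ssid)         # the network's SSID
    if hidden:
        _el(cfg, "nonBroadcast", "true")        # connect even if SSID is hidden
    _el(root, "connectionType", "ESS")          # infrastructure (access point) network
    _el(root, "connectionMode", "auto" if auto_connect else "manual")
    sec = _el(_el(root, "MSM"), "security")
    ae = _el(sec, "authEncryption")
    _el(ae, "authentication", authentication)
    _el(ae, "encryption", encryption)
    _el(ae, "useOneX", "false")                 # no 802.1X in this PSK example
    if authentication != "open":
        key = _el(sec, "sharedKey")
        _el(key, "keyType", "passPhrase")
        _el(key, "protected", "false")          # plaintext here; MDM transport should protect it
        _el(key, "keyMaterial", passphrase)
    return ET.tostring(root, encoding="unicode")


def summarize_profile(xml_text: str) -> Dict[str, str]:
    """Pull the settings an administrator reviews out of a profile document."""
    root = ET.fromstring(xml_text)
    ns = {"w": NS}

    def q(path: str) -> str:
        return root.findtext(path, default="", namespaces=ns)

    return {
        "name": q("w:name"),
        "ssid": q("w:SSIDConfig/w:SSID/w:name"),
        "mode": q("w:connectionMode"),
        "authentication": q("w:MSM/w:security/w:authEncryption/w:authentication"),
        "encryption": q("w:MSM/w:security/w:authEncryption/w:encryption"),
    }


# Legacy or unauthenticated settings that should not be deployed to managed devices.
WEAK_AUTH = {"open", "shared", "WPA", "WPAPSK"}
WEAK_ENC = {"none", "WEP", "TKIP"}


def check_profile_security(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the profile passed."""
    s = summarize_profile(xml_text)
    issues = []
    if s["authentication"] in WEAK_AUTH:
        issues.append(f"authentication '{s['authentication']}' is weak or provides no access control")
    if s["encryption"] in WEAK_ENC:
        issues.append(f"encryption '{s['encryption']}' is weak or absent")
    if s["mode"] == "auto" and s["authentication"] == "open":
        issues.append("auto-connect to an open network exposes device traffic")
    return issues


if __name__ == "__main__":
    corp = build_wlan_profile("Corp-WiFi", "CORP", "sample-passphrase-constructed")
    print(summarize_profile(corp), check_profile_security(corp))
    guest = build_wlan_profile("Guest", "GUEST", authentication="open", encryption="none")
    print(check_profile_security(guest))
```

Usage: review the output of `summarize_profile` against the planning questions below (which users, device types and groups get which profile), and run `check_profile_security` over every profile before it is assigned, so that a profile that auto-connects to an open or legacy network never reaches a managed device.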

You may have other web-based resources, such as SharePoint, that rely on secure access via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Be sure you understand how mobile devices will access these resources, or resources with separate VPN or secure access methods.

Network connectivity management planning questions

Answer the following planning questions about network connectivity management:

  • What type of VPN platform do you have deployed in your on-premises network?
  • Is the VPN platform supported by, or able to be integrated with, the mobile device management solution?
  • If the VPN platform is already integrated with or supported by an existing non-mobile-device management solution, does the mobile device management solution integrate with both systems?
  • Will your Wi-Fi infrastructure require updating to accommodate increased device connections and increased bandwidth demands?
  • How will mobile devices connect to your existing on-premises wireless or VPN platform?
  • If mobile devices are already connecting to your existing wireless or VPN platform, what connection type or protocol are the devices using to connect?
  • Will changes to these connections be needed if the devices are enrolled in a mobile device management solution?
  • Will administrators or users (or a combination of both) be responsible for connecting mobile devices to your wireless or VPN platform? If users will be connecting mobile devices to the wireless or VPN platform, how will they:
    • Choose the proper connection point to access the corporate network?
    • Choose the proper connection protocol or connection method?
    • Choose the proper digital certificate for the connection method?
  • Do you want to automatically configure wireless and VPN connection properties and settings on users' mobile devices?
    • Do you need to provide different wireless network configuration or security settings to different types of users, devices, device operating systems, or user groups and roles?
    • Will you need the ability to import or export wireless and/or VPN configuration or security connection policies?

Certificate management

Digital certificates, either self-signed or issued by a third-party certification authority (CA), may be used to authenticate mobile devices to network connections or to specific network resources. To simplify managing digital certificates, administrators usually manage certificates using certificate profiles. This allows a uniform, centralized method for managing certificates, including how they are created, issued, and renewed. It also helps users connect to corporate resources without having to request and install certificates manually or by using a non-approved security process. However, using certificates for this type of authentication often brings additional on-premises infrastructure requirements. These may include all or some of the following network components, depending on the level of integration supported by the mobile device management solution:

  • Directory services: Directory services, such as Microsoft Active Directory, are usually required to securely connect and manage all other network components.
  • Certification Authority (CA) server: If you're issuing self-signed certificates for your organization, you'll need a certification authority to create, issue, manage, and renew digital certificates.
  • Network Device Enrollment Service (NDES) server: This server allows software and mobile devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).
  • Proxy server: Depending on your on-premises network configuration, you may require a proxy server that allows mobile devices to receive certificates over an Internet connection without directly connecting to your internal corporate network.

Certificate management planning questions

Answer the following planning questions about certificate management:

  • Does your organization already require or use digital certificates to authenticate access to network resources?
  • Do you have an existing enterprise public key infrastructure (PKI)?
  • Do you need to automatically issue digital certificates to mobile devices?
  • How are digital certificates created, issued, renewed, or revoked for mobile devices?
  • Are digital certificates centrally managed by an on-premises or a third-party Certification Authority (CA)?
  • Do you need different certificates assigned for access to different network services? Does this depend on the type of mobile device accessing the network?

Make sure to take notes on each answer and understand the rationale behind it. Later tasks will go over the options available and the advantages and disadvantages of each option. Answering these questions will help you select the option that best suits your business needs.