Develop your mobile device management adoption strategy

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

In this task, you'll develop the mobile device management adoption strategy that will meet the business requirements that you identified in Tasks 1 and 2.

Device ownership

After reviewing your organization's current policy and strategy to manage devices, you should have a list of scenarios that your organization plans to implement. The section below will help you understand the advantages and disadvantages of each scenario:

Employee owns the device (BYOD)

Advantages

  • Your company does not need to buy mobile devices for the employees
  • Usually allows employees to be more productive, since they will be using the mobile device of their choice
  • Support costs may decrease, since the organization will have limited support over the mobile devices

Disadvantages

  • Increases the number of security considerations needed to protect company data located on personal devices
  • Increases the likelihood of data leakage, especially when appropriate security controls aren't in place
  • Limited management capability due to privacy restrictions

Company-owned device

Advantages

  • Full management capability, including device hardening and security controls
  • More control over mobile devices
  • Capability of defining which mobile devices will be used by employees

Disadvantages

  • Potential increases in support costs, since the organization will maintain the mobile devices
  • Less flexibility for end users, which may affect their productivity
  • Cost increases, since the organization will have to buy mobile devices

In some scenarios, organizations will embrace both models: BYOD and company-owned devices. In that case, the device management platform must be able to manage multiple platforms while integrating with the current on-premises infrastructure. If your organization fits this scenario, also make sure your security policies are able to cover both models from the compliance perspective. Different requirements may apply to each model, and your mobile device management solution should be able to handle both while enabling IT to stay in control.

Supported mobile device platforms

The decision you made regarding device ownership will help you identify which mobile device platforms you'll support. The mobile device management solution that you choose will have to accommodate this decision. In a single mobile device platform scenario, the platform choice will not be as relevant as in the multi-platform scenario. Use the section below to help you choose the mobile device management solution for a multi-platform scenario:

Intune (standalone)

Advantages

  • Always-on cloud service that supports the latest MDM features and updates
  • Supports provisioning all major mobile device operating systems (Android, iOS, Windows 8, Windows 10, and Windows Phone)
  • Allows you to manage any mobile device from any location
  • More advanced management options for mobile devices
  • Mobile application management

Disadvantages

  • Lack of integration with the current on-premises device management solution will introduce an additional management interface for you to use
  • Policies created using the on-premises MDM solution are not replicated to the cloud service

MDM for Office 365

Advantages

  • Integrated with Office 365
  • If you're already using Office 365, the MDM capabilities are easily leveraged to manage mobile devices
  • If you're already using Office 365, you won't need to use another console to manage mobile devices

Disadvantages

  • Limited set of capabilities (see the note that follows) to manage mobile devices
  • Lack of integration with the current on-premises device management solution will introduce an additional management interface for you to use

Hybrid (Intune with ConfigMgr)

Advantages

  • Native integration between Intune and ConfigMgr
  • Allows you to use a centralized console to deploy policies and manage on-premises PCs, servers, and mobile devices

Disadvantages

  • Requires additional configuration steps to connect Intune and ConfigMgr
  • If the organization does not have a current ConfigMgr infrastructure on-premises, you will need to plan, install, and configure this platform before the integration

If you only need to manage access to work email, calendar, contacts, and tasks from mobile devices, learn about the Exchange ActiveSync device management capabilities available in Office 365.

Application requirements

Based on the requirements that were defined in Task 1, you can choose which mobile device management solution best fits your organization. Use the comparison below to weigh the MDM options and the advantages and disadvantages of each option.

Intune (standalone)

Advantages

  • Allows you to manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal. Read Deploy software to mobile devices in Microsoft Intune for more information.
  • Allows you to specify a list of compliant apps that users are allowed to install and noncompliant apps, which must not be installed by users. Read Manage devices using configuration policies with Microsoft Intune for more information.
  • Allows you to set restrictions for apps by using a mobile application management policy. This helps you to increase the security of your company data by restricting operations such as copy and paste, external data backup, and the transfer of data between apps. Read Control apps using mobile application management policies with Microsoft Intune for more information.
  • Supports different mobile platforms. Read about supported mobile devices at Mobile device management capabilities in Microsoft Intune for more information.
  • Control which apps are available for VPN users. You can select apps that automatically connect to your corporate network over VPN by creating a list of apps when you set up the VPN profile.
  • Supports mobile application management (MAM) policies that help prevent corporate data from being leaked to consumer apps or services.
  • Intune MAM helps IT enable secure access to corporate SaaS (such as Office 365) data for partners, contractors, and vendors without managing their devices.

Disadvantages

  • Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution.
  • Policies created using an on-premises MDM platform aren't replicated to the cloud service, requiring two sets of management and compliance policies (if you have an on-premises MDM solution)

MDM for Office 365

Advantages

  • Provides MDM capabilities across OS platforms, such as password requirements

Disadvantages

  • Limited set of capabilities to control apps
  • Lacks integration with on-premises device management solutions, which introduces an additional management interface for you to use when managing mobile devices if you have an on-premises solution.
  • No ability to deploy apps and apply mobile application management capabilities

Hybrid (Intune with ConfigMgr)

Advantages

  • Inherits app control settings from Intune standalone
  • Provides an integrated management experience (between Intune and ConfigMgr)
  • Leverages Configuration Manager app management capabilities. Read Application Management in Configuration Manager for more information.
  • Allows you to use a single console to deploy policies and manage application policies for on-premises PCs, servers, and mobile devices
  • Control which apps are available for VPN users. You can select apps that automatically connect to your corporate network over VPN by creating a list of apps when you set up the VPN profile.

Disadvantages

  • Requires additional steps to set up the integration
  • If your organization does not have a current on-premises ConfigMgr infrastructure, you must plan, install, and configure the ConfigMgr platform first
  • Without integration with Intune, ConfigMgr has a limited mobile device management solution based on the supported mobile device platforms. Read Determine How to Manage Mobile Devices in Configuration Manager for more information.

Track requirements

Understanding user behavior and being able to identify their location are important factors to include in your mobile device management strategy. How devices will be tracked will vary according to your business requirements and needs. Different tracking capabilities are available in each mobile operating system, so the mobile device platforms you choose to support will impact your options. For example, compliance requirements may influence you to prioritize adopting mobile device platforms that allow you to track the user's location and use geofencing.

Tip

Geofencing allows you to monitor a mobile device's geographic location and enable/disable device and network resources based on that location. For example, Windows 8.1 allows an app to define a geographical region and have the system alert the app when the device it's running on enters or exits that area. For more information about this feature in Windows 8.1, read Geofencing, start to finish (XAML).
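The following is an added example, not code from this guide or from the Windows geofencing API, showing the enable/disable-by-location logic described above: a circular geofence that emits enter/exit transitions as location fixes arrive, and a compliance rule that allows a corporate resource only while the device is inside. The fence centre, radius and location fixes are constructed sample values.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

class CircularGeofence:
    """Circular region that reports 'entered'/'exited' transitions, mirroring the
    enter/exit notifications the Windows 8.1 geofencing feature raises for an app."""

    def __init__(self, fence_id, center_lat, center_lon, radius_m):
        self.fence_id = fence_id
        self.center = (center_lat, center_lon)
        self.radius_m = radius_m
        self.inside = False  # assume the device starts outside the fence

    def update(self, lat, lon):
        """Feed one location fix; return 'entered', 'exited' or None (no change)."""
        now_inside = haversine_m(*self.center, lat, lon) <= self.radius_m
        event = None
        if now_inside != self.inside:
            event = "entered" if now_inside else "exited"
        self.inside = now_inside
        return event

def evaluate_access(fence, fixes):
    """Compliance rule: the corporate resource (e.g. a VPN profile) is allowed only
    while the device is inside the fence. Returns one (event, allowed) pair per fix
    so the transitions can be audited."""
    decisions = []
    for lat, lon in fixes:
        event = fence.update(lat, lon)
        decisions.append((event, fence.inside))
    return decisions

# Constructed sample data: a 500 m fence around a hypothetical office and three
# location fixes (inside, about 600 m north of the centre, back inside).
OFFICE_FENCE = ("office-hq", 47.6396, -122.1282, 500.0)
SAMPLE_FIXES = [(47.6400, -122.1280), (47.6450, -122.1282), (47.6398, -122.1285)]

def demo():
    """Run the sample fixes through the fence and return the access decisions."""
    return evaluate_access(CircularGeofence(*OFFICE_FENCE), SAMPLE_FIXES)
```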