Device management options

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Managing mobile devices with Intune and ConfigMgr centers around management policies. Policies define groups of settings for mobile devices and can either be created from templates or customized for specific devices, users, or groups. The best practice is to create management policies before mobile devices are enrolled in the management solution. This ensures that devices are managed from the moment they enroll, in accordance with the policies and processes defined in your IT strategy. Both solutions allow for configuring the following policy types:

  • Configuration policies: Configuration policies define the general organizational settings for each enrolled mobile device. These may include device password, application, cloud policy, and encryption settings, but can cover many other device settings across different management areas. Configuration policies are also applied and configured differently for each mobile device operating system, by using device enrollment profiles.
Tip

When creating different policies for different types of devices, users, or groups, it's easy to have conflicting policy settings applied to the same device. Be sure that you understand how conflicting policy settings are resolved, and verify the effective settings on a pilot device that receives every policy it would get in production before rolling the policies out broadly.

  • Compliance policies: Compliance policies enforce your organization's requirements for mobile devices to be granted (or denied) access to company resources or services. They can also cover device password and encryption settings, as well as determining whether the mobile device is rooted (Android) or jailbroken (iOS). As with configuration policies, the Intune and ConfigMgr compliance policy options vary by mobile device operating system. If you're creating compliance policies in ConfigMgr, note that finer-grained control is available through a multi-part process:

    1. Creating configuration items
    2. Creating configuration baselines
    3. Deploying the configuration baselines to ConfigMgr user or device collections
  • Conditional access policies: Conditional access policies define how access to email is managed and can be used on their own or together with compliance policies. Connections to your on-premises Exchange Server or to the Exchange Online service must be configured in Intune or in ConfigMgr before conditional access policies can be deployed. Conditional access can also be configured for Office 365 and SharePoint Online services.
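The following Python model ties together the two points above: the tip that several policies can reach one device with conflicting settings, and the way a compliance policy feeds a conditional access decision for email. It is an illustrative example added to this guide, not Intune or ConfigMgr code, and it does not reproduce either product's evaluation engine. It assumes two things the guide itself does not state: that when several configuration policies target one device the most restrictive value of each setting wins, and that a device failing any compliance rule is blocked from email by the conditional access policy. The policy names, setting names, and device inventory values are all constructed for the example.

```python
"""Toy model of policy merging, compliance evaluation and conditional access.

Illustrative example added to this guide; not Intune or ConfigMgr code.
Assumed (not stated in the guide): the most restrictive value of each
setting wins when policies conflict, and any compliance failure blocks
email access.
"""
from dataclasses import dataclass

# How a conflicting setting is resolved when several policies supply it.
# Assumed "most restrictive wins" rule; confirm your product's documented behaviour.
MOST_RESTRICTIVE = {
    "min_password_length": max,     # a longer minimum is stricter
    "max_inactivity_minutes": min,  # a shorter lock timeout is stricter
    "require_encryption": any,      # one policy requiring it is enough
    "block_jailbroken": any,        # one policy blocking rooted/jailbroken devices is enough
}


def merge_policies(policies):
    """Combine every policy assigned to a device into one effective policy."""
    effective = {}
    for setting, pick_strictest in MOST_RESTRICTIVE.items():
        values = [p[setting] for p in policies if setting in p]
        if values:
            effective[setting] = pick_strictest(values)
    return effective


@dataclass(frozen=True)
class Device:
    """Inventory facts a management agent would report for one enrolled device."""
    name: str
    platform: str
    password_length: int
    inactivity_minutes: int
    encrypted: bool
    jailbroken: bool


def evaluate_compliance(device, policy):
    """Return the names of the rules the device fails; an empty list means compliant."""
    failures = []
    if device.password_length < policy.get("min_password_length", 0):
        failures.append("min_password_length")
    if device.inactivity_minutes > policy.get("max_inactivity_minutes", float("inf")):
        failures.append("max_inactivity_minutes")
    if policy.get("require_encryption") and not device.encrypted:
        failures.append("require_encryption")
    if policy.get("block_jailbroken") and device.jailbroken:
        failures.append("block_jailbroken")
    return failures


def conditional_access(device, policies):
    """Email access decision: ('allow', []) or ('block', [failed rule names])."""
    failures = evaluate_compliance(device, merge_policies(policies))
    return ("block", failures) if failures else ("allow", [])


# Constructed sample policies (hypothetical names and values).
CORP_BASELINE = {"min_password_length": 6, "max_inactivity_minutes": 15,
                 "require_encryption": True, "block_jailbroken": True}
FINANCE_GROUP = {"min_password_length": 8, "max_inactivity_minutes": 5}
BYOD_RELAXED = {"min_password_length": 4, "require_encryption": False}

# Constructed sample devices.
FINANCE_IPHONE = Device("ios-finance-01", "iOS", 8, 5, True, False)
PERSONAL_ANDROID = Device("android-byod-02", "Android", 6, 15, False, True)

if __name__ == "__main__":
    everything = [CORP_BASELINE, FINANCE_GROUP, BYOD_RELAXED]
    print("effective policy:", merge_policies(everything))
    print(FINANCE_IPHONE.name, conditional_access(FINANCE_IPHONE, everything))
    # The same personal device passes under the relaxed BYOD policy alone but is
    # blocked once the corporate baseline is also assigned to it.
    print(PERSONAL_ANDROID.name, conditional_access(PERSONAL_ANDROID, [BYOD_RELAXED]))
    print(PERSONAL_ANDROID.name, conditional_access(PERSONAL_ANDROID, [BYOD_RELAXED, CORP_BASELINE]))
```

The last two calls show the tip in practice: a personal Android device is compliant when only the relaxed BYOD policy reaches it, but is blocked from email as soon as the corporate baseline is also assigned, because the merged policy now requires encryption and blocks jailbroken devices. Before trusting such a decision in production, compare it against the effective settings reported for a real pilot device, since the merge rule here is an assumption.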

Your answers to the questions in Step 1 can help you determine how you want devices to be enrolled in the mobile device management solution. The lists below will help you understand the advantages and disadvantages of each management scenario.

Intune (standalone)

Advantages

  • Supports simplified policy control for managing users and devices, now separated by device platform
  • Supports the Android, iOS, Windows 10, Windows 8.x, and Windows Phone platforms, as well as Exchange ActiveSync
  • Provides a simple, web-based administration and management console that is accessible from any location
  • Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
  • Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
  • Allows selective wipe or full factory reset for all mobile devices
  • Includes a customizable Company Portal, allowing the managed and secure distribution of internal and third-party mobile applications
  • Deploys certificates to mobile devices
  • Allows organizations to prevent cut/copy/paste functions in mobile applications
  • Supports enforcing the use of managed browsers
  • Supports using device IMEI numbers to identify and tag corporate-owned devices, so that their policy assignments are kept separate from those of personally owned devices

Disadvantages

  • Additional licensing requirements and costs for the user accounts that enroll devices in the Intune service

MDM for Office 365

Advantages

  • Integrated web-based administration and management console within Office 365 tenants
  • Supports group-based policies, making it easier to manage large numbers and diverse types of mobile devices
  • Supports advanced mobile device compliance features and functionality, including device root and jailbreak detection
  • Allows selective wipe or full factory reset for all mobile devices

Disadvantages

  • Advanced mobile device management features aren't supported, including:
    • Provisioning and managing certificate, email, VPN, and wireless profiles
    • Enrolling and managing collections of devices
  • Some mobile application management features and functionality aren't supported:
    • Deploying line-of-business applications to mobile devices
    • Enabling secure data access for Office mobile applications
    • Extending corporate data securely to line-of-business apps on mobile devices
    • Managed browsers or other content-viewing applications

Hybrid (Intune with ConfigMgr)

Advantages

  • All the advantages of Intune standalone, plus the following:
    • Provides a single-pane-of-glass view for managing the corporate estate, including flexibility for role-based administration and scripting (through PowerShell)

Disadvantages

  • Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure
  • For organizations that don't already have a ConfigMgr infrastructure, it will need to be planned, installed, and configured before integrating with Intune
  • VPN and email profiles for Android devices aren't currently supported
  • The managed browser isn't currently supported