Device provisioning options

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

When a user can use and enroll their own device, this increases the requirements for both the user and IT, and impacts several areas. For example, the figure below shows an overview of the enrollment process for an organization using both Intune and ConfigMgr. This example outlines the certificate, web application, and synchronization considerations that you’ll need to take into account when planning your solution:

Overview of the enrollment process for mobile devices using hybrid Intune and ConfigMgr

  1. With Windows Server 2012 R2, a new concept known as device registration was introduced. Users can register their devices for single sign-on and access to corporate data using Workplace Join. As part of this registration process, a certificate is installed on the device. In return for registering their device and making it known to the device management solution, the user gains access to corporate resources that were previously not available outside of their domain-joined PC.
  2. Users can enroll devices using the Company Portal, which configures the device for management with Intune, and then leverage the Microsoft Intune Company Portal for easy access to corporate applications and data and to manage their own devices, performing tasks such as remotely wiping them in the event they are lost, stolen or replaced.
  3. You can publish access to corporate resources with the built-in capability available in Windows Server 2012 R2 called Web Application Proxy, based on device awareness (i.e., whether it is registered) and the user's identity. If you’re using Enterprise Mobility + Security, you can also publish applications using the Azure AD Application Proxy. Multi-factor authentication can be used through Azure Active Authentication.
  4. In order to provide administrators with a unified view of their entire environment, the data from Intune is synchronized with ConfigMgr, which provides unified management across both on-premises and in the cloud.
  5. As part of the enrollment process, a new device object is created in Active Directory. This device object establishes a link between the user and their device, making it known to the device management solution and allowing the device to be authenticated, effectively providing seamless two-factor authentication.

Depending on how you answered the questions in Step 1, you should be able to determine how you want devices to be managed in the mobile device management solution. The lists below show the advantages and disadvantages of each provisioning option.

Intune (standalone)

Advantages

  • Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  • Cloud-based service: mobile devices can be enrolled from any location with Internet access
  • Devices may be enrolled via a centralized, customizable Company Portal
  • Advanced device provisioning options for mobile devices

Disadvantages

  • Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
  • Separate device compliance and security policies for the cloud-based service and the on-premises management platform

MDM for Office 365

Advantages

  • Integrated with Office 365 tenants, providing a single management console for mobile devices and Office 365 tenant services (Exchange Online, SharePoint Online, and Skype for Business)
  • Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.1, and Windows Phone)
  • Basic device provisioning options for mobile devices

Disadvantages

  • Additional management interface for provisioning mobile devices (only) if using an on-premises management platform for non-mobile devices
  • Separate device compliance and security policies for the cloud-based service and the on-premises management platform
  • Less advanced device provisioning options

Hybrid (Intune with ConfigMgr)

Advantages

  • Native integration between Intune (cloud-based device management service) and System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager (on-premises device management platforms)
  • Supports enrolling and provisioning all major mobile device operating systems (Android, iOS, and Windows Phone), and includes provisioning for all major non-mobile device operating systems
  • Supports advanced device provisioning options for mobile devices via Intune connectivity

Disadvantages

  • For organizations that don’t have a current ConfigMgr infrastructure configured, it will need to be planned, installed and configured prior to integrating with Intune
  • Requires additional configuration to connect Intune with the on-premises ConfigMgr infrastructure

For more details about mobile device enrollment and provisioning options, make sure to review how to enable mobile device enrollments in Intune, and compare these requirements and procedures with those for enabling mobile device enrollments in ConfigMgr and MDM for Office 365.