Gather your data protection requirements

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

To help define your organization's data protection requirements for mobile devices, it helps to first think about the data protection requirements that your organization already has in place. For example, perhaps your company has to comply with specific regulations, or you might already have a policy regarding data protection.

Make note of these high-level requirements first; they give you a basis for asking more granular questions that will lead you to better design decisions for your MDM solution. When defining these requirements, consider the following:

  • Data encryption at rest: As shown in Figure 8, company data will be stored on the user's mobile device. Consider whether the following is important to your company:
    • Does the MDM solution support encrypting the entire mobile device disk and SD cards?
      • If yes, for which operating systems?
    • Does the MDM solution support app data encryption?
      • If yes, for which operating systems?
      • If yes, for which apps?
  • Data encryption in transit: Regardless of who owns the data, at some point during data communication the data is in transit between the mobile device and a company server (or web service). You must understand what capabilities the MDM solution has to protect data in transit. Consider whether the following is important to your company:
    • Does the MDM solution support data encryption in transit?
      • If yes, for which operating systems?
      • If yes, which capabilities are available?
    • What options does the MDM solution have to protect data while in transit?
  • Data segregation: It's also important to understand whether your company's data should be treated differently from the user's data. Segregation, separation, and isolation are some of the terms used to describe this capability. When designing your MDM solution, consider:
    • Does the MDM solution support data separation?
      • If yes, is it possible to erase your company's data while preserving the mobile device user's data?
    • Does the MDM data separation capability ensure that only trusted apps can access data located on the mobile device?
    • Does the MDM solution support data separation according to the user's identity?
    • Does the MDM solution support containerization?
      • If so, is it possible to encrypt data located in a particular container?
  • Hardening mobile devices: Since different mobile device platforms might be used in your organization, you should understand what hardening capabilities are available in each mobile device platform. Each platform may control and harden devices using different methods and at different levels of granularity. If one set of mobile devices has a more granular set of configuration options than the others, you'll need a common set of options to harden all devices, while using custom policies to enhance the security of each mobile device platform that your organization supports.

The list below includes common options that the MDM solution should support to harden mobile devices:

  • Requiring a password to unlock mobile devices
  • Requiring a password type – minimum number of characters and character types
  • Minimum password length
  • Number of repeated sign-in failures to allow before the mobile device is wiped
  • Minutes of inactivity before the device screen turns off
  • Remembering password history – preventing the reuse of previous passwords
  • Password expiration (days)
  • Requiring encryption on the mobile device
  • Requiring encryption on storage cards
  • Allowing idle return without a password

Tip

In Windows Phone 8.1, the policy Allow idle return without password can be configured using the Windows Phone 8.1 Enterprise Device Management Protocol.
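The hardening options above only help if you can tell when a device falls short of them. The following added example (not part of this guide or any Microsoft tool) encodes those options as a constructed baseline and compares a device's reported lock configuration against it; the field names, baseline values and sample device report are all assumptions made for the example, and "0 means unlimited" settings (failed attempts, inactivity, expiration) are treated as weaker than any finite baseline.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceLockPolicy:
    # Constructed field names mirroring the options listed above;
    # they are not any vendor's policy identifiers.
    password_required: bool
    min_password_length: int
    complex_character_types: int      # distinct character types required
    max_failed_attempts: int          # wipe after N failures; 0 = never wipe
    inactivity_minutes: int           # lock screen after N minutes; 0 = never
    password_history: int             # previous passwords that cannot be reused
    password_expiration_days: int     # 0 = never expires
    device_encryption: bool
    storage_card_encryption: bool
    allow_idle_return_without_password: bool

# Constructed baseline values, chosen for illustration only.
BASELINE = DeviceLockPolicy(True, 8, 2, 10, 5, 5, 90, True, True, False)

def _limited(value: int, limit: int) -> bool:
    """True when an 'N, or 0 = unlimited' setting is at least as strict as limit."""
    return value != 0 and value <= limit

def find_gaps(p: DeviceLockPolicy, base: DeviceLockPolicy = BASELINE) -> list[str]:
    """Return one finding per option that is weaker than the baseline."""
    gaps: list[str] = []
    if base.password_required and not p.password_required:
        gaps.append("unlock password not required")
    if p.min_password_length < base.min_password_length:
        gaps.append(f"min password length {p.min_password_length} < {base.min_password_length}")
    if p.complex_character_types < base.complex_character_types:
        gaps.append("fewer character types required than baseline")
    if not _limited(p.max_failed_attempts, base.max_failed_attempts):
        gaps.append("wipe after failed sign-ins disabled or above baseline")
    if not _limited(p.inactivity_minutes, base.inactivity_minutes):
        gaps.append("inactivity lock disabled or longer than baseline")
    if p.password_history < base.password_history:
        gaps.append("password history shorter than baseline")
    if not _limited(p.password_expiration_days, base.password_expiration_days):
        gaps.append("password expiration disabled or longer than baseline")
    if base.device_encryption and not p.device_encryption:
        gaps.append("device storage not encrypted")
    if base.storage_card_encryption and not p.storage_card_encryption:
        gaps.append("storage card not encrypted")
    if p.allow_idle_return_without_password and not base.allow_idle_return_without_password:
        gaps.append("idle return allowed without password")
    return gaps

# Constructed sample of what one device might report back to the MDM server.
REPORTED = DeviceLockPolicy(True, 6, 2, 0, 5, 5, 0, True, False, True)
```

Running `find_gaps(REPORTED)` lists five findings for the sample device, including the idle-return setting the tip above calls out; a device that matches or exceeds every baseline value returns an empty list.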