Hardening mobile devices

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

When creating a configuration baseline for mobile devices to harden their capabilities according to your business needs, make sure that you are balancing usability with security. A very strict hardening template can cause usability and access problems for your employees, which defeats the purpose of helping users be productive by accessing company resources with their devices.

Also, keep in mind that not all security policies are available for all mobile device platforms. You may need to balance priorities for allowing mobile device platforms in your organization with your security compliance requirements for hardening devices. One way to approach mobile device hardening is by having different layers of security. The settings that are available for each layer can also vary, depending on your MDM solution. The figure below shows an example of how this layered approach can be set up.

Security layers

Different areas of mobile device hardening

Each layer can be used to group areas that must be compliant with your business security requirements. For example, you can configure Intune to deploy security policies for devices that are specifically for hardening system settings and enabling encryption. The policies can also help ensure that only compliant apps are available to be installed on mobile devices by creating an access white list.

On BYOD devices running Windows 8.1 Enterprise, AppLocker enables you to allow or block an app based on its file path, hash, or properties that persist across application updates (e.g., publisher name, product name, file name, and file version). In Windows 10, a new AppLocker configuration service provider was added to allow you to enable AppLocker rules by using an MDM server. Read AppLocker CSP for more information on this new capability in Windows 10.
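As an added example (not part of this guide), the following PowerShell builds AppLocker rules from a set of reference binaries, preferring the publisher properties the text describes over file hashes, and checks candidate files against the resulting XML before anything is enforced. The Contoso paths are placeholders for your own line-of-business applications.

```powershell
# Added example (not from the guide): build AppLocker allow rules from a
# reference set of binaries, using publisher properties that survive updates,
# then dry-run a candidate list against the policy before enforcing it.
# All file paths below are placeholders; replace them with your own files.

$referenceApps = @(
    'C:\Program Files\Contoso\LineOfBusiness\lob.exe',    # placeholder path
    'C:\Program Files\Contoso\LineOfBusiness\helper.exe'  # placeholder path
)
$policyXml = Join-Path $env:TEMP 'mobile-hardening-applocker.xml'

# Collect publisher, product, binary name, version and hash for each file.
$fileInfo = Get-AppLockerFileInformation -Path $referenceApps

# Publisher rules keep working after an app update; AppLocker falls back to
# a hash rule only for files that are not signed (a hash changes every update).
New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash `
    -User Everyone `
    -Optimize `
    -Xml | Out-File -FilePath $policyXml -Encoding utf8

# Dry run: evaluate files against the generated policy without enforcing it.
$candidates = @(
    'C:\Program Files\Contoso\LineOfBusiness\lob.exe',  # expected: Allowed
    'C:\Users\Public\Downloads\unknown.exe'             # expected: DeniedByDefault
)
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Once the dry run matches expectations, merge the rules into the local
# policy; the same rule-collection XML is what an MDM server pushes through
# the Windows 10 AppLocker CSP.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Run the dry run on a few devices first: any line that reports DeniedByDefault for a legitimate app means the reference set is missing a publisher or hash rule.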

Another area that should be controlled is users' mobile browsing experience. A managed browser policy includes an allow or block list that restricts the websites that users of the managed browser can visit. Read Manage Internet access using managed browser policies with Microsoft Intune for more information on how to configure these policies in Intune.

In a hybrid environment with ConfigMgr on-premises, you can create a configuration baseline to set a basic hardening state for managed mobile devices. You can customize this baseline to include all required settings, and then deploy it to your mobile devices. Compliance settings options vary according to the mobile device platform, so read Compliance Settings for Mobile Devices in Configuration Manager for more information about the options available for each device.

MDM for Office 365 also has a set of capabilities to assist you in hardening mobile devices for the following categories:

  • Security
  • Encryption
  • Jailbroken
  • Managed email profile

Read the article Capabilities of built-in Mobile Device Management for Office 365 for more information on how to set up security policies for enforcing these options.

Hardening the mobile device platform plays an important role in keeping your company data protected while allowing users to use their mobile devices without compromising security. Use the table below as a reference to assist you in choosing the MDM option that best fits your organization's data hardening requirements.

Intune (standalone)

Advantages

  • Allows you to enforce policies for enrolled devices: encryption, malware, apps, email, email profile, jailbroken, system and security
  • Supports policy deployment for major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)

Disadvantages

  • Lacks integration with a current on-premises MDM platform; introduces an additional management interface for you to use when managing mobile devices
  • Some policies may not be available for some mobile platforms

MDM for Office 365

Advantages

  • Allows you to enforce policies for enrolled devices: encryption, apps, jailbroken and security
  • Supports policy deployment for major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)

Disadvantages

  • Lacks integration with a current on-premises MDM platform; introduces an additional management interface for you to use when managing mobile devices
  • Some policies may not be available for some mobile platforms
  • Doesn't allow as much granularity as Intune

Hybrid (Intune with ConfigMgr)

Advantages

  • Allows you to enforce policies for enrolled devices: encryption, malware, apps, email, system, security and jailbroken
  • Supports policy deployment for major mobile device platforms (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  • Single management console for mobile devices registered from the cloud and for on-premises devices

Disadvantages

  • If your company doesn't have a current on-premises ConfigMgr infrastructure, it will require resources to plan, install and configure ConfigMgr prior to integration

Tip

Read more about the mobile device management settings that you can configure in a Microsoft Intune mobile device security policy at Mobile device management policy settings for Microsoft Intune.