Identify SaaS solution infrastructure integration needs

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Two of the primary decisions that need to be made when considering managing mobile devices with a SaaS solution are:

  • How will your existing on-premises user and device directory accounts integrate with the SaaS solution?
  • Do you need to integrate the SaaS solution with existing on-premises client management platforms?

The decisions you make in these two areas will significantly impact the overall deployment, administration, and end-user experience of your mobile device management solution.

Identity and directory connectivity

Connecting and synchronizing your on-premises user and device account directory with the SaaS solution is the glue that connects users, mobile devices, mobile applications, and mobile device management. Knowing who a user is (identity) and associating that identity with specific mobile devices is critical to managing access to company resources and data from those devices. In many ways, how well these areas are connected to the SaaS solution determines the overall value to both you and your mobile device users. Ubiquitous connectivity means that people and devices can use devices and applications anywhere, and it's essential that user identity management keeps pace with the demands of this connectivity. It can't be stressed enough that how you manage identity and user authentication is critical to the success of your mobile device management solution.

Synchronizing on-premises directory services to the SaaS solution is another key area to consider when defining your mobile device management strategy. Most organizations prefer to maintain an on-premises user and device directory infrastructure, but need to extend these accounts to a variety of cloud-based services. This may include only a SaaS-based mobile device management solution, but in most scenarios organizations need to integrate user and device accounts into several different types of cloud-based services, such as cloud-based applications, data, or third-party web services. Keeping your user and device directory accounts synchronized is the cornerstone of a well-designed identity management solution. Once you integrate your on-premises directory with a cloud directory, you can also enable single sign-on (SSO) so that users can sign in to all services with their on-premises credentials. Both Intune and Office 365 can take advantage of this integration to enable SSO with SaaS apps that the organization might want to use.

Identity and directory connectivity questions

As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about identity management and directory connectivity:

  • Does the SaaS solution support integrated user authentication services? If so, does it support the type of directory services you're using in your on-premises infrastructure?
  • Do you need to support user and mobile device authentication for on-premises and/or internal applications or services?
  • Does the SaaS solution support user and mobile device authentication for third-party or other external SaaS-based applications or services?
  • How does the SaaS solution manage identity-related threats and anomalies?
  • Does the SaaS solution support implementing and managing multi-factor authentication (MFA)?
  • What types of directory services objects do you need to extend to the SaaS solution? Does the SaaS solution have any restrictions on certain object types?
  • What on-premises requirements must be met to extend your directory services to the SaaS solution?
  • Once connected to the SaaS solution, how are user and mobile device directory objects replicated or synchronized with the cloud service? Are synchronization settings customizable or fixed?
  • Are all directory object attributes synchronized with the SaaS solution? Do you need to synchronize custom directory object attributes?
  • Are on-premises directory services hosted in a single location or logical grouping? If not, does the SaaS solution support synchronizing multiple directory services from multiple locations and logical groupings?

Connecting with existing client management platforms

Most organizations have an existing on-premises client management platform for managing desktop computers and servers. How you integrate the management of mobile devices into this system is likely to have a substantial impact on IT infrastructure costs, device management administration processes, device inventory and reporting support, and overall integration with other business-critical applications and services. By connecting these two platforms, organizations are able to leverage the economies of scale of a single, unified management platform.

Questions about connecting with existing client management platforms

As part of SaaS management lifecycle planning, you'll want to answer the following planning questions about connecting the SaaS solution with existing client management platforms:

  • Does your on-premises client management platform support integration with the SaaS solution? If so, are there:
    • Limitations on the type of SaaS solution?
    • Limitations on the types of supported devices?
  • What are the requirements to connect your on-premises client management platform to the SaaS solution? Specifically, are there:
    • Physical server or device requirements?
    • Directory services or directory schema requirements?
    • Domain Name Services (DNS) requirements?
    • Identity requirements?
    • Client management platform upgrade or configuration requirements?
    • Network connectivity and/or network security configuration requirements?
  • Can existing client or device configuration information (policies, profiles, and settings) be shared or leveraged in the SaaS solution? Will this information have to be recreated?
  • After the two platforms are connected, how are clients managed? Are different types of clients managed in a unified administration system, or are they managed separately?
  • How are updates and changes in the SaaS solution integrated with the on-premises client management platform? Is this an automatic or manual configuration process?

Tip

Make sure to take notes of each answer and understand the rationale behind it. Later tasks will go over the options available and the advantages and disadvantages of each. Answering these questions will help you select the option that best suits your business needs.