了解 MDM 的生命周期Understand the MDM lifecycle


本主题是更大的设计注意事项指南的一部分。This topic is part of a larger design considerations guide. 如果你希望从指南的开头开始,请查看主要主题If you'd like to start at the beginning of the guide, check out the main topic. 若要获取此完整指南的可下载副本,请访问 TechNet 库To get a downloadable copy of this entire guide, visit the TechNet Gallery.

了解管理移动设备的不同方面在设计移动设备管理解决方案时很重要。Understanding the different areas of managing mobile devices is important when designing your mobile device management solution. 下图概述了整个移动设备管理生命周期的各个阶段。The figure below outlines the overall mobile device management lifecycle stages. 每个阶段都有你在计划解决方案时需要考虑的独特要求和问题。Each stage has unique requirements and questions for you to consider when planning your solution. 我们将从本部分中的注册阶段开始,并且将在整个指南中对其他阶段进行更为详细的介绍。We’ll start with the enrollment stage in this section, and the other stages will be covered in more detail throughout this guide.


移动设备管理生命周期的各个阶段Mobile device management lifecycle stages

设备注册和配置Device enrollment and configuration

移动设备管理从初始注册设备并将其配置到移动设备管理解决方案开始。Mobile device management starts with the initial enrollment and configuration of devices into your mobile device management solution. 在移动设备管理生命周期中,注册的简洁性和方便性是成功的关键因素。Simplicity, ease of registration, and enrollment are the key factors for success in the mobile device management lifecycle. 如果初始设备注册有难度或过度令人费解,那么你和你的用户可能都不情愿继续执行移动设备管理解决方案,这意味着你无法使用该解决方案提供的功能、好处和保护。If initial device enrollment is difficult or overly confusing, both you and your users may be reluctant to go ahead with a mobile device management solution, which means you couldn’t leverage the features, benefits, and protections that the mobile device management solution can deliver.

移动设备管理解决方案中的移动设备注册的启动方式通常有两种:Mobile device enrollment in mobile device management solutions are typically initiated in two ways:

  • 管理员管理的注册Administrator-managed enrollment
  • 用户/所有者自行注册User/owner self-enrollment

管理员管理的注册提供集中管理的注册体验,并且通常集中在使用一个目录帐户批量注册多台设备。Administrator-managed enrollment offers a centrally managed enrollment experience, and typically is centered on bulk enrollment of multiple devices using a single directory account. 这在需要将公司所拥有的多台设备注册到移动设备管理解决方案时会很有用。This is useful if you need to enroll many company-owned devices into your mobile device management solution.

而在自行注册时,将由设备用户/所有者在移动设备管理解决方案中自行注册其设备。With self-enrollment, the device user/owner enrolls their device in the mobile device management solution. 这通常用于“自带设备办公”(BYOD) 方案,不过它也可以用于公司拥有设备的方案。This is typically used in “bring your own device” (BYOD) scenarios, although it can also be used in scenarios where the company owns the device. 这种注册通常使用“基于推送”的注册模式,即在用户尝试从设备连接到企业网络或网络资源时,将自动触发设备,使它在移动设备管理解决方案中完成注册。This type of enrollment typically uses a “push-based” enrollment model, where devices are automatically triggered to enroll in the mobile device management solution when the user tries to connect to the corporate network or network resource from the device. 有时,用户也可以在连接到组织网络或资源前选择注册自己的设备。Users can sometimes also elect to enroll their devices before connecting to an organization’s network or resources.

注册和配置移动设备包括以下内容:Enrolling and configuring mobile devices includes the following:

  • 部署、访问并管理内部和外部应用程序及服务Deploying, accessing, and managing internal and external applications and services
  • 强制执行设备安全和访问配置Enforcing device security and access configurations
  • 保护设备免受安全威胁Protecting devices from security threats

在大多数情况下,当移动设备在移动设备管理解决方案中注册时,将自动为该设备分配相关的策略和权限,这些策略和权限已经与设备的用户目录帐户和/或设备本身在目录服务中的关联组相关联。In most cases, when a mobile device is enrolled in a mobile device management solution, the device is automatically assigned policies and permissions that you have associated with the device user’s directory account and/or the group the device itself is associated with in directory services. 根据移动设备管理解决方案,大多数设备策略和权限的配置和预配在设备注册前就已完成。Depending on the mobile device management solution, most of the configuring and provisioning of device policies and permissions is done before device enrollment. 之后,策略和合规性设置会在设备注册后立即生效,从而避免了注册和合规性之间的断链。Then policy and compliance settings take effect as soon as the devices enroll, avoiding gaps between enrollment and compliance.

设备注册和配置规划Device enrollment and configuration planning questions

若要计划 MDM 生命周期管理,请回答以下关于规划设备注册和配置的问题:To plan for MDM lifecycle management, answer the following planning questions about device enrollment and configuration:

  • 移动设备是由你、用户还是双方注册?Will mobile devices be enrolled by you, by users, or both?
  • 你需要批量注册移动设备吗?Do you need to ability to bulk-enroll mobile devices?
  • 你最多需要批量注册多少个设备?What is the maximum number of devices you’ll need to bulk-enroll?
  • 你的组织中的移动操作系统平台需要不同的批量注册要求和资源吗?Do the mobile operating system platforms in your organization require different bulk enrollment requirements and resources?
  • 每位用户通常使用和需要注册多少台设备?How many devices will each user typically use and need to enroll?
  • 移动设备管理解决方案是否有基于每位用户的设备注册限制?Does the mobile device management solution have a per-user device enrollment limit?
  • 用户自动注册设备的(连接、应用程序、管理代理、公司门户、支持)要求有哪些?What are the requirements (connectivity, application, management agent, company portal, support) for users to self-enroll devices?
  • 这与管理员管理的注册的要求有区别吗?Is this different from the requirements for administrator-managed enrollment?
  • 你需要支持的每个设备操作系统的注册要求是什么?What are the enrollment requirements for each device operating system you need to support?
  • 你的组织中的移动设备操作系统有特殊或独特的注册要求吗?Do the mobile device operating systems in your organization require special or unique enrollment requirements?
  • 移动设备管理解决方案同时支持连接和无线注册吗?Does the mobile device management solution support both connected and over-the-air enrollments?
  • 支持设备注册有哪些硬件要求(如果有)?What are the hardware requirements (if any) for supporting device enrollments?
  • 支持设备注册的网络连接和网络安全要求有哪些?What are the network connectivity and network security requirements for supporting device enrollments?
  • 在初始注册时,你需要将特定设备合规性策略应用到设备吗?Do you need specific device compliance policies applied to devices upon initial enrollment?
  • 在初始注册时,你需要将特定设备安全策略应用到设备吗?Do you need specific device security policies applied to devices upon initial enrollment?
  • 初始注册后,你需要具有针对预配设备策略配置或设置最长或最短时限的能力吗?Do you need the ability to configure or set a maximum or minimum time limit for provisioning device policies after initial enrollment?
  • 你需要在注册失败时自动触发特殊预配策略吗?Do you require special provisioning policies to be automatically triggered in the event of enrollment failures?

设备管理Device management

无论从你还是从设备用户的角度来看,移动设备的管理方式都是移动设备管理解决方案的关键组成部分。How mobile devices are managed, both from your perspective and the device user’s perspective, is a key component of a mobile device management solution.

例如,你可能想要将移动设备的管理方式与非移动设备(服务器、台式计算机和其他联网设备)的管理方式集成。For example, you may want to integrate the way mobile devices are managed with how non-mobile devices (servers, desktops, other networked devices) are managed. 非移动设备管理解决方案可能早在移动设备引入组织的之前就已存在,具体视组织而定。Depending on the organization, non-mobile device management solutions may have been in place long before mobile devices were introduced to the organization. 这可能花费了高昂的成本,并且可能在这些管理解决方案中包括了长期投资。This may have been at considerable cost and may include long-term investments in these management solutions.

在设计满足组织需要的移动设备管理解决方案时,全面了解组织如何将移动设备管理解决方案与现有非移动设备管理解决方案集成可能是要完成的最重要的活动之一。Thoroughly understanding how your organization can integrate mobile device management solutions with existing non-mobile device management solutions is likely one of the most important activities to complete when designing a mobile device management solution that meets the needs of your organization.

移动设备管理通常包括以下几个管理领域:Mobile device management typically involves several administrative areas:

  • 设备安全和配置:移动设备安全包括各种可以部署到组织中托管设备的设置。Device security and configuration: Mobile device security includes a wide range of settings that you can deploy to managed devices in your organization. 设置包括指定计时、到期时间以及设备密码访问、设备加密和从丢失或被盗设备擦除数据所要求的特征。Settings can include specifying the timing, expiration, and required characteristics for device passcode access, device encryption, and erasing data from lost or stolen devices. 有关安全和配置的更多详细信息,请参阅主题步骤 3 - 保护移动设备More details about security and configuration are in the Step 3 - Plan for securing mobile devices topic.
  • 应用程序管理:该领域包括管理应用程序部署、安装、更新和管理状态以及应用程序删除。Application management: This area includes managing application deployment, installation, updating and managing status, and application removal. 你还可以管理针对某些不符合标准的应用程序的限制,这对于整个合规性和安全策略而言很重要。You can also manage restrictions on certain non-compliant applications, which can be central to an overall compliance and security strategy. 也可能存在需要管理移动设备上的应用程序,但不想将设备注册到移动设备管理平台的的应用程序管理方案。There may also be application management scenarios where you need to manage applications on mobile devices, but don’t want to enroll the devices into the mobile device management platform.
  • 公司资源访问: MDM 还可以帮助管理针对本地网络资源的访问,例如电子邮件服务器、Wi-Fi 网络和已启用 VPN 的资源。Company resource access: MDM can also help manage access to on-premises network resources, such as email servers, Wi-Fi networks, and VPN-enabled resources. 这不仅有助于确保安全合规性,还让移动设备用户可以根据公司策略更加轻松地访问公司资源,可谓一举两得。This serves a dual purpose of helping to insure security compliance and making it easier for mobile device users to access company resources according to company policy. 如果访问组织资源对于移动设备用户而言过于复杂或有难度,他们可以选择使用未经批准的公司资源来存储公司数据,因为这样做更为简单。If accessing organization resources is overly complex or difficult for mobile device users, they may opt to use non-approved company resources to store company data because it’s easier.
  • 清单和报告:在管理移动设备时,你会想要记录并分析移动设备和平台事件,以跟踪组织中的管理策略的遵守情况。Inventory and reporting: When you manage mobile devices, you’ll want to record and analyze mobile device and platform events to track compliance with the management policies in your organization. 详细报告还将向你提供实时统计信息和数据,以便你可以基于移动设备状态和移动设备用户更快、更好地制定决策。Detailed reporting can also provide you with real-time statistics and data so that you can make faster, better decisions based on the status of mobile devices and mobile device users. 将在后面的部分中提供有关清单和报告的详细信息。More details about inventory and reporting is included in a later section.

设备管理规划Device management planning questions

当前只需关注关键的管理方面,因为你还在确定要求。For now, focus only in the key administration aspects as you are still defining the requirements. 当以迭代方式制定计划时,你可以完善这些要求,从而能更好地了解组织的整体需求。回答以下有关设备管理的计划问题:You can refine these requirements as you iterate on your plan and better understand the overall needs of your organization.Answer the following planning questions about device management:

  • 是否需要将特定管理策略应用到用户组、设备组和/或设备操作系统组?Do you need specific management policies applied to groups of users, groups of devices, and/or groups of device operating systems?
  • 是否需要用于不同种类的设备的特定管理策略,Do you need specific management policies for different types of devices? 例如,分别针对用户所有或公司所有的设备应用不同的策略,或者分别针对移动设备或非移动设备应用不同的策略?For example, separate policies for user-owned or company-owned devices, or mobile devices and non-mobile devices?
  • 是否需要在多个 IT 角色或职位中划分设备管理权限?Do you need to separate device management rights and permissions among several IT roles or positions? 如果是的话:If so:
    • 划分权限级别的要求是什么?What separation of permission levels is required?
    • 解决方案支持的权限级别是否需要是可自定义的?Do the permission levels supported by the solution need to be customizable?
    • 权限是否需要集成到你的现有帐户目录服务中?Do the permissions need to be integrated into your existing account directory services?
  • 是否需要同时具有手动和自动部署移动设备管理解决方案代理或软件的能力?Do you need the ability to both manually and automatically deploy the mobile device management solution agents or software?
  • 是否需要管理移动设备上的应用程序,但是无需将设备注册到移动设备管理平台(新的或现有的)?Do you need the ability to manage applications on mobile devices, but don’t need to enroll the device into a mobile device management platform (either new or existing)?
  • 是否希望将管理移动设备与现有非移动设备管理解决方案集成?Do you want to integrate managing mobile devices with an existing non-mobile device management solution? 如果是的话:If so:
    • 是否希望通过统一的管理控制台或门户管理所有设备?Do you want to manage all devices from a unified management console or portal?
    • 现有的非移动设备管理解决方案的集成要求是什么?What are the integration requirements for your existing non-mobile device management solution?
    • 现有的非移动设备管理解决方案如何支持所需的管理角色和权限?How does your existing non-mobile device management solution support required management roles and permissions?
    • 如果要在移动设备管理和非移动设备管理解决方案之间连接管理服务,那么是否有硬件或网络要求?Are there hardware or networking requirements to connect management services between the mobile device management and the non-mobile device management solutions?
    • 这两种解决方案是否都有单独的或集成清单和报告系统?Do both solutions have separate or integration inventory and reporting systems?
  • 移动设备管理解决方案是否有可供用户安装其应用的公司门户?Does the mobile device management solution have a company portal for users to install their apps?
  • 移动设备管理解决方案是否能满足你公司的可扩展性要求?Does the mobile device management solution meet your company’s scalability requirements?
  • 移动设备管理解决方案是否支持远程管理?Does the mobile device management solution support remote administration?
  • 移动设备管理解决方案是否支持自动化?Does the mobile device management solution support automation?

应用管理App management

某些情况下,你可能不想将移动设备注册到设备管理系统,但是需要管理设备上的应用程序,以阻止公司数据被泄露给设备上的其他使用者应用或服务。Some cases, you may not want to enroll a mobile device into a device management system but still need to manage applications on the device to prevent company data from being leaked to other consumer apps or services on the device. 在 BYOD 方案中,甚至在需要在一台设备上管理移动设备,在另一个设备管理平台上管理应用程序的方案中,这可能适用于使用个人设备访问公司资源的员工。This could apply to employees using personal devices to access company resources in a BYOD scenario, or even in scenarios where you need to manage mobile devices on one device management platform and manage applications on another device management platform.

应用管理规划App management planning questions

若要规划应用管理注意事项,请回答以下计划问题:To plan for app management considerations, answer the following planning questions:

  • 公司数据是否需要与移动设备上的应用程序中的使用者数据进行隔离?Does company data need to be isolated from consumer data within apps on mobile devices?
  • 是否需要阻止通过剪切/复制/粘贴在移动设备上的公司和个人应用之间共享数据?Do you need to prevent data from being shared via cut/copy/paste across company and personal apps on mobile devices?
  • 是否需要阻止应用将数据备份或保存到其他应用或服务?Do you need to prevent apps from backing up or saving data to other apps or services?
  • 是否需要为每个应用启用数据丢失阻止策略?Do you need to enable per-App data loss prevention policies?
  • 是否需要限制托管浏览器中显示的 Web 内容?Do you need to restrict web content displayed in a managed browser?

设备停用/注销Device retirement/unenrollment

当用户离开组织或者移动设备已停用或替换时,你需要确保企业数据未丢失或泄露。When users leave your organization or mobile devices are retired or replaced, you need to make sure that corporate data isn’t lost or compromised. 通常情况下,移动设备管理解决方案支持重置和注销 IT 管理的和用户管理的设备。Typically, mobile device management solutions support both IT-managed and user-managed device resets and unenrollment. 对于大多数移动设备而言,注销首先要将设备重置为出厂默认设置,或选择性地擦除所有企业数据和应用程序。With most mobile devices, unenrollment starts with resetting the device to factory defaults or performing a selective wipe of all corporate data and applications. 然后删除设备注册与管理解决方案之间的连接。Then the device enrollment connection to the management solution is removed. 但是,该过程在移动设备制造商和设备操作系统平台之间会有所不同。However, the process varies between mobile device manufacturers and device operating system platforms.

设备停用/注销规划Device retirement/unenrollment planning questions

回答以下有关规划设备停用/注销的问题:Answer the following planning questions about device retirement and unenrollment:

  • 你需要 IT 和用户都能够注销移动设备吗?Do you need the ability for both IT and users to unenroll mobile devices?
  • 如果设备要选择性地擦除,它应该自动从移动设备管理解决方案中注销吗?If a device is selectively wiped, should it be automatically unenrolled from the mobile device management solution?
  • 如果移动设备用户可以注销自己的移动设备,那么该如何验证是否已删除企业数据和应用程序呢?If mobile device users can unenroll their mobile devices, how will the removal of corporate data and applications be verified?
    • 这对于选择性擦除的设备和重置为出厂默认设置的设备是不是不一样?Is this different for devices that are selectively wiped and devices that are reset to the factory default setting?

请务必记录下每个答案,并了解答案背后的基本原理。Make sure to take notes of each answer and understand the rationale behind the answer. 之后的任务将详细阐述可用选项以及每个选项的优点/缺点。Later tasks will go over the options available and advantages/disadvantages of each option. 回答这些问题将帮助你选择最符合你的业务需求的选项。Answering these questions will help you select the option that best suits your business needs.