使用 Intune 在不管理设备的情况下保护公司数据Protect company data without managing devices with Intune

我们生活在一个移动的世界,员工需要在其移动设备上移动访问公司数据和高效率工具。We live in a mobile world where employees require on the go access to corporate data and productivity tools on their own mobile devices. 由于其普及性和重要性,许多组织通过在保留出色的最终用户体验的同时防止数据从 Office 移动应用丢失,寻求对 Office 365 数据的进一步保护。Because of its popularity and importance, many organizations are looking to further protect Office 365 data by preventing data loss from Office mobile apps while preserving great end user experiences. IT 需要保护对 Office 365 的访问,并防止公司数据从组织不拥有或管理的移动设备和应用丢失。IT needs to protect access to Office 365 and prevent data loss of corporate data from mobile devices and apps that the organization does not own or manage. 问题在于,IT 需要保护公司数据的安全,但许多员工对 IT 取得其个人设备的控制权有隐私方面的顾虑。Trouble is, while IT needs to keep corporate data secure, many employees have a privacy concern when IT takes control over their personal device.

企业移动性 + 安全性 (EMS) 可提供什么帮助?How can Enterprise Mobility + Security (EMS) help you?

Microsoft Intune 中的 EMS 提供了创新的数据丢失防护功能。EMS delivers innovative data loss protection capabilities with Microsoft Intune. 通过此功能,可保护公司数据并保留员工熟悉的 Office 365 应用的出色用户体验。With it, you can protect company data and preserve the great user experience with Office 365 apps that employees are accustomed to. 无需用户注册其设备进行管理也可实现,这可显著增加自带设备办公计划成功的可能性以及 IT 策略的最终用户合规性。And you can do it without requiring users to enroll their devices for management, which can significantly increase the chances of success of your BYOD program and end user compliance with IT policies. 你获取所需的控制,用户则享受他们所期望的新式体验。You get the control you need and users enjoy modern experience they've come to expect. 由于可直接将 Microsoft Intune 用于 Azure Active Directory 和 Office 365 以管理对公司数据的访问并保护公司数据,所以无需安装和维护本地基础结构或通过其路由所有流量。Because Microsoft Intune works directly with Azure Active Directory and Office 365 to manage access and protect company data, there’s no need to install and maintain an on-premises infrastructure or to route all traffic through it.

Microsoft Intune 使组织能够在不要求员工注册到设备管理的情况下,提供对移动应用的访问并防止 Office 365 数据泄露。Microsoft Intune empowers organizations to provide access to mobile apps and protect Office 365 data leaks without requiring employees to enroll into device management. 如有需要,仍可完成设备管理 (MDM),但现在不是必需。Device management (MDM) can still be done if needed, but it is now optional. Intune 强大的应用程序保护功能可帮助 IT 保护应用级别的公司数据,无需管理实际设备。Intune's powerful application protection capabilities help IT protect company data at the app level without having to manage actual devices. 对于高度机密的数据,可通过 Azure 信息保护进一步将保护扩展到文件级别。For highly confidential data, protection can be extended even further to the file level with Azure Information Protection. 员工、供应商和合作伙伴可使用他们最喜欢的移动设备访问熟悉的高效率工具和公司数据,无需担心侵犯隐私的风险。Employees, vendors, and partners can use their favorite mobile devices to access familiar productivity tools and corporate data without risking intrusion on their privacy. 如果 IT 已采用了一个 MDM 解决方案,Intune 可添加高级 Office 365 访问控制数据丢失防护,无需将设备从当前 MDM 解决方案中注销后重新注册到 Intune MDM 中。And if IT already has an MDM solution in place, Intune can add advanced Office 365 access control data loss protection without requiring devices be unenrolled from the current MDM solution and re-enrolled into Intune MDM.

请观看此演示,了解如何使用不需要用户设备注册到 Intune MDM 的 Intune 创新性应用程序保护功能,防止数据从移动应用丢失(包括 O365 和内部业务线 (LOB) 应用):Watch this demo to see how you can prevent data loss from mobile apps (including O365 and your internal line-of-business (LOB) apps) using Intune’s innovative application protection capabilities that do not require enrollment of user devices into Intune MDM:

实现本解决方案的方式How to implement this solution

此解决方案的其余部分分为以下各节,展示如何使用 Intune 保护 Office 365 公司数据:The rest of this solution is divided into the following sections that show you how to protect Office 365 company data with Intune:

  • 使用 Intune 移动应用保护策略保护应用数据Protect app data with Intune mobile app protection policies. 本部分介绍如何创建和部署 Microsoft Intune 应用程序保护策略,向非托管移动设备的用户提供数据丢失防护功能(如复制/粘贴/另存为/PIN/加密/选择性擦除/等)。This section describes how to create and deploy Microsoft Intune application protection policies to provide data loss prevention capabilities (like copy/paste/save as/PIN/encryption/selective wipe/etc.) to users of unmanaged mobile devices.

  • 仅允许支持应用保护策略的移动应用访问 Office 365 服务Allow only mobile apps that support app protection policies to access Office 365 services. 在此部分,将了解如何创建仅允许支持 Intune MAM 策略的移动应用访问 O365 服务(如 Exchange Online)的策略。In this section you learn how create a policy that allows only mobile apps that support Intune MAM policies to access O365 services like Exchange Online.

使用 Intune 移动应用保护策略保护应用数据Protect app data with Intune mobile app protection policies

在非托管设备上保护应用数据时,部署应用的方式与在托管设备上的部署方式不同。When protecting app data on unmanaged devices, you don’t deploy apps like you would with managed devices. 用户会在他们个人的 iOS 或 Android 设备上从公共应用商店下载 Office 365 应用,然后照常使用他们的工作帐户登录。Instead, users download Office 365 apps from the public app store on their personal iOS or Android devices and then log in with their work accounts just like usual.

在 Azure 门户可轻松为 iOS 和 Android 设备创建用于这些应用的应用保护策略。App protection policies for those apps are simple to create for iOS and Android devices in the Azure portal. 这类策略允许限制用户操作(如剪切、复制、粘贴和另存为)或者强制实施 PIN、要求加密以及选择性地从移动应用擦除公司数据。These kinds of policies allow you to restrict user actions like cut, copy, paste, and save as or enforce a PIN, require encryption, and selectively wipe company data from mobile apps. 将它们分配给用户时,应用保护策略将自动由 Intune 应用,并强制在个人和工作帐户与应用之间实施。When they are assigned to users, app protection policies are automatically applied by Intune and enforced between personal and work accounts and apps. 因为 Intune 与 Azure AD 和 Office 365 无缝集成,所以保护工作数据的同时,相同 Office 应用中的个人数据保持不变。Because Intune is seamlessly integrated with Azure AD and Office 365, work data is protected while personal data in the same Office apps remains untouched.


这类应用保护策略适用于 Intune 使用 Windows 信息保护 (WIP) 策略作为移动设备管理的 Windows 10 计算机。App protection polices like these are available for Windows 10 computers managed by Intune as mobile devices using Windows Information Protection (WIP) policies.

下面介绍了如何轻松选择要保护的应用、配置应用保护策略设置,并在登录 Azure 门户后将策略部署到最终用户的组:Here’s how easy it is to select apps to protect, configure app protection policy settings, and deploy policy to groups of end users after you log into the Azure portal:


要查找 Intune 应用保护策略设置,只需使用 Intune 管理员凭据登录 Azure 门户,并在门户顶部的“搜索资源”框中搜索 Intune 应用保护即可。To find the Intune app protection policy settings, just log into the Azure portal with your Intune administrator credentials and search for Intune App Protection in the Search resources box at the top of the portal. 从该位置完成所有以下步骤。All of the following steps are completed from there.

  • 创建移动应用保护策略。Create a mobile app protection policy. 除为策略命名(以及有选择性地提供说明)外,要创建应用保护策略只需定义平台、选择想要保护的应用并配置要强制实施的策略设置即可:Other than naming (and optionally providing a description) for the policy, all you need to do to create an app protection policy is to define the platform, select the apps you want to protect, and configure the policy settings to enforce:

定义平台:创建新策略时能够选择 iOS 或 Android 平台,但不能在此处创建适用于 Windows 设备的应用保护策略。Define the platform: You’ll be able to select either the iOS or Android platforms when creating a new policy, but you won’t be able to create app protection policies for Windows devices here. 可改为使用 Windows 信息保护 (WIP) 策略Instead, you can use Windows Information Protection (WIP) policies.

从可在非托管设备上得到保护的可用应用列表中选择一个或多个应用作为目标。Select one or more apps to target from the list of available apps capable of being protected on unmanaged devices. 随着受支持的应用越来越多,它们会自动添加到可用应用列表中。As more apps become supported, they’ll automatically be added to the list of available apps. 默认情况下,不会选中任何应用,但可按住 Ctrl 并单击选择多个想要使用策略进行保护的应用。By default, none are selected, but you can CTRL+Click to multi-select as many apps as you’d like to protect with the policy. 或者,也可以添加我们自己的适用于 iOS 或 Android 的业务线 (LOB) 应用Alternatively, you can add our own line of business (LOB) app for iOS or Android.

为 iOS 或 Android配置所需策略设置用于数据重定位(剪切、复制、粘贴、另存为、加密等)和访问(需要 PIN、脱机时间间隔等)。Configure required policy settings for iOS or Android for Data Relocation (cut, copy, paste, save as, encryption, etc.) and Access (require a PIN, offline interval, etc.).

  • 通过选择将应用策略的用户组向用户组部署应用保护策略Deploy the app protection policy to user groups by selecting the user groups the policies will apply to. 可以是已在 Office 365 中管理的相同组或在 Azure Active Directory 中可用的任何组。This can be the same groups you already manage in Office 365 or any group available in Azure Active Directory.

最终用户首次打开受应用保护策略保护的应用时,将收到一条消息,告知他们 IT 部门现在正在应用中保护公司数据。The first time an end user opens an app protected by an app protection policy, they will receive a message telling them that their IT department is now protecting company data in the app. 如果已将策略“访问权限”设置配置为需要 PIN 或密码,系统还会提示用户先创建一个 PIN 或密码,然后才可获得访问 Android 设备中受保护应用的权限,如下所示:If the policy Access settings have been configured to require a PIN or password, the user will also be prompted to create one before gaining access the protected app as shown below from an Android device:

应用保护策略 PIN 要求

因为应用保护策略适用于应用级别,而不适用于设备级别,因此 Intune 通过限制在托管应用和个人应用之间,以及相同应用内的公司帐户和个人帐户之间共享公司数据,并且仅允许公司数据保存到已批准位置,使 IT 部门可轻松保护公司数据。Because app protection polices work at the application instead of device level, Intune makes it easy for IT to protect company data by restricting the sharing of company data between managed and personal apps, between corporate and personal accounts within the same app, and only allowing corporate data to be saved to approved locations. 若要在移动时获得访问重要公司工具和数据的权限,使用移动设备的员工无需再放弃对其设备的控制权。Mobile employees no longer need to give up control of their devices to get access to vital corporate tools and data on the go.


对于高度机密的数据,可通过 Azure 信息保护使用的保护技术将保护进一步扩展到文件级别:Azure 权限管理 (Azure RMS)。For highly confidential data, protection can be extended even further to the file level with the protection technology used by Azure Information Protection: Azure Rights Management (Azure RMS).

仅允许支持应用保护策略的移动应用访问 Office 365 服务Allow only mobile apps that support app protection policies to access Office 365 services

默认情况下,所有用户和所有应用都有权访问 Exchange Online 托管的公司信息。By default, all users and all apps have access to company information hosted by Exchange Online. 借助 Intune,可通过仅对支持 Intune 应用保护策略的应用配置限制访问 Office 365 服务的应用条件性访问策略,轻松控制向其授予访问权限的人员和应用。With Intune you can easily control who and what apps are granted access by configuring app conditional access policies that restrict access to Office 365 services to only apps that support Intune’s app protection policies. 例如,从 Azure 门户,可仅对 Android 和 iOS(无论设备是否进行了托管)上的特定组和应用创建限制访问 Exchange Online 的策略。For example, from the Azure portal you can create a policy that restricts access to Exchange Online to only certain groups and apps on Android and iOS whether the device is managed or not.

  • 对 Exchange Online 创建应用保护条件性访问策略。Create an app protection conditional access policy to Exchange Online. 这些策略的创建位置与之前讨论的应用保护策略的创建位置相同。These policies are created in the same place as the app protection polices discussed earlier. 除了定义允许访问 Exchange Online 的应用外,还需要定义用户访问组,管理与 Exchange Online 的连接。In addition to defining the apps allowed to access Exchange Online, you’ll also need to define user access groups to manage connections to Exchange Online.

  • 用户首次尝试使用受策略支持的应用访问 Exchange Online 时,需要配置代理应用Users will need to configure a broker app the first time that they try to use a policy supported app to access Exchange Online. 对于 iOS 设备,代理应用是 Microsoft Authenticator 应用,而 Android 设备需要安装 Intune 公司门户应用。For iOS devices the broker app is the Microsoft Authenticator app and Android devices will need to install the Intune Company Portal app. 虽然这些代理应用将向 Azure AD 注册设备以提供设备标识验证,但它们不会将设备注册到管理中。While these broker apps will register the device with Azure AD to provide device identity verification, they will not enroll the device into management.

借助用于 Exchange Online 的条件性访问策略,用户尝试使用如 Android 设备上所示的本机电子邮件客户端访问其公司电子邮件时,将收到一封电子邮件,如下所示:With the conditional access policy for Exchange Online in place, users will receive an email similar to the following when they try to access their corporate email using the native email client as shown on an Android device:

应用保护策略 Outlook 应用要求

最终用户点击电子邮件中的“立即开始”链接时,设备的默认 Web 浏览器将打开并显示 https://portal.manage.microsoft.com/OutlookRedirect.aspx。When the end user taps the Get started now link in the email, the default web browser for the device opens and displays https://portal.manage.microsoft.com/OutlookRedirect.aspx. 此时,系统将提示用户从设备使用的应用商店安装免费的 Microsoft Outlook 应用。From there, the user is prompted to install the free Microsoft Outlook app from the app store used by the device.

了解详细信息Learn more

开始使用企业移动性 + 安全性Start using Enterprise Mobility + Security

Microsoft 企业移动性Microsoft Enterprise Mobility