Protect email and attachments from data leakage

Protecting corporate email and documents talked about how you can make sure that only compliant devices can access corporate email. Securing access alone, however, does not protect the content of the email and its attachments: that content can still be copied, moved, saved to a different location, or shared with another user. EMS addresses this with mobile application management (MAM) policies.

Managed apps are apps deployed by your IT admin that comply with your company's security requirements. With these apps, IT has direct control over deployment, ongoing management such as inventory and updates, and selective wipe of the apps and their associated data. Additionally, through a set of mobile application management (MAM) policies, Intune lets you modify the functionality of apps and restrict sharing of data, for example:

  • Block copy and paste, or prevent data transfer from a managed app to an app without a MAM policy.

  • Prevent backup to personal cloud storage, block Save As, and so on.

  • Secure app access by requiring a PIN/passcode or corporate credentials on a MAM-protected app.

  • Configure the app to open all web links inside the Intune Managed Browser.

  • Selectively wipe only the data associated with the managed app. When a device is lost, stolen, or no longer managed by your IT, a selective wipe removes all corporate data from the apps and leaves personal app data in place. Keeping corporate and personal data separate inside the same app is known as multi-identity.

With Azure Information Protection, you can extend email protection in the following ways:

  • Email messages can be encrypted so that only the intended users can read or view the content, whether inside or outside your company.

  • Users can protect email messages, and recipients can read and use the protected messages sent to them.

  • An administrator can set rules to:

    • Automatically apply protection to a specified group of recipients, or create templates for specific departments.

    • Automatically detect sensitive content and apply rules to those messages. A rule can be based on sender, recipient, message subject, or content.

    • Detect sensitive content and alert the sender to apply the protection rules before the email is sent.
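The three kinds of administrator rule above map onto Exchange Online mail flow (transport) rules that apply a rights-protection template. The following is an added example, not part of the original page or of any Microsoft sample: it assumes the ExchangeOnlineManagement module, a tenant group finance@contoso.com, and a custom RMS template named "Contoso - Confidential" (a placeholder name; "Do Not Forward" is the built-in template). Sensitive information type names are the built-in Exchange classifications.

```powershell
# Added example (not from the original page): mail flow rules that apply
# Azure Information Protection / RMS templates in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed, a group
# finance@contoso.com exists, and "Contoso - Confidential" is a placeholder
# for a custom RMS template published in the tenant.
Connect-ExchangeOnline

# 1. Department rule: everything sent to the Finance group gets the
#    department template, regardless of who sent it.
New-TransportRule -Name "AIP - Finance recipients" `
    -SentToMemberOf "finance@contoso.com" `
    -ApplyRightsProtectionTemplate "Contoso - Confidential" `
    -Priority 0

# 2. Content rule: messages carrying sensitive information types are
#    protected with the built-in Do Not Forward template. The condition
#    matches body and attachments, so an attached spreadsheet of card
#    numbers is caught as well as inline text.
New-TransportRule -Name "AIP - Sensitive content" `
    -MessageContainsDataClassifications @(
        @{ Name = "Credit Card Number"; MinCount = 1 },
        @{ Name = "U.S. Social Security Number (SSN)"; MinCount = 1 }
    ) `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 1

# 3. Subject-based rule: a marker users already put in the subject line.
New-TransportRule -Name "AIP - Subject marker" `
    -SubjectContainsWords "Confidential", "Internal Only" `
    -ApplyRightsProtectionTemplate "Contoso - Confidential" `
    -Priority 2

# 4. Policy tip: warn the sender in Outlook / Outlook on the web before the
#    message leaves the organization, without blocking it. -NotifySender
#    requires a -MessageContainsDataClassifications condition.
New-TransportRule -Name "AIP - Warn sender about sensitive content" `
    -MessageContainsDataClassifications @(
        @{ Name = "Credit Card Number"; MinCount = 1 }
    ) `
    -SentToScope NotInOrganization `
    -NotifySender NotifyOnly `
    -Priority 3

# Check the result: rules are evaluated in priority order, first match wins
# for the Apply-template action, so the department rule must come first.
Get-TransportRule | Sort-Object Priority |
    Format-Table Name, Priority, State, ApplyRightsProtectionTemplate -AutoSize
```

Rule 4 only advises the sender; rules 1 to 3 enforce protection at transport time, so a user who ignores the tip still gets the template applied. Change `-NotifySender NotifyOnly` to `RejectUnlessExplicitOverride` if the sender should have to justify the send instead.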

Managed App Components

  • Microsoft Intune is where you configure the policies, associate them with apps, or use the App Wrapping Tool to enable an in-house app to use mobile application management policies.

  • The Company Portal is an app that either runs natively on each device or is browser based. Your IT deploys the managed apps to users or devices, and end users install the apps from the portal. The policies associated with the apps are carried to the device along with the apps.

Graphic showing how policies for managed apps are handled through the Company Portal and Microsoft Intune

The IT admin experience:

Your IT admin creates the mobile application management policies, associates each policy with an app, and deploys it to users or devices. When the managed app is installed on the device, the app restrictions take effect. Creating and deploying managed apps involves little or no additional effort:

  • Some existing apps already include the Intune App SDK, which lets you apply restrictions to them. These need no other processing; you just add a link pointing to an app store such as iTunes or Google Play. Read this article to see the list of managed apps.

  • If you want to manage apps created in-house, you can repackage them with the Microsoft Intune App Wrapping Tool. The tool repackages the app so that restrictions can be applied to it.
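The admin flow just described (create the MAM policy, associate it with apps, deploy it to users) and the restrictions listed earlier on this page (block transfer to unmanaged apps, block copy/paste out, block Save As and backup, require a PIN, open links in the Managed Browser, wipe corporate data) can be expressed as one Microsoft Graph request sequence. The block below is an added example, not code from the original page or from Intune itself: it assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementApps.ReadWrite.All, and a placeholder group id. The setting names are those of the Graph v1.0 iosManagedAppProtection resource as the editor knows them; verify them against the current reference before running in a tenant.

```powershell
# Added example (not from the original page or from Intune): create an iOS
# app protection (MAM) policy via Microsoft Graph, target it at managed
# apps, and assign it to a group. Property names follow the Graph v1.0
# iosManagedAppProtection resource; $groupId is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base    = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder Entra ID group object id

# For contrast only (never POSTed): these defaults let corporate data flow
# to any app and the clipboard, with no PIN. This is the state the page warns
# about: access is controlled, content is not.
$permissive = @{
    allowedOutboundDataTransferDestinations = "allApps"
    allowedOutboundClipboardSharingLevel    = "allApps"
    saveAsBlocked                           = $false
    dataBackupBlocked                       = $false
    pinRequired                             = $false
}

# Hardened policy: each setting maps to one restriction listed on the page.
$hardened = @{
    displayName                             = "iOS MAM - corporate data"   # placeholder name
    allowedOutboundDataTransferDestinations = "managedApps"   # no transfer to apps without a MAM policy
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # copy/paste stays in managed apps
    saveAsBlocked                           = $true           # blocks Save As
    dataBackupBlocked                       = $true           # no backup to personal cloud storage
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    pinRequired                             = $true           # PIN/passcode on the protected app
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5               # too many failures wipes app data
    organizationalCredentialsRequired       = $true           # corporate credentials to open the app
    managedBrowserToOpenLinksRequired       = $true           # web links open in the Managed Browser
    periodOfflineBeforeWipeIsEnforced       = "P90D"          # unmanaged for 90 days -> selective wipe
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOnlineBeforeAccessCheck           = "PT30M"
}

# Step 1: create the policy. Invoke-MgGraphRequest returns a hashtable.
$policy   = Invoke-MgGraphRequest -Method POST -Uri $base `
                -Body $hardened -ContentType "application/json"
$policyId = $policy.id

# Step 2: associate the policy with managed apps (apps that carry the
# Intune App SDK or were wrapped with the App Wrapping Tool).
$targetApps = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.Office.Outlook"
            }
        },
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.Office.Word"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/targetApps" `
    -Body $targetApps -ContentType "application/json"

# Step 3: deploy the policy to a user group. Restrictions take effect once
# a member installs one of the targeted apps and signs in with a work account.
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/assign" `
    -Body $assignment -ContentType "application/json"

# Check: read the policy back and confirm the outbound restriction stuck.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$policyId"
$check | Select-Object displayName, allowedOutboundDataTransferDestinations,
    allowedOutboundClipboardSharingLevel, saveAsBlocked, pinRequired
```

Apps that are neither SDK-enabled nor wrapped cannot be targeted here; a link to such an app in the Company Portal deploys it but applies no restrictions, which is the gap the App Wrapping Tool closes for in-house apps. A matching Android policy uses the androidManagedAppProtections collection with androidMobileAppIdentifier / packageId in place of bundleId.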

The end-user experience

End users can install managed apps and use them to do their work. They can only move or share data between managed apps; any attempt to move data out of the managed app ecosystem is blocked.

Where to go from here

Now that you understand how corporate email, documents, and email attachments are protected, you can learn how to implement a solution to protect your corporate email.