Protect Office 365 company data with Intune

The first thing most employees want on their mobile device is access to company email and documents. And they expect to set it up without going through complex steps or calling the help desk. IT, on the other hand, wants to keep corporate data secure wherever it is without the headache of maintaining a large, on-premises infrastructure. With Enterprise Mobility + Security (EMS) you'll be able to keep your employees productive with their favorite apps and devices—and your company data protected. Keep reading to see how.

How can Enterprise Mobility + Security (EMS) help you?

EMS is the only solution that is designed to natively protect Microsoft Office email, files, and apps on all of the devices your users bring to work. Behind the scenes, EMS makes it easy to deliver secure email to employees on the go by providing four layers of protection across identities, devices, apps, and data. With EMS, your employees will get secure and seamless access to corporate email and documents as well as familiar email and productivity experiences with Office Mobile apps such as Outlook, Word, Excel, PowerPoint, and OneDrive.

Office 365 is designed for employees who want the flexibility to take their work with them, wherever they go, without sacrificing the user experience. Together, EMS and Office 365 offer a complete managed mobile productivity solution that equips your users with the gold standard of productivity and your IT staff with deeply integrated data controls.

Using Intune you can easily provide employees access to company applications, data, and resources from virtually anywhere on any device, while helping to keep corporate information safe and secure at the same time. In addition to just being easier, Intune is also a more modern and cost-effective way to protect company data than most traditional on-premises solutions. With Intune securing Office 365 data, there’s no need to install and maintain any on-premises infrastructure or open your company firewall to route traffic through it.

Here's a short video to give you a quick introduction to how Intune and Office 365 work together to provide a seamless experience for employees to access your company data securely from iOS, Android, and Windows devices:

How to implement this solution

The rest of this solution is divided into the following sections that show you how to protect Office 365 company data with Intune:

  • Enroll mobile devices and Windows PCs into management. This section describes how to enroll devices (iOS, Android, Android for Work, and Windows PCs) into management with Intune so that you can deploy policies to them that protect Office 365 company data.
  • Secure access to Office 365 services. In this section you can learn about Intune compliance policies and how to manage conditional access to the Exchange Online and SharePoint Online Office 365 services.
  • Protect company data. This section shows you how to use app protection policies for Android and iOS devices, and also how to leverage Windows Information Protection (WIP) policies to safeguard company app data on Windows 10 PCs managed as devices by Intune.
  • Selectively wipe company data. This section helps you learn how to remove company apps and data from devices when they are no longer needed for work or have been lost or stolen.

Enroll mobile devices and Windows PCs into management

Enrolling devices and PCs into management with Intune ensures all the policies and access profiles you’ve configured for managed devices are applied. Before you can enroll devices, you will first need to prepare the Intune service itself by assigning licenses to users, setting the mobile device management authority, and satisfying the various enrollment requirements for the different device types that you want to manage. While you are at it, you should probably also customize the company portal with support information and company-specific branding to provide a trusted enrollment and support experience for your users.

After preparing the Intune service, the process to enroll devices into management is pretty straightforward, but slightly different for the various device types:

  • iOS and Mac devices. You'll need to get an Apple Push Notification service (APNs) certificate to enroll iPads, iPhones, or Mac OS X devices. After you've uploaded your APNs certificate to Intune, you can enroll iOS devices using the Company Portal app and use the Company Portal website to enroll Mac OS X devices.
  • Android devices. There's nothing you need to do to get the Intune service ready to enroll Android devices. Users can just enroll their Android devices into management using the Company Portal app available from Google Play.
  • Android for Work. To set up Android for Work for Android 5.0 Lollipop and later devices that support work profiles to be managed by Intune, your organization needs to sign up for Android for Work with Google and then configure Android for Work settings in the ADMIN node of the Intune administration console.
  • Windows Phones and PCs. You should set a DNS alias for the enrollment server to make enrolling Windows devices easier. Otherwise, you can enroll Windows devices by adding a work or school account.

You can make enrolling Windows devices even easier for your users by enabling the automatic enrollment feature in your Azure AD (Premium). When you do that, devices will automatically be enrolled into management with Intune when a user adds a work or school account to register their personal device or when a company-owned device joins your organization’s Azure AD.

Secure access to Office 365 services

Your users expect to get access to all of their company email and files when using Office 365 mobile apps, but you also need to be sure that only trusted devices are connecting to company resources. To help accomplish this, you can use Intune conditional access policies to make sure that employees access Office 365 cloud services only from managed and policy-compliant devices.

For conditional access policies to work you first have to define an Intune device compliance policy. These kinds of Intune policies check devices, both when first being enrolled and periodically afterwards, to ensure device settings are configured the way you want them to be. This makes it easy for you to be sure only devices that meet your security requirements can access company resources. Just define for yourself what makes a device compliant (e.g. require password to unlock, allow or deny simple passwords, minimum password length, not jailbroken, etc.) by creating an Intune device compliance policy and then deploy it to users.


Conditional access policies will not work if there is no compliance policy in place to validate compliance.

Conditional access policies can be used to secure access to Office 365 services such as Dynamics CRM Online¹, Exchange Online², SharePoint Online², and Skype for Business Online¹. Conditional access policies will be configured for Exchange Online and SharePoint Online in the following examples.

¹ iOS and Android only.

² iOS, Android, and Windows devices.

Secure access to Exchange Online

With Intune, your company’s Exchange Online email is protected according to the conditional access and compliance policies that you set. For example, you can restrict access to Exchange Online email to devices that use a strong password, are not jailbroken, and are encrypted.

Here's what happens when a user tries to check their email using a device that is not managed by Intune when you have configured conditional access policies to get to Exchange Online:

  1. The user tries to read their Exchange Online company email using the native email app on their unmanaged Android device. Access to email is denied because the device is not being managed by Intune and so is not compliant with your compliance policy.
  2. The only email the user sees is from the Intune service telling them that their device is not compliant with company policies and that they need to enroll it before getting access to their email.
  3. After the device is enrolled, and evaluated as compliant with company policies, full access to company email is restored.

Image showing how conditional access works for Exchange Online

Secure access to SharePoint Online

Intune can also easily secure access to SharePoint Online files using conditional access. Just like protecting access to email, you'll need to set up two policies that must be satisfied to enable access: a device compliance policy to make sure company policies are being followed on the device and a conditional access policy that sets conditions that must be met to access the service.

When a user attempts to use an unmanaged device to connect to the SharePoint Online service protected by Intune conditional access policies, this happens:

  1. The user is denied access to SharePoint Online resources and instead gets a message to beef up security and links to enroll their device into Intune management.
  2. Following the links provided by the access denied message, the user enrolls their device.
  3. After the device is enrolled, and evaluated as compliant with company policies, full access to company SharePoint Online data is restored.

Image showing how conditional access works for SharePoint Online
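The deny, enroll, re-evaluate flow described for Exchange Online and SharePoint Online can be modelled as a small decision function. This is an added example, not Intune's implementation or code from the original page; the class and field names are hypothetical, the device is constructed, and the walk-through adds one state the page does not show (enrolled but still non-compliant).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CompliancePolicy:
    # Illustrative field names for the settings the text lists.
    require_password: bool = True
    allow_simple_password: bool = False
    min_password_length: int = 6
    block_jailbroken: bool = True


@dataclass
class Device:
    name: str
    enrolled: bool = False
    has_password: bool = False
    password_is_simple: bool = False
    password_length: int = 0
    jailbroken: bool = False


def compliance_failures(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return every setting the device fails; an empty list means compliant."""
    failures = []
    if not device.has_password:
        if policy.require_password:
            failures.append("password required to unlock")
    else:
        if device.password_is_simple and not policy.allow_simple_password:
            failures.append("simple password not allowed")
        if device.password_length < policy.min_password_length:
            failures.append("password shorter than %d" % policy.min_password_length)
    if device.jailbroken and policy.block_jailbroken:
        failures.append("device is jailbroken")
    return failures


def conditional_access(device: Device,
                       policy: Optional[CompliancePolicy]) -> Tuple[str, List[str]]:
    """Gate access to a protected service on management state and compliance."""
    if policy is None:
        # Without a compliance policy nothing can validate the device.
        return "misconfigured", ["no compliance policy deployed"]
    if not device.enrolled:
        return "deny", ["device is not enrolled; enroll it to regain access"]
    failures = compliance_failures(device, policy)
    return ("deny", failures) if failures else ("allow", [])


def walk_through() -> List[Tuple[str, List[str]]]:
    """Replay the flow from the text, plus an enrolled-but-non-compliant state."""
    policy = CompliancePolicy()
    phone = Device(name="constructed-android-01")  # constructed sample device
    steps = [conditional_access(phone, policy)]            # unmanaged: denied
    phone.enrolled, phone.has_password = True, True
    phone.password_is_simple, phone.password_length = True, 4
    steps.append(conditional_access(phone, policy))        # enrolled, weak PIN
    phone.password_is_simple, phone.password_length = False, 8
    steps.append(conditional_access(phone, policy))        # compliant: allowed
    return steps


if __name__ == "__main__":
    for decision, reasons in walk_through():
        print(decision, reasons)
```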

Protect company data

You probably already know that most employees use their mobile devices for both personal and work reasons. Especially now, with more employee-owned devices being used for work, there’s an increasing risk of accidental data leaks through apps and services that are outside of your control, like email, social media, and the public cloud. For example, an employee might send the latest engineering pictures from their personal email account, copy and paste product info into a tweet, or save an in-progress sales report to their public cloud storage. So, the challenge for you is that while you need to keep employees productive, you must also do what you can to prevent both intentional and unintentional company data leaks.

While conditional access policies allow you to make sure only compliant devices and users can access email, there is still the question of protecting the emails themselves along with any attached files. How do you stop that content from being copied, moved, saved to a different location, or shared with others? Intune solves this problem by using Mobile Application Management (MAM) policies for iOS and Android devices and Windows Information Protection (WIP) policies for Windows 10 PCs and mobile devices.

MAM for managed iOS and Android mobile devices

You can use Intune mobile app management (MAM) policies to help protect company data that is accessed by your users' iOS and Android devices. By implementing these app-level policies, you are able to control how company data is used and shared by employees.


Intune MAM policies can be used independent of any mobile-device management (MDM) solution as long as the user has been assigned an Intune license. This means that you can protect your company’s data with or without enrolling devices into Intune management or even if a non-Microsoft MDM service manages the device.

As an admin, you configure Intune MAM app policy settings from the Azure admin portal. The two types of settings included in MAM policies are data relocation and access settings. Data relocation policies define how data from a protected app can be used. For example, you can prevent “Save As” or cut, copy, paste functions. Access policy settings determine the level of device security you think is necessary for employees to use the app. With these settings you can require an additional app PIN or keep the app from even running on jailbroken or rooted devices.

The following screenshots show some ways to protect an app using Intune MAM policies. In this example a PIN is required to access the app (an access setting) and company data is protected by denying pasting company information to unmanaged apps (data relocation setting):

  1. The first time the managed app (Yammer for iOS in this example) is started, the user is prompted to create a PIN to access the app. Afterwards, they'll have to enter that PIN every time the app starts.
  2. The user can copy company data like Yammer conversations and paste it into other managed apps.
  3. However, when the user tries to paste that content into a text message (or any other unmanaged app) the paste function will not be available.

Image showing how MAM policies work

Windows Information Protection (WIP) for managed Windows 10 PCs and mobile devices

Intune's WIP policies help protect against potential data leaks from managed Windows 10 devices. Best of all, these policies work without interfering with the employee experience or requiring changes to your network environment or other apps.

Here's how it works: enterprise data is automatically encrypted after it’s loaded on a managed Windows device from an enterprise source or if an employee marks the data as work (versus personal). When enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. When you make an Intune WIP policy, you define a list of trusted apps that are allowed to access and modify company data. Next, AppLocker functionality works in the background with the operating system to control what apps can run as well as how company data can be accessed and shared. Allowed apps don’t have to be modified to open company data because they're on the list that allows Windows to grant them access to company data.


When WIP policies are protecting apps and company data, end-users will see “Managed” in addition to each of the allowed app names in the Start Menu on their devices. App shortcuts and saved files will also show the WIP briefcase icon in addition to the standard app icons.

Image showing how WIP policies affect the Start Menu and files

WIP configuration policy settings allow you to set different levels of control and auditing from within the Intune administrator console. Data protection levels range from Silent (log WIP activity only) to Block, which will completely stop users from sharing any content from protected apps. Override is a middle setting that will enable users to share company data to unprotected apps with a warning, but also log all such actions for later review.

This is how Intune WIP policies can help protect company data on managed Windows 10 devices:

  1. A new WIP policy is created and deployed to users from the Intune administrator console.
  2. In this example, the AppLocker information for Microsoft Word is used to add Word 2016 to the list of allowed apps, the policy restriction level is set to Override, and the policy is deployed to users.
  3. A user attempts to paste company data copied from a protected Word 2016 document into a new, unprotected instance of Notepad. They are immediately prompted to verify that this change from work to personal classification is planned and that the action will be tracked.

Image showing how WIP policies work
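To compare what each protection level lets through and what it leaves in the audit trail, the following added example (a model for illustration, not Windows or Intune code and not from the original page) replays the same constructed clipboard events under Silent, Override, and Block. The function names and event format are hypothetical, and logging of blocked attempts is an assumption the page does not confirm.

```python
from enum import Enum
from typing import Dict, List, Set, Tuple


class Level(Enum):
    SILENT = "Silent"      # log WIP activity only
    OVERRIDE = "Override"  # warn, let the user proceed, log the action
    BLOCK = "Block"        # stop the share


def share(source_is_work: bool, target_app: str, allowed_apps: Set[str],
          level: Level, user_confirms: bool, audit: List[Dict]) -> bool:
    """Return True if the data reaches target_app; append audit entries."""
    # Personal data, and work data going to an allowed app, is unrestricted.
    if not source_is_work or target_app in allowed_apps:
        return True
    entry = {"target": target_app, "level": level.value}
    if level is Level.SILENT:
        audit.append({**entry, "outcome": "shared"})
        return True
    if level is Level.OVERRIDE:
        if not user_confirms:
            return False  # user backed out at the warning; nothing was shared
        audit.append({**entry, "outcome": "shared-after-warning"})
        return True
    # Block. Assumption: the page does not say whether blocked attempts
    # are logged; this model records them so reviewers can see them.
    audit.append({**entry, "outcome": "blocked"})
    return False


def replay(level: Level) -> Tuple[List[bool], List[Dict]]:
    """Run constructed paste events against an allowed list of {Word 2016}."""
    allowed = {"Word 2016"}
    audit: List[Dict] = []
    events = [
        (True, "Word 2016", False),  # work data into an allowed app
        (True, "Notepad", True),     # work data into Notepad, user accepts prompt
        (True, "Notepad", False),    # work data into Notepad, user cancels
        (False, "Notepad", False),   # personal data into Notepad
    ]
    results = [share(w, t, allowed, level, c, audit) for w, t, c in events]
    return results, audit


if __name__ == "__main__":
    for lvl in Level:
        outcome, log = replay(lvl)
        print(lvl.value, outcome, [e["outcome"] for e in log])
```

Under Silent every paste succeeds and only the log shows the leak, so that level is useful for measuring impact before enforcing, not for prevention.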

Selectively wipe company data

When a device is no longer needed for work, is being repurposed, or maybe has just gone missing, you need to be able to remove company apps and data from it. To do this you can leverage Intune's selective wipe and full wipe capabilities. Your users can also remotely wipe their own personally owned devices they've enrolled into management from the Intune Company Portal.

Rather than doing a full wipe that restores a device to its factory default settings and removes user data and settings, you can use selective wipe functionality to only remove company data from the device while leaving users’ personal data intact.

Performing a selective wipe of a device is as easy as right-clicking a device name, selecting Retire/Wipe, and then Selectively wipe the device:

Image of the selective wipe option in the Intune console

Once initiated, the device will immediately begin the selective wipe process to be removed from management. When the process is complete, all company data is deleted and the device name will be removed from the Intune administrator console, completing the device management lifecycle.

Learn more

Start using Enterprise Mobility + Security

Microsoft Enterprise Mobility