Protect on-premises company data with Intune

Firewalls alone can no longer provide an adequate corporate security boundary. Today, security boundaries must include the end user and how they access, use, and share company data. Whether working on their smartphones, tablets, or laptops, information workers expect frictionless access to resources from anywhere, on any device, and whenever they need it. Enabling access and protection capabilities for users can be a challenge for IT administrators who also need to make sure company data is protected. With Enterprise Mobility + Security (EMS) you'll be able to keep your employees productive with their favorite apps and devices while also keeping your on-premises company data protected. Continue reading to see how.

How can Enterprise Mobility + Security (EMS) help you?

Enterprise Mobility + Security (EMS) is the only comprehensive cloud solution that natively protects corporate data on the device itself and beyond, with four layers of protection across identities, devices, apps, and data. With EMS, your employees get secure and seamless access to corporate email and documents while IT is confident that company data is protected.

Using Microsoft Intune, you can remotely configure resource access profile policies to auto-provision email accounts, deploy access profiles such as Wi-Fi or VPN settings, and provide certificate profiles that ensure devices accept and install only trusted configurations.

In addition to providing access, Intune's conditional access to on-premises Microsoft Exchange 2010 or later servers ensures that only managed and compliant devices can access company email. Expanding management beyond the devices themselves, you can also use Intune's integration with the Cisco Identity Services Engine (ISE), and soon other partners, to restrict access to the company network to only devices that are enrolled into management with Intune and compliant with company policies. You can even provide secure access to on-premises applications without VPNs, DMZs, or on-premises reverse proxies by leveraging the Azure Active Directory Application Proxy. Best of all, all of this can be done without installing or maintaining additional on-premises infrastructure or opening your company firewall to route traffic through it.

Here's a short video to give you a quick introduction to how conditional access with EMS provides a seamless experience for employees to access your company data securely from iOS, Android, and Windows devices:

How to implement this solution

The rest of this solution is divided into the following sections, which show you how to protect Office 365 company data with Intune:

  • Enroll mobile devices and Windows PCs into management. This section describes how to enroll devices (iOS, Android, Android for Work, and Windows PCs) into management so that you can configure secure access to on-premises resources with Intune.
  • Access and protect company email. This section shows you how Intune can automatically configure native app email settings for your users and how to provide conditional access to your on-premises Exchange Server.
  • Provide access to other on-premises company resources. This section describes how to provide employees with secure access to on-premises network resources by using Wi-Fi, VPN, or the Azure Active Directory Application Proxy.
  • Use certificates to secure company resource access. This section helps you create and deploy either a PKCS #12 (.PFX) or Simple Certificate Enrollment Protocol (SCEP) certificate to secure user access to company resources.

Enroll mobile devices and Windows PCs into management

Enrolling devices and PCs into management with Intune ensures that all the policies and access profiles you've configured for managed devices can be applied. Before you can enroll devices, you first need to prepare the Intune service itself by assigning licenses to users, setting the mobile device management authority, and satisfying the various enrollment requirements for the different device types that you want to manage. While you are at it, you should also customize the company portal with support information and company-specific branding to provide a trusted enrollment and support experience for your users.

After preparing the Intune service, the process to enroll devices into management is straightforward, but differs slightly for the various device types:

  • iOS and Mac devices. You'll need to get an Apple Push Notification service (APNs) certificate to enroll iPads, iPhones, or Mac OS X devices. After you've uploaded your APNs certificate to Intune, users can enroll iOS devices using the Company Portal app and use the Company Portal website to enroll Mac OS X devices.
  • Android devices. There's nothing you need to do to get the Intune service ready to enroll Android devices. Users can just enroll their Android devices into management using the Company Portal app available from Google Play.
  • Android for Work. To set up Android for Work for Android 5.0 Lollipop and later devices that support work profiles managed by Intune, your organization needs to sign up for Android for Work with Google and then configure Android for Work settings in the ADMIN node of the Intune administration console.
  • Windows Phones and PCs. You should set a DNS alias for the enrollment server to make enrolling Windows devices easier. Otherwise, you can enroll Windows devices by adding a work or school account.

You can make enrolling Windows devices even easier for your users by enabling the automatic enrollment feature in your Azure AD (Premium). When you do that, devices are automatically enrolled into management with Intune when a user adds a work or school account to register their personal device, or when a company-owned device joins your organization's Azure AD.

Access and protect company email

The first thing most employees want on their mobile device is access to company email and documents. And they expect to set it up without going through complex steps or calling the help desk. Microsoft Intune makes it easy for you to create and deploy email settings for native email apps that are pre-installed on mobile devices used by your organization.

Using Intune Conditional Access policies for Exchange on-premises, you can be sure that only managed, policy-compliant devices registered in Azure Active Directory can access your company's on-premises Exchange Server information.

Configure Exchange email settings for native email apps on managed devices

You can easily configure native email app settings on the following devices by creating email profile configuration policies and deploying them to users:

  • Windows Phone (8 and later)
  • Windows 10 Desktop and Mobile
  • iOS (8.0 and later)
  • Android (Samsung Knox Standard 4.0 and later, or Android for Work)

Intune supports Android for Work email profile configuration for the Gmail and Nine Work email apps found in the Google Play store.

Protect access to your on-premises Exchange Server

In addition to using Intune to provide email configuration settings to connect to on-premises Exchange servers, you can also use Intune to control email access to an on-premises Exchange Server (2010 or later) through the Intune on-premises Exchange connector.

If a device is not enrolled or is not compliant with company policies, the user is presented with information about how to either enroll their device into management or remediate the compliance issues blocking their access to email.

Have a look at these example scenarios for more ideas about how you can use Intune conditional access to protect your company's Exchange email.

You can configure a conditional access policy for Exchange on-premises for the following device types in use by your organization:

  • Windows Phone (8.1 and later)
  • iOS (8.0 and later)
  • Android (4.0 or later, and Samsung Knox Standard 4.0)
  • Android for Work (currently only supported for Gmail and Nine Work app email profiles)
  • The Mail application on managed Windows PCs

Intune conditional access policies only work with the native email apps on devices, with the exception of the Gmail and Nine Work email apps in the work profile for Android for Work. The Microsoft Outlook app for Android and iOS is currently not supported, but support is planned for the future.

Provide access to other on-premises company resources

In addition to email, EMS also helps you control access to, and protect, on-premises company data that is accessed from outside traditional corporate security boundaries. Microsoft Intune Wi-Fi, VPN, and email profiles work together to help your users gain access to the files and resources they need to do their work wherever they are. Your company's web applications and services hosted on-premises can also be securely accessed and protected using the Azure Active Directory Application Proxy and conditional access.

Deploy Wi-Fi settings to managed devices

Intune Wi-Fi configuration policies make it easy for you to deploy wireless network settings to your users. These settings let your users connect to the corporate network without manually configuring Wi-Fi settings on any of the following supported devices:

  • Android (4.0 and later, Samsung KNOX Standard, and Android for Work) (1)
  • iOS (8.0 and later) (1)
  • Mac OS X (10.9 and later) (1)
  • Windows devices (Windows 8.1 and later PCs, Windows Phone 8.1 or Windows 10 Mobile and later) (2)

(1) You can use a built-in Intune Wi-Fi configuration policy.

(2) You can import a previously exported Wi-Fi settings .xml configuration profile.

Deploy VPN settings to managed devices

VPN connections are used when your users need to remotely connect to company resources from their mobile devices. With Intune, you can create and deploy VPN configuration profiles that enable users to easily and securely access corporate network resources without manually configuring VPN server or authentication method information.

You can configure VPN settings for the many VPN connection types supported by Intune on the following kinds of devices:

  • Android (4.0 and later, Samsung KNOX Standard, and Android for Work)
  • iOS (8.0 and later)
  • Mac OS X (10.9 and later)
  • Windows devices (Windows 8.1 and later PCs, Windows Phone 8.1 and Windows 10 Mobile and later)

Protect network access

Just as access to company Exchange information can be limited to managed and compliant devices, you can use Cisco Identity Services Engine (ISE) network policies to secure access to your network environment. Cisco ISE is a policy-based network access control system that can be deployed across enterprise infrastructures supporting 802.1X wired, wireless, and VPN access.

Rather than configuring settings in the Intune administration console, device access to Cisco ISE managed networks is configured on the Cisco ISE server. All you need to do is give the Cisco ISE server permission to access your Intune tenant and then use Cisco ISE policies to allow access to your network environment only to managed and compliant devices.

Cisco ISE licenses, which are not included with EMS, are required to leverage this protection.

You can also enable single sign-on (SSO) and conditional access to secure remote access to web applications hosted on-premises using the Azure AD Application Proxy. The Azure AD Application Proxy makes it easy for your users to access web applications hosted on-premises, such as SharePoint sites, Outlook Web Access, or other LOB web applications, without requiring a VPN. Connections to Web APIs that support different devices and apps hosted behind a Remote Desktop Gateway can also be secured.

Setting up the Azure Active Directory Application Proxy is easy to do. Just enable the feature in Azure AD (Basic or Premium), install a small Windows Server service called a connector inside your network, and then publish applications to it. There's no need to open any inbound firewall ports or put anything in a DMZ. Once you have it set up, access to on-premises web applications is provided by single sign-on to Azure AD. Conditional Access rules, such as requiring multi-factor authentication or blocking access when employees aren't at work, provide additional safeguards.

Use certificates to secure company resource access

When you give users access to company resources through VPN, Wi-Fi, or email profiles, you can secure that access by using a certificate installed on each user's device rather than depending on a simple user name and password for authentication.

You can create and deploy either a PKCS #12 (.PFX) or Simple Certificate Enrollment Protocol (SCEP) certificate profile, to be used by devices requesting authentication certificates, on these device platforms:

  • iOS (8.0 and later)
  • Mac OS X (10.9 and later)
  • Android (4.0 and later, and Android for Work)
  • Windows 8.1 (and later)
  • Windows Phone (8.1 and later)
  • Windows 10 (desktop and mobile) and later

Although you need an Enterprise Certification Authority (CA) to do any certificate-based authentication for your company, there are other prerequisites that must be met before using either SCEP or .PFX certificates to secure access to company resources.

  • Before you can use Intune to create and deploy SCEP certificate profiles, you must first configure the certificate infrastructure for SCEP. This step requires configuring several on-premises servers, including an Enterprise Certification Authority (CA), a Network Device Enrollment Server (NDES), and the Microsoft Intune Certificate Connector server.
  • To use .PFX certificate profiles (trusted mobile device certificates), you need the Intune Certificate Connector (which can be installed on the CA) in addition to the Enterprise Certification Authority. NDES is not required.

A web application proxy (WAP) server is optional for use with both SCEP and .PFX certificates; it enables devices to receive and renew certificates over an internet connection.

When you deploy certificate profiles to users, the trusted CA certificate is installed on their device. The device then uses the SCEP or .PFX certificate profile to create a certificate request for itself. When the certificate request is completed, you can use certificates to authenticate Wi-Fi, VPN, and email profile configuration policies by selecting the certificate (instead of username and password) authentication method option in the policy.
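The flow just described (trusted CA certificate on the device, a certificate request created for the device, a .PFX bundle, and a resource that trusts only certificates chaining to that CA) modelled end to end with OpenSSL, as an added example that is not code from Intune, NDES, or the Certificate Connector. The CA, the device identity "device-001", the password "Secret1", and the 90-day validity are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: models the certificate flow with OpenSSL. Everything is
# constructed locally (a throwaway "Enterprise CA" and one device); it is not
# Intune's, NDES's or the Certificate Connector's code.

# 1. The trusted CA whose certificate the certificate profile pushes to devices.
make_ca() {             # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Enterprise CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# 2. The device generates its own key and a certificate request for itself.
make_device_request() { # $1 = work dir, $2 = device id
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# 3. The CA issues a client-authentication certificate for that request.
issue_device_cert() {   # $1 = work dir, $2 = device id
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$1/ext.cnf"
  openssl x509 -req -days 90 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -out "$1/$2.crt" 2>/dev/null
}

# 4. Key, certificate and CA chain bundled as PKCS #12 (.PFX) for delivery.
bundle_pfx() {          # $1 = work dir, $2 = device id, $3 = bundle password
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -certfile "$1/ca.crt" -passout "pass:$3" -out "$1/$2.pfx" 2>/dev/null
}

# 5. What a Wi-Fi, VPN or mail endpoint must check before trusting a device:
#    the certificate chains to the trusted CA, is valid for client use, and
#    carries the clientAuth EKU. Returns 0 only when all of that holds.
verify_device_cert() {  # $1 = trusted CA cert, $2 = presented device cert
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Runs the whole flow for one constructed device and prints the verdict.
run_demo() {            # $1 = work dir
  make_ca "$1" && make_device_request "$1" device-001 && \
    issue_device_cert "$1" device-001 && bundle_pfx "$1" device-001 Secret1 || return 1
  if verify_device_cert "$1/ca.crt" "$1/device-001.crt"; then
    echo "device-001: certificate chains to the trusted CA, grant access"
  else
    echo "device-001: certificate rejected, deny access"; return 1
  fi
}

run_demo "$(mktemp -d)"
```

A certificate issued by any other CA, even one with an identical subject name, fails `verify_device_cert`, which is the property that makes the device certificate a stronger credential than a user name and password.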

Learn more

Start using Enterprise Mobility + Security

Microsoft Enterprise Mobility