使用 Microsoft Intune 保护应用和数据Protect apps and data with Microsoft Intune

适用于:经典门户中的 IntuneApplies to: Intune in the classic portal
在寻找有关 Azure 门户中 Intune 的文档吗?Looking for documentation about Intune in the Azure portal? 请转到此处Go here.

Intune 通过多个技术层保护公司数据。Intune protects company data through multiple technology layers. 在标识层上,条件性访问通过仅允许从托管及合规设备进行访问来保护对服务的访问。At the identity layer, conditional access protects access to services by only allowing access from managed and compliant devices. 在客户端应用程序层上,移动应用管理 (MAM) 通过防止将数据移动到不受保护的应用或存储位置以及在设备丢失或被盗时擦除数据来防止数据丢失。At the client application layer, mobile application management (MAM) protects data loss by preventing data from moving to nonprotected apps or storage locations—and by wiping data when a device is lost or stolen. 应结合使用这两个保护层,在保持移动办公人员高效工作的同时保护数据。We recommend using these two layers of protection together to help secure data while keeping your mobile workforce productive.

保护公司数据的第一步是实施条件性访问,这一步非常重要。An important first step to protecting company data is to implement conditional access. 这可通过确保用于访问数据的设备使用强密码和加密等安全保护且未越狱来实现。You do this by making sure that devices that are used to access that data are using security protections like strong passwords and encryption, and are not jailbroken. 使用 Intune,可设置设备必须遵守才能访问公司电子邮件和数据的条件。Intune lets you set conditions that the devices have to comply with before they're allowed to access your company email and data.

条件性访问由可在 Intune 中设置的两种策略类型决定:Conditional access is determined by two types of policies that you can set in Intune:

  • 合规性策略用于确定设备的合规性。You use compliance policies to determine the compliance of a device. 它们评估以下设置和条件:They evaluate settings and conditions like:
    • PIN 和密码:可创建以下规则:必须提供密码才可解锁设备、设定密码的复杂性要求和其他密码设置。PINs and passwords: You can create rules to require passwords to unlock a device, for the complexity requirements of the password, and for other password settings.
    • 加密:你可以限制对加密设备的访问。Encryption: You can restrict access to devices that are encrypted.
    • 设备未越狱或取得 root 权限:Intune 可检测注册的设备是否已越狱。When a device is not jailbroken or rooted: Intune can detect if an enrolled device is jailbroken. 可以设置策略来阻止此类设备的访问。You can set the policy to block access on such devices.
  • 条件性访问策略专为 Exchange Online 或 SharePoint Online 等特定服务配置。You configure conditional access policies for a particular service, like Exchange Online or SharePoint Online. 对于每个服务,你可以定义这些策略应该应用到哪些用户组。For each service, you can define which groups of users these policies should apply to. 例如,你可以确保财务部门的每个人只能从注册的合规设备访问公司电子邮件。For example, you can make sure that everyone in the finance department can only access company email from enrolled and compliant devices.

保护对公司资源的访问只是保护公司数据的第一步。Securing access to company resources is just the first step to protecting company data. 在设备上访问数据后,仍需要保护数据的能力。You still need the ability to protect data after it's been accessed on the device. 现在可以将数据复制、移动、保存到其他位置,或进行共享。The data can now be copied, moved, saved to a different location, or shared. Intune 通过创建以下规则组来向你提供限制数据移动的能力,从而解决此问题:Intune solves this problem by providing you with the ability to restrict data movement by creating a set of rules like:

  • 阻止复制和粘贴,或防止将数据传输到工作环境之外。Blocking copy and paste, or preventing data transfer outside of the work context.
  • 防止备份到个人云存储位置,防止“另存为”等功能。Preventing backup to personal cloud storage and preventing "Save as".
  • 要求 PIN/密码或企业凭据,保障应用访问安全。Securing app access by requiring a PIN/passcode or corporate credentials.
  • 在 Intune 管理的浏览器中打开所有 Web 链接。Having all web links open within the Intune Managed Browser.

这些规则组被称为移动应用管理 (MAM) 策略These set of rules are referred to as mobile application management (MAM) policies. 可将 MAM 策略应用于设备上运行的应用,无论该设备是否受管理均是如此。You can apply MAM policies to apps that are running on devices that might or might not be managed by you.

可对已在 Intune 中注册的设备由其他第三方移动设备管理 (MDM) 解决方案注册或管理的设备,或者未在任何 MDM 解决方案中注册的设备(例如员工自有设备)应用 MAM 策略来保护公司数据。You can protect your company data by using MAM policies for devices that are enrolled in Intune, devices that are enrolled and managed by another third-party mobile device management (MDM) solution, or devices that are not enrolled in any MDM solution, like employee-owned devices.

若要将应用与 MAM 策略相关联,该应用必须包含 Microsoft Intune 应用软件开发工具包 (SDK),或者能够使用应用包装工具。To associate an app with a MAM policy, the app must incorporate the Microsoft Intune App Software Development Kit (SDK), or you can use the App Wrapping Tool.

与 Microsoft Office 应用类似的应用内置了 Intune 应用 SDK。Apps like Microsoft Office apps have the Intune App SDK built in. 若要查看所支持应用的完整列表,请转到 Microsoft Intune 应用程序合作伙伴页面上的 Microsoft Intune 移动应用程序库You can see the full list of supported apps in the Microsoft Intune mobile application gallery on the Microsoft Intune application partners page. 选择应用可查看支持的方案、平台以及应用是否支持多身份。Choose the app to see the supported scenarios and platforms, and whether the app supports multi-identity.

还可启用自定义构建的业务线应用,与 MAM 策略配合使用。You can also enable your custom-built line-of-business apps to use with MAM policies.

如果设备丢失或被盗,或者用户不再与公司合作,除了限制数据移动之外,还可选择性擦除公司数据,仅保留个人数据。In addition to restricting data movement, if a device gets lost or stolen or the user is no longer working with your company, you can selectively wipe company data, which leaves only personal data behind.