什么是 Microsoft Intune?What is Microsoft Intune?

Intune 是企业移动管理 (EMM) 领域中基于云的服务,可帮助员工提高工作效率,同时保护企业数据。Intune is a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected. 与其他 Azure 服务一样,Microsoft Intune 也可在 Azure 门户中使用。Similar to other Azure services, Microsoft Intune is available in the Azure portal. 通过 Intune,还可以:With Intune, you can:

  • 管理工作人员用来访问公司数据的移动设备和 PC。Manage the mobile devices and PCs your workforce uses to access company data.
  • 管理员工使用的移动应用。Manage the mobile apps your workforce uses.
  • 通过帮助控制员工访问和共享公司信息的方式来保护公司信息。Protect your company information by helping to control the way your workforce accesses and shares it.
  • 确保设备和应用符合公司安全要求。Ensure devices and apps are compliant with company security requirements.

Intune 可帮助解决的常见业务问题Common business problems that Intune helps solve

Intune 如何工作?How does Intune work?

Intune 是企业移动性 + 安全性 (EMS) 的组件,可用于管理移动设备和应用。Intune is the component of Enterprise Mobility + Security (EMS) that manages mobile devices and apps. 它与 Azure Active Directory (Azure AD) 等其他 EMS 组件紧密集成以实现标识和访问控制,并与 Azure 信息保护集成以实现数据保护。It integrates closely with other EMS components like Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection. 将它与 Office 365 结合使用时,员工可以在其设备上高效工作,同时保护组织的信息。When you use it with Office 365, you can enable your workforce to be productive on all their devices, while keeping your organization's information protected.

Intune 体系结构示意图

查看 Intune 体系结构示意图的大图View a larger version of the Intune architecture diagram.

Intune 设备和应用管理功能和 EMS 数据保护功能的使用方式取决于尝试解决的业务问题How you use the device and app management features of Intune and EMS data protection depends on the business problem you’re trying to solve. 例如:For example:

  • 如果要创建一系列一次性设备供零售商店中的轮班员工共享,那么应该充分利用设备管理。You’ll make strong use of device management if you're creating a pool of single-use devices to be shared by shift workers in a retail store.
  • 如果允许员工使用其个人设备访问公司数据 (BYOD),则会依赖于应用管理和数据保护。You’ll lean on app management and data protection if you allow your workforce to use their personal devices to access corporate data (BYOD).
  • 如果要向信息工作者发放公司电话,那么将依赖所有这些技术。If you are issuing corporate phones to information workers, you’ll rely on all of the technologies.

Intune 设备管理介绍Intune device management explained

Intune 设备管理通过使用移动操作系统中的可用协议或 API 来实现。Intune device management works by using the protocols or APIs that are available in the mobile operating systems. 它包括类似以下的任务:It includes tasks like:

  • 向管理系统注册设备,以便 IT 部门具有访问公司服务的设备清单Enrolling devices into management so your IT department has an inventory of devices that are accessing corporate services
  • 配置设备,确保其满足公司安全和健康标准Configuring devices to ensure they meet company security and health standards
  • 提供证书和 Wi-Fi / VPN 配置文件以访问公司服务Providing certificates and Wi-Fi/VPN profiles to access corporate services
  • 报告和衡量设备是否符合公司标准Reporting on and measuring device compliance to corporate standards
  • 从托管设备中删除公司数据Removing corporate data from managed devices

有时,人们认为“对公司数据的访问控制”是一种设备管理功能。Sometimes, people think that access control to corporate data is a device management feature. 我们不这样认为,因为它不是由移动操作系统提供。We don’t think of it that way because it isn’t something that the mobile operating system provides. 确切地说,它是由标识提供程序提供。Rather, it’s something the identity provider delivers. 在本例中,标识提供程序是 Azure Active Directory (Azure AD)、Microsoft 的标识和访问管理系统。In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft’s identity and access management system.

通过与 Azure AD 集成,Intune 实现了一系列广泛的访问控制方案。Intune integrates with Azure AD to enable a broad set of access control scenarios. 例如,可以要求移动设备符合 Intune 中定义的公司标准,然后才允许设备访问 Exchange 之类的公司服务。For example, you can require a mobile device to be compliant with corporate standards that you define in Intune before the device can access a corporate service like Exchange. 同样,可以将公司服务锁定到特定的一组移动应用。Likewise, you can lock down the corporate service to a specific set of mobile apps. 例如,可以锁定 Exchange Online,只允许由 Outlook 或 Outlook Mobile 进行访问。For example, you can lock down Exchange Online to only be accessed by Outlook or Outlook Mobile.

Intune 应用管理介绍Intune app management explained

我们所说的应用管理是指:When we talk about app management, we are talking about:

  • 向员工分配移动应用Assigning mobile apps to employees
  • 使用应用运行时的标准设置来配置应用Configuring apps with standard settings that are used when the app runs
  • 控制在移动应用中使用和共享公司数据的方式Controlling how corporate data is used and shared in mobile apps
  • 从移动应用中删除公司数据Removing corporate data from mobile apps
  • 更新应用Updating apps
  • 报告移动应用清单Reporting on mobile app inventory
  • 跟踪移动应用使用情况Tracking mobile app usage

我们见到过将移动应用管理 (MAM) 这一术语用于单独表示这些操作中的任何一项或任意几项的组合。We have seen the term mobile app management (MAM) used to mean any one of those things individually or to mean specific combinations. 特别是,人们常常会将应用配置的概念与在移动应用中保护公司数据的概念相混淆。In particular, it’s common for folks to conflate the concept of app configuration with the concept of securing corporate data within mobile apps. 这是因为某些移动应用具有允许配置数据安全功能的设置。That’s because some mobile apps expose settings that allow their data security features to be configured.

我们说到应用配置和 Intune 时,特指 iOS 上的托管应用配置等技术。When we talk about app configuration and Intune, we are referring specifically to technologies like managed app configuration on iOS.

当在 EMS 中结合其他服务使用 Intune 时,可以通过应用配置提供高于移动操作系统和移动应用本身提供的组织移动应用安全。When you use Intune with the other services in EMS, you can provide your organization mobile app security over and above what is provided by the mobile operating system and the mobile apps themselves through app configuration. 使用 EMS 管理的应用可以访问更多的移动应用和数据保护,包括:An app that is managed with EMS has access to a broader set of mobile app and data protections that includes:

显示应用管理数据安全级别的图片

Intune 应用安全性Intune app security

提供应用安全性是应用管理的一部分,在 Intune 中,谈及移动应用安全性时,我们指的是:Providing app security is a part of app management, and in Intune, when we talk about mobile app security, we mean:

  • 将个人信息与企业 IT 识别保持隔离Keeping personal information isolated from corporate IT awareness
  • 限制用户可以对公司信息执行的操作,如复制、剪切/粘贴、保存和查看Restricting the actions users can take with corporate information such as copy, cut/paste, save, and view
  • 从移动应用中删除公司数据,也称为选择性擦除或公司擦除Removing corporate data from mobile apps, also known as selective wipe or corporate wipe

Intune 提供移动应用安全的一种方法是通过其应用保护策略功能。One way that Intune provides mobile app security is through its app protection policy feature. 应用保护策略使用 Azure AD 标识来隔离公司数据与个人数据。App protection policy uses Azure AD identity to isolate corporate data from personal data. 将为使用公司凭据访问的数据提供额外的企业保护。Data that is accessed using a corporate credential will be given additional corporate protections.

例如,用户使用公司凭据登录到其设备时,公司标识允许她访问使用个人标识无法访问的数据。For example, when a user logs on to her device with her corporate credentials, her corporate identity allows her access to data that is denied to her personal identity. 用户使用该公司数据时,应用保护策略会控制数据的保存方式和共享方式。As that corporate data is used, app protection policies control how it is saved and shared. 这些相同的保护措施将不会应用于用户通过个人标识登录其设备访问的数据。Those same protections are not applied to data that is accessed when the user logs on to her device with her personal identity. 这样,IT 能够控制公司数据,而最终用户可以保持对个人数据的控制性和私密性。In this way, IT has control of corporate data while the end user maintains control and privacy over personal data.

需要和无需设备注册的 EMMEMM with and without device enrollment

大多数企业移动性管理解决方案支持基本的移动设备和移动应用技术。Most enterprise mobility management solutions support basic mobile device and mobile app technologies. 这些通常与在组织的移动设备管理 (MDM) 解决方案中注册过的设备相关联。These are usually tied to the device being enrolled in your organization’s mobile device management (MDM) solution. Intune 支持这些方案,此外还支持许多“无需注册”方案。Intune supports these scenarios and additionally supports many “without enrollment” scenarios.

组织采取“无需注册”方案的程度有所不同。Organizations differ to the extent they will adopt “without enrollment” scenarios. 一些组织对其实现标准化。Some organizations standardize on it. 一些组织允许它用于配套设备,如个人平板电脑。Some allow it for companion devices such as a personal tablet. 其他组织则完全不支持。Others don’t support it at all. 即使在最后一种情况下(组织要求所有员工设备注册到 MDM),这些组织通常也会对承包商、供应商以及具有特定豁免权的其他设备支持“无需注册”方案。Even in this last case, where an organization requires all employee devices to be enrolled in MDM, they typically support "without enrollment" scenarios for contractors, vendors, and for other devices that have a specific exemption.

甚至可以在已注册的设备上使用 Intune 的“无需注册”技术。You can even use Intune’s “without-enrollment” technology on enrolled devices. 例如,在 MDM 中注册的设备可能会有移动操作系统提供的 open-in 保护。For example, a device enrolled in MDM may have "open-in" protections provided by the mobile operating system. “Open-in”保护是一种 iOS 功能,防止将一种应用(如 Outlook)中的文档在另一种应用(如 Word)中打开,除非这两种应用都由 MDM 提供程序托管。"Open-in" protection is an iOS feature that restricts you from opening a document from one app, like Outlook, into another app, like Word, unless both apps are managed by the MDM provider. 此外,IT 可能会将应用保护策略应用于 EMS 托管的移动应用,以控制另存为或提供多重身份验证。In addition, IT may apply the app protection policy to EMS-managed mobile apps to control save-as or to provide multi-factor authentication.

无论组织在已注册和未注册移动设备和应用方面的态度如何,作为 EMS 的一部分,Intune 包含一种能够在保护公司数据的同时提高员工工作效率的工具。Whatever your organization’s position on enrolled and unenrolled mobile devices and apps, Intune, as a part of EMS, has tools that will help increase your workforce productivity while protecting your corporate data.

Azure 门户中的 Microsoft IntuneMicrosoft Intune in the Azure portal

可在 Azure 门户中找到 Microsoft Intune 服务。The Azure portal is where you can find the Microsoft Intune service.

Azure 门户中 Microsoft Intune 的重要功能包括:Highlights of the Microsoft Intune experience in the Azure portal include:

  • 用于所有企业移动性 + 安全性 (EMS) 组件的集成控制台An integrated console for all your Enterprise Mobility + Security (EMS) components
  • 基于 Web 标准构建的基于 HTML 的控制台An HTML-based console built on web standards
  • 可自动执行多种操作的 Microsoft Graph API 支持Microsoft Graph API support to automate many actions
  • Azure Active Directory (AD) 组提供跨所有 Azure 应用程序的兼容性Azure Active Directory (AD) groups to provide compatibility across all your Azure applications
  • 支持大多数新式 Web 浏览器Support for most modern web browsers

若要获取自定义门户体验的快速指南,请参阅开始使用 Azure 门户中的 IntuneFor a quick guide to customize your portal experience, see Getting started with Intune in the Azure portal.

备注

如果已使用以前版本的 Microsoft Intune,可参考以下信息:If you've used a previous version of Microsoft Intune, you may find the following information helpful:

开始之前Before you start

若要使用 Azure 门户中的 Intune,必须拥有 Intune 管理员和租户帐户。To use Intune in the Azure portal, you must have an Intune admin and tenant account. 如果尚没有帐户,请注册帐户Sign up for an account if you don't already have one.

受 Azure 门户支持的 Web 浏览器Supported web browsers for the Azure portal

Azure 门户在大多数新式电脑、Mac 和平板电脑上都可以运行。The Azure portal runs on most modern PCs, Macs, and tablets. 不支持移动电话。Mobile phones are not supported. 目前,支持以下浏览器:Currently, the following browsers are supported:

  • Microsoft Edge(最新版本)Microsoft Edge (latest version)
  • Microsoft Internet Explorer 11Microsoft Internet Explorer 11
  • Safari(最新版本,仅限 Mac)Safari (latest version, Mac only)
  • Chrome(最新版本)Chrome (latest version)
  • Firefox(最新版本)Firefox (latest version)

请查看 Azure 门户,了解支持的浏览器的最新相关信息。Check the Azure portal for the latest information about supported browsers.

后续步骤Next steps