通过 Microsoft Intune 使用适用于 iOS 和 Android 的 Teams 来管理消息协作访问Manage team collaboration access by using Teams for iOS and Android with Microsoft Intune

Microsoft Teams 是 Microsoft 365 中的团队协作中心,它集成了团队需要的人员、内容和工具,可以提高团队的参与度和效率。Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the people, content, and tools your team needs to be more engaged and effective.

订阅企业移动性 + 安全性套件(包括 Microsoft Intune 和 Azure Active Directory Premium 功能,如条件访问)可获得最丰富和最广泛的 Microsoft 365 数据保护功能。The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features, such as conditional access. 最基础的层面来说,你需要部署一个条件访问策略,该策略允许从移动设备连接到适用于 iOS 和 Android 的 Teams,还需要部署 Intune 应用保护策略确保协作体验受到保护。At a minimum, you will want to deploy a conditional access policy that allows connectivity to Teams for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected.

应用条件访问Apply Conditional Access

组织可以使用 Azure AD 条件访问策略来确保用户只能使用适用于 iOS 和 Android 的 Teams 访问工作或学校内容。Organizations can use use Azure AD Conditional Access policies to ensure that users can only access work or school content using Teams for iOS and Android. 为此,你需要一个面向所有潜在用户的条件访问策略。To do this, you will need a conditional access policy that targets all potential users. 有关创建此策略的详细信息,请参阅通过条件访问要求访问云应用时具有应用保护策略Details on creating this policy can be found in Require app protection policy for cloud app access with Conditional Access.

  1. 请遵循“步骤 1:为 Office 365 配置 Azure AD 条件访问策略”(方案 1:Office 365 应用要求批准的应用具有应用保护策略),这允许使用适用于 iOS 和 Android 的 Teams,但阻止支持 OAuth 的第三方移动设备客户端连接到 Office 365 终结点。Follow "Step 1: Configure an Azure AD Conditional Access policy for Office 365" in Scenario 1: Office 365 apps require approved apps with app protection policies, which allows Teams for iOS and Android, but blocks third-party OAuth capable mobile device clients from connecting to Office 365 endpoints.

    备注

    此策略可确保移动用户可以使用适用的应用访问所有 Office 终结点。This policy ensures mobile users can access all Office endpoints using the applicable apps.

创建 Intune 应用保护策略Create Intune app protection policies

应用保护策略 (APP) 定义允许的应用以及这些应用可对组织的数据执行的操作。App Protection Policies (APP) define which apps are allowed and the actions they can take with your organization's data. APP 中可用的选项使组织能够根据特定需求调整保护。The choices available in APP enable organizations to tailor the protection to their specific needs. 对于某些组织而言,实现完整方案所需的策略设置可能并不明显。For some, it may not be obvious which policy settings are required to implement a complete scenario. 为了帮助组织确定移动客户端终结点强化的优先级,Microsoft 为其面向 iOS 和 Android 移动应用管理的 APP 数据保护框架引入了分类法。To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.

APP 数据保护框架分为三个不同的配置级别,每个级别基于上一个级别进行构建:The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:

  • 企业基本数据保护(级别 1)可确保应用受 PIN 保护和经过加密处理,并执行选择性擦除操作。Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. 对于 Android 设备,此级别验证 Android 设备证明。For Android devices, this level validates Android device attestation. 这是一个入门级配置,可在 Exchange Online 邮箱策略中提供类似的数据保护控制,并将 IT 和用户群引入 APP。This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
  • 企业增强型数据保护(级别 2)引入了 APP 数据泄露预防机制和最低 OS 要求。Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. 此配置适用于访问工作或学校数据的大多数移动用户。This is the configuration that is applicable to most mobile users accessing work or school data.
  • 企业高级数据保护(级别 3)引入了高级数据保护机制、增强的PIN 配置和 APP 移动威胁防御。Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. 此配置适用于访问高风险数据的用户。This configuration is desirable for users that are accessing high risk data.

若要查看每个配置级别的具体建议以及必须受保护的核心应用,请查看使用应用保护策略的数据保护框架To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

无论设备是否已注册统一终结点管理 (UEM) 解决方案,都需要使用如何创建和分配应用保护策略中的步骤来为 iOS 和 Android 应用创建 Intune 应用保护策略。Regardless of whether the device is enrolled in an unified endpoint management (UEM) solution, an Intune app protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. 这些策略必须至少满足以下条件:These policies, at a minimum, must meet the following conditions:

  1. 包括所有 Microsoft 365 移动应用程序(如 Edge、Outlook、OneDrive、Office 或 Teams),因为这样可以确保用户在任何 Microsoft 应用中均能够以安全的方式访问和处理工作或学校数据。They include all Microsoft 365 mobile applications, such as Edge, Outlook, OneDrive, Office, or Teams, as this ensures that users can access and manipulate work or school data within any Microsoft app in a secure fashion.

  2. 它们将分配给所有用户。They are assigned to all users. 这可确保所有用户都受到保护,不管他们使用的是适用于 iOS 还是 Android 的 Teams。This ensures that all users are protected, regardless of whether they use Teams for iOS or Android.

  3. 确定哪一个框架级别满足你的要求。Determine which framework level meets your requirements. 大多数组织应实现企业增强型数据保护(级别 2)中定义的设置,因为这样可以启用数据保护和访问要求控制。Most organizations should implement the settings defined in Enterprise enhanced data protection (Level 2) as that enables data protection and access requirements controls.

有关可用设置的详细信息,请参阅 Android 应用保护策略设置iOS 应用保护策略设置For more information on the available settings, see Android app protection policy settings and iOS app protection policy settings.

重要

若要针对未在 Intune 中注册的 Android 设备上的应用应用 Intune 应用保护策略,用户还必须安装 Intune 公司门户。To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. 有关详细信息,请参阅 Android 应用由应用保护策略托管时会出现的情况For more information, see What to expect when your Android app is managed by app protection policies.

利用应用配置Utilize app configuration

适用于 iOS 和 Android 的 Teams 支持允许统一终结点管理(例如允许 Microsoft Endpoint Manager 和管理员自定义应用的行为)的应用设置。Teams for iOS and Android supports app settings that allow unified endpoint management, like Microsoft Endpoint Manager, administrators to customize the behavior of the app.

可以通过已注册设备上的移动设备管理 (MDM) OS 通道(iOS 上为 Managed App Configuration 通道,Android 上为 Android in the Enterprise 通道)来交付应用配置,也可以通过 Intune 应用保护策略 (APP) 通道来交付应用配置。App configuration can be delivered either through the mobile device management (MDM) OS channel on enrolled devices (Managed App Configuration channel for iOS or the Android in the Enterprise channel for Android) or through the Intune App Protection Policy (APP) channel. 适用于 iOS 和 Android 的 Teams 支持以下配置方案:Teams for iOS and Android supports the following configuration scenarios:

  • 仅允许工作或学校帐户Only allow work or school accounts

重要

对于需要在 Android 上进行设备注册的配置方案,必须在 Android Enterprise 中注册设备,并且必须通过托管的 Google Play 商店部署适用于 Android 的 Teams。For configuration scenarios that require device enrollment on Android, the devices must be enrolled in Android Enterprise and Teams for Android must be deployed via the Managed Google Play store. 有关详细信息,请参阅 设置 Android Enterprise 工作配置文件设备的注册为托管的 Android Enterprise 设备添加应用配置策略For more information, see Set up enrollment of Android Enterprise work profile devices and Add app configuration policies for managed Android Enterprise devices.

每个配置方案都强调了其特定要求。Each configuration scenario highlights its specific requirements. 例如,配置方案是否需要进行设备注册以便能够用于任何 UEM 提供程序,或者是否需要 Intune 应用保护策略。For example, whether the configuration scenario requires device enrollment, and thus works with any UEM provider, or requires Intune App Protection Policies.

备注

使用 Microsoft Endpoint Manager 的情况下,通过 MDM OS 通道交付的应用配置称为托管设备应用配置策略 (ACP);通过应用保护策略通道交付的应用配置称为托管应用应用配置策略 。With Microsoft Endpoint Manager, app configuration delivered through the MDM OS channel is referred to as a Managed Devices App Configuration Policy (ACP); app configuration delivered through the App Protection Policy channel is referred to as a Managed Apps App Configuration Policy.

仅允许工作或学校帐户Only allow work or school accounts

体现 Microsoft 365 价值的关键是遵从最大范围和高度管控客户的数据安全和合规性策略。Respecting the data security and compliance policies of our largest and highly regulated customers is a key pillar to the Microsoft 365 value. 一些公司要求捕获其公司环境内的所有通信信息,并确保设备仅用于公司通信。Some companies have a requirement to capture all communications information within their corporate environment, as well as, ensure the devices are only used for corporate communications. 为了支持这些要求,可以将已注册设备上适用于 iOS 和 Android 的 Teams 配置为仅允许在该应用中预配一个公司帐户。To support these requirements, Teams for iOS and Android on enrolled devices can be configured to only allow a single corporate account to be provisioned within the app.

下面的资源详细介绍了如何配置组织允许的帐户模式设置:You can learn more about configuring the org allowed accounts mode setting here:

此配置方案仅适用于已注册的设备。This configuration scenario only works with enrolled devices. 但是,它支持所有 UEM 提供程序。However, any UEM provider is supported. 如果未使用 Microsoft Endpoint Manager,则需要参阅 UEM 文档,了解如何部署这些配置项。If you are not using Microsoft Endpoint Manager, you need to consult with your UEM documentation on how to deploy these configuration keys.

后续步骤Next steps