Technology decisions for enabling BYOD with Microsoft Enterprise Mobility + Security (EMS)

As you develop your strategy to enable employees to work remotely on their own devices (BYOD), you need to make key decisions about the scenarios in which you enable BYOD and about how you protect your corporate data. Fortunately, EMS offers all of the capabilities you need in one comprehensive set of solutions.

In this topic, we examine the simple use case of enabling BYOD access to corporate email. We focus on whether you need to manage the entire device or just the applications; both are completely valid choices.

Assumptions

  • You have basic knowledge of Azure Active Directory and Microsoft Intune
  • Your email accounts are hosted in Exchange Online

Common reasons to manage the device (MDM)

You can easily drive users to enroll their devices into device management by deploying a Conditional Access policy on Exchange Online. Here are the reasons you might want to manage personal devices:

WiFi/VPN – If your users need a corporate connectivity profile to be productive, it can be configured seamlessly.

Applications – If your users need a set of apps pushed to their device, these can be delivered seamlessly. This includes applications you might require for security purposes, such as a Mobile Threat Defense app.

Compliance – Some organizations need to comply with regulatory or other policies that call out specific MDM controls. For example, you might need MDM to encrypt the entire device or to produce a report of all apps on the device.

Common reasons to manage only the apps (MAM)

MAM without MDM is very popular with organizations that support BYOD. You can drive users to access email from Outlook Mobile (which supports MAM protections) by deploying a Conditional Access policy on Exchange Online. Here are the reasons you might want to manage only the apps on personal devices:

User experience – MDM enrollment includes many warning prompts (enforced by the platform) that often result in the user deciding they would rather not access their email on their personal device after all. MAM is much less alarming to users: they simply get a one-time pop-up letting them know that MAM protections are in place.

Compliance – Some organizations need to comply with policies that require fewer management capabilities on personal devices. For example, MAM can only remove corporate data from the apps, whereas MDM can remove all data from the device.

[Figure: comparison of device management and app management on mobile devices]

Learn more about device management and app management lifecycles.

MDM vs MAM capability comparison

As already mentioned, Conditional Access can drive a user to enroll their device or to use a managed app such as Outlook Mobile. Many other conditions can be applied in either case, including:

  • Which user is attempting the access
  • Whether the location is trusted or untrusted
  • Sign-in risk level
  • Device platform

Still, many organizations have specific risks they are concerned about. The table below lists the common concerns and the MDM and MAM responses to each.

| Concern                                                  | MDM                          | MAM                                  |
|----------------------------------------------------------|------------------------------|--------------------------------------|
| Unauthorized data access                                 | Require group membership     | Require group membership             |
| Unauthorized data access                                 | Require device enrollment    | Require protected app                |
| Unauthorized data access                                 | Require specific location    | Require specific location            |
| Compromised user account                                 | Require MFA                  | Require MFA                          |
| Compromised user account                                 | Block high-risk users        | Block high-risk users                |
| Compromised user account                                 | Device PIN                   | App PIN                              |
| Compromised device or app                                | Require a compliant device   | Jailbreak/root check on app launch   |
| Compromised device or app                                | Encrypt device data          | Encrypt app data                     |
| Lost or stolen device                                    | Remove all device data       | Remove all app data                  |
| Accidental data sharing or saving to unsecured locations | Restrict device data backups | Restrict backups of org data         |
| Accidental data sharing or saving to unsecured locations | Restrict save-as             | Restrict save-as                     |
| Accidental data sharing or saving to unsecured locations | Disable printing             | Disable printing of org data         |
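The two "Unauthorized data access" rows that differ between MDM and MAM (require device enrollment vs. require a protected app) are both expressed as a grant control on a Conditional Access policy scoped to Exchange Online. The following is an added example, not code from the original article or from Microsoft, showing both variants built with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that $byodGroupId is replaced with the object ID of your own BYOD user group (the value shown is a placeholder). The application ID is the well-known Office 365 Exchange Online app ID; both policies are created in report-only state so their effect can be reviewed in sign-in logs before enforcement.

```powershell
# Added example (not from the original article): MDM-style vs MAM-style Conditional
# Access policies for BYOD access to Exchange Online, created in report-only mode.
# Assumption: Microsoft Graph PowerShell SDK installed; $byodGroupId is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # well-known Office 365 Exchange Online app ID
$byodGroupId         = "<your-BYOD-group-object-id>"             # placeholder: group allowed BYOD mail access

# Conditions shared by both approaches: the BYOD group, Exchange Online,
# iOS/Android, and native mobile clients (Outlook Mobile rather than a browser).
$commonConditions = @{
    users          = @{ includeGroups = @($byodGroupId) }
    applications   = @{ includeApplications = @($exchangeOnlineAppId) }
    platforms      = @{ includePlatforms = @("iOS", "android") }
    clientAppTypes = @("mobileAppsAndDesktopClients")
}

# MDM approach ("Require device enrollment" row): mail is granted only from a device
# enrolled in Intune and evaluated as compliant.
$mdmPolicy = @{
    displayName   = "BYOD mail - require compliant enrolled device"
    state         = "enabledForReportingButNotEnforced"   # report-only; change to "enabled" after review
    conditions    = $commonConditions
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# MAM approach ("Require protected app" row): mail is granted only from a client
# app that has an Intune app protection policy applied, e.g. Outlook Mobile.
$mamPolicy = @{
    displayName   = "BYOD mail - require app protection policy"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $commonConditions
    grantControls = @{ operator = "OR"; builtInControls = @("compliantApplication") }
}

# Create whichever policy matches your decision. Creating both is valid only if you
# intend users to satisfy both; see the usage note for the combined form.
New-MgIdentityConditionalAccessPolicy -BodyParameter $mdmPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $mamPolicy
```

For the "combination of the two" option mentioned under Next steps, a single policy with builtInControls = @("compliantDevice", "compliantApplication") and operator = "OR" lets a user satisfy either control: an enrolled compliant device gets through, and so does a protected Outlook Mobile on an unenrolled device. Leaving state at report-only first shows in the Azure AD sign-in logs which users and devices would have been blocked, which is the check you want before switching to "enabled".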

Next steps

Now it is time to decide whether you will enable BYOD in your organization by focusing on device management, app management, or a combination of the two. The implementation choice is yours; whichever you choose, the identity and security features available with Azure AD remain available.

Use the Intune Planning Guide to map out your next level of planning.