Capabilities of Basic Mobility and Security

Basic Mobility and Security can help you secure and manage mobile devices like iPhones, iPads, Androids, and Windows Phones used by licensed Microsoft 365 users in your organization. You can create mobile device management policies with settings that help control access to your organization's Microsoft 365 email and documents for supported mobile devices and apps. If a device is lost or stolen, you can remotely wipe the device to remove sensitive organizational information.

Supported devices

You can use Basic Mobility and Security to secure and manage the following devices.

  • iOS 11.0 or later versions

  • Android 5.0 or later versions³

  • Windows 8.1¹

  • Windows 8.1 RT¹

  • Windows 10²

  • Windows 10 Mobile²

¹ Access control for Windows 8.1 RT devices is limited to Exchange ActiveSync.

² Access control for Windows 10 requires a subscription that includes Azure AD Premium, and the device needs to be joined to Azure Active Directory.

³ After June 2020, Android versions later than 9 can't manage password settings except on Samsung Knox devices.

Note

Devices already enrolled with earlier OS versions continue to function, although the capabilities might change without notice.

If people in your organization use mobile devices that aren't supported by Basic Mobility and Security, you might want to block Exchange ActiveSync app access to Microsoft 365 email for those devices, to help make your organization's data more secure. For steps to block Exchange ActiveSync, see Manage device access settings in Basic Mobility and Security.

Access control for Microsoft 365 email and documents

The supported apps for the different types of mobile devices in the following table prompt users to enroll in Basic Mobility and Security when a new mobile device management policy applies to a user's device and the user hasn't previously enrolled the device. If a user's device doesn't comply with a policy, then depending on how you set the policy up, the user might be blocked from accessing Microsoft 365 resources in these apps, or they might have access but Microsoft 365 reports a policy violation.

Product | iOS 10.0 or later | Android 5.0 or later
Exchange (Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync version 14.1 or later) | Mail | Email
Office and OneDrive for Business | Outlook, OneDrive, Word, Excel, PowerPoint | On phones and tablets: Outlook, OneDrive, Word, Excel, PowerPoint. On phones only: Office Mobile

Note

  • Support for iOS 10.0 and later versions includes iPhone and iPad devices.

  • Management of BlackBerry OS devices isn't supported by Basic Mobility and Security. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. BlackBerry devices running Android OS are supported as standard Android devices.

  • Users won't be prompted to enroll and won't be blocked or reported for policy violation if they use the mobile browser to access Microsoft 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.

The following diagram shows what happens when a user with a new device signs in to an app that supports access control with Basic Mobility and Security. The user is blocked from accessing Microsoft 365 resources in the app until they enroll their device.

[Diagram: Basic Mobility and Security access control]

Note

Policies and access rules created in Basic Mobility and Security for Microsoft 365 Business Standard override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in Basic Mobility and Security for Microsoft 365 Business Standard, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device is ignored. To learn more about Exchange ActiveSync, see Exchange ActiveSync in Exchange Online.

Policy settings for mobile devices

If you create a policy to block access with certain settings turned on, users are blocked from accessing Microsoft 365 resources when using a supported app that is listed in Access control for Microsoft 365 email and documents.

The settings that can block users from accessing Microsoft 365 resources are in these sections:

  • Security

  • Encryption

  • Jail broken

  • Managed email profile

For example, the following diagram shows what happens when a user with an enrolled device isn't compliant with a security setting in a mobile device management policy that applies to their device. The user signs in to an app that supports access control with Basic Mobility and Security. They are blocked from accessing Microsoft 365 resources in the app until their device complies with the security setting.

[Diagram: Basic Mobility and Security compliance message]

The following sections list the policy settings you can use to help secure and manage mobile devices that connect to your Microsoft 365 organization resources.

Security settings

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Require a password | Yes | Yes | Yes
Prevent simple password | Yes | No | No
Require an alphanumeric password | Yes | No | No
Minimum password length | Yes | Yes | Yes
Number of sign-in failures before device is wiped | Yes | Yes | Yes
Minutes of inactivity before device is locked | Yes | Yes | Yes
Password expiration (days) | Yes | Yes | Yes
Remember password history and prevent reuse | Yes | Yes | Yes

Encryption settings

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Require data encryption on devices¹ | No | Yes | Yes

¹ With Samsung Knox, you can also require encryption on storage cards.

Jail broken setting

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Device cannot be jail broken or rooted | Yes | Yes | Yes

Managed email profile option

The following option can block users from accessing their Microsoft 365 email if they're using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile is automatically created on the device. For instructions on how end users can get compliant, see An existing email account was found.

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Email profile is managed | Yes | No | No

Cloud settings

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Require encrypted backup | Yes | No | No
Block cloud backup | Yes | No | No
Block document synchronization | Yes | No | No
Block photo synchronization | Yes | No | No
Allow Google backup | N/A | No | Yes
Allow Google account auto sync | N/A | No | Yes

System settings

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Block screen capture | Yes | No | Yes
Block sending diagnostic data from device | Yes | No | Yes

Application settings

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Block video conferences on device | Yes | No | No
Block access to application store | Yes | No | Yes
Require password when accessing application store | No | Yes | Yes

Device capabilities settings

Setting name | iOS 7.1 and later | Android 5 and later | Samsung Knox
Block connection with removable storage | Yes | Yes | No
Block Bluetooth connection | Yes | Yes | No

Additional settings

You can set the following additional policy settings by using Security & Compliance Center PowerShell cmdlets. For more information, see Security & Compliance Center PowerShell.

Setting name | iOS 7.1 and later | Android 5 and later
CameraEnabled | Yes | Yes
RegionRatings | Yes | No
MoviesRatings | Yes | No
TVShowsRating | Yes | No
AppsRatings | Yes | No
AllowVoiceDialing | Yes | No
AllowVoiceAssistant | Yes | No
AllowAssistantWhileLocked | Yes | No
AllowPassbookWhileLocked | Yes | No
MaxPasswordGracePeriod | Yes | No
PasswordQuality | No | Yes
SystemSecurityTLS | Yes | No
WLANEnabled | No | No

Settings supported by Windows

You can manage Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 10 devices are required to enroll in Basic Mobility and Security the first time they use the built-in email app to access their Microsoft 365 email (requires an Azure AD Premium subscription).

The following settings are supported for Windows 10 devices that are enrolled as mobile devices. These settings won't block users from accessing Microsoft 365 resources.

Security settings

  • Require an alphanumeric password

  • Minimum password length

  • Number of sign-in failures before device is wiped

  • Minutes of inactivity before device is locked

  • Password expiration (days)

  • Remember password history and prevent reuse

Note

The password settings above control only local Windows accounts. Windows accounts provided through joining a domain or Azure Active Directory aren't affected by these settings.

System settings

Block sending diagnostic data from device.

Additional settings

You can set these additional policy settings by using PowerShell cmdlets:

  • AllowConvenienceLogon

  • UserAccountControlStatus

  • FirewallStatus

  • AutoUpdateStatus

  • AntiVirusStatus

  • AntiVirusSignatureStatus

  • SmartScreenEnabled

  • WorkFoldersSyncUrl
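The page names the PowerShell-only settings for iOS/Android (Additional settings above) and for Windows 10 (this list) but does not show how they are applied. The script below is an added example, not Microsoft's documented procedure: it assumes the Security & Compliance Center PowerShell cmdlets Connect-IPPSSession (ExchangeOnlineManagement module), New-DeviceConfigurationPolicy, New-DeviceConfigurationRule and Get-DeviceConfigurationPolicy, and that the setting names on this page are parameters of New-DeviceConfigurationRule. The policy name, group ID, UPN and Work Folders URL are placeholders, and the parameter value types (Boolean, integer, enumeration strings) are assumptions to confirm with Get-Help before running against a tenant.

```powershell
# Added example (not from the page): apply the PowerShell-only Basic Mobility and
# Security settings through Security & Compliance Center PowerShell.
# Cmdlet names and parameter types are assumptions; verify with:
#   Get-Help New-DeviceConfigurationRule -Full

# Connect to Security & Compliance Center PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$policyName  = 'Baseline device configuration'            # placeholder policy name
$targetGroup = '00000000-0000-0000-0000-000000000000'      # placeholder: Azure AD group object ID

# A device configuration policy is the container; rules attached to it carry the settings.
if (-not (Get-DeviceConfigurationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DeviceConfigurationPolicy -Name $policyName | Out-Null
}

# iOS/Android settings from the "Additional settings" table. A setting only takes effect
# on the platforms the table marks "Yes": PasswordQuality is Android-only, the rest here are iOS.
# Splatting keeps each setting on its own commented line (a comment after a backtick
# continuation would break the command).
$mobileRule = @{
    Policy                 = $policyName
    TargetGroups           = $targetGroup
    CameraEnabled          = $true      # iOS and Android; Boolean assumed
    SystemSecurityTLS      = $true      # iOS only; Boolean assumed
    AllowVoiceAssistant    = $false     # iOS only; Boolean assumed
    AllowPassbookWhileLocked = $false   # iOS only; Boolean assumed
    PasswordQuality        = 327680     # Android only; integer assumed. 0x50000 is Android's
                                        # PASSWORD_QUALITY_ALPHANUMERIC constant.
}
New-DeviceConfigurationRule @mobileRule

# Windows 10 settings from the list in this section. The page states these do not block
# access; they are reported as configuration state. Enumeration values are assumptions.
$windowsRule = @{
    Policy                   = $policyName
    TargetGroups             = $targetGroup
    AllowConvenienceLogon    = $false                              # Boolean assumed
    SmartScreenEnabled       = $true                               # Boolean assumed
    FirewallStatus           = 'Required'                          # enum value assumed
    AntiVirusStatus          = 'Required'                          # enum value assumed
    AntiVirusSignatureStatus = 'Required'                          # enum value assumed
    UserAccountControlStatus = 'Required'                          # enum value assumed
    WorkFoldersSyncUrl       = 'https://workfolders.contoso.example' # placeholder URL
}
New-DeviceConfigurationRule @windowsRule

# Read the policy back to confirm it exists before assigning users to the target group.
Get-DeviceConfigurationPolicy -Identity $policyName | Format-List
```

Assign the policy to a pilot group first and compare the resulting device reports in the Security & Compliance Center against the expected values; because these configuration-rule settings are not the access-blocking settings described under Policy settings for mobile devices, a misconfigured value shows up as a reporting gap rather than as locked-out users.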

Remotely wipe a mobile device

If a device is lost or stolen, you can remove sensitive organizational data and help prevent access to your Microsoft 365 organization resources by doing a wipe from Security & Compliance Center > Data loss prevention > Device management. You can do a selective wipe to remove only organizational data, or a full wipe to delete all information from a device and restore it to its factory settings.

For more information, see Wipe a mobile device in Basic Mobility and Security.

Overview of Basic Mobility and Security for Microsoft 365

Create device security policies in Basic Mobility and Security