Mobile device management for Contoso

Microsoft 365 for enterprise includes Intune and a set of Azure services that support mobile device and application management and security.

Contoso has many mobile-enabled employees. Some have offices in Contoso locations, and some have no office at all. Contoso needed a way to keep employees productive while keeping the devices, the Contoso data stored on those devices, and application behavior secure.


Contoso identified the following Intune use cases for mobile device management in Microsoft 365 for enterprise:

  • Protect Exchange Online email and data so it can be safely accessed from mobile devices.
  • Implement a bring-your-own-device (BYOD) program for Contoso employees.
  • Issue organization-owned phones and limited-use shared tablets to Contoso employees.

Contoso doesn't use Intune to:

  • Allow employees to securely access Microsoft 365 from an unmanaged public kiosk.
  • Protect on-premises email and data for access from mobile devices, because Contoso has no on-premises Microsoft Exchange servers.


This is how Contoso set up its mobile device management infrastructure:

  • Set Intune as the Mobile Device Management (MDM) authority; Intune on Azure is used to administer content and manage the devices.

  • Created Azure Active Directory (Azure AD) groups for devices, which are used to target enrollment and Intune settings and to scope device-based Conditional Access policies.

    For more information, see Contoso Conditional Access policies.

  • Enabled the Apple device platform to support employees with personal iPads, iMacs, and iPhones, as well as corporate-owned iPhones.

  • Created Contoso-specific terms and conditions policies, which are shown during installation of the Company Portal for Contoso on mobile devices.

  • For devices that aren't enrolled, implemented a set of Mobile Application Management (MAM) policies that require authentication for access to Microsoft 365 services.

  • Created Intune policies that enforce:

    • Allowed apps.
    • Device encryption, to help prevent unauthorized access to data on a lost or stolen device.
    • A six-digit PIN or password.
    • An inactivity-timeout period, after which the device locks.
    • Antivirus and malware protection, with signature updates, through Windows Defender on Windows 10 devices.
    • Automatic updates on Windows 10 devices, so that the latest security updates are installed.
    • Pushing certificates to managed devices.
    • A clear separation of business and personal data. Users or admins can selectively wipe corporate data from a device while leaving personal data such as pictures, personal email accounts, and personal files untouched.

Contoso enrolled its deployed PCs and company-owned smartphones and tablets by adding them to the appropriate Intune device groups. It also established a BYOD program through which employees enroll their personal devices. Enrolled devices receive Intune policies, which makes the devices and their applications managed and secured. Devices that aren't enrolled are covered by Mobile Application Management (MAM) policies that specify the allowed applications.

Here is the Contoso mobile device management deployment architecture.

Contoso mobile device management deployment infrastructure (architecture diagram)
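The policy list above and the MAM paragraph describe requirements, not how they are expressed to Intune. The following PowerShell is an added example, not Contoso's or Microsoft's own configuration: it builds a Windows 10 compliance policy body (encryption, six-digit PIN, inactivity timeout, Defender antivirus with current signatures) and an iOS app protection policy body for unenrolled devices (app PIN, corporate data confined to managed apps, selective wipe), checks both offline against that baseline, and shows how they would be created through the Microsoft Graph v1.0 endpoints with the Microsoft.Graph PowerShell SDK. Display names, the 24-hour grace period, the 15-minute lock timeout and the 90-day offline-wipe window are placeholder values chosen for the example; allowed apps, certificate deployment and update rings are separate Intune profile types and are not shown.

```powershell
# Added example (not the page's or Microsoft's own configuration). Bodies are hashtables
# so they can be inspected and checked before anything is sent to a tenant.

function New-Win10CompliancePolicyBody {
    param(
        [string]$DisplayName = 'Example - Windows 10 compliance baseline',   # placeholder
        [int]$LockAfterMinutes = 15,                                          # placeholder
        [int]$GraceHoursBeforeBlock = 24                                      # placeholder
    )
    @{
        '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
        displayName                           = $DisplayName
        # Six-digit PIN or password that locks the device after the inactivity timeout.
        passwordRequired                      = $true
        passwordMinimumLength                 = 6
        passwordRequiredType                  = 'deviceDefault'   # 'numeric' would allow a PIN only
        passwordMinutesOfInactivityBeforeLock = $LockAfterMinutes
        passwordRequiredToUnlockFromIdle      = $true
        # Device encryption.
        bitLockerEnabled                      = $true
        storageRequireEncryption              = $true
        # Windows Defender antivirus with real-time protection and current signatures.
        # Despite its name, signatureOutOfDate = $true means "require signatures to be up to date".
        defenderEnabled                       = $true
        rtpEnabled                            = $true
        signatureOutOfDate                    = $true
        antivirusRequired                     = $true
        antiSpywareRequired                   = $true
        # Graph rejects a compliance policy with no scheduled action: mark the device
        # non-compliant (and so blocked by Conditional Access) after the grace period.
        scheduledActionsForRule               = @(
            @{
                ruleName                      = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = $GraceHoursBeforeBlock
                       notificationTemplateId = ''; notificationMessageCCList = @() }
                )
            }
        )
    }
}

function New-IosAppProtectionPolicyBody {
    param([string]$DisplayName = 'Example - iOS app protection (unenrolled devices)')  # placeholder
    @{
        '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
        displayName                             = $DisplayName
        # Corporate sign-in plus a separate app PIN inside the managed apps.
        organizationalCredentialsRequired       = $true
        pinRequired                             = $true
        minimumPinLength                        = 6
        pinCharacterSet                         = 'numeric'
        periodOnlineBeforeAccessCheck           = 'PT30M'    # ISO 8601 durations
        periodOfflineBeforeAccessCheck          = 'PT12H'
        # Business/personal separation: corporate data stays inside managed apps and
        # approved storage, and is selectively wiped after too long offline; personal
        # apps and data on the device are never touched by this policy.
        appDataEncryptionType                   = 'whenDeviceLocked'
        allowedInboundDataTransferSources       = 'managedApps'
        allowedOutboundDataTransferDestinations = 'managedApps'
        allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
        allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
        saveAsBlocked                           = $true
        dataBackupBlocked                       = $true
        periodOfflineBeforeWipeIsEnforced       = 'P90D'      # placeholder window
        managedBrowser                          = 'microsoftEdge'
        managedBrowserToOpenLinksRequired       = $true
    }
}

function Test-PolicyBaseline {
    # Offline check of the bodies against the requirements listed on this page.
    param([hashtable]$Compliance, [hashtable]$AppProtection)
    $failures = @()
    if (-not $Compliance.passwordRequired -or $Compliance.passwordMinimumLength -lt 6) { $failures += 'six-digit PIN/password' }
    if ($Compliance.passwordMinutesOfInactivityBeforeLock -le 0)                        { $failures += 'inactivity timeout' }
    if (-not ($Compliance.bitLockerEnabled -and $Compliance.storageRequireEncryption))  { $failures += 'device encryption' }
    if (-not ($Compliance.defenderEnabled -and $Compliance.signatureOutOfDate))         { $failures += 'Defender AV with current signatures' }
    if (@($Compliance.scheduledActionsForRule).Count -eq 0)                             { $failures += 'scheduled action (Graph rejects the policy)' }
    if (-not $AppProtection.pinRequired -or $AppProtection.minimumPinLength -lt 6)       { $failures += 'MAM app PIN' }
    if ($AppProtection.allowedOutboundDataTransferDestinations -eq 'allApps')            { $failures += 'corporate data may leave managed apps' }
    return $failures   # empty means the bodies meet the baseline
}

function Publish-IntunePolicy {
    # Creates the policy in the signed-in tenant. Needs the Microsoft.Graph module and an
    # account with the Intune administrator role (or equivalent Graph permissions).
    param([Parameter(Mandatory)][hashtable]$Body, [Parameter(Mandatory)][string]$RelativeUri)
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All' | Out-Null
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/$RelativeUri" `
        -Body ($Body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Build and check offline; uncomment the last two lines to create the policies. Assigning
# them to the device and user groups is a separate 'assign' action and is not shown.
$compliance = New-Win10CompliancePolicyBody
$mam        = New-IosAppProtectionPolicyBody
$failures   = @(Test-PolicyBaseline -Compliance $compliance -AppProtection $mam)
if ($failures.Count -gt 0) { throw "Baseline not met: $($failures -join ', ')" }
# Publish-IntunePolicy -Body $compliance -RelativeUri 'deviceManagement/deviceCompliancePolicies'
# Publish-IntunePolicy -Body $mam        -RelativeUri 'deviceAppManagement/iosManagedAppProtections'
```

The compliance policy only reports and gates; the block for non-compliant devices takes effect through the device-based Conditional Access policies the page mentions, which is why the scheduled action and the Conditional Access rules should be reviewed together.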

Next step

Learn how Contoso uses the information protection capabilities of Microsoft 365 for enterprise to classify, identify, and protect crucial digital assets across its organization.

See also

Device management for Microsoft 365

Microsoft 365 for enterprise overview

Test lab guides