Step 5. Device and app management for your Microsoft 365 for enterprise tenants

Microsoft 365 for enterprise includes features to manage devices, and the use of apps on those devices, within your organization through mobile device management (MDM) and mobile application management (MAM). You can manage iOS, Android, macOS, and Windows devices to protect access to your organization's resources, including your data. For example, you can prevent email from being sent to people outside your organization, or isolate organization data from personal data on a worker's personal device.

Here is an example of the validation and management of users, their devices, and their use of local and cloud productivity apps such as Microsoft Teams.

Figure: Validation and management of users, devices, and apps

To help you secure your organization's resources, Microsoft 365 for enterprise includes features to manage devices and their access to apps. There are two options for device management:

  • Microsoft Intune, a comprehensive device and app management solution for enterprises.
  • Basic Mobility and Security, a subset of Intune services included with all Microsoft 365 products for managing devices in your organization. For more information, see Capabilities of Basic Mobility and Security.

If you have Microsoft 365 E3 or E5, use Intune.

Microsoft Intune

You use Microsoft Intune to manage access to your organization through MDM or MAM. With MDM, users enroll their devices in Intune. Once enrolled, a device is a managed device and receives your organization's policies, rules, and settings. For example, you can install specific apps, enforce a password policy, push a VPN profile, and more.

Users with their own personal devices may not want to enroll them or have them managed by Intune and your organization's policies, but you still need to protect your organization's resources and data. In this scenario, you protect the apps rather than the device by using MAM. For example, a MAM (app protection) policy can require a user to enter a PIN when opening SharePoint on the device, and can keep work data from being copied into unmanaged apps.

You'll also decide how to manage personal devices versus organization-owned devices. You might want to treat them differently depending on their use, for example requiring enrollment and device compliance on corporate devices while relying on app protection policies on personal ones.

Identity and device access configurations

Microsoft provides a set of recommended configurations for identity and device access to keep your workforce secure and productive. These configurations use:

  • Azure AD Conditional Access policies
  • Microsoft Intune device compliance and app protection policies
  • Azure AD Identity Protection user risk policies
  • Additional policies for cloud apps

Here is an example of how these settings and policies are applied to validate and restrict users, their devices, and their use of local and cloud productivity apps such as Microsoft Teams.

Figure: Identity and device access configurations for requirements and restrictions on users, devices, and their use of apps

For device access and app management, use the configurations in these articles:
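The following is an added example, not part of the original guide or Microsoft's published configurations, showing how the MDM-or-MAM decision above and the first three policy types in the list (Conditional Access, Intune app protection, Identity Protection user risk) look when created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Conditional Access Administrator and Intune Administrator roles, and that the two group IDs are placeholders you replace with your own pilot group and emergency-access (break-glass) group. The policies are created in report-only mode so you can read the sign-in log before anything is enforced.

```powershell
# Added example: Conditional Access + Intune app protection via Microsoft Graph PowerShell.
# Not from the deployment guide. Group IDs are placeholders; replace before running.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "DeviceManagementApps.ReadWrite.All"

$workforceGroupId  = "00000000-0000-0000-0000-000000000001"   # placeholder: pilot users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access accounts, always excluded

# 1. Conditional Access: on iOS/Android, Microsoft 365 is reachable only from an
#    Intune-enrolled compliant device (MDM) OR from an approved app that carries an
#    app protection policy (MAM). "OR" is what lets personal, unenrolled devices in
#    through protected apps while corporate devices satisfy the compliance control.
$caPolicy = @{
    displayName = "Mobile: require compliant device or protected app"
    state       = "enabledForReportingButNotEnforced"   # set to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeGroups = @($workforceGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "approvedApplication", "compliantApplication")
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created Conditional Access policy $($ca.Id) in state $($ca.State)"

# 2. Identity Protection user risk: a user that Azure AD flags as high risk must
#    pass MFA AND change their password before any app is granted.
$riskPolicy = @{
    displayName = "User risk high: MFA and password change"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($workforceGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
$risk = New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
"Created Conditional Access policy $($risk.Id) in state $($risk.State)"

# 3. Intune app protection (MAM) policy for iOS: the SharePoint app must prompt for
#    a 6-digit PIN, and work data may only flow between managed apps. No device
#    enrollment is required, so this is what protects data on personal devices.
$appProtection = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "iOS: PIN and data protection for SharePoint"
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true      # no 1234 / 1111
    maximumPinRetries                       = 5
    periodOfflineBeforeAccessCheck          = "PT12H"    # re-check access after 12h offline
    periodOfflineBeforeWipeIsEnforced       = "P90D"     # selectively wipe work data after 90 days offline
    dataBackupBlocked                       = $true      # keep work data out of iCloud backups
    saveAsBlocked                           = $true
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    organizationalCredentialsRequired       = $true
}
$mam = New-MgDeviceAppManagementIosManagedAppProtection -BodyParameter $appProtection

# Target the policy at the SharePoint iOS app. The bundle ID is the one Microsoft
# publishes for SharePoint; confirm it against the app list in the Intune admin center.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($mam.Id)/targetApps" `
    -Body @{ apps = @(@{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.sharepoint" } }) }

# Assign the policy to the same pilot group the Conditional Access policy targets.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($mam.Id)/assign" `
    -Body @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $workforceGroupId } }) }
"Created app protection policy $($mam.Id) targeting SharePoint for group $workforceGroupId"
```

Two design choices matter here. The break-glass group is excluded from every policy so a misconfigured Conditional Access rule cannot lock all administrators out of the tenant, and the policies start in report-only mode: review the "Report-only" results in the Azure AD sign-in log for the pilot group, then flip `state` to `enabled`. The Conditional Access grant uses `OR` deliberately; with `AND`, a personal device that is not enrolled would be blocked even when the user is in a protected app, which defeats the MAM path the guide describes.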

Results of Step 5

For device and app management in your Microsoft 365 tenant, you have determined the Intune settings and policies that validate and restrict users, their devices, and their use of local and cloud productivity apps.

Here is an example of a tenant with Intune device and app management, with the new elements highlighted.

Figure: Example tenant with Intune device and app management

In this illustration, the tenant has:

  • Organization-owned devices enrolled in Intune.
  • Intune device and app policies for both enrolled and personal devices.

Ongoing maintenance for device and app management

On an ongoing basis, you might need to:

  • Manage device enrollment.
  • Revise your settings and policies for additional apps, devices, and security requirements.