Enable BYOD with Intune

This topic provides a high-level workflow for setting up Intune to enable a bring-your-own-device (BYOD) solution for your organization. It organizes the task into three processes and links to supporting how-to topics.

The workflow is divided into the following three processes. You can tailor aspects of each process to meet your organization's requirements.

  • Enroll devices and check for compliance describes how to let users enroll their personal devices into management with Intune. Intune manages iOS, macOS, Android, and Windows devices. This section also describes how to deploy policies to devices and make sure they meet basic security requirements.

  • Provide access to company resources shows how to let users access company resources easily and securely. You do this by deploying access profiles to managed devices. This section also explains how to manage volume-purchased app deployments with Intune.

  • Protect company data covers how to provide conditional access to company resources, prevent data loss, and remove company apps and data from devices when they are no longer needed for work or have been lost or stolen.

Figure: High-level workflow diagram for enabling BYOD with Microsoft Intune.

Before you begin

Before users can enroll devices, you first need to prepare the Intune service itself. To do so, assign licenses to users and set the mobile device management (MDM) authority.

While you're at it, you should also customize the company portal. Add company branding and give users support contact information; this creates a trusted enrollment and support experience. You can also create terms of use that users must accept before enrolling, and device enrollment restrictions that specify which platforms you support.

Enroll devices and check for compliance

After you prepare the Intune service, you need to meet the enrollment requirements for each device type you want to manage. Enrolling devices into management is straightforward, but the steps differ slightly by device type.

  • iOS and Mac devices: You need an Apple MDM push certificate before you can enroll iPads, iPhones, or macOS devices. After you upload the MDM push certificate to Intune, users can enroll iOS devices with the Company Portal app and enroll macOS devices through the Company Portal website.

  • Android devices: There is nothing you need to do to prepare the Intune service for Android enrollment. Users enroll their Android devices into management with the Company Portal app from Google Play.

  • Windows Phones and PCs: Windows devices can be enrolled, and some additional configuration makes enrollment simpler for users. You can enable automatic enrollment for Windows 10 PCs and Windows 10 mobile devices in Azure Active Directory (AD) Premium to simplify the end-user experience. If you don't have Azure AD Premium, or if you need to support Windows 8.1, you can create a DNS alias for the enrollment server so that users don't have to enter the server address by hand.

Make sure that managed devices meet basic security requirements

After users enroll their devices, IT needs to make sure that devices used to access company apps and data meet basic security requirements. Such rules might include requiring a PIN to unlock the device and encrypting data stored on it. A set of these rules is called a compliance policy.

When you deploy a compliance policy to a user, Intune checks each of that user's Intune-managed devices to see whether it meets the basic security requirements you defined as part of your BYOD policy. After a device has been evaluated against the policy, it reports its status back to Intune. In some cases users are asked to fix settings, such as their PIN or device encryption; otherwise the Company Portal app simply notifies the user about any settings that don't meet your policy.
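The following is an added example, not code from the original page or from Microsoft: it creates a compliance policy of the kind described above through the Microsoft Graph PowerShell SDK, marks devices non-compliant after a grace period, assigns the policy to a BYOD group, and lists devices that currently fail it. The policy settings, the minimum OS version and the group ID are illustrative assumptions; the Graph resource and property names are the documented ones. It needs a prior `Connect-MgGraph` with the scopes shown in the comment.

```powershell
# Added example (not from the original page): Windows 10 compliance policy via Microsoft Graph.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the settings, OS version and
# group ID below are illustrative placeholders, not values from any real tenant.
# Requires: Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","DeviceManagementManagedDevices.Read.All"

function New-ByodWindowsCompliancePolicyBody {
    param(
        [int]$MinPasswordLength = 6,
        [string]$MinOsVersion  = "10.0.19045",   # assumption: Windows 10 22H2 as the baseline
        [int]$GracePeriodHours = 24              # time the user gets to fix the device before block
    )
    # Graph rejects a compliance policy created without at least one scheduled action rule.
    @{
        "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
        displayName              = "BYOD - Windows baseline"
        description              = "PIN/password, disk encryption, Secure Boot, code integrity, minimum OS"
        passwordRequired         = $true
        passwordMinimumLength    = $MinPasswordLength
        bitLockerEnabled         = $true
        secureBootEnabled        = $true
        codeIntegrityEnabled     = $true
        storageRequireEncryption = $true
        osMinimumVersion         = $MinOsVersion
        scheduledActionsForRule  = @(
            @{
                ruleName                      = "PasswordRequired"
                scheduledActionConfigurations = @(
                    @{
                        "@odata.type"             = "#microsoft.graph.deviceComplianceActionItem"
                        actionType                = "block"      # mark non-compliant so conditional access denies access
                        gracePeriodHours          = $GracePeriodHours
                        notificationTemplateId    = ""           # not used by the block action
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    }
}

function New-ByodCompliancePolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Body,
        [Parameter(Mandatory)][string]$AssignToGroupId   # Azure AD group of BYOD users
    )
    $uri    = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
    $policy = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $Body -ContentType "application/json"

    # A policy that is not assigned evaluates nothing; assign it to the BYOD group right away.
    $assignBody = @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $AssignToGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$uri/$($policy.id)/assign" -Body $assignBody -ContentType "application/json" | Out-Null
    return $policy
}

function Get-NoncompliantDevices {
    # complianceState is one of: compliant, noncompliant, inGracePeriod, conflict, error, unknown.
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
           '?$filter=complianceState eq ''noncompliant''' +
           '&$select=deviceName,operatingSystem,osVersion,userPrincipalName,complianceState,lastSyncDateTime'
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

# Usage (after Connect-MgGraph):
# $p = New-ByodCompliancePolicy -Body (New-ByodWindowsCompliancePolicyBody) -AssignToGroupId "<byod-group-id>"
# Get-NoncompliantDevices | Format-Table deviceName, operatingSystem, osVersion, userPrincipalName, lastSyncDateTime
```

The grace period is the practical knob here: with `gracePeriodHours` set to 0 a user whose device fails a single check is cut off immediately, so start with a short grace period and review `Get-NoncompliantDevices` before tightening it. A device that has not synced recently still carries its last reported state, so `lastSyncDateTime` is worth checking before trusting a "compliant" result.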

Provide access to company resources

The first thing most employees want to access on their mobile device is company email and documents. They expect to set it up without going through complex steps or calling the help desk. Intune lets you create and deploy email settings for the native email apps that are preinstalled on mobile devices.


Intune supports Android for Work email profile configuration for the Gmail and Nine Work email apps from the Google Play store.

Intune also helps you control and protect access to on-premises company data when users work offsite. Intune Wi-Fi, VPN, and email profiles work together to give users access to the files and resources they need, wherever they are. Web applications and services hosted on-premises can also be accessed securely and protected by using Azure Active Directory Application Proxy together with conditional access.

Manage volume-purchased apps

With Intune, it is easy to:

  • Import the volume license information from either app store
  • Track how many licenses you have used
  • Prevent your users from installing more copies of an app than you own
  • Deliver store apps to managed devices
  • Target apps to unmanaged devices through the Company Portal website

Intune also lets you manage and deploy apps that you purchased in volume from the iOS App Store and the Microsoft Store for Business. This reduces the administrative overhead of tracking volume-purchased apps.


You can configure single sign-on (SSO) with Azure AD Connect. SSO lets users sign in to apps with the same domain user name and password they use on-premises. You can also provide internet-based access to web apps hosted on-premises by using Azure Active Directory Application Proxy.

Protect company data

Intune protects company data through several technology layers. At the identity layer, conditional access protects access to services: it allows only managed and compliant devices to reach company resources. At the client app layer, app protection policies protect against data loss by preventing data from moving to apps or storage locations that are not protected. These policies also let you wipe company data when a device is lost or stolen.

Enforce conditional access to company resources

You can combine compliance policies with conditional access policies to check whether devices meet the basic security requirements that your BYOD policy demands. If a device doesn't meet the requirements, the rules are enforced and access is denied until the device is brought back into compliance. This ensures that only managed and compliant devices can access company data from services such as Exchange (on-premises or Exchange Online), SharePoint Online, Skype for Business Online, and others.


A conditional access policy that requires a compliant device has nothing to evaluate unless a compliance policy is in place and assigned; create and assign the compliance policy first.
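As an added example for the two preceding paragraphs (not code from the original page or from Microsoft), the following creates the conditional access policy that grants Office 365 access only from Intune-compliant devices, starting in report-only mode so you can review sign-in logs before enforcing it, and first checks that at least one compliance policy is actually assigned. The group IDs and the display name are assumptions; the Graph endpoint, platform names and control names are the documented ones.

```powershell
# Added example (not from the original page): conditional access requiring an Intune-compliant device.
# Assumptions: Microsoft.Graph PowerShell SDK; the group IDs are illustrative placeholders.
# Requires: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","DeviceManagementConfiguration.Read.All"

function Test-CompliancePolicyAssigned {
    # A compliantDevice grant control can only be satisfied if some compliance policy is assigned.
    $r = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies?$expand=assignments'
    @($r.value | Where-Object { @($_.assignments).Count -gt 0 }).Count -gt 0
}

function New-ByodConditionalAccessPolicyBody {
    param(
        [Parameter(Mandatory)][string]$ByodGroupId,        # users whose personal devices must be compliant
        [Parameter(Mandatory)][string]$BreakGlassGroupId,  # emergency-access accounts, always excluded
        [switch]$Enforce                                    # default is report-only
    )
    # Report-only evaluates the policy and logs the result without denying anyone.
    $state = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }
    @{
        displayName   = "BYOD - require compliant device for Office 365"
        state         = $state
        conditions    = @{
            clientAppTypes = @("all")
            users          = @{ includeGroups = @($ByodGroupId); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @("Office365") }   # built-in app group covering Exchange Online, SharePoint Online, etc.
            platforms      = @{ includePlatforms = @("iOS", "android", "windows", "macOS") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
    }
}

function New-ByodConditionalAccessPolicy {
    param([Parameter(Mandatory)][hashtable]$Body)
    if (-not (Test-CompliancePolicyAssigned)) {
        throw "No assigned compliance policy found; the compliantDevice control would deny every device. Assign a compliance policy first."
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
        -Body $Body -ContentType "application/json"
}

# Usage (after Connect-MgGraph):
# $body = New-ByodConditionalAccessPolicyBody -ByodGroupId "<byod-group-id>" -BreakGlassGroupId "<break-glass-group-id>"
# $ca = New-ByodConditionalAccessPolicy -Body $body      # report-only
# ... review the sign-in log, then recreate or PATCH the policy with -Enforce
```

Two details matter in practice: the break-glass exclusion prevents an administrator from being locked out of the tenant by their own policy, and report-only mode shows which users would have been blocked (for example devices that enrolled but never synced a compliance result) before anyone loses access.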

Prevent data loss with app protection policies

With Intune app protection policies, you can choose how your data is accessed, with or without device enrollment. This flexibility lets you protect company data so that even users who don't enroll their devices in Intune can still access company data securely.

You can use Intune app protection policies to help protect company data that is accessed from iOS and Android devices. With these app-level policies, you control how company data is used and shared by employees even if the device itself isn't managed by Intune.

Use Windows Information Protection (WIP) to do the same for managed Windows 10 devices. These policies work without interfering with the employee experience, and they don't require changes to your network environment or to other apps.

Remove company data while leaving personal data intact

When a device is no longer needed for work, is being repurposed, or has gone missing, you can remove company apps and data from it. To do this, use Intune's remove company data and factory reset capabilities. Users can also remotely reset their own personally owned devices from the Intune Company Portal if those devices are enrolled in Intune.

A factory reset restores the device to its factory default settings, removes all user data and settings, and removes the device from Intune management. Remove company data removes only company data from the device and leaves the user's personal data intact. On a personally owned device, a factory reset therefore destroys the user's own data as well, so remove company data is normally the right action for BYOD; reserve factory reset for company-owned devices or for a lost or stolen device where the owner agrees to it.

Once initiated, the device begins the reset process immediately. When the process is complete, all company data is deleted and the device record is removed from Intune. This ends the device management lifecycle.
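The following is an added example (not code from the original page or from Microsoft) of issuing the two actions just described through Microsoft Graph: `retire` removes company data and `wipe` performs a factory reset. It refuses to wipe a device that Intune records as personally owned unless that is explicitly forced, and it returns the pending action state that Intune reports for the device. The device ID is a placeholder; the endpoint, action names and property names are the documented ones.

```powershell
# Added example (not from the original page): remove company data (retire) or factory reset (wipe)
# an Intune-managed device, with a guard against wiping personal devices.
# Assumptions: Microsoft.Graph PowerShell SDK; $ManagedDeviceId is the Intune managed device ID.
# Requires: Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All","DeviceManagementManagedDevices.Read.All"

function Remove-ByodCompanyData {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ManagedDeviceId,
        [switch]$FactoryReset,        # wipe instead of retire
        [switch]$ForceWipePersonal    # required to wipe a device Intune marks as personally owned
    )
    $base   = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId"
    $device = Invoke-MgGraphRequest -Method GET `
        -Uri ($base + '?$select=id,deviceName,operatingSystem,managedDeviceOwnerType,userPrincipalName')

    # managedDeviceOwnerType is company, personal, or unknown. A wipe destroys the owner's own data,
    # so on a personal device it must be a deliberate choice rather than the default.
    if ($FactoryReset -and $device.managedDeviceOwnerType -eq 'personal' -and -not $ForceWipePersonal) {
        throw "$($device.deviceName) is personally owned; use remove company data (retire), or pass -ForceWipePersonal."
    }

    $action = if ($FactoryReset) { 'wipe' } else { 'retire' }
    if ($PSCmdlet.ShouldProcess("$($device.deviceName) ($($device.userPrincipalName))", $action)) {
        if ($FactoryReset) {
            # keepUserData = $false is the full factory reset; the device also leaves Intune management.
            Invoke-MgGraphRequest -Method POST -Uri "$base/wipe" -ContentType "application/json" `
                -Body @{ keepEnrollmentData = $false; keepUserData = $false }
        } else {
            # retire removes company apps, data and the management profile, and leaves personal data alone.
            Invoke-MgGraphRequest -Method POST -Uri "$base/retire"
        }
    }

    # Intune records the queued action (actionName, actionState, startDateTime) on the device.
    (Invoke-MgGraphRequest -Method GET -Uri ($base + '?$select=deviceName,deviceActionResults')).deviceActionResults
}

# Usage (after Connect-MgGraph):
# Remove-ByodCompanyData -ManagedDeviceId "<intune-device-id>" -WhatIf          # show what would happen
# Remove-ByodCompanyData -ManagedDeviceId "<intune-device-id>"                  # remove company data only
# Remove-ByodCompanyData -ManagedDeviceId "<intune-device-id>" -FactoryReset    # refused for a personal device
```

The action is queued server-side and executes the next time the device checks in, so for a lost device the returned `actionState` stays pending until the device comes online; that is the reason to pair this with conditional access, which denies the device access to company services immediately regardless of whether the retire has run yet.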