Common ways to use Microsoft Intune

Before diving into implementation tasks, it's important to align your company's enterprise mobility stakeholders around the business goals. This is important whether you're brand new to enterprise mobility or migrating from another product.

The needs around enterprise mobility are dynamically evolving, and Microsoft's approach to addressing them is sometimes different from other solutions in the market. The best way to align around business goals is to express your goals in terms of the scenarios you want to enable for your employees, partners, and IT department.

Following are short introductions to the six most common scenarios that rely on Intune, accompanied by links to more information about how to plan and deploy each of them.

Do you want to know how Microsoft IT uses Intune to give Microsoft employees access to corporate resources on their mobile devices while also keeping corporate data protected? Read this technical case study to see in detail how Microsoft IT uses Intune and other services to manage identity, devices, apps, and data.

In light of the recent "Trident" malware attacks on iOS devices, we want to ensure that mobile devices are up to date. So we've published a blog post called Ensuring mobile devices are up-to-date using Microsoft Intune. It provides information about the different ways that Intune can help keep your devices secure and up to date.

Protecting your on-premises email and data so it can be safely accessed by mobile devices

Most enterprise mobility strategies begin with a plan to enable secure access to email for employees with mobile devices that connect to the Internet. Many organizations still have on-premises data and application servers, such as Microsoft Exchange, that are hosted on their corporate network.

Intune and Microsoft Enterprise Mobility + Security (EMS) provide a uniquely integrated conditional access solution (Classic portal) for Exchange Server, which ensures that no mobile app can access email until that device is enrolled with Intune. You can do this all without deploying another gateway machine at the edge of your corporate network.

Intune also supports enabling access to mobile apps that require secure access to on-premises data, such as line-of-business app servers. This is typically done using Intune-managed certificates (Classic portal) for access control, combined with a standard VPN gateway or proxy in the perimeter, such as Microsoft Azure Active Directory Application Proxy.

In these cases, the only way to access corporate data is to enroll the device into management. Once the devices are enrolled, the management system ensures that they are compliant with your policies before they can access corporate data. Additionally, Intune's App Wrapping Tool and App SDK can help contain the accessed data within your line-of-business app, so that it can't pass corporate data to consumer apps or services.

Protecting your Office 365 email and data so it can be safely accessed by mobile devices

Protecting corporate data in Office 365 (email, documents, instant messages, contacts) could not be easier for you or more seamless for your users.

Intune and Microsoft Enterprise Mobility + Security provide a uniquely integrated conditional access solution that ensures no users, apps, or devices can access Office 365 data unless they meet your company's compliance requirements (multi-factor authentication performed, enrolled with Intune, using a managed app, supported OS version, device PIN, low user risk profile, and so on).

The Office mobile apps in their respective app stores are ready to go with data containment policies that you can configure via Intune. This enables you to prevent data from being shared with apps (for example, native email apps) and storage locations (for example, Dropbox) that aren't managed by IT. All this functionality is built into Office 365 and EMS. You don't have to deploy additional infrastructure to get this value.

A common Office 365 deployment practice is to require devices to enroll into management if they need to be fully set up with corporate apps, certificates, Wi-Fi, or VPN configurations, which is a common scenario for corporate-owned devices.

However, if your user simply needs to access corporate email and documents, which is often the case for personally owned devices, then you can require the user to use the Office mobile apps (to which you have applied app protection policies (Classic portal)) and skip enrolling the device altogether.

Either way, the Office 365 data will be secured by the policies you've defined.

Offer a bring your own device program to all employees

Bring your own device (BYOD) continues to grow in popularity among organizations as a means to reduce hardware expenditures or increase mobile productivity choices for employees. Just about everyone has a personal phone these days, so why put another one in their pocket? The main challenge has always been to convince employees to enroll their personal device into management, as they are fearful of what their IT department will be able to see and do with their device.

When device enrollment is not a viable option, Intune offers an alternative BYOD approach of simply managing the apps that contain corporate data (Classic portal). Intune protects the corporate data even if the app in question accesses both corporate and personal data, as is the case for the Office mobile apps.

As an administrator, you can require users to access Office 365 from the Office mobile apps and configure the apps with policies that keep the data protected (such as encrypting it, protecting it with a PIN, and so on). These app protection policies prevent data loss to unmanaged apps and storage locations, whether inside or outside of those apps. For example, the policies prevent a user from copying text from a corporate email profile into a consumer email profile, even if both profiles are configured within Outlook Mobile. Similar configurations can be deployed for other services and applications that are required by your BYOD users.

Issue corporate-owned phones to your employees

Many employees are mobile these days, making productivity on mobile devices an imperative to stay competitive. These employees need seamless access to all corporate apps and data, at any time, wherever they are. You need to ensure that corporate data is secure and administrative costs are low.

Intune offers bulk provisioning and management solutions (Classic portal) that are integrated with the major corporate device management platforms on the market today, including the Apple Device Enrollment Program and the Samsung Knox mobile security platform. Centralized authoring of device configurations with Intune helps make provisioning of corporate devices something that can be highly automated.

Picture this: hand an employee an unopened iPhone box. The employee powers it on and is walked through a corporate-branded setup flow where they must authenticate themselves. The iPhone is seamlessly configured with security policies (Classic portal).

Then the employee launches the Intune Company Portal app to access the optional corporate apps that are available to them.

Issue limited-use shared tablets to your employees

Employees are increasingly making use of mobile technologies. For example, shared tablets are now commonly used by retail store employees. Whether they're used to process a sale or instantly check inventory, tablets help create great customer interactions.

Simplicity of the user experience is critical in this case. For this reason, tablets are usually handed to employees in a limited-use mode, such that a single line-of-business app is the only thing the employee can interact with. Intune enables you to bulk provision, secure, and centrally manage these shared iOS and Android (Classic portal) devices, which can be configured to run in this limited-use mode.

Enable your employees to securely access Office 365 from an unmanaged public kiosk

Sometimes your employees need to use devices, apps, or browsers that you can't manage, such as the public computers at trade shows and in hotel lobbies.

Should you allow your employees to access corporate email from them? With Intune and Microsoft Enterprise Mobility + Security, the answer can simply be "no", by limiting email access to devices that are managed by your organization (Classic portal). This ensures that your strongly authenticated employee doesn't accidentally leave corporate data on the untrusted computer.
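The three access patterns described on this page (a fully enrolled and compliant corporate device, an unenrolled BYOD device reaching Office 365 only through a managed Office app under app protection policy, and an unmanaged kiosk browser that is refused outright) combine into one decision flow. The model below is an added illustration written for this page, not Intune's or Azure AD's actual evaluation code; the field names, the `AccessPolicy` settings and the sample sign-in contexts are all constructed for the example. It also includes the data-containment rule from the BYOD section, where corporate content may not be pasted into a consumer profile even inside the same app.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                          # enrolled, compliant device: full access
    ALLOW_MANAGED_APP = "allow_managed_app"  # unenrolled device, but a managed app under app protection
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    """Hypothetical sign-in context; field names are this example's own, not Intune's."""
    user: str
    mfa_performed: bool
    user_risk: str              # "low", "medium" or "high"
    device_enrolled: bool       # enrolled in Intune management
    device_compliant: bool      # passed the assigned compliance policy
    os_version: tuple           # e.g. (16, 4); modelled separately from compliance for clarity
    device_pin_set: bool
    managed_app: bool           # client is an Office mobile app with an app protection policy applied
    client_type: str            # "mobile_app" or "browser"


@dataclass(frozen=True)
class AccessPolicy:
    min_os_version: tuple
    require_mfa: bool = True
    allowed_user_risk: frozenset = frozenset({"low"})


def evaluate_access(ctx: AccessContext, policy: AccessPolicy) -> tuple:
    """Return (Decision, reasons). Identity gates run first, then device and app gates."""
    reasons = []
    if policy.require_mfa and not ctx.mfa_performed:
        reasons.append("mfa_not_performed")
    if ctx.user_risk not in policy.allowed_user_risk:
        reasons.append("user_risk_" + ctx.user_risk)
    if reasons:
        return Decision.DENY, reasons

    if ctx.device_enrolled:
        # Enrolled device: compliance policy decides whether it gets full access.
        if not ctx.device_compliant:
            reasons.append("device_noncompliant")
        if ctx.os_version < policy.min_os_version:
            reasons.append("os_version_below_minimum")
        if not ctx.device_pin_set:
            reasons.append("device_pin_not_set")
        if reasons:
            return Decision.DENY, reasons
        return Decision.ALLOW, ["device_enrolled_and_compliant"]

    # Unenrolled device (personal phone or a public kiosk): only a managed app under
    # app protection policy may reach the data; browsers and native mail apps are refused.
    if ctx.client_type == "mobile_app" and ctx.managed_app:
        return Decision.ALLOW_MANAGED_APP, ["unenrolled_device_managed_app"]
    return Decision.DENY, ["unenrolled_device_unmanaged_client"]


def clipboard_transfer_allowed(source_profile: str, target_profile: str) -> bool:
    """Data-containment rule: corporate content may not flow into a non-corporate
    profile, even when both profiles live in the same app (e.g. Outlook Mobile)."""
    return not (source_profile == "corporate" and target_profile != "corporate")


# Constructed sample contexts matching the scenarios on the page
POLICY = AccessPolicy(min_os_version=(15, 0))

CORPORATE_IPHONE = AccessContext("alice", True, "low", True, True, (16, 4), True, True, "mobile_app")
PERSONAL_PHONE_OUTLOOK = AccessContext("bob", True, "low", False, False, (16, 0), True, True, "mobile_app")
PERSONAL_PHONE_NATIVE_MAIL = AccessContext("bob", True, "low", False, False, (16, 0), True, False, "mobile_app")
HOTEL_KIOSK_BROWSER = AccessContext("carol", True, "low", False, False, (0, 0), False, False, "browser")
OUTDATED_ENROLLED_DEVICE = AccessContext("dave", True, "low", True, True, (14, 2), True, True, "mobile_app")
RISKY_USER = AccessContext("eve", True, "high", True, True, (16, 4), True, True, "mobile_app")


if __name__ == "__main__":
    scenarios = [
        ("corporate iPhone (enrolled)", CORPORATE_IPHONE),
        ("personal phone, Outlook app", PERSONAL_PHONE_OUTLOOK),
        ("personal phone, native mail", PERSONAL_PHONE_NATIVE_MAIL),
        ("hotel kiosk browser", HOTEL_KIOSK_BROWSER),
        ("enrolled but outdated OS", OUTDATED_ENROLLED_DEVICE),
        ("high-risk user", RISKY_USER),
    ]
    for name, ctx in scenarios:
        decision, why = evaluate_access(ctx, POLICY)
        print(f"{name:30s} -> {decision.value:18s} {', '.join(why)}")
    print("corporate -> consumer paste allowed:", clipboard_transfer_allowed("corporate", "consumer"))
```

The ordering matters: identity conditions (MFA, user risk) are checked before any device state, so a compromised account is refused even from a compliant corporate device, and an unenrolled device never reaches the compliance checks but can still be granted app-scoped access when the client is a managed app.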