What is Intune?

Intune is a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected. With Intune, you can:

  • Manage the mobile devices your workforce uses to access company data.
  • Manage the mobile apps your workforce uses.
  • Protect your company information by helping to control the way your workforce accesses and shares it.
  • Ensure devices and apps are compliant with company security requirements.

Common business problems that Intune helps solve

How does Intune work?

Intune is the component of Enterprise Mobility + Security (EMS) that manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection. When you use it with Office 365, you can enable your workforce to be productive on all their devices, while keeping your organization's information protected.

Image of the Intune architecture

View a larger version of the Intune architecture diagram.

How you use the device and app management features of Intune and EMS data protection depends on the business problem you're trying to solve. For example:

  • You'll make strong use of device management if you're creating a pool of single-use devices to be shared by shift workers in a retail store.
  • You'll lean on app management and data protection if you allow your workforce to use their personal devices to access corporate data (BYOD).
  • If you are issuing corporate phones to information workers, you'll rely on all of the technologies.

Intune device management explained

Intune device management works by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like:

  • Enrolling devices into management so your IT department has an inventory of devices that are accessing corporate services
  • Configuring devices to ensure they meet company security and health standards
  • Providing certificates and Wi-Fi/VPN profiles to access corporate services
  • Reporting on and measuring device compliance to corporate standards
  • Removing corporate data from managed devices

Sometimes, people think that access control to corporate data is a device management feature. We don't think of it that way because it isn't something that the mobile operating system provides. Rather, it's something the identity provider delivers. In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft's identity and access management system.

Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require a mobile device to be compliant with corporate standards that you define in Intune before the device can access a corporate service like Exchange. Likewise, you can lock down the corporate service to a specific set of mobile apps. For example, you can lock down Exchange Online to only be accessed by Outlook or Outlook Mobile.
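The two gates just described (the device must be reported compliant by MDM, and the calling app must be on the approved list for the service) can be modelled as a small fail-closed decision function. The following is an added illustration, not Intune's or Azure AD's code or data model; the device inventory, app identifiers, service names and policy fields are all constructed for the example.

```python
"""Toy model of the Intune + Azure AD access-control flow.

Gate 1: the device must be enrolled and reported compliant.
Gate 2: the calling app must be on the service's approved-app list.
Everything below (records, identifiers, rules) is constructed for
illustration and is not Intune's data model or API.
"""
from dataclasses import dataclass, field
from enum import Enum


class Compliance(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "nonCompliant"
    UNKNOWN = "unknown"        # enrolled but no compliance report yet


@dataclass(frozen=True)
class DeviceRecord:
    device_id: str
    enrolled: bool
    compliance: Compliance
    os: str


@dataclass
class ServicePolicy:
    """Access rules IT defines for one corporate service (constructed)."""
    service: str
    require_compliant_device: bool = True
    approved_apps: frozenset = field(default_factory=frozenset)  # empty = any app


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    app_id: str
    service: str


# Constructed inventory, as the MDM enrollment step would populate it.
INVENTORY = {
    "dev-001": DeviceRecord("dev-001", True, Compliance.COMPLIANT, "iOS"),
    "dev-002": DeviceRecord("dev-002", True, Compliance.NON_COMPLIANT, "Android"),
    "dev-003": DeviceRecord("dev-003", True, Compliance.UNKNOWN, "iOS"),
}

# Constructed policy mirroring the text: Exchange Online only from a
# compliant device and only via the two (placeholder) Outlook app ids.
POLICIES = {
    "ExchangeOnline": ServicePolicy(
        "ExchangeOnline",
        approved_apps=frozenset({"outlook-ios", "outlook-android"}),
    ),
}


def evaluate(req, inventory=INVENTORY, policies=POLICIES):
    """Return (allowed, reason). Unknown services, devices or apps are denied."""
    policy = policies.get(req.service)
    if policy is None:
        return False, f"no policy defined for service {req.service}; fail closed"
    device = inventory.get(req.device_id)
    if policy.require_compliant_device:
        if device is None or not device.enrolled:
            return False, "device not enrolled; compliance cannot be verified"
        if device.compliance is not Compliance.COMPLIANT:
            return False, f"device compliance state is {device.compliance.value}"
    if policy.approved_apps and req.app_id not in policy.approved_apps:
        return False, f"app {req.app_id} is not approved for {req.service}"
    return True, "device compliant and app approved"


if __name__ == "__main__":
    for r in [
        AccessRequest("dev-001", "outlook-ios", "ExchangeOnline"),
        AccessRequest("dev-001", "other-mail", "ExchangeOnline"),
        AccessRequest("dev-002", "outlook-ios", "ExchangeOnline"),
        AccessRequest("dev-999", "outlook-ios", "ExchangeOnline"),
    ]:
        print(r.device_id, r.app_id, evaluate(r))
```

The point of the model is the ordering and the default: a device that is unenrolled, or enrolled but without a compliance report, is treated the same as a non-compliant one, and a service with no policy is denied rather than silently open.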

Intune app management explained

When we talk about app management, we are talking about:

  • Assigning mobile apps to employees
  • Configuring apps with standard settings that are used when the app runs
  • Controlling how corporate data is used and shared in mobile apps
  • Removing corporate data from mobile apps
  • Updating apps
  • Reporting on mobile app inventory
  • Tracking mobile app usage

We have seen the term mobile app management (MAM) used to mean any one of those things individually or to mean specific combinations. In particular, it's common for folks to conflate the concept of app configuration with the concept of securing corporate data within mobile apps. That's because some mobile apps expose settings that allow their data security features to be configured.

When we talk about app configuration and Intune, we are referring specifically to technologies like managed app configuration on iOS.

When you use Intune with the other services in EMS, you can provide your organization mobile app security over and above what is provided by the mobile operating system and the mobile apps themselves through app configuration. An app that is managed with EMS has access to a broader set of mobile app and data protections that includes:


Intune app security

Providing app security is a part of app management, and in Intune, when we talk about mobile app security, we mean:

  • Keeping personal information isolated from corporate IT awareness
  • Restricting the actions users can take with corporate information such as copy, cut/paste, save, and view
  • Removing corporate data from mobile apps, also known as selective wipe or corporate wipe

One way that Intune provides mobile app security is through its app protection policy feature. App protection policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using a corporate credential will be given additional corporate protections.

For example, when a user logs on to her device with her corporate credentials, her corporate identity allows her access to data that is denied to her personal identity. As that corporate data is used, app protection policies control how it is saved and shared. Those same protections are not applied to data that is accessed when the user logs on to her device with her personal identity. In this way, IT has control of corporate data while the end user maintains control and privacy over personal data.
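The identity-based isolation described in this section and the three app-security goals listed above (isolation, restricted copy/paste and save-as, selective wipe) can be sketched as one small model: each piece of data is tagged with the identity that opened it, restrictions apply only to corporate-tagged data, and a selective wipe removes only that data. This is an added illustration, not Intune's implementation; the policy fields, app and location names, and identities are constructed for the example.

```python
"""Toy model of app protection policy behaviour.

Data is tagged with the identity used to open it. Corporate-tagged data
may only be pasted into managed apps or saved to managed locations;
personal data is unrestricted. A selective wipe removes only the
corporate-tagged data. All names and rules are constructed examples.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    upn: str
    corporate: bool     # True when signed in with a corporate (Azure AD) account


@dataclass
class Document:
    name: str
    owner: Identity     # identity that opened/created it; this tags the data
    content: str


@dataclass
class AppProtectionPolicy:
    """Restrictions that apply only to corporate-tagged data (constructed)."""
    allow_paste_to_unmanaged: bool = False
    allow_save_to_unmanaged: bool = False
    managed_apps: frozenset = field(default_factory=frozenset)
    managed_locations: frozenset = field(default_factory=frozenset)


class ManagedApp:
    """An EMS-managed app holding documents opened under different identities."""

    def __init__(self, app_id, policy):
        self.app_id = app_id
        self.policy = policy
        self.store = {}     # document name -> Document

    def open(self, doc):
        self.store[doc.name] = doc

    def can_paste(self, doc, target_app):
        # Personal data is never subject to the corporate policy.
        if not doc.owner.corporate:
            return True
        return (target_app in self.policy.managed_apps
                or self.policy.allow_paste_to_unmanaged)

    def can_save_as(self, doc, location):
        if not doc.owner.corporate:
            return True
        return (location in self.policy.managed_locations
                or self.policy.allow_save_to_unmanaged)

    def selective_wipe(self):
        """Remove corporate-tagged documents only; return their names."""
        removed = [name for name, d in self.store.items() if d.owner.corporate]
        for name in removed:
            del self.store[name]
        return removed


def build_demo():
    """Construct the sample identities, policy and app used by the demo."""
    corp = Identity("alice@contoso.example", corporate=True)
    personal = Identity("alice@personal.example", corporate=False)
    policy = AppProtectionPolicy(
        managed_apps=frozenset({"word-managed", "excel-managed"}),
        managed_locations=frozenset({"OneDriveForBusiness"}),
    )
    app = ManagedApp("outlook-managed", policy)
    app.open(Document("q3-forecast.xlsx", corp, "constructed corporate content"))
    app.open(Document("recipe.txt", personal, "constructed personal content"))
    return app


if __name__ == "__main__":
    app = build_demo()
    corp_doc, personal_doc = app.store["q3-forecast.xlsx"], app.store["recipe.txt"]
    print("paste corp -> notes-personal:", app.can_paste(corp_doc, "notes-personal"))
    print("paste corp -> word-managed:  ", app.can_paste(corp_doc, "word-managed"))
    print("save-as corp -> LocalStorage:", app.can_save_as(corp_doc, "LocalStorage"))
    print("paste personal -> notes-personal:", app.can_paste(personal_doc, "notes-personal"))
    print("selective wipe removed:", app.selective_wipe(), "remaining:", list(app.store))
```

The decisive detail is that the restriction is keyed on the identity that touched the data, not on the app or the device: the same app, on the same device, handles the personal document without any of the corporate controls, and the wipe leaves it in place.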

EMM with and without device enrollment

Most enterprise mobility management solutions support basic mobile device and mobile app technologies. These are usually tied to the device being enrolled in your organization's mobile device management (MDM) solution. Intune supports these scenarios and additionally supports many "without enrollment" scenarios.

Organizations differ to the extent they will adopt "without enrollment" scenarios. Some organizations standardize on it. Some allow it for companion devices such as a personal tablet. Others don't support it at all. Even in this last case, where an organization requires all employee devices to be enrolled in MDM, they typically support "without enrollment" scenarios for contractors, vendors, and for other devices that have a specific exemption.

You can even use Intune's "without-enrollment" technology on enrolled devices. For example, a device enrolled in MDM may have "open-in" protections provided by the mobile operating system. ("Open-in" protection is an iOS feature that restricts you from opening a document from one app, like Outlook, into another app, like Word, unless both apps are managed by the MDM provider.) In addition, IT may apply the app protection policy to EMS-managed mobile apps to control save-as or to provide multi-factor authentication.

Whatever your organization's position on enrolled and unenrolled mobile devices and apps, Intune, as a part of EMS, has tools that will help increase your workforce productivity while protecting your corporate data.

Next steps