What is Intune?

Applies to: Intune
This topic applies to Intune in both the Azure portal and the classic console.

Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. With Intune, you can:

  • Manage the mobile devices your workforce uses to access company data.
  • Manage the mobile apps your workforce uses.
  • Protect your company information by helping to control the way your workforce accesses and shares it.
  • Ensure devices and apps are compliant with company security requirements.

Intune integrates closely with Azure Active Directory (Azure AD) for identity and access control, and with Azure Information Protection for data protection.

Together, Office 365 and EMS enable your workforce to be productive on all of their devices while keeping your organization's information protected. Office 365 with EMS is a complete, integrated suite for enterprise mobility, covering productivity, identity, access control, management, and data protection. It gives you an effective way to deploy and operate a mobility solution in your organization.

How does Intune work?

Intune provides mobile device management (MDM) and mobile app management (MAM). Intune's MDM and MAM features then contribute to the EMS suite of data protection and compliance scenarios.

How you use the MDM/MAM features of Intune and EMS data protection depends on the business problem you're trying to solve. For example:

  • You'll make strong use of MDM if you're creating a pool of single-use devices to be shared by shift workers in a retail store.
  • You'll lean on MAM and data protection if you allow your workforce to use their personal devices to access corporate data (BYOD).
  • If you are issuing corporate phones to information workers, you'll rely heavily on all of these technologies.

Intune mobile device management (MDM) explained

MDM works by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like:

  • Enrolling devices into management so IT has an inventory of devices that are accessing corporate services
  • Configuring devices to ensure they meet company security and health standards
  • Providing certificates and Wi-Fi/VPN profiles to access corporate services
  • Reporting on and measuring device compliance with corporate standards
  • Removing corporate data from managed devices

Sometimes, people think that access control to corporate data is an MDM feature. We don't think of it that way, because it isn't something that the mobile operating system provides. Rather, it's something the identity provider delivers. In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft's identity and access management system.

Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require a mobile device to be compliant with corporate standards, as defined in Intune, before the device can access a corporate service like Exchange. Likewise, you can lock down the corporate service to a specific set of mobile apps. For example, you can lock down Exchange Online so that it can only be accessed by Outlook or Outlook Mobile.
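The following is an added example, not code from the Intune documentation or from Microsoft. It models the access-control scenario just described: a sign-in to a corporate service is granted only when Intune reports the device as compliant and the request comes from an approved app. The policy dictionary is written in the shape of a Microsoft Graph conditionalAccessPolicy object (field names assumed; the Exchange Online application id is a placeholder), and the evaluator is a simplified local decision model, not the Azure AD policy engine. It goes slightly beyond the text by showing how an "AND" versus "OR" grant operator changes the outcome.

```python
"""Simplified model of Intune + Azure AD conditional access (illustrative, added here).

The policy shape follows the Graph conditionalAccessPolicy resource as an assumption.
The evaluator is a local toy, not the real Azure AD decision engine.
"""
from dataclasses import dataclass

# Placeholder; substitute the real Exchange Online application id in a live tenant.
EXCHANGE_ONLINE_APP_ID = "<exchange-online-app-id>"

# Policy: all users, targeting Exchange Online, must satisfy BOTH grant controls.
EXCHANGE_POLICY = {
    "displayName": "Require compliant device AND approved app for Exchange Online",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
    },
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["compliantDevice", "approvedApplication"],
    },
}

# Apps the organization treats as approved clients (constructed list for this example).
APPROVED_CLIENT_APPS = {"Outlook", "Outlook Mobile"}


@dataclass
class SignIn:
    """One sign-in attempt as the identity provider would see it (constructed input)."""
    user: str
    target_app_id: str      # the cloud service being requested
    client_app: str         # the mobile app making the request
    device_compliant: bool  # compliance state Intune reported for the device


def policy_applies(policy: dict, signin: SignIn) -> bool:
    """Does this policy's scope (state, target app, user set) cover the sign-in?"""
    apps = policy["conditions"]["applications"]["includeApplications"]
    users = policy["conditions"]["users"]["includeUsers"]
    return (policy["state"] == "enabled"
            and signin.target_app_id in apps
            and ("All" in users or signin.user in users))


def control_satisfied(control: str, signin: SignIn) -> bool:
    """Map each built-in grant control to the signal that satisfies it."""
    if control == "compliantDevice":
        return signin.device_compliant
    if control == "approvedApplication":
        return signin.client_app in APPROVED_CLIENT_APPS
    raise ValueError(f"unsupported control in this model: {control}")


def evaluate(policy: dict, signin: SignIn):
    """Return (decision, unmet_controls); decision is 'allow' or 'block'."""
    if not policy_applies(policy, signin):
        return "allow", []          # out of scope: this policy imposes nothing
    controls = policy["grantControls"]["builtInControls"]
    results = {c: control_satisfied(c, signin) for c in controls}
    unmet = [c for c, ok in results.items() if not ok]
    if policy["grantControls"]["operator"] == "AND":
        granted = not unmet         # every control must hold
    else:
        granted = any(results.values())  # "OR": any one control is enough
    return ("allow" if granted else "block"), unmet


if __name__ == "__main__":
    samples = [
        SignIn("alice", EXCHANGE_ONLINE_APP_ID, "Outlook", True),
        SignIn("alice", EXCHANGE_ONLINE_APP_ID, "Outlook", False),
        SignIn("bob", EXCHANGE_ONLINE_APP_ID, "Generic mail client", True),
        SignIn("bob", "<some-other-app-id>", "Generic mail client", False),
    ]
    for s in samples:
        print(s.user, s.client_app, s.device_compliant, "->", evaluate(EXCHANGE_POLICY, s))
```

The model makes the division of labour visible: Intune supplies the device compliance signal and the approved-app list, while the grant decision itself belongs to the identity provider, which is why access control is not an MDM feature in the page's terminology.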

Intune mobile app management (MAM) explained

When we talk about MAM, we are talking about the set of things our solutions enable IT Pros to do with mobile apps, such as:

  • Publishing mobile apps to employees
  • Configuring apps
  • Controlling how corporate data is used and shared in mobile apps
  • Removing corporate data from mobile apps
  • Updating mobile apps
  • Reporting on mobile app inventory
  • Tracking mobile app usage

We have seen the term MAM used to mean any one of those things individually or to mean specific combinations. In particular, it's common for people to conflate the concept of app configuration (that is, using technologies like managed app configuration on iOS) with the concept of securing corporate data within mobile apps. That's because some mobile apps expose settings that allow their data security features to be configured.

That, in combination with operating system features for protecting data (for example, MDM features such as Windows Information Protection on Windows 10), gives a lot of protection to data on mobile devices.

When you use Intune with the other services in EMS, you can provide your organization mobile app security over and above what is provided by the mobile operating system and the mobile apps themselves through app configuration. An app that is managed with EMS has access to a broader set of mobile app and data protections, which includes:

(Image: diagram showing the layers of app management data security.)

Intune mobile app security

Providing app security is a part of MAM, and in Intune, when we talk about mobile app security, we mean:

  • Keeping personal information isolated from corporate IT awareness
  • Restricting the actions users can take with corporate information, such as copy, cut/paste, save, and view
  • Removing corporate data from mobile apps, also known as selective wipe or corporate wipe

One way that Intune provides mobile app security is through its app protection policy feature. App protection policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using a corporate credential is given additional corporate protections.

When a user logs on to her device with her corporate credentials, her corporate identity allows her access to data that is denied to her personal identity. As that corporate data is used, Intune, along with other EMS technologies, controls how it is saved and shared. Those same protections are not applied to data that is accessed when the user logs on to her device with her personal identity. In this way, IT has control of corporate data while the end user maintains control and privacy over personal data.

EMM with and without device enrollment

Most enterprise mobility management solutions support basic mobile device and mobile app technologies. These are usually tied to the device being enrolled in your organization's MDM solution. Intune supports these scenarios and additionally supports many "without enrollment" scenarios.

Organizations differ in the extent to which they adopt "without enrollment" scenarios. Some organizations standardize on it. Some allow it for companion devices such as a personal tablet. Others don't support it at all. Even in this last case, where an organization requires all employee devices to be enrolled in MDM, these organizations typically support "without enrollment" scenarios for contractors, vendors, and other devices that have a specific exemption.

You can even use Intune's "without enrollment" technology on enrolled devices. For example, a device enrolled in MDM may have open-in protections provided by the mobile operating system. (Open-in protection is an iOS feature that restricts you from opening a document from one app, like Outlook, into another app, like Word, unless both apps are managed by the MDM provider.) In addition, IT may apply app protection policy to EMS-managed mobile apps to control save-as or to require multi-factor authentication.

Whatever your organization's position on enrolled and unenrolled mobile devices and apps, Intune, as a part of EMS, has tools that will help increase your workforce productivity while protecting your corporate data.

Common business problems that Intune helps solve

The following list of business problems links to more detailed information about the solutions we can provide. Only the last item requires MDM enrollment as part of the solution:

Next steps

To submit feedback, go to Intune Feedback.