Step 5. Device and app management for your Microsoft 365 for enterprise tenants

Microsoft 365 for enterprise includes features to help manage devices, and the use of apps on those devices, within your organization through mobile device management (MDM) and mobile application management (MAM). You can manage iOS, Android, macOS, and Windows devices to protect access to your organization's resources, including your data. For example, you can prevent email from being sent to people outside your organization, or isolate organization data from personal data on your workers' personal devices.

以下是使用者、其裝置的驗證和管理,以及其使用本機和雲端生產力應用程式(如 Microsoft 團隊)的範例。Here is an example of the validation and management of users, their devices, and their use of local and cloud productivity apps like Microsoft Teams.

使用者、裝置及應用程式的驗證與管理

To help you secure and protect your organization's resources, Microsoft 365 for enterprise includes features to help manage devices and their access to apps. There are two options for device management:

  • Microsoft Intune, which is a comprehensive device and app management solution for enterprises.
  • Basic Mobility and Security, which is a subset of Intune services included with all Microsoft 365 products for managing devices in your organization. For more information, see Capabilities of Basic Mobility and Security.

If you have Microsoft 365 E3 or E5, you should use Intune.

Microsoft Intune

You use Microsoft Intune to manage access to your organization using MDM or MAM. With MDM, users "enroll" their devices in Intune. After a device is enrolled, it is a managed device and can receive your organization's policies, rules, and settings. For example, you can install specific apps, create a password policy, install a VPN connection, and more.

Users with their own personal devices may not want to enroll those devices or have them managed by Intune and your organization's policies. But you still need to protect your organization's resources and data. In this scenario, you can protect your apps using MAM. For example, you can use a MAM policy that requires a user to enter a PIN when accessing SharePoint on the device.

You'll also determine how you're going to manage personal devices and organization-owned devices. You might want to treat devices differently, depending on how they are used.

Identity and device access configurations

Microsoft provides a set of identity and device access configurations to ensure a secure and productive workforce. These configurations include the use of:

  • Azure AD Conditional Access policies
  • Microsoft Intune device compliance and app protection policies
  • Azure AD Identity Protection user risk policies
  • Additional cloud app policies

Here is an example of applying these settings and policies to validate and restrict users, their devices, and their use of local and cloud productivity apps such as Microsoft Teams.

Identity and device access configurations for the requirements and restrictions on users, their devices, and their use of apps
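One way the Conditional Access and Intune pieces listed above fit together, as an added example that is not part of the original article: a Conditional Access policy that lets Office 365 apps such as Teams and SharePoint be reached only from an Intune-compliant (MDM-enrolled) device or from a client app covered by an Intune app protection (MAM) policy. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass group ID is a placeholder you replace with your own.

```powershell
# Added example, not code from the original article.
# Creates a Conditional Access policy that accepts EITHER an Intune-compliant
# device (the MDM path) OR an Intune-protected app (the MAM path) before
# Office 365 apps can be used. Starts in report-only mode so the sign-in logs
# show who would be affected before anything is enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require compliant device or protected app for Office 365"
    # Report-only first; switch to "enabled" once the sign-in log review is clean.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object ID of your emergency-access (break-glass) group.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications = @{
            # "Office365" is the built-in target covering Teams, SharePoint, Exchange, etc.
            includeApplications = @("Office365")
        }
        platforms = @{
            includePlatforms = @("iOS", "android", "windows", "macOS")
        }
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{
        # OR: satisfying either control grants access; organization-owned devices
        # pass via compliantDevice, unenrolled personal devices via compliantApplication.
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

The compliantApplication control only takes effect for apps that support Intune app protection policies; other clients will fall through to the compliantDevice requirement.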

For device access and app management, use the configurations in these articles:

Results of Step 5

For device and app management in your Microsoft 365 tenant, you have determined the Intune settings and policies that validate and restrict users, their devices, and their use of local and cloud productivity apps.

Here is an example of a tenant with Intune device and app management, with the new elements highlighted.

Example of a tenant with Intune device and app management

In this illustration, the tenant has:

  • Organization-owned devices enrolled in Intune.
  • Intune device and app policies for enrolled and personal devices.

Ongoing maintenance for device and app management

On an ongoing basis, you might need to:

  • Manage device enrollment.
  • Revise your settings and policies for additional apps, devices, and security requirements.