Overview of shared device mode

Shared device mode is a feature of Azure Active Directory that allows you to build applications that support Firstline Workers and enable shared device mode on the devices deployed to them.

Note

This feature is in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

What are Firstline Workers?

Firstline Workers are retail employees, maintenance and field agents, medical personnel, and other users that don't sit in front of a computer or use corporate email for collaboration. The following sections introduce the aspects and challenges of supporting Firstline Workers, followed by an introduction to the features provided by Microsoft that enable your application for use by an organization's Firstline Workers.

Challenges of supporting Firstline Workers

Enabling Firstline Worker workflows includes challenges not usually presented by typical information workers. Such challenges can include a high turnover rate and less familiarity with an organization's core productivity tools. To empower their Firstline Workers, organizations are adopting different strategies. Some are adopting a bring-your-own-device (BYOD) strategy in which their employees use business apps on their personal phone, while others provide their employees with shared devices like iPads or Android tablets.

Supporting multiple users on devices designed for one user

Because mobile devices running iOS or Android were designed for single users, most applications optimize their experience for use by a single user. Part of this optimized experience means enabling single sign-on across applications and keeping users signed in on their device. When a user removes their account from an application, the app typically doesn't consider it a security-related event. Many apps even keep a user's credentials around for quick sign-in. You may even have experienced this yourself when you've deleted an application from your mobile device and then reinstalled it, only to discover you're still signed in.

Global sign-in and sign-out (SSO)

To allow an organization's employees to use its apps across a pool of devices shared by those employees, developers need to enable the opposite experience. Employees should be able to pick a device from the pool and perform a single gesture to "make it theirs" for the duration of their shift. At the end of their shift, they should be able to perform another gesture to sign out globally on the device, with all their personal and company information removed so they can return it to the device pool. Furthermore, if an employee forgets to sign out, the device should be automatically signed out at the end of their shift and/or after a period of inactivity.

Azure Active Directory enables these scenarios with a feature called shared device mode.

Introducing shared device mode

As mentioned, shared device mode is a feature of Azure Active Directory that enables you to:

  • Build applications that support Firstline Workers
  • Deploy devices to Firstline Workers and turn on shared device mode

Build applications that support Firstline Workers

You can support Firstline Workers in your applications by using the Microsoft Authentication Library (MSAL) and the Microsoft Authenticator app to enable a device state called shared device mode. When a device is in shared device mode, Microsoft provides your application with information that allows it to modify its behavior based on the state of the user on the device, protecting user data.

Supported features are:

  • Sign in a user device-wide through any supported application.
  • Sign out a user device-wide through any supported application.
  • Query the state of the device to determine if your application is on a device that's in shared device mode.
  • Query the device state of the user on the device to determine if anything has changed since the last time your application was used.

Supporting shared device mode should be considered both a security enhancement and a feature upgrade for your application, and can help increase its adoption in highly regulated environments like healthcare and finance.

Your users depend on you to ensure their data isn't leaked to another user. Shared device mode provides helpful signals to indicate to your application that a change you should manage has occurred. Your application is responsible for checking the state of the user on the device every time the app is used, and for clearing the previous user's data. This includes when the app is brought back from the background while multitasking. On a user change, you should ensure both that the previous user's data is cleared and that any cached data being displayed in your application is removed. We recommend you always perform a thorough security review process after adding shared device mode capability to your app.
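The user-state check described above, written against MSAL for Android's single-account API as an added illustration (not code from this article); `clearLocalUserData` and `showSignInScreen` are hypothetical app-specific helpers, and the check is meant to run from the activity's `onResume()` so that a return from the background is covered:

```java
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.exception.MsalException;

// Added example. On a shared device the app must re-check the signed-in account
// every time it becomes visible and wipe the previous user's data on any change.
public class SharedDeviceAccountGuard {
    private final ISingleAccountPublicClientApplication app;
    @Nullable private IAccount knownAccount; // account whose data this app currently holds

    public SharedDeviceAccountGuard(ISingleAccountPublicClientApplication app) { this.app = app; }

    // Call from Activity.onResume(): covers first launch and background/foreground switches.
    public void checkAccountState() {
        if (!app.isSharedDevice()) {
            return; // single-user device: ordinary MSAL account handling applies
        }
        app.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
            @Override
            public void onAccountLoaded(@Nullable IAccount activeAccount) {
                // MSAL reports no change; still compare against what this app last displayed.
                if (activeAccount == null) {
                    clearLocalUserData();   // a device-wide sign-out happened in another app
                    showSignInScreen();
                } else if (knownAccount != null && !activeAccount.getId().equals(knownAccount.getId())) {
                    clearLocalUserData();   // defensive: the account differs from our cached view
                }
                knownAccount = activeAccount;
            }
            @Override
            public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable IAccount currentAccount) {
                // Another app signed the prior user out (or a new user in) device-wide.
                clearLocalUserData();       // databases, files, in-memory state and displayed data
                knownAccount = currentAccount;
                if (currentAccount == null) {
                    showSignInScreen();
                }
            }
            @Override
            public void onError(@NonNull MsalException exception) {
                clearLocalUserData();       // fail closed: unknown state means no trusted user
                showSignInScreen();
            }
        });
    }

    // Hypothetical app helpers (assumed for this example; not MSAL APIs).
    private void clearLocalUserData() { /* wipe local storage and clear every view showing user data */ }
    private void showSignInScreen() { /* navigate to the app's sign-in UI */ }
}
```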

For details on how to modify your applications to support shared device mode, see the Next steps section at the end of this article.

Deploy devices to Firstline Workers and turn on shared device mode

Once your applications support shared device mode and include the required data and security changes, you can advertise them as being usable by Firstline Workers.

An organization's device administrators are able to deploy their devices and your applications to their stores and workplaces through a mobile device management (MDM) solution like Microsoft Intune. Part of the provisioning process is marking the device as a Shared Device. Administrators configure shared device mode by deploying the Microsoft Authenticator app and setting shared device mode through configuration parameters. After performing these steps, all applications that support shared device mode will use the Microsoft Authenticator application to manage their user state and provide security features for the device and organization.

Next steps

We support iOS and Android platforms for shared device mode. Review the documentation below for your platform to begin supporting Firstline Workers in your applications.