Use conditional access with Intune and Configuration Manager

This topic assumes that you are already using System Center Configuration Manager and Microsoft Exchange Server – with on-premises, Exchange Online, or a hybrid deployment of both – in your company to manage email access. This solution combines your existing Configuration Manager environment with Intune to safely manage email access on all types of devices, regardless of their location.

Tip

Get a downloadable copy of this entire topic at the TechNet Gallery.

Before you begin

Before you start using conditional access, ensure that you have the correct requirements in place:

For Exchange Online

Conditional access to Exchange Online supports devices that run:

  • Windows 8.1 and later (when enrolled with Intune)

  • Windows 7.0 or later (when domain joined)

  • Windows Phone 8.1 and later

  • iOS 7.1 and later

  • Android 4.0 and later, Samsung Knox Standard 4.0 and later

Additionally, devices must be registered with the Azure Active Directory Device Registration Service (AAD DRS).

AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.

  • You must use an Office 365 subscription that includes Exchange Online (such as E3), and users must be licensed for Exchange Online.

  • The optional Microsoft Intune service to service connector connects Intune to Microsoft Exchange Online and helps you manage device information through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune). You do not need the connector to use compliance policies or conditional access policies, but it is required to run the reports that help you evaluate the impact of conditional access.

    If you configure the connector, some Exchange ActiveSync policies from Intune might be visible in the Office console, but they are not set as default policies and do not affect devices.

    Important

    Do not configure the service to service connector if you intend to use conditional access for both Exchange Online and Exchange on-premises.

    Now you are ready to learn how to deploy Exchange Online with Intune.

For Exchange Server on-premises

Conditional access to Exchange on-premises supports:

  • Windows 8 and later (when enrolled with Intune)

  • Windows Phone 8 and later

  • Any iOS device that uses an Exchange ActiveSync (EAS) email client

  • Android 4 and later

Additionally:

  • Your Exchange version must be Exchange 2010 or later. The Exchange Server Client Access Server (CAS) configuration is supported.

    Tip

    If your Exchange environment is in a CAS server configuration, you must configure the on-premises Exchange connector to point to any one of the CAS servers.

  • Exchange ActiveSync can be configured with certificate-based authentication or with user credential entry.

  • You must use the on-premises Exchange connector, which connects Intune to Microsoft Exchange Server on-premises. This lets you manage devices through the Intune console (see Mobile device management with Exchange ActiveSync and Microsoft Intune).

    Important

    Make sure that you are using the latest version of the on-premises Exchange connector. The on-premises Exchange connector available to you in the Intune console is specific to your Intune tenant and cannot be used with any other tenant. You should also ensure that the Exchange connector for your tenant is installed on exactly one machine, not on multiple machines.

    Now you are ready to learn how to deploy Exchange Server on-premises with Intune.

If your environment includes both Exchange Online and Exchange on-premises, you can read about deploying Exchange Online and on-premises with Microsoft Intune and Configuration Manager.