Deploy Exchange Server on-premises with Microsoft Intune and Configuration Manager

Now that you've read through the architecture guidance for protecting company email and documents, you are ready to proceed with deploying a solution.

If you are already using System Center Configuration Manager and Exchange in your on-premises infrastructure, you can incorporate Intune to manage email access and protect email data on mobile devices. The high-level process for implementing this solution is as follows:

  • Configure the On-Premises Intune Exchange Connector through the Configuration Manager console, which lets Configuration Manager communicate with the Exchange Server that hosts the mobile devices' mailboxes.

  • Run a full synchronization of the Exchange Server Connector to discover users and to inventory the Exchange ActiveSync IDs (EASIDs) of all mobile devices that are connecting to Exchange Server on-premises.

  • Create user collections for the groups of users that will either be targeted by or exempted from the conditional access policy. Then create the compliance policies that define the rules and settings a device must comply with in order to be considered compliant by conditional access policies.

  • Begin enforcing conditional access.

Conditional access control flow for Exchange Server on-premises

This diagram shows the control flow for clients attempting to access email in Exchange on-premises.

[Diagram: conditional access control flow in Configuration Manager used with Intune and Exchange Server on-premises]

  • Microsoft Intune: Manages the compliance and conditional access policies for the device

  • Microsoft Azure Active Directory: Authenticates the user and provides the device's compliance status

  • Configuration Manager: Manages device enrollment and provides reporting

  • Exchange on-premises: Enforces access to email based on the device state

Before you begin

Make sure your environment meets these requirements for implementing this solution.

Note

If you have already configured Configuration Manager to manage mobile devices through the Intune service, you can proceed to the Deployment Steps.

  • Verify that you meet the hardware requirements for the on-premises connector.

  • Verify that you are running System Center 2012 R2 Configuration Manager SP1 with cumulative update 1 or later.

  • Ensure that the Exchange Web Services (EWS) endpoint is configured properly for discovery. If necessary, contact your Configuration Manager Support team for a tool that can help identify EWS connection issues. EWS lets developers interact with Exchange mailboxes and their contents by using standard HTTP.

  • Install a valid digital certificate purchased from a trusted public certificate authority and assign the Exchange services to it.

  • Configure an account (local or domain admin) with permissions to run the following Exchange Server cmdlets:

    Clear-ActiveSyncDevice

    Get-ActiveSyncDevice

    Get-ActiveSyncDeviceAccessRule

    Get-ActiveSyncDeviceStatistics

    Get-ActiveSyncMailboxPolicy

    Get-ActiveSyncOrganizationSettings

    Get-ExchangeServer

    Get-Recipient

    Set-ADServerSettings

    Set-ActiveSyncDeviceAccessRule

    Set-ActiveSyncMailboxPolicy

    Set-CASMailbox

    New-ActiveSyncDeviceAccessRule

    New-ActiveSyncMailboxPolicy

    Remove-ActiveSyncDevice
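The following script is an added example and not part of the original article. Run it in the Exchange Management Shell while signed in as the account you intend to use for the Exchange Server connector: because the shell only imports the cmdlets that the signed-in account's RBAC roles permit, any cmdlet from the list above that Get-Command cannot find is one the account cannot run, so the gap is caught before the connector is installed. The Get-ManagementRole lookup for missing cmdlets assumes the account is allowed to run Get-ManagementRole.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# as the account planned for the Exchange Server connector. The shell imports only the
# cmdlets that the account's RBAC roles allow, so a name Get-Command cannot resolve is
# a cmdlet the account is not permitted to run.
$requiredCmdlets = @(
    'Clear-ActiveSyncDevice',
    'Get-ActiveSyncDevice',
    'Get-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics',
    'Get-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncOrganizationSettings',
    'Get-ExchangeServer',
    'Get-Recipient',
    'Set-ADServerSettings',
    'Set-ActiveSyncDeviceAccessRule',
    'Set-ActiveSyncMailboxPolicy',
    'Set-CASMailbox',
    'New-ActiveSyncDeviceAccessRule',
    'New-ActiveSyncMailboxPolicy',
    'Remove-ActiveSyncDevice'
)

# Collect every required cmdlet that is not available in this session.
$missing = foreach ($name in $requiredCmdlets) {
    if (-not (Get-Command -Name $name -ErrorAction SilentlyContinue)) { $name }
}

if ($missing) {
    Write-Warning "The current account cannot run these cmdlets required by the connector:"
    $missing | ForEach-Object { Write-Warning "  $_" }

    # For each missing cmdlet, list the RBAC management roles that grant it, so the
    # right role can be assigned. This lookup itself requires Get-ManagementRole rights
    # (assumption: the account, or the admin running this, has them).
    foreach ($name in $missing) {
        Get-ManagementRole -Cmdlet $name -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Host "  $name is granted by role: $($_.Name)" }
    }
} else {
    Write-Host "All $($requiredCmdlets.Count) cmdlets required by the Exchange Server connector are available."
}
```

If any cmdlet is reported missing, assign one of the listed roles to the account before installing the connector; otherwise the connector logs "Invoking cmdlet <cmdlet> failed" in EasDisc.log, as described below.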

Important

If you try to install or use the Exchange Server connector without the required cmdlets, an error with the message "Invoking cmdlet <cmdlet> failed" is logged in the EasDisc.log file on the site server computer.

Deployment Steps

Follow these steps to deploy the Exchange on-premises solution:

Step 1: Ensure that the Intune Connector role is installed.

Make sure that the Intune Connector role is installed so that Configuration Manager can interact with Intune. See Manage Mobile Devices with Configuration Manager and Intune for more information.

Step 2: Install and configure an Exchange Server connector.

Configuration Manager supports only one connector per Exchange organization.

Important

Before you install the Exchange Server connector, confirm that Configuration Manager supports the version of Microsoft Exchange that you are using. For more information, see Supported Configurations for Configuration Manager.

Follow the steps at How to Manage Mobile Devices by Using Configuration Manager and Exchange to install and configure the Exchange Server connector.

Step 3: Run a full synchronization to discover users.

  1. In the Configuration Manager console, click Administration, expand Hierarchy Configuration, and then select Exchange Server Connectors.

  2. Select the Exchange Server Connector that you installed in Step 2.

  3. Click Synchronize Now.

    [Screenshot: where to run a full synchronization in the Configuration Manager console]

This full synchronization can take several hours to complete, depending on the number of devices. A full synchronization runs once every 24 hours by default. A delta synchronization discovers device connections made since the previous full synchronization and runs at the interval you set when installing the Exchange Server Connector. This ensures that new users and new Exchange users are discovered quickly so that conditional access can be applied.

Using the Configuration Manager Trace Log Tool, you can open the EasDisc.log file (located in the Microsoft Configuration Manager/Logs folder where you installed Configuration Manager) to verify that the connector is running and querying for device connections. After the full sync completes, it will have inventoried the Exchange ActiveSync IDs (EASIDs) of all mobile devices that are connecting to Exchange on-premises.

Step 4: Create user collections.

Determine the Intune user groups that the conditional access policy will target. Then create user collections for the groups of users that will either be targeted by or exempted from the conditional access policy. You will specify these groups when you enforce conditional access later on.

Follow the steps at How to Create Collections in Configuration Manager to create user collections.

Step 5: Create compliance policies and deploy them to users.

Compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. Follow the steps at Compliance Policies in Configuration Manager to create compliance policies.

If you want the ability to remove all corporate email from an iOS device after it is no longer part of your company, you must create and deploy an email profile and then set the compliance policy that specifies that email profiles are managed by Intune. You must deploy the email profile to the same set of users that you target with this compliance policy.

[Screenshot: the Rules page of the Create Compliance Policy Wizard, where you specify that email profiles must be managed by Intune]

If you specify this compliance policy, a user who has already set up their email account must manually remove it; Intune then adds it back through the registration process described in End-user experience of conditional access.

After the compliance policy is created, select the compliance policy name in the list and click Deploy.

Step 6: Configure the conditional access policy.

First, decide how and when you want to enforce conditional access and which employees will be affected. Then follow the steps at Conditional Access for Exchange Email in Configuration Manager to configure the conditional access policy for Exchange on-premises.

Step 7: Monitor enrollments and enforce conditional access.

If you already have a significant number of users enrolled in Intune and compliant, you can start enforcing conditional access by rolling it out to about 500 users per day. This takes about 4 to 5 months for 70,000 users and lets you sort out any issues that arise without restricting email access for too many users at the same time.

If you don't have a large number of users already enrolled in Intune, conditional access provides them with a guided enrollment experience, as described in End-user experience of conditional access.

Verification Steps

Using the Configuration Manager Trace Log Tool, open the EasDisc.log file (located in the Microsoft Configuration Manager/Logs folder where you installed Configuration Manager). Search the log file for "Exchange Connector" to find information about whether the Exchange Connector is running and how many devices are connected.

[Screenshot: the EasDisc log file open in the Configuration Manager Trace Log Tool]

The Configuration Manager Trace Log Tool is included in the System Center 2012 R2 Configuration Manager Toolkit.

Reporting

You can use the Configuration Manager console to view specific information about devices that the Exchange Connector has discovered. For devices on which conditional access is enforced, you can view the current status of each device, the last time the device connected to the Exchange server, and so on.

In the Configuration Manager console, click Assets and Compliance and then click Devices. You can view the current status of each device (Blocked or Allowed) in the Exchange Access State column. If the column is not already shown, add it by right-clicking in the column title bar area. You can also view the last successful synchronization time for each device, as reported by Exchange, by adding the Last Success Sync Time To Exchange Server column.

[Screenshot: the device list in the Configuration Manager console]

If you are running SQL Server Reporting Services (SSRS), you can view a conditional access report that shows the compliance state of devices, whether an Exchange connector is installed and running, and the EAS Access state. It also provides information about Active Directory registration, EAS activation, and the device owner.

[Screenshot: an example SQL Server Reporting Services report]

To view SSRS reports, you must have a reporting role installed on the primary server:

  1. In Configuration Manager, click Administration, click Hierarchy Configuration, click Site Configuration, and then click Servers and Site System Roles.

  2. Select a server and click Add Site System Role to open the Add Site System Role wizard.

  3. On the System Role Selection page, select the Reporting services point checkbox. The reporting services point displays reports related to client management.

  4. Click Next.

The following shows the deployment status of the configuration policy:

[Screenshot: the deployment status of the configuration policy]

Latency

A device is blocked as soon as it is discovered by the Exchange connector. The latency of blocking depends on the configured intervals for full synchronization and delta synchronization, and on when within those intervals the device connects to the Exchange server. By default, a full synchronization occurs every 24 hours while a delta synchronization occurs every 240 minutes. During this latency period, a device might be considered compliant.

Where to go from here

After you have deployed a solution for protecting corporate email and email data on mobile devices, you can learn more about the end-user experience of conditional access. This will help prepare you for issues that might arise when end users enroll their specific devices.