Deploy Exchange Online with Microsoft Intune and Configuration Manager

Now that you've read through the architecture guidance for protecting company email and documents, you are ready to proceed with deploying a solution.

If you are already using System Center Configuration Manager and Exchange Online, you can incorporate Intune to manage email access and protect email data on mobile devices. The high-level process for implementing this solution is as follows:

  • Create the compliance policies that define the rules and settings a device must meet in order to be considered compliant by conditional access policies.

  • Begin enforcing conditional access.

  • Optionally, configure the Exchange Server connector for Exchange Online. This connector is used for reporting only; it is not required to enable conditional access.

Conditional access control flow for Exchange Online

This diagram shows the control flow for clients attempting to access email in Exchange Online. Steps A and B might be performed before conditional access is enforced.

Diagram: conditional access flow in Configuration Manager used with Intune and Exchange Online

  • Microsoft Intune: manages the compliance and conditional access policies for the device

  • Microsoft Azure Active Directory: authenticates the user and provides the device compliance status

  • Configuration Manager: manages device enrollment and provides reporting, if enabled

  • Exchange Online: enforces access to email based on the device state

Before you begin

Make sure your environment meets these requirements for implementing this solution.

  • Assign the Exchange services a valid digital certificate issued by a trusted public certificate authority.

  • Verify that you are running System Center 2012 R2 Configuration Manager SP1 with cumulative update 1 or later.

  • Configure an account (local or domain admin) with permissions to run the following Exchange Server cmdlets:

    Clear-ActiveSyncDevice

    Get-ActiveSyncDevice

    Get-ActiveSyncDeviceAccessRule

    Get-ActiveSyncDeviceStatistics

    Get-ActiveSyncMailboxPolicy

    Get-ActiveSyncOrganizationSettings

    Get-ExchangeServer

    Get-Recipient

    Set-ADServerSettings

    Set-ActiveSyncDeviceAccessRule

    Set-ActiveSyncMailboxPolicy

    Set-CASMailbox

    New-ActiveSyncDeviceAccessRule

    New-ActiveSyncMailboxPolicy

    Remove-ActiveSyncDevice
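The connector account does not have to be a domain admin: Exchange RBAC lets you verify that a dedicated service account can run exactly the cmdlets listed above and nothing more. The following script is an added example, not part of the original page or of Configuration Manager; it assumes you run it from the Exchange Management Shell (or a remote PowerShell session to the on-premises Exchange server) as an administrator, and `CONTOSO\svc-easconnector` is a hypothetical account name.

```powershell
# Added example (not from the original page): check whether a candidate connector
# account is granted every cmdlet the Exchange Server connector needs, and show
# which RBAC roles grant each one, so the connector can use a least-privilege
# account instead of a local or domain admin.
# Assumptions: run in the Exchange Management Shell or a remote Exchange session
# with permission to read RBAC configuration; $ConnectorAccount is hypothetical.

$ConnectorAccount = 'CONTOSO\svc-easconnector'

# The cmdlet list the page says the connector account must be able to run.
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice', 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncOrganizationSettings', 'Get-ExchangeServer', 'Get-Recipient',
    'Set-ADServerSettings', 'Set-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncMailboxPolicy',
    'Set-CASMailbox', 'New-ActiveSyncDeviceAccessRule', 'New-ActiveSyncMailboxPolicy',
    'Remove-ActiveSyncDevice'
)

# Roles assigned to the account, directly or through role group membership.
# Delegating assignments only allow managing other assignments, so exclude them.
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $ConnectorAccount -Delegating $false |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

$results = foreach ($cmdlet in $RequiredCmdlets) {
    # Every management role in the organization that contains this cmdlet.
    $grantingRoles = Get-ManagementRole -Cmdlet $cmdlet | ForEach-Object { $_.Name }
    $held = @($grantingRoles | Where-Object { $assignedRoles -contains $_ })
    [pscustomobject]@{
        Cmdlet        = $cmdlet
        Granted       = ($held.Count -gt 0)
        GrantedVia    = ($held -join ', ')
        GrantingRoles = ($grantingRoles -join ', ')
    }
}

$results | Format-Table Cmdlet, Granted, GrantedVia -AutoSize

$missing = @($results | Where-Object { -not $_.Granted })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} cannot run: {1}" -f $ConnectorAccount, ($missing.Cmdlet -join ', '))
    Write-Warning "Add the account to a role group that contains one of the GrantingRoles listed above."
} else {
    Write-Output "$ConnectorAccount is granted all cmdlets required by the Exchange Server connector."
}
```

Run it again after changing role group membership; RBAC changes take effect on the account's next session. If the `GrantingRoles` column shows only broad built-in roles, a custom role scoped to these cmdlets is the least-privilege option, but the page's minimum requirement remains that the account can run the listed cmdlets.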

Deployment steps

Follow these steps to deploy the Exchange Online solution:

Step 1: Create compliance policies and deploy them to users.

Compliance policies define the rules and settings a device must meet in order to be considered compliant by conditional access policies. Follow the steps at Compliance Policies in Configuration Manager to create compliance policies.

If you want the ability to remove all corporate email from an iOS device after it is no longer part of your company, you must create and deploy an email profile and then set the compliance policy that specifies that email profiles are managed by Intune. You must deploy the email profile to the same set of users that you target with this compliance policy.

Screenshot: the Rules page of the Create Compliance Policy Wizard, where you specify that the email profile must be managed by Intune

If you specify this compliance policy, a user who has already set up their email account must manually remove it; Intune then adds it back through the registration process described in End-user experience of conditional access.

After the compliance policy is created, select the compliance policy name in the list and click Deploy.

Step 2: Configure the conditional access policy.

First, decide how and when you want to enforce conditional access and which employees will be affected. Then, follow the steps at Conditional Access for Exchange Email in Configuration Manager to enable the conditional access policy for Exchange Online.

Note

The conditional access policy must be configured in the Intune console. These steps begin by accessing the Intune console through Configuration Manager. If prompted, sign in with the same credentials that were used to set up the connector between Configuration Manager and Intune.

Step 3: (Optional) Install and configure an Exchange Server connector.

Configuration Manager supports only one connector per Exchange organization.

Important

Before you install the Exchange Server connector, confirm that Configuration Manager supports the version of Microsoft Exchange that you are using. For more information, see Supported Configurations for Configuration Manager.

Follow the steps at How to Manage Mobile Devices by Using Configuration Manager and Exchange to install and configure the Exchange Server connector.

Verification steps

If you configured the optional Exchange Server connector for this solution, you can use the Configuration Manager Trace Log Tool to open the EasDisc.log file (located in the Microsoft Configuration Manager\Logs folder where you installed Configuration Manager). Search the log file for "Exchange Connector" to find information about whether the Exchange Connector is running and how many devices are connected.

Screenshot: the EasDisc log file open in the Configuration Manager Trace Log Tool

The Configuration Manager Trace Log Tool is included in the System Center 2012 R2 Configuration Manager Toolkit.
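The same check can be scripted for a site you monitor remotely or on a schedule, without installing the Toolkit. The script below is an added example, not code from the original page or from the Configuration Manager Toolkit; it parses the standard CMTrace log line format that Configuration Manager components write, keeps the entries that mention "Exchange Connector", and flags warnings and errors. The three sample log lines are constructed for the demonstration and do not reproduce the connector's real messages; the default log path is an assumption.

```powershell
# Added example (not from the original page): parse EasDisc.log in CMTrace
# format and report the "Exchange Connector" entries, surfacing errors.
# CMTrace line format (one entry per line):
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# where type 1 = informational, 2 = warning, 3 = error.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
        if ($Line -match $pattern) {
            # Strip the UTC-offset suffix from the time field (e.g. "+480").
            $clock = ($Matches['time'] -split '[+-]')[0]
            $severity = switch ($Matches['type']) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact("$($Matches['date']) $clock", 'MM-dd-yyyy HH:mm:ss.fff', $null)
                Component = $Matches['comp']
                Severity  = $severity
                Message   = $Matches['msg']
            }
        }
        # Lines that do not match (continuation text, truncated writes) are skipped.
    }
}

function Get-ExchangeConnectorStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @($Lines | ConvertFrom-CMTraceLog | Where-Object { $_.Message -like '*Exchange Connector*' })
    [pscustomobject]@{
        Entries   = $entries
        Errors    = @($entries | Where-Object { $_.Severity -eq 'Error' })
        LastEntry = $entries | Select-Object -Last 1
    }
}

# Constructed sample entries (hypothetical message text, real CMTrace framing).
$sampleLog = @(
    '<![LOG[Exchange Connector: starting discovery cycle.]LOG]!><time="08:00:01.120+480" date="03-10-2016" component="EasDisc" context="" type="1" thread="4120" file="easdisc.cpp:112">',
    '<![LOG[Exchange Connector: discovered 42 devices.]LOG]!><time="08:00:09.552+480" date="03-10-2016" component="EasDisc" context="" type="1" thread="4120" file="easdisc.cpp:240">',
    '<![LOG[Exchange Connector: failed to connect to the Exchange server (access denied).]LOG]!><time="08:30:02.001+480" date="03-10-2016" component="EasDisc" context="" type="3" thread="4120" file="easdisc.cpp:301">'
)

# Use the real log on a site server (assumed default install path):
# $status = Get-ExchangeConnectorStatus -Lines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\EasDisc.log')
$status = Get-ExchangeConnectorStatus -Lines $sampleLog

$status.Entries | Format-Table Timestamp, Severity, Message -AutoSize
if ($status.Errors.Count -gt 0) {
    Write-Warning ("Exchange Connector reported {0} error(s); last: {1}" -f $status.Errors.Count, $status.Errors[-1].Message)
} elseif ($null -eq $status.LastEntry) {
    Write-Warning 'No "Exchange Connector" entries found; the connector may not be installed or running.'
} else {
    Write-Output ("Exchange Connector last logged at {0}: {1}" -f $status.LastEntry.Timestamp, $status.LastEntry.Message)
}
```

Because type 3 entries are errors, an empty `Errors` collection together with a recent `LastEntry` is the scripted equivalent of the "running and connected" check the Trace Log Tool gives you visually; a stale `LastEntry` timestamp is worth treating as a failure too, since a connector that has stopped discovering devices writes nothing new.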

Reporting

If you configured the optional Exchange Server connector, you can use the Configuration Manager console to view specific information about devices that have been discovered by the Exchange Connector. For devices on which conditional access is enforced, you can view the current status of each device, the last time the device connected to the Exchange server, and so on.

In the Configuration Manager console, click Assets and Compliance and then click Devices. You can view the current status of each device (Quarantined or Allowed) in the Exchange Access State column. If the column is not already shown, add it by right-clicking in the column title bar area. You can also view the last successful synchronization time for each device, as reported by Exchange, by adding the Last Success Sync Time To Exchange Server column.

Screenshot: the device list in the Configuration Manager console

If you are running SQL Server Reporting Services (SSRS), you can view a conditional access report that shows the compliance state of devices, whether an Exchange connector is installed and running, and the EAS access state. It also provides information about Active Directory registration, EAS activation, and the device owner.

Screenshot: an example SQL Server Reporting Services report

To view SSRS reports, a reporting services point role must be installed on the primary site server:

  1. In the Configuration Manager console, click Administration > Hierarchy Configuration > Site Configuration > Servers and Site System Roles.

  2. Select a server and click Add Site System Role to open the Add Site System Role wizard.

  3. On the System Role Selection page, select the Reporting services point checkbox. The reporting services point displays reports related to client management.

  4. Click Next.

The following shows the deployment status of the configuration policy:

Screenshot: deployment status of the configuration policy

Latency

Devices that use modern authentication have conditional access applied immediately. For devices connecting through the EAS protocol, there can be a lag of up to six hours before conditional access is enforced, based on the default setting. During that window, a device that is not compliant can still be treated as compliant.

Where to go from here

After you have deployed a solution for protecting corporate email and email data on mobile devices, you can learn more about the end-user experience of conditional access. This will help prepare you for issues that might arise when end users enroll their specific devices.