Deploy Exchange on-premises with Intune

Now that you've read through the architecture guidance for protecting company email and documents, you are ready to proceed with deploying a solution.

For Intune to directly manage mobile devices, users will need to enroll their devices into Intune.

Deployment Steps

Follow these steps to deploy the Exchange on-premises with Intune solution:

Step 1: Install and configure the Microsoft Intune on-premises Exchange Server connector.

For mobile devices that users have not enrolled, you can enable Exchange ActiveSync management using the Exchange connector. The Exchange connector connects Intune with your Exchange deployment and lets you manage mobile devices through the Intune console.

Follow the steps at Configure Microsoft Intune on-premises connector for on-premises or hosted Exchange to download, install, and configure the Microsoft Intune Exchange Connector.

Important

You can only set up one Exchange connection per Intune account. If you try to configure an additional connection, it will replace the original connection with the new one.

Step 2: Create compliance policies and deploy them to users.

Compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. Follow the steps at Create a compliance policy in Microsoft Intune to create and deploy compliance policies.

If you want the ability to remove all corporate email from an iOS device after it is no longer part of your company, you must create and deploy an email profile and then set the compliance policy that specifies that email profiles are managed by Intune. You must deploy the email profile to the same set of users that you target with this compliance policy.

Screenshot showing the "Email Profiles" section on the General tab of the Intune Create Policy wizard, where you can specify that an email profile must be managed by Intune.

If you specify this compliance policy, a user who has already set up their email account must manually remove it, and then Intune will add it back in through the registration process described in End-user experience of conditional access.

Important

If you have not deployed a compliance policy and then enable an Exchange conditional access policy, all targeted devices will be allowed access.

Step 3: Identify users who will be impacted by the conditional access policy.

After the Exchange Server connector is successfully configured, it begins to inventory devices that are not yet enrolled in Intune but are connecting to your organization's Exchange resources using Exchange ActiveSync.

Follow the instructions at Evaluate the effect of the conditional access policy to identify the users who will be impacted by the conditional access policy.

Step 4: Configure user groups for the conditional access policy.

You target conditional access policies to different groups of users depending on the policy type. These groups contain the users that will be targeted by, or exempt from, the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.

For more information, see Configure user groups for the conditional access policy.

Step 5: Configure the conditional access policy.

The following flow is used by conditional access policies for an Exchange on-premises environment to evaluate whether to allow or block devices.

Flowchart showing how the conditional access policy for on-premises Exchange Server evaluates whether to allow or block devices.

Follow the information provided under Configure a conditional access policy to set up your conditional access policy.
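The rules stated in Steps 2, 4 and 5 can be checked against a small model before the policy goes live. The following is an added example written for this article, not Intune's own evaluation code: it models a user as targeted, exempt, or untargeted, applies the compliance requirement per device, and flags the pitfall from the note above (conditional access enabled but no compliance policy reaching a targeted user, so every device of that user is allowed). All group and user names are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical model of the evaluation rules described on this page; not Intune's code.

@dataclass(frozen=True)
class Device:
    name: str
    compliant: bool          # result of the Intune compliance policy evaluation

@dataclass
class Tenant:
    user_groups: dict        # user -> set of group names (constructed sample data)
    compliance_groups: set   # groups a compliance policy has been deployed to
    ca_enabled: bool         # Exchange conditional access policy enabled
    ca_targeted: set         # groups targeted by the conditional access policy
    ca_exempt: set           # groups exempt from the conditional access policy

def is_targeted(t: Tenant, user: str) -> bool:
    """Exempt groups win over targeted groups; everyone else is targeted only via membership."""
    groups = t.user_groups.get(user, set())
    if groups & t.ca_exempt:
        return False
    return bool(groups & t.ca_targeted)

def has_compliance_policy(t: Tenant, user: str) -> bool:
    return bool(t.user_groups.get(user, set()) & t.compliance_groups)

def evaluate(t: Tenant, user: str, device: Device) -> str:
    """Return 'allow' or 'block' for one user/device pair."""
    if not t.ca_enabled or not is_targeted(t, user):
        return "allow"
    # Pitfall from the page: CA enabled with no compliance policy deployed -> all targeted devices allowed.
    if not has_compliance_policy(t, user):
        return "allow"
    return "allow" if device.compliant else "block"

def users_without_compliance_policy(t: Tenant) -> list:
    """Targeted users whose devices can never be blocked because no compliance policy reaches them."""
    return sorted(u for u in t.user_groups
                  if is_targeted(t, u) and not has_compliance_policy(t, u))

# Constructed sample tenant: contractors are targeted but no compliance policy was deployed to them.
SAMPLE = Tenant(
    user_groups={"alice": {"Sales"}, "bob": {"Contractors"}, "carol": {"Sales", "Executives"}},
    compliance_groups={"Sales"},
    ca_enabled=True,
    ca_targeted={"Sales", "Contractors"},
    ca_exempt={"Executives"},
)
```

Run `users_without_compliance_policy(SAMPLE)` before enabling the policy; any name it returns is a targeted user whose devices will all be allowed until a compliance policy is deployed to their group.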

Reporting

Monitor the compliance and conditional access policies

To view devices that are blocked from Exchange:

On the Intune dashboard, click the Blocked Devices from Exchange tile to show the number of blocked devices and links to more information.

Screenshot showing the "Blocked Devices from Exchange" tile on the Intune dashboard.

Where to go from here

After you have deployed a solution for protecting corporate email and email data on mobile devices, you can learn more about the end-user experience of conditional access. This will help prepare you for issues that might arise when end users enroll their specific devices.