Deploy Exchange Online with Intune

Now that you've read through the architecture guidance for protecting company email and documents, you are ready to proceed with deploying a solution.

For Intune to directly manage mobile devices, users need to enroll devices into Intune.

Deployment Steps

Follow these steps to deploy the Exchange Online with Intune solution:

Step 1: Create compliance policies and deploy to users.

Compliance policies define the rules and settings that a device must comply with in order to be considered compliant by conditional access policies. Follow the steps at Create a compliance policy in Microsoft Intune to create and deploy compliance policies.

If you want the ability to remove all corporate email from an iOS device after it is no longer part of your company, you must create and deploy an email profile and then set the compliance policy that specifies that email profiles are managed by Intune. You must deploy the email profile to the same set of users that you target with this compliance policy.

Screenshot of the Email Profile section on the General tab of the Intune Create Policy wizard, where you can specify that email profiles must be managed by Intune.

If you specify this compliance policy, a user who has already set up their email account must manually remove it. Intune then adds it back through the registration process described in End-user experience of conditional access.

Important

If you enable an Exchange conditional access policy without having deployed a compliance policy, all targeted devices will be allowed access.

Step 2: Evaluate the effect of the conditional access policy.

If you have configured a connection between Intune and Exchange by using the Microsoft Intune service to service connector, you can use the Mobile Device Inventory Reports to identify EAS mail clients that will be blocked from accessing Exchange after you configure the conditional access policy.

Follow the instructions at Evaluate the effect of the conditional access policy to identify the users who will be affected by the conditional access policy.

Step 3: Configure user groups for the conditional access policy.

You target conditional access policies to different groups of users depending on the policy types. These groups contain the users that will be targeted by, or exempt from, the policy. When a user is targeted by a policy, each device they use must be compliant in order to access email.

For more information, see Configure user groups for the conditional access policy.

Step 4: Configure conditional access policy.

The following flow is used by conditional access policies for Exchange Online to evaluate whether to allow or block devices.

Flowchart showing how conditional access policies for Exchange Online evaluate whether to allow or block devices.

Follow the information provided under Configure the conditional access policy to set up your conditional access policy.
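As an added illustration (not part of the original documentation and not Intune's own tooling), the following sketch audits exported group memberships before the policy in step 4 is enabled. It flags enforced users with no compliance policy and compliance-policy users with no email profile. The user names and function names are constructed; it assumes that exempt membership overrides targeted membership and that the Important note above applies per user.

```python
# Constructed sample data: stand-ins for group memberships exported from
# the tenant. None of these names come from the original page.
TARGETED = {"alice", "bob", "carol", "dave"}     # conditional access targeted group
EXEMPT = {"dave"}                                # conditional access exempt group
COMPLIANCE_ASSIGNED = {"alice", "bob", "erin"}   # users who receive the compliance policy
EMAIL_PROFILE_ASSIGNED = {"alice", "erin"}       # users who receive the email profile


def audit_scopes(targeted, exempt, compliance_assigned, email_profile_assigned,
                 requires_managed_email_profile=True):
    """Compare rollout scopes and return the gaps as sorted lists."""
    targeted, exempt = set(targeted), set(exempt)
    compliance_assigned = set(compliance_assigned)
    email_profile_assigned = set(email_profile_assigned)

    # Assumption: a user in both groups is treated as exempt.
    enforced = targeted - exempt
    findings = {
        # Enforced by conditional access but no compliance policy deployed:
        # per the Important note, these devices would be allowed access.
        "no_compliance_policy": sorted(enforced - compliance_assigned),
        # Informational: conflicting membership that deserves a review.
        "exempt_and_targeted": sorted(targeted & exempt),
        "missing_email_profile": [],
        "email_profile_without_policy": [],
    }
    if requires_managed_email_profile:
        # The email profile must reach the same users as the compliance policy.
        findings["missing_email_profile"] = sorted(
            compliance_assigned - email_profile_assigned)
        findings["email_profile_without_policy"] = sorted(
            email_profile_assigned - compliance_assigned)
    return findings


def ready_to_enable(findings):
    """True when no gap would weaken or break enforcement."""
    return not (findings["no_compliance_policy"]
                or findings["missing_email_profile"])


if __name__ == "__main__":
    result = audit_scopes(TARGETED, EXEMPT, COMPLIANCE_ASSIGNED,
                          EMAIL_PROFILE_ASSIGNED)
    for name, users in result.items():
        print(f"{name}: {users}")
    print("ready to enable:", ready_to_enable(result))
```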

Reporting

Monitor the compliance and conditional access policies

To view devices that are blocked from Exchange:

On the Intune dashboard, click the Blocked Devices from Exchange tile to show the number of blocked devices and links to more information.

Screenshot showing the "Blocked Devices from Exchange" tile on the Intune dashboard.

Where to go from here

After you have deployed a solution for protecting corporate email and email data on mobile devices, you can learn more about the end-user experience of conditional access. This will help prepare you for issues that might arise when end users enroll their specific devices.