Implementing your solution for protecting email and attachments

This article helps you prepare for and then implement a solution for protecting company email content and attachments.

What you should consider when planning your implementation:

  • Device platform support: You must also consider whether you want to allow email access on platforms that are not supported by Intune. Intune mobile device management supports the following operating systems:

    • Apple iOS 7.1 and later (previously enrolled iOS 6.0 and 7.0 devices remain enrolled, but new devices cannot enroll)

    • Google Android 2.3.4 and later (includes Samsung KNOX)

    • Windows Phone 8.0 and later

    • Windows RT and later

    • Windows 8.1 computers and later

  • Type of email apps: The EMS solution currently supports clients that use the EAS protocol, and the Outlook apps (previously Acompli on iOS and Android).

  • Policies: The EMS solution and its components have several policies through which security and access are managed. Determine which policies your IT admin needs to configure. The three key policies to research and plan for when securing access to email and email data are:

    • Device Compliance Policies: Determine what compliance means for your company. Intune includes several rules that you can set, but not all of those rules will necessarily apply to your company. You can change policies at any time, but it is good practice to determine a basic set of policies for your company. Compliance policies are targeted at Intune user groups and device groups.

    • Conditional Access Policies: Conditional access policies are targeted at Azure AD security groups. Determine which users will be targeted by the policies and whether there are users who need to be exempt. Conditional access is supported by both the cloud-based solution and the hybrid implementation.

    • Mobile Application Management: Determine which apps should be managed and the MAM policies you need to apply to those apps.

  • Device management considerations: Select the device management option that best meets your organization's requirements before you implement the solution. There are two options:

    • Unify System Center Configuration Manager with Microsoft Intune to manage all devices through a single console. This is called the hybrid implementation. Advantages of this approach:

      • Single management console with rich rights-management controls to manage both on-premises PCs and mobile devices

      • Rich targeting and deployment capabilities

      • High scale for very large enterprises

    • Manage mobile devices through Microsoft Intune, separately from the on-premises devices that are managed with System Center Configuration Manager. This is called the Intune stand-alone implementation. Advantages of this approach:

      • Simple web-based console tailored specifically for mobile device management

      • Rapid access to the latest features

    While migration is always possible, we strongly recommend that you make this decision before implementing, since it will influence many of the decisions you make during the roll-out.

  • Your Exchange environment:

    • Deployment of Exchange connectors, and how they connect when network load balancers are implemented.

    • Exchange Online: is it multi-tenant or dedicated? If it is dedicated, find out which architecture your tenant is on. This determines whether Azure AD-based conditional access can be used, or whether an on-premises connector is required.

  • Azure AD synchronization and Active Directory Federation Services (ADFS), or another third-party federation service:

    • Conditional access is designed to work for customers who have federated their identity service to ADFS. Client access rules will generally still apply, but full testing is recommended. Requirements for directory synchronization and ADFS are no different from those for Office 365.

    • Third-party federation services such as Ping should also work. Testing before implementation is recommended.

On-premises implementation

If you have an existing implementation of System Center Configuration Manager, Active Directory and/or Exchange Server, you can extend the existing infrastructure by integrating it with Intune, Azure AD and Office 365. Using this hybrid implementation, you can provide a consistent management experience across devices on-premises and in the cloud. Intune and Configuration Manager offer a similar set of capabilities for restricting email access based on device state.

For Exchange Online Dedicated implementations, whether you can take advantage of the cloud-based solution described previously or the hybrid implementation depends on what your current implementation looks like. Talk to your account team to determine what your implementation will involve.

Operations and Incident Response

Once you have implemented the solution, you need to manage the environment and identify potential security risks. Both Intune and Azure AD have monitoring and reporting capabilities that help you monitor for, and respond quickly to, security incidents.

Here are some of the reporting capabilities:

  • Intune reports and alerts help you monitor the status and health of devices managed by Intune.

  • Azure AD has auditing and activity logging. You can monitor events such as password changes and user management. Azure Active Directory Premium includes advanced anomaly security reports and alerts. These alerts are based on detailed machine-learning reports that show sign-in activity, inconsistent access patterns, and potential threat areas.
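To make the "inconsistent access patterns" idea concrete, here is an added example (not Microsoft's code and not the Azure AD report logic itself) that flags consecutive sign-ins by the same user whose implied travel speed is physically implausible. The record field names and the sample sign-ins are constructed for this illustration and are not the real Azure AD sign-in log schema.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in records (illustrative, not real log data).
SIGN_INS = [
    {"user": "alice@contoso.example", "time": "2015-06-01T08:00:00",
     "lat": 47.6, "lon": -122.3, "client": "Outlook"},
    {"user": "alice@contoso.example", "time": "2015-06-01T08:40:00",
     "lat": 52.5, "lon": 13.4, "client": "EAS"},
    {"user": "bob@contoso.example", "time": "2015-06-01T09:00:00",
     "lat": 47.6, "lon": -122.3, "client": "EAS"},
    {"user": "bob@contoso.example", "time": "2015-06-01T18:00:00",
     "lat": 47.6, "lon": -122.4, "client": "Outlook"},
]

# Anything faster than a long-haul flight is treated as an inconsistent pattern.
MAX_SPEED_KMH = 900.0


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_inconsistent_sign_ins(records, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier_time, later_time, implied_speed_kmh) for each pair of
    consecutive sign-ins by one user that would require travelling faster than
    max_speed_kmh. Same-timestamp sign-ins from different places are flagged too."""
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["user"], []).append(rec)
    flagged = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for prev, cur in zip(recs, recs[1:]):
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = distance_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_speed_kmh:
                flagged.append((user, prev["time"], cur["time"], round(speed)))
    return flagged


if __name__ == "__main__":
    for hit in find_inconsistent_sign_ins(SIGN_INS):
        print("inconsistent access pattern:", hit)
```

In a real deployment the records would come from the Azure AD sign-in reports and a hit would be triaged alongside the device compliance and conditional access state described above, rather than acted on in isolation.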

Where to go from here

For step-by-step instructions on how to deploy a solution for protecting company email content and attachments, see one of the following topics, depending on your specific environment: