Learn how to deploy a solution for protecting company email and documents

Increasingly, companies let employees raise their productivity by accessing email, documents, and company resources from their mobile devices. However, the volume of confidential data held in corporate email and documents makes that access a significant security risk for the company.

This guide is intended for you, the IT professional, to help you determine and then deploy the best solution for your company to enforce conditional access in one of the configurations described below. It lets employees use their mobile devices to access corporate email while still protecting your company's data.

This section discusses how to deploy a solution for protecting company email and documents. For details about the architecture of these solutions, see Architecture guidance for protecting company email and documents.


Protecting your company's data is vitally important, and it is an increasingly challenging task as more employees use their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data stays protected even when those mobile devices are outside the company's physical premises.

Microsoft Enterprise Mobility + Security (EMS) addresses this challenge by delivering comprehensive protection of corporate email and documents across four layers: identity, device, application, and data. Among other capabilities, EMS ensures that employees can access corporate email only from devices that are managed by Microsoft Intune and compliant with IT policies.

Protecting corporate email involves two main objectives:

  • Allow only compliant devices to access your company's email: An important step in protecting corporate data is blocking access from devices that do not use a strong password, are jailbroken, or are not encrypted. Microsoft Intune lets you set conditions that your users' devices must meet before they can access company resources. This is known as conditional access.

  • Protect the content in email and attachments: Conditional access ensures that only compliant devices can reach email, but the content of the email and its attachments still needs protection once it has arrived. Content can be copied, moved, saved to a different location, or shared with another user. EMS addresses this with mobile application management policies.

    Managed apps are apps to which mobile application management policies have been applied, making them compliant with your company's security requirements. With these apps you have direct control over deployment, ongoing management such as inventory and updates, and selective wipe of the apps and their associated data. Additionally, through a set of mobile application management (MAM) policies, Intune lets you modify the functionality of apps and restrict the sharing of data. For more details on how this solution works, including architecture details, see Protect corporate email and documents.


    You can create and deploy an email profile, then set a compliance policy that requires email profiles to be managed by Intune (recommended). This gives you the ability to wipe email from retired devices, and on iOS it ensures that attachments can only be opened in applications managed by Intune. See Step 5: Create compliance policies and deploy to users for more information.
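As an added example that is not part of the original article and is not Microsoft's own sample code, the following PowerShell creates an iOS device compliance policy through the Microsoft Graph API that encodes the conditions described above: a strong passcode, no jailbreak, and an Intune-managed email profile, with a "block" action and no grace period so that a device that drifts out of compliance loses access immediately. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account holds DeviceManagementConfiguration.ReadWrite.All; the property names are taken from the Graph iosCompliancePolicy resource and should be checked against the current API reference, and the policy name and group id are placeholders.

```powershell
# Added example: create and assign an Intune iOS compliance policy via Microsoft Graph.
# Assumes: Install-Module Microsoft.Graph.Authentication has been run, and the caller
# has DeviceManagementConfiguration.ReadWrite.All. Property names follow the Graph
# iosCompliancePolicy schema; verify them against the API reference for your tenant.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$policy = @{
    "@odata.type"   = "#microsoft.graph.iosCompliancePolicy"
    displayName     = "iOS - Corporate email baseline"        # placeholder name
    description     = "Strong passcode, no jailbreak, Intune-managed email profile"

    # Objective 1: only compliant devices (strong passcode, not jailbroken)
    passcodeRequired                      = $true
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true

    # Objective 2: the email profile must be Intune-managed, so on iOS attachments
    # open only in managed apps and mail can be wiped when the device is retired
    managedEmailProfileRequired = $true

    # Graph requires at least one scheduled action. "block" with gracePeriodHours = 0
    # marks the device noncompliant at once, which is what revokes email access.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created compliance policy $($created.id)"

# Assign the policy to the group whose members must meet it. Placeholder group id.
$groupId = "00000000-0000-0000-0000-000000000000"
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

The compliance policy only decides whether a device is marked compliant; the access block itself comes from the conditional access policy that requires a compliant device before Exchange will serve mail. Without that second policy a noncompliant device is merely flagged, not cut off.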

Solutions covered in this article

This section provides a high-level overview of each solution: Configuration Manager integrated with Intune, Intune by itself, mobile application management, and Azure Information Protection.

  • Manage access to email using conditional access: You can use Configuration Manager integrated with Intune (hybrid), or Intune by itself, together with Exchange Online or on-premises Exchange Server, to manage and enforce conditional access on all types of PCs and mobile devices, regardless of their location. Enforcing conditional access in this type of environment lets users be more productive while keeping company data secure.

  • Protect email attachments and data using the MAM solution: You can enforce mobile application management (MAM) policies in Intune to modify the functionality of the apps you deploy in your company. For example, you can restrict cut, copy, and paste within a managed app, or configure an app to open all web links inside a managed browser. This keeps these apps in line with your company's compliance and security policies.

  • Azure Information Protection for data loss prevention policies: Azure Information Protection (formerly Azure RMS) uses encryption, identity, and authorization policies to help secure your files and email across multiple devices, such as phones, tablets, and PCs. Information is protected both inside and outside your company because the protection travels with the data, even when it leaves your company's boundaries.
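As an added example that is not part of the original article and is not Microsoft's own sample code, the following PowerShell creates the kind of MAM app protection policy described in the second bullet above: clipboard sharing and Save As are restricted to managed apps and corporate storage, web links must open in a managed browser, and Outlook for iOS is targeted. It assumes the Microsoft.Graph.Authentication module and DeviceManagementApps.ReadWrite.All; the property names come from the Graph iosManagedAppProtection resource and should be checked against the current API reference, and the policy name is a placeholder.

```powershell
# Added example: create an Intune iOS app protection (MAM) policy via Microsoft Graph
# and target it at Outlook for iOS. Assumes Microsoft.Graph.Authentication is installed
# and the caller has DeviceManagementApps.ReadWrite.All. Property names follow the Graph
# iosManagedAppProtection schema; verify them against the API reference for your tenant.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$appPolicy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS - Outlook data protection"            # placeholder name
    description   = "Keep mail and attachments inside managed apps"

    # Data relocation: data may only flow between managed apps, never to personal apps.
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    # Copy out of the app only to other managed apps; paste in from anywhere is allowed,
    # which avoids breaking users pasting a URL into a mail while still blocking exfiltration.
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    # When Save As is allowed at all, only corporate storage counts (no personal cloud).
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    managedBrowserToOpenLinksRequired       = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true

    # Access requirements: app PIN, periodic re-check with the service, offline wipe.
    pinRequired                       = $true
    minimumPinLength                  = 6
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P90D"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($appPolicy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created app protection policy $($created.id)"

# Target the policy at Outlook for iOS (its published bundle id).
$targetApps = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.Office.Outlook"
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

The policy still has to be assigned to a user group before it applies, and it only protects data inside apps that carry the Intune app SDK; an attachment opened in an unmanaged viewer is outside its reach, which is why the compliance policy's managed email profile requirement matters on iOS.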

Evaluating your desired implementation

With all of the different design and configuration options for managing mobile devices, it is difficult to determine which combination best meets your company's needs. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks you can follow to design a solution that best fits your company's business and technology needs.

High-level end-user experience

After the solution is implemented, end users can access company email only on managed, compliant devices. Once they can access email on a device, the company data is protected and contained within the managed app ecosystem and is available only to the intended users. Access can be revoked at any time if the device becomes noncompliant.

Specifically, the conditional access policies set in Intune ensure that devices can access email only while they comply with the compliance policies you set. Actions such as copy and paste or saving to personal cloud storage services can be restricted using mobile application management policies. Azure Information Protection can be used to ensure that sensitive email data, and forwarded attachments, can be read only by the intended recipients. The end-user experience is described in more detail in End-user experience of conditional access.

Where to go from here

Now that you've read through this topic, you can learn more about how to deploy a specific solution for protecting company email and documents, depending on your environment: