Email management options

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

The main reason for implementing a mobile device management solution is usually to provide managed access to corporate email from mobile devices. For example, in MDM for Office 365, you can create a security policy that provides basic managed access to email mailboxes hosted in Exchange Online or access through Office apps (on iOS and Android). This policy enforces basic mobile device compliance settings, such as requiring a device password and device encryption, before the device is allowed to connect to a user mailbox.

You follow a similar process to configure email management options in Intune and in hybrid Intune and ConfigMgr deployments. The primary difference is that you can implement more advanced email management options than you can in MDM for Office 365. For example, using Intune standalone, you can configure conditional email access to allow access to mailboxes hosted on both Exchange Online and Exchange on-premises, as well as configure customized email profiles. Intune enables these features by using configuration and compliance policies. Hybrid Intune and ConfigMgr deployments also support conditional email access, but only for mailboxes hosted on Exchange Online.

In the scenario shown below in Figure 6, the user has enrolled their device in Intune and is now trying to access their corporate email using Office 365 or Exchange on-premises. Based on the settings defined by the IT administrator at their company, Intune runs a policy verification process. In this scenario, the user's access is granted if the device is encrypted, a passcode is set, and the device isn't jailbroken or rooted. If a user tries to access corporate email and their device is not enrolled, or is not compliant based upon settings defined by the IT admin, the user will receive an email explaining why their access has been blocked along with steps for how to resolve the issue.

Conditional access
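
The access decision described above, modelled as an added example (not Microsoft's code and not an Intune API): it first checks whether the chosen solution can gate the mailbox's host at all, as this guide describes, then applies the enrollment, encryption, passcode and jailbreak/root checks. The solution keys, field names and sample inventory are assumptions constructed for illustration.

```python
# Added illustration: models the access decision described in this section.
# All names and the sample inventory are constructed, not Intune APIs.
from dataclasses import dataclass

# Mailbox hosts each solution can gate with conditional access, per this guide.
SUPPORTED_HOSTS = {
    "intune_standalone": {"exchange_online", "exchange_onprem"},
    "hybrid_configmgr": {"exchange_online"},
    "mdm_office365": {"exchange_online"},
}

@dataclass
class Device:
    name: str
    enrolled: bool
    encrypted: bool
    passcode_set: bool
    jailbroken_or_rooted: bool
    mailbox_host: str

def evaluate(device, solution):
    """Return (decision, reasons) for one device under one MDM solution."""
    if device.mailbox_host not in SUPPORTED_HOSTS[solution]:
        # The policy cannot gate this mailbox at all: a coverage gap to plan for.
        return "unmanaged", [f"{solution} does not cover {device.mailbox_host}"]
    if not device.enrolled:
        return "blocked", ["device is not enrolled"]
    reasons = []
    if not device.encrypted:
        reasons.append("device is not encrypted")
    if not device.passcode_set:
        reasons.append("no passcode is set")
    if device.jailbroken_or_rooted:
        reasons.append("device is jailbroken or rooted")
    return ("blocked", reasons) if reasons else ("granted", [])

def report(devices, solution):
    """Map device name -> (decision, reasons); reasons feed the user notice."""
    return {d.name: evaluate(d, solution) for d in devices}

# Constructed sample inventory.
INVENTORY = [
    Device("ios-01", True, True, True, False, "exchange_online"),
    Device("android-02", True, False, True, True, "exchange_online"),
    Device("win-03", False, True, True, False, "exchange_online"),
    Device("ios-04", True, True, True, False, "exchange_onprem"),
]
```

Running `report(INVENTORY, "hybrid_configmgr")` flags `ios-04` as unmanaged because its mailbox is on-premises, while the same device is granted access under `intune_standalone`.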

Your answers to the questions in Step 1 can help you determine how you want devices to be managed in the mobile device management solution. The lists below outline the advantages and disadvantages of email management for each MDM solution.

Intune (standalone)

Advantages

  • Supports email management for all major mobile device operating systems (Android, iOS, Windows 10, Windows 8.x, and Windows Phone)
  • Can leverage native mobile device email applications via integration with Exchange ActiveSync
  • Integration with Exchange Online via the Service-to-Service connector to allow cross-platform monitoring and reporting between Intune and Office 365
  • Supports configuration of email profiles for managing Exchange ActiveSync-based settings on mobile devices
  • Conditional email access to resources

Disadvantages

  • Email profiles aren't supported for Android-based mobile devices

MDM for Office 365

Advantages

  • Allows Exchange ActiveSync support for password, encryption, and rooted-device compliance
  • Allows enforcing device management policies and requiring device enrollment before access is granted to Office and OneDrive for Business apps (iOS and Android)
  • Conditional email access to resources

Disadvantages

  • Some advanced email management options aren't supported
  • Deploying email profiles isn't supported (except iOS)

Hybrid (Intune with ConfigMgr)

Advantages

  • Intune On-premises Connector for hybrid connectivity with Exchange Online
  • Integration with Exchange ActiveSync (most strict policy setting is enforced)
  • Email profiles
  • Conditional access to restrict email access to Exchange Online
  • Compliance policies to define the rules and settings the device must comply with in order to be allowed access to the services
  • Conditional access policies for each service that define rules for security groups, Intune groups, or how unenrolled devices are managed

Disadvantages

  • Managed access to email is only available for mailboxes hosted on Exchange Online, not mailboxes hosted on Exchange on-premises
  • The service-to-service connector should not be configured if you enable conditional access for both Exchange Online and Exchange on-premises

Explore the details about mobile device email configuration management options by reviewing the following: