Protecting corporate email and documents

Protecting corporate email involves two main objectives:

  • Allow only compliant devices to access your company's email

  • Protect the content in email and attachments

Allow only compliant devices to access your company's email

An important step in protecting corporate data is to block access from devices that don't use a strong password, are jailbroken or rooted, or are not encrypted. Microsoft Intune lets you set conditions that users must meet before they can access company resources. This is known as conditional access.

Conditional access is determined by two types of policies you set in Intune:

Compliance policies determine whether a device is compliant. They evaluate settings and conditions such as:

  • PIN and passwords: Your IT department can create rules that require a password to unlock the device and that set password complexity, password expiration, and other password settings.

  • Encryption: Your IT department can restrict access to devices that are encrypted, so an unencrypted device is blocked.

  • Device is not jailbroken or rooted: Intune can detect whether an enrolled device is jailbroken or rooted, and your IT department can set the policy to block access from such devices.

Conditional access policies are configured for a particular service, such as Exchange Online or SharePoint Online. For each service, you define which groups of users the policy applies to. For example, you can ensure that everyone in the finance department can access company email only from enrolled and compliant devices.

High-level end-user experience

After the solution is implemented, end users can access company email only on managed and compliant devices. Once they can access email on a device, the company data is protected and contained within the app ecosystem, and is available only to the intended users. Access can be revoked at any time if the device becomes noncompliant.

Specifically, the conditional access policies set in Intune ensure that devices can access email only while they comply with the compliance policies you set. Actions such as copy and paste, or saving to personal cloud storage services, can be restricted with mobile application management policies. Azure Information Protection can be used to ensure that sensitive email data, including forwarded attachments, can be read only by the intended recipients. The end-user experience is described in more detail in End-user experience of conditional access.

Watch this four-minute video to see how conditional access affects your end users.

Why architecture matters

The different components of EMS and Office 365 are built for and designed to run in the cloud. This brings all the benefits the cloud offers: scalability, flexibility, and ease of management.

Because different businesses have different requirements, EMS is designed to integrate with existing on-premises infrastructure such as Active Directory, Exchange Server, or System Center Configuration Manager. This lets you use the credentials already established in your network for both on-premises and cloud resources.

The following sections describe the architecture as designed to run in the cloud, and touch briefly on the on-premises option.

Email access flow

Depending on the type of email application you use to access Exchange Online, the path to establishing secured access to email can differ slightly. However, the key components, Azure Active Directory (Azure AD), Office 365/Exchange Online, and Microsoft Intune, are the same, and the IT and end-user experiences are similar. EMS currently supports native email apps and the Microsoft Outlook app for iOS and Android.

Access control flow for native email applications

Exchange ActiveSync (EAS) clients attempting to access email in Exchange Online are evaluated for the following properties:

  • Is the device managed by Intune?

  • Is the device registered with Azure Active Directory?

  • Is the device compliant?

  • Is the client EAS ID mapped to a registered device?

To reach a compliant state, the device on which the EAS client is running needs to satisfy these checks: it must be enrolled in (managed by) Intune, registered with Azure Active Directory, and evaluated as compliant with the compliance policies.

On most platforms, Azure Active Directory device registration happens automatically during enrollment. Intune writes the device state into Azure Active Directory, and Exchange Online reads it the next time the EAS client tries to get email. If the device is not registered, the user receives a message in their inbox with instructions on how to register (also known as enrolling). If the device is not compliant, the user receives a different email that redirects them to the Intune web portal, where they can get more information about the compliance problem and how to remediate it.

Azure AD authenticates the user and the device, Microsoft Intune manages the compliance and conditional access policies, and Exchange Online manages access to email based on the device state.

Access control flow diagram for native email applications on iOS and Android devices

Access control flow for Outlook applications

Similar to the EAS client, the Outlook email app attempting to access mail in Exchange Online is evaluated for the following properties:

  • Is the device managed by Intune?

  • Is the device registered with Azure Active Directory?

  • Is the device compliant?

Device compliance is established in much the same way as described in the EAS client access control flow. However, for the Outlook app, the flow between the components is slightly different. When the Outlook app attempts to get email, it is redirected to Azure AD. Azure AD issues a security token only if the device is evaluated as enrolled and compliant. The security token is then used to get corporate email from Exchange Online. The email sync is actually brokered through the Outlook cloud service, which obtains an EAS service access token on behalf of the user to complete authentication and deliver the email.

Access control flow diagram for the Outlook app
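The following is an added illustrative model of the two flows just described (the EAS flow, where Exchange Online reads the device state Intune wrote to Azure AD, and the Outlook flow, where Azure AD decides at token issuance). It is example code written for this page, not Microsoft's implementation: the compliance policy fields, the device record, the token contents and the message texts are assumptions chosen to mirror the conditions listed above, and the device in the walkthrough is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CompliancePolicy:
    """Assumed shape of a compliance policy: PIN/password, encryption, jailbreak."""
    passcode_required: bool = True
    passcode_min_length: int = 6
    passcode_max_age_days: Optional[int] = 90   # None = passcodes never expire
    require_encryption: bool = True
    block_jailbroken: bool = True


@dataclass
class Device:
    """Assumed device record, as Intune would write it to Azure AD (constructed)."""
    device_id: str
    managed_by_intune: bool = False
    registered_in_aad: bool = False
    passcode_set: bool = False
    passcode_length: int = 0
    passcode_age_days: int = 0
    encrypted: bool = False
    jailbroken: bool = False
    eas_ids: set = field(default_factory=set)   # EAS client IDs mapped at enrollment


@dataclass
class Decision:
    allow: bool
    reason: str
    remediation: Optional[str] = None   # "enroll", "remediate" or None


def evaluate_compliance(dev: Device, policy: CompliancePolicy) -> list:
    """Return the failed conditions; an empty list means the device is compliant."""
    failures = []
    if policy.passcode_required:
        if not dev.passcode_set:
            failures.append("passcode_required")
        elif dev.passcode_length < policy.passcode_min_length:
            failures.append("passcode_too_short")
        elif (policy.passcode_max_age_days is not None
              and dev.passcode_age_days > policy.passcode_max_age_days):
            failures.append("passcode_expired")
    if policy.require_encryption and not dev.encrypted:
        failures.append("storage_not_encrypted")
    if policy.block_jailbroken and dev.jailbroken:
        failures.append("device_jailbroken")
    return failures


def decide_eas_access(dev: Device, eas_id: str, policy: CompliancePolicy) -> Decision:
    """EAS flow: Exchange Online looks at the device state from Azure AD and either
    serves mail or triggers the enrollment / remediation message to the user."""
    if not (dev.managed_by_intune and dev.registered_in_aad):
        return Decision(False, "device not enrolled in Intune / registered in Azure AD", "enroll")
    if eas_id not in dev.eas_ids:
        # The EAS client is not mapped to a registered device: treated as unknown.
        return Decision(False, "EAS client ID not mapped to a registered device", "enroll")
    failures = evaluate_compliance(dev, policy)
    if failures:
        return Decision(False, "noncompliant: " + ", ".join(failures), "remediate")
    return Decision(True, "enrolled, registered, compliant, EAS ID mapped")


def issue_aad_token(dev: Device, policy: CompliancePolicy) -> Optional[dict]:
    """Outlook flow: Azure AD issues a token only for an enrolled, compliant device.
    The token contents here are an illustrative assumption, not real Azure AD claims."""
    if not (dev.managed_by_intune and dev.registered_in_aad):
        return None
    if evaluate_compliance(dev, policy):
        return None
    return {"aud": "exchange-online", "deviceid": dev.device_id, "compliant": True}


def decide_outlook_access(dev: Device, policy: CompliancePolicy) -> Decision:
    """Outlook presents the Azure AD token to Exchange Online; no token, no mail."""
    token = issue_aad_token(dev, policy)
    if token is None:
        enrolled = dev.managed_by_intune and dev.registered_in_aad
        return Decision(False, "Azure AD did not issue a token",
                        "remediate" if enrolled else "enroll")
    return Decision(True, "token presented to Exchange Online via the Outlook service")


def walkthrough() -> list:
    """Constructed scenario: one device across successive EAS sync attempts."""
    policy = CompliancePolicy()
    dev = Device("dev-1")                                   # new, unenrolled device
    steps = [decide_eas_access(dev, "EAS-ABC", policy)]     # -> enroll
    dev.managed_by_intune = dev.registered_in_aad = True    # user enrolls
    dev.eas_ids.add("EAS-ABC")
    dev.passcode_set, dev.passcode_length, dev.encrypted = True, 4, True
    steps.append(decide_eas_access(dev, "EAS-ABC", policy))  # PIN too short -> remediate
    dev.passcode_length = 6                                 # user fixes the PIN
    steps.append(decide_eas_access(dev, "EAS-ABC", policy))  # -> allowed
    dev.jailbroken = True                                   # later becomes noncompliant
    steps.append(decide_eas_access(dev, "EAS-ABC", policy))  # -> access revoked
    return steps


if __name__ == "__main__":
    for d in walkthrough():
        print("ALLOW" if d.allow else "BLOCK", d.reason, d.remediation or "")
```

The walkthrough shows why "access can be revoked at any time": the decision is recomputed on every sync from the current device state, so a device that becomes jailbroken after being allowed is blocked at its next attempt and sent to remediation rather than keeping its earlier grant.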

The IT admin experience:

No complex infrastructure setup is required in Azure AD or Exchange to make this happen. Your IT admins:

  • Configure and deploy the compliance policies used to evaluate the compliance status of devices.

  • Configure the Exchange Online conditional access policy, and specify which Azure AD security groups are affected by, or exempted from, the policy.

  • Choose whether to allow or block devices that cannot enroll in Intune. The list of supported mobile operating systems is given later.

There is also an optional setup stage that may be needed: the reporting used to manage and monitor device access and status requires the Microsoft Intune service-to-service connector to be set up.
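The three admin choices above (target groups, exempt groups, and the allow/block decision for devices that cannot enroll) combine into a scoping rule that runs before any compliance check. The following is an added example modelling that rule; it is not Microsoft code. The field names, the set of enrollable platforms, the precedence of exemptions over targeting, and the example policy and users are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple

# Platforms assumed able to enroll in Intune for this illustration (assumption).
ENROLLABLE_PLATFORMS = {"ios", "android", "windows"}


@dataclass
class ConditionalAccessPolicy:
    """Per-service policy: the Azure AD groups it targets or exempts, and the
    allow/block choice for devices that cannot enroll (assumed field names)."""
    service: str
    targeted_groups: Set[str]
    exempt_groups: Set[str] = field(default_factory=set)
    block_non_enrollable: bool = True


@dataclass
class User:
    upn: str
    groups: Set[str]


def policy_applies(policy: ConditionalAccessPolicy, user: User) -> bool:
    """Membership in an exempt group wins over membership in a targeted group
    (assumed precedence for this example)."""
    if user.groups & policy.exempt_groups:
        return False
    return bool(user.groups & policy.targeted_groups)


def decide(policy: ConditionalAccessPolicy, user: User, platform: str,
           enrolled_and_compliant: bool) -> Tuple[bool, str]:
    """Access decision for one sign-in to the policy's service."""
    if not policy_applies(policy, user):
        return True, "user not targeted by the policy"
    if platform not in ENROLLABLE_PLATFORMS:
        if policy.block_non_enrollable:
            return False, f"{platform} cannot enroll in Intune and the policy blocks it"
        return True, f"{platform} cannot enroll in Intune and the policy allows it"
    if not enrolled_and_compliant:
        return False, "device must be enrolled in Intune and compliant"
    return True, "enrolled and compliant device"


# Constructed example policy: finance users must use compliant devices for mail,
# except members of an exempt group; anything that cannot enroll is blocked.
EXO_POLICY = ConditionalAccessPolicy(
    service="Exchange Online",
    targeted_groups={"Finance"},
    exempt_groups={"CA-Exempt-ServiceAccounts"},
)
```

Note that the exemption check runs first: a user who is in both a targeted and an exempt group is out of scope, which is exactly the case worth auditing when a policy seems not to fire for someone it should cover.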

The end-user experience:

When the user attempts to access email on the device for the first time, or at a subsequent sync, the device's enrollment and compliance status is checked. Enrolling or fixing compliance issues is a guided experience: the end user is shown the steps needed to enroll the device and make it compliant, without needing to call your IT help desk:

  • If the device is not enrolled, the sign-in page shows access denied and prompts for enrollment. On enrollment, the device is automatically registered in Azure Active Directory. Intune checks the device for compliance and provides remediation steps for any noncompliance issues. Once the device is compliant, Intune records the device's compliance status in Azure Active Directory.

  • If the device is enrolled but not compliant, a link with steps to remediate the issues is sent to the device. When the end user corrects the issue (for example, by setting a password or enabling encryption), Intune, which manages the compliance policies, updates the device's compliance status in Azure AD.

Once the device is evaluated as enrolled and compliant, email sync should happen within a few minutes.

Where to go from here

Now that you understand how corporate email and documents are protected, you can read about how to protect email attachments. Or, if you are ready, learn more about implementing a solution to protect your corporate email.