Securing Outlook for iOS and Android in Exchange Online

Summary: How to enable Outlook for iOS and Android in your Exchange Online environment in a secure manner.

Outlook for iOS and Android provides users the fast, intuitive email and calendar experience that users expect from a modern mobile app, while being the only app to provide support for the best features of Office 365.

Protecting company or organizational data on users' mobile devices is extremely important. Begin by reviewing Setting up Outlook for iOS and Android to ensure your users have all the required apps installed. After that, choose one of the following options to secure your devices and your organization's data:

  1. Recommended: If your organization has an Enterprise Mobility + Security subscription, or has separately obtained licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android.

  2. If your organization doesn't have an Enterprise Mobility + Security subscription or licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging Mobile Device Management for Office 365, and use the Mobile Device Management (MDM) for Office 365 capabilities that are included in your Office 365 subscription.

  3. Follow the steps in Leveraging Exchange Online mobile device policies to implement basic Exchange mobile device mailbox and device access policies.

If, on the other hand, you don't want to use Outlook for iOS and Android in your organization, see Blocking Outlook for iOS and Android.

Note

See Exchange Web Services (EWS) application policies later in this article if you'd rather implement an EWS application policy to manage mobile device access in your organization.

Setting up Outlook for iOS and Android

For devices enrolled in a mobile device management (MDM) solution, users will utilize the MDM solution, like the Intune Company Portal, to install the required apps: Outlook for iOS and Android and Microsoft Authenticator.

For devices that are not enrolled in an MDM solution, users need to install:

  • Outlook for iOS and Android via the Apple App Store or Google Play Store

  • Microsoft Authenticator app via the Apple App Store or Google Play Store

  • Intune Company Portal app via the Apple App Store or Google Play Store

Once the apps are installed, users can follow these steps to add their corporate email account and configure basic app settings:

Important

To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional Access with Intune.

Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android

The richest and broadest protection capabilities for Office 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features such as conditional access. At a minimum, you will want to deploy a conditional access policy that only allows connectivity to Outlook for iOS and Android from mobile devices, and an Intune app protection policy that ensures the corporate data is protected.

Note

While the Enterprise Mobility + Security suite subscription includes both Microsoft Intune and Azure Active Directory Premium, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All users must be licensed in order to leverage the conditional access and Intune app protection policies that are discussed in this article.

Block all email apps except Outlook for iOS and Android using conditional access

When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android as the only email app for end users, they can configure a conditional access policy that blocks other mobile access methods. To do this, you will need two conditional access policies, with each policy targeting all potential users. Details on creating these policies can be found in Azure Active Directory app-based conditional access.

  1. The first policy allows Outlook for iOS and Android, and it blocks OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online."

  2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)."

The policies leverage the grant control Require approved client app, which ensures only Microsoft apps that have integrated the Intune SDK are granted access.

Note

After the conditional access policies are enabled, it may take up to 6 hours for any previously connected mobile device to become blocked.

Mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped when access is managed by a conditional access policy that includes either Require device to be marked as compliant or Require approved client app.

To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional Access with Intune.

Protect corporate data in Outlook for iOS and Android using Intune app protection policies

Regardless of whether the device is enrolled in an MDM solution, an Intune app protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a minimum, must meet the following conditions:

  1. They include all Microsoft mobile applications, such as Word, Excel, or PowerPoint, as this will ensure that users can access and manipulate corporate data within any Microsoft app in a secure fashion.

  2. They mimic the security features that Exchange provides for mobile devices, including:

    • Requiring a PIN for access (which includes Select Type, PIN length, Allow Simple PIN, Allow fingerprint)

    • Encrypting app data

    • Blocking managed apps from running on "jailbroken" and rooted devices

  3. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Outlook for iOS and Android.

In addition to the above minimum policy requirements, you should consider deploying advanced protection policy settings like Restrict cut, copy and paste with other apps to further prevent corporate data leakage. For more information on the available settings, see Android app protection policy settings in Microsoft Intune and iOS app protection policy settings.

Important

To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.

Leveraging Mobile Device Management for Office 365

If you don't plan to leverage the Enterprise Mobility + Security suite, you can use Mobile Device Management (MDM) for Office 365. This solution requires that mobile devices be enrolled. When a user attempts to access Exchange Online with a device that is not enrolled, the user is blocked from accessing the resource until they enroll the device.

Because this is a device management solution, there is no native capability to control which apps can be used even after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure Active Directory Premium licenses and leverage the conditional access policies discussed in Block all email apps except Outlook for iOS and Android using conditional access.

An Office 365 global admin must complete the following steps to activate and set up MDM for Office 365. See Set up Mobile Device Management (MDM) in Office 365 for complete steps. In summary, these steps include:

  1. Activating MDM for Office 365 by following the steps in the Security & Compliance Center.

  2. Setting up MDM for Office 365 by, for example, creating an APNs certificate to manage iOS devices, and by adding a Domain Name System (DNS) record for your domain to support Windows phones.

  3. Creating device policies and applying them to groups of users. When you do this, your users will get an enrollment message on their device. When they've completed enrollment, their devices will be restricted by the policies you've set up for them.

Note

Policies and access rules created in MDM for Office 365 will override both Exchange mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange mobile device mailbox policy or device access rule that is applied to that device will be ignored.

Leveraging Exchange Online mobile device policies

If you don't plan on leveraging either the Enterprise Mobility + Security suite or the MDM for Office 365 functionality, you can implement an Exchange mobile device mailbox policy to secure the device, and device access rules to limit device connectivity.

Mobile device mailbox policy

Outlook for iOS and Android supports the following mobile device mailbox policy settings in Exchange Online:

  • Device encryption enabled

  • Min password length

  • Password enabled

For information on how to create or modify an existing mobile device mailbox policy, see Mobile device mailbox policies in Exchange Online.

In addition, Outlook for iOS and Android supports Exchange Online's device-wipe capability. When executed, only the app is wiped, because Exchange Online considers the Outlook for iOS and Android app to be the mobile device. For more information on how to perform a remote wipe, see Wipe a mobile device in Office 365.

Note

Outlook for iOS and Android only supports the "Wipe Data" remote wipe command and does not support "Account Only Remote Wipe Device."

Device access policy

Outlook for iOS and Android should be enabled by default, but in some existing Exchange Online environments the app may be blocked for a variety of reasons. Once an organization decides to standardize how users access Exchange data and use Outlook for iOS and Android as the only email app for end users, you can configure blocks for other email apps running on users' iOS and Android devices. You have two options for instituting these blocks within Exchange Online: the first option blocks all devices and only allows usage of Outlook for iOS and Android; the second option allows you to block individual devices from using the native Exchange ActiveSync apps.

Option 1: Block all email apps except Outlook for iOS and Android

You can define a default block rule and then configure an allow rule for Outlook for iOS and Android, and for Windows devices, using the following Exchange Management Shell commands. This configuration will prevent any native Exchange ActiveSync app from connecting, and will only allow Outlook for iOS and Android.

  1. Create the default block rule:

    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
    
  2. Create an allow rule for Outlook for iOS and Android:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow
    
  3. Optional: Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app included in Windows 10):

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP8" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WindowsMail" -AccessLevel Allow
    

Option 2: Block native Exchange ActiveSync apps on Android and iOS devices

Alternatively, you can block native Exchange ActiveSync apps on specific Android and iOS devices or other types of devices.

  1. Confirm that there are no Exchange ActiveSync device access rules in place that block Outlook for iOS and Android:

    Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | ft Name,AccessLevel,QueryString -auto
    

    If any device access rules that block Outlook for iOS and Android are found, type the following to remove them:

    Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | Remove-ActiveSyncDeviceAccessRule
    
  2. You can block most Android and iOS devices with the following commands:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPod" -AccessLevel Block
    
  3. Not all Android device manufacturers specify "Android" as the DeviceType. Manufacturers may specify a unique value with each release. In order to find other Android devices that are accessing your environment, execute the following command to generate a report of all devices that have an active Exchange ActiveSync partnership:

    Get-MobileDevice | Select-Object DeviceOS,DeviceModel,DeviceType | Export-CSV c:\temp\easdevices.csv
    
  4. Create additional block rules, depending on your results from Step 3. For example, if you find your environment has a high usage of HTCOne Android devices, you can create an Exchange ActiveSync device access rule that blocks that particular device, forcing the users to use Outlook for iOS and Android. In this example, you would type:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "HTCOne" -AccessLevel Block
    

Note

The QueryString parameter does not accept wildcards or partial matches.

Additional resources:
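Because QueryString is an exact match, each native-client DeviceType needs its own rule, and a tenant on Option 2 can easily miss one. The following audit script is an added example (not from the original article) that pulls together Steps 1 to 4 above: it checks the default access level, looks for rules that would block the Outlook app itself, and lists every DeviceType with an active partnership that is covered by neither the default block nor an explicit block rule. It assumes an open Exchange Online PowerShell session; the function name Get-EasAccessPosture is this example's own, and "Outlook" as the app's DeviceType comes from the characteristic table later in this article.

```powershell
# Added example: audit the Exchange ActiveSync device access posture produced by
# Option 1 (default block + allow rules) or Option 2 (explicit block rules).
# Assumes an Exchange Online PowerShell session is already connected.

function Get-EasAccessPosture {
    [CmdletBinding()]
    param(
        # DeviceType values that identify Outlook for iOS and Android itself
        # (the article's characteristic table lists "Outlook" for both platforms).
        [string[]] $OutlookDeviceTypes = @('Outlook')
    )

    $org   = Get-ActiveSyncOrganizationSettings
    $rules = Get-ActiveSyncDeviceAccessRule

    # Step 1 of Option 2: rules that would lock the Outlook app out entirely.
    $outlookBlocks = $rules | Where-Object {
        $_.AccessLevel -eq 'Block' -and $_.QueryString -like 'Outlook*'
    }
    if ($outlookBlocks) {
        Write-Warning ("{0} rule(s) block Outlook for iOS and Android: {1}" -f
            $outlookBlocks.Count, ($outlookBlocks.Name -join ', '))
    }

    # Explicit DeviceType block rules. QueryString is an exact match, so a rule
    # for "Android" does not cover a manufacturer-specific value such as "HTCOne".
    $blockedTypes = $rules |
        Where-Object { $_.Characteristic -eq 'DeviceType' -and $_.AccessLevel -eq 'Block' } |
        ForEach-Object { $_.QueryString }

    # Step 3: the same partnership data the article exports to CSV, grouped by
    # DeviceType and with the Outlook app itself excluded.
    $seenTypes = Get-MobileDevice |
        Where-Object { $OutlookDeviceTypes -notcontains $_.DeviceType } |
        Group-Object DeviceType |
        Sort-Object Count -Descending

    foreach ($t in $seenTypes) {
        [pscustomobject]@{
            DeviceType            = $t.Name
            ActivePartnerships    = $t.Count
            # Option 1 covers unknown types through the organization default;
            # Option 2 covers a type only when it has its own block rule.
            CoveredByDefaultBlock = ($org.DefaultAccessLevel -eq 'Block')
            CoveredByBlockRule    = ($blockedTypes -contains $t.Name)
        }
    }
}

# Usage: device types still reachable through native EAS clients. Each row is a
# candidate for a Step 4 rule, e.g.
#   New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString <DeviceType> -AccessLevel Block
Get-EasAccessPosture |
    Where-Object { -not $_.CoveredByDefaultBlock -and -not $_.CoveredByBlockRule } |
    Format-Table DeviceType, ActivePartnerships -AutoSize
```

Re-run the audit after adding rules; a device that already synced may keep its partnership until the next sync attempt is evaluated against the new rule.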

Blocking Outlook for iOS and Android

If you don't want users in your organization to access Exchange data with Outlook for iOS and Android, the approach you take depends on whether you are using Azure Active Directory conditional access policies or Exchange Online's device access policies.

Option 1: Block mobile device access using a conditional access policy

Azure Active Directory conditional access does not provide a mechanism whereby you can specifically block Outlook for iOS and Android while allowing other Exchange ActiveSync clients. With that said, conditional access policies can be used to block mobile device access in two ways:

  • Option A: Block mobile device access on both the iOS and Android platforms

  • Option B: Block mobile device access on a specific mobile device platform

Option A: Block mobile device access on both the iOS and Android platforms

If you want to prevent mobile device access for all users, or a subset of users, using conditional access, follow these steps.

Create conditional access policies, with each policy either targeting all users or a subset of users via a security group. Details are in Azure Active Directory app-based conditional access.

  1. The first policy blocks Outlook for iOS and Android and other OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online," but for the fifth step, choose Block access.

  2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)."

Option B: Block mobile device access on a specific mobile device platform

If you want to prevent a specific mobile device platform from connecting to Exchange Online, while allowing Outlook for iOS and Android to connect using that platform, create the following conditional access policies, with each policy targeting all users. Details are in Azure Active Directory app-based conditional access.

  1. The first policy allows Outlook for iOS and Android on the specific mobile device platform and blocks other OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online," but for step 4a, select only the desired mobile device platform (such as iOS) to which you want to allow access.

  2. The second policy blocks the app on the specific mobile device platform and other OAuth capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online," but for step 4a, select only the desired mobile device platform (such as Android) to which you want to block access, and for step 5, choose Block access.

  3. The third policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)."

Option 2: Block Outlook for iOS and Android using Exchange mobile device access rules

If you are managing your mobile device access via Exchange Online's device access rules, you have two options:

  • Option A: Block Outlook for iOS and Android on both the iOS and Android platforms

  • Option B: Block Outlook for iOS and Android on a specific mobile device platform

Every Exchange organization has different policies regarding security and device management. If an organization decides that Outlook for iOS and Android doesn't meet their needs or is not the best solution for them, administrators have the ability to block the app. Once the app is blocked, mobile Exchange users in your organization can continue accessing their mailboxes by using the built-in mail applications on iOS and Android.

The New-ActiveSyncDeviceAccessRule cmdlet has a Characteristic parameter, and there are three Characteristic options that administrators can use to block the Outlook for iOS and Android app. The options are UserAgent, DeviceModel, and DeviceType. In the two blocking options described in the following sections, you will use one or more of these characteristic values to restrict the access that Outlook for iOS and Android has to the mailboxes in your organization.

The values for each characteristic are displayed in the following table:

| Characteristic | String for iOS              | String for Android          |
|----------------|-----------------------------|-----------------------------|
| DeviceModel    | Outlook for iOS and Android | Outlook for iOS and Android |
| DeviceType     | Outlook                     | Outlook                     |
| UserAgent      | Outlook-iOS/2.0             | Outlook-Android/2.0         |

Option A: Block Outlook for iOS and Android on both the iOS and Android platforms

With the New-ActiveSyncDeviceAccessRule cmdlet, you can define a device access rule using either the DeviceModel or DeviceType characteristic. In both cases, the access rule blocks Outlook for iOS and Android across all platforms, and will prevent any device, on both the iOS and Android platforms, from accessing an Exchange mailbox via the app.

The following are two examples of a device access rule. The first example uses the DeviceType characteristic; the second example uses the DeviceModel characteristic.

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

Option B: Block Outlook for iOS and Android on a specific mobile device platform

With the UserAgent characteristic, you can define a device access rule that blocks Outlook for iOS and Android on a specific platform. This rule will prevent a device from using Outlook for iOS and Android to connect on the platform you specify. The following examples show how to use the platform-specific value for the UserAgent characteristic.

To block Android and allow iOS:

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Allow

To block iOS and allow Android:

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Block

Exchange Web Services (EWS) application policies

Beyond Microsoft Intune, MDM for Office 365, and Exchange mobile device policies, you can also manage the access that mobile devices have to information in your organization through EWS application policies. An EWS application policy can control whether or not applications are allowed to leverage the REST API. Note that when you configure an EWS application policy that only allows specific applications access to your messaging environment, you must add the user-agent strings for Outlook for iOS and Android to the EWS allow list.

The following example shows how to add the user-agent strings to the EWS allow list:

Set-OrganizationConfig -EwsAllowList @{Add="Outlook-iOS/*","Outlook-Android/*"}
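An allow list that lacks these entries silently locks Outlook for iOS and Android out of the tenant, so the entries are worth verifying rather than assuming. The function below is an added example (not from the original article) that reads the current organization configuration, and only when an allow list is being enforced (EwsApplicationAccessPolicy set to EnforceAllowList) adds whichever of the two Outlook patterns is missing. It assumes an open Exchange Online PowerShell session; the function name Set-OutlookEwsAllowList is this example's own.

```powershell
# Added example: make the EWS allow list idempotently include the Outlook for iOS
# and Android user-agent patterns from the article. Assumes an Exchange Online
# PowerShell session is already connected.

function Set-OutlookEwsAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The patterns the article adds; EwsAllowList entries are user-agent patterns.
        [string[]] $Patterns = @('Outlook-iOS/*', 'Outlook-Android/*')
    )

    $cfg = Get-OrganizationConfig

    # Only an enforced allow list can exclude Outlook. With a block list, or with
    # no EWS application policy at all, these entries have no effect.
    if ($cfg.EwsApplicationAccessPolicy -ne 'EnforceAllowList') {
        Write-Verbose ("EwsApplicationAccessPolicy is '{0}'; no allow list is enforced." -f
            $cfg.EwsApplicationAccessPolicy)
        return @()
    }

    # Compare against the existing list so repeated runs do not duplicate entries.
    $missing = @($Patterns | Where-Object { $cfg.EwsAllowList -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Verbose 'Outlook user-agent patterns are already present in EwsAllowList.'
        return @()
    }

    # -WhatIf on the function shows the change without applying it.
    $target = "OrganizationConfig EwsAllowList (add: $($missing -join ', '))"
    if ($PSCmdlet.ShouldProcess($target, 'Set-OrganizationConfig')) {
        Set-OrganizationConfig -EwsAllowList @{Add = $missing}
    }
    return $missing
}

# Usage: report what was (or would be) added.
$added = Set-OutlookEwsAllowList -Verbose
if ($added.Count -gt 0) { "Added to EwsAllowList: $($added -join ', ')" }
```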