Configure access to corporate email using email profiles with Microsoft Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

Many mobile platforms include a native email client that ships as part of the operating system. Some of these clients can be set up by using email profiles, as described in this topic.

Email profile settings can be used to set up email access settings for specific email clients on mobile devices. On supported platforms, the native email clients can be set up by Microsoft Intune to let users access their corporate email on their personal devices, without any additional setup.

If you need to take additional measures for data loss prevention, use Conditional access, which controls access to the user's mailbox for any email client, including native email clients.

IT admins or users may also choose to install alternative email clients (for example, Microsoft Outlook for Android or iOS). These email clients may not support email profiles, and can't be set up by using Intune email profiles.

You can use email profiles to configure the native email client on the following device types:

  • Windows Phone 8.1 and later
  • Windows 10 (for the desktop), Windows 10 Mobile, and later
  • iOS 8.0 and later
  • Samsung KNOX Standard (4.0 and later)
  • Android for Work (third-party email apps, native email app is personal-profile only)

In addition to setting up an email account on the device, you can set up how much email to synchronize, and depending on the device type, which content types to synchronize.

If the user installed an email profile before Intune set one up, the result of the Intune email profile deployment depends on the device platform:

iOS
An existing, duplicate email profile is detected based on host name and email address. The duplicate email profile created by the user blocks the deployment of an Intune admin-created profile. This is a common problem, as iOS users typically create an email profile, then enroll. The company portal informs the user that they are not compliant due to their manually-configured email profile, and prompts the user to remove that profile. The user should remove their email profile, so the Intune profile can be set up. To prevent the problem, instruct your users to enroll before installing an email profile, and to allow Intune to set up the profile.

Windows
An existing, duplicate email profile is detected based on host name and email address. Intune overwrites the existing email profile created by the user.

Samsung KNOX
An existing, duplicate email account is detected based on the email address, and Intune overwrites it with the Intune profile. If the user sets up that account again, it is overwritten again by the Intune profile. Note that this may confuse the user.

Since Samsung KNOX does not use the host name to identify the profile, we recommend that you not create multiple email profiles for the same email address on different hosts, as these overwrite each other.

Android for Work
Intune provides two Android for Work email profiles, one for each of the Gmail and Nine Work email apps. These apps are available in the Google Play Store, and install in the device work profile, so they can't result in duplicate profiles. Both apps support connections to Exchange. To enable the email connectivity, deploy one of these email apps to your users' devices, and then create and deploy the appropriate email profile. Email apps such as Nine Work might not be free. Review the app's licensing details or contact the app company with any questions.
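
The per-platform duplicate handling described above can be checked against a planned rollout before deployment. The following Python is an added example, not Microsoft or Intune code: the profile dictionaries, function names and case-insensitive matching are assumptions made for illustration, and the sample values are constructed.

```python
from collections import defaultdict

# Fields each platform matches on to detect an existing profile, and the result
# of a match, as described in the text above.
PLATFORM_RULES = {
    "ios": (("host", "email"), "blocked"),          # user's profile blocks Intune's
    "windows": (("host", "email"), "overwritten"),  # Intune replaces the user's
    "knox": (("email",), "overwritten"),            # host name is not compared
}

def identity_key(platform, profile):
    # Assumption: matching is case-insensitive; the page does not say.
    fields, _ = PLATFORM_RULES[platform]
    return tuple(profile[f].strip().lower() for f in fields)

def deployment_outcome(platform, existing, intune_profile):
    """Return 'installed', 'blocked' or 'overwritten' for one device."""
    wanted = identity_key(platform, intune_profile)
    if any(identity_key(platform, p) == wanted for p in existing):
        return PLATFORM_RULES[platform][1]
    return "installed"

def knox_collisions(planned):
    """Map each email address to its hosts when planned KNOX profiles
    reuse the address on more than one host (they overwrite each other)."""
    hosts = defaultdict(set)
    for p in planned:
        hosts[p["email"].strip().lower()].add(p["host"].strip().lower())
    return {e: sorted(h) for e, h in hosts.items() if len(h) > 1}

# Constructed sample data (contoso.com names are placeholders).
USER_MADE = [{"host": "mail.contoso.com", "email": "user1@contoso.com"}]
SAME = {"host": "mail.contoso.com", "email": "User1@contoso.com"}
OTHER_HOST = {"host": "mail2.contoso.com", "email": "user1@contoso.com"}

if __name__ == "__main__":
    for platform in PLATFORM_RULES:
        print(platform, deployment_outcome(platform, USER_MADE, SAME),
              deployment_outcome(platform, USER_MADE, OTHER_HOST))
    print(knox_collisions([SAME, OTHER_HOST]))
```

Android for Work is left out of the rules because its apps install in the work profile and cannot produce duplicates.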

Secure email profiles

You can secure email profiles using either a certificate or a password.

Certificates

When you create the email profile, you choose a certificate profile that you have previously created in Intune. This is known as the identity certificate, and is used to authenticate against a trusted certificate profile (or a root certificate) to establish that the user's device is allowed to connect. The trusted certificate is deployed to the computer that authenticates the email connection, typically, the native mail server.

For more information about how to create and use certificate profiles in Intune, see Secure resource access with certificate profiles.

User name and password

The user authenticates to the native mail server by providing their user name and password.

The password is not contained in the email profile, so the user needs to supply this when they connect to email.

Create an email profile

  1. In the Microsoft Intune administration console, choose Policy > Add Policy.

  2. Set up one of the following policy types:

    • Email Profile for Samsung KNOX Standard (4.0 and later)

    • Email Profile (iOS 8.0 and later)

    • Email Profile (Windows Phone 8.1 and later)

    • Email Profile (Windows 10 Desktop and Mobile and later)

    • Email Profile (Android for Work - Gmail)

    • Email Profile (Android for Work - Nine Work)

    You can only create and deploy a custom email profile policy. Recommended settings are not available.

  3. Use the following table to help you set up email profile settings:

| Setting name | More information |
| --- | --- |
| Name | Unique name for the email profile. |
| Description | A description that helps you identify this profile. |
| Host | The host name of your company server that hosts your native email service. |
| Account name | The display name for the email account as it will appear to users on their devices. |
| Username | This is the attribute in Active Directory (AD) or Azure AD that will be used to generate the username for this email profile. Select Primary SMTP Address, such as user1@contoso.com, or User Principal Name, such as user1 or user1@contoso.com. |
| Email address | How the email address for the user on each device is generated. Select Primary SMTP Address to use the primary SMTP address to log into Exchange or use User Principal Name to use the full principal name as the email address. |
| Authentication method (Android for Work, Samsung KNOX and iOS) | Select either Username and Password or Certificates as the authentication method used by the email profile. |
| Select a client certificate for client authentication (Identity Certificate) (Android for Work, Samsung KNOX and iOS) | Select the client SCEP certificate that you previously created that will be used to authenticate the Exchange connection. For more information about how to use certificate profiles in Intune, see Secure resource access with certificate profiles. This option is displayed only when the authentication method is Certificates. |
| Use S/MIME (Samsung KNOX and iOS) | Send outgoing email using S/MIME signing. |
| Signing certificate (Samsung KNOX and iOS) | Select the signing certificate that will be used to sign outgoing email. This option is displayed only when you select Use S/MIME. |
| Number of days of email to synchronize | The number of days of email that you want to synchronize, or select Unlimited to synchronize all available email. |
| Sync schedule (Android for Work, Samsung KNOX, Windows Phone 8 and later, Windows 10) | Select the schedule by which devices will synchronize data from the Exchange server. You can also select As Messages arrive, which synchronizes data as soon as it arrives, or Manual, where the user of the device must initiate the synchronization. |
| Use SSL | Use Secure Sockets Layer (SSL) communication when sending emails, receiving emails, and communicating with the Exchange server. For devices that run Samsung KNOX 4.0 or later, you must export your Exchange Server SSL certificate, and deploy it as an Android Trusted Certificate Profile in Intune. Intune does not support accessing this certificate if it is installed on the Exchange server by other means. |
| Content type to synchronize (all platforms except Android for Work Gmail) | Select the content types that you want to synchronize to devices. |
| Allow email to be sent from third party applications (iOS only) | Allow the user to select this profile as the default account for sending email, and allow third-party applications to open email in the native email app, for example, to attach files to email. |

Important

If you have deployed an email profile and then wish to change the values for Host or Email address, you must delete the existing email profile and create a new one with the required values.

  4. When you are finished, click Save Policy.

The new policy displays in the Configuration Policies node of the Policy workspace.

Deploy the policy

  1. In the Policy workspace, select the policy you want to deploy, and then choose Manage Deployment.

  2. In the Manage Deployment dialog box:

    • To deploy the policy - Select one or more groups to which you want to deploy the policy, and then choose Add > OK.

    • To close the dialog box without deploying it - Choose Cancel.

A status summary and alerts on the Overview page of the Policy workspace identify issues with the policy that require your attention. Additionally, a status summary appears in the Dashboard workspace.

Notes

  • For Android for Work, make sure you also deploy the Gmail or Nine Work apps in addition to the appropriate email profile.
  • If you want to remove an email profile from a device, edit the deployment and remove any groups of which the device is a member. Note that you cannot remove an email profile in this way if it is the only email profile on a device.
  • If you make changes to an email profile you previously deployed, end users might see a message asking them to approve the reconfiguration of their email settings.