Exchange access rules for mobile devices

Applies to: Intune in the classic portal

Exchange access rules for mobile devices determine the level of access that those devices have to Exchange ActiveSync. These settings affect all mobile devices, including those that aren't enrolled in Microsoft Intune. You can start off by defining a Default Rule, which applies to any mobile device that does not have a custom rule applied to it.

The following table contains the access levels that are managed by Exchange ActiveSync:

| Access level | Description |
| --- | --- |
| Allow the devices to access Exchange | In the allow access state, mobile devices can sync through Exchange ActiveSync and connect to the Exchange server to retrieve email and manage Calendar, Contacts, Tasks, and Notes. This continues as long as the device complies with any Exchange ActiveSync mailbox policy that you have configured in Exchange, unless the user or the specific mobile device has been blocked by the Exchange administrator. |
| Block the devices from accessing Exchange | In the block access state, mobile devices are blocked and aren't allowed to connect to the Exchange server. Devices receive an HTTP 403 Forbidden error. The user receives an email message from the Exchange server telling them that the mobile device was blocked from accessing their mailbox. This message cannot be on the blocked mobile device. By using the Set User Notification task, you can add customized text to this message to provide instructions for users whose devices are blocked. |
| Quarantine the devices so that you can allow or block them later | When a mobile device is quarantined, the mobile device is allowed to connect to the Exchange server. However, it is given only limited access to data. The user can add content to their own Calendar, Contacts, Tasks, and Notes folders but the server doesn't allow the device to retrieve any content from the user's mailbox. The user receives a single email message stating that the mobile device is quarantined. This message is sent to the device and to the user's mailbox. By using the Set User Notification task, you can add customized text to this message to provide instructions for users whose devices are quarantined. |

An access strategy is a combination of a Default Rule and Platform Exceptions that apply to all mobile devices that are connected to Exchange. The following table lists some example access strategies.

| Access strategy | Description |
| --- | --- |
| Allow list | You can use an allow list to grant access to a list of known devices and restrict access for all other devices. To do this, you must create custom rules for device platforms that are allowed to access a user's mailbox. As soon as you create such a rule, you must set the default access rule to block or quarantine all other devices. To add a new device to the allow list, create a new custom rule. |
| Block list | You can use a block list to grant access to all devices by default, but to block access for a set of devices that you do not want to access your organization. Create a block list by creating custom rules to block device platforms that you do not want to sync with the organization’s mailboxes. We recommend setting the default rule to allow access to all devices that are not explicitly blocked by the existing rules. To add a new device or set of devices to the block list, create a new custom rule. |
| Mixed allow and block | In addition to creating allow and block lists, you can quarantine new mobile devices as they are introduced into the organization while you evaluate them. For example, if you have a block list for mobile devices that are not allowed within your organization, and an allow list for mobile devices that are allowed within the organization, you can set the default rule to quarantine. All other devices are automatically quarantined. This lets you discover new devices as they are introduced to the organization and decide whether to add them to the allow or block lists. |
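
The three strategies in the table differ mainly in what happens to a device platform that no rule names. The following added example (not part of the original page, and not Intune or Exchange code) models a Default Rule plus Platform Exceptions over a constructed device inventory and shows which devices are decided only by the Default Rule. The precedence order, the platform names and all function names are assumptions made for illustration.

```python
# Added illustration; the rule model and every name here are assumptions, not Intune's API.
ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"

# The three example strategies from the table: a Default Rule plus Platform Exceptions.
STRATEGIES = {
    "allow list": {"default": BLOCK, "exceptions": {"ios": ALLOW, "android": ALLOW}},
    "block list": {"default": ALLOW, "exceptions": {"legacyos": BLOCK}},
    "mixed": {"default": QUARANTINE,
              "exceptions": {"ios": ALLOW, "android": ALLOW, "legacyos": BLOCK}},
}

# Constructed inventory; "LegacyOS" and "NewTablet" are made-up platform names.
DEVICES = [
    {"id": "dev-1", "platform": "iOS"},
    {"id": "dev-2", "platform": "Android"},
    {"id": "dev-3", "platform": "LegacyOS"},
    {"id": "dev-4", "platform": "NewTablet"},
]

def resolve(device, strategy, personal_exemptions=None):
    """Return (access_level, source) for one device.

    Assumed precedence: personal exemption, then platform exception,
    then the Default Rule for anything neither of those covers.
    """
    exemptions = personal_exemptions or {}
    if device["id"] in exemptions:
        return exemptions[device["id"]], "personal exemption"
    level = strategy["exceptions"].get(device["platform"].lower())
    if level is not None:
        return level, "platform exception"
    return strategy["default"], "default rule"

def evaluate(devices, strategy, personal_exemptions=None):
    """Map device id -> (access_level, source) for a whole inventory."""
    return {d["id"]: resolve(d, strategy, personal_exemptions) for d in devices}

def fell_through(devices, strategy, personal_exemptions=None):
    """Ids of devices decided only by the Default Rule, i.e. never explicitly reviewed."""
    results = evaluate(devices, strategy, personal_exemptions)
    return sorted(i for i, (_, source) in results.items() if source == "default rule")

if __name__ == "__main__":
    for name, strategy in STRATEGIES.items():
        print(name)
        for dev_id, (level, source) in evaluate(DEVICES, strategy).items():
            print(f"  {dev_id}: {level} ({source})")
```

With the block list strategy the unrecognized platform is allowed by default, while the mixed strategy places the same device in quarantine, where it shows up for review.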

The following procedure describes how to create a default access rule.

Create a default access rule

  1. In the Microsoft Intune administration console, choose Policy > Exchange ActiveSync.

  2. In the Default Rule list, select the Access Rule that you want to apply to all mobile devices that aren't covered by a rule or personal exemption. Choose Save.

The following procedure describes how to create a custom rule:

Create a custom access rule

  1. In the Microsoft Intune administration console, choose Policy > Exchange ActiveSync.

  2. In the Platform Exceptions list, choose Add Rule, and then create a custom rule. Choose Save.