Protect email access to Exchange on-premises and legacy Exchange Online Dedicated with Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

You can configure conditional access to control email access to Exchange on-premises or to legacy Exchange Online Dedicated by using Microsoft Intune. To learn more about how conditional access works, read the Protect access to email and O365 services article.

Note

If you have an Exchange Online Dedicated environment and need to find out whether it's in the new or the legacy configuration, contact your account manager.

Before you begin

Make sure to verify the following:

  • Your Exchange version must be Exchange 2010 or later. Exchange Server Client Access Server (CAS) arrays are supported.

  • You must use the Intune on-premises Exchange connector, which connects Intune to Exchange on-premises. This lets you manage devices through the Intune console.

    • The on-premises Exchange connector that is available to you in the Intune console is specific to your Intune tenant and can't be used with any other tenant. We recommend that you also ensure that the Exchange connector for your tenant is installed on only one machine.

      You can download the connector from the Intune admin console. For a walkthrough on how to configure the on-premises Exchange connector, see Configure Exchange on-premises connector for on-premises or hosted Exchange.

    • You can install the connector on any machine, as long as that machine can communicate with the Exchange server.

    • The connector supports the Exchange CAS environment. You can technically install the connector directly on an Exchange CAS server if you want to, but we don't recommend it, because it increases the load on that server. When you configure the connector, you must set it up to communicate with one of the Exchange CAS servers.

  • You must configure Exchange ActiveSync with certificate-based authentication or user credential entry.

Device compliance requirements

When you configure conditional access policies and target them to a user, before that user can connect to their email, the device they use must be:

  • Either a domain-joined PC or enrolled with Intune.

  • Registered in Azure Active Directory. Additionally, the client's Exchange ActiveSync ID must be registered with Azure Active Directory.

    The Azure Active Directory Device Registration service is activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration service will not see registered devices in on-premises Active Directory. This does not apply to Windows PCs and Windows Phone devices.

  • Compliant with any Intune compliance policies that are deployed to that device.

How conditional access works with Exchange on-premises

The following diagram illustrates the flow that conditional access policies for Exchange on-premises use to evaluate whether to allow or block a device.

[Diagram: the decision points that determine whether a device is allowed or blocked from accessing Exchange on-premises]

If a conditional access policy isn't met, there is a 10-minute window between the device being blocked and the user receiving one of the following quarantine messages when they sign in:

  • If the device isn't enrolled with Intune or isn't registered in Azure Active Directory, a message is displayed with instructions about how to install the Company Portal app, enroll the device, and activate email. This process also associates the device's Exchange ActiveSync ID with the device record in Azure Active Directory.

  • If the device isn't compliant, a message is displayed that directs the user to the Intune Company Portal website or the Company Portal app, where they can find information about the problem and how to remediate it.

Support for mobile devices

The following are supported:

  • Windows Phone 8.1 and later.

  • The native email app on iOS.

  • Exchange ActiveSync mail clients, such as Gmail on Android 4 or later.

  • Exchange ActiveSync mail clients on Android for Work devices: only the Gmail and Nine Work apps in the work profile are supported on Android for Work devices. For conditional access to work with Android for Work, you must deploy an email profile for the Gmail or Nine Work app, and also deploy those apps as a required installation.

Note

The Microsoft Outlook app for Android and iOS isn't supported.

Support for PCs

The following is supported:

  • The Mail application on Windows 8.1 and later (when the PC is enrolled with Intune).

Configure a conditional access policy

  1. In the Microsoft Intune administration console, choose Policy > Conditional Access > Exchange on-premises policy.

  2. Configure the policy with the settings that you require:

    • Block email apps from accessing Exchange on-premises if the device isn't compliant or isn't enrolled with Microsoft Intune: When you select this option, devices that aren't managed by Intune or aren't compliant with a compliance policy are blocked from accessing Exchange services.

    • Default rule override - Always allow enrolled and compliant devices to access Exchange: When you select this option, devices that are enrolled in Intune and are compliant with the compliance policies are allowed to access Exchange. This rule overrides the Default Rule, which means that even if you set the Default Rule to quarantine or block access, enrolled and compliant devices are still able to access Exchange.

    • Targeted Groups: Select the Intune user groups that must enroll their devices with Intune before they can access Exchange.

    • Exempted Groups: Select the Intune user groups that are exempt from the conditional access policy. Users in this list are exempt even if they're also in the Targeted Groups list.

    • Platform Exceptions: Choose Add Rule to configure a rule that defines access levels for specified mobile device families and models. Because these devices can be of any type, you can also configure device types that aren't supported by Intune.

    • Default Rule: For a device that isn't covered by any of the other rules, you can choose to allow it to access Exchange, block it, or quarantine it. When you set the rule to allow access, email access is granted automatically to enrolled and compliant iOS, Windows, and Samsung KNOX devices; the user doesn't have to go through any process to get their email.

      • On Android devices that don't run Samsung KNOX, users get a quarantine email, which includes a guided walkthrough to verify enrollment and compliance before they can access email.

      • If you set the rule to block access or quarantine devices, all devices are blocked from getting access to Exchange, regardless of whether they're already enrolled in Intune or not. To prevent enrolled and compliant devices from being affected by this rule, check the Default Rule Override box.

      Tip

      If your intention is to first block all devices before granting access to email, choose the Block access rule or the Quarantine rule. The default rule applies to all device types, so device types that you configure as platform exceptions and that aren't supported by Intune are also affected.

    • User Notification: In addition to the notification email that Exchange sends, Intune sends an email that contains steps to unblock the device. You can edit the default message to customize it to your needs. If the user's device is blocked before they receive the Intune notification email that contains remediation instructions (this email is delivered to the user's Exchange mailbox), they can use an unblocked device or another method to access Exchange and view the message.

      This is especially true when the Default Rule is set to block or quarantine. In this case, the user has to go to their app store, download the Microsoft Company Portal app, and enroll their device. This applies to iOS, Windows, and Samsung KNOX devices. For devices that don't run Samsung KNOX, you need to send the quarantine email to an alternate email account. The user has to copy the email to their blocked device to complete the enrollment and compliance process.

      Note

      In order for Exchange to be able to send the notification email, you must specify the account that is used to send the notification email. For details, see Configure Exchange on-premises connector for on-premises or hosted Exchange.

  3. When you're done, choose Save.

  • You don't have to deploy the conditional access policy; it takes effect immediately.

  • After a user sets up an Exchange ActiveSync profile, it might take from one to three hours for the device to be blocked (if it isn't managed by Intune).

  • If a blocked user then enrolls the device with Intune and remediates noncompliance, email access is unblocked within two minutes.

  • If the user unenrolls from Intune, it might take from one to three hours for the device to be blocked.
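When you need to confirm on the Exchange side what the Default Rule, the Platform Exceptions, and the blocking and unblocking delays above have actually produced, the following Exchange Management Shell script is an added example; it is not part of this documentation and not part of the Intune connector. It assumes an Exchange 2013 or later shell (on Exchange 2010 substitute Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics), uses a placeholder mailbox name, and only reads Exchange's own Exchange ActiveSync state; how the connector writes its decisions into Exchange is not described on this page, so nothing here depends on that.

```powershell
# Added example (not from the Intune documentation or the Exchange connector).
# Reads the Exchange ActiveSync state that conditional access relies on.
# Assumes an Exchange Management Shell session on Exchange 2013 or later.
# $UserToCheck is a placeholder; replace it with a real mailbox.
param(
    [string]$UserToCheck = 'alice@contoso.com'   # placeholder value
)

# 1. Organization-wide EAS default (Allow / Block / Quarantine) and who is
#    mailed when a device is quarantined. Compare with the Default Rule and
#    the notification account configured for the connector.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# 2. Device access rules keyed on device type, model, OS or user agent.
#    Platform exceptions should be visible here; any rule you do not
#    recognise was created outside Intune and deserves a look.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object Characteristic, QueryString |
    Format-Table Characteristic, QueryString, AccessLevel -AutoSize

# 3. Every device that is currently quarantined or blocked, with the reason
#    Exchange recorded (Global = org default, DeviceRule = access rule,
#    Individual = per-mailbox allow/block list, Policy = EAS mailbox policy).
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -in 'Quarantined', 'Blocked' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason, FirstSyncTime |
    Sort-Object FirstSyncTime -Descending |
    Format-Table -AutoSize

# 4. One user's devices with last sync times. A newly set up unmanaged device
#    should move to Blocked/Quarantined within the one-to-three-hour window,
#    and an enrolled, remediated device back to Allowed within about two
#    minutes; LastSuccessSync vs LastSyncAttemptTime shows which side of
#    that transition the device is on.
Get-MobileDeviceStatistics -Mailbox $UserToCheck |
    Select-Object DeviceID, DeviceType, DeviceModel, DeviceAccessState,
                  DeviceAccessStateReason, LastSuccessSync, LastSyncAttemptTime |
    Format-Table -AutoSize

# 5. The per-mailbox allow/block lists. When DeviceAccessStateReason reads
#    'Individual', the decision came from these lists rather than from the
#    org default or a device access rule.
Get-CASMailbox -Identity $UserToCheck |
    Format-List ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
```

Run it as an Exchange administrator after changing the Default Rule or adding a platform exception, and again after a test user enrolls; the DeviceAccessState and DeviceAccessStateReason columns tell you whether a blocked user is waiting on the propagation delay or is caught by a rule that the Intune policy never set.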

To see some example scenarios of how you would configure a conditional access policy to protect device access, see Protect email access example scenarios.

Next steps