Securing Outlook for iOS and Android in Exchange Online

Summary: How to enable Outlook for iOS and Android in your Exchange Online environment in a secure manner.

Outlook for iOS and Android provides the fast, intuitive email and calendar experience that users expect from a modern mobile app, and it is the only app that supports the best features of Office 365.

Protecting company or organizational data on users' mobile devices is extremely important. Begin by reviewing Setting up Outlook for iOS and Android to ensure your users have all the required apps installed. After that, choose one of the following options to secure your devices and your organization's data:

  1. Recommended: If your organization has an Enterprise Mobility + Security subscription, or has separately obtained licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android.

  2. If your organization doesn't have an Enterprise Mobility + Security subscription or licensing for Microsoft Intune and Azure Active Directory Premium, follow the steps in Leveraging Mobile Device Management for Office 365, and use the Mobile Device Management (MDM) for Office 365 capabilities that are included in your Office 365 subscription.

  3. Follow the steps in Leveraging Exchange Online mobile device policies to implement basic Exchange mobile device mailbox and device access policies.

If, on the other hand, you don't want to use Outlook for iOS and Android in your organization, see Blocking Outlook for iOS and Android.

Note

See Exchange Web Services (EWS) application policies later in this article if you'd rather implement an EWS application policy to manage mobile device access in your organization.

Setting up Outlook for iOS and Android

For devices enrolled in a mobile device management (MDM) solution, users will use the MDM solution, like the Intune Company Portal, to install the required apps: Outlook for iOS and Android and Microsoft Authenticator.

For devices that are not enrolled in an MDM solution, users need to install:

  • Outlook for iOS and Android via the Apple App Store or Google Play Store

  • Microsoft Authenticator app via the Apple App Store or Google Play Store

  • Intune Company Portal app via the Apple App Store or Google Play Store

Once the apps are installed, users can follow these steps to add their corporate email account and configure basic app settings:

Important

To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional Access with Intune.

Leveraging Enterprise Mobility + Security suite to protect corporate data with Outlook for iOS and Android

The richest and broadest protection capabilities for Office 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Azure Active Directory Premium features such as conditional access. At a minimum, you will want to deploy a conditional access policy that only allows connectivity to Outlook for iOS and Android from mobile devices, and an Intune app protection policy that ensures the corporate data is protected.

Note

While the Enterprise Mobility + Security suite subscription includes both Microsoft Intune and Azure Active Directory Premium, customers can purchase Microsoft Intune licenses and Azure Active Directory Premium licenses separately. All users must be licensed in order to leverage the conditional access and Intune app protection policies that are discussed in this article.

Block all email apps except Outlook for iOS and Android using conditional access

When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android as the only email app for end users, they can configure a conditional access policy that blocks other mobile access methods. To do this, you will need two conditional access policies, with each policy targeting all potential users. Details on creating these policies can be found in Azure Active Directory app-based conditional access.

  1. The first policy allows Outlook for iOS and Android, and it blocks OAuth-capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online."

  2. The second policy prevents Exchange ActiveSync clients that use basic authentication from connecting to Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)."

The policies leverage the grant control Require approved client app, which ensures that only Microsoft apps that have integrated the Intune SDK are granted access.

Note

After the conditional access policies are enabled, it may take up to 6 hours for any previously connected mobile device to become blocked.

Mobile device access rules (allow, block, or quarantine) in Exchange Online are skipped when access is managed by a conditional access policy that includes either Require device to be marked as compliant or Require approved client app.

To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based Conditional Access with Intune.

Protect corporate data in Outlook for iOS and Android using Intune app protection policies

Regardless of whether the device is enrolled in an MDM solution, an Intune app protection policy needs to be created for both iOS and Android apps, using the steps in How to create and assign app protection policies. These policies, at a minimum, must meet the following conditions:

  1. They include all Microsoft mobile applications, such as Word, Excel, or PowerPoint, as this ensures that users can access and manipulate corporate data within any Microsoft app in a secure fashion.

  2. They mimic the security features that Exchange provides for mobile devices, including:

    • Requiring a PIN for access (which includes Select Type, PIN length, Allow Simple PIN, Allow fingerprint)

    • Encrypting app data

    • Blocking managed apps from running on "jailbroken" and rooted devices

  3. They are assigned to all users. This ensures that all users are protected, regardless of whether they use Outlook for iOS and Android.

In addition to the above minimum policy requirements, you should consider deploying advanced protection policy settings like Restrict cut, copy and paste with other apps to further prevent corporate data leakage. For more information on the available settings, see Android app protection policy settings in Microsoft Intune and iOS app protection policy settings.

Important

To apply Intune app protection policies to apps on Android devices that are not enrolled in Intune, the user must also install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app protection policies.

Leveraging Mobile Device Management for Office 365

If you don't plan to leverage the Enterprise Mobility + Security suite, you can use Mobile Device Management (MDM) for Office 365. This solution requires that mobile devices be enrolled. When a user attempts to access Exchange Online with a device that is not enrolled, the user is blocked from accessing the resource until they enroll the device.

Because this is a device management solution, there is no native capability to control which apps can be used, even after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you will need to obtain Azure Active Directory Premium licenses and leverage the conditional access policies discussed in Block all email apps except Outlook for iOS and Android using conditional access.

An Office 365 global admin must complete the following steps to activate and set up MDM for Office 365. See Set up Mobile Device Management (MDM) in Office 365 for the complete steps. In summary, these steps include:

  1. Activating MDM for Office 365 by following the steps in the Security & Compliance Center.

  2. Setting up MDM for Office 365 by, for example, creating an APNs certificate to manage iOS devices, and by adding a Domain Name System (DNS) record for your domain to support Windows phones.

  3. Creating device policies and applying them to groups of users. When you do this, your users will get an enrollment message on their device, and when they've completed enrollment, their devices will be restricted by the policies you've set up for them.

Note

Policies and access rules created in MDM for Office 365 will override both Exchange mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange mobile device mailbox policy or device access rule that is applied to that device will be ignored.

Leveraging Exchange Online mobile device policies

If you don't plan on leveraging either the Enterprise Mobility + Security suite or the MDM for Office 365 functionality, you can implement an Exchange mobile device mailbox policy to secure the device, and device access rules to limit device connectivity.

Mobile device mailbox policy

Outlook for iOS and Android supports the following mobile device mailbox policy settings in Exchange Online:

  • Device encryption enabled

  • Min password length

  • Password enabled

For information on how to create or modify an existing mobile device mailbox policy, see Mobile device mailbox policies in Exchange Online.
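The following is an added example, not code from the original article, showing a mobile device mailbox policy built from only the three settings listed above as supported by Outlook for iOS and Android, then assigned to a mailbox. The policy name, the mailbox address, and the minimum password length of 6 are placeholder values chosen for the example; it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline
# has already been run. Policy name and mailbox address are placeholders.
$policyName = 'Outlook Mobile Baseline'

# Create the policy only if it does not exist yet, so the script is safe to re-run.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $policyParams = @{
        Name                    = $policyName
        PasswordEnabled         = $true   # "Password enabled"
        MinPasswordLength       = 6       # "Min password length"; 6 is an example value
        RequireDeviceEncryption = $true   # "Device encryption enabled"
    }
    New-MobileDeviceMailboxPolicy @policyParams
}

# Assign the policy to a single mailbox (placeholder address). To apply it to
# everyone without an explicit assignment instead, use:
#   Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true
Set-CASMailbox -Identity 'user@contoso.example' -ActiveSyncMailboxPolicy $policyName

# Confirm the three settings the app will honour.
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List Name, PasswordEnabled, MinPasswordLength, RequireDeviceEncryption
```

Settings on the policy beyond these three (for example, password complexity or inactivity timeouts) are not enforced by Outlook for iOS and Android, so the check at the end deliberately lists only the ones the app honours.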

In addition, Outlook for iOS and Android supports Exchange Online's device-wipe capability. When executed, only the app is wiped, because Exchange Online considers the Outlook for iOS and Android app to be the mobile device. For more information on how to perform a remote wipe, see Wipe a mobile device in Office 365.

Note

Outlook for iOS and Android only supports the "Wipe Data" remote wipe command and does not support "Account Only Remote Wipe Device."

Device access policy

Outlook for iOS and Android should be enabled by default, but in some existing Exchange Online environments the app may be blocked for a variety of reasons. Once an organization decides to standardize how users access Exchange data and to use Outlook for iOS and Android as the only email app for end users, you can configure blocks for other email apps running on users' iOS and Android devices. You have two options for instituting these blocks within Exchange Online: the first option blocks all devices and only allows usage of Outlook for iOS and Android; the second option allows you to block individual devices from using the native Exchange ActiveSync apps.

Option 1: Block all email apps except Outlook for iOS and Android

You can define a default block rule and then configure an allow rule for Outlook for iOS and Android, and for Windows devices, using the following Exchange Management Shell commands. This configuration will prevent any native Exchange ActiveSync app from connecting, and will only allow Outlook for iOS and Android.

  1. Create the default block rule:

    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

  2. Create an allow rule for Outlook for iOS and Android:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow

  3. Optional: Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app included in Windows 10):

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP8" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WindowsMail" -AccessLevel Allow
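
The three steps above are shown here as one script; this is an added example, not code from the original article. It applies the same configuration idempotently (re-running it does not create duplicate rules), flags an existing rule that contradicts the intended allow, and prints the resulting state. The rule names are chosen for the example and the script assumes a connected Exchange Online PowerShell session.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline
# has already been run. Rule names below are example values.

# Allow rules from steps 2 and 3. Drop the Windows entries if you do not need them.
$allowRules = @(
    @{ Name = 'Allow Outlook for iOS and Android'; Characteristic = 'DeviceModel'; QueryString = 'Outlook for iOS and Android' }
    @{ Name = 'Allow Windows Phone';               Characteristic = 'DeviceType';  QueryString = 'WP' }
    @{ Name = 'Allow Windows Phone 8';             Characteristic = 'DeviceType';  QueryString = 'WP8' }
    @{ Name = 'Allow Windows Mail';                Characteristic = 'DeviceType';  QueryString = 'WindowsMail' }
)

# Step 1: default access level Block. Only change it when it is not already Block.
if ((Get-ActiveSyncOrganizationSettings).DefaultAccessLevel -ne 'Block') {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
}

# Steps 2 and 3: create each allow rule only if no rule for the same characteristic
# and exact query string exists. QueryString is an exact match, so "Outlook*" would
# never match; the string has to be reproduced verbatim.
$existing = @(Get-ActiveSyncDeviceAccessRule)
foreach ($rule in $allowRules) {
    $match = $existing | Where-Object {
        $_.Characteristic -eq $rule.Characteristic -and $_.QueryString -eq $rule.QueryString
    } | Select-Object -First 1

    if (-not $match) {
        New-ActiveSyncDeviceAccessRule -Name $rule.Name `
            -Characteristic $rule.Characteristic `
            -QueryString $rule.QueryString `
            -AccessLevel Allow
    }
    elseif ($match.AccessLevel -ne 'Allow') {
        # A Block or Quarantine rule for the same string defeats the intent of this
        # configuration. Report it for review instead of silently overwriting it.
        Write-Warning "Rule '$($match.Name)' matches '$($rule.QueryString)' but has AccessLevel $($match.AccessLevel)"
    }
}

# Final check: default level plus every rule now in effect.
"DefaultAccessLevel: $((Get-ActiveSyncOrganizationSettings).DefaultAccessLevel)"
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```

The warning branch matters because device access rules are evaluated before the organization default: a leftover Block rule for "Outlook for iOS and Android" would win over the default and keep the app blocked even after this script runs.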
    

Option 2: Block native Exchange ActiveSync apps on Android and iOS devices

Alternatively, you can block native Exchange ActiveSync apps on specific Android and iOS devices or other types of devices.

  1. Confirm that there are no Exchange ActiveSync device access rules in place that block Outlook for iOS and Android:

    Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | ft Name,AccessLevel,QueryString -auto

    If any device access rules that block Outlook for iOS and Android are found, type the following to remove them:

    Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | Remove-ActiveSyncDeviceAccessRule

  2. You can block most Android and iOS devices with the following commands:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPod" -AccessLevel Block

  3. Not all Android device manufacturers specify "Android" as the DeviceType. Manufacturers may specify a unique value with each release. To find other Android devices that are accessing your environment, execute the following command to generate a report of all devices that have an active Exchange ActiveSync partnership:

    Get-MobileDevice | Select-Object DeviceOS,DeviceModel,DeviceType | Export-CSV c:\temp\easdevices.csv

  4. Create additional block rules, depending on your results from Step 3. For example, if you find that your environment has high usage of HTCOne Android devices, you can create an Exchange ActiveSync device access rule that blocks that particular device, forcing the users to use Outlook for iOS and Android. In this example, you would type:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "HTCOne" -AccessLevel Block

    Note

    The QueryString parameter does not accept wildcards or partial matches.
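Steps 3 and 4 leave the administrator to read the exported CSV by hand. The following added example (not code from the original article) automates that review: it takes the device inventory and the current access rules, applies the exact-match semantics of QueryString, and lists the DeviceType values that no rule covers, with a ready-to-review block command for each. It runs offline against the constructed sample data embedded below; the comments show the live cmdlets that produce objects of the same shape.

```powershell
# Added example (not from the original article). All device and rule values
# below are constructed sample data, not output from a real tenant.

function Get-UncoveredDeviceTypes {
    param(
        # Objects with DeviceOS, DeviceModel, DeviceType (shape of Get-MobileDevice output)
        [Parameter(Mandatory)] [object[]] $Devices,
        # Objects with Characteristic, QueryString, AccessLevel (shape of Get-ActiveSyncDeviceAccessRule output)
        [Parameter(Mandatory)] [object[]] $Rules
    )

    # QueryString is an exact match (no wildcards, no partial matches), so a device is
    # covered only when a rule's string equals its DeviceType or DeviceModel verbatim.
    # UserAgent is not part of the Get-MobileDevice output, so UserAgent rules are ignored here.
    $typeStrings  = @($Rules | Where-Object { $_.Characteristic -eq 'DeviceType' }  | ForEach-Object { $_.QueryString })
    $modelStrings = @($Rules | Where-Object { $_.Characteristic -eq 'DeviceModel' } | ForEach-Object { $_.QueryString })

    $Devices |
        Where-Object { ($typeStrings -notcontains $_.DeviceType) -and ($modelStrings -notcontains $_.DeviceModel) } |
        Group-Object DeviceType |
        ForEach-Object {
            [pscustomobject]@{
                DeviceType = $_.Name
                Count      = $_.Count
                SampleOS   = ($_.Group | Select-Object -First 1).DeviceOS
                # Command to review before running; confirm the device type really is unwanted.
                Suggested  = "New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString `"$($_.Name)`" -AccessLevel Block"
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample inventory. Live equivalent:
#   $devices = Get-MobileDevice | Select-Object DeviceOS, DeviceModel, DeviceType
# or Import-Csv on the file exported in step 3.
$devices = @(
    [pscustomobject]@{ DeviceOS = 'Android 8.0'; DeviceModel = 'HTCOne';                      DeviceType = 'HTCOne' }
    [pscustomobject]@{ DeviceOS = 'Android 8.0'; DeviceModel = 'HTCOne';                      DeviceType = 'HTCOne' }
    [pscustomobject]@{ DeviceOS = 'Android 7.1'; DeviceModel = 'SampleModelA';                DeviceType = 'SampleVendorA' }
    [pscustomobject]@{ DeviceOS = 'Android 9';   DeviceModel = 'SampleModelB';                DeviceType = 'Android' }
    [pscustomobject]@{ DeviceOS = 'iOS 12.1';    DeviceModel = 'SampleModelC';                DeviceType = 'iPhone' }
    [pscustomobject]@{ DeviceOS = 'iOS 12.1';    DeviceModel = 'Outlook for iOS and Android'; DeviceType = 'Outlook' }
)

# Constructed sample rules: two of the step 2 block rules plus the Outlook allow rule.
# Live equivalent: $rules = Get-ActiveSyncDeviceAccessRule
$rules = @(
    [pscustomobject]@{ Characteristic = 'DeviceType';  QueryString = 'Android';                     AccessLevel = 'Block' }
    [pscustomobject]@{ Characteristic = 'DeviceType';  QueryString = 'iPhone';                      AccessLevel = 'Block' }
    [pscustomobject]@{ Characteristic = 'DeviceModel'; QueryString = 'Outlook for iOS and Android'; AccessLevel = 'Allow' }
)

# With the sample data, HTCOne (2 devices) and SampleVendorA (1 device) are reported;
# Android, iPhone and Outlook are already covered and do not appear.
Get-UncoveredDeviceTypes -Devices $devices -Rules $rules | Format-Table -AutoSize -Wrap
```

Because the function treats DeviceModel rules as covering too, the Outlook app itself (DeviceType "Outlook") drops out of the report once the allow rule from Option 1 exists; without that rule it would be listed, which is itself a useful signal that the allow rule is missing.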


Blocking Outlook for iOS and Android

If you don't want users in your organization to access Exchange data with Outlook for iOS and Android, the approach you take depends on whether you are using Azure Active Directory conditional access policies or Exchange Online's device access policies.

Option 1: Block mobile device access using a conditional access policy

Azure Active Directory conditional access does not provide a mechanism whereby you can specifically block Outlook for iOS and Android while allowing other Exchange ActiveSync clients. That said, conditional access policies can be used to block mobile device access in two ways:

  • Option A: Block mobile device access on both the iOS and Android platforms

  • Option B: Block mobile device access on a specific mobile device platform

Option A: Block mobile device access on both the iOS and Android platforms

If you want to prevent mobile device access for all users, or a subset of users, using conditional access, follow these steps.

Create conditional access policies, with each policy either targeting all users or a subset of users via a security group. Details are in Azure Active Directory app-based conditional access.

  1. The first policy blocks Outlook for iOS and Android and other OAuth-capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online," but for the fifth step, choose Block access.

  2. The second policy prevents Exchange ActiveSync clients that use basic authentication from connecting to Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)."

Option B: Block mobile device access on a specific mobile device platform

If you want to prevent a specific mobile device platform from connecting to Exchange Online, while allowing Outlook for iOS and Android to connect using that platform, create the following conditional access policies, with each policy targeting all users. Details are in Azure Active Directory app-based conditional access.

  1. The first policy allows Outlook for iOS and Android on the specific mobile device platform and blocks other OAuth-capable Exchange ActiveSync clients from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online," but for step 4a, select only the mobile device platform (such as iOS) to which you want to allow access.

  2. The second policy blocks the app on the specific mobile device platform, and other OAuth-capable Exchange ActiveSync clients, from connecting to Exchange Online. See "Step 1 - Configure an Azure AD conditional access policy for Exchange Online," but for step 4a, select only the mobile device platform (such as Android) to which you want to block access, and for step 5, choose Block access.

  3. The third policy prevents Exchange ActiveSync clients that use basic authentication from connecting to Exchange Online. See "Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)."

Option 2: Block Outlook for iOS and Android using Exchange mobile device access rules

If you are managing your mobile device access via Exchange Online's device access rules, you have two options:

  • Option A: Block Outlook for iOS and Android on both the iOS and Android platforms

  • Option B: Block Outlook for iOS and Android on a specific mobile device platform

Every Exchange organization has different policies regarding security and device management. If an organization decides that Outlook for iOS and Android doesn't meet their needs or is not the best solution for them, administrators have the ability to block the app. Once the app is blocked, mobile Exchange users in your organization can continue accessing their mailboxes by using the built-in mail applications on iOS and Android.

The New-ActiveSyncDeviceAccessRule cmdlet has a Characteristic parameter, and there are three Characteristic options that administrators can use to block the Outlook for iOS and Android app: UserAgent, DeviceModel, and DeviceType. In the two blocking options described in the following sections, you will use one or more of these characteristic values to restrict the access that Outlook for iOS and Android has to the mailboxes in your organization.

The values for each characteristic are displayed in the following table:

Characteristic   String for iOS                String for Android
DeviceModel      Outlook for iOS and Android   Outlook for iOS and Android
DeviceType       Outlook                       Outlook
UserAgent        Outlook-iOS/2.0               Outlook-Android/2.0

Option A: Block Outlook for iOS and Android on both the iOS and Android platforms

With the New-ActiveSyncDeviceAccessRule cmdlet, you can define a device access rule using either the DeviceModel or the DeviceType characteristic. In both cases, the access rule blocks Outlook for iOS and Android across all platforms, and will prevent any device, on both the iOS platform and the Android platform, from accessing an Exchange mailbox via the app.

The following are two examples of a device access rule. The first example uses the DeviceModel characteristic; the second example uses the DeviceType characteristic.

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Block

Option B: Block Outlook for iOS and Android on a specific mobile device platform

With the UserAgent characteristic, you can define a device access rule that blocks Outlook for iOS and Android on a specific platform. This rule will prevent a device from using Outlook for iOS and Android to connect on the platform you specify. The following examples show how to use the device-specific value for the UserAgent characteristic.

To block Android and allow iOS:

    New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Allow

To block iOS and allow Android:

    New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Block

Exchange Web Services (EWS) application policies

Beyond Microsoft Intune, MDM for Office 365, and Exchange mobile device policies, you can also manage the access that mobile devices have to information in your organization through EWS application policies. An EWS application policy can control whether or not applications are allowed to leverage the REST API. Note that when you configure an EWS application policy that only allows specific applications access to your messaging environment, you must add the user-agent strings for Outlook for iOS and Android to the EWS allow list.

The following example shows how to add the user-agent strings to the EWS allow list:

    Set-OrganizationConfig -EwsAllowList @{Add="Outlook-iOS/*","Outlook-Android/*"}
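
The one-liner above adds the two entries unconditionally. The following added example (not code from the original article) wraps it in the checks a practitioner would want: it reads the current EWS policy and allow list first, adds only the entries that are missing so existing entries and repeated runs are harmless, and warns when the allow list is not actually being enforced. It assumes a connected Exchange Online PowerShell session and relies on the EwsApplicationAccessPolicy setting of Set-OrganizationConfig, whose EnforceAllowList value is what makes EwsAllowList take effect.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline
# has already been run.

# User-agent patterns the article requires on the allow list.
$required = @('Outlook-iOS/*', 'Outlook-Android/*')

$config = Get-OrganizationConfig
"Current EWS application access policy: $($config.EwsApplicationAccessPolicy)"
"Current EWS allow list: $($config.EwsAllowList -join ', ')"

# @{Add=...} appends to the list, so adding only the missing entries keeps any
# other applications the organisation has already allowed.
$missing = @($required | Where-Object { $config.EwsAllowList -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-OrganizationConfig -EwsAllowList @{ Add = $missing }
    "Added to EWS allow list: $($missing -join ', ')"
}
else {
    "EWS allow list already contains the Outlook for iOS and Android user agents."
}

# The allow list is only consulted when the access policy is EnforceAllowList.
# With any other value the entries above are inert, so call that out explicitly
# rather than switching the policy, which would also start blocking every
# application not yet on the list.
if ($config.EwsApplicationAccessPolicy -ne 'EnforceAllowList') {
    Write-Warning ("EwsApplicationAccessPolicy is '{0}'. Review the full allow list, then run " +
        "Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList to enforce it.") -f $config.EwsApplicationAccessPolicy
}

# Re-read to confirm the resulting state.
Get-OrganizationConfig | Format-List EwsApplicationAccessPolicy, EwsAllowList
```

The script does not flip the policy to EnforceAllowList on its own because that change is tenant-wide: every EWS client whose user agent is absent from the list is cut off the moment it takes effect, so the list should be reviewed as a whole before enforcement is switched on.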