Azure Information Protection: If OS {7, 8, 10} and Office {2010, 2013, 2016, 365} which Clients do I need for AIP?

Many customers are currently looking for a solution to protect their content. Finding themselves within the Microsoft Office 365 and Azure ecosystem, they realize that they might already be able to use a solution for information protection. But this often leads to the question: how can I, and more importantly, how can my users take advantage of Azure Information Protection (AIP)?
I will try to answer those questions in this blog post.

So the first question might be:
Which Windows Version do I need, to be able to use AIP?
This first one is quite easy: currently, all supported Microsoft client operating systems do not support Azure Information Protection. Starting with Windows Vista (or Windows Server 2008), all operating systems include the Rights Management Services (RMS) client (also called MSIPC), which is required for using Azure RMS or Active Directory RMS (the on-premises service). Any application that has implemented the RMS features can then use the protection options of a connected RMS source.
However, the version of the RMS client included with the operating system is not the current one, and you may not get the current version through Windows Update. From the FAQ of the RMS client version 2:

Is the RMS client included by default when I install a supported operating system?
No. This version of the RMS client ships as an optional download that can be installed separately on computers running supported versions of the Microsoft Windows operating system.

So we don’t have to deploy the RMS client version 2 separately: as we will see in the later topics, it is included in the other packages, and for regular application purposes the default RMS client will work.
See the RMS Client Documentation Deployment Notes for more information.

This brings us to our next question:
Do I need additional Software to use RMS within Applications?
The answer is simply: No, you don’t, but for AIP you will.
And you might want to, because with the version of the RMS client shipped with the operating system, you can only use the commands that a developer has included in their product. For example, in Microsoft Office from version 2010 (with the required service pack) up to the current version of Office, you can use the protect command within Word or Excel:
RMS in Office Application
This image shows the integration of the RMS client within the Office products out of the box. The user can select a pre-existing template to protect a document, but he/she will not be able to select only a few users, or to assign the protection in a simple way.
To close the gap to a more user-friendly presentation, there are two different clients that extend the RMS client functionality; I will describe them later on.
For automation purposes, you can also use a connector between your on-premises resources and Azure RMS, and automatically protect files within SharePoint or on a file server using the File and Resource Manager Feature.

I have mentioned the additions to the RMS client that are available from Microsoft. There are two of them: one is called the RMS sharing application, and the other is simply called Microsoft Azure Information Protection. Let me first talk about the new and improved Microsoft Azure Information Protection client, so here it comes, the:
What can I do with the Microsoft Azure Information Protection?
This client helps you (or your IT) and your end users as well. From the end user's perspective, he will receive a new bar within Office (and other products where it is supported; see this list for more information), where he can select the purpose of the document:
Azure Information Protection Office Integration
After a click on a sensitivity option to which a template is assigned (the assignment of a template is done through the Azure portal), the document gets protected and shows this to the user:
AIP Office Permissions
As the author, all permissions are granted to my account.
You can trigger this protection automatically based on the content or other data of the document; even regular expressions to detect personal ID numbers can be implemented.
The document itself looks like a regular Word Document:
Protected Word Document
When you open the file again, you might be asked to authenticate, depending on the RMS template, and you can then view or edit the document as before. Co-workers can open the file as well, if the template allows them to do so.
You can find the AIP Client in the Microsoft Download Center: download link

Last but not least, the
What is the Rights Management sharing application?
This application was the first Azure RMS related client. It was introduced to manage protection more easily, also from within File Explorer for document applications that are not natively supported (like Notepad or PDF). But even in the early days, it took only a short amount of time until the first publishers implemented RMS in their products; Foxit PDF Reader is one of those examples.
So how can end users use the features of the sharing application? The sharing app adds another button to the Office products:
RMS sharing application
Within the wizard that opens, the user can select which permissions are granted, and to whom.
Another option is to protect documents that are not recognized by the sharing application. Just open File Explorer, navigate to the file, and right-click to open the context menu:
RMS Sharing Application File Explorer
When the protection was successful, the file extension gets a leading p:
RMS Protected bmp
The RMS sharing application brings a reader for a small set of file types (like txt), so a file does not have to be unprotected to be read. Those readers can be triggered by double-clicking a protected file, like “this_is_a_textfile.ptxt”.
You can find the RMS sharing application on the Microsoft download Center: download link
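The naming convention described above (a protected copy gets an extension with a leading p, such as .ptxt) can be used to inventory a file share by name. The following PowerShell is an added example, not part of the original post or of any Microsoft tool; the function names and the $KnownTypes list are assumptions made for illustration.

```powershell
# Added example (not from the original post). $KnownTypes is a constructed
# sample list of base extensions; adjust it to the types you protect.
$KnownTypes = 'txt', 'bmp', 'jpg', 'png', 'pdf', 'xml'

function Get-ProtectionNameState {
    # Classifies a file name by the "leading p" convention only; it never opens the file.
    param([Parameter(Mandatory)][string]$FileName)
    $ext = [System.IO.Path]::GetExtension($FileName).TrimStart('.').ToLowerInvariant()
    if ($ext.Length -gt 1 -and $ext.StartsWith('p') -and $KnownTypes -contains $ext.Substring(1)) {
        return 'Protected'      # e.g. ptxt -> txt, ppdf -> pdf
    }
    if ($KnownTypes -contains $ext) {
        return 'Unprotected'    # pdf and png start with "p" but are plain types
    }
    return 'Unknown'            # Office files keep their extension when protected
}

function Get-ProtectionInventory {
    # Walks a folder tree and reports the name-based state of every file.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Folder = $_.DirectoryName
            Name   = $_.Name
            State  = Get-ProtectionNameState -FileName $_.Name
        }
    }
}

function Get-UnprotectedSibling {
    # Flags plain files that sit next to a protected copy of the same name
    # (report.pdf beside report.ppdf), which are worth a manual review.
    param([Parameter(Mandatory)][object[]]$Inventory)
    $protected = @{}
    foreach ($item in ($Inventory | Where-Object State -eq 'Protected')) {
        $base = [System.IO.Path]::GetFileNameWithoutExtension($item.Name)
        $ext  = [System.IO.Path]::GetExtension($item.Name).Substring(2)
        $protected["$($item.Folder)|$base.$ext".ToLowerInvariant()] = $true
    }
    $Inventory | Where-Object {
        $_.State -eq 'Unprotected' -and
        $protected.ContainsKey("$($_.Folder)|$($_.Name)".ToLowerInvariant())
    }
}

# Constructed sample names, classified without touching the disk.
'this_is_a_textfile.ptxt', 'scan.pbmp', 'report.pdf', 'report.ppdf', 'deck.pptx' |
    ForEach-Object { '{0,-26} {1}' -f $_, (Get-ProtectionNameState -FileName $_) }
```

To audit a real folder, pass the output of Get-ProtectionInventory to Get-UnprotectedSibling; the result lists plain files that still exist beside a protected copy.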

I also want to mention that RMS is not limited to Microsoft operating systems, and that there are a lot more features than I explained in this blog post, which looks at the client side. It is really worth checking the availability of RMS for your company, and checking where protection and tracking (see how tracking works) is required.
