SharePoint (and Project Server) Shenanigans

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Parts 1 to 5 discuss IRM capability from a SharePoint perspective.  Details:

Part 1: https://spandps.com/2015/09/21/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-1/

In the second article we covered file type support.

Part 2: https://spandps.com/2015/09/22/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-2/

In the third article we covered file type support in detail as well as the document library experience.

Part 3: https://spandps.com/2015/09/23/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-3/

In the fourth article we covered IRM permissions in comparison with SharePoint permissions.

Part4: https://spandps.com/2015/09/24/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-4/

In the fifth article we looked at the different clients across Windows, Mac and Mobile to see how they reacted to a protected file.

Part 5: https://spandps.com/2015/10/03/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-5/

So we have covered the SharePoint IRM capabilities a lot and in the conclusion to this series of articles, we shall discuss the various merits of the IRM implementation in SharePoint vs. AD RMS capabilities.

Before we do that however, we need to discuss Azure AD RMS (Active Directory Rights Management Server.

To put things into context, SharePoint IRM is essentially a subset of the functionality of Azure AD RMS (Source(s): https://technet.microsoft.com/en-us/magazine/2009.04.insidesharepoint.aspx?pr=blog, https://social.technet.microsoft.com/forums/windowsserver/en-US/d5c64cfe-0778-4a3b-a02e-4eae3ca9ac43/what-is-difference-between-ad-rms-and-irm) and in my initial interaction, the two capabilities don’t quite interact with each other in the way you would expect (the very reason this series of articles started in fact!)

Let’s get started….

What is Azure RMS?

So my biggest suggestion to answer this would be to take a look at these set of articles:

• What is Azure RM: https://technet.microsoft.com/en-us/library/jj585026.aspx
• Terminology: https://technet.microsoft.com/en-us/library/dn595132.aspx
• Azure Rights Management requirements: https://technet.microsoft.com/en-us/library/dn655136.aspx
• Compare Azure RMS with AD RMS (On-Premise): https://technet.microsoft.com/en-us/library/jj739831.aspx

High level… like the SharePoint IRM O365 solution we have been looking at in the previous articles, it would appear that Azure RMS is a superset of the SharePoint IRM functionality.  By this I mean that Azure RMS is the overriding technology and SharePoint IRM is a small portion of the overall capability.

How does it work with standard office files?

Take a look at this article:

• Azure RMS client device support: https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedDevices

Which gives us a good indication of the potential support for this solution but is the reality for users… lets take a look:

Microsoft Office Interaction (Desktop)

After you install the Azure RMS client application in Windows or Mac OSX, you have an add-in added to your Microsoft Office suite like this:

By clicking on Share Protected the following screen pops up with various options including:

• Policy selection (standard ones and corporate specific setup by your company)
• Expiration of the permissions which will lock down the document once the date has passed
• Document tracking notifications via email
• Ability to revoke permission as required.

You can target these permissions to specific user email address and the address entered can have blacklists (for example outlook.com etc.)

Once you click send, this pops up as it works its protection voodoo magic:

Then outlook pops up with a pre-formatted message with not just a Word document but also a Protected PDF also!  (This is also the case with the add-in for Excel and PowerPoint)

If you do this same option from within an Outlook email.  You must have an attachment on the email, it will then run through the same process, create a Protected PDF as well and send the email.

The Microsoft Azure RMS service also sends you a follow up email straight away with confirmation of who you sent it to and details on how to track and revoke access:

Clicking on the tracking link gives you an overview of the document, with tracking details and the ability to control the access.

From this screen you can see who has access currently, when  (Timeline) & Where (Map) they accessed the document.  Settings also controls your notifications.

At the bottom of the screen you can get an excel report of the activity on the document as well as the ability to revoke access.

How does it work with file formats outside of Microsoft Office?

For any other file type, extensions to Windows Explorer have been added in the right click context menu of the file(s) selected.  Just to note, you cannot protect a folder.

Once you select the permission type, the file is protected in place.

If you select Custom Permissions… the same dialogue appears as before whilst we were in the MS Office application allowing you to select permissions and notification options.

Now, because you are protecting a file that may not have built in support for the Azure RMS capabilities, as part of the client install for Azure RMS, you have a file viewer.

So for the Yammer Logo png that we have above, we get the following when we double click the protected file:

As you can see, it has changed the file extension to a ppng file type and now Windows opens it inside the Microsoft Rights Management viewer.  I wrapper if you will that will check the file permissions centrally within Azure RMS before you can open the file.

How can I get this capability – Server Setup?

Start by looking here: https://technet.microsoft.com/en-us/library/dn440580.aspx

Essentially you login to your tenant admin and you can choose to use Microsoft’s security keys and activate the service.

How can I get this capability – Client Setup?

The Office add-in and the Windows Explorer options are installed using a free client available here: https://portal.aadrm.com/home/download

Next Post(s)

Ok, these posts appear to get very long as I start to delve into things… so we are splitting things up further…  next up, we shall explore the permission options including revoking access to documents from a central location.

We will also, in a future post compare this solution with the SharePoint IRM capability, which we know is related but in my brief experience is not necessarily the same!

So until I find time to do the next post… stay nerdy peeps!

This article is part of a series:

In the first article of this series we discussed what IRM was, some scenarios and high level device supportability.

Part 1: https://spandps.com/2015/09/21/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-1/

In the second article we covered file type support.

Part 2: https://spandps.com/2015/09/22/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-2/

In the third article we covered file type support in detail as well as the document library experience.

Part 3: https://spandps.com/2015/09/23/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-3/

In the fourth article we covered IRM permissions in comparison with SharePoint permissions.

Part4: https://spandps.com/2015/09/24/o365-sharepoint-onlineinformation-rights-management-irmwhat-works-what-doesnt-in-a-business-context-part-4/

Ok, next up is the client experience.  We all work in a connected world with multiple devices from mobile to desktop to web.

Let’s take a look at the experience people get across the various devices.  The devices I shall be looking at are:

• Windows
• Mac OSX
• iOS – iPhone
• iOS – iPad
• Android
• Windows Mobile
• Web

For this test, I have a Word document which had its IRM rights applied last week with an expiry set to 1 day.

This is an example of the settings I am using against my list:

So without further ado:

Windows – Microsoft Word 2016

As per Word 2013 on windows, Word 2016 asks you to login to your work account to proceed.

Windows – Microsoft Word 2013

As we showed in earlier posts – expired content asks for it to be re-authenticated when off the network where the document came from.

Interestingly, if you are already on the same network, it re-authenticates in the background and it just opens the document.

Windows – Microsoft Word – Universal App

Now that we have Windows 10 upon us and the new rules around the Microsoft Office Mobile Apps being free (screens 10.1” or under), this feels likes a perfect opportunity to try this out on my HP Stream 7 running Windows 10 with the Microsoft Word Universal App.

As you can see, it recognizes the file and is prompting for the credentials to open the file!  Editing is not supported yet, but with the appropriate credentials it can call home and you can view the content.

Windows – Word Pad

The hacker in me likes to try other, non-standard avenues… WordPad doesn’t know what to do with the document…

Windows – Open Office

OpenOffice (Apache Foundation – 4.1.1 – latest) doesn’t know what to do either.  It doesn’t recognize the file format.

Windows – Libre Office

Libre Office, also based on Open Office, opens the file and it appears corrupted.  You cannot tell any of the original contents.

Mac OSX – Microsoft Word 2016

With the 2016 revision you can see it fully recognizes the file format and gives the ability to login with your work account!

Mac OSX – Word 2013

In Word 2013 on the Apple Mac, we can see that the document is protected but we do not have the ability to open with our work account.

iOS iPhone – Microsoft Word

Word on the iPhone supports IRM protection and in this scenario, I was off the network using my non-company account.

As you can see, it tries to load, tells me there’s a problem and states that it is under rights management.  Exactly the experience you would hope for from the Microsoft suite of applications.

I suspect a future release will expand on this area.

iOS iPhone – Documents Free (Mobile Office Suite)

No support for IRM on a free MS Word alternative on the App Store.  Further proving that the protection is in the file as expected!

iOS iPad – Microsoft Word

As per the iPhone app, we get the same experience.  In a future release I suspect we will see a more expansive feature set when it comes to IRM.

iOS iPad – Documents Free (Mobile Office Suite)

No support for IRM on a free MS Word alternative on the App Store.  Further proving that the protection is in the file as expected!

Android – Microsoft Word

As you can see, the Android version of Office also supports IRM in terms of detection, but not in terms of opening or editing.  I suspect this will appear in a future release.

Windows Mobile 8.1 – Microsoft Word

As we can see, Word on Windows Mobile as expected doesn’t open the protected file, but rather than recognizing that it is protected with IRM, we get this…

Web – Office Online – Microsoft Word

Office Online understands that it is protected by IRM and stops access.

Interestingly however you cannot edit IRM protected documents online, which means you have to use the desktop application to update the documents.

You get a clue when you try to preview the document from within the library:

Then when you open it in Word Online, you have no option to edit:

From a usability point of view, I will be recommending to my users to always ensure that this setting is enabled to avoid confusion:

This will stop the preview of the document showing and it will only open in Microsoft Word

Web – Google Docs

We just get an unknown error from Google Docs…

Conclusions

So there you have it.  Although this doesn’t consider all applications, it covers most common and some uncommon applications across the majority of platforms (Sorry Blackberry users… just didn’t have the platforms around to test.).

It is fair to say that whether the application supports the SharePoint implementation of IRM or not, you are protected.  It is also fair to say that really you should limit your experience of updating files to the Microsoft Office suite.

To summarize the above findings; take a look at the table below:

Although I focused on the Word application in this post, Excel and PowerPoint on the core platforms (Windows, Apple OSX) work in the same way.

We are assured that the mobile apps that Microsoft produce for iOS, Android and Windows Mobile will support IRM properly soon, but no timeline has been given at the time of writing for this article.  (Please note we will be looking at Azure RMS support in the next few articles where mobile capabilities are available with latest releases)

Next Post(s)

I think we have covered the SharePoint IRM enough… Let’s take a look at Microsoft RMS (Rights Management Server) in Azure next.  It is a similar technology but not the same as IRM (Information Rights Management).

After we have had a look at that, I’ll compare and contrast against my scenarios here at work!

Till the next time… stay nerdy!