Microsoft Information Protection (MIP)

The University has endorsed the Data Classification and Data Governance Policy in Aug 2016 which aims to protect the University digital information from being accessed by unauthorized person. The paper proposes a comprehensive framework with 3 components:

1. Data Classification Standard – to define confidentiality level of data
2. Data Governance Policy – to define accountabilities and decision rights of people
3. Enforcement of data protection with Azure AIP – to enforce data security policies for the protection on various data class

Introduction

Microsoft Information Protection – MIP (formerly Azure Information Protection – AIP and Rights Management Service – RMS) is a data protection solution which helps you to classify, label and protect the documents according to the confidential level of the information.  Once a document is classified and labelled, corresponding predefined security policy will be applied immediately to protect the document and limit the access against unauthorized person.  Document owner can also monitor the access of the document and revoke the access of the document anytime if it is found misuse.

Implementation Scope

Include:

• Microsoft Office (and AIP Client)
• Exchange Online (including OWA for Exchange Online)

Supported Platforms

• Windows 8, 10
• Mac OS
• iOS
• Android

• Full MIP User Guide
• Briefing Sessions: Registration and Presentation Notes

For standalone installation:

• For standalone installation, you may download and extract the AIP unified labeling client (v2) installation file “AZInfoProtection_UL.exe” at https://www.microsoft.com/en-us/download/details.aspx?id=53018.

For central deployment:

• For central deployment, you may download and extract the AIP unified labeling client (v2) MSI file “AZInfoProtection_UL_MSI_for_central_deployment.msi” at https://www.microsoft.com/en-us/download/details.aspx?id=53018.

General

Q1: Could AIP encrypted MS documents be opened and edited in O365 on web or on mobile (Office 365 mobile apps for Android, Office 365 mobile apps for iOS) ?

A1: On web, AIP encrypted MS documents cannot be opened/edited in office 365 web app. However, it would prompt you to open a document locally (i.e. with local MS Office applications). After your editing and saving, the document would be automatically sync back to online storage such as OneDrive for Business or SharePoint Online.

On mobile, AIP encrypted MS documents can be opened/edited by Android and iOS office apps (Word, Excel, PowerPoint) developed by Microsoft.

Q2: For AIP encrypted (via outlook) emails , can recipients open and read them in Android and iPhone using the built-in mobile mail app but not an MS Outlook app?

A2: Protected emails will appear as an attachment with extension .rpmsg. You can open the message by AIP Viewer app. When you reply to this email, (1) conversation history would not be included in the reply message, and (2) reply message would not be encrypted/protected by AIP anymore.

Q3: Can AIP be applied to standalone forest (department AD) for the Data Governance Policy? We have our own Windows AD, is it necessary to join University AD?

A3: Currently, the University does not have any policies that mandatorily require department AD must be joined to the University’s AD. However, when sourcing solutions to support departments implementing IT policies, department managed IT resources may not be fully covered/supported owning to various factors.

To cope with the Data Classification and Data Governance Policy, the implementation of AIP can help to protect digital information according to defined data class. Departments with her AD joined to the University’s AD could enjoy benefits such as:

• Single account and credential to sign in Office 365 and access AIP protected documents. User experience will be less complex and don’t need to remember multiple accounts when accessing department and university resources. Desktop support by LAN admin would be easier as well.
• AIP configurations managed and updated by ITSC. ITSC will observe changes in Data Classification and Data Governance Policy and manage changes in AIP configurations. Such that changes in AIP would be tested and deployed to keep it complying with the policy.

Q4: Below is extracted from AIP User Guide, does ‘Offline Access’ mean that users can access confidential file without password in their mobile device for, say, 7 days?

A4: Offline access is a feature in AIP to balance between security and convenience. Simply speaking, after each authorization against AIP cloud service, users can access protected documents on that particular device for, say, 7 days, without re-authorization. Therefore, within these 7 days the device could in offline mode, do not need internet connection or login to O365, and still can access the documents. Detail workflow as described below:

1. During first use of AIP client, or access to AIP protected documents, users will be prompted to input username/password for authentication.
2. Authentication credential will be cached for a period of time on AIP client, or Microsoft Office. So users only need to input password once until the cache expires or password changed.
3. Authorization is performed against AIP cloud service whenever users do not have a valid token for a document.
4. Authorization token for that document would be cached on user device for a number of days (the offline access setting).
5. If offline access is not set, authorization will be required on EVERY time users open the document. This requires an internet connection to AIP cloud service.
6. If offline access is set to very large, permission revoke could not be effective timely, until the authorization token expires on user device.

Q5: If the original owner of AIP-protected file left the University, can we still access the file or update the file owner?

A5: Even the original owner left the University, the file should still be accessible by authorized users. But if update of file owner is needed, department would need to submit to ITSC Service Desk, Information Security > General Enquiry / Azure Information Protection (AIP), or contact infosec@cuhk.edu.hk for arranging updates.

Installation

Q1: My computer is AD-joined and my AIP is installed by the software assignment through AD Group Policy. After the software assignment and rebooted my computer, I fail to locate AIP client.

A1: Yes, the installation of the AIP would be started after your computer is rebooted, and the process is so transparent that you may feel nothing happened. The installation requires a few minutes to finish. When it is successfully installed, the ‘Azure Information Protection Viewer’ would be appeared on the Windows START menu.

Usage

Q1: My colleague sent me an AIP protected email and I can’t open it using Outlook, it prompted out:

     I clicked yes, it showed me that I already signed in:

I clicked on the current account and this pop-up windows closed. But I still failed to open the email.However, when I used web OWA, I can open the email. Don’t know if I have something mis-configured.

A1: We also experienced similarly before on AD joined computer where Office signed in automatically to on-premises AD account but not O365 account through ADFS. Please try to sign out your MS Office Application (in menu, File > Account > Sign out), and then sign in again.

Q2: My colleague sent me an AIP protected email and I can’t open it using my Outlook, it prompted out:

A2: Please check if the email could be read by using OWA (Direct link: https://outlook.office.com/owa/)? If it is readable on OWA, it means the permission should be correct. Please try to sign out your MS Outlook, and then sign in again.

Q3: It was told that protected emails sent to @cuhk.edu.hk had no expiry indicating that it could be always readable. However, protected emails sent to other domains (such as departmental email address or external email address) would be only readable in 60 days by default, and this default setting could not be amended. How should we interpret it?

A3: Please interpret as below:

• The default labels (confidential / strictly confidential) will protect emails and allow access by accounts in @cuhk.edu.hk domain only.
• If protected email sends to @cuhk.edu.hk directly, there is no expiry date and always readable.
• If protected email sends to @cuhk.edu.hk then forwarded to @dept.cuhk.edu.hk, user need to access through the link to web portal and login using the @cuhk.edu.hk account, with 60 days expiry.
• If protected email sends to @dept.cuhk.edu.hk directly, sorry there is no way to read.

Q4: Could I send protected emails or share protected documents with students?

A4: AIP is for CUHK staff (at their personal account – @cuhk.edu.hk) to apply protection on their emails or documents​. You could use “custom permissions” to share a protected documents with other users (such as students) by specifying the students email addresses in the designated dialogue box.

Q5: I received an AIP protected excel file which I should have permission to open, but I can’t open it with my MS Excel even I’ve login my O365 account.

A5: If you encounter the problem with MS Office 2016, it is recommended to upgrade it to MS Office 2019 or later version.

Alternatively, please try another temporary solution, which is applicable for users using Kaspersky Endpoint Security Anti-virus software Version 11.1, with the steps below:

1. Find the Kaspersky antivirus software icon on Windows taskbar > right click the icon > click “Pause protection and control”;
2. Open the AIP protected documents again, and you should be able to open the file without problem;
3. Resume the Kaspersky antivirus protection immediately: Right click the Kaspersky icon on Windows taskbar > click “Resume protection and control”

You only need to perform the above steps once and should be able to open other AIP protected documents without error afterwards.

Q6: Can I open AIP protected PDF files directly with Acrobat Reader?

A6: Please check if your Acrobat Reader/DC version is the supported version mentioned in Adobe webpage (https://helpx.adobe.com/acrobat/kb/mip-plugin-download.html), if yes, you can download and install related MIP plugins from this page for opening AIP protected PDF files.