
Use of Information Rights Management (IRM) for email and file protection

How to make reference to this User Guide

You can first learn the basic concepts of IRM and what you need to prepare for using IRM:

  1. Introduction
  2. Scope of Support on the use of IRM
  3. Prerequisite
  4. Supported Platforms

A detailed explanation of the ways of protection, suggestions for usage and the file types supported can be found in the following sections.

  1. Ways of Protection
  2. Suggested Protection to Use
  3. Types of Files Supported

The Operation Guide gives step-by-step procedures for sending and reading protected emails/files on different platforms, so that you can choose the method of protecting your email/file with IRM that suits your needs. Some examples are outlined to facilitate understanding.

  1. Operation Guide

The following common usage scenarios illustrate how colleagues work together to use IRM to protect documents:

  1. Common Usage Scenarios of Information Rights Management

You can also refer to the list of Frequently Asked Questions under FAQ and IRM’s Limitations below:

  1. FAQ
  2. Limitations

1. Introduction

IRM (Information Rights Management) is a technology that allows individuals to set access permissions on files and email messages (including attachments). ITS adopted an IRM solution based on Microsoft Azure Information Protection (AIP, formerly known as Azure Rights Management Services). This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file or an email is restricted by using IRM, the access and usage restrictions are enforced even if the file/email reaches unintended recipients.

IRM is currently available for use by staff for email communication. It allows information to be accessed securely (through the use of encryption) by the right persons (through proper rights assignment). The following types of control can be applied by the senders:

  • restrict documents from being copied, edited or printed
  • protect files in place on disk
  • set an expiry date on document access
  • track usage of shared documents
  • revoke access granted on shared documents

Note: A staff member's right to protect and access protected documents using IRM expires immediately after employment ends or upon retirement from the University.

2. Scope of Support on the use of IRM

Currently, the IRM service supports sending and receiving protected emails and files only for HKU staff members using the central email address (i.e. @hku.hk).


3. Prerequisite

Please ensure the following are in place in order to use IRM:

  • Microsoft Office 2013/2016 (requires sign in using @hku.hk account).
  • Install “AIP” (“Azure Information Protection” client developed by Microsoft) for protecting and accessing files with protection on Windows.
  • Install “AIP” (“Azure Information Protection” viewer developed by Microsoft) for accessing files with protection on Android and iOS devices.
  • Install “RMS sharing application” (“Rights Management sharing application” developed by Microsoft) for accessing files with protection on Mac PCs.
  • The Track and Revoke functions require an add-on license to work. Such licenses are assigned to staff on Band G/H/I/J and Terms of Service I who joined the University before 1 June 2017. These licenses may be reclaimed for assignment to other colleagues if they have not been used over a period of time. If you wish to use these functions but have not been assigned the said license, please send your HKU Portal UID to ithelp@hku.hk.

Please follow the procedures below to install RMS sharing application and AIP client:
 

4. Supported Platforms

The table below lists the supported operating systems together with their corresponding supported email systems.

| Platform | Protect file using AIP client | Open file protected by AIP client/RMS sharing application | Write an email with protection | Read an email with protection |
|---|---|---|---|---|
| Windows 7/8/10 | Yes | Yes (AIP client is required) | Yes, using Outlook 2013/2016 or OWA | Yes, using Outlook 2013/2016 or OWA |
| Mac OS X (version 10.9 or above) | Not supported | Yes (RMS sharing application is required) | Yes, using Outlook 2016 for Mac or OWA | Yes, using Outlook 2016 for Mac or OWA |
| Android | Not supported | Yes (AIP Viewer is required) | Not supported | Yes (AIP Viewer is required) |
| iPhone/iPad (iOS 7.0 or above) | Not supported | Yes (AIP Viewer is required) | Yes, using OWA via web browser | Yes (AIP Viewer is required) |

* OWA stands for “Outlook Web Access”, which means the webmail interface available under MyEmail tab under HKU Portal or webmail.hku.hk.


5. Ways of Protection

5.1. Protecting Documents Using Microsoft AIP Labels

Four types of labels can be used to classify the nature of documents:

Name of Label

Level of security protection

Automate Protection upon label assignment

Access permission other than owner

View

Edit (for MS Office documents)

Reply

Copy (for MS Office documents)

Print

Save

Restricted

Highest

Owner access only

X

X

X

X

X

X

Confidential

Internal

Nil

Nil

Public

5.2. Protecting Documents Using Microsoft AIP Custom Permissions

By using "Custom Permissions", different levels of protection can be set when sending protected documents to HKU staff. For example, if you choose the moderate level permission “Reviewer”, the recipients can view, edit, reply, forward and save the document, but cannot copy or print it.

Access permission other than owner (x = not permitted):

| Level of security protection | Permission level | View | Edit (for MS Office documents) | Reply | Copy (for MS Office documents) | Print | Save |
|---|---|---|---|---|---|---|---|
| Highest | Only for me | x | x | x | x | x | x |
| High | Viewer | | x | x | x | x | x |
| Moderate | Reviewer | | | | x | x | |
| Lowest | Co-author | | | | | | |
| Nil | Co-owner (recipient will have full control of the document, including unprotect the document) | | | | | | |

5.3. Protecting Email Message and Attachments

The “Do Not Forward” feature allows you to protect an email message so that the recipients can view, edit, reply to and save the email, but cannot copy, forward or print it.

NOTE: You can attach any files protected by AIP with your email. If you are attaching a Microsoft Office file without protection, the "Do Not Forward" restriction will automatically be applied to the attached file.

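Access permission under the template (x = not permitted):

| Template | View | Edit (for MS Office attachment without protection) | Reply | Copy (for MS Office documents without protection) | Forward (in email) | Print | Save |
|---|---|---|---|---|---|---|---|
| Do Not Forward | | | | x | x | x | |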

 

6. Suggested Protection to Use

 

| Scenario | Protection method to use | Remarks |
|---|---|---|
| Send a protected email without attachment | Do not forward | Protection will be applied to email message. |
| Send a protected email with attachment (not protected prior to sending) | Do not forward | If your attachment contains Microsoft Office file without any protection, protection configured to the email message will be applied to attachment(s) automatically. |
| Send an email with protected attachment(s) | Custom Permissions using AIP client | 1. Email body will not be protected. 2. Supported types of files: text (.txt) and image (.jpg, .png, .bmp) files; Microsoft Office (Word, Excel, PowerPoint) files; Portable document format (.pdf). No usage rights are enforced for non-supported types of files. |
| Send a protected email with protected attachment(s) | Custom Permissions using AIP client + Do not forward | 1. Supported types of files: text (.txt) and image (.jpg, .png, .bmp) files; Microsoft Office (Word, Excel, PowerPoint) files; Portable document format (.pdf). No usage rights are enforced for non-supported types of files. |
| Protect file on hard disk for owner access only | Protect by applying the label "Confidential" or "Restricted" | Original files will be replaced e.g. .pdf > .ppdf. |

Please click here for more common usage scenarios.


7. Types of Files Supported

7.1. Types of files that support full IRM protection when protected using AIP:

  • Text (.txt) files
  • Image files (.jpg/.png/.bmp)
  • Microsoft Office (Word/Excel/PowerPoint) files
  • Portable document format (.pdf)

7.2. Types of files attached to a "Do Not Forward" email message that will be automatically applied with the "Do Not Forward" restriction if the documents are not protected with AIP:

  • Word documents (.doc/.docx/.docm/.dot/.dotx/.dotm)
  • Excel documents (.xls/.xlsx/.xlsm/.xlt/.xltx/.xltm/.xlsb/.xla/.xlam)
  • PowerPoint documents (.ppt/.pptx/.pptm/.pot/.potx/.potm/.pps/.ppsx/.ppsm/.thmx)
  • InfoPath files (.xsn)
  • XPS documents (.xps)

Notes: 

  1. If an email is sent using "Do Not Forward" with a .pdf file not protected using AIP, only the email will be protected but not the .pdf file.
  2. If you attach Outlook message files (.msg) to a "Do Not Forward" email message (such as forwarding multiple Outlook messages within one message), the attached messages will not be protected.
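
The rules in sections 7.1 and 7.2 and the notes above, expressed as a pre-send check (an added example, not part of the original guide). The function names, status strings and sample attachment list are assumptions made for illustration; the extension lists come from this page.

```python
from pathlib import PurePath

# Section 7.2: unprotected attachments of these types inherit "Do Not Forward".
OFFICE = set(".doc .docx .docm .dot .dotx .dotm "
             ".xls .xlsx .xlsm .xlt .xltx .xltm .xlsb .xla .xlam "
             ".ppt .pptx .pptm .pot .potx .potm .pps .ppsx .ppsm .thmx".split())
DNF_INHERITING = OFFICE | {".xsn", ".xps"}
# Section 7.1: types AIP can protect before attaching. Assumption: its
# "Microsoft Office files" entry covers the Office extensions of section 7.2.
AIP_SUPPORTED = OFFICE | {".txt", ".jpg", ".png", ".bmp", ".pdf"}


def attachment_status(filename, do_not_forward, aip_protected=False):
    """Return (status, advice) for one attachment.

    aip_protected is supplied by the caller, because the file name alone
    does not always reveal whether AIP protection was applied.
    """
    ext = PurePath(filename).suffix.lower()
    # Section 6: protecting a .pdf in place replaces it with a .ppdf file.
    if aip_protected or ext == ".ppdf":
        return ("aip", "usage rights travel with the file")
    if do_not_forward and ext in DNF_INHERITING:
        return ("do-not-forward", "restriction inherited from the email")
    if ext in AIP_SUPPORTED:
        return ("unprotected", "protect with the AIP client before attaching")
    return ("unprotected", "type not supported; no usage rights enforced")


def unprotected(attachments, do_not_forward):
    """List the attachments that would leave without any IRM protection."""
    return [name for name, protected in attachments
            if attachment_status(name, do_not_forward, protected)[0] == "unprotected"]


# Constructed sample message: (filename, already protected with AIP?)
SAMPLE = [("Budget.XLSX", False), ("contract.pdf", False),
          ("minutes.ppdf", False), ("thread.msg", False), ("scan.png", True)]

if __name__ == "__main__":
    for name, protected in SAMPLE:
        print(name, attachment_status(name, True, protected))
    print("leaves unprotected:", unprotected(SAMPLE, do_not_forward=True))
```

On the sample message, the .pdf and .msg attachments are reported even though the email itself is sent with "Do Not Forward", which matches notes 1 and 2.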

8. Operation Guide

The following sections give step-by-step procedures for sending and reading protected emails/files on different platforms, so that you can choose the method of protecting your email/file with IRM that suits your needs.

NOTE: RMS Sharing Application for Windows is being replaced by AIP (Azure Information Protection). Staff who installed RMS Sharing Application earlier should uninstall the retiring version and install AIP instead.

For the operation guide regarding RMS Sharing Application for Windows platform, please click here.

8.1. Sending and Reading a Protected Email (and attachments) using Policy Templates

8.1.1. Writing a protected email

  1. Outlook 2013/2016 in Windows
  2. Outlook 2016 in Mac
  3. OWA
  4. OWA for iOS

8.1.2. Opening a protected email

  1. Outlook 2013/2016 in Windows
  2. Outlook 2016 for Mac
  3. OWA
  4. OWA for iOS

8.2. Sending (by email) and Opening a Protected File using Share Protected and Protect in-place

8.2.1. Protecting MS Office Documents Using Windows
8.2.2. Protecting Non-Microsoft Office Documents Using Windows
8.2.3. Opening a protected file

  1. Windows
  2. Mac
  3. iOS devices

8.3. Set expiry date on document access in Windows
8.4. Track and revoke files protected by AIP


9. Common Usage Scenarios of Information Rights Management


10. Frequently Asked Questions (FAQ)


11. Limitations

  • The platforms and the file types supported by IRM are listed in sections 4 and 7 respectively.
  • IRM cannot prevent content from being erased, stolen, corrupted, or captured and transmitted by malicious programs or computer viruses. It also cannot prevent restricted content from being hand-copied or retyped, or prevent a digital photograph or screen capture from being taken of the restricted content.