You are here

Use of Information Rights Management (IRM) for Email and File Protection

For new IRM users, to begin with, you are recommended to learn about the basic concepts of IRM:

  1. Introduction
  2. Applicable Users
  3. Prerequisite
  4. Supported Platforms

The following sections summarize different ways and levels of protection that can be set using IRM and the supported file types:  

  1. Ways of Protection
  2. Suggested Protection to Use
  3. Types of Files Supported

The Operation Guide lists out the step-by-step procedures on sending and reading protected email/file under different platforms.  Some illustrative examples are added for ease of understanding.  

  1. Operation Guide
Some common usage scenarios are described in the following section to illustrate the use of IRM in document protection:
  1. Common Usage Scenarios of Information Rights Management

Below are the FAQ and limitations of IRM:

  1. FAQ
  2. Limitations

1. Introduction

IRM (Information Rights Management) is a technology that allows individuals to set access permissions to files and email messages (including attachments). ITS adopted an IRM solution based on Microsoft Azure Information Protection (AIP, formerly known as Azure Rights Management Services). It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized persons.  By using IRM, access permission can be set in a file or an email and unintended receipents will not be able to access the files even they are sent to the wrong persons.  

The following types of control can be set by the document owners (or senders): 

  • restrict documents from copy, edit or print
  • in-place protect files on local disk storage
  • set expiry date on document access
  • track usage on shared documents
  • revoke access granted on shared documents
Note: Staff’s right to protect and access protected documents using IRM will expire immediately after an employment ends or retirement from the University.  

2. Scope of Support on the use of IRM

Currently, only HKU staff members using @hku.hk email address can use IRM to send and read protected emails and files.


3. Prerequisite

Please make sure the following items are ready before using IRM: 
  • Microsoft Office 2013/2016 (requires sign in using @hku.hk account).
  • Install “AIP” (“Azure Information Protection” client developed by Microsoft) for protecting and accessing files with protection on Windows.
  • Install "AIP” (“Azure Information Protection” viewer developed by Microsoft) for accessing files with protection on Android and iOS devices.
  • Install “RMS sharing application” (“Rights Management sharing application” developed by Microsoft) for accessing files with protection on Mac PCs
  • The function on Track and Revoke files requires an add-on license to work.  Such licenses are assigned to staff on Band G/H/I/J and Terms of Service I who joined the University before 1 June 2017.   These licenses may be reclaimed for assignment to other colleagues if they have not been used over a period of time.  If you wish to use these functions but have not been assigned with the said license, please send your HKU Portal UID to ithelp@hku.hk.
Please follow the procedures below to install the AIP client and RMS sharing application:
 

4. Supported Platforms

The table below illustrates the supported operating systems and email systems:

 

Protect file using AIP client

Open file protected by AIP client/RMS sharing application

Write an email with protection

Read an email with protection

Windows 8/10

Yes

Yes (AIP client is required)

Yes, using Outlook 2013/2016 or OWA

Yes, using Outlook 2013/2016 or OWA

Mac OS X

(version 10.9 or above)

Not supported

Yes (RMS sharing application is required)

Yes, using Outlook 2016 for Mac or OWA

Yes, using Outlook 2016 for Mac or OWA

Android

Not supported

Yes (AIP Viewer is required)

Not supported

Yes (AIP Viewer is required)

iPhone/iPad
(iOS 7.0 or above)

Not supported

Yes (AIP Viewer is required)

Yes, using OWA via web browser

Yes (AIP Viewer is required)

* OWA stands for “Outlook Web Access” which is the webmail interface available under MyEmail tab of HKU Portal or webmail.hku.hk.


5. Ways of Protection

5.1. Protecting Documents Using Microsoft AIP Labels

4 types of labels can be used to classify the nature of documents:

Name of Label

Level of Security Protection

Automate Protection upon Label Assignment

Access Permission Other Than the Owner

View

Edit (for MS Office documents)

Reply

Copy (for MS Office documents)

Print

Save

Restricted

Highest

Owner access only

X

X

X

X

X

X

Confidential

Internal

Nil

Nil

Public

5.2. Protecting Documents Using Microsoft AIP Custom Permissions

By using "Custom Permissions", different levels of protection can be set for sending protected documents to HKU staff. For example, if you choose the moderate level permission “Reviewer”, the recipients can view, edit, reply, forward and save the document, but not copy and print.

Level of Security Protection

Permission Level

Access Permission Other Than the Owner

View

Edit (for MS Office documents)

Reply

Copy (for MS Office documents)

Print

Save

Highest

Only for me

X

X

x

x

x

x

High

Viewer

X

x

x

x

x

Moderate

Reviewer

x

x

Lowest

Co-author

Nil

Co-owner (recipient will have full control of the document, including unprotect the document)

5.3. Protecting Email Message and Attachments

The “Do Not Forward” feature allows you to protect an email message which the recipients can view, edit, reply and save the email, but not copy, forward and print it.

NOTE: You can attach any files protected by AIP in your email. If you are attaching an Microsoft Office file without protection, the "Do Not Forward" restriction will automatically be applied to the attached file.

Template

View

Edit (for MS Office attachment without protection)

Reply

Copy (for MS Office documents without protection)

Forward (in email)

Print

Save

Do Not Forward

x

x

x

 

6. Suggested Protection to Use

 

Protection Method to Use

Remarks

Send a protected email without attachment

Do not forward

Protection will be applied to email message.

Send a protected email with attachment (not protected prior to sending)

Do not forward

If your attachment contains Microsoft Office file without any protection, protection configured to the email message will be applied to attachment(s) automatically.

Send an email with protected attachment(s)

Custom Permissions using AIP client

  1. Email body will not be protected.
  2. Supported types of files:
    - Text (.txt) and image (.jpg, .png, .bmp) files
    - Microsoft Office (Word, Excel, PowerPoint) files
    - Portable document format (.pdf)
    (no usage rights are enforced for non-supported types of files)

Send a protected email with protected attachment(s)

Custom Permissions using AIP client

+

Do not forward
 
  1. Supported types of files:
    - Text (.txt) and image (.jpg, .png, .bmp) files
    - Microsoft Office (Word, Excel, PowerPoint) files
    - Portable document format (.pdf)
    (no usage rights are enforced for non-supported types of files)

Protect file on hard disk for owner access only

Protect by applying the label "Confidential" or "Restricted"

Original files will be replaced e.g. .txt > .ptxt.

Please click here for more common usage scenarios.


7. Types of Files Supported

7.1. Types of files supporting full IRM protection protected using AIP: 

  • Text (.txt) files
  • Image files (.jpg/.png/.bmp)
  • Microsoft Office (Word/Excel/PowerPoint) files
  • Portable document format (.pdf)

7.2. Types of files attached to a "Do Not Forward" email message that will be automatically applied with the "Do Not Forward" restriction if the documents are not protected with AIP:

  • Word documents (.doc/.docx/.docm/.dot/.dotx/.dotm)
  • Excel documents (.xls/.xlsx/.xlsm/.xlt/.xltx/.xltm/.xlsb/.xla/.xlam)
  • PowerPoint documents (.ppt/.pptx/.pptm/.pot/.potx/.potm/.pps/.ppsx/.ppsm/.thmx)
  • InfoPath files (.xsn)
  • XPS documents (.xps)

Notes: 

  1. If an email is sent using "Do Not Forward" with a .pdf file not protected using AIP, only the email will be protected but not the .pdf file.
  2. If you attach Outlook message files (.msg) to a "Do Not Forward" email message (such as forwarding multiple Outlook messages within one message), the attached messages will not be protected.

8. Operation Guide

The following sections illustrate the step-by-step procedures on sending and reading protected emails/files under different platforms. 

NOTE: RMS Sharing Application for Windows has been replaced by AIP (Azure Information Protection). Staff who installed RMS Sharing Application earlier please uninstall it and install AIP instead.

For the operation guide regarding RMS Sharing Application for Windows platform, please click here.

8.1. Sending and Reading a Protected Email (and attachments) using Policy Templates

8.1.1. Writing a protected email

  1. Outlook 2013/2016 in Windows
  2. Outlook 2016 in Mac
  3. OWA
  4. OWA for iOS

8.1.2. Opening a protected email

  1. Outlook 2013/2016 in Windows
  2. Outlook 2016 for Mac
  3. OWA
  4. OWA for iOS

8.2. Sending (by email) and Opening a Protected File Using Share Protected and Protect in-place

8.2.1. Protecting MS Office Documents Using Windows
8.2.2. Protecting Non-Microsoft Office Documents Using Windows
8.2.3. Opening a protected file

  1. Windows
  2. Mac
  3. iOS devices

8.3. Set expiry date on document access in Windows
8.4. Track and revoke files protected by AIP


9. Common Usage Scenarios of Information Rights Management


10. Frequently Asked Questions (FAQ)


11. Limitations

  • The list of platforms and file types supported by IRM can be referred to Sections 4 and 7 above.
  • IRM cannot prevent contents from being erased, stolen, corrupted, captured and transmitted by malicious programs or computer viruses. It also cannot prevent restricted contents from being hand-copied or retyped, or prevent a digital photograph or screen capture of the restricted contents from being taken.