Use of Information Rights Management (IRM) for Email and File Protection

Quick Links

For new IRM users, to begin with, you are recommended to learn about the basic concepts of IRM:

Introduction

IRM (Information Rights Management) is a technology that allows individuals to set access permissions to files and email messages (including attachments). ITS adopted an IRM solution based on Microsoft Purview Information Protection (PIP). It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized persons. By using IRM, access permission can be set in a file or an email and unintended recipients will not be able to access the files even they are sent to the wrong persons.

The following types of control can be set by the document owners (or senders):

  • restrict documents from copy, edit or print
  • in-place protect files on local disk storage
  • set expiry date on document access
Note: Staff’s right to protect and access protected documents using IRM will expire immediately after an employment ends or retirement from the University.

Scope of Support on the use of IRM

Staff members and RPG students can use IRM to send and read protected emails and files.

Prerequisite

Please make sure the following items are ready before using IRM:
  • Microsoft Office 2013 or above (requires sign in using @hku.hk account).
  • Install “PIP” (“Purview Information Protection” client developed by Microsoft) for protecting and accessing files with protection on Windows.
  • Install “PIP” (“Purview Information Protection” viewer developed by Microsoft) for accessing files with protection on Android and iOS devices.
  • Install “RMS sharing application” (“Rights Management sharing application” developed by Microsoft) for accessing files with protection on Mac PCs.
Please follow the procedures below to install the AIP client and RMS sharing application:

Supported Platforms

The table below illustrates the supported operating systems and email systems:

 Protect file using PIP clientOpen file protected by PIP client/RMS sharing applicationWrite an email with protectionRead an email with protection
Windows 10/11YesYes (PIP client or PIP Viewer is required for reading non-MS Office files)Yes, using Outlook 2013/2016 or OWAYes, using Outlook 2013/2016 or OWA

Mac OS X

(version 10.9 or above)

Not supportedYes (RMS sharing application is required)Yes, using Outlook 2016 for Mac or OWAYes, using Outlook 2016 for Mac or OWA
AndroidNot supportedYes (AIP Viewer is required)Not supportedYes (AIP Viewer is required)
iPhone/iPad
(iOS/iPadOS 11.0 or above)
Not supportedYes (AIP Viewer is required)Yes, using OWA via web browserYes (AIP Viewer is required)

* OWA stands for “Outlook Web Access” which is the webmail interface available under MyEmail tab of HKU Portal or webmail.hku.hk.

The following sections summarize different ways and levels of protection that can be set using IRM and the supported file types:  

Ways of Protection

(Note: Microsoft AIP labels are no longer supported under the new AIP client that ITS is supporting from 4 Jan 2021 onwards.)

Protecting Documents Using Microsoft PIP Custom Permissions

By using “Custom Permissions”, different levels of protection can be set for sending protected documents to HKU staff. For example, if you choose the moderate level permission “Reviewer”, the recipients can view, edit, reply, forward and save the document, but not copy and print.

Level of Security Protection Permission Level Access Permission Other Than the Owner
View Edit (for MS Office documents) Reply Copy (for MS Office documents) Print Save
Highest Only for me X X x x x x
High Viewer X x x x x
Moderate Reviewer x x
Lowest Co-author
Nil Co-owner (recipient will have full control of the document, including unprotect the document)

Protecting Email Message and Attachments

The “Do Not Forward” feature allows you to protect an email message which the recipients can view, edit, reply and save the email, but not copy, forward and print it.

NOTE: You can attach any files protected by PIP in your email. If you are attaching an Microsoft Office file without protection, the “Do Not Forward” restriction will automatically be applied to the attached file.

TemplateViewEdit (for MS Office attachment without protection)ReplyCopy (for MS Office documents without protection)Forward (in email)PrintSave
Do Not Forwardxxx

 

Suggested Protection to Use

 Protection Method to UseRemarks
Send a protected email without attachmentDo not forwardProtection will be applied to email message.
Send a protected email with attachment (not protected prior to sending)Do not forward
If your attachment contains Microsoft Office file without any protection, protection configured to the email message will be applied to attachment(s) automatically.
Send an email with protected attachment(s)Custom Permissions using PIP client
  1. Email body will not be protected.
  2. Supported types of files:
    – Text (.txt) and image (.jpg, .png, .bmp) files
    – Microsoft Office (Word, Excel, PowerPoint) files
    – Portable document format (.pdf)
    (no usage rights are enforced for non-supported types of files)
Send a protected email with protected attachment(s)

Custom Permissions using PIP client

+

Do not forward
 
  1. Supported types of files:
    – Text (.txt) and image (.jpg, .png, .bmp) files
    – Microsoft Office (Word, Excel, PowerPoint) files
    – Portable document format (.pdf)
    (no usage rights are enforced for non-supported types of files)
Protect file on hard disk for owner access onlyProtect by applying the label “Confidential” or “Restricted”Original files will be replaced e.g. .txt > .ptxt.

Please click here for more common usage scenarios.

Types of Files Supported

Types of files supporting full IRM protection protected using PIP:
  • Text (.txt) files
  • Image files (.jpg/.png/.bmp)
  • Microsoft Office (Word/Excel/PowerPoint) files
  • Portable document format (.pdf)
Types of files attached to a “Do Not Forward” email message that will be automatically applied with the “Do Not Forward” restriction if the documents are not protected with PIP:
  • Word documents (.doc/.docx/.docm/.dot/.dotx/.dotm)
  • Excel documents (.xls/.xlsx/.xlsm/.xlt/.xltx/.xltm/.xlsb/.xla/.xlam)
  • PowerPoint documents (.ppt/.pptx/.pptm/.pot/.potx/.potm/.pps/.ppsx/.ppsm/.thmx)
  • InfoPath files (.xsn)
  • XPS documents (.xps)

Notes:

  1. If an email is sent using “Do Not Forward” with a .pdf file not protected using AIP, only the email will be protected but not the .pdf file.
  2. If you attach Outlook message files (.msg) to a “Do Not Forward” email message (such as forwarding multiple Outlook messages within one message), the attached messages will not be protected.
Read Protected FilesPlatformDocumentSuggested application to use
MAC OSProtected MS Office documentsMS Office*
Protected PDF documents (.pdf)Adobe Acrobat Reader Plug-in
Protected PDF documents by using old AIP client (classic client) (.ppdf)RMS sharing application
Protected emailsMS Outlook*
WindowsProtected MS Office documentsMS Office*
Protected PDF documents (.pdf)Adobe Acrobat Reader Plug-in or AIP Viewer
Protected PDF documents (.ppdf)AIP Viewer
Protected emailsMS Outlook*
Protect FilesWindowsMS Office documentsPIP Client
PDF or other supported filesPIP Client
EmailMS Outlook*
MacEmailMS Outlook*

*no additional application is required to install

Protection and Encryption

  1. Apply Protection to a File (Windows only, please refer to Point 3 below for PDF files
    1. Right click the target file and select “Apply sensitivity label with Microsoft Purview”.

      Right click the target file and select “Apply sensitivity label with Microsoft Purview”.

    2. The PIP Client will be opened. Check the box “Protect with custom permissions” and select the desired protection from the drop-down menu.

      The PIP Client will be opened. Check the box “Protect with custom permissions” 

      and select the desired protection from the drop-down menu.

    3. Under “Select users, groups or organizations”, enter the recipients’ email addresses, email groups or click the icon irm icon to open the Global Address List to look up and select the recipients.
    4. Optional: Under “Expire access”, enter the expiry date of the access right. Recipients cannot access the file after the expiry date.
    5. Click “Apply” to confirm the protection setting.

      Click “Apply” to confirm the protection setting.

    6. Click “Close” to exit the setting page.

      Click “Close” to exit the setting page.
  1. Remove Protection from a File (Windows only, please refer to Point 4 below for PDF files)
    1. Right click the protected file and select “Apply sensitivity label with Microsoft Purview”. I.	Right click the protected file and select “Apply sensitivity label with Microsoft Purview”.
    2. The PIP Client will be opened. Select “Delete Label” and uncheck the box “Protect with custom permissions” and click “Apply”. The PIP Client will be opened. Select “Delete Label” and uncheck the box “Protect with custom permissions” and click “Apply”.
    3. Click “Close” to exit the setting page. Click “Close” to exit the setting page.
  1. Apply Protection to PDF Files (Windows Only)
    1. Right click the PDF file and select “Apply sensitivity label with Microsoft Purview”.

      Right click the PDF file and select “Apply sensitivity label with Microsoft Purview”

      The PIP Client will be opened. Check the box “Protect with custom permissions” and select the desired protection from the drop-down menu.

      The PIP Client will be opened. Check the box “Protect with custom permissions” and select the desired protection from the drop-down menu.

    2. Under “Select users, groups or organizations”, enter the recipients’ email addresses, email groups or click the icon irm icon to open the Global Address List to look up and select the recipients.
    3. Optional: Under “Expire access”, enter the expiry date of the access right. Recipients cannot access the file after the expiry date.
    4. Click “Apply” to confirm the protection setting.

      Click “Apply” to confirm the protection setting.

    5. Click “Close” to exit the setting page.

      Click “Close” to exit the setting page.
  1. Remove Protection from PDF Files (Windows Only)
    1. Right click the protected PDF file and t “Apply sensitivity label with Microsoft Purview”.

      I.	Right click the protected PDF file and t “Apply sensitivity label with Microsoft Purview”.

    2. The AIP Client will be opened. Uncheck the box “Protect with custom permissions” and click “Apply”.

      The AIP Client will be opened. Uncheck the box “Protect with custom permissions” and click “Apply”.

    3. Click “Close” to exit the setting page.

      Click “Close” to exit the setting page.
  1. Install Adobe Acrobat Reader Plug-in to Open Protected PDF Files (Windows and Mac OS)
    1. To open protected PDF files, please download the Microsoft Information Protection (MIP) plug-in for Adobe Acrobat ReaderIf you open a protected PDF file without plug-in, you will see the following alert message:

      To open protected PDF files, please download the Microsoft Information Protection (MIP) plug-in for Adobe Acrobat ReaderIf you open a protected PDF file without plug-in, you will see the following alert message:

    2. Check the version of your Adobe Acrobat Reader by clicking Help > About Adobe Acrobat Reader DC… .

      Check the version of your Adobe Acrobat Reader by clicking Help > About Adobe Acrobat Reader DC… .

      About Adobe Acrobat Reader DC… .

    3. Download the appropriate version of the plug-in.

      Download the appropriate version of the plug-in.

    4. Run the downloaded file to install the plug-in. Click “Finish” after the setup is completed.

      Run the downloaded file to install the plug-in. Click “Finish” after the setup is completed.

      IV.	Run the downloaded file to install the plug-in. Click “Finish” after the setup is completed.

    5. After installing the plug-in, you will be prompted to enter your email address that is granted with the right to open the file, complete the authentication steps required and click “Accept” to accept the permission.Note: Acrobat Reader only support .PDF file. For previously protected PDF files (.PPDF), please use the PIP viewer (for Windows) or RMS client (for Mac).

      After installing the plug-in, you will be prompted to enter your email address that is granted with the right to open the file, complete the authentication steps required and click “Accept” to accept the permission.Note: Acrobat Reader only support .PDF file. For previously protected PDF files (.PPDF), please use the PIP viewer (for Windows) or RMS client (for Mac).

      After installing the plug-in, you will be prompted to enter your email address that is granted with the right to open the file, complete the authentication steps required and click “Accept” to accept the permission.Note: Acrobat Reader only support .PDF file. For previously protected PDF files (.PPDF), please use the PIP viewer (for Windows) or RMS client (for Mac).

    6. The protected PDF file will be opened and labelled with (SECURED).

      The protected PDF file will be opened and labelled with (SECURED).

    7. To check the label details, you can click the following icon and link:

      To check the label details, you can click the following icon and link:
  1. Open PPDF File from PIP Client
    1. Right click the PPDF file and select “Open”.
    2. The content will be displayed inside the AIP Client.

      6.	Open PPDF File from PIP Client
I.	Right click the PPDF file and select “Open”.
II.	The content will be displayed inside the AIP Client.
 
III.	You can click the “View Permission” button to check the protection details.

    3. You can click the “View Permission” button to check the protection details.

      You can click the “View Permission” button to check the protection details.
  1. Apply Protection to an Email Using Microsoft Outlook 2013 or Above (Do Not Forward)
    1. Under the compose email window, select “Option” > “Permission” > “Do Not Forward”.

      7.	Apply Protection to an Email Using Microsoft Outlook 2013 or Above (Do Not Forward)
I.	Under the compose email window, select “Option” > “Permission” > “Do Not Forward”.
 
II.	An alert on “Do Not Forward” will be displayed at top of the email.
 
III.	To remove “Do Not Forward”, select “Option” > “Permission” > “Do Not Forward” again.

    2. An alert on “Do Not Forward” will be displayed at top of the email.

      An alert on “Do Not Forward” will be displayed at top of the email.

    3. To remove “Do Not Forward”, select “Option” > “Permission” > “Do Not Forward” again.

Limitations

  • The list of platforms and file types supported by IRM can be referred to Sections 4 and 7 above.
  • IRM cannot prevent contents from being erased, stolen, corrupted, captured and transmitted by malicious programs or computer viruses. It also cannot prevent restricted contents from being hand-copied or retyped, or prevent a digital photograph or screen capture of the restricted contents from being taken.
0
1