Use of Information Rights Management (IRM) for Email and File Protection

Quick Links

For new IRM users, to begin with, you are recommended to learn about the basic concepts of IRM:

Introduction

IRM (Information Rights Management) is a technology that allows individuals to set access permissions to files and email messages (including attachments). ITS adopted an IRM solution based on Microsoft Azure Information Protection (AIP). It helps prevent sensitive information from being printed, forwarded, or copied by unauthorized persons. By using IRM, access permission can be set in a file or an email and unintended recipients will not be able to access the files even they are sent to the wrong persons. The following types of control can be set by the document owners (or senders):
  • restrict documents from copy, edit or print
  • in-place protect files on local disk storage
  • set expiry date on document access
Note: Staff’s right to protect and access protected documents using IRM will expire immediately after an employment ends or retirement from the University.

Scope of Support on the use of IRM

Staff members and RPG students can use IRM to send and read protected emails and files.

Prerequisite

Please make sure the following items are ready before using IRM:
  • Microsoft Office 2013 or above (requires sign in using @hku.hk account).
  • Install “AIP” (“Azure Information Protection” client developed by Microsoft) for protecting and accessing files with protection on Windows.
  • Install “AIP” (“Azure Information Protection” viewer developed by Microsoft) for accessing files with protection on Android and iOS devices.
  • Install “RMS sharing application” (“Rights Management sharing application” developed by Microsoft) for accessing files with protection on Mac PCs.
Please follow the procedures below to install the AIP client and RMS sharing application:

Supported Platforms

The table below illustrates the supported operating systems and email systems:

Protect file using AIP client Open file protected by AIP client/RMS sharing application Write an email with protection Read an email with protection
Windows 8/10 Yes Yes (AIP client or AIP Viewer is required for reading non-MS Office files) Yes, using Outlook 2013/2016 or OWA Yes, using Outlook 2013/2016 or OWA
Mac OS X (version 10.9 or above) Not supported Yes (RMS sharing application is required) Yes, using Outlook 2016 for Mac or OWA Yes, using Outlook 2016 for Mac or OWA
Android Not supported Yes (AIP Viewer is required) Not supported Yes (AIP Viewer is required)
iPhone/iPad (iOS 7.0 or above) Not supported Yes (AIP Viewer is required) Yes, using OWA via web browser Yes (AIP Viewer is required)
* OWA stands for “Outlook Web Access” which is the webmail interface available under MyEmail tab of HKU Portal or webmail.hku.hk.

The following sections summarize different ways and levels of protection that can be set using IRM and the supported file types:  

Ways of Protection

(Note: Microsoft AIP labels are no longer supported under the new AIP client that ITS is supporting from 4 Jan 2021 onwards.)

Protecting Documents Using Microsoft AIP Custom Permissions

By using “Custom Permissions”, different levels of protection can be set for sending protected documents to HKU staff. For example, if you choose the moderate level permission “Reviewer”, the recipients can view, edit, reply, forward and save the document, but not copy and print.

Level of Security Protection Permission Level Access Permission Other Than the Owner
View Edit (for MS Office documents) Reply Copy (for MS Office documents) Print Save
Highest Only for me X X x x x x
High Viewer X x x x x
Moderate Reviewer x x
Lowest Co-author
Nil Co-owner (recipient will have full control of the document, including unprotect the document)

Protecting Email Message and Attachments

The “Do Not Forward” feature allows you to protect an email message which the recipients can view, edit, reply and save the email, but not copy, forward and print it. NOTE: You can attach any files protected by AIP in your email. If you are attaching an Microsoft Office file without protection, the “Do Not Forward” restriction will automatically be applied to the attached file.

Template View Edit (for MS Office attachment without protection) Reply Copy (for MS Office documents without protection) Forward (in email) Print Save
Do Not Forward x x x

Suggested Protection to Use

 Protection Method to UseRemarks
Send a protected email without attachmentDo not forwardProtection will be applied to email message.
Send a protected email with attachment (not protected prior to sending)Do not forward
If your attachment contains Microsoft Office file without any protection, protection configured to the email message will be applied to attachment(s) automatically.
Send an email with protected attachment(s)Custom Permissions using AIP client
  1. Email body will not be protected.
  2. Supported types of files:
    – Text (.txt) and image (.jpg, .png, .bmp) files
    – Microsoft Office (Word, Excel, PowerPoint) files
    – Portable document format (.pdf)
    (no usage rights are enforced for non-supported types of files)
Send a protected email with protected attachment(s)

Custom Permissions using AIP client

+

Do not forward
 
  1. Supported types of files:
    – Text (.txt) and image (.jpg, .png, .bmp) files
    – Microsoft Office (Word, Excel, PowerPoint) files
    – Portable document format (.pdf)
    (no usage rights are enforced for non-supported types of files)
Protect file on hard disk for owner access onlyProtect by applying the label “Confidential” or “Restricted”Original files will be replaced e.g. .txt > .ptxt.

Please click here for more common usage scenarios.

Types of Files Supported

Types of files supporting full IRM protection protected using AIP:
  • Text (.txt) files
  • Image files (.jpg/.png/.bmp)
  • Microsoft Office (Word/Excel/PowerPoint) files
  • Portable document format (.pdf)
Types of files attached to a “Do Not Forward” email message that will be automatically applied with the “Do Not Forward” restriction if the documents are not protected with AIP:
  • Word documents (.doc/.docx/.docm/.dot/.dotx/.dotm)
  • Excel documents (.xls/.xlsx/.xlsm/.xlt/.xltx/.xltm/.xlsb/.xla/.xlam)
  • PowerPoint documents (.ppt/.pptx/.pptm/.pot/.potx/.potm/.pps/.ppsx/.ppsm/.thmx)
  • InfoPath files (.xsn)
  • XPS documents (.xps)
Notes:
  1. If an email is sent using “Do Not Forward” with a .pdf file not protected using AIP, only the email will be protected but not the .pdf file.
  2. If you attach Outlook message files (.msg) to a “Do Not Forward” email message (such as forwarding multiple Outlook messages within one message), the attached messages will not be protected.
Read Protected Files Platform Document Suggested application to use
MAC OS Protected MS Office documents MS Office*
Protected PDF documents (.pdf) Adobe Acrobat Reader Plug-in
Protected PDF documents by using old AIP client (classic client) (.ppdf) RMS sharing application
Protected emails MS Outlook*
Windows Protected MS Office documents MS Office*
Protected PDF documents (.pdf) Adobe Acrobat Reader Plug-in or AIP Viewer
Protected PDF documents (.ppdf) AIP Viewer
Protected emails MS Outlook*
Protect Files Windows MS Office documents AIP Client
PDF or other supported files AIP Client
Email MS Outlook*
Mac Email MS Outlook*

*no additional application is required to install

Protection and Encryption

  1. Apply Protection to a File (Windows only, please refer to Point 3 below for PDF files)
    1. Right click the target file and select “Classify and protect”.
    2. Right click menu classify and protect
    3. The AIP Client will be opened. Check the box “Protect with custom permissions” and select the desired protection from the drop-down menu.
    4. Setup protect with custom permissions Setup protect with custom permissions - dropdown list
    5. Under “Select users, groups or organizations”, enter the recipients’ email addresses, email groups or click the icon book iconto open the Global Address List to look up and select the recipients.
    6. Optional: Under “Expire access”, enter the expiry date of the access right. Recipients cannot access the file after the expiry date.
    7. Click “Apply” to confirm the protection setting.
    8. Apply protection
    9. Click “Close” to exit the setting page.
    10. Finish and close setup
  1. Remove Protection from a File (Windows only, please refer to Point 4 below for PDF files)
    1. Right click the protected file and select “Classify and protect”.
    2. Right click menu classify and protect
    3. The AIP Client will be opened. Uncheck the box “Protect with custom permissions” and click “Apply”.
    4. Uncheck Protect with custom permission
    5. Click “Close” to exit the setting page.
    6. Finish and close setup
  1. Apply Protection to PDF Files (Windows Only)
    1. Right click the PDF file and select “Classify and protect”.
    2. Right click menu classify and protect
    3. The AIP Client will be opened. Check the box “Protect with custom permissions” and select the desired protection from the drop-down menu.
    4. Setup protect with custom permissions
    5. Under “Select users, groups or organizations”, enter the recipients’ email addresses, email groups or click the icon book icon to open the Global Address List to look up and select the recipients.
    6. Optional: Under “Expire access”, enter the expiry date of the access right. Recipients cannot access the file after the expiry date.
    7. Click “Apply” to confirm the protection setting.
    8. Apply protection
    9. Click “Close” to exit the setting page.
    10. Finish and close setup
  1. Remove Protection from PDF Files (Windows Only)
    1. Right click the protected PDF file and select “Classify and protect”.
    2. Right click menu classify and protect
    3. The AIP Client will be opened. Uncheck the box “Protect with custom permissions” and click “Apply”.
    4. Apply protect with custom permissions
    5. Click “Close” to exit the setting page.
    6. Finish and close setup
  1. Install Adobe Acrobat Reader Plug-in to Open Protected PDF Files (Windows and Mac OS)
    1. To open protected PDF files, please download the Microsoft Information Protection (MIP) plug-in for Adobe Acrobat ReaderIf you open a protected PDF file without plug-in, you will see the following alert message:
    2. Open without plugin
    3. Check the version of your Adobe Acrobat Reader by clicking Help > About Adobe Acrobat Reader DC… .
    4. Check adobe version image 1 Check adobe version image 2
    5. Download the appropriate version of the plug-in.
    6. Download appropriate version
    7. Run the downloaded file to install the plug-in. Click “Finish” after the setup is completed.
    8. Install adobe plugin Finish Install adobe plugin
    9. After installing the plug-in, you will be prompted to enter your email address that is granted with the right to open the file, complete the authentication steps required and click “Accept” to accept the permission.Note: Acrobat Reader only support .PDF file. For previously protected PDF files (.PPDF), please use the AIP viewer (for Windows) or RMS client (for Mac).
    10. Prompt to ask email address Microsoft permission request dialog
    11. The protected PDF file will be opened and labelled with (SECURED).
    12. Opened secure PDF
    13. To check the label details, you can click the following icon and link:
    14. Check label details
  1. Open PPDF File from AIP Client
    1. Right click the PPDF file and select “Open”.
    2. Right click ppdf file to open
    3. The content will be displayed inside the AIP Client.
    4. PPDF Content
    5. You can click the “View Permission” button to check the protection details.
    6. View permission
  1. Apply Protection to an Email Using Microsoft Outlook 2013 or Above (Do Not Forward)
    1. Under the compose email window, select “Option” > “Permission” > “Do Not Forward”.
    2. Compose window set do not forward
    3. An alert on “Do Not Forward” will be displayed at top of the email.
    4. Add do not forward alert
    5. To remove “Do Not Forward”, select “Option” > “Permission” > “Do Not Forward” again.

Limitations

  • The list of platforms and file types supported by IRM can be referred to Sections 4 and 7 above.
  • IRM cannot prevent contents from being erased, stolen, corrupted, captured and transmitted by malicious programs or computer viruses. It also cannot prevent restricted contents from being hand-copied or retyped, or prevent a digital photograph or screen capture of the restricted contents from being taken.
0
0