To cope with the Data Classification and Data Governance Policy for protecting University’s digital information, an information protection system with Azure Information Protection – AIP, (formerly Right Management Service – RMS), is implemented for protecting digital information according to the defined data class.
Free; no application required
Please submit to ITSC Service Desk, Information Security > General Enquiry or Azure Information Protection (AIP)
The University has endorsed the Data Classification and Data Governance Policy in Aug 2016 which aims to protect the University digital information from being accessed by unauthorized person. The paper proposes a comprehensive framework with 3 components:
Azure Information Protection – AIP (formerly Right Management Service – RMS) is a data protection solution which helps you to classify, label and protect the documents according to the confidential level of the information. Once a document is classified and labelled, corresponding predefined security policy will be applied immediately to protect the document and limit the access against unauthorized person. Document owner can also monitor the access of the document and revoke the access of the document anytime if it is found misuse.
Download the installation file “AZInfoProtection.exe” from Microsoft website at https://www.microsoft.com/en-us/download/details.aspx?id=53018. (For Windows only)
Remarks: For central deployment, you may download the MSI file “AZInfoProtection_MSI_for_central_deployment.msi” instead.
Q1: Could AIP encrypted MS documents be opened and edited in O365 on web or on mobile (Office 365 mobile apps for Android, Office 365 mobile apps for iOS) ?
A1: On web, AIP encrypted MS documents cannot be opened/edited in office 365 web app. However, it would prompt you to open a document locally (i.e. with local MS Office applications). After your editing and saving, the document would be automatically sync back to online storage such as OneDrive for Business or SharePoint Online.
On mobile, AIP encrypted MS documents can be opened/edited by Android and iOS office apps (Word, Excel, PowerPoint) developed by Microsoft.
Q2: For AIP encrypted (via outlook) emails , can recipients open and read them in Android and iPhone using the built-in mobile mail app but not an MS Outlook app?
A2: Protected emails will appear as an attachment with extension .rpmsg. You can open the message by AIP Viewer app. When you reply to this email, (1) conversation history would not be included in the reply message, and (2) reply message would not be encrypted/protected by AIP anymore.
Q3: Can AIP be applied to standalone forest (department AD) for the Data Governance Policy? We have our own Windows AD, is it necessary to join University AD?
A3: Currently, the University does not have any policies that mandatorily require department AD must be joined to the University’s AD. However, when sourcing solutions to support departments implementing IT policies, department managed IT resources may not be fully covered/supported owning to various factors.
To cope with the Data Classification and Data Governance Policy, the implementation of AIP can help to protect digital information according to defined data class. Departments with her AD joined to the University’s AD could enjoy benefits such as:
Q4: Below is extracted from AIP User Guide, does ‘Offline Access’ mean that users can access confidential file without password in their mobile device for, say, 7 days?
|Classification Label||PermissionGranted||Encryption||Visual Markings||Offline Access & Expiry Date|
|Confidential – All Staff||Editable by All CUHK Staff||Permission includes:
View, Edit, Save, Save as, Export, Copy, Print, Reply, Reply all, Forward
|Yes||– Header & Footer in both MS Office files and emails||– Allow 7 days offline access
– No expiry date
|Strictly Confidential – All Staff||Viewable by All CUHK Staff||Permission includes:
View, Reply, Reply all
|Yes||– Header & Footer in both MS Office files and emails
– Watermark in MS Office files
|– Allow 1 day offline access
– No expiry date
A4: Offline access is a feature in AIP to balance between security and convenience. Simply speaking, after each authorization against AIP cloud service, users can access protected documents on that particular device for, say, 7 days, without re-authorization. Therefore, within these 7 days the device could in offline mode, do not need internet connection or login to O365, and still can access the documents. Detail workflow as described below:
Q5: If the original owner of AIP-protected file left the University, can we still access the file or update the file owner?
A5: Even the original owner left the University, the file should still be accessible by authorized users. But if update of file owner is needed, department would need to submit to ITSC Service Desk, Information Security > General Enquiry / Azure Information Protection (AIP), or contact firstname.lastname@example.org for arranging updates.
Q1: My computer is AD-joined and my AIP is installed by the software assignment through AD Group Policy. After the software assignment and rebooted my computer, I fail to locate AIP client.
A1: Yes, the installation of the AIP would be started after your computer is rebooted, and the process is so transparent that you may feel nothing happened. The installation requires a few minutes to finish. When it is successfully installed, the ‘Azure Information Protection Viewer’ would be appeared on the Windows START menu.
Q1: My colleague sent me an AIP protected email and I can’t open it using Outlook, it prompted out:
I clicked yes, it showed me that I already signed in:
I clicked on the current account and this pop-up windows closed. But I still failed to open the email.However, when I used web OWA, I can open the email. Don’t know if I have something mis-configured.
A1: We also experienced similarly before on AD joined computer where Office signed in automatically to on-premises AD account but not O365 account through ADFS. Please try to sign out your MS Office Application (in menu, File > Account > Sign out), and then sign in again.
Q2: My colleague sent me an AIP protected email and I can’t open it using my Outlook, it prompted out:
A2: Please check if the email could be read by using OWA (Direct link: https://outlook.office.com/owa/)? If it is readable on OWA, it means the permission should be correct. Please try to sign out your MS Outlook, and then sign in again.
Q3: It was told that protected emails sent to @cuhk.edu.hk had no expiry indicating that it could be always readable. However, protected emails sent to other domains (such as departmental email address or external email address) would be only readable in 60 days by default, and this default setting could not be amended. How should we interpret it?
A3: Please interpret as below:
Q4: Could I send protected emails or share protected documents with students?
A4: AIP is for CUHK staff (at their personal account – @cuhk.edu.hk) to apply protection on their emails or documents. You could use “custom permissions” to share a protected documents with other users (such as students) by specifying the students email addresses in the designated dialogue box.
Q5: I received an AIP protected excel file which I should have permission to open, but I can’t open it with my MS Excel even I’ve login my O365 account.
A5: If you encounter the problem with MS Office 2016, it is recommended to upgrade it to MS Office 2019 or later version.
Alternatively, please try another temporary solution, which is applicable for users using Kaspersky Endpoint Security Anti-virus software Version 11.1, with the steps below:
You only need to perform the above steps once and should be able to open other AIP protected documents without error afterwards.