To support the Data Classification and Data Governance Policy for protecting the University's digital information, an information protection system based on Microsoft Information Protection (MIP, formerly Azure Information Protection (AIP) and Rights Management Service (RMS)) is implemented to protect digital information according to its defined data class.
Available to
All Staff
Service Charge and Application
Free; no application required
Service Availability
Office hours
Support
Please submit a request to the ITSC Service Desk under Information Security > General Enquiry or Azure Information Protection (AIP)
The University endorsed the Data Classification and Data Governance Policy in Aug 2016, which aims to protect the University's digital information from being accessed by unauthorized persons. The policy paper proposes a comprehensive framework with three components:
Data Classification Standard – to define the confidentiality level of data
Data Governance Policy – to define the accountabilities and decision rights of people
Enforcement of data protection with Azure AIP – to enforce data security policies for the protection of each data class
Introduction
Microsoft Information Protection (MIP, formerly Azure Information Protection (AIP) and Rights Management Service (RMS)) is a data protection solution that helps you classify, label and protect documents according to the confidentiality level of the information. Once a document is classified and labelled, the corresponding predefined security policy is applied immediately to protect the document and limit access by unauthorized persons. The document owner can also monitor access to the document and revoke access at any time if misuse is found (revocation takes effect subject to the offline access window described in Q4 below).
Implementation Scope
Includes:
Microsoft Office (and AIP Client)
Exchange Online (including OWA for Exchange Online)
Q1: Can AIP-encrypted MS documents be opened and edited in O365 on the web or on mobile (Office 365 mobile apps for Android, Office 365 mobile apps for iOS)?
A1: On the web, AIP-encrypted MS documents cannot be opened or edited in the Office 365 web apps. Instead, you are prompted to open the document locally (i.e. with the local MS Office application). After editing and saving, the document is automatically synced back to online storage such as OneDrive for Business or SharePoint Online.
On mobile, AIP-encrypted MS documents can be opened and edited with the Android and iOS Office apps (Word, Excel, PowerPoint) developed by Microsoft.
Q2: For AIP-encrypted emails (sent via Outlook), can recipients open and read them on Android and iPhone using the built-in mobile mail app rather than the MS Outlook app?
A2: Protected emails appear as an attachment with the extension .rpmsg. You can open the message with the AIP Viewer app. When you reply to such an email, (1) the conversation history is not included in the reply message, and (2) the reply message is no longer encrypted/protected by AIP, so anything you type into the reply is sent unprotected.
Q3: Can AIP be applied to a standalone forest (department AD) for the Data Governance Policy? We have our own Windows AD; is it necessary to join the University AD?
A3: Currently, the University has no policy that mandatorily requires a department AD to be joined to the University's AD. However, when sourcing solutions to support departments in implementing IT policies, department-managed IT resources may not be fully covered or supported, owing to various factors.
To support the Data Classification and Data Governance Policy, the implementation of AIP helps protect digital information according to its defined data class. Departments whose AD is joined to the University's AD enjoy benefits such as:
A single account and credential to sign in to Office 365 and access AIP-protected documents. The user experience is simpler, users do not need to remember multiple accounts when accessing department and University resources, and desktop support by the LAN admin is easier as well.
AIP configurations managed and updated by ITSC. ITSC monitors changes in the Data Classification and Data Governance Policy and manages the corresponding changes in AIP configuration, so that changes to AIP are tested and deployed to keep it compliant with the policy.
Q4: Below is an extract from the AIP User Guide. Does 'Offline Access' mean that users can access confidential files without a password on their mobile device for, say, 7 days?
Classification Label: Confidential – All Staff
  Permission Granted: Editable by All CUHK Staff. Permission includes: View, Edit, Save, Save as, Export, Copy, Print, Reply, Reply all, Forward
  Encryption: Yes
  Visual Markings: Header & Footer in both MS Office files and emails
  Offline Access & Expiry Date: Allow 7 days offline access; no expiry date

Classification Label: Strictly Confidential – All Staff
  Permission Granted: Viewable by All CUHK Staff. Permission includes: View, Reply, Reply all
  Encryption: Yes
  Visual Markings: Header & Footer in both MS Office files and emails; Watermark in MS Office files
  Offline Access & Expiry Date: Allow 1 day offline access; no expiry date
A4: Offline access is an AIP feature that balances security and convenience. Simply put, after each authorization against the AIP cloud service, the user can access the protected document on that particular device for, say, 7 days without re-authorization. Within those 7 days the device can be offline, with no internet connection or O365 login, and still open the document. The detailed workflow is as follows:
On first use of the AIP client, or on first access to an AIP-protected document, the user is prompted for a username and password for authentication.
The authentication credential is cached for a period of time by the AIP client or Microsoft Office, so the user only needs to enter the password once until the cache expires or the password is changed.
Authorization is performed against the AIP cloud service whenever the user does not hold a valid token for the document.
The authorization token for that document is cached on the user's device for a number of days (the offline access setting).
If offline access is not set, authorization is required EVERY time the user opens the document, which requires an internet connection to the AIP cloud service.
If offline access is set very long, revoking permission cannot take effect promptly: the revocation only becomes effective once the cached authorization token on the user's device expires.
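The token-caching workflow above, as an added illustration (this is not ITSC's or Microsoft's code): a small Python model of a device-side token cache and a stand-in cloud service, using the 7-day and 1-day windows from the label table plus an assumed third label with no offline access. Running it shows the trade-off stated in A4: the longer the offline window, the longer a revoked document stays readable on a device that already holds a token, whether or not that device is online. All names, timestamps and the third label are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Offline-access window per label (days), taken from the label table above.
# The third label is an assumed one, added only to show the "no offline access" case.
OFFLINE_DAYS = {
    "Confidential - All Staff": 7,
    "Strictly Confidential - All Staff": 1,
    "Hypothetical - No Offline Access": 0,
}


@dataclass
class CloudService:
    """Stand-in for the AIP cloud service: issues per-document authorization
    tokens and records revocations, but is only consulted when a device is online."""
    revoked: set = field(default_factory=set)

    def authorize(self, doc_id: str, label: str, now: datetime):
        """Return the expiry of a new token for this document, or None if revoked."""
        if doc_id in self.revoked:
            return None
        return now + timedelta(days=OFFLINE_DAYS[label])

    def revoke(self, doc_id: str) -> None:
        self.revoked.add(doc_id)


@dataclass
class Device:
    """One user device holding a local token cache: doc_id -> token expiry."""
    service: CloudService
    cache: dict = field(default_factory=dict)

    def open_document(self, doc_id: str, label: str, now: datetime, online: bool) -> str:
        expiry = self.cache.get(doc_id)
        if expiry is not None and now < expiry:
            # Valid cached token: the document opens without contacting the service,
            # so a revocation made after the token was issued is not seen here.
            return "opened:cached"
        if not online:
            return "denied:offline"
        expiry = self.service.authorize(doc_id, label, now)
        if expiry is None:
            self.cache.pop(doc_id, None)
            return "denied:revoked"
        if expiry > now:  # a 0-day window yields nothing worth caching
            self.cache[doc_id] = expiry
        return "opened:online"


def hours_readable_after_revoke(label: str, online_after_revoke: bool = False):
    """Open a document once online, revoke it one hour later, then retry hourly.
    Returns (hours the document stayed readable after revocation,
    reason given at the first refusal)."""
    service = CloudService()
    device = Device(service)
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    first = device.open_document("doc-1", label, t0, online=True)
    if first != "opened:online":
        raise RuntimeError(first)
    service.revoke("doc-1")
    t_revoke = t0 + timedelta(hours=1)
    hours = 0
    while True:
        result = device.open_document("doc-1", label, t_revoke + timedelta(hours=hours),
                                      online=online_after_revoke)
        if not result.startswith("opened"):
            return hours, result
        hours += 1


if __name__ == "__main__":
    for label in OFFLINE_DAYS:
        for online in (False, True):
            hours, why = hours_readable_after_revoke(label, online)
            print(f"{label:35s} online={online!s:5s} readable {hours:3d} h after revoke, then {why}")
```

With a 7-day window the document remains readable for 167 hours after the owner revokes it, and going online does not help because the cached token is checked before the service is contacted; with no offline window the very next open after revocation is refused.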
Q5: If the original owner of an AIP-protected file has left the University, can we still access the file or update the file owner?
A5: Even if the original owner has left the University, the file remains accessible to authorized users. If the file owner needs to be updated, the department should submit a request to the ITSC Service Desk (Information Security > General Enquiry / Azure Information Protection (AIP)) or contact infosec@cuhk.edu.hk to arrange the update.
Installation
Q1: My computer is AD-joined and AIP was installed by software assignment through AD Group Policy. After the software assignment and rebooting my computer, I cannot locate the AIP client.
A1: The installation of AIP starts after your computer is rebooted, and the process is so transparent that you may not notice anything happening. The installation takes a few minutes to finish. Once it is successfully installed, 'Azure Information Protection Viewer' appears in the Windows START menu.
Usage
Q1: My colleague sent me an AIP-protected email and I can't open it using Outlook; it prompted:
I clicked Yes, and it showed that I was already signed in:
I clicked on the current account and the pop-up window closed, but I still failed to open the email. However, when I used OWA, I could open the email. I don't know if I have something misconfigured.
A1: We have also experienced similar behaviour on AD-joined computers, where Office signed in automatically to the on-premises AD account rather than the O365 account through ADFS. Please sign out of your MS Office application (File > Account > Sign out) and then sign in again.
Q2: My colleague sent me an AIP-protected email and I can't open it using my Outlook; it prompted:
A2: Please check whether the email can be read using OWA (direct link: https://outlook.office.com/owa/). If it is readable in OWA, your permissions are correct. Please sign out of MS Outlook and then sign in again.
Q3: We were told that protected emails sent to @cuhk.edu.hk have no expiry, meaning they are always readable, whereas protected emails sent to other domains (such as a departmental email address or an external email address) are only readable for 60 days by default, and this default cannot be amended. How should we interpret this?
A3: Please interpret it as follows:
The default labels (Confidential / Strictly Confidential) protect emails and allow access only by accounts in the @cuhk.edu.hk domain.
If a protected email is sent directly to @cuhk.edu.hk, there is no expiry date and it is always readable.
If a protected email is sent to @cuhk.edu.hk and then forwarded to @dept.cuhk.edu.hk, the recipient must access it through the link to the web portal and sign in with their @cuhk.edu.hk account, with a 60-day expiry.
If a protected email is sent directly to @dept.cuhk.edu.hk, unfortunately there is no way to read it.
Q4: Can I send protected emails or share protected documents with students?
A4: AIP is for CUHK staff (using their personal @cuhk.edu.hk account) to apply protection to their emails or documents. You can use "custom permissions" to share a protected document with other users (such as students) by entering the students' email addresses in the designated dialogue box.
Q5: I received an AIP-protected Excel file which I should have permission to open, but I can't open it with my MS Excel even though I've logged in to my O365 account.
A5: If you encounter this problem with MS Office 2016, we recommend upgrading to MS Office 2019 or a later version.
Alternatively, a temporary workaround for users running Kaspersky Endpoint Security anti-virus version 11.1 is as follows:
Find the Kaspersky anti-virus icon on the Windows taskbar > right-click the icon > click "Pause protection and control";
Open the AIP-protected document again; it should now open without problem;
Resume Kaspersky protection immediately: right-click the Kaspersky icon on the Windows taskbar > click "Resume protection and control".
You only need to perform these steps once; other AIP-protected documents should open without error afterwards.
Q6: Can I open AIP-protected PDF files directly with Acrobat Reader?
A6: Please check whether your Acrobat Reader/DC version is one of the supported versions listed on Adobe's webpage (https://helpx.adobe.com/acrobat/kb/mip-plugin-download.html). If so, you can download and install the MIP plugin from that page to open AIP-protected PDF files.