Executive Overview:
Information Rights Management (IRM) features in Exchange 2013 are used to prevent information leakage or loss of potentially sensitive information, which can be costly to an organization and include financial loss, erosion of competitive advantage and damage to image and credibility.
Notable Features:
- Active Directory Rights Management Services (RMS)
- AD RMS Rights Policy Templates
- Outlook/Transport Protection Rules
- E-mail/ OWA & ActiveSync support
- In-place eDiscovery support
- Hybrid and Cross-forest deployments
Architecture/Components:
IRM features are deployed in conjunction with Microsoft Active Directory Rights Management Services (AD RMS). Using policy templates, an administrator can quickly deploy a wide array of policies to protect and secure potentially-sensitive data across a variety of client access methods (Outlook/OWA/ActiveSync), while still providing full support for eDiscovery and Journaling processes.
- AD RMS rights policy templates: RMS rights policy templates are XrML documents that contain a predefined usage policy that can be applied to protect an item of content. Templates can contain the following information:
- A template name and description.
- Users and groups that can be granted content licenses.
- The rights and associated conditions granted to the users.
- The content expiration policy.
- A set of extended policies.
- The template revocation policy.
- A revocation list.
- A revocation list refresh interval.
- A public key file for the revocation list.
- IRM Agents: IRM is implemented in Exchange 2013 using transport agents in the Transport service on a Mailbox server. Agents include the following (RMS Decryption Agent | Transport Rules Agent | RMS Encryption Agent | Prelicensing Agent | Journal Report Decryption Agent
- Transport Protection Rules: A transport protection rule is used to apply persistent rights protection to messages based on properties such as sender, recipient, message subject, and content.
- Outlook Protection Rules: An AD RMS template can be applied to Outlook 2010 or other RMS-enabled applications in order to protect messages before they are sent.
- Transport Decryption: This feature allows the Transport Service to inspect the content of an IRM protected message in order to apply policies or rules to the message.
- In-place eDiscovery: You can configure IRM to allow Exchange Search to index IRM-protected messages, in order to support an In-place eDiscovery search that is performed by members of the Discovery Management role group.
- Journal report Decryption: This allows the Journaling agent to attach a decrypted copy of a rights-protected message to the journal report. This requires the Federated Delivery mailbox to be added to the super users group on the AD RMS server.
- IRM in OWA: The following IRM functionality is available from OWA (Send/ Read IRM-protected messages | Send IRM protected attachments | WebReady Document Viewing
- IRM in Exchange ActiveSync: Organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content when accessed from mobile devices. Mobile device users can create/read/reply to and forward IRM-protected messages.
Common Administrative Tasks:
- Configuring IRM: Set-IRMConfiguration: Set-IRMConfiguration -InternalLicensingEnabled $true
- Create a Transport Protection Rule: via EAC or Cmdlet
Retrieve all RMS templates: Get-RMSTemplate | format-list
Create rule: New-TransportRule -Name “New rule” -SubjectContainsWords “Dirty Bananas” -ApplyRightsProtectonTemplate “Do Not Forward” - Create an Outlook Protection Rule: New-OutlookProtectionRule -Name “Project Bananasplit” -SentTo “DL-BananasplitRnD@chimpcorp.com” -ApplyRightsProtectionTemplate “Business Critical”
- Add the Federation System Mailbox to AD RMS Super Users Group :
Create a dedicated Super User Group: New-DistributionGroup -Name ADRMS SuperUsers -Alias “ADRMS Super Users”
Add the Federated system mailbox to the group: Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 - Enable/Disable Transport Decryption: Set-IRMConfiguration -TransportDecryptionSetting Mandatory
- Enable IRM to support In-place eDiscovery:
Enable Exchange Search: Set-IRMConfiguration -SearchEnabled $true
Enable eDiscovery: Set-IRMConfiguration -EDiscoverySuperUserEnabled $true - Enable/Disable Journal Report Decryption: Set-IRMConfiguration -JournalReportDecryptionEnabled $true
- Enable/Disable IRM OWA support:
Configure on each OWA Virtual Directory: Set-OWAVirtualDirectory -IRMEnabled $true
or Configure on each OWA Mailbox Policy: Set-OWAMailboxPolicy -IRMEnabled $true - Enable/Disable IRM Exchange ActiveSync support:
Add the Federation System Mailbox to AD RMS Super Users Group (Step 4)
Top PowerShell Commands/Tools:
– Set/Get-IRMConfiguration
– Get-RMSTemplate
– New/Get-TransportRule (ApplyRightsProtectionTemplate)
– New/Get-OutlookProtectionRule
– Test-IRMConfiguration
Reference/Links:
Technet: Information Rights Management
Technet: Common IRM tasks
Technet: Configure permissions
Cmdlets: Messaging policy and compliance
Reference: AD RMS Rights Policy Templates
List of supported file types covered by IRM policies when attached to messages