RMS with Microsoft SharePoint © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. TechReady 18 10/14/2018 RMS with Microsoft SharePoint EMS Partner Bootcamp

SharePoint Server IRM Integration Provides Information Rights Management capabilities to SharePoint Server 2013/2010 Integrated with document lifecycle management of files stored into Document Libraries Assigns Office IRM permissions based on SharePoint permissions Optimizes policy enforcement by applying content-based protection without user intervention SharePoint rights IRM permissions Manage Permissions Manage Web Full Control Edit List Items Manage List Add and Customize Pages Edit, Copy, and Save View List Item Read All Other Rights No IRM mapping In SharePoint Server, organizations can use Information Rights Management (IRM) to limit the actions that users can take on files that have been downloaded from SharePoint lists or libraries. This is a new feature introduced in SharePoint 2007 and it is not available on Windows SharePoint Services. Windows SharePoint Services did have the ability to upload a protected document. However, there were no search or indexing capabilities in SharePoint and no automatic protection of documents as they are downloaded. IRM gives you tight control over business data by imposing usage restrictions at the document level, regardless of where the document is stored after being downloaded. SharePoint permissions assure only authorized users are able to download documents from a library. IRM prevents those authorized users from modifying, copying or printing or forwarding that information in an unauthorized manner. SharePoint will take the SharePoint permissions defined for the document in the document library and assign equivalent Office IRM permissions at the moment the document is downloaded, without any user or administrator intervention and without the need to maintain two different sets of permissions (one for the document library and another one for IRM).

How Does SharePoint IRM Work? Documents are stored in the database as they come in Provides indexing and search capabilities Content listed on search based on ACLs Documents are protected each time a user downloads the file After a user selects a file, it is protected and provided to the client Protection derived from the user’s permissions in the library If connection fails, the file won’t be provided to the client When a previously protected file is re-uploaded to the portal, the content protection is removed This feature optimizes document lifecycle into SharePoint Only for documents protected by SharePoint Other protected documents treated as opaque “blobs” SharePoint Server will store the uploaded documents in clear text in its SQL Server database. The SharePoint database should be stored in a secure server and managed according to the criticality of the data stored in it, so having the documents themselves stored in unencrypted form should pose no additional security risk. Storing the documents in unencrypted form allows SharePoint to index and search information normally, with no impact from the IRM integration. The content list returned by the search query uses the SharePoint side and document library permissions (ACLs) to block users from seeing unauthorized content. SharePoint IRM will protect the document as users download it from a protected library. After the user selects a file, a file- format protector running inside SharePoint applies AD RMS based protection to the file with rights that restrict consumption to the specific user account downloading the document before providing the file to the user. Upon download, the use license is assigned to the specific user meaning that only the user will be able to open that file, and the permissions defined in the publishing license will reflect the permissions assigned to the user in the document library. This enforces users to edit and share documents using SharePoint, rather than downloading the document and sending it via email or other method.   When the user eventually uploads the protected file back to the SharePoint portal, the content protection is automatically removed, optimizing the document lifecycle operations. It is important to note that SharePoint will only strip protection from a document when it’s uploaded if the document was originally protected by SharePoint. If a document protected independently by a user is uploaded to SharePoint, SharePoint will not alter the existing protection and that document will be stored in protected form in the database. When such a previously protected file is downloaded by a user, SharePoint will maintain the original rights applied before uploading the file. SharePoint will connect to the AD RMS cluster every time a user downloads a protected file. If the connection between SharePoint and the AD RMS cluster fails, the file won’t be provided to the client.

How Does SharePoint IRM Work? 1) User uploads an unprotected document to a protected document library in SharePoint 2) SharePoint stores the document in clear text. If the document is protected by the same library, SharePoint strips the protection The user uploads an unprotected document to SharePoint. SharePoint stores the document in clear text. If the document was originally protected by SharePoint, the protection is stripped. The user with access to the library requests access to the document. SharePoint will then use the user’s RAC to request a use license with permissions corresponding to those in the document library. SharePoint IRM will protect the document as users download it from a protected library. After the user selects a file, a file- format protector running inside SharePoint applies AD RMS based protection to the file with rights that restrict consumption to the specific user account downloading the document before providing the file to the user. Only the user will be able to open that file, and the permissions defined in the publishing license will reflect the permissions assigned to the user in the document library. When the user uploads the protected file back to the SharePoint portal, the content protection is automatically removed, optimizing the document lifecycle operations. It is important to note that SharePoint will only strip protection from a document when it’s uploaded if the document was originally protected by SharePoint. 3) User with permissions to the library requests the document 4) SharePoint uses the user’s identity to request a Publishing License for the user with permissions corresponding to those in the document library 5) SharePoint sends the protected document to the user 6) User opens the document with limited permissions

File Formats Microsoft Office PDF Office 2003 and later Word, Excel, PowerPoint, InfoPath PDF Available in SharePoint 2013 and SharePoint Online Requires RMS-aware PDF reader File formats for which you install a SharePoint IRM Protector Available via partners The following file formats are natively supported by SharePoint IRM integration: Microsoft Office 2003 Word, Excel, and PowerPoint binary formats (.doc, .xls, and .ppt) Microsoft Office 2007 Open XML file formats (.docx, .xlsx, .pptx) Microsoft Office 2007 InfoPath Microsoft Office 2010 Open XML file formats Microsoft Office 2010 InfoPath Microsoft Office 2013 Open XML file formats Microsoft Office 2013 InfoPath Microsoft XML Paper Specification (XPS) format Additional file formats can be supported with the proper file-format protectors provided by third parties. Independent software vendors can develop their own protectors by using the AD RMS Software Development Kit

Administrator Experience SharePoint IRM integration enabled across the organization Protection for document libraries enabled per library Enabling IRM functionality in SharePoint Server is first done at server farm level. In the SharePoint 3.0 Central Administration site, the server farm administrator should enable IRM integration by specifying whether to use the Service Connection Point (SCP) to locate the AD RMS cluster, or to override the SCP and specify which RMS cluster will be used for licensing After specifying the AD RMS cluster on the server farm level, IRM is then enabled at the document library level using the Document Library Settings page. The following definitions are configured there: Policy title and description: this information appears in the Office client application. In the description field, you can explain why the corporation restricted access to the document, or give details about the policy. Print: there is no good mapping to a WSS right, so it is a separate setting on each document library. Any user who has the View right can print the document if the checkbox is selected. Allow users to access content programmatically: allows users to run macros in protected documents. Use offline for X days: allows users to continue accessing the document after its downloaded for a specified number of days. Even if offline access to a document has expired, users can still upload the document to the server, so they will not lose their work in progress. Reject files: checking this checkbox results in the document library rejecting documents that: (a) do not support IRM (e.g., text files) and (b) are already protected and not by this library. Remove protection on a particular date: will stop applying protection to documents in the library after specific date. Usage scenario: Once the quarterly statement is published, the corporate policy on a financial documents library changes.

Additional options in SharePoint Group protection grants an additional group the same rights as the downloading user Block uploading of files that can’t be protected by SharePoint Controlling print and other rights that have no direct equivalent in SharePoint permissions Policy name and description There is no difference in features or functionality between SharePoint Online and SharePoint Server. In fact, you enable IRM in SharePoint and protect SharePoint document libraries using the same steps in both SharePoint Online and SharePoint 2013. There are some slight UI differences in SharePoint 2010, but the basic steps remain the same.

SharePoint Online RMS Capabilities SharePoint Online has the same RMS capabilities as SharePoint 2013 Enabled and configured in the same manner No functional difference between SharePoint Online and SharePoint Server There is no difference in features or functionality between SharePoint Online and SharePoint Server. In fact, you enable IRM in SharePoint and protect SharePoint document libraries using the same steps in both SharePoint Online and SharePoint 2013. There are some slight UI differences in SharePoint 2010, but the basic steps remain the same.