
Microsoft Information Protection (MIP) User Guide
Prepared by ITSC
Version: 5.0
[Last update: Jan 2021]
[Initial version: Nov 2017]

Table of Contents
1. About MIP
2. Client Installation
   Supported Environment
   Download AIP Client Installation File
   AIP Client Installation
   Sign in for MIP Protection
3. MIP Policy, Classification, Labeling and Protection
   Pre-defined Classification Labels and Permission Controls
   Custom Permissions
4. File Protection in Windows
   Create a Protected File with Classification
   Create a Protected File with Custom Permission
   Open a Protected file and View Permission
   Change Classification and Protection
5. Email Protection for O365 Email
   Send Protected Email with AIP Client
   Send Protected Email with Subject Tag
   Read Protected Email
6. File Protection in SharePoint Online & OneDrive
   Create a Protected document in SharePoint Online & OneDrive
   Open a Protected document in SharePoint Online & OneDrive

1. About MIP

Microsoft Information Protection (MIP) helps you to classify, label and protect your data at the time of creation based on the sensitivity of data. Labels and protection are persistent, traveling with the data throughout its lifecycle, so that it’s detectable and controlled at all times – regardless of where it’s stored or with whom it’s shared – internally or externally.

2. Client Installation

Supported Environment

The following table shows the required applications and supporting environment to protect and/or access the files and emails:

Supported OS: Windows (Win 10, Win 8.1)
  Supported Office versions: Office 365 ProPlus; Office Pro Plus 2019; Office Pro Plus 2016
  Required applications: Azure Information Protection client (v2.x)
  Operations can be done:
  - Protect MS Office files with AIP toolbar in Office applications
  - Protect non-MS Office files with AIP client
  - Access all protected files with Office applications (Office files) or AIP client (non-Office files)

Supported OS: Mac OS 10.9 or above
  Supported Office versions: Office 365; Office 2019 for Mac; Office 2016 for Mac
  Required applications: RMS Sharing app
  Operations can be done:
  - Protect MS Office files with Sensitivity button in Office applications
  - Access all protected files with Office applications (Office files) or AIP client (non-Office files)

Supported OS: iOS 11.0 or above; Android OS 6.0 or above
  Supported Office versions: Latest Microsoft Office app
  Required applications: Azure Information Protection apps (v2.x)
  Operations can be done:
  - Access all protected files with Office applications (Office files) or AIP client (non-Office files)

Download AIP Client Installation File

For Windows:
For standalone installation, you may download and extract the installation file “AZInfoProtection UL.exe” at spx?id 53018.
For central deployment, you may download and extract the MSI file “AZInfoProtection UL MSI for central deployment.msi” at px?id 53018.

For Mac OS X:
Download the “RMS Sharing” app from App Store.

For iOS and Android OS:
Download the “Azure Information Protection” app from Apple Store (iOS) and Google Play (Android OS).

AIP Client Installation

2.3.1. In Windows
Steps:
1. Close all Office applications and all instances of File Explorer.
2. Double click the installation file “AzInfoProtection UL.exe”.
3. Install the AIP Client:
   3.1. Deselect “Help improve Azure Information Protection by sending usage statistics to Microsoft”.
   3.2. Click “I agree” to install the client.

4. When the installation completes, click Close.

2.3.2. In Mac OS X
Steps:
1. After you download the RMS Sharing app, it will be installed automatically.

2.3.3. In iOS & Android OS
Steps:
1. Download the Azure Information Protection app, and it will be installed automatically.

Sign in for MIP Protection

After the AIP Client is installed, please sign in to (i) the AIP client and (ii) MS Office applications with your CUHK O365 account in order to download the AIP policies for CUHK users.

2.4.1. Sign in AIP Client
Steps:
1. When you open any MS Office application, e.g. MS Word, the sign-in screen for Microsoft Azure Information Protection appears. Sign in with your CUHK O365 account email address and click the Next button, then enter your OnePass password and click the Sign in button.


2.4.2. Sign in MS Office application
Steps:
1. Start an MS Office application, e.g. Word, Excel or PowerPoint. If you have not signed in to your CUHK O365 account, please click Sign in on the top right-hand corner.
2. Sign in with your CUHK O365 account email address and click the Next button, then enter your OnePass password and click the Sign in button.

3. After signing in successfully, you can find your name on the top right-hand corner.
   Also, you can see a Sensitivity icon appear on the ribbon.

2. Click the Sensitivity icon and select Show Bar, then a new AIP bar is shown.
   You can use it to label and protect your documents if necessary.

3. MIP Policy, Classification, Labeling and Protection

3 default settings in the MIP policy are configured:
- It is NOT mandatory to have a classification label for all documents or emails.
- There is NO default classification label for documents or emails.
- It is REQUIRED to provide justification to remove the classification label and protection in a protected document or email.

When you are going to protect your documents, you can either use:
1. the pre-defined classification labels with permission controls
2. the custom permission which allows more flexibility for selecting the authorized persons, permissions and expiry date.

Pre-defined Classification Labels and Permission Controls

The following table describes the details about the default Classification, Labeling and Protection controls pre-defined.

Classification: Confidential
  Label: Confidential – All Staff
  Permissions Granted: Editable by All CUHK Staff. Permission includes: View, Edit, Save, Save as, Export, Copy, Print, Reply, Reply all, Forward
  Protection with Encryption: Yes
  Visual Markings: Header & Footer in both MS Office files and emails
  Offline Access and Expiry Date: Allows 7 days offline access; No expiry date

Classification: Strictly Confidential
  Label: Strictly Confidential – All Staff
  Permissions Granted: Viewable by All CUHK Staff. Permission includes: View, Reply, Reply all
  Protection with Encryption: Yes
  Visual Markings: Header, Footer & Watermark in MS Office files; Header & Footer in emails
  Offline Access and Expiry Date: Allows 1 day offline access; No expiry date

Custom Permissions

If it is not applicable to use the pre-defined classification labels in Section 3.1, you can use the custom permissions by assigning the appropriate user role:

User Role | Operations for authorized person | View | Edit, Save | Save As, Export | Copy | Print | Reply, Reply All | Forward | Full Control
Viewer | View the protected file only | Y | | | | | Y | |
Reviewer | View and edit the protected file only | Y | Y | | | | Y | Y |
Co-Author | All permissions as the document owner except changing the permissions | Y | Y | Y | Y | Y | Y | Y |
Co-Owner | Full control as the document owner | Y | Y | Y | Y | Y | Y | Y | Y

Also, you can freely select different individuals or groups of users who can access the file, and define the expiry date as well.

4. File Protection in Windows

Create a Protected File with Classification

After the AIP client is installed and you have signed in with your CUHK O365 account, you can start to label and protect (with encryption) your files if necessary. However, the labeling and protection steps on MS Office files (i.e. Word, Excel & PowerPoint) and non-MS Office files are different.

4.1.1. For MS Office Files
Steps: (The following steps can be applied to MS Excel & PowerPoint as well)
1. Open MS Word, on the Information Protection toolbar, select an appropriate classification label to classify and protect the document with pre-defined permissions.
   For example, select Confidential, then Confidential – All Staff.
2. After the classification, you can see the sensitivity has changed to “Confidential” and visual markings, header and footer in this case, also indicate the current classification level.
   [Screenshot callouts: Classification Label applied; Visual Marking: header]

4.1.2. For Non-MS Office Files
Steps:
1. Select a non-MS Office file, e.g. jpg, txt or pdf file, right click and select “Classify and protect” on the context menu.
2. All available classification labels are shown, select an appropriate classification label and sublabel to classify and protect the file with pre-defined permissions.
   For example, click Confidential and Confidential – All Staff, then click Apply button.

3. Click Close button to close the window.
4. After the classification is applied, the file format has changed to an AIP protected file format.
   You can see a [icon] on the file icon which indicates that the file is AIP protected.
   Also, the file extension is changed from *.jpg to *.pjpg which indicates that it is a protected jpeg file.

Create a Protected File with Custom Permission

If the pre-defined classification labels are not suitable, you may apply custom permissions.

4.2.1. For MS Office File
Steps:
1. Click File > Info > Protect Document > Restrict Access > Restricted Access.

2. A custom permission window opens. Check the box “Restrict permission to this document”, then you can grant different permissions to different persons. You can click the “More Options” button to find more permission options.

4.2.2. For MS-Office & Non-MS Office File
Steps:
1. Select a file, e.g. jpg, pdf or MS Office file, right click and select “Classify and protect” on the context menu.
2. On the pop-up window, check the box “Protect with custom permissions”.

3. Select an appropriate permission. There are 5 types of permission available. Details about the permissions can be found in Section 3.2.
   Select user, from the Global Address List or type in the email address directly.
   Select the date on which access expires, if necessary.
   Then, click “Apply” button to confirm the protection settings.

Open a Protected file and View Permission

4.3.1. In Windows

4.3.1.1. View a Protected MS Office File
Steps:
1. To access an AIP-protected MS Office file to which you have been granted access, please make sure you have signed in to your CUHK O365 account in the Office application.
2. Open the protected file. An information bar indicating the sensitivity level (confidential, or strictly confidential) and the permission of the file is shown.
   If the file is protected with custom permissions, information about ‘only specified users can access’ and other information is shown.

3. Click the View Permission button to view the detailed permissions granted to you.
   [Screenshot callouts: Your O365 account; Sensitivity label applied on this file; Details permissions granted]
4. If your account is not authorized to view the file, the message box below is displayed.

4.3.1.2. View a Protected Non-MS Office File

You need to have the Azure Information Protection Client installed before you can open a protected non-MS Office file.

Steps:
1. Double click to open the protected non-MS Office file, e.g. *.pjpg or *.ppdf. It will launch the Azure Information Protection Viewer automatically, which allows you to see the content inside the protected (encrypted) file.
2. Click the “View Permission” button to view the detailed permissions granted to you.
   [Screenshot callout: Details permissions granted]

3. If your account is not authorized to view the file, the message box below is displayed.

4.3.2. In iOS & Android

On mobile platforms, you would most probably receive a protected file via email.
In order to open the protected file, you need to download and install the following apps on your mobile device in advance (as mentioned in Sec 2.1):
- Microsoft Word, Excel, and PowerPoint apps for opening MS Office files
- AIP Viewer app for opening non-MS Office files

After the above apps are installed, log in to these apps with your O365 account for authentication and authorization checking when you open any protected files.

4.3.2.1. Open the Protected Word file (MS Office file)
Steps:
[Take iOS as an example, you can apply similar steps in Android OS.]
1. Click on the MS Word attachment in the email.
2. If the file access is granted to you, and you have logged in to your O365 account, it will open the Word app automatically and open the protected Word file.
   Click on the [icon] icon to check the Sensitivity label applied on this document.

4.3.2.2. Open the protected JPG file (non-Office file)
Steps:
[Take iOS as an example, you can apply similar steps in Android OS.]
1. Click on the JPG file attachment in the email.
2. Click on the [icon] icon and click Share File via , then choose AIP Viewer app to open the file.

3. If you have not signed in to AIP Viewer before, the AIP Viewer app will prompt you to sign in. Sign in with your CUHK O365 account, and you can open the file if permission is granted to you.
4. After the file is opened, click on the [icon] icon to view the permission applied on this file.

Change Classification and Protection

Please note that only the file owner can change the classification or permission of a protected file.

4.4.1. For MS Office File
Steps:
1. Click the Edit Label icon to edit classification label.
2. You can select another appropriate label or delete the currently selected label.
3. If you delete a classification label, or change the label to a lower level, you need to provide a justification to explain the reason.

4. If a custom permission was applied on the document, you can click Change Permission button to change the permission or add other users with different permissions.
5. Click “More Options” button to view all users, edit their rights and other settings.

4.4.2. For Non-MS Office File
Steps:
1. Right click the file icon and select “Classify and protect” in the context menu.
2. You can select another classification label, or delete the current label with the Delete Label button, then click “Apply” button to confirm.

3. If you delete a label, click Delete label button and then click Apply button, you will be asked to provide an explanation.

5. Email Protection for O365 Email

Send Protected Email with AIP Client

As AIP is integrated with MS Exchange Online, users of the Exchange servers which have been joined to the CUHK University AD can use AIP to protect their emails.

Prerequisites:
- Departmental Exchange server joined to the University AD
- Client PC installed AIP Client (refer to Section 2.3.1)

5.1.1. In MS Outlook 2016, 2019, Office 365

5.1.1.1. Activate AIP Protection in MS Outlook for Windows
Steps:
1. Open MS Outlook.
2. Login with your CUHK Exchange account.
3. Click ‘New Email’ icon on the toolbar.
4. In the new compose window, if you have not signed in to the AIP service before, click Sign in button and sign in with your O365 account.

5. When you are signed in, click ‘Sensitivity’ icon, then click Show Bar, the AIP bar would appear.
   The AIP toolbar with pre-defined classification labels will be shown.

5.1.1.2. Apply a Classification Label in MS Outlook
Steps:
1. Click ‘New Email’ icon on the toolbar in MS Outlook.
2. Choose a classification label, for example, click Confidential on the AIP toolbar.
   [Screenshot callouts: Classification Label; Permission owner]
   The information about the permission granted will be shown.
3. If there is more than 1 profile in your MS Outlook, please make sure to select the correct permission owner for applying a classification label.
   To select the permission owner, in your email composing window, click File > Info > Set Permissions, then select the permission owner and apply the classification label.

5.1.1.3. Change / Delete the Classification Label in MS Outlook Windows
Steps:
1. You can click Edit Label icon to change the classification label.
2. To remove the classification label, click Edit Label icon and then Delete Label icon.
   The classification is Not set now.

5.1.1.4. Attach File in a Protected Email
Steps:
1. In a protected email with classification label applied, you can attach any file as usual by clicking the Attach File icon.
   Different classification / protection between email and attachment would have different behavior:

Email: Protected; Attachment: Unprotected
  Behavior: Classification label applied to the email will be applied to attached MS Office files as well, while non-MS Office remains unprotected
  Access: Can access both email and attachment / Cannot access both email and attachment

Email: Protected; Attachment: Protected
  Behavior: Email and attachment will apply their own classification label.
  Access: Can access both email and attachment / Cannot access both email and attachment

Email: Unprotected; Attachment: Protected
  Behavior: No protection would be applied to the email.
  Access: Can access both email and attachment / Can access the email, cannot access the attachment

Email: Unprotected; Attachment: Unprotected
  Behavior: No change in both email and attachment
  Access: Can access both email and attachment / Can access both email and attachment

5.1.2. In Outlook Web Access (OWA)

In OWA, 4 types of protection can be applied to an email:

Type of protection: Confidential
  Description: Encryption would be applied to the email. Accessible by all CUHK Staff only. Permission includes: View, Edit, Save, Save as, Export, Copy, Print, Reply, Reply all, Forward

Type of protection: Strictly Confidential
  Description: Encryption would be applied to the email. Viewable by all CUHK Staff only. Permission includes: View, Reply, Reply all

Type of protection: Encrypt
  Description: Encryption would be applied to the email.

Type of protection: Do Not Forward
  Description: Recipients can read the email, but they cannot forward, print, or copy content.

5.1.2.1. Apply a Permission in OWA
Steps:
1. Login your O365 account in OWA, click New message button for composing a new email:

2. In the New Email window, click Sensitivity button, then select the classification label, e.g. Confidential All Staff.
   The information about the classification label chosen will be shown.

Send Protected Email with Subject Tag

In Exchange Online, 2 transport rules have been set up for email protection in case the AIP client is not applicable on some platforms, e.g. mobile environment.
You can include the following tags in the email subject to apply the same permission control as the classification labels in MS Outlook.
- Email subject with keyword “#Confidential”
  o Apply permission control: Confidential – All CUHK Staff
- Email subject with keyword “#StrictlyConfidential”
  o Apply permission control: Strictly Confidential – All CUHK Staff

For example, send an email with the email client on your mobile device and include the keyword “#StrictlyConfidential” in the email subject.

After the email is sent:
i. An authorized recipient can access the email content and see the classification and permission granted.
   [Screenshot callouts: Permission granted; Email Content]
ii. If you are an unauthorized recipient, you cannot access the email, and the message below stating that the email is AIP protected is shown.
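
The guide states only that two Exchange Online transport rules map the subject tags to the two permission controls; it does not show them. The following is an added example, not the university's actual configuration, of how an administrator could define and verify such rules. The rule names, the template names (placeholders) and the choice of the SubjectContainsWords predicate are assumptions.

```powershell
# Added example: assumed admin-side configuration, not taken from the guide.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Constructed mapping: subject tag -> rights protection template.
# The template names are placeholders; replace them with names returned by Get-RMSTemplate.
$tagRules = @(
    @{ Tag = '#Confidential';         Template = '<Confidential - All Staff template>' },
    @{ Tag = '#StrictlyConfidential'; Template = '<Strictly Confidential - All Staff template>' }
)

# Templates the tenant actually publishes to Exchange Online.
$available = Get-RMSTemplate | Select-Object -ExpandProperty Name

foreach ($r in $tagRules) {
    # Refuse to create a rule that points at a template that does not exist.
    if ($available -notcontains $r.Template) {
        Write-Warning "Template '$($r.Template)' not found; no rule created for $($r.Tag)"
        continue
    }

    $ruleName = "Protect subject tag $($r.Tag)"   # hypothetical naming scheme

    # Skip creation if a rule with this name is already present.
    if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$ruleName' already exists"
        continue
    }

    # Apply the rights protection template to any message whose subject carries the tag.
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords $r.Tag `
        -ApplyRightsProtectionTemplate $r.Template `
        -Mode Enforce
}

# Verification: list the tag rules with their state and the template each one applies.
Get-TransportRule |
    Where-Object { $_.Name -like 'Protect subject tag*' } |
    Format-Table Name, State, Mode, SubjectContainsWords, ApplyRightsProtectionTemplate
```

Creating the rules with `-Mode Audit` first records which messages would match before protection is enforced.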

Read Protected Email

5.3.1. In Outlook for Windows
Steps:
1. Open MS Outlook.
2. Login with your CUHK Exchange account.
3. Locate the protected email in your mailbox. There is a [icon] icon indicating the email is protected.
4. Open the protected email by double clicking the email subject.
   An authorized recipient can access the email content and attachment according to the permission granted.
   [Screenshot callouts: Classification Label; Description about the Classification Label; Email Content; Header & Footer for the classification label]

5. If you are an unauthorized recipient, you will not be able to access the content of the email and the attachment. In the reading pane, the following message stating that the email is AIP protected is shown.
   The protected email has the *.rpmsg extension (i.e. right-protected message).
   Open the protected email by double clicking the email subject, and the following message will pop up.
   Click Yes to open the email with an authorized account, click No to close the window.

5.3.2. In Outlook for iOS and Android
Steps:
1. Open MS Outlook.
2. Login with your CUHK Exchange account.
3. Locate the protected email in your mailbox, and click on the email to view details. An authorized recipient can access the email content and attachment according to the permission granted.
   [Screenshot callouts: Classification Label; Header & Footer for the classification label; Email Content]
4. Click on Permissions to show the detailed permissions.

5. Back in the email content, you need specific apps to open the protected attachments.
   You need to download and install the following apps on your mobile device in advance (refer to Section 2.1):
   o Microsoft Word, Excel, and PowerPoint for opening MS Office files
   o Azure Information Protection for opening non-MS Office files
   After the above apps are installed, log in to these apps with your O365 account for authentication and authorization checking when you open any protected files.

6. To open the protected Word file (Office file), click on the MS Word attachment in the email.
   In iOS:
   Click on the MS Word app to open the file. Alternatively, you can click the [icon] icon and click Copy to Word to open it by MS Word apps.
   OR
   In Android OS:
   Open with the MS Word apps.

7. To open the protected JPG file (non-Office file), click on the JPG file attachment in the email.
   In iOS:
   Click on the [icon] icon and click Copy to AIP Viewer to open it by AIP Viewer.
   In Android OS:
   It will call the AIP Viewer directly and open the file.

5.3.3. In Outlook Web Access (OWA)
Steps:
1. Login to O365 Mail and locate the protected email in your mailbox. There is a [icon] icon indicating the email is protected.
2. Open the protected email by double clicking the email subject.
   An authorized recipient can access the email content and attachment according to the permission granted.
   [Screenshot callouts: Classification Label and description; Email Content; Header & Footer for the classification label]
3. If you are an unauthorized recipient, the message below stating that the email is AIP protected is shown.

6. File Protection in SharePoint Online & OneDrive

Create a Protected document in SharePoint Online & OneDrive

Currently, AIP is not integrated in MS SharePoint Online and OneDrive. However, you can upload an AIP protected file to these environments as usual, provided the file has been protected on your local computer in advance. Detailed steps about File Protection can be found in Section 4.

Open a Protected document in SharePoint Online & OneDrive

Protected documents in SharePoint Online and OneDrive cannot be opened and edited with the Office Web App; an error message is shown.

Steps:
1. Open a protected Word document in SharePoint Online, the following message box will be shown:
2. Click Edit in Word to launch MS Word on your local computer and access the protected file.
3. If you have the permission to edit the file, you can edit and save the file as usual, and the updated file is saved in SharePoint or OneDrive.
