Overview of Exchange 2016 Policy Tips

Introduction
Policy tips notify senders when a message they are composing violates the company's security policies. For example, if you have a DLP policy configured in Exchange to prevent users from sending credit card numbers, the policy tip can warn the sender about the risk of sending this email, because it violates the company’s compliance policy.

The policy tip can also give the sender an option to provide a business justification for the message being sent. Policy tips are managed by the Exchange administrator.

What is the difference between Mail tips & Policy Tips?

The policy tip configuration is applicable only to the DLP rules configured in your environment.

Mail tips settings are specific to each Exchange account that Outlook is configured to connect to. You can set mail tips preferences for each account by selecting that account in the application.

An example of a mail tip is shown below:

https://exchangequery.files.wordpress.com/2016/06/m1.png?w=600

Mail tips are part of the organization configuration, which can be viewed by running the following command:

Get-OrganizationConfig | fl mail*

https://exchangequery.files.wordpress.com/2016/06/m2.png?w=600

How do policy tip and mail tips work?

EWS (Exchange Web Services) is the main component behind both policy tips and mail tips.
The GetServiceConfiguration operation in EWS is responsible for retrieving the configuration information for policy tips and mail tips. GetServiceConfiguration is an operation defined in the EWS WSDL (Web Services Description Language).

For policy tips, the GetServiceConfiguration operation returns the following:

Policy nudges – Policy nudges for display in your client.
PolicyNudgeRulesServiceConfiguration – Contains the policy tip configuration data.
PolicyNudgeRulesConfigurationType – Specifies the set of DLP rules and classification definitions that are sent to a client.
PolicyNudgeRulesType – Specifies a collection of DLP rules.
PolicyNudgeRuleType – Specifies a single DLP rule.

How Policy Tips functions in the background:

a) The sender composes a new message and addresses it to a recipient.
b) During message composition, the client submits a GetServiceConfiguration (Policy Nudges) request through Exchange Web Services. The request is submitted as a SOAP message over HTTPS.
c) Exchange Web Services receives the SOAP request, uses the information in it to authenticate the request, and then queries:
Active Directory – For the recipient. The Active Directory request is executed as an LDAP query.
Mailbox servers – To retrieve the DLP configuration and check the policy tip notification message configured for this DLP policy.
d) Active Directory and the mailbox servers return the results to Exchange Web Services.
e) Exchange Web Services returns the result to the client.
f) The client displays the policy tip to the user who is composing an email that does not meet the company compliance policy according to the configured DLP policy.

For policy tips to work in Outlook, the policy tip notification option shown below must be enabled on the client side:

https://exchangequery.files.wordpress.com/2016/06/p1.png?w=891

To enable policy tips for a DLP policy, select either the Enforce or the Test with policy tips option on the DLP policy you created, as in the example below:

https://exchangequery.files.wordpress.com/2016/06/p2.png?w=891

We can further customize the policy tip with the following options:

Notify Only – Shows an informative policy tip notification message about a policy violation, but the sender can still send the message.
Allow the sender to override – Block the message unless it’s a false positive; Block the message, but allow the sender to override and send.
Block the message – Your text only appears when a Block the message action is initiated.
Link to compliance URL – This link is displayed in the policy tip when a user clicks the More details link.

https://exchangequery.files.wordpress.com/2016/06/p3.png?w=891

 

The policy tip configuration can be viewed by running the following command:

Get-PolicyTipConfig | fl
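
The four customization options listed above can also be set from the Exchange Management Shell. The script below is an added example, not part of the original post: it creates or updates the custom policy tip text for one locale and then lists which DLP policies are in a mode that shows policy tips. The locale, the message texts and the compliance URL are constructed sample values, and the script assumes it is run in the Exchange Management Shell of the organization.

```powershell
# Added example. Assumes an Exchange Management Shell session.
# Locale, tip texts and URL are constructed placeholders; replace with your own.
$locale = 'en'

# Names follow the Locale\Action convention of New-PolicyTipConfig:
#   NotifyOnly     = "Notify Only"
#   RejectOverride = "Allow the sender to override"
#   Reject         = "Block the message"
#   Url            = "Link to compliance URL" (no locale prefix)
$tips = [ordered]@{
    "$locale\NotifyOnly"     = 'This message appears to contain sensitive information. Check the recipients before sending.'
    "$locale\RejectOverride" = 'This message is blocked by policy. Override with a business justification if it must be sent.'
    "$locale\Reject"         = 'This message is blocked because it contains sensitive information.'
    'Url'                    = 'https://intranet.example.com/compliance'
}

foreach ($name in $tips.Keys) {
    $existing = Get-PolicyTipConfig -Identity $name -ErrorAction SilentlyContinue
    if (-not $existing) {
        # No custom text yet for this action: create it
        New-PolicyTipConfig -Name $name -Value $tips[$name]
    }
    elseif ($existing.Value -ne $tips[$name]) {
        # Custom text exists but differs: update it in place
        Set-PolicyTipConfig -Identity $name -Value $tips[$name]
    }
}

# Review the resulting custom policy tip texts
Get-PolicyTipConfig | Sort-Object Identity | Format-Table Identity, Value -AutoSize

# A policy tip is only shown for an enabled DLP policy whose mode is
# Enforce or AuditAndNotify ("Test with policy tips"); Audit mode shows none.
Get-DlpPolicy |
    Select-Object Name, State, Mode,
        @{ Name = 'ShowsPolicyTips'
           Expression = { $_.State -eq 'Enabled' -and $_.Mode -in 'AuditAndNotify', 'Enforce' } } |
    Format-Table -AutoSize
```

Running the script a second time makes no changes, so it can be kept alongside the DLP policy definitions and re-run after the tip wording is revised.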


Note:

1. Policy Tips are available to people sending mail from Outlook 2013, Outlook Web App, or OWA for Devices.

2. Policy tips aren’t supported in Office 2010 or earlier versions of Office.