Understanding Information Rights Management in Exchange ActiveSync


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Information workers often use e-mail to exchange sensitive information. To help secure this information, organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content. Because mobile devices are increasingly being used to access e-mail, it's important that your mobile device users be able to create and consume IRM-protected content.

Contents

Differences Between Mobile IRM Protection in Exchange 2010 RTM and Exchange 2010 SP1

Requirements

Security

Enabling IRM in Exchange ActiveSync

Looking for management tasks related to IRM? See Managing Information Rights Management.

Differences Between Mobile IRM Protection in Exchange 2010 RTM and Exchange 2010 SP1

To enable IRM protection for mobile devices in the release to manufacturing (RTM) version of Microsoft Exchange Server 2010, the following requirements must be met:

  • The mobile devices must be running Windows Mobile 6.0 or later.

  • The Active Directory Rights Management Services (AD RMS) administrator must allow Read permissions and Read and Execute permissions on the mobile certification pipeline (using the MobileDeviceCertification.asmx file in the Inetpub\wwwroot\_wmcs\Certification folder on the AD RMS server). For more information, see Enable Certification of Mobile Devices.

  • Users must connect the device to a computer and activate it for IRM using one of the following methods:

    • Using the Windows Mobile Device Center on computers running the Windows 7 or Windows Vista operating systems

    • Using the Microsoft ActiveSync client application on computers running the Windows XP operating system

In Exchange 2010 Service Pack 1 (SP1), IRM in Microsoft Exchange ActiveSync allows your users to access rich IRM functionality on any supported Exchange ActiveSync device without having to configure AD RMS permissions or connect the device to a computer and activate it for IRM. Also, the mobile device doesn't need to be running Windows. Exchange ActiveSync is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and others. For a list of current Exchange ActiveSync licensees, see Exchange ActiveSync Protocol.

Using IRM in Exchange ActiveSync, mobile device users can:

  • Create IRM-protected messages.

  • Read IRM-protected messages.

  • Reply to and forward IRM-protected messages.


Requirements

The following requirements apply:

  • The Client Access servers in your organization must be running Exchange 2010 SP1.

  • An AD RMS server must be deployed in your organization.

  • IRM must be enabled for internal messages. This is a prerequisite for all IRM features in Exchange 2010. For details, see Enable or Disable IRM for Internal Messages.

  • IRM must be enabled in the Exchange ActiveSync mailbox policy. You can enable or disable IRM for different sets of users using different Exchange ActiveSync mailbox policies.

  • Devices that support Exchange ActiveSync protocol version 14.1, including Windows phones, can support IRM in Exchange ActiveSync. The device's mobile e-mail application must support the RightsManagementInformation tag defined in Exchange ActiveSync version 14.1.


Security

When you enable IRM in Exchange ActiveSync, the Client Access server decrypts IRM-protected messages before providing the messages for access by the supported mobile device. Upon synchronization, IRM-protected messages reside on the mobile device in an unencrypted format. IRM protection is enforced by the IRM-capable e-mail client application on the mobile device.

IRM in Exchange ActiveSync doesn't decrypt IRM-protected attachments on the Client Access server. Access to IRM-protected files is enforced by the application used to create or view the file. For example, on a Windows phone, IRM protection for Microsoft Office files is enforced by Microsoft Office Mobile. To access IRM-protected Office files, users must connect the device to a computer and activate Office Mobile with the RMS server.

When enabling IRM in Exchange ActiveSync, we recommend using the Exchange ActiveSync policy settings shown in the following table to help secure mobile devices.

Exchange ActiveSync policy settings

Each setting below is listed with how to configure it using the New Exchange ActiveSync Mailbox Policy wizard and how to configure it using the New-ActiveSyncMailboxPolicy cmdlet.

  • Require that the user enter a password to access information on their mobile device.

    • Wizard: Select the Require password check box.

    • Cmdlet: Set the DevicePasswordEnabled parameter to $true.

  • Enable encryption for the mobile device.

    • Wizard: Select the Require password check box, and then select the Require encryption on device check box.

    • Cmdlet: Set the RequireDeviceEncryption parameter to $true.

      Important: When you set the RequireDeviceEncryption parameter to $true, mobile devices that don't support device encryption will be unable to connect.

  • Don't allow non-provisionable mobile devices to synchronize with the Exchange server.

    • Wizard: Clear the Allow non-provisionable devices check box.

    • Cmdlet: Set the AllowNonProvisionableDevices parameter to $false.

To learn more, see Understanding Exchange ActiveSync Mailbox Policies.
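The following Exchange Management Shell script is an added example, not code from the original article or from Microsoft: it audits existing Exchange ActiveSync mailbox policies for the three settings in the table and then creates a policy that applies them. The policy names (IRM-Weak, IRM-Hardened), the mailbox alias alice, and the use of the SP1 IRMEnabled policy parameter are assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell
# on an Exchange 2010 SP1 server. Assumed: policy names 'IRM-Weak'/'IRM-Hardened',
# mailbox alias 'alice', and the SP1 IRMEnabled parameter on the mailbox policy.

# 1. Audit: list policies where IRM is enabled but one of the recommended device
#    protections is missing. The Client Access server hands IRM-protected messages
#    to the device already decrypted, so such a policy lets protected mail sit on
#    a device that has no PIN, no storage encryption, or cannot enforce policy.
function Get-WeakIrmPolicy {
    Get-ActiveSyncMailboxPolicy | ForEach-Object {
        $gaps = @()
        if (-not $_.DevicePasswordEnabled)   { $gaps += 'DevicePasswordEnabled=$false' }
        if (-not $_.RequireDeviceEncryption) { $gaps += 'RequireDeviceEncryption=$false' }
        if ($_.AllowNonProvisionableDevices) { $gaps += 'AllowNonProvisionableDevices=$true' }
        if ($_.IRMEnabled -and $gaps.Count -gt 0) {
            # New-Object is used instead of [pscustomobject] because Exchange 2010
            # ships with Windows PowerShell 2.0.
            New-Object PSObject -Property @{ Policy = $_.Name; Gaps = ($gaps -join ', ') }
        }
    }
}

Get-WeakIrmPolicy | Format-Table -AutoSize

# 2. Weak configuration, shown for contrast only: IRM on, device protections off.
#    New-ActiveSyncMailboxPolicy -Name 'IRM-Weak' -IRMEnabled $true `
#        -DevicePasswordEnabled $false -RequireDeviceEncryption $false `
#        -AllowNonProvisionableDevices $true

# 3. Hardened policy: the three table rows plus IRM enabled.
#    RequireDeviceEncryption $true blocks devices that cannot encrypt their storage.
$policy = New-ActiveSyncMailboxPolicy -Name 'IRM-Hardened' `
    -IRMEnabled $true `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 4. Assign the policy to a mailbox and confirm the audit reports no gaps for it.
Set-CASMailbox -Identity 'alice' -ActiveSyncMailboxPolicy $policy.Identity
Get-WeakIrmPolicy | Where-Object { $_.Policy -eq 'IRM-Hardened' }   # expect no output
```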


Enabling IRM in Exchange ActiveSync

To enable IRM in Exchange ActiveSync, perform the following tasks:

  1. Add the Federation mailbox (a system mailbox created by Exchange 2010 Setup) to the super users group in AD RMS. This allows Exchange 2010 servers to access IRM-protected messages. For details, see Add the Federation Mailbox to the AD RMS Super Users Group.

  2. Use the Set-IRMConfiguration cmdlet in the Exchange Management Shell to enable IRM on the Client Access server. This enables IRM in Exchange ActiveSync and IRM in Microsoft Office Outlook Web App for your organization. For details, see Enable or Disable Information Rights Management on Client Access Servers.
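The following script is an added example, not from the original article or from Microsoft: it carries out step 2 in the Exchange Management Shell, first checking the internal-messages prerequisite from the Requirements section, then enabling IRM on the Client Access servers and verifying that Exchange can obtain licenses from AD RMS. It assumes step 1 has already been completed in the AD RMS console; the sender address alice@contoso.com is a placeholder.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumes an AD RMS cluster is reachable and that the Federation mailbox has already
# been added to the AD RMS super users group (step 1). 'alice@contoso.com' is a
# placeholder sender address for the verification test.

# Reports the two IRM switches this procedure depends on.
function Get-IrmReadiness {
    $cfg = Get-IRMConfiguration
    New-Object PSObject -Property @{
        InternalLicensingEnabled  = $cfg.InternalLicensingEnabled   # prerequisite for all IRM features
        ClientAccessServerEnabled = $cfg.ClientAccessServerEnabled  # IRM in Exchange ActiveSync and Outlook Web App
    }
}

# Prerequisite: IRM for internal messages must be on, or enabling the
# Client Access side has no effect for Exchange ActiveSync users.
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# Step 2: enable IRM on the Client Access servers (organization-wide setting).
Set-IRMConfiguration -ClientAccessServerEnabled $true

# Verify the switches took effect, then check end to end that Exchange can
# reach the AD RMS server and acquire licenses on behalf of a mailbox.
Get-IrmReadiness | Format-List
Test-IRMConfiguration -Sender 'alice@contoso.com'

# To turn IRM off for Exchange ActiveSync and Outlook Web App only, leaving
# IRM for internal messages in place:
#   Set-IRMConfiguration -ClientAccessServerEnabled $false
```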


 © 2010 Microsoft Corporation. All rights reserved.