Thursday, December 22, 2016

AIP Custom Condition (Regular Expression) Tips

Today I will share my experience of configuring regular expressions for automatic or recommended classification. The configuration in the Azure Portal is quite straightforward. If you wish to know how to configure it, Microsoft has documented it well. Refer to https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-classification

This is what the configuration looks like:

[Screenshot: condition configuration in the Azure Portal]

Okay, back to the custom condition: it supports Word, Phrase, and Regular Expression. Talking about regular expressions, there are a lot of regular expression testers out there. I personally like this one: http://regexr.com/.

Taking (#[A-Z][A-Z&][A-Z][0-9][0-9][0-9][0][2]#) as an example, after I build the regular expression, I can test it out at the bottom, and the text will be highlighted in blue if it matches the regular expression. It is so easy and convenient. Once you are satisfied, copy the regular expression and paste it into the Azure Portal. Enjoy!!
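The same check can be scripted so the pattern is tested against both strings that should classify and near-misses that should not, before it goes into the policy. This is an added example, not code from the original post: the helper names and every sample string are constructed here, and it runs on the Node.js regex engine, so treat it as a pre-check since the AIP matcher may behave differently.

```javascript
// Added example (not from the original post). Pattern copied from the post;
// every sample string below is constructed for illustration.
const PATTERN = "(#[A-Z][A-Z&][A-Z][0-9][0-9][0-9][0][2]#)";

// Return every substring of `text` matched by `pattern` (hypothetical helper).
function findMatches(pattern, text) {
  const re = new RegExp(pattern, "g");
  return Array.from(text.matchAll(re), (m) => m[0]);
}

// Run a labelled corpus; return the samples whose matches differ from `expect`.
function evaluate(pattern, corpus) {
  return corpus
    .map(({ text, expect }) => ({ text, expect, got: findMatches(pattern, text) }))
    .filter((r) => JSON.stringify(r.got) !== JSON.stringify(r.expect));
}

const CORPUS = [
  // Should classify
  { text: "Ref #ABC12302# attached", expect: ["#ABC12302#"] },
  { text: "See #A&C99902# and #XYZ00002#", expect: ["#A&C99902#", "#XYZ00002#"] },
  // The pattern is not anchored, so it also fires inside longer tokens
  { text: "##ABC12302##", expect: ["#ABC12302#"] },
  { text: "id#ABC12302#x", expect: ["#ABC12302#"] },
  // Near-misses that should NOT classify
  { text: "#abc12302#", expect: [] }, // lowercase letters
  { text: "#ABC12303#", expect: [] }, // [0][2] means the literal suffix "02"
  { text: "#&BC12302#", expect: [] }, // "&" is only allowed in the second position
  { text: "#ABC1232#", expect: [] },  // one digit short
  { text: "ABC12302", expect: [] },   // missing "#" delimiters
];

const failures = evaluate(PATTERN, CORPUS);
for (const f of failures) console.log("MISMATCH", JSON.stringify(f));
console.log(`${CORPUS.length - failures.length}/${CORPUS.length} samples behaved as expected`);
```

Any line printed as MISMATCH is either a false positive (over-classification) or a false negative (a document that would go unlabelled).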

Tuesday, December 13, 2016

Azure AIP/RMS: SharePoint Permission vs IRM Permission Mapping

Mr. Customer asked me how SharePoint Permissions map to IRM Permissions. Will the IRM Permission take over or replace the SharePoint Permission granted to the user?

This article actually answers the questions above: https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1 However, there is a little doubt here. Do we need all the Permissions configured on the left in order to map the IRM Permissions?

For example: to map the Full Control IRM Permission, do we need both Manage Permissions and Manage Web Site in SharePoint Permission? Or do we need only one of the SharePoint Permissions?

To answer the little doubt above, I ran a few rounds of tests in my environment. The answer is any one of the SharePoint Permissions. You need either Manage Permissions OR Manage Web Site in SharePoint Permission to map the Full Control IRM Permission.

Another example: if the Edit Items SharePoint Permission is assigned to the user, he/she will have the Edit, Copy, and Save IRM Permissions. It does not require all 3 SharePoint Permissions (Edit Items, Manage Lists, Add and Customize Pages) to be assigned in order to map the Edit, Copy, and Save IRM Permissions!! Any one will do….

I did some further testing by enabling “Allow viewers to write on a copy of the downloaded document”. This setting allows the user to download and edit the downloaded/offline copy. This setting OVERRIDES the restriction for those with the View Items SharePoint Permission OR the Read IRM Permission, letting them edit the downloaded/offline copy.

My two cents: the View Items SharePoint Permission OR the Read IRM Permission is meant to control the documents so that the user can view only (cannot edit, modify, copy, save, etc.). Enabling “Allow viewers to write on a copy of the downloaded document” simply defeats the purpose of trying to control the documents. Enable this setting wisely.

So long, and thanks for reading!

Wednesday, December 7, 2016

Past due – Will be installed

Today I helped a new customer deploy the Microsoft RMS Sharing App and Azure Information Protection Client to a couple of pilot computers. The deployment is set as Required, as soon as possible, and installation can be performed outside the maintenance window.

Both applications were downloaded to the ccmcache, and ContentTransferManager.log and DataTransferService.log showed the download had completed. However, Software Center showed the status as Past due – Will be installed.

So I did an additional check on the computer's client status: it is Approved, No Block, Not Obsolete, Active, Receiving Policy, and so on. I even restarted the targeted computer.

With luck, I found the answer in a TechNet forum: it is a setting in Computer Agent, “Additional software manages the deployment of applications and software updates”.

The setting was set to Yes, whereas the default setting is No. According to Microsoft: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-settings

“If you select this option when neither of these conditions apply, software updates and required applications will not install on clients.”

I asked them to change the setting back to the default, No, and then ran the Machine Policy Retrieval & Evaluation Cycle and the Application Deployment Evaluation Cycle on the targeted computer. Both applications were installed automatically as expected. Enjoy!!

Credits to st.kristobal, https://social.technet.microsoft.com/Forums/en-US/60f9f20f-3603-4d57-b4c0-13bb3e77a734/past-due-will-be-installed?forum=configmanagerapps