The Information Rights Management features in Microsoft Exchange Server provide valuable data security for Exchange shops, but it is difficult to implement for mobile users. The soon-to-be-released Windows Phone 7.1 update will support this feature.
Here’s how Information Rights Management
Using IRM for data security
The main benefit of IRM is that it lets companies bind security features to email messages. For example, IRM can prevent certain email messages from being forwarded or printed.
Although IRM is essential in companies that require high security levels, it is not widely used for mobile messaging. Only a few mobile devices support IRM together with ActiveSync, and in Exchange Server 2010 SP1 mobile IRM is currently supported only on Windows Mobile 6.1 and 6.5 devices.
The Exchange Server 2010 RTM required a Windows Mobile 6.0 or higher device for any user who wanted to access IRM-protected content on the go. When Microsoft released Exchange 2010 Service Pack 1 (SP1), it loosened the mobile-IRM requirements.
Now, rather than requiring Windows Mobile 6.x, Microsoft states that mobile devices must support Exchange ActiveSync protocol version 14.1. Unfortunately, Apple iPhone, BlackBerry and Google Android devices still do not support IRM-protected messages.
Interestingly enough, Microsoft’s latest mobile operating system -- Windows Phone 7 -- does not natively support IRM either. However, the upcoming Windows Phone 7.1 update -- code-named Mango -- will include IRM support.
Windows Phone 7.1 IRM requirements
Microsoft has yet to release the exact IRM requirements for support on Windows Phone 7.1, but it has confirmed that IRM will work with Exchange 2010 SP1. So, Exchange shops that want to take advantage of IRM should make sure that their client access servers are running Exchange 2010 SP1. It’s possible that older versions of Exchange will be supported eventually, but Microsoft has yet to provide any indication of that.
You must also have an Active Directory Rights Management Services (AD RMS) server in your organization. This requirement isn’t specific to mobile messaging, but rather to IRM in general.
Once you have the infrastructure components in place, you must enable IRM for internal messages. This is accomplished with the following Exchange Management Shell command:
Set-IRMConfiguration -InternalLicensingEnabled $True
This command will not work unless your Active Directory (AD) RMS server is functioning correctly. In Figure 1, you’ll see that I received an error when I tried to execute the command with my AD RMS server offline. Beneath the error, you can see that the command completed successfully after I brought the AD RMS server back online.
Figure 1. Your Active Directory RMS server must be online before enabling IRM.
After enabling IRM for internal messages, you must also enable IRM over ActiveSync for your Exchange ActiveSync mailbox policies. Although the majority of the ActiveSync mailbox policy controls are available through the Exchange Management Console (EMC), the IRM-related settings are only accessible through the Exchange Management Shell (EMS). To enable IRM over ActiveSync for a mailbox policy, use the following command:
Set-ActiveSyncMailboxPolicy -Identity "your policy name" -IRMEnabled $True
In Figure 2, you can see that I enabled IRM for the default Exchange ActiveSync mailbox policy.
Figure 2. You may need to enable IRM for your Exchange ActiveSync mailbox policies.
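The two commands above are the whole procedure, but in practice you want to verify the AD RMS dependency before running them (the error shown in Figure 1 is what you get otherwise), read the settings back afterwards, and cover every ActiveSync mailbox policy rather than only the default one. The following EMS script is an added example, not from the article or from Microsoft; it assumes an Exchange 2010 SP1 server, the Test-IRMConfiguration cmdlet that SP1 ships with, and a test sender address (administrator@contoso.com) that exists in your organization.

```powershell
# Added example: enable IRM for internal messages and for every Exchange
# ActiveSync mailbox policy, checking the AD RMS dependency first.
# Run from the Exchange Management Shell on an Exchange 2010 SP1 server.
# The sender address is an assumption; use any mailbox in your organization.
$testSender = 'administrator@contoso.com'

# 1. Confirm the AD RMS cluster is reachable. Set-IRMConfiguration fails
#    outright when the RMS server is offline, so stop here if the test fails.
$rmsCheck = Test-IRMConfiguration -Sender $testSender
if (($rmsCheck | Out-String) -match 'FAIL') {
    Write-Error "AD RMS is not reachable; fix the RMS server before enabling IRM.`n$($rmsCheck | Out-String)"
    return
}

# 2. Enable internal licensing (the article's first command) and read it back
#    rather than trusting that the cmdlet returned without an error.
Set-IRMConfiguration -InternalLicensingEnabled $true
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is still False; inspect the Set-IRMConfiguration output.'
}

# 3. Enable IRM over ActiveSync on each mailbox policy that does not have it yet.
#    IRMEnabled is exposed only in the EMS, not in the EMC.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    if ($_.IRMEnabled) {
        Write-Host "Policy '$($_.Name)': IRM already enabled"
    } else {
        Set-ActiveSyncMailboxPolicy -Identity $_.Identity -IRMEnabled $true
        Write-Host "Policy '$($_.Name)': IRM enabled"
    }
}

# 4. Report the final state so the change can be recorded with the change ticket.
Get-ActiveSyncMailboxPolicy | Select-Object Name, IRMEnabled | Format-Table -AutoSize
```

If you only want to change the default policy, replace the pipeline in step 3 with the single Set-ActiveSyncMailboxPolicy call from the article. Both Set- cmdlets accept -WhatIf, which is a cheap way to confirm the script resolves the right objects before it changes anything.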
IRM device support
As I mentioned earlier, Windows Mobile 6.x devices are the only device types that support IRM. If your desktops have Windows 7 or Windows Vista, you can establish a partnership between your phone and your computer because both operating systems already have the necessary IRM client software. For computers running Windows XP, you must download the Windows RMS Client Service Pack (SP1).
Prior to Exchange 2010 SP1, admins were required to connect mobile devices to the Windows Mobile Device Center (or the Microsoft ActiveSync client application on Windows XP systems) and then activate them for IRM. Windows Mobile 6.x devices are still provisioned in this way. However, this step is not required for Windows Phone 7.1 (Mango).
Windows Phone 7.1 devices can be provisioned for IRM without establishing a partnership with a PC. Windows Mobile 6.x devices can also sync without a PC partnership, but they still need one to be activated for IRM. Windows Phone 7.1 devices, by contrast, should automatically support IRM-protected content as long as the necessary back-end infrastructure is in place.
ABOUT THE AUTHOR:
Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
This was first published in September 2011