Information Rights Management in Exchange ActiveSync

Applies to: Exchange Server 2013

Information workers often use e-mail to exchange sensitive information. To help secure this information, organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content. Because mobile devices are increasingly being used to access e-mail, it's important that your mobile device users be able to create and consume IRM-protected content.

Mobile IRM protection in Exchange 2013

In Exchange 2013, IRM in Microsoft Exchange ActiveSync allows your users to access rich IRM functionality on any supported Exchange ActiveSync device without having to configure AD RMS permissions or connect the device to a computer and activate it for IRM. Also, the mobile device doesn't need to be running Windows. Exchange ActiveSync is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and others. For a list of current Exchange ActiveSync licensees, expand the "Exchange ActiveSync Protocol" section on the Microsoft Technology Licensing page.

Using IRM in Exchange ActiveSync, mobile device users can:

  • Create IRM-protected messages.
  • Read IRM-protected messages.
  • Reply to and forward IRM-protected messages.

Requirements

The following requirements apply:

  • The Client Access servers in your organization must be running Exchange 2010 SP1 or later.

  • An AD RMS server must be deployed in your organization.

  • IRM must be enabled for internal messages. This is a prerequisite for all IRM features in Exchange 2010. For details, see Enable or Disable IRM for Internal Messages.

  • IRM must be enabled in the Exchange ActiveSync mailbox policy. You can enable or disable IRM for different sets of users using different Exchange ActiveSync mailbox policies.

  • Devices that support Exchange ActiveSync protocol version 14.1 can support IRM in Exchange ActiveSync. The device's mobile e-mail application must support the RightsManagementInformation tag defined in Exchange ActiveSync version 14.1.

Security

When you enable IRM in Exchange ActiveSync, the Client Access server decrypts IRM-protected messages before providing the messages for access by the supported mobile device. Upon synchronization, IRM-protected messages reside on the mobile device in an unencrypted format. IRM protection is enforced by the IRM-capable e-mail client application on the mobile device.

IRM in Exchange ActiveSync doesn't decrypt IRM-protected attachments on the Client Access server. Access to IRM-protected files is enforced by the application used to create or view the file. To access IRM-protected Office files, users must connect the device to a computer and activate Office Mobile with the RMS server.

When enabling IRM in Exchange ActiveSync, we recommend using the Exchange ActiveSync policy settings shown in the following table to help secure mobile devices.

Exchange ActiveSync policy settings

Setting: Require that the user enter a password to access information on their mobile device.
  New Exchange ActiveSync Mailbox Policy wizard: Select the Require password check box.
  New-ActiveSyncMailboxPolicy cmdlet: Set the DevicePasswordEnabled parameter to $true.

Setting: Enable encryption for the mobile device.
  New Exchange ActiveSync Mailbox Policy wizard: Select the Require password check box, and then select the Require encryption on device check box.
  New-ActiveSyncMailboxPolicy cmdlet: Set the RequireDeviceEncryption parameter to $true.
  Important: When you set the RequireDeviceEncryption parameter to $true, mobile devices that don't support device encryption will be unable to connect.

Setting: Don't allow non-provisionable mobile devices to synchronize with the Exchange server.
  New Exchange ActiveSync Mailbox Policy wizard: Clear the Allow non-provisionable devices check box.
  New-ActiveSyncMailboxPolicy cmdlet: Set the AllowNonProvisionableDevices parameter to $false.

To learn more, see Mobile device mailbox policies.

Enabling IRM in Exchange ActiveSync

To enable IRM in Exchange ActiveSync, perform the following tasks:

  1. Add the Federation mailbox (a system mailbox created by Exchange 2013 and Exchange 2010 Setup) to the super users group in AD RMS. This allows Exchange 2013 and Exchange 2010 servers to access IRM-protected messages. For details, see Add the Federation Mailbox to the AD RMS Super Users Group.

  2. Use the Set-IRMConfiguration cmdlet in the Exchange Management Shell to enable IRM on the Client Access server. This enables IRM in Exchange ActiveSync and IRM in Microsoft Office Outlook Web App for your organization. For details, see Enable or Disable Information Rights Management on Client Access Servers.
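The following Exchange Management Shell session is an added example, not part of the original article, that carries out step 2 above and then creates a mailbox policy with the recommended settings from the policy table. The policy name and the mailbox alias are placeholders; the parameters ClientAccessServerEnabled, InternalLicensingEnabled and IRMEnabled, and the Set-CASMailbox assignment, are taken from the cmdlet reference as I recall it and are not named on this page.

```powershell
# Added example (not from the original article). Assumes an Exchange Management
# Shell session with rights to change IRM configuration and mailbox policies.
# Step 1 of the procedure (adding the Federation mailbox to the AD RMS super
# users group) is done in the AD RMS console and is not shown here.

# Step 2: enable IRM on the Client Access servers (assumed parameter name).
Set-IRMConfiguration -ClientAccessServerEnabled $true

# Prerequisite check: IRM for internal messages must already be on, otherwise
# IRM in Exchange ActiveSync will not function (assumed property name).
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    Write-Warning "InternalLicensingEnabled is false; enable IRM for internal messages first."
}

# Create a policy that enables IRM together with the recommended device
# settings from the table: password required, device encryption required,
# non-provisionable devices blocked. "IRM-Mobile" is a placeholder name.
New-ActiveSyncMailboxPolicy -Name "IRM-Mobile" `
    -IRMEnabled $true `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (placeholder alias).
Set-CASMailbox -Identity "user.placeholder" -ActiveSyncMailboxPolicy "IRM-Mobile"

# Verify the effective settings before rolling the policy out more widely.
Get-ActiveSyncMailboxPolicy -Identity "IRM-Mobile" |
    Format-List Name, IRMEnabled, DevicePasswordEnabled,
                RequireDeviceEncryption, AllowNonProvisionableDevices
```

Because RequireDeviceEncryption $true blocks devices that cannot encrypt, apply the policy to a pilot group first and check which devices stop synchronizing.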