Windows Mobile Considerations for AD RMS
Applies To: Windows Server 2008, Windows Server 2008 R2
Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile® in Windows Mobile 6 and later devices. End users can create and consume protected e-mail messages and can read protected Microsoft Office documents on their Windows Mobile device.
The following list describes the requirements for Microsoft Windows Mobile® and AD RMS integration. If these requirements are not met in your organization AD RMS functionality will not work on Windows Mobile devices:
An AD RMS cluster located in the same forest as the accounts of the users who will use AD RMS on their Microsoft Windows Mobile® device.
A domain-joined computer that is running Windows® 7, Windows Vista®, or Windows XP. The domain-joined computer must be able to access the AD RMS cluster, and must be able to connect to the Microsoft Windows Mobile® device. The mobile device is configured to work with the AD RMS cluster from the domain-joined computer.
Important If the domain-joined computer is running Windows XP, the Microsoft Windows Rights Management Services Client Service Pack 2 must be downloaded from http://go.microsoft.com/fwlink/?LinkId=76880 and installed before AD RMS can be enabled on the mobile device.
A Windows Mobile 6 or later device. Both Standard and Professional editions of Windows Mobile 6or later can use AD RMS.
A sync client installed on the domain-joined computer. For clients that are running Windows XP use Active Sync 4.5 (http://go.microsoft.com/fwlink/?LinkId=185270). For clients that are running Windows 7 or Windows Vista use Windows Mobile Device Center 6.1 (http://go.microsoft.com/fwlink/?LinkId=185624).
Recommended: Many mobile services use advanced Active Directory Domain Services (AD DS) functionality that is available only if all AD DS domain controllers are running Windows Server 2008 or Windows Server 2003. If you are using any mobile services, we recommend that all domain controllers be running Windows Server 2003 or later and that both the domain and forest functional levels be at least at Windows Server 2003.
AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later.
By default the Discretionary access control lists (DACLs) of the AD RMS mobile certification pipeline is restricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates and licenses to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read & Execute permissions to the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster.
Users can create and consume protected e-mail messages using their Windows Mobile 6 or later device. While users can consume e-mails protected by rights policy templates, Microsoft Windows Mobile® does not support protecting e-mails with rights policy templates. The only protection policy available when you create a protected e-mail message is “Do Not Forward.”
Microsoft Windows Mobile® users can consume protected Microsoft Word, Microsoft Excel, and Microsoft PowerPoint documents using Microsoft Office Mobile. However, users cannot protect Microsoft Office documents by using a Microsoft Windows Mobile® device. Some versions of Microsoft Office Mobile may require the Microsoft Office Mobile 6.1 Upgrade to support 2007 Microsoft Office system file formats. This upgrade is available for download on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=185627). Microsoft Windows Mobile® does not currently support XML Paper Specification (XPS) or Microsoft Office InfoPath 2007.
Windows Mobile clients cannot authenticate through Active Directory Federation Services (AD FS). Therefore, to be able to use AD RMS with Microsoft Windows Mobile® mobile users must reside in the same forest as an AD RMS server.
The AD RMS Prelicensing Agent is a feature introduced in Microsoft® Exchange Server 2007 Service Pack 1 and later versions. It allows the Exchange Server to call the AD RMS server directly on behalf of the user and fetch an end-use license to consume e-mail messages, instead of forcing the end user to do it when the content is first opened. By enabling AD RMS Prelicensing in Exchange, protected documents and e-mail messages are ready to be opened without any additional steps.
When the AD RMS Prelicensing Agent is enabled, end users who access e-mail through their Microsoft Windows Mobile® device can take advantage of this feature.
For more information about the AD RMS Prelicensing Agent see Managing the AD RMS Prelicensing Agent (http://go.microsoft.com/fwlink/?LinkId=185628).