Microsoft Rights Management (RMS) Team Blog

The official team blog of Microsoft's Rights Management product team with news and updates for IT professionals using AD RMS or Azure RMS.

The NEW Microsoft RMS is live, in preview!

The NEW Microsoft RMS is live, in preview!

  • Comments 22
  • Likes

[Please see this post -- we've shipped!]

 

 

Hi folks,

We made it! Today we’re sharing with you a public preview of the massively updated rights management offering.  Let's jump right in...

The new Microsoft

RMS enables organizations to share sensitive documents within their organization or to other organizations with unprecedented ease. These documents can be of any type, and you can consume them on any device. Given the protection scheme is very robust, the file can even be openly shared… even on consumer services like SkyDrive™/DropBox™/GDrive™.

Today we’re announcing the preview of SDKs, Apps, and Services, and we’re giving details on how you can explore each of them. If you’d like some background on Microsoft Rights Management, check out this TechEd Talk. I’ll also strongly recommend you read the new RMS whitepaper for added details.
 

Promises of the new Microsoft Rights Management services

    Users:

  • I can protect any file type
  • I can consume protected files on devices important to me
  • I can share with anyone
    • Initially, I can share with any business user; they can sign up for free RMS
    • I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)
    • I can sign up for a free RMS capability if my company has yet to deploy RMS

    ITPro:

  • I can keep my data on-premise if I don’t yet want to move to the cloud
  • I am aware of how my protected data is used (near realtime logging)
  • I can control my RMS ‘tenant key’ from on-premise
  • I can rely on Microsoft in collaboration with its partners for complete solutions

These promises combine to create two very powerful scenarios:

  1. Users can protect any file type. Then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.
  2. ITPros have the flexibility in their choice of storage locale for their data and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premise, placed in an business cloud data store such as SharePoint, or it can placed pretty much anywhere and remain safe (e.g. thumb drive, personal consumer-grade cloud drives).

 The RMS whitepaper offers plenty of added detail.

 

User experience of sharing a document

Here’s a quick fly-by thru one (of the many) end to end user experiences. We’ve chosen the very common ‘Sensitive Word document’ scenario. While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application):

 

You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

 

When you are done with addressing and selecting permissions, you invoke SEND. An email will be created that is ready to be sent but we let you edit it first:

 

The recipient of this email can simply open the document.

If you’re a hands-on learner, just send us an email using this link and we’ll invite
you to consume a protected document the same way partner of yours would.

 If the user does not have access to RMS, they can sign up for free (Yes, free). In this flow the user will simply provide the email address they use in their day to day business (Yes, we don’t make you create a parallel free ID to consume sensitive work documents). We’ll ask the user to verify possession via a challenge/response, and then give them access to both consume and produce RMS protected content (yes, they can not only consume but also share their own sensitive documents for free).

 

 

The user can consume the content. Here we’ll show you how that looks like on an iPhone. In this case they got an email with a protected image (PJPG). They open it and are greeted with a login prompt so we can verify their right to view the protected image. Once verified, the user is granted access to see the image and to review the rights offered to them (click on the info bar):

  

 

We hope you'll agree that the above is exciting stuff! With this covered, let’s jump into the specifics of what we’re releasing today…

 

Foundational Developer SDKs

Today we are offering you 5 SDKs in RELEASE form. Those SDKs target Windows for PCs, Windows Store Apps, Windows for Phone 8, iOS, and Android.

The Mac OS X SDK is available in PREVIEW form on CONNECT and will be released in October.  We’re intentionally holding back on the RESTful APIs documentation until we’re further along with application development. If you are a web site developer or printer/scanner manufacturer wanting to build against them, let us know and we can discuss options.  

It’s worth noting the Windows SDK offers a powerful FILE API that is targeted at solution providers and IT Pros. This SDK has already been released. It will let you protect any file via PowerShell script as well. E.g. Using the FileAPI and PowerShell you can protect a PDF without any additional software.

 

The RMS sharing application

Today we’re releasing the RMS sharing application for Windows.  

You can get the application and sign up for free RMS here.

While built, the mobile apps are not yet in their respective App Stores. Once approved we’ll have an RMS sharing application for: Windows PC, Windows store app, Windows Phone 8, iOS, Android and Mac OS X. If you can’t wait, your Microsoft field contact will know where to get these preview applications and can give you a live demo.

As a treat – we’ve not blogged about this before and it’s not in the whitepaper – here is some new scoop: The mobile applications enables consumption of RMS protected content as well as enables the user to create protected images from the camera or on-device camera roll. We call this the ‘Secure whiteboard’ feature: take a photo of the meeting room whiteboard and share it with all attendees, securely. This said, we recognize it can serve many other creative uses.

 

The Azure RMS Service

The above offers are bound to the Azure RMS service. This service has been in worldwide production since late 2012 as it powers the Office 365 integrated RMS features. We’ve added support for the new mobile SDKs and RESTful endpoints but overall, that servive has been up and running in 6 geographies worldwide (2x EU, 2x APAC, 2x US) and is fully fault tolerant (Active-Active for the SaaS geeks amongst you).

Today we’re also offering a preview of the BYOK – Bring Your Own Key – capability discussed in the whitepaper. This ensures that your RMS tenant key is treated with utmost care within a Thales hardware security module. This capability prevents export of the key even with a quorum of administrator cards! This same preview offer also enables near-realtime logging of all activities related to RMS and key usage.

 

The bridge to on premise

Today we’re also announcing the RMS Connector. This connector enables you to have your Exchange on premise and SharePoint on premise servers make use of all the above. It’s a simple relay that connects the two. The role is easy to configure and lightweight to run.   

To join this preview, follow this link.

The RMS for Individuals offer

As called out above, not everyone will have RMS in their company so we’re announcing today that we’ll offer RMS for free to individuals within organizations. This offer is hosted as http://portal.aadrm.com and, within the few temporary constraints of the preview phase, let you get RMS for free.  If you share with others, they can simply sign up. If you are the first one to the party, you can simply sign up. No strings attached.

  

Wrapping up, we hope you’ll agree that we did pretty well at solving a long standing issue. We’ve done so in a way that can also be used within your organization and that honors the critical needs of your IT staff. We’re offering you immediate access to evaluate all the relevant parts: SDKs, Apps, Azure service, connectors, and the self-sign up portal. For each, I’ve given shared with you links to help you get started. 

 In coming posts I’ll cover:

  • An Authoritative Evaluation Guide. We’ll answer to the common ask of “Is there a straight up, no-nonsense write up of what it means to get RMS going?”.
  • A Guided Tour of the Mobile Device applications. Since we’re on hold for the App Store approvals process, we’ll share with you what we have.
  • A Guided Tour of the Windows application. You can download this application today, but we’ll still take the time to explore the nooks and crannies of this little gem.
  • As an AD RMS user, what are my options? All of the above was bound to the Azure RMS server instance. Some of you are using Azure AD and want to better understand your options for migration and/or co-existence. We cover some of this in the whitepaper but we’ll also dive deep into this more complex topic.

 

We'd love to hear from you below or, more privately on mailto:AskIPTeam@microsoft.com?subject=Blog%20Feedback.

 

Cheers,
      Dan Plastina on behalf of the Microsoft RMS team

 

Comments
  • On Premises its called

  • You stated that there are "5 SDKs in RELEASE form", including Windows for PCs.  However, the Windows Desktop SDK download is not available on the linked page.  Will that be available soon?

  • Will the on premise AD RMS be able to leverage those SDKs/RMS applications in the near future?

  • Do you trust this service as Microsoft is one of the biggest PRISM client?

  • @Jesper -- I think you may have hit POST too soon. Can you repost?

    @Rob -- the Windows SDK is the MSDRM v2 SDK (aka MSIPC).

    @Joe -- there is not plan at this time for the reasons cited in the whitepaper: "For a variety of reasons, we strongly favor the use of the Azure-hosted Rights Management offering over the existing AD RMS offering. They are: frictionless B2B collaboration, rich mobile device offers, far faster agility in adding new capabilities, support for Ad-hoc RMS user accounts for the recipients of your sensitive documents, and easy of deployment"

    @ Tanto -- Quite sensational but may I suggest factually incorrect. I'd suggest you take a peek at this post. blogs.technet.com/.../responding-to-government-legal-demands-for-customer-data.aspx

  • @Rob - See this: blogs.msdn.com/.../microsoft-rights-management-ready-for-your-real-world-apps.aspx

  • Jesper is right - there is no such thing as "on-premise"; the phrase is "on-premises".

    A premise is a statement assumed to be true from which a conclusion can be drawn.  If you look up the word in the dictionary it doesn't have a secondary definition of "on site".

    The correct phrase to use is on-premises.  The singular of "premises" just happens to be the exact same word "premises".  It's like "one sheep two sheep", except the word happens to end in an "s" which confuses people into thinking that its plural form can be singularised by dropping the "s".

    The number of times that the phrase "on-premise" has been creeping into MSDN blogs and documentation lately is truly shocking!

  • Enhancing the old RMS service has been a long time waiting. However, I am curious how enterprises will be able to define and manare the RMS Super User functionality which allows access to a user's encrpyted data during times of investigations and e-Discovery legal requirements. On-premise solutoin allows this to be defined and managed. We can also defined who is permitted to encrypt data with RMS solution. Will there be recommendations avaliable for enterprises as to methods to prevent domain users from utilizing this service?

    Thanks,

    BB

  • Hi Bobby,

    Yes, post-preview (in a couple of weeks) we're integrating some added IT controls specifically for the reasons you cite. e.g.: A tenant admin can block the ad-hoc accounts. They can 'scoop up' these ad-hoc accounts into a sanctioned tenant where the IT Pro does have access to the RMS tenant key. The whitepaper touches on some of these points.

  • Will there be support with Azure RMS to use the bulk protection tool and FCI if an organization decides to leave its file shares on the local network instead of pushing out to SharePoint Online?  Looking through the documentation it mentions that you have to authorize servers/service accounts to use the connector. Would you authorize the file servers and allow them to use the connector?

    Thanks,

    Kyle

  • @ tanto, the new Azure Microsoft Rights Management Service supports what we call BYOK (Bring your own Key), which means that if you are a cloud hesitant Customer affraid of all the FUD around NSA you can opt for a solution with an on-premises Hardware Security Module (HSM) which will keep your own tenant Key secure.

    For this scenario Microsoft will have an HSM on their own datacenters, locked and certified by 3rd-party auditors, the way you transport your tenant key to there can only be done by the Customer (you will have to fly to there) or by the well know Thales.that can provide a secure transport of your key (leading company on this). You will have an on-premises conector with the tenant key protect by HSM and the communication is processed to the Azure RM which also has your tenant key protect by an HSM where no one can access.

    Microsoft will never have access to your tenant key, do bear in mind that this bring you the responsability to take care of your tenant key, if you destroy or lose your tenant key Microsoft is uncapable to recover or access it and you may have an issue to access your Protected data.

  • @CyberSec - is it possible to use our own key management for the new RMS purposes?. We have  highly protected HSMs and a appropriate key management lifecycles and want to use them for Rights Management.

  • What is the Status of Azure RMS and the Max OS ?

  • If the document's access rights has been set to be seen only by 4 people (Viewer permission) in the organisation and the owner left (resigned) the organisation, does that mean the document can never be editable any more? Does that mean we'll be stuck with that non-editable document? Is there a "key" that can over-write the owner's (who had left) rights?

  • @Dean: Even if the document owner left the organization, Super Users (technet.microsoft.com/.../ee849845(v=WS.10).aspx) will still have full rights to the document.

    The organization can choose to restrict Super Users group to a very small subset of people/email id

    Thanks,

    Gagan

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment