Microsoft Rights Management (RMS) Team Blog

The official team blog of Microsoft's Rights Management product team with news and updates for IT professionals using AD RMS or Azure RMS.

The NEW Microsoft RMS is live, in preview!


[Please see this post -- we've shipped!]

 

 

Hi folks,

We made it! Today we’re sharing with you a public preview of the massively updated rights management offering.  Let's jump right in...

The new Microsoft RMS enables organizations to share sensitive documents within their organization or to other organizations with unprecedented ease. These documents can be of any type, and you can consume them on any device. Given the protection scheme is very robust, the file can even be openly shared… even on consumer services like SkyDrive™/DropBox™/GDrive™.

Today we’re announcing the preview of SDKs, Apps, and Services, and we’re giving details on how you can explore each of them. If you’d like some background on Microsoft Rights Management, check out this TechEd Talk. I’ll also strongly recommend you read the new RMS whitepaper for added details.
 

Promises of the new Microsoft Rights Management services

    Users:

  • I can protect any file type
  • I can consume protected files on devices important to me
  • I can share with anyone
    • Initially, I can share with any business user; they can sign up for free RMS
    • I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)
    • I can sign up for a free RMS capability if my company has yet to deploy RMS

    ITPro:

  • I can keep my data on-premise if I don’t yet want to move to the cloud
  • I am aware of how my protected data is used (near realtime logging)
  • I can control my RMS ‘tenant key’ from on-premise
  • I can rely on Microsoft in collaboration with its partners for complete solutions

These promises combine to create two very powerful scenarios:

  1. Users can protect any file type. Then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.
  2. ITPros have flexibility in their choice of storage locale for their data, and Security Officers have the flexibility of maintaining policies across these various storage classes. The data can be kept on premise, placed in a business cloud data store such as SharePoint, or it can be placed pretty much anywhere and remain safe (e.g. thumb drive, personal consumer-grade cloud drives).

 The RMS whitepaper offers plenty of added detail.

 

User experience of sharing a document

Here’s a quick fly-by thru one (of the many) end to end user experiences. We’ve chosen the very common ‘Sensitive Word document’ scenario. While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application):

 

You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

 

When you are done with addressing and selecting permissions, you invoke SEND. An email will be created that is ready to be sent but we let you edit it first:

 

The recipient of this email can simply open the document.

If you’re a hands-on learner, just send us an email using this link and we’ll invite you to consume a protected document the same way a partner of yours would.

 If the user does not have access to RMS, they can sign up for free (Yes, free). In this flow the user will simply provide the email address they use in their day to day business (Yes, we don’t make you create a parallel free ID to consume sensitive work documents). We’ll ask the user to verify possession via a challenge/response, and then give them access to both consume and produce RMS protected content (yes, they can not only consume but also share their own sensitive documents for free).

 

 

The user can consume the content. Here we’ll show you what that looks like on an iPhone. In this case they got an email with a protected image (PJPG). They open it and are greeted with a login prompt so we can verify their right to view the protected image. Once verified, the user is granted access to see the image and to review the rights offered to them (click on the info bar):

  

 

We hope you'll agree that the above is exciting stuff! With this covered, let’s jump into the specifics of what we’re releasing today…

 

Foundational Developer SDKs

Today we are offering you 5 SDKs in RELEASE form. Those SDKs target Windows for PCs, Windows Store Apps, Windows for Phone 8, iOS, and Android.

The Mac OS X SDK is available in PREVIEW form on CONNECT and will be released in October.  We’re intentionally holding back on the RESTful APIs documentation until we’re further along with application development. If you are a web site developer or printer/scanner manufacturer wanting to build against them, let us know and we can discuss options.  

It’s worth noting the Windows SDK offers a powerful FILE API that is targeted at solution providers and IT Pros. This SDK has already been released. It will let you protect any file via PowerShell script as well. E.g. Using the FileAPI and PowerShell you can protect a PDF without any additional software.

 

The RMS sharing application

Today we’re releasing the RMS sharing application for Windows.  

You can get the application and sign up for free RMS here.

While built, the mobile apps are not yet in their respective App Stores. Once approved we’ll have an RMS sharing application for: Windows PC, Windows store app, Windows Phone 8, iOS, Android and Mac OS X. If you can’t wait, your Microsoft field contact will know where to get these preview applications and can give you a live demo.

As a treat – we’ve not blogged about this before and it’s not in the whitepaper – here is some new scoop: The mobile applications enable consumption of RMS protected content and also enable the user to create protected images from the camera or on-device camera roll. We call this the ‘Secure whiteboard’ feature: take a photo of the meeting room whiteboard and share it with all attendees, securely. This said, we recognize it can serve many other creative uses.

 

The Azure RMS Service

The above offers are bound to the Azure RMS service. This service has been in worldwide production since late 2012 as it powers the Office 365 integrated RMS features. We’ve added support for the new mobile SDKs and RESTful endpoints but overall, that service has been up and running in 6 geographies worldwide (2x EU, 2x APAC, 2x US) and is fully fault tolerant (Active-Active for the SaaS geeks amongst you).

Today we’re also offering a preview of the BYOK – Bring Your Own Key – capability discussed in the whitepaper. This ensures that your RMS tenant key is treated with utmost care within a Thales hardware security module. This capability prevents export of the key even with a quorum of administrator cards! This same preview offer also enables near-realtime logging of all activities related to RMS and key usage.

 

The bridge to on premise

Today we’re also announcing the RMS Connector. This connector enables you to have your Exchange on premise and SharePoint on premise servers make use of all the above. It’s a simple relay that connects the two. The role is easy to configure and lightweight to run.   

To join this preview, follow this link.

The RMS for Individuals offer

As called out above, not everyone will have RMS in their company so we’re announcing today that we’ll offer RMS for free to individuals within organizations. This offer is hosted at http://portal.aadrm.com and, within the few temporary constraints of the preview phase, lets you get RMS for free.  If you share with others, they can simply sign up. If you are the first one to the party, you can simply sign up. No strings attached.

  

Wrapping up, we hope you’ll agree that we did pretty well at solving a long standing issue. We’ve done so in a way that can also be used within your organization and that honors the critical needs of your IT staff. We’re offering you immediate access to evaluate all the relevant parts: SDKs, Apps, Azure service, connectors, and the self-sign up portal. For each, I’ve shared with you links to help you get started.

 In coming posts I’ll cover:

  • An Authoritative Evaluation Guide. We’ll answer the common ask of “Is there a straight up, no-nonsense write up of what it means to get RMS going?”.
  • A Guided Tour of the Mobile Device applications. Since we’re on hold for the App Store approvals process, we’ll share with you what we have.
  • A Guided Tour of the Windows application. You can download this application today, but we’ll still take the time to explore the nooks and crannies of this little gem.
  • As an AD RMS user, what are my options? All of the above was bound to the Azure RMS server instance. Some of you are using Azure AD and want to better understand your options for migration and/or co-existence. We cover some of this in the whitepaper but we’ll also dive deep into this more complex topic.

 

We'd love to hear from you below or, more privately, at AskIPTeam@microsoft.com.

 

Cheers,
      Dan Plastina on behalf of the Microsoft RMS team

 

Comments
  • I'm working in an organisation where my office AD is operating on a one-way forest trust mode with my HQ office AD. Only user information flows down from HQ to my office and not vice-versa (security reasons). Hence, will the RMS server be able to operate in such environment setup?

  • Windows Azure AD RM isn’t currently available to Office 365 Government G3 or Office 365 Government G4 customers.  

    Do we know why ?

    Do we have any idea if and when AADRM will be available to Office 365 Government G3 or Office 365 Government G4 customers?

  • @Dean: Yes, it will work. If you are talking about Microsoft RMS (the cloud service) you will need to synchronize the directory of the branch where the users of the solution will be with Azure AD (and optionally enable federation).

    If you are thinking about AD RMS on-premises (which today lacks several of the features mentioned in this post) you can deploy AD RMS in your branch and in the HQ forest, and then use a Trusted User domain (an AD RMS trust, independent from an AD trust) to integrate the two infrastructures. It would be recommended that you configure both forests to use for licensing the RMS cluster in the trusting forest (the forest that has the inbound trust) so there's full collaboration between users of both forests.

    See the article at technet.microsoft.com/.../dd983944(v=ws.10).aspx for more information about this architecture.

  • @ Kyle -- Yes, we have Power shell to enable both. Follow the 'PowerShell' link in the post.

    @mle -- Right now the offers we enable are Azure RMS with BYOK (and CyberSec did a great job at explaining that. Thanks) and we have AD RMS on premise. The latter leaves you in full control of your keys but currently lacks some of the features of Azure RMS. When I speak with larger organizations I tend to make one point pretty clear: If you want to collaborate with others, you have the RMS Server sitting in the DMZ. This means that you, or us, are running the RMS cloud service... but don't kid yourself, you ARE in the cloud. Now, if you want RMS for internal only communication, the AD RMS offer enables you to meet your goals and have your server within your perimeter. If you want to discuss further, hit us up on askIPTeam@microsoft.com.

    @Dominik -- We're working on it. It will ship this before spring (along with the also missing Windows store app) ... there's a placeholder for it on portal.aadrm.com/home/downloads ;)

    @everyone -- watch this blog for a large number of posts in the coming weeks... we're very close to general availability.

  • @DEA -- we're working on it but have no dates to announce as of yet. We know there is a healthy pocket of 'security minded people' in that space.

  • Is this still in Preview?

  • I am using Microsoft RMS Ver 2.0.1004 and realized yesterday that my clerk was able to access item properties and change inventory quantities and the sale price - How do I block this


  • Is it possible to define that all documents by default have Policy RMS?
