I have the honor of sharing that the new RMS offering is now live, in general availability! We’re announcing the final release of all SDKs, most Apps, and related services, and we’re giving details on how you can explore each of them. Lots more news is coming over the next few weeks, so follow us on Twitter @TheRMSGuy for up-to-the-moment updates.
Why should you care? The new Microsoft RMS enables organizations to share sensitive documents within their organization or to other organizations with unprecedented ease. These documents can be of any type, and you can consume them on any device. Given the protection scheme is very robust, the file can even be openly shared… even on consumer services like SkyDrive/DropBox/GDrive.
This is the first of many blogs on the final release. If you’d like more immediate background information on Microsoft Rights Management, check out this TechEd Talk. I’ll also strongly recommend you read the new RMS whitepaper for added details. We have an updated website with per role subsites and we’ll soon post RMS flyers. We also have user forums.
In short, here is what we’re promising at this juncture: Users:
These promises combine to create two very powerful scenarios:
The RMS whitepaper offers plenty of added detail.
User experience of sharing a document
Here’s a quick fly-by through one of the many end-to-end user experiences. We’ve chosen the very common ‘Sensitive Word document’ scenario. While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application):
You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:
When you have finished addressing and selecting permissions, click SEND. An email will be created that is ready to be sent, but we let you edit it first:
The recipient of this email can simply open the document.
If you’re a hands-on learner, just send us an email using this link and we’ll invite you to consume a protected document the same way a partner of yours would.
If the user does not have access to RMS, they can sign up for free. (Yes, free). In this flow the user will simply provide the email address they use in their day-to-day business. (That’s right, you won’t need to create a parallel free-email account to consume sensitive work documents.) We’ll ask the user to verify possession via a challenge/response, and then give them access to both consume and produce RMS protected content. (Yes, they can not only consume but also share their own sensitive documents as a free evaluation.)
The user can consume the content. Here we’ll show you what that looks like on an iPhone. In this case they got an email with a protected image (PJPG). They open it and are greeted with a login prompt so we can verify their right to view the protected image. Once verified, the user is granted access to see the image and to review the rights offered to them (click on the info bar):
With this covered, let’s jump into the specifics of what we’re releasing…
Foundational Developer SDKs
Today we are offering you 6 SDKs in RELEASE form. Those SDKs target Windows for PCs, Windows Store Apps, Windows for Phone 8, iOS, Android, and Mac OSX.
It’s worth noting the Windows SDK offers a powerful FILE API that is targeted at solution providers and IT Pros. This Windows-based SDK has already been released. It will let you protect any file via PowerShell script as well. For example, using the File API and PowerShell you can protect a PDF or an Office document, natively, without any additional software.
The RMS sharing application
Today we’re releasing the RMS sharing application. It is available on: Windows for PCs, Windows for Phone 8, iOS, and Android. The Windows store application and Mac OSX will be forthcoming (Spring CY14).
You can get the application and sign up for free RMS here.
The applications let you consume ‘generically protected’ content (PFILEs) and protected text and image formats, and they now also let you generate protected images right from the device. We call this the ‘Secure whiteboard’ feature: take a photo of the meeting room whiteboard and share it with all attendees, securely. That said, we recognize it can serve many other creative uses.
It's important to note that Office itself is not yet available in full form on all mobile devices, so consumption of natively protected Office files is limited until Microsoft Office is released on your desired platform. In the meantime, you can protect Office files using the [x] Allow consumption on all devices option. This will result in sharing a generically protected (PFILE) Office file. For example, here we show that My Sensitive Document.Docx will be generically protected to the PFILE format. The recipients get a protected file (one that requires authorization, that can be audited on each use, and that can expire on the date you set), but this file will have to be shared without the finely granular rights that you might desire (thus the slider control is disabled). These good things will come in time. That said, it's worth calling out that this flow lets your iOS and Android recipients consume the protected content you send to them in their respective applications (e.g., on iOS you can open the Word document in Pages).
The Azure RMS Service
The above offers are bound to the Azure RMS service. This service has been in worldwide production since late 2012 as it powers the Office 365 integrated RMS features. We’ve added support for the new mobile SDKs and RESTful endpoints but overall, that service has been up and running in 6 geographies worldwide (2x EU, 2x APAC, 2x US) and is fully fault tolerant (Active-Active for the SaaS geeks amongst you).
We’re also offering the BYOK – Bring Your Own Key – capability discussed in the whitepaper. This ensures that your RMS tenant key is treated with utmost care within a Thales hardware security module. This capability prevents export of the key even with a quorum of administrator cards! You can learn more about HSMs from partner Thales here.
We’re also offering near-realtime logging of all activities related to RMS and key usage. Simply point Azure RMS to Azure blob storage and the logging begins.
The bridge to on-premises
Today we’re also announcing the RMS connector. This connector enables your on-premises Exchange servers and on-premises SharePoint servers to make use of all the above. It’s a simple relay that ‘connects’ these servers to Azure RMS. The RMS connector is easy to configure and lightweight to run.
To download the connector: http://go.microsoft.com/fwlink/?LinkId=314106
RMS connector documentation: http://technet.microsoft.com/en-us/library/dn375964.aspx
The RMS for individuals offer
As called out above, not everyone will have RMS in their company, so we’ll offer RMS to individuals for free within organizations. This offer is located at http://portal.aadrm.com. If you share with others, they can simply sign up. If you are the first one to the party, you can simply sign up. No strings attached.
Wrapping up, we hope you’ll agree that we did pretty well at solving a long-standing issue of persistent data protection. We’ve done so in a way that can also be used within your organization and that honors the critical needs of your IT staff. We’re offering you immediate access to evaluate all the relevant parts: SDKs, Apps, Azure service, connectors, and the self-sign up portal. For each, I’ve shared links with you to help you get started.
We’ve got a flurry of daily blog posts coming out over the next 2 weeks on Planning, Licensing, Step-by-Step guides, and some coverage of specific scenarios. Stay in touch via Twitter: @TheRMSGuy. Don't hesitate to let us know what you'd like to hear about!
Dan Plastina @TheRMSGuy on behalf of the Microsoft RMS team
@Mohamed -- The RMS app is free. It is used in conjunction with a service that comes at a fee. As more and more apps become enlightened, the need for the RMS app is reduced.
@BillZ -- See my reply to @ Robert G above. Proper protection of email with RMS will require Outlook (or other enlightened mail clients) to be more widespread. This said if you've got all Outlook in place, the act of protecting a message will protect all Office docs in that message. Outlook, in current incarnations, does not apply the new protection types (PTXT, PJP, PFILE, etc). For now, you can protect in the Windows Explorer and then simply attach.
I am having issues using the RMS Connector and Azure RMS. When running the installation, putting in credentials, I receive an error message "the remote server returned an error: 400 bad request".
Very vague. I verified credentials, and user rights. Not sure what the problem might be.
I am using the RMS Connector release from Oct 31 1.0.1178.0
Hi Dominik, hit us up on firstname.lastname@example.org
Is new RMS client 2.1 compatible with Office 2007 and 2010?
What happens if we install RMS client on Windows 7 computer with Office 2010 installed?
Will users still be able to protect documents, or will installation of RMS client 2.1 break something and need to be uninstalled?
Is there a way to deploy RMS client 2.1 using Group Policy?
If we only want to use RMS on premises without connection to Windows Azure, how will it all work?
Great news, hope to explore. Is there an on site version that offers same functionality? Is ADRMS in Server 2012 R2 offering same features?
@Thamola, and Anonymous -- yes, we're working on an ADRMS update. Preview in the later spring. More on that as we get closer. I'm also going to record some new talks on this year's wave of products shortly. Stay tuned.
@Anonymous-1: I'll suggest you hop on our public RMS forum to get a reply to your Q given it will be more of a convo than a simple blurb. https://www.yammer.com/AskIPTeam
Excellent work folks! Very exciting service!
We plan to use existing ADFS servers to install Azure RMS connector. Is it supported?