Enable or Disable Information Rights Management on Client Access Servers

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

Enabling Information Rights Management (IRM) on Client Access servers enables the following features:

Microsoft Office Outlook Web App
IRM in Microsoft Exchange ActiveSync

When IRM is enabled on Client Access servers, Outlook Web App users can IRM-protect messages by applying an Active Directory Rights Management Services (AD RMS) template created on your AD RMS cluster. Outlook Web App users can also view IRM-protected messages and supported attachments. Before you enable IRM on Client Access servers, you must add the Federation mailbox to the super users group on the AD RMS cluster.

Important:
Members of the super users group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content by that cluster.

You can use the Set-IRMConfiguration cmdlet to enable or disable IRM in Outlook Web App and IRM in Exchange ActiveSync for the entire Exchange 2010 organization.

You can also control IRM in Outlook Web App at the following levels:

Per-Outlook Web App virtual directory To enable or disable IRM in Outlook Web App for an Outlook Web App virtual directory, use the Set-OWAVirtualDirectory cmdlet and set the IRMEnabled parameter to $false or $true (default). This allows you to disable IRM in Outlook Web App for one virtual directory on an Exchange 2010 Client Access server, while keeping it enabled on another virtual directory on a different Client Access server.
Per-Outlook Web App mailbox policy To enable or disable IRM in Outlook Web App for an Outlook Web App mailbox policy, use the Set-OWAMailboxPolicy cmdlet and set the IRMEnabled parameter to $false or $true (default). This allows you to enable IRM in Outlook Web App for one set of users and disable it for another set of users by assigning them a different Outlook Web App mailbox policy.

You can also control IRM in Exchange ActiveSync per Microsoft ActiveSync mailbox policy. To disable or enable IRM in Exchange ActiveSync for an ActiveSync mailbox policy, use the Set-ActiveSyncMailboxPolicy cmdlet and set the IRMEnabled parameter to $false or $true (default). This allows you to enable IRM in Exchange ActiveSync for one set of users and disable it for another set of users by assigning them a different ActiveSync mailbox policy.

Note:
In the release to manufacturing (RTM) version of Microsoft Exchange Server 2010, the OWAEnabled parameter is used to enable or disable IRM in Outlook Web App. In Microsoft Exchange Server 2010 Service Pack 1 (SP1), the OWAEnabled parameter is replaced by the ClientAccessServerEnabled parameter, which enables or disables IRM in Outlook Web App and IRM in Exchange ActiveSync (provided that the other requirements for these features are met).

Note:

In the release to manufacturing (RTM) version of Microsoft Exchange Server 2010, the OWAEnabled parameter is used to enable or disable IRM in Outlook Web App. In Microsoft Exchange Server 2010 Service Pack 1 (SP1), the OWAEnabled parameter is replaced by the ClientAccessServerEnabled parameter, which enables or disables IRM in Outlook Web App and IRM in Exchange ActiveSync (provided that the other requirements for these features are met).

Looking for other management tasks related to rights protection? Check out Managing Information Rights Management.

Prerequisites

An AD RMS cluster is installed in the Active Directory forest.
The Federation mailbox has been added to the AD RMS super users group. For detailed instructions, see Add the Federation Mailbox to the AD RMS Super Users Group.
IRM features are enabled for the organization. For detailed instructions, see Enable or Disable IRM for Internal Messages.

Use the Shell to enable IRM on Client Access servers

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.

Note:
You can't use the EMC to enable IRM on Client Access servers.

This example enables IRM on a Client Access server for an Exchange 2010 organization.

	Copy Code
Set-IRMConfiguration -ClientAccessServerEnabled $true

For detailed syntax and parameter information, see Set-IRMConfiguration.

Use the Shell to disable IRM on Client Access servers

Note:
You can't use the EMC to disable IRM on Client Access servers.

This example disables IRM on a Client Access server for an Exchange 2010 organization.

	Copy Code
Set-IRMConfiguration -ClientAccessServerEnabled $false

For detailed syntax and parameter information, see Set-IRMConfiguration.

Other Tasks

After you enable IRM on Client Access servers, you may also want to: