Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-07-14
Information workers often use e-mail to exchange sensitive information. To help secure this information, organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content. Because mobile devices are increasingly being used to access e-mail, it's important that your mobile device users be able to create and consume IRM-protected content.
Looking for management tasks related to IRM? See Managing Information Rights Management.
Differences Between Mobile IRM Protection in Exchange 2010 RTM and Exchange 2010 SP1
To enable IRM protection for mobile devices in the release to manufacturing (RTM) version of Microsoft Exchange Server 2010, the following requirements must be met:
- The mobile devices must be running Windows Mobile 6.0 or
- The Active Directory Rights Management Services (AD RMS)
administrator must allow Read permissions and Read and Execute
permissions on the mobile certification pipeline (using the
MobileDeviceCertification.asmx file in the
Inetpub\wwwroot\_wmcs\Certification folder on the AD RMS
server). For more information, see Enable Certification of Mobile Devices.
- Users must connect the device to a computer and activate it for
IRM using one of the following methods:
- Using the Windows Mobile Device Center on computers running the
Windows 7 or Windows Vista operating systems
- Using the Microsoft ActiveSync client application on computers
running the Windows XP operating system
- Using the Windows Mobile Device Center on computers running the Windows 7 or Windows Vista operating systems
In Exchange 2010 Service Pack 1 (SP1), IRM in Microsoft Exchange ActiveSync allows your users to access rich IRM functionality on any supported Exchange ActiveSync device without having to configure AD RMS permissions or connect the device to a computer and activate it for IRM. Also, the mobile device doesn't need to be running Windows. Exchange ActiveSync is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and others. For a list of current Exchange ActiveSync licensees, see Exchange ActiveSync Protocol.
Using IRM in Exchange ActiveSync, mobile device users can:
- Create IRM-protected messages.
- Read IRM-protected messages.
- Reply to and forward IRM-protected messages.
The following requirements apply:
- The Client Access servers in your organization must be running
Exchange 2010 SP1.
- An AD RMS server must be deployed in your
- IRM must be enabled for internal messages. This is a
prerequisite for all IRM features in Exchange 2010. For details,
see Enable or
Disable IRM for Internal Messages.
- IRM must be enabled in the Exchange ActiveSync mailbox policy.
You can enable or disable IRM for different sets of users using
different Exchange ActiveSync mailbox policies.
- Devices that support Exchange ActiveSync protocol version 14.1,
including Windows phones, can support IRM in Exchange ActiveSync.
The device's mobile e-mail application must support the
RightsManagementInformation tag defined in Exchange ActiveSync
When you enable IRM in Exchange ActiveSync, the Client Access server decrypts IRM-protected messages before providing the messages for access by the supported mobile device. Upon synchronization, IRM-protected messages reside on the mobile device in an unencrypted format. IRM protection is enforced by the IRM-capable e-mail client application on the mobile device.
IRM in Exchange ActiveSync doesn't decrypt IRM-protected attachments on the Client Access server. Access to IRM-protected files is enforced by the application used to create or view the file. For example, on a Windows phone, IRM protection for Microsoft Office files is enforced by Microsoft Office Mobile. To access IRM-protected Office files, users must connect the device to a computer and activate Office Mobile with the RMS server.
When enabling IRM in Exchange ActiveSync, we recommend using the Exchange ActiveSync policy settings shown in the following table to help secure mobile devices.
Exchange ActiveSync policy settings
|Setting||Configure using the New Exchange ActiveSync Mailbox Policy wizard||Configure using the New-ActiveSyncMailboxPolicy cmdlet|
Require that the user enter a password to access information on their mobile device.
Select the Require password check box.
Set the DevicePasswordEnabled parameter to
Enable encryption for the mobile device.
Select the Require password check box, and then select the Require encryption on device check box.
Set the RequireDeviceEncryption parameter to
Don't allow non-provisionable mobile devices to synchronize with the Exchange server.
Clear the Allow non-provisionable devices check box.
Set the AllowNonProvisionableDevices parameter to
To learn more, see Understanding Exchange ActiveSync Mailbox Policies.
Enabling IRM in Exchange ActiveSync
To enable IRM in Exchange ActiveSync, perform the following tasks:
- Add the Federation mailbox (a system mailbox created by
Exchange 2010 Setup) to the super users group in AD RMS. This
allows Exchange 2010 servers to access IRM-protected messages. For
details, see Add
the Federation Mailbox to the AD RMS Super Users Group.
- Use the Set-IRMConfiguration
cmdlet in the Exchange Management Shell to enable IRM on the Client
Access server. This enables IRM in Exchange ActiveSync and IRM in
Microsoft Office Outlook Web App for your organization. For
details, see Enable or Disable
Information Rights Management on Client Access Servers.