Applies to: Exchange Server 2013
Topic Last Modified: 2012-10-13
Information workers often use e-mail to exchange sensitive information. To help secure this information, organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content. Because mobile devices are increasingly being used to access e-mail, it's important that your mobile device users be able to create and consume IRM-protected content.
Looking for management tasks related to IRM? See Information Rights Management Procedures.
Mobile IRM protection in Exchange 2013
In Exchange 2013, IRM in Microsoft Exchange ActiveSync allows your users to access rich IRM functionality on any supported Exchange ActiveSync device without having to configure AD RMS permissions or connect the device to a computer and activate it for IRM. Also, the mobile device doesn't need to be running Windows. Exchange ActiveSync is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and others. For a list of current Exchange ActiveSync licensees, see Exchange ActiveSync Protocol.
Using IRM in Exchange ActiveSync, mobile device users can:
- Create IRM-protected messages.
- Read IRM-protected messages.
- Reply to and forward IRM-protected messages.
The following requirements apply:
- The Client Access servers in your organization must be running
Exchange 2010 SP1 or later.
- An AD RMS server must be deployed in your
- IRM must be enabled for internal messages. This is a
prerequisite for all IRM features in Exchange 2010. For details,
see Enable or
Disable IRM for Internal Messages.
- IRM must be enabled in the Exchange ActiveSync mailbox policy.
You can enable or disable IRM for different sets of users using
different Exchange ActiveSync mailbox policies.
- Devices that support Exchange ActiveSync protocol version 14.1,
including Windows phones, can support IRM in Exchange ActiveSync.
The device's mobile e-mail application must support the
RightsManagementInformation tag defined in Exchange ActiveSync
When you enable IRM in Exchange ActiveSync, the Client Access server decrypts IRM-protected messages before providing the messages for access by the supported mobile device. Upon synchronization, IRM-protected messages reside on the mobile device in an unencrypted format. IRM protection is enforced by the IRM-capable e-mail client application on the mobile device.
IRM in Exchange ActiveSync doesn't decrypt IRM-protected attachments on the Client Access server. Access to IRM-protected files is enforced by the application used to create or view the file. For example, on a Windows phone, IRM protection for Microsoft Office files is enforced by Microsoft Office Mobile. To access IRM-protected Office files, users must connect the device to a computer and activate Office Mobile with the RMS server.
When enabling IRM in Exchange ActiveSync, we recommend using the Exchange ActiveSync policy settings shown in the following table to help secure mobile devices.
Exchange ActiveSync policy settings
|Setting||Configure using the New Exchange ActiveSync Mailbox Policy wizard||Configure using the New-ActiveSyncMailboxPolicy cmdlet|
Require that the user enter a password to access information on their mobile device.
Select the Require password check box.
Set the DevicePasswordEnabled parameter to
Enable encryption for the mobile device.
Select the Require password check box, and then select the Require encryption on device check box.
Set the RequireDeviceEncryption parameter to
Don't allow non-provisionable mobile devices to synchronize with the Exchange server.
Clear the Allow non-provisionable devices check box.
Set the AllowNonProvisionableDevices parameter to
To learn more, see Mobile Device Mailbox Policies.
Enabling IRM in Exchange ActiveSync
To enable IRM in Exchange ActiveSync, perform the following tasks:
- Add the Federation mailbox (a system mailbox created by
Exchange 2013 and Exchange 2010 Setup) to the super users group in
AD RMS. This allows Exchange 2013 and Exchange 2010 servers to
access IRM-protected messages. For details, see Add the Federation
Mailbox to the AD RMS Super Users Group.
- Use the Set-IRMConfiguration
cmdlet in the Exchange Management Shell to enable IRM on the Client
Access server. This enables IRM in Exchange ActiveSync and IRM in
Microsoft Office Outlook Web App for your organization. For
details, see Enable or Disable
Information Rights Management on Client Access Servers.