Leverage the Mobile Device Extension for AD RMS

Overview Technical Article

Microsoft France

Published: October 2014 (updated: March 2016)

Version: 1.0c

Authors: Philippe Beraud (Microsoft France)

Contributors/Reviewers: Martin Sieber (Microsoft Switzerland), Enrique Saggese, Sergey Simakov (Microsoft Corporation)

For the latest information on RMS, please see

www.microsoft.com/rms

Abstract: Due to increased regulation, Consumerization of IT (CoIT) tendencies and “Bring Your Own Device” (BYOD) initiatives, the explosion of information with dispersed enterprise data, the Social Enterprise and its applications enabling new collaboration and other trends, organization of all sizes are facing growing needs to protect and control sensitive information on all important devices (smartphones, slates, tablets, and laptops).

This document provides information about the Mobile Device Extension for AD RMS, and how it can be deployed on top of existing Windows Server 2012 and Windows Server 2012 R2-based AD RMS clusters to support the important devices with mobile RMS-enlightened applications.

By following the steps outlined in this document you should be able to successfully prepare your environment to deploy the Mobile Device Extension, and start using it within your organization to create and consume protected content on all the important devices.

Table of Contents

Notice 3

Feedback 3

Introduction 4

Objectives of this paper 6

Non-objectives of this paper 6

Organization of this paper 6

About the audience 7

Overview of the Mobile Device Extension for AD RMS 8

Prerequisites for the Mobile Device Extension 9

How mobile apps use the new service endpoints 10

Understanding how the service endpoints are located 12

Understanding how authentication works with the service endpoints 19

Reviewing the supported topologies for the Mobile Device Extension 22

Building an evaluation environment 28

Building an Azure-based lab environment 28

Preparing the local environment for Azure 32

Setting up the Windows Server 2012 R2 Base Configuration test lab 38

Deploying the base workloads in Azure 41

Configuring the domain controller 45

Configuring the root Enterprise CA 55

Deploying the federation server 60

Preparing the Internet-facing computer 63

Deploying the database server 73

Deploying the rights management server 78

Testing and evaluating the Mobile Device Extension for AD RMS 90

Configuring AD FS for the Mobile Device Extension for AD RMS 90

Specifying the service discovery records for the Mobile Device Extension for AD RMS 93

Deploying the Mobile Device Extension for AD RMS 99

Publishing the Mobile Device Extension endpoints over the Internet 102

Testing the Mobile Device Extension 102

Troubleshooting the Mobile Device Extension 103

Appendix 107

Setting UAC behavior of the elevation prompt for administrators 107

Simulating an Android device 107

Notice

For the latest information that pertains the Mobile Device Extension for AD RMS (MDE) as covered in this document, please refer to the Microsoft TechNet article Active Directory Rights Management Services Mobile Device Extension[1].

This article constitutes the reference source on this extension for AD RMS.

Feedback

For any feedback or comment regarding this document, please send a mail to .

Introduction

Every day, information workers use email messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.

With time, the type, volume and sensitivity of information that is exchanged has changed significantly. Mailboxes have transformed into repositories containing large amounts of potentially sensitive information.

Ever more powerful and more affordable devices (smartphones, slates, tablets, and laptops), converging technologies, and the widespread use of the Internet have replaced what were only (controlled and managed) laptops in past years.

Today, information workers are highly interconnected interacting with each other in new ways using social networks (Facebook, Google+, Yammer, etc.), and expect “always on” connectivity, and more of them are using the device of their choice to access emails and work-related documents from just about anywhere: at home, at work and everywhere in between… up to the point where personal and work communication can become indistinguishable.

CoIT is the current phenomenon whereby consumer technologies and consumer behavior are in various ways driving innovation for information technology within the organization. As people become more comfortable with technology innovation in their personal lives, they expect it in their professional lives.

While CoIT has remarkable potential for improving collaboration and productivity, this raises new challenges for security, privacy, and industry and regulatory compliance.

Note To help figure out how to face security, compliance and compatibility issues you might deal with and to give users access to corporate intellectual property from ubiquitous devices, both managed and unmanaged, you can refer to a series of documents on CoIT, i.e. Test Lab Guides (TLGs) available on the Microsoft Download Center[2]. The TLGs illustrate key CoIT scenarios with current Microsoft technologies and allow you to get hands-on experience using a pre-defined and tested methodology that results in working configurations.

Where information workers are more mobile, share information, and collaborate more than ever before, information leakage can be thus a serious threat to organizations. Leaks of confidential information can result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more.

The proliferation of consumer devices and ubiquitous information access is driving the organization to define a new model in which information workers use their (own) devices to access sensitive corporate data. The model must be flexible enough to meet their users’ needs while at the same time guarantee that sensitive corporate data are protected from unauthorized access regardless of whether the user’s device is completely managed and individually secured. To increase productivity, users also ask for a secure and consistent way to access and share sensitive information from their devices.

To tackle the issues described above, Microsoft has delivered a cloud-based digital information rights management solution on all important devices through the Azure Rights Management service (Azure RMS) offerings. This service enables users on all important devices to access and use sensitive information. As a transport and storage agnostic solution, it operates on all types of files. Dispersed enterprise data can be protected in a consistent way dictated by the policy no matter where it goes.

Note For an overview of Azure RMS, see the whitepaper Azure Rights Management services[3], and the online documentation[4].

However, such a support for all important devices was not available in the on-premises counterpart to Azure RMS, Microsoft Active Directory Right Management Services (AD RMS). First shipped for Windows Server 2003 and later evolved into a component of Windows Server 2008/2012, AD RMS is designed for organizations that need to protect sensitive and proprietary information and that are not ready to or cannot subscribe for any specific requirement or reason to a cloud service.

The Mobile Device Extension for AD RMS now enables Windows Server 2012 and Windows Server 2012 R2-based AD RMS clusters to support important mobile devices with mobile RMS-enlightened applications in the same way as Azure RMS does.

Note You don’t need the Mobile Device Extension for AD RMS to consume or author protected email on devices if they use mobile mail apps that support Exchange ActiveSync (EAS) Information Rights Management (IRM). This native support for AD RMS and mobile devices was introduced with Exchange 2010 Service Pack 1 (SP1).

Note The Microsoft Exchange ActiveSync (EAS)[5] protocol provides synchronization of mailbox data between mobile devices and Exchange Online, so users can access their email, calendar, contacts, and tasks on the go. EAS is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and mail client applications, and is thus supported by a wide range of mobile devices, including Windows Phone devices, Palm devices, Apple iPhone and iPad, and many Android phones. Implementation of specific EAS features may vary by device and manufacturer. A community-maintained comparison of how Exchange ActiveSync features are implemented by various mobile clients is available at this Comparison of Exchange ActiveSync Clients[6] page on Wikipedia.

Note Devices supporting version 14.1 and above of the protocol can leverage the above EAS IRM capability. The mobile mail app on a device must support the RightsManagementInformation tag defined in this protocol version and above.

To learn more about EAS IRM for protecting mail messages and attachments and how to deploy it in Exchange 2010 SP1 and above, see the Microsoft TechNet article Understanding Information Rights Management in Exchange ActiveSync[7].

The Mobile Device Extension for AD RMS is particularly intended for any mobile RMS-enlightened applications based on the latest Microsoft Rights Management (RMS) SDK, i.e. the RMS SDK 4.0, such as the RMS Sharing app. These applications generally need to be installed through the corresponding app stores for the device.

Note For more information on the RMS Sharing app, see the RMS sharing app guides (administration guide[8] and user guide[9]) and the FAQ[10] for mobile platforms on Microsoft TechNet.

Objectives of this paper

Please note that the detailed step by step guidance in this paper covers not only the deployment of the Mobile Device Extension, but also the installation and configuration of AD RMS, the domain controllers that support the environment, Active Directory Federation Services (AD FS) servers, the virtual machines to host those components and other required components. If this guide is used to support the deployment of MDE in an existing environment, only specific sections of the detailed procedures will apply, while others will have to be modified.

Non-objectives of this paper

This document doesn’t provide a full description of AD RMS. It rather focuses on key aspects that aims at providing the readers an understanding on how to leverage and deploy the Mobile Device Extension on their existing on-premises corporate AD RMS infrastructure.

Note For additional information on AD RMS, see the Microsoft TechNet article Active Directory Rights Management Services Overview[11], as well as the several posts of the AD RMS Team Blog[12].

It doesn’t provide neither guidance for setting up and configuring AD RMS in a production environment nor a complete technical reference for AD RMS.

Organization of this paper

To cover the aforementioned objectives, this document is organized in the following four sections:

§ Overview of the Mobile Device Extension.

§ Building a test lab environment.

§ Setting up the Windows Server 2012 R2 Base Configuration test lab.

§ Testing and evaluating the Mobile Device Extension for AD RMS.

These sections provide the information details necessary to (hopefully) successfully build a working environment with the Mobile Device Extension for AD RMS. They must be followed in order.

About the audience

This document is intended for system architects and IT professionals who are interested in understanding how to enable and configure the Mobile Device Extension for AD RMS on their existing on-premises AD RMS infrastructure.

Overview of the Mobile Device Extension for AD RMS

As introduced before, the Mobile Device Extension for AD RMS lets users who have mobile devices protect and consume sensitive data when their device supports the latest RMS client (also known as the mobile client) and uses RMS-enlightened apps. For example, users on these devices can do the following:

§ Use the RMS sharing app to consume protected text files in different formats (including .txt, .csv, and .xml).

§ Use the RMS sharing app to consume protected image files (including .jpg, .gif, and .tif).

§ Use the RMS sharing app to open any file that have been generically protected (.pfile format).

§ Use the RMS sharing app to open an Office or PDF file encoded in PPDF format (to learn more about the PPDF format see the relevant section in the RMS Sharing app documentation).

§ Use the RMS sharing app to protect image files on the device.

§ Use an RMS-enlightened PDF viewer for mobile devices to open PDF files that were protected with the RMS sharing app for Windows, or another RMS-enlightened application.

§ Use other apps from software vendors who provide RMS-enlightened apps that support file types that natively support RMS.

§ Use your internally developed RMS-enlightened apps that were written by using the lightweight Microsoft Rights Management SDK (RMS SDK) 4.0.

The first mobile client that was based on the RMS SDK 3.0 was initially intended to work only in conjunction with Azure RMS. More specifically, it was designed to interact with the highly abstracted and simplified REST APIs exposed by Azure RMS through rights management service endpoints - along with a service discovery process - for authoring of new content and for consumption of protected content on mobile devices.

To enable the above usage scenario, the Mobile Device Extension for AD RMS enables an on-premises AD RMS clusters to expose similar service endpoints as the ones exposed by Azure RMS.

Such an approach leverages a common logic to locate via a service discovery process the REST service endpoints of the RMS service, whether it is an on-premises AD RMS cluster with the Mobile Device Extension or Azure RMS.

The newly introduced RMS SDK 4.0 for creating rights-enabled applications integrates this common logic and abstracts all access to service endpoints in a platform agnostic manner for the REST APIs. This version of the RMS SDK thus enables to develop RMS-enlightened apps on mobile devices with the new AD RMS server's Mobile Device Extension.

Important note The RMS SDK 4.0 supersedes the RMS SDK 3.0, which is now deprecated.

Note The RMS SDK 4.0 is a simplified, next-generation API that enables a lightweight development experience in building or upgrading device apps with information protection via the RMS service, whether it is an on-premises AD RMS cluster with the Mobile Device Extension or Azure RMS.

Its APIs support standard programming languages and models for each operating system so, they are easy and familiar to work with. The RMS SDK 4.0 provides support in mobile devices (Android[13], iOS[14], Mac OS X[15], Windows Phone, and Windows RT).

For additional information on the RMS SDK 4.0, see the eponym MSDN page Microsoft Rights Management SDK 4.0[16].

Prerequisites for the Mobile Device Extension

The Mobile Device Extension supports the following RMS clients: