Leverage the Mobile Device Extension for AD RMS

Overview Technical Article

Microsoft France

Published: October 2014 (updated: March 2016)

Version: 1.0c

Authors: Philippe Beraud (Microsoft France)

Contributors/Reviewers: Martin Sieber (Microsoft Switzerland), Enrique Saggese, Sergey Simakov (Microsoft Corporation)
For the latest information on RMS, please see


Copyright © 2016 Microsoft Corporation. All rights reserved.
Abstract: Due to increased regulation, Consumerization of IT (CoIT) trends and “Bring Your Own Device” (BYOD) initiatives, the explosion of information and dispersal of enterprise data, the Social Enterprise and its applications enabling new forms of collaboration, and other trends, organizations of all sizes face a growing need to protect and control sensitive information on all important devices (smartphones, slates, tablets, and laptops).

This document provides information about the Mobile Device Extension for AD RMS, and describes how it can be deployed on top of existing Windows Server 2012 and Windows Server 2012 R2-based AD RMS clusters to support these devices with mobile RMS-enlightened applications.

By following the steps outlined in this document you should be able to successfully prepare your environment to deploy the Mobile Device Extension, and start using it within your organization to create and consume protected content on all the important devices.

Table of Contents

Notice 3

Feedback 4

Introduction 5

Objectives of this paper 7

Non-objectives of this paper 7

Organization of this paper 7

About the audience 8

Overview of the Mobile Device Extension for AD RMS 9

Prerequisites for the Mobile Device Extension 10

How mobile apps use the new service endpoints 11

Understanding how the service endpoints are located 13

Understanding how authentication works with the service endpoints 19

Reviewing the supported topologies for the Mobile Device Extension 21

Building an evaluation environment 27

Building an Azure-based lab environment 27

Preparing the local environment for Azure 30

Setting up the Windows Server 2012 R2 Base Configuration test lab 37

Deploying the base workloads in Azure 40

Configuring the domain controller 43

Configuring the root Enterprise CA 53

Deploying the federation server 58

Preparing the Internet-facing computer 60

Deploying the database server 71

Deploying the rights management server 76

Testing and evaluating the Mobile Device Extension for AD RMS 87

Configuring AD FS for the Mobile Device Extension for AD RMS 87

Specifying the service discovery records for the Mobile Device Extension for AD RMS 90

Deploying the Mobile Device Extension for AD RMS 96

Publishing the Mobile Device Extension endpoints over the Internet 98

Testing the Mobile Device Extension 99

Troubleshooting the Mobile Device Extension 99

Appendix 103

Setting UAC behavior of the elevation prompt for administrators 103

Simulating an Android device 103


Notice

For the latest information that pertains to the Mobile Device Extension for AD RMS (MDE) as covered in this document, please refer to the Microsoft TechNet article Active Directory Rights Management Services Mobile Device Extension1.

This article constitutes the reference source on this extension for AD RMS.


Feedback

For any feedback or comment regarding this document, please send a mail to AskIPteam@microsoft.com.


Introduction

Every day, information workers use email messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.

Over time, the type, volume and sensitivity of the information exchanged has changed significantly. Mailboxes have turned into repositories containing large amounts of potentially sensitive information.

Ever more powerful and more affordable devices (smartphones, slates, tablets, and laptops), converging technologies, and the widespread use of the Internet have replaced the controlled and managed corporate laptops that were the only option in past years.

Today, information workers are highly interconnected, interacting with each other in new ways through social networks (Facebook, Google+, Yammer, etc.). They expect “always on” connectivity, and more and more of them use the device of their choice to access email and work-related documents from just about anywhere: at home, at work and everywhere in between… to the point where personal and work communication can become indistinguishable.

CoIT is the current phenomenon whereby consumer technologies and consumer behavior are in various ways driving innovation for information technology within the organization. As people become more comfortable with technology innovation in their personal lives, they expect it in their professional lives.

While CoIT has remarkable potential for improving collaboration and productivity, it raises new challenges for security, privacy, and industry and regulatory compliance.

Note To help you address the security, compliance and compatibility issues you might face when giving users access to corporate intellectual property from ubiquitous devices, both managed and unmanaged, you can refer to a series of CoIT documents, i.e. the Test Lab Guides (TLGs) available on the Microsoft Download Center2. The TLGs illustrate key CoIT scenarios with current Microsoft technologies and let you gain hands-on experience using a pre-defined and tested methodology that results in working configurations.

Where information workers are more mobile, share information, and collaborate more than ever before, information leakage can thus be a serious threat to organizations. Leaks of confidential information can result in lost revenue, a compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more.

The proliferation of consumer devices and ubiquitous information access is driving organizations to define a new model in which information workers use their (own) devices to access sensitive corporate data. The model must be flexible enough to meet users’ needs while at the same time guaranteeing that sensitive corporate data is protected from unauthorized access, regardless of whether the user’s device is fully managed and individually secured. To increase productivity, users also ask for a secure and consistent way to access and share sensitive information from their devices.

To tackle the issues described above, Microsoft has delivered a cloud-based information rights management solution for all important devices through the Azure Rights Management service (Azure RMS). This service enables users on all important devices to access and use sensitive information. As a transport- and storage-agnostic solution, it operates on all types of files: dispersed enterprise data can be protected in a consistent way, dictated by policy, no matter where it goes.

Note For an overview of Azure RMS, see the whitepaper Azure Rights Management services3, and the online documentation4.

However, such support for all important devices was not available in the on-premises counterpart to Azure RMS, Microsoft Active Directory Rights Management Services (AD RMS). First shipped for Windows Server 2003 and later evolved into a role of Windows Server 2008/2012, AD RMS is designed for organizations that need to protect sensitive and proprietary information and that, for any specific requirement or reason, are not ready to or cannot subscribe to a cloud service.

The Mobile Device Extension for AD RMS now enables Windows Server 2012 and Windows Server 2012 R2-based AD RMS clusters to support the important mobile devices and their mobile RMS-enlightened applications in the same way as Azure RMS does.

Note You don’t need the Mobile Device Extension for AD RMS to consume or author protected email on devices whose mobile mail apps support Exchange ActiveSync (EAS) Information Rights Management (IRM). This native support for AD RMS on mobile devices was introduced with Exchange 2010 Service Pack 1 (SP1).

Note The Microsoft Exchange ActiveSync (EAS)5 protocol provides synchronization of mailbox data between mobile devices and Exchange (Exchange Server on-premises or Exchange Online), so users can access their email, calendar, contacts, and tasks on the go. EAS is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and mail client application vendors, and is thus supported by a wide range of mobile devices, including Windows Phone devices, Palm devices, Apple iPhone and iPad, and many Android phones. The implementation of specific EAS features may vary by device and manufacturer. A community-maintained comparison of how Exchange ActiveSync features are implemented by various mobile clients is available on the Comparison of Exchange ActiveSync Clients6 page on Wikipedia.

Note Only devices supporting version 14.1 or later of the protocol can leverage the EAS IRM capability described above: the mobile mail app on the device must support the RightsManagementInformation tag, which is defined in protocol version 14.1 and later.

To learn more about EAS IRM for protecting mail messages and attachments and how to deploy it in Exchange 2010 SP1 and above, see the Microsoft TechNet article Understanding Information Rights Management in Exchange ActiveSync7.

The Mobile Device Extension for AD RMS is primarily intended for mobile RMS-enlightened applications built on the latest Microsoft Rights Management (RMS) SDK, i.e. the RMS SDK 4.0, such as the RMS sharing app. These applications are generally installed from the app store corresponding to the device.

Note For more information on the RMS Sharing app, see the RMS sharing app guides (administration guide8 and user guide9) and the FAQ10 for mobile platforms on Microsoft TechNet.
