\n That’s why the information is classified. One extreme is to simply block, or make as hard as possible to access the information, case in which the solution will not be adopted by the users and will be expensive to implement and maintain. The other extreme is to not enforce any kind of protection, or control, case in which the trust is lost.<\/em>
\n The solution is somewhere in the middle – define ways to access classified information that prevents the majority of situations that can compromise \/ violate \/ cause damage.<\/em><\/p>\n
<\/p>\n
I personally think specific level of classified information can be accessed on mobile devices and in the same time still have specific level of control over it.<\/p>\n
<\/p>\n
Key technologies involved:<\/span><\/strong><\/p>\n <\/p>\n What\u2019s New with Information Rights Management in SharePoint and SharePoint Online?<\/a> <\/p>\n Use Office Online on your Android, iPhone, or Windows Phone<\/a> <\/p>\n IRM (Information Rights Management) features and limitations using Office Web Apps On-Premise<\/a> <\/p>\n Almost all the above links refers to official Microsoft sites where Office Web Apps is advertised as being mobile capable (render Office Documents in browser) and also capable to render protected documents.<\/p>\n <\/p>\n SharePoint + Office Web Apps + AD RMS can be<\/strong><\/span> an ideal platform to allow viewing sensitive documents on mobile devices. I implemented this setup and I experienced some limitations. I also discovered some security holes (in my opinion), but found ways to bypass them.<\/p>\n <\/p>\n The idea is simple:<\/span><\/p>\n <\/p>\n This setup is not “bullet proof”. The idea is to allow sensitive documents to be accessed from the mobile devices and in the same time apply some level of control and protection over the information delivered to those devices.<\/p>\n <\/p>\n <\/p>\n <\/p>\n Indeed SharePoint + Office Web Apps + AD RMS are working almost<\/span><\/strong> as advertised in the above MS websites. I say almost<\/span><\/strong> because there are two things that bothers me<\/strong><\/span>.<\/p>\n <\/p>\n 1. The embed view does not work for the documents hosted by an IRM enabled document library.<\/strong><\/span> <\/p>\n <\/p>\n 2. The protection against copy & paste is available on the PC & tablet view of Office Web Apps for the IRM enabled document libraries, but is not available (copy and paste is possible) on the mobile view (smartphones).<\/strong><\/span> <\/p>\n Next, I will reproduce the issue and also provide a way to bypass it (a workaround, not a fix). <\/p>\n Example of PC view of Office Web Apps for the IRM enabled document libraries.<\/span> <\/p>\n Example of tablet (iPad) view of Office Web Apps for the IRM enabled document libraries.<\/span> <\/p>\n Example of smartphone (iPhone) view of Office Web Apps for the IRM enabled document libraries.<\/span> <\/p>\n <\/p>\n <\/p>\n <\/p>\n Workaround<\/strong><\/span> <\/p>\n Attempt 2 – successful<\/span> <\/p>\n Office Web Apps is a HTTP based solution and is heavily relying on the IIS web server. The workaround is simple. <\/p>\n The URL Rewrite module allows the web server administrators to control the userAgent string and change it as they wish. Office Web Apps server rely on the userAgent string to figure out what kind of response will provide (PC\/Tablet or mobile view). So, basically if we are able to control the userAgent string, we are able to control the Office Web Apps behavior.<\/p>\n <\/p>\n OK, but the PC\/Tablet view is not optimized for small screens (mobile devices). This is true, is not optimized, but is also not looking that bad (see the bellow screenshots – iPhone 5). <\/p>\n <\/p>\n How to configure IIS URL Rewrite to control the userAgent string?<\/strong><\/span> <\/p>\n 3.<\/strong> Add the following URL rewrite rule to the web.config located in C:\\Program Files\\Microsoft Office Web Apps\\RootWebSite.<\/p>\n This URL rewrite rule is simply catching all the requests sent by mobile devices (where the HTTP_USER_AGENT string matches mobile devices) and replace it with another string (in my case the iPad userAgent string).<\/p>\n Based on my checks the output provided by Office Web Apps to iPad is generally compatible \/ can be rendered without problems on all the other mobile devices. <\/p>\n","protected":false},"excerpt":{"rendered":" Each company has its own security policies and defines ways to access classified information. If we speak from security and technology point of view, a document can became unsecured as soon as is leaving the secured server where is stored. Encryption is indeed a good mechanism that allows classified information to be hosted for example … Continue reading Classified information and mobile devices (challenges with SharePoint + Office Web Apps + AD RMS)<\/span> \n
\n“Protected documents can be rendered in the browser\u000bAlso new to Office 2013, Office Web Apps can render protected documents. This means that if an authenticated user does not have a compatible Office client, they can still view the documents using Office Web Apps. Note that in the case of Web Apps, the document is presented in read-only mode. Also note that screen capturing of protected content in the browser is not blocked (as it is on clients), but, the information about the protected documents is cleared from the browser cache. Library admins can always prevent this capability by selecting the Prevent opening documents in the browser for this Document Library check box on the Information Right Management setting page (shown below in figure 5).”<\/em><\/p>\n
\n“Thanks to the web browser in your cell phone, your phone can display online documents, using the mobile version of Office Online: Office Mobile Viewers. Office Mobile Viewers display Word, Excel, and PowerPoint documents that are stored online, or sent to your Microsoft email account as attachments. The documents are open for viewing only, not editing.”<\/em><\/p>\n
\n“Office Web Apps does not support the following features normally offered for non-IRM protected documents.\u00a0 These features are currently suppressed from the user interface:<\/em><\/p>\n\n
\n
\nThis view is very useful because custom mobile apps can reuse this functionality (perfect for small screens). Microsoft is aware of this issue<\/a>, but still no fix released.
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_01.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_02.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_03.png\")
<\/a><\/p>\n
\nBasically the look and feel is not consistent across devices. Protection against copy & paste is kind of necessary in this case, otherwise I don’t see a big difference in not protecting at all the documents. It\u2019s again the “middle” scenario – you don’t block the access entirely, but for the majority of the users, preventing copy & paste represents some level of control over the classified information.<\/p>\n
\nI opened with Microsoft a support call [REG:114121212162050] and hopefully they will take it in consideration seriously – especially because this behavior is available also for the cloud version of SharePoint (SharePoint Online) and Office Web Apps (Office Online).<\/p>\n
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_04-1024x783.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_05-1024x784.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_06-1024x783.png\")
<\/a><\/p>\n
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_07-1024x768.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_08-1024x768.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_09-1024x768.png\")
<\/a><\/p>\n
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_10-169x300.png\")
<\/a>
\nIf we look carefully, we can notice the Microsoft Word Web App view is different from the one provided for PC, or tablet. That’s because indeed the view is different. This time the browser rendering points the smartphone directly to the Office Web Apps server (the protected-right-click-and-copy-paste SharePoint view is not involved anymore).<\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_11-169x300.png\")
<\/a>
\nAnd because the Office Web Apps server is not aware of the IRM policy, it will simply provide the view for the mobile devices, same as a regular unprotected files (where copy and paste functionality is present)<\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_12-169x300.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_13-169x300.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_14-300x169.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_15-300x169.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_16-169x300.png\")
<\/a>
\nThe mobile user can copy the URL of the mobile view, paste it into an e-mail and access the link on PC.<\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_17-169x300.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_18-1024x507.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_19-1024x783.png\")
<\/a>
\nCase in which the user was able to bypass the default protect view of Microsoft Word Web App (PC version).<\/p>\n
\nAttempt 1 – unsuccessful<\/span>
\n<\/span>Office Web Apps has the App_Browsers part of each mobile view. Unfortunately configuring the browser definition file doesn’t work for Office Web Apps.
\n<\/span>\u000bhttp:\/\/technet.microsoft.com\/en-us\/library\/ff393836(v=office.15).aspx<\/a>
\n<\/span>http:\/\/sharepoint.smayes.com\/tag\/compat-browser\/<\/span><\/a>
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_20.png\")
<\/a><\/p>\n
\nOn the Office Web Apps servers install URL Rewrite<\/a> IIS extension and configure the server to “believe” all the request sent by the mobile devices (defined in the compat.browser) are in fact requests sent by tablets.<\/p>\n
\nThe in-browser view of Office Documents for PCs and tablets is in fact a SharePoint page with an IFRAME where the Office Web Apps response is displayed.
\nOffice Web Apps server has a simplified view designed for mobile devices. When a user who’s using a smartphone connects on SharePoint and access for example a MS word document, he is accessing the same IFRAME’ed SharePoint page (as for PC and tablets), but this time the Office Web Apps response is “window.top.location.replace” who redirects the mobile device to the simplified view (the response is not trapped in the frame controlled\u00a0by the SharePoint page). \u000bThe problem now is the simplified mobile view doesn’t have any kind of copy & paste protection implemented for the IRM enabled document libraries.<\/p>\n
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_21-300x169.png\")
<\/a>
\nThe landscape view is quite close to how it looks on PC and tablet.<\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_22-169x300.png\")
<\/a>
\nThe portrait view is indeed not practical, but this time is the protected view (copy & paste not possible) and let’s not forget this is a workaround – provide the PC\/tablet view (not optimized for small screens) to mobile devices.<\/p>\n
\n1.<\/strong> You need to download<\/a> and install IIS URL Rewrite module on the Office Web Apps server.
\n2.<\/strong> At the server level<\/strong><\/span> configure HTTP_USER_AGENT as managed server variable.
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_23.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_24.png\")
<\/a><\/p>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_25.png\")
<\/a><\/p>\n\r\n<system.webServer>\r\n\t<rewrite>\r\n\t\t<rules>\r\n\t\t\t<rule name="IsNotMobile" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">\r\n\t\t\t\t<match url=".*" \/>\r\n\t\t\t\t<action type="None" logRewrittenUrl="true" \/>\r\n\t\t\t\t<serverVariables>\r\n\t\t\t\t\t<set name="HTTP_USER_AGENT" value="Mozilla\/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit\/537.51.2 (KHTML, like Gecko) Version\/7.0 Mobile\/11D257 Safari\/9537.53" \/>\r\n\t\t\t\t<\/serverVariables>\r\n\t\t\t\t<conditions>\r\n\t\t\t\t\t<add input="{HTTP_USER_AGENT}" pattern="((iPhone)|(HTC)|(SAMSUNG)|([Ss]amsung)|(Nokia)|(BlackBerry)|(SymbianOS)|(Android)|(Mobile)|(Dolfin)|(Windows Phone)|(Windows CE)|(DoCoMo)|(FOMA)|(UP.Browser)|(SoftBank)|(MIB)|(KDDI)|(KYOCERA)|(T-Mobile Dash)|(KUN)|(S[0-9]*HT)|(NetFront)|(Mozilla\/4.0 \\(compatible; MSIE 6.0; Windows NT 5.1; T-01A\\)))" \/>\r\n\t\t\t\t<\/conditions>\r\n\t\t\t<\/rule>\r\n\t\t<\/rules>\r\n\t<\/rewrite>\r\n<\/system.webServer>\r\n<\/pre>\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_26.png\")
<\/a><\/p>\n
\n![\"Classified](\"https:\/\/www.vioreliftode.com\/wp-content\/uploads\/2015\/01\/Classified_information_and_mobile_devices_challenges_with_SharePoint_Office_Web_Apps_AD_RMS_27-1024x845.png\")
<\/a><\/p>\n