Forum Discussion
How do you work around the client restrictions for opening encrypted documents?
That statement is essentially correct. Here’s the unavoidable reality:
| Client/Tool | Can open RMS encrypted docs? |
|---|---|
| Office Desktop (modern) | Yes |
| Office for web (SharePoint/OneDrive) | Yes |
| Outlook desktop / web (via OME) | Yes |
| Google Workspace apps | No |
| Third-party PDF viewers | No |
| Most browsers without native support | No |
Sensitivity label encryption is based on Microsoft Information Protection / IRM, which requires the application opening the file to be MIP-aware (“enlightened”). Only apps that understand IRM can decrypt the content and enforce restrictions like no print or no copy. Today, that realistically means Office desktop apps and Office on the web.
If the recipient uses non-Office tools (for example Google Workspace), they will not be able to open encrypted documents. There isn’t a workaround for this — it’s a fundamental design constraint of IRM-based encryption.
Because of that, most organizations end up at the same trade-off:
- Use encrypted labels for internal users or known partners with Office
- Use non-encrypted labels (with visual markings, DLP, and auditing) for broad external sharing
Trying to apply encryption universally for all external recipients usually isn’t practical unless you control the client environment.