01-16-2018 02:50 AM - edited 01-16-2018 03:22 AM
01-16-2018 02:50 AM - edited 01-16-2018 03:22 AM
I'm playing around with an Enterprise Mobility + E3 license and security and I was following the next tutorial/document from Microsoft: https://docs.microsoft.com/en-gb/information-protection/get-started/infoprotect-quick-start-tutorial
However, after completing every step the following error will pop up when trying to select a custom policy. I have tried creating different policies with different setups in vain:
I wonder what else is needed?
01-16-2018 02:12 PM
01-17-2018 02:14 AM - edited 01-17-2018 02:17 AM
I'm afraid that didn't work, I originally used this installer by the way.
Looking at Microsoft's documentation, and as far as I know, it should be working as it is but I can't get it to work. Any ideas? Could something in the computer set-up be affecting the client?
Thank you for the help :)
01-17-2018 02:35 AM
Please try the following to completely remove AIP client:
1. Uninstall AzIP client either in control panel or by running AzInfoProtection.exe /uninstall
2. Access Registry (RegEdit.exe) and delete: HKEY_CURRENT_USER\Software\Microsoft\MSIP
3. Clear IE cookies
4. Delete folder: C:\Users\<user name>\AppData\Local\Microsoft\MSIP
5. Clear Windows credentials and sign-out of Office account
6. Restart and run AzInfoProtection.exe again
01-17-2018 04:05 AM - edited 01-17-2018 04:15 AM
Thank you for that, unfortunately it still displays that error with custom policies.
I have had access to another device today and the very same error pops up there, so I'm assuming the problem must be in the setup.
EDIT: By the looks of it adding protection is causing the issue. The predefine policies which do not have protection activated (therefor are merely a visual thing) do work, however modifying them and adding protection "Azure (cloud key)" will cause this error to pop up.
Again, everything that is needed for this to work (according to the Microsoft documentation) has been done.
01-17-2018 04:51 AM
Ok then, please check requirements, mainly Office version required:
01-17-2018 05:33 AM
01-17-2018 06:09 AM - edited 01-17-2018 06:16 AM
My apologies I did not see this post before, answering your question: No we don't, in fact, our Domain users are not linked in any way to those in Azure and 365.
01-17-2018 06:28 AM
Great. Are you able to right click a file in File Explorer and apply AIP protection (Classify and protect)?
01-17-2018 08:04 AM - edited 01-17-2018 08:06 AM
If I try to apply the custom policy the following error will be displayed:
Failed: Rights management template not found
If I try to create a custom permission from the file explorer the following will be displayed:
Failed: Azure information Protection cannot apply this label because it encountered a problem trying to apply protection. If the problem persists, contact your help desk or administrator.
The predefined policies with no protection do work of course. I'll have a look at the first error which does look promising, if you have any thoughts about it however they're most welcome :)
Thank you for your help so far!
01-17-2018 08:16 AM
Good, I would check that Azure RMS Service and Templates in Azure portal, just to make sure everything is OK there. After that you can refresh templates on your machine following these steps:
01-18-2018 06:10 AM
01-18-2018 07:42 AM
I assume your Office 365 license supports Azure RMS, right?
If so, then most likely it's firewall or proxy blocking IPs or URLs like azurerms.com
01-18-2018 08:19 AM
01-18-2018 04:20 PMSolution
In addition to checking the firewall isn't blocking IP addresses and URLs, check it's not terminating your TLS connection, which breaks certificate pinning. I've added a tip how to check for this client-side, if you don't manage the firewall yourself. See https://docs.microsoft.com/en-us/information-protection/get-started/requirements#firewalls-and-netwo...
01-19-2018 01:42 AM - edited 01-19-2018 06:24 AM
Spot on, the Microsoft certificate isn't displayed and in fact I can view a Fortinet message instead.
I also got a message from our vendor stating that they think something in the list might be performing packet inspections.
Once this is sorted I'll get back with more information to leave a record of it in case someone in the future runs into this post with a similar problem.
My most sincere thanks for all the assistance.
EDIT: The firewall was simply intercepting the SSL stream and replacing the certificate with its own.
01-19-2018 10:15 AM
Thanks for the update - really appreciate that, and also knowing that the newly added tip in the documentation worked for you. Hopefully, it will help the next person as well!
Firewall issues are always tricky to pin down, with unpredictable symptoms. Then the problem is compounded when you don't manage the firewall yourself and have to rely on others to check the requirements for you and make changes. This tip that was passed on to me (by Tom Moser in our Customer Success team) is a great way to either help eliminate this possible cause, or provide specific information to whoever manages your firewall.