we are using Windows Terminal Services / Citrix and want to deploy the latest AIP client (not the UL version!) to our Terminal users (~2000 users). But I can't find any documentation about AIP and WTS support. Is it supported? Is there an official statement available?
Hi. We have several customers using AIP in TS and Citrix environments. It works and is supported, but there are some restrictions customers have identified, I include their observations below:
Azure Information Protection in VDI deployments
Azure Information Protection (AIP) is an Information protection software for labeling and protection of classified files, based on a central policy. This is a description of what to consider when deploying AIP in virtualized or remotely accessed environments (as RDP) AIP runsand is supported on virtual environments with no specific requirements by default.
AIP client software components
AIP client software is composed of Office Add-ons for Word, Excel, PowerPoint, and Outlook from an OS shell extension (provide a right click context menu), the AIP viewer and PowerShell modules. All software component is included in the AIP client software package. For installation instruction of the AIP client refer to the AIP Administrator guide
AIP configuration is retrieved along with the client policyand stored in %localAppData%/Microsoft/MSIP and %localAppData%/Microsoft/MSIPC in a non persistent VDI, the implication is a few seconds delay in the first run in which AIP retrieves the configuration and sets all requirements for normal operation, as long as the user is already logged in into Office 365, no user interaction is required.
AIP activity logs
AIP activity logs are stored under %localAppData%/Microsoft/MSIP/Logs and %localAppData%/Microsoft/MSIPC/Logs under the user profile and in the windows event logs. If you are required to store the logs between reboots make you can store the user profile in a persistent. The Activity logs are also collected under the windows event log.
Logs are also collected also in azure log analytics, which make them independent of the client machine.
Persistent vs Non persistent VDI
If you are running persistent VM’s AIP should just work, as on any normal workstation, and all controls and configurations are valid.
If you are running in a non-persistent environment you can still run AIP, as the client refreshes its policy on every login.However, there are a few recommendations that can minimize the configuration updates required during login to the VDI.
Distribute the policy in you VDI image.
Update Registry changes using GPO to make sure the are applied at login time
If your VDI infrastructure permit, maintain the following locations persistent: