Microsoft Information Protection SDK 1.5: Now Available
Published Mar 02 2020 02:57 PM 4,459 Views
Microsoft

We're pleased to announce that the Microsoft Information Protection SDK version 1.5 is now generally available via NuGet and Download Center.

 

Highlights

 

  • TLS 1.2 is now mandatory. Clients that don't support TLS 1.2 will fail to connect to the service.
  • MIP SDK Java Wrapper for Windows is in private preview.
  • Data sent to AIP Analytics can be masked via mip::TelemetryConfiguration::maskedProperties
  • Improved exception details across all APIs.
  • Improved C API result and error details.
  • mip::FileHandler::IsLabeledOrProtected()
  • Policy SDK supports dynamic content marking.
  • Label policy cache now expires after 30 days if it hasn't been refreshed.

 

Java Wrapper

We're sharing our Java Wrapper for Windows on a private preview basis. If you're interested in participating, please fill out the form at https://aka.ms/mipsdkjavapreview!

 

Once we're satisfied with the Windows release, we plan to expand support to other platforms.

 

Dynamic Content Marking

AIP Classic had a feature that let admins define variables in content marking. These variables are populated with information about the label, user, or event time. We've built this functionality into the MIP SDK so that our partners and customers can take advantage of the same dynamic content marking.

 

Dynamic content marking is supported for watermark, header, or footer actions. Supported variables are:

 

| Variable | Description |
| --- | --- |
| ${Item.Label} | The name of the label applied to the item. |
| ${Item.Name} | The name of the item. |
| ${Item.Location} | The path to the item. |
| ${User.Name} | The name of the user owner of the document. |
| ${User.PrincipalName} | The UPN of the owner of the document. |
| ${Event.DateTime} | The time that the label was written. |

 

This content marking is configurable via mip::PolicyEngine::Settings::SetVariableTextMarkingType().

 

To set the friendly username, use mip::Identity and construct it with the user-friendly name field.
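The following sketch is an added illustration of how a marking string containing the variables above resolves to final watermark text; it is not MIP SDK code, and the SDK performs the real expansion itself. `ExpandMarking` and `MarkingContext` are hypothetical names, the sample values are constructed, and leaving unknown variables untouched is an assumption of this sketch.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

// Values the host application knows about the item, user and labeling event.
// All sample values below are constructed for illustration.
using MarkingContext = std::map<std::string, std::string>;

// Expands ${Name} tokens found in `text`. Tokens missing from `ctx` and
// unterminated "${" sequences are copied through unchanged (an assumption of
// this sketch, not documented SDK behaviour). Substituted values are never
// rescanned, so a file name containing "${User.Name}" cannot trigger a
// second expansion.
std::string ExpandMarking(const std::string& text, const MarkingContext& ctx) {
  std::string out;
  std::size_t pos = 0;
  while (pos < text.size()) {
    const std::size_t start = text.find("${", pos);
    if (start == std::string::npos) break;
    const std::size_t end = text.find('}', start + 2);
    if (end == std::string::npos) break;         // unterminated token
    out.append(text, pos, start - pos);          // literal text before the token
    const std::string name = text.substr(start + 2, end - start - 2);
    const auto it = ctx.find(name);
    if (it != ctx.end()) {
      out += it->second;                         // known variable
    } else {
      out.append(text, start, end - start + 1);  // unknown: keep as written
    }
    pos = end + 1;
  }
  out.append(text, pos, std::string::npos);      // trailing literal text
  return out;
}

int main() {
  const MarkingContext ctx = {
      {"Item.Label", "Confidential"},
      {"Item.Name", "q3-forecast.docx"},
      {"User.PrincipalName", "alice@contoso.example"},
      {"Event.DateTime", "2020-03-02T14:57:00Z"},
  };
  std::cout << ExpandMarking(
      "${Item.Label} | ${User.PrincipalName} | ${Event.DateTime}", ctx) << "\n";
  return 0;
}
```

Because item names and user display names are data supplied from outside the policy, the single-pass design matters: a value is inserted verbatim and never treated as marking syntax.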

 

Breaking Changes

  • C++ API:
    • mip::ProtectionEngine::GetTemplates() vector<shared_ptr> return value replaced with vector<shared_ptr<mip::TemplateDescriptor>>
    • mip::ProtectionEngine::Observer::OnGetTemplatesSuccess() callback shared_ptr<vector> parameter replaced with vector<shared_ptr<mip::TemplateDescriptor>>
  • C# API:
    • Updated PolicyEngine.Settings.LabelFilter from list of enums to nullable bitfield
    • IProtectionEngine.GetTemplates|Async() return value List replaced with List.
  • C API:
    • Updated most functions to include mip_cc_error* parameter, can be NULL
    • MIP_CC_ProtectionEngine_GetTemplates() mip_cc_guid* param replaced with mip_cc_template_descriptor*

 

Full Change Log

Review the version release history for a full list of changes to this release.

 

-Tom Moser and the MIP SDK Team

28 Comments
Copper Contributor

Hello,

 

Tried running this on RHEL 7.7 and I get a segmentation fault for the sample binary (protection_sample). Has anyone been able to install and use this program on RHEL 7.7 by any chance?

 

thanks

Microsoft

We tested on RHEL7.5. I'll need to check with engineering to see if it's been tested on 7.7, but I believe the answer is no. 

Copper Contributor

@Tom Moser I am trying to port the SDK to an Android app. The SDK provided for Android is written in C++. Do you have any plans to provide a JNI wrapper for Android?

Also, another question: the .so files are 32-bit, and Android has now made it mandatory to have 64-bit bin files, so are there any plans for that as well?
Thanks

Microsoft

Hi @ravish315 

 

We are working on the Java wrapper, but don't yet have a timeline of when we'll be able to release.

 

The informationprotection.aar file should include the 64-bit bins. 

 

 

Copper Contributor

@Tom Moser I'm working on iOS. Do you have any plans for a Swift wrapper? Can you please provide any samples available for iOS?

The MIP SDK for iOS only contains the Protection and Policy APIs. Do you have plans for the File API?

Copper Contributor

Hi @Tom Moser 
Thanks for your response. While doing the integration, I wrote most of the code in C++ with a JNI layer.
I am seeing the error below related to the aria-android-java-sdk.aar file.

E/void (anonymous namespace)::InitLogManager(JNIEnv *, jclass, jobject, const std::__ndk1Initializing Aria LogManager
 A/zygote64: java_vm_ext.cc:504] JNI DETECTED ERROR IN APPLICATION: JNI NewGlobalRef called with pending exception java.lang.ClassNotFoundException: Didn't find class "com.microsoft.applications.telemetry.core.InternalMgrImpl" on path: DexPathList[[directory "."]

Need to know where exactly in Android we need to keep this library.
Any help or link will be helpful.
Thanks

Microsoft

@Sanka2385 

We have no plans for a Swift wrapper at the moment. Unfortunately, I don't have a sample available for iOS, yet, but I hope to publish one in the next couple of months. We have no plans for File API on mobile platforms at the moment.

Copper Contributor

@Tom Moser Thanks for the reply. I am working on decrypting the Word file (label applied using MS Word) from the MIP iOS module. It is failing to get serializedPublishingLicense.

Also, I was able to protect the document with my MIP POC module and unprotect the same file with the POC module, but I am unable to open that file using Word. Is there anything I am missing here?

Copper Contributor

Hi,

Can you please look into this forum post (related to MIP SDK), whenever you have time.

https://stackoverflow.com/questions/61127217/decrypting-an-encrypted-office-365-email-using-mip-sdk/...

 

Thank you.

Copper Contributor

Hello Tom,

I am wondering if the MIP SDK works on OS X. Is there a wrapper for Objective-C?

 

       Thank you

Microsoft

Hi @Gabi_Kalmar , 

 

We don't have a wrapper for Objective C today. Most of our partners have made this work by building their own thin wrapper for just the functionality they require. 

Copper Contributor

Hi Tom ,

My question is around the cached type options you have in the UPE SDK, which I am using for Android. For the OnDiskEncrypted option, can you explain how the DB is encrypted, what algorithm, etc.?

Also, does the SDK provide any handle to control how it will be encrypted, or encryption using my own key?

Microsoft

Hi @ravish315 

 

The cache encryption exists only to prevent the user from browsing the cache data. It's not intended to completely protect the cache state, nor is it intended to allow external control of the keys.

 

The encryption key is generated by the device in the context of the user and stored in a manner that is accessible to the user/application. 

 

We use JavaKeyStore to store an AES key, then encrypt the policy information in SQLite storage using that encryption key. 

 

https://developer.android.com/reference/java/security/KeyStore

 

Copper Contributor

Hi @Tom Moser 

 

I am looking for Dynamic Content Marking using supported variables. Could you please let us know how we achieve this? Where can we set the variables below for dynamic content marking? Basically, we want to customize watermark text dynamically. Example: set the watermark text with the currently logged-in user's email address.

 

Variables:

==========

${Item.Label}
${Item.Name}
${User.Name}

 

Thanks in advance.

 

Br,

Srini K

Microsoft

@srini-k16 are you using the File SDK or Policy? 

Copper Contributor

Thank you for the quick response, @Tom Moser. I have tried Policy as well as File. In both, I couldn't find an option to update/customize the watermark text.

Policy:  https://github.com/tommoser/MipSdk-Dotnet-Policy-Quickstart/
File:   https://github.com/Azure-Samples/MipSdk-Dotnet-File-ServicePrincipalAuth

Microsoft

The File SDK doesn't support content marking at all. It'll only tag the document with the ContentBits attribute that tells the AIP client to apply the content marking at next save.

 

The Policy SDK allows you to use these dynamic fields by simply setting those variables in the label settings. 

 

https://docs.microsoft.com/en-us/azure/information-protection/configure-policy-markings#using-variab...

 

The SDK will expand the variables based on inputs to the ExecutionState implementation and mip::Identity. 

Copper Contributor

@Tom Moser We have a requirement to show the email address of the user accessing the PDF document as a watermark in the middle of the document when it is opened, to avoid sensitive data leakage. Is this achievable through the MIP SDK? Can we use a privileged user to impersonate the current user and make a temporary copy of the document with the accessing user as the owner, and then use the Policy SDK to set the ContentBits for the document with the ${User.Name}, and serve the document to the user, so that when they open it in an AIP-enabled client the watermark will show?

 

Is this something that will work?

 

Thanks,

Vinod

Copper Contributor

Hi @Tom Moser,

 

The File SDK works well for Word documents. That is, we can see the label on a Word document after applying it. However, for PDF, I couldn't see the label after applying it.

I have tried Adobe PDF viewer and a browser; on both, the label is not showing for the PDF. Am I missing anything? Also, how can we see the header/footer/watermark for a PDF? I have tried the AIP client to view it, but couldn't find it. Please suggest.

Microsoft

The label is probably there, but those applications don't display it. If you use the SDK to read the label, does it indicate that it's present? 

 

We don't support content marking in PDFs. We apply the ContentBits attribute that indicates that the item should be marked by the consuming application. The consuming application must read the ContentBits attribute from the label metadata, then understand how to apply the label. I'm unaware of any PDF viewers that do this today. 

Copper Contributor

@Tom Moser 

 

I am trying to protect a Word doc using the Protection API. For this I am creating a protection handler using a template ID. When I observe this protection handler's rights, it has only Owner and I don't see any other rights.

But when I apply a label using a Word document, I see a bunch of rights assigned.

Is there anything I am missing?

 

Thanks 

Kiran

 

 

Copper Contributor

@Tom Moser Yes Tom, using SDK I am able to read the label from PDF. Thank you for clarifying.

Microsoft

@Sanka2385 You'll need to use the File SDK. The Protection SDK deals only in bytes. I assume you're using the sample application. If you review the code in the sample, you'll find that it's just taking the entire file bytes and encrypting them. It's not parsing the file at all, so you won't get a useful output.

 

Copper Contributor

@Tom Moser For mobile, as we don't have the File SDK, I am trying to achieve the same thing with the Protection API. I am able to unprotect the Word document using the Protection API by providing the right info from the Word document. Now I am trying to protect the document using the Protection API. For this I am using a template for creating the protection handler and constructing back the Word document. When I try to open the document I see the error below.

 

I tried debugging the protection handler that I used for protecting, and I observe the rights are missing, which might be the cause of the issue below?

 

Can you please help me what I am missing here?

 

Note: When I don't change Label and use the same protection handler from the word document to protect , I was able to open with word App.

 

[Attached image: Screen Shot 2020-08-10 at 12.55.43 PM.png]

Microsoft

@Sanka2385 That looks like the file is corrupt and can't be opened by Office. Are you following a specific specification writing your parser?

Copper Contributor

@Tom Moser 

 

Thanks for the reply. Yes, after protecting the data I am replacing packages in the protected Word document with the help of a parser. When I tried protecting the modified data with the available info from the Word doc, the file looks fine and I am able to open it with Word.

 

But when I applied a new label, which means I need to create a new protection handler and use that for protecting the document, I replace the package with the help of the parser, but Word complains with the above error.

 

When I compare the existing Word protection handler with the newly created protection handler as a part of the label change, I do observe the rights mismatch.

 

I was able to unprotect the document with the newly created protection handler, but Word shows the error.

 

Not sure whether this rights mismatch is causing the issue, or is there anything I am missing?

 

 

Copper Contributor

@Tom Moser One quick question. I am trying to download an existing PDF document (having MIP encryption), then decrypt the PDF file, modify content in the PDF and then encrypt it back. I am using the File SDK. Up to modifying the content I am able to perform, and now I want to encrypt the file back. That is, while setting the label (having encryption enabled from protection.office.com), I am getting the error "TemplateNotFoundException: Unrecognized template ID.,". What could be the issue? Please suggest.

 

[Attached image: error1.png]

Copper Contributor

Hi Tom, 

We are trying to set custom permissions on a file. Is there any way to accomplish this using MIP SDK C#?

[Attached image: srini-k16_0-1604053412862.png]

 

Version history
Last update: May 11 2021 02:08 PM