Dec 07 2021 12:46 AM
Hi All,
I have a requirement of applying classification and DLP on pdf file. We have label name "Internal" without protection enabled. I can do classification as Internal on pdf files using AIP UL client.
Appreciate if anyone can help on below concerns.
Thanks,
Dilan
Dec 23 2021 02:02 AM
SolutionHi @dilanmic,
We are having the exact same problem. We also discussed this with Microsoft in a ticket regarding the DLP policy activation on PDF files with a sensitivity label. It took them a while to come back with an answer which confirms that this is a 'weird' problem or maybe even a bug, but sadly the final answer was: "After discussion with my team and senior resource, we found that we do not have DLP available for PDF documents".
This means that we cannot prevent PDF files to be send outside when only using DLP policies. What we can do, is preventing all files which have a certain sensitivity label to be sent as an attachment via the Outlook client with the help of PowerShell commands. These cmdlets will only work when using the Outlook client and are based on the sensitivity label policy itself (so this has nothing to do with DLP).
When U install the AIP UL client on an endpoint device, you can then take advantage of these PowerShell commands:
Note that with these adjustments you are only blocking this from the installed Outlook client. For OWA users will still be able to sent non-Office documents when the email itself is not labeled and unfortunately you cannot enforce label inheritance from an attachment here.
Not the answer you where hoping for, at least I wasn't, but hopefully it's good for you to know how it works at this time. It would be great if Microsoft would support this in the future because I don't think we are the only ones who face this problem!
More information about these PowerShell commands can be found here:
Wishing you all the best and a merry Christmas.
Dec 23 2021 08:42 PM
Dec 23 2021 02:02 AM
SolutionHi @dilanmic,
We are having the exact same problem. We also discussed this with Microsoft in a ticket regarding the DLP policy activation on PDF files with a sensitivity label. It took them a while to come back with an answer which confirms that this is a 'weird' problem or maybe even a bug, but sadly the final answer was: "After discussion with my team and senior resource, we found that we do not have DLP available for PDF documents".
This means that we cannot prevent PDF files to be send outside when only using DLP policies. What we can do, is preventing all files which have a certain sensitivity label to be sent as an attachment via the Outlook client with the help of PowerShell commands. These cmdlets will only work when using the Outlook client and are based on the sensitivity label policy itself (so this has nothing to do with DLP).
When U install the AIP UL client on an endpoint device, you can then take advantage of these PowerShell commands:
Note that with these adjustments you are only blocking this from the installed Outlook client. For OWA users will still be able to sent non-Office documents when the email itself is not labeled and unfortunately you cannot enforce label inheritance from an attachment here.
Not the answer you where hoping for, at least I wasn't, but hopefully it's good for you to know how it works at this time. It would be great if Microsoft would support this in the future because I don't think we are the only ones who face this problem!
More information about these PowerShell commands can be found here:
Wishing you all the best and a merry Christmas.