cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Classified and Apply DLP on PDF files

dilanmic
Brass Contributor

‎Dec 07 2021 12:46 AM

‎Dec 07 2021 12:46 AM

Classified and Apply DLP on PDF files

Hi All,

 

I have a requirement of applying classification and DLP on pdf file.  We have label name "Internal" without protection enabled. I can do classification as Internal on pdf files using AIP UL client.

 

Appreciate if anyone can help on below concerns.

 

  • when I classified the label, its not visible after open the document. is there any possibility of Viewing the label on pdf documents after classified like Office application do?
  • I have set up a DLP policy to prevent sending documents with Internal label to outside, but when I attached classified document as "Internal" and Email as "Public", Still the DLP policy is not working. However, the DLP policy is working fine with words, Excel etc. is there anyway block sending pdf documents outside which classified as a Internal without protection enabled?

Thanks,

Dilan

 

8,162 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by dilanmic (Brass Contributor)
QJappie22

‎Dec 23 2021 02:02 AM

‎Dec 23 2021 02:02 AM

Solution

Re: Classified and Apply DLP on PDF files

Hi @dilanmic,

 

We are having the exact same problem. We also discussed this with Microsoft in a ticket regarding the DLP policy activation on PDF files with a sensitivity label. It took them a while to come back with an answer which confirms that this is a 'weird' problem or maybe even a bug, but sadly the final answer was: "After discussion with my team and senior resource, we found that we do not have DLP available for PDF documents".

 

This means that we cannot prevent PDF files to be send outside when only using DLP policies. What we can do, is preventing all files which have a certain sensitivity label to be sent as an attachment via the Outlook client with the help of PowerShell commands. These cmdlets will only work when using the Outlook client and are based on the sensitivity label policy itself (so this has nothing to do with DLP).

 

When U install the AIP UL client on an endpoint device, you can then take advantage of these PowerShell commands:

 

  • Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{AttachmentAction="Automatic"}
    • With this command, the email will automatically inherit the label that is applied to the attachment when that attachment is added to the email.
  • Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="ab12345c-d678-9012-34ef-56789g01h234,i5j6k78l-90mn-1o23-45pq-r678901234s5"}
    • With this command, the email will be blocked from being sent to external domains when the attachment or email is labeled with one of the labels provided in the commands. When using more labels, these has to be comma-seperated.
  • Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{OutlookBlockTrustedDomains="<trusted domain>"}
    • With this command, you can whitelist certain external domains which can then receive emails other external domains cannot receive. It can be added as '@contoso.com' and these also need to be comma-seperated when using more domains.

Note that with these adjustments you are only blocking this from the installed Outlook client. For OWA users will still be able to sent non-Office documents when the email itself is not labeled and unfortunately you cannot enforce label inheritance from an attachment here.

 

Not the answer you where hoping for, at least I wasn't, but hopefully it's good for you to know how it works at this time. It would be great if Microsoft would support this in the future because I don't think we are the only ones who face this problem!

 

More information about these PowerShell commands can be found here:

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-custom...

 

Wishing you all the best and a merry Christmas.

0 Likes
Reply
dilanmic

‎Dec 23 2021 08:42 PM

‎Dec 23 2021 08:42 PM

Re: Classified and Apply DLP on PDF files

thank you very much for the reply.

This would really help me.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by dilanmic (Brass Contributor)
QJappie22

‎Dec 23 2021 02:02 AM

‎Dec 23 2021 02:02 AM

Solution

Re: Classified and Apply DLP on PDF files

Hi @dilanmic,

 

We are having the exact same problem. We also discussed this with Microsoft in a ticket regarding the DLP policy activation on PDF files with a sensitivity label. It took them a while to come back with an answer which confirms that this is a 'weird' problem or maybe even a bug, but sadly the final answer was: "After discussion with my team and senior resource, we found that we do not have DLP available for PDF documents".

 

This means that we cannot prevent PDF files to be send outside when only using DLP policies. What we can do, is preventing all files which have a certain sensitivity label to be sent as an attachment via the Outlook client with the help of PowerShell commands. These cmdlets will only work when using the Outlook client and are based on the sensitivity label policy itself (so this has nothing to do with DLP).

 

When U install the AIP UL client on an endpoint device, you can then take advantage of these PowerShell commands:

 

  • Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{AttachmentAction="Automatic"}
    • With this command, the email will automatically inherit the label that is applied to the attachment when that attachment is added to the email.
  • Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="ab12345c-d678-9012-34ef-56789g01h234,i5j6k78l-90mn-1o23-45pq-r678901234s5"}
    • With this command, the email will be blocked from being sent to external domains when the attachment or email is labeled with one of the labels provided in the commands. When using more labels, these has to be comma-seperated.
  • Set-LabelPolicy -Identity "LabelPolicyName" -AdvancedSettings @{OutlookBlockTrustedDomains="<trusted domain>"}
    • With this command, you can whitelist certain external domains which can then receive emails other external domains cannot receive. It can be added as '@contoso.com' and these also need to be comma-seperated when using more domains.

Note that with these adjustments you are only blocking this from the installed Outlook client. For OWA users will still be able to sent non-Office documents when the email itself is not labeled and unfortunately you cannot enforce label inheritance from an attachment here.

 

Not the answer you where hoping for, at least I wasn't, but hopefully it's good for you to know how it works at this time. It would be great if Microsoft would support this in the future because I don't think we are the only ones who face this problem!

 

More information about these PowerShell commands can be found here:

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/clientv2-admin-guide-custom...

 

Wishing you all the best and a merry Christmas.

View solution in original post

0 Likes
Reply