Microsoft Tech Community
How you can use the AIP unified labeling client TODAY
Published Sep 17 2019 05:48 PM 14.8K Views
Microsoft

We recently blogged about unified labeling and delivered a webcast explaining what it means to you. The unified labeling platform provides lots of benefits.

AIP customers that enable unified labeling not only get the best features of a more modern platform for Information Protection, they also gain built-in support for sensitivity labels on Mac and mobile platforms.


In addition to this, they can take advantage of integrations across the Microsoft platform: 

  • Microsoft Cloud App Security (MCAS); 
  • Windows Information Protection (WIP) built into Windows 10 1809+; and 
  • Microsoft Defender ATP (MDATP). 

With more integrations coming soon: 

  • SharePoint Online; 
  • Teams; 
  • Exchange Online; and 
  • Power BI. 

Plus, you get significant new features, such as the new client-side content discovery capabilities recently announced.

While you can enable unified labeling without upgrading your existing AIP clients, once you enable unified labeling in your organization you can also upgrade to the new AIP unified labeling client for Windows. Among other benefits, that client provides superior content scanning and auto-classification and can add protection to already labeled documents after a policy change.

 

Some customers are afraid that they will lose functionality when moving to the unified labeling client. In our documentation we have provided a detailed list of differences between the AIP unified labeling client and the AIP Classic client because we wanted to be completely transparent. The downside is that the long list might make things look worse than they really are: the majority of these documented limitations have solid mitigations that remove the issues in practice for most organizations. The few that can't be mitigated and are actual gaps in functionality relate to features used by a limited number of customers, so they might not affect you at all.

The user interface differences between the two clients are minimal:

 

[Screenshots: the labeling interface in the AIP Classic client and in the AIP unified labeling client]

This means you can upgrade to the unified labeling client with a small effort and without users getting lost or suffering any significant impact. In fact, the main change in the unified labeling user interface is a change in the labeling icon in Office applications to make it consistent across platforms (it now looks the same on Windows as on a Mac and also in the upcoming web app update) so users should actually welcome the consistency.

Below is a list of the differences between the AIP unified labeling client and the AIP Classic client, and the mitigating factors that might make these differences a non-issue for you. At this point, most organizations should run the unified labeling client by default and the classic client by exception.

 

| If you use this feature in the AIP Classic client | Can you use the unified labeling client? |
| --- | --- |
| Advanced settings management UI | Yes, you can configure equivalent advanced settings for the unified labeling client using PowerShell. |
| User-defined permissions (UDP) | Yes, the AIP unified labeling client supports User Defined Permissions, just like the Classic client did. This capability is often confused with Custom Permissions; see the entry below. |
| Custom permissions | In the AIP Classic client there was a Custom Permissions option in the Label menu that was unrelated to labeling, so it was removed from that location. The option is still available from the File menu: File Info > Protect Document > Restrict Access, which has the same capabilities previously available in Custom Permissions but with more flexibility (e.g. the user can grant different permissions to different users in the same document). But if you liked having the Custom Permissions option under the Label menu, you can always create a label named “Custom Permissions” with the User Defined Permissions option, and put it at the bottom of your labels. The result will look just like the old one did. |
| Information Protection bar in Office apps | The Information Protection bar is hidden by default but can be centrally enabled via an Advanced Setting. The unified labeling bar has only one minor difference from the one in the Classic client: in the Classic client you could change the name of the labeling action from Sensitivity to a different name, and you were able to customize the tooltip. Even though these options are not customizable from the Security and Compliance Center user interface, both strings can be changed for the unified labeling client via the label localization capabilities. |
| PowerShell cmdlets | Yes, with the same capabilities as the Classic PowerShell cmdlets (plus some new options). The only change is that the ability to remove protection from container files (zip, .rar, .7z, .msg, and .pst) to which it was applied previously is disabled by default and must be enabled by using the Set-LabelPolicy cmdlet. |
| HYOK support | The unified labeling client does not support applying Hold Your Own Key (HYOK) labels (but it can consume content protected with HYOK labels). If your organization has devices that need to label content using Hold Your Own Key, use the Classic client for those devices. Double Key Encryption is a feature that's currently in preview for the unified labeling client and that should be able to replace HYOK for most customers. |
| Usage logging | Yes, the unified labeling client logs labeling and protection information to the AIP Analytics portal instead of the local Event Viewer used by the Classic client, which makes the logs much easier to analyze and consume. |
| Display the Do Not Forward button in Outlook | Yes, while the DNF button has been removed from the unified labeling client default toolbar, this option can be added through Office ribbon customization. Do Not Forward is also still available by default via the File/Info menu and in the ribbon under Options/Encrypt. |
| Track and revoke | For content tracking by administrators and auditors, we have improved the AIP Analytics portal to include tracking information, enabling its use for this scenario. It provides more flexibility, has filtering capabilities, includes information on all protected documents and can support custom queries, among other advantages. As an example of the usage of these logs for content tracking we have built sample code for both end-user and admin tracking. You can learn about these in more recent blog posts. We are analyzing revocation scenarios to define the best way to support the actions users need to perform. |
| Protection-only mode using templates (no labels) | The unified labeling client requires labels to be used when applying protection. As such, it only works with Azure Information Protection, not with AD RMS stand-alone or Azure RMS stand-alone. The AIP unified labeling client can open documents protected with AD RMS when you deploy the Active Directory Rights Management Services Mobile Device Extension. |
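The comparison above points to PowerShell for two advanced settings: showing the Information Protection bar, and re-enabling removal of protection from container files with Set-LabelPolicy. The script below is an added example, not code from the original post; the account name and the `Protection-Admins` policy are placeholders, and it assumes the ExchangeOnlineManagement module and the `HideBarByDefault` and `EnableContainerSupport` advanced-setting names used by the unified labeling client.

```powershell
# Added example: apply two unified labeling advanced settings and verify them.
# Assumptions: ExchangeOnlineManagement is installed; the account can manage
# label policies; 'Protection-Admins' is a hypothetical policy published only
# to the small group that is allowed to unprotect container files.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$changes = @(
    # Show the Information Protection bar for everyone covered by the Global policy
    @{ Policy = 'Global';            Setting = 'HideBarByDefault';       Value = 'False' },
    # Allow removing protection from .zip/.rar/.7z/.msg/.pst, but only in the
    # scoped policy, so the capability is not handed to every user
    @{ Policy = 'Protection-Admins'; Setting = 'EnableContainerSupport'; Value = 'True'  }
)

foreach ($c in $changes) {
    # Keep a record of the settings before the change for rollback and audit
    $before = (Get-LabelPolicy -Identity $c.Policy).Settings
    Write-Output "[$($c.Policy)] settings before change:"
    $before | Where-Object { $_ -match $c.Setting }

    $advanced = @{}
    $advanced[$c.Setting] = $c.Value
    Set-LabelPolicy -Identity $c.Policy -AdvancedSettings $advanced

    # Read the policy back and confirm that the setting is now present
    $after = (Get-LabelPolicy -Identity $c.Policy).Settings |
        Where-Object { $_ -match $c.Setting }
    if (-not $after) {
        Write-Warning "[$($c.Policy)] $($c.Setting) was not found after the update"
    } else {
        Write-Output "[$($c.Policy)] now has: $after"
    }
}

# To withdraw a setting later, set it to an empty string on the same policy:
# Set-LabelPolicy -Identity 'Protection-Admins' -AdvancedSettings @{ EnableContainerSupport = '' }
```

Putting `EnableContainerSupport` in a narrowly scoped policy rather than the one published to all users keeps the ability to strip protection from archives and mail stores limited to the accounts that need it.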

 

As you go through the list you might notice that the scenarios where there's a loss of functionality likely do not apply to your organization, and that the workarounds provided for all other issues suit your needs. If this is not the case, please comment below on which gaps are the most important for us to address in an upcoming release of the AIP unified labeling client.

But even if you decide that you can’t use the current version of the unified labeling client in every scenario in your organization, we must highlight that AIP Clients and the AIP Scanner were designed to be backwards and forward compatible with labels defined and managed through both the Security and Compliance Center and the AIP portal in Azure. This means that you can enable Unified Labeling from the AIP portal and start using the Office 365 Security and Compliance Center to manage your labels today, even if you want to keep using the AIP classic client for some particular scenario where the UL client doesn't yet meet your needs. Even if you decide not to deploy the unified labeling client anywhere at this stage, there should be no reason NOT to enable unified labeling in your organization to gain support for manual labeling in Mac and Mobile devices and other systems while you use the classic client in Windows devices. 

Please let us know what you think, and help us prioritize our efforts by commenting on any of the differences mentioned above where you think the mitigations provided are not sufficient to meet your needs. 

 

Edit: updated to reflect the elimination of a few of the remaining gaps in the latest Unified Labeling client.

Last update: May 11 2021 01:57 PM