New OME Encryption Template, Criticism Revisited
Alex Fields
Spooky. Lately it’s like Microsoft is following this blog or something. I have been working on a number of posts that I’m rather excited about.
First, I had one of my biggest wishes come true, with the release of Files On-Demand for OneDrive (included in the Fall Creators Update).
Additionally, I’ve been piloting Microsoft 365 (not Office 365), and find that it is indeed answering some of my long-standing requests for simplified security & cloud-based device management, to help us wean off on-premises AD solutions of old (new post coming soon on that).
And now, just a week or two after I openly complained about the new Office Message Encryption (OME) features, I find that they are making strides toward fixing those, too.
New template: Encrypt
The major issue with the new release, version 2.0 as they call it, is that the only option for applying message encryption was Do Not Forward. It was either that, or one of the Confidential templates. The latter were only good for sharing content internally. The former was fairly limited, as it forced you to apply the permissions for Do Not Forward, meaning that the messages and their attachments were fairly… how do I put this nicely??
Enter the new “Encrypt” template. I hope they make this the default for the “Protect” button in OWA too (it is still set to Do Not Forward). With the new Encrypt template, you can apply just message encryption, which the users cannot remove. However, they can still forward, print, copy and edit any attached document. If they forward the message, it will remain encrypted on down the line, to the next recipients, etc.
If you are already using the new message encryption, you can see this feature from OWA immediately; just choose Protect on a new message, then Change Permissions.
From the drop-down menu, select Encrypt rather than Do Not Forward.
If you have any transport rules set up that apply Do Not Forward for encryption, I’d recommend updating them to Encrypt (unless you really like the DNF template).
In Outlook, I note that the content does not open directly in the application, like it does with Do Not Forward. Instead, Outlook will have you sign in to view the message via a web link, but the link is presented right in the message, similar to how a Gmail or other external user would see it. I really like the consistency of experience here, actually. One of the more frustrating parts about the way it used to work was that it would be different depending on who was receiving the message. This makes it difficult for companies to provide recipients with instruction. So kudos, MS. This is definitely a step in the right direction.
Click to sign in to the message, and you will have an OWA-like web page, from which you can reply OR forward. WHAT?!!
The attachments also will have a different set of permissions, much preferable to the Do Not Forward variety:
UPDATE 06/18/2018: One of our community members found an excellent article to supplement this piece–thanks, Jacob! It is also possible to “disable” the IRM permissions which get applied to attachments entirely, when using the Encrypt template. The cmdlet for doing so (when you are connected to Exchange Online via PowerShell) is:
Set-IRMConfiguration -DecryptAttachmentFromPortal $true
For more details on how this changes attachments when using the “Encrypt” template, see this article.
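As an added example (not code from the original post), here is a PowerShell snippet that audits transport rules still applying Do Not Forward, switches them to Encrypt, and sets the attachment option from the update above. It assumes an existing Exchange Online PowerShell session and that the templates are exposed under the names “Do Not Forward” and “Encrypt” (the names are an assumption; check Get-TransportRule output in your tenant).

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell
# session is already open (Get-TransportRule, Set-TransportRule, Get-IRMConfiguration
# and Set-IRMConfiguration available) and that the rights-protection templates are
# named "Do Not Forward" and "Encrypt" in this tenant (assumed names).
param(
    [switch]$Apply   # without -Apply the script only reports what it would change
)

$oldTemplate = 'Do Not Forward'
$newTemplate = 'Encrypt'

# Find every transport rule whose action applies the Do Not Forward template.
$rules = Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate -eq $oldTemplate }

if (-not $rules) {
    Write-Host "No transport rules apply the '$oldTemplate' template."
} else {
    foreach ($rule in $rules) {
        Write-Host ("Rule '{0}' (state: {1}) applies '{2}'" -f $rule.Name, $rule.State, $oldTemplate)
        if ($Apply) {
            # Change only the rights-protection action; conditions and other actions stay as they are.
            Set-TransportRule -Identity $rule.Identity -ApplyRightsProtectionTemplate $newTemplate
            Write-Host "  -> updated to '$newTemplate'"
        } else {
            Write-Host "  (dry run; re-run with -Apply to change it)"
        }
    }
}

# Report, and optionally set, the attachment behaviour for the Encrypt template.
$irm = Get-IRMConfiguration
Write-Host ("DecryptAttachmentFromPortal is currently: {0}" -f $irm.DecryptAttachmentFromPortal)
if ($Apply -and -not $irm.DecryptAttachmentFromPortal) {
    Set-IRMConfiguration -DecryptAttachmentFromPortal $true
    Write-Host "  -> DecryptAttachmentFromPortal set to True"
}
```

Run it once without -Apply to see which rules would change, then again with -Apply.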
In short, it’s basically exactly what we’ve been asking for. Thank you, Microsoft, for listening to your customers (I’m positive I could not have been the only person asking about this, either–I’m sure it wasn’t because of this blog, but the timing for this was just funny).