PEM and MIP Labeling Setup Guide


Create the application in Azure

There are two ways to create an application in Azure, manually or automated by using a PKWARE created PowerShell script.

We strongly advise the use of the PowerShell script to create the App in Azure, because it requires much less manual input and activity.



Creating the App via the PowerShell script

This script creates the required application configuration elements and inputs the values directly into Azure. As part of creating the application the script performs the following:

  • Creates the Tenant ID, Client ID and Client Secret
  • Configures the basic API permissions
  • Sets the owner of the application as the user who logged into Azure


Important Manual Steps:

  1. If you want to add the SuperUser API permission, this must be added manually (step 8, above)
  2. After the script is run, the user must go into the newly created app in Azure, select ‘API permissions’ and choose ‘Grant admin consent for PKWARE, Inc’ (step 9, above)

The script also creates a ‘createdLabelApps.html’ file placed in whichever directory the script resides that contains information about the azure apps it has created. This file is for reference only and doesn’t need to be retained, however it can be used to find the application details required when creating the application in the PEM.


Calling the script without any parameters:

* .\CreateAzureLabelApp.ps1

* This will take you through entering an app name and popping up a browser window to log into the Azure tenant you wish to create a label app for


Calling the script with parameters:

* .\CreateAzureLabelApp.ps1 `"-appName <Label app name> -Credential <Azure tenant login credentials> -TenantID <The ID of a specific tenant you want to use> -enableSuperUserPermissions <To add the Content.SuperUser permission to Microsoft Rights Management Services>"`

* If using the Credential parameter directly, it is a PSCredential.

* This means this parameter needs both a username and password.

* The username and password should be what you use to login into an Azure tenant.

* See the following lines for how to make a PSCredential and run CreateAzureLabelApp.ps1

            * $secpasswd = ConvertTo-SecureString `"ENTER_PASSWORD_HERE"` -AsPlainText -Force

* $mycreds = New-Object System.Management.Automation.PSCredential (`"ENTER_LOGIN_HERE"`, $secpasswd)

            * .\CreateAzureLabelApp.ps1 -Credential $mycreds


You can access the script from the following location:

 

Creating the App Manually

Create the App

  1. Log into the Azure portal (https://portal.azure.com)
  2. Select ‘App Registrations’ from the register and applications screen
  3. From the Register and application screen
    1. Enter and application name
    2. Select ‘Accounts in this organization directory only (PKWARE, Inc. only – Single tenant)’
  4. Click ‘Register’ from the application overview page
  5. Note the ‘Application (client) ID’ and the ‘Directory (tenant) ID’. Copy these values as you’ll need to input them when configuring the application in the PEM

Configuring API Permissions

  1. Select ‘API permissions’
  2. Select ‘Add a permission'
    1. Find ‘Azure Rights Management Services’, select ‘Application Permissions’
      1. Select the checkbox for ‘content.SuperUser’ and select ‘Add permissions’
    2. At this point you should have both ‘User.Read’ and ‘content.SuperUser’ permissions listed
      1. SuperUser permissions will allow the application to read all protected content. If not added, the application will only be able to read content for specific users; as defined in the permissions of the MIP labels in Azure
      2. When creating assignments in the PEM, if a user is in the scope of the assignment to apply a MIP label but they are not in the permissions of the label defined in Azure, they will not be able to apply or open a file with that label, and an error will be generated
      3. To avoid these scenarios, it’s advised that the SuperUser permission be added and used
  3. Select ‘Grant admin consent for PKWARE, Inc’


Obtain the Client Secret

  1. Select ‘Certificates & secrets’
  2. Click ‘+ New client secret’
    1. Enter the name you wish to use for the Client secret in the ‘description’ field
    2. Select the expiration term for the secret. It’s advisable to select ‘Never’ as the client secret expiration, to avoid issues at a later time
    3. At this point Azure will create the Client secret and display it at the bottom of the page
    4. It’s advisable to select ‘Never’ as the client secret expiration, to avoid issues at a later time.
  3. Be sure to copy the Client secret (in the ‘value’ column), it will need to be input into the PEM when configuring the application


 

Create the application in Smartcrypt

  1. Log into the PEM (https://pkwareops.smartcrypt.com/mds)
  2. Go to the MIP > Applications tab, and select ‘Add’
  3. Enter a name for the application
    1. It’s best to use the same name as the one that was created in Azure
  4. Enter the Tentant ID, Client ID and Client Secret values that were used in the configuration of the App in Azure
  5. Select ‘Has Super User Permissions’ if the SuperUser API permission was added when the App was configured in Azure

 

Using MIP Labels in Smartcrypt

Importing MIP Labels

  1. Go to the MIP > Labels tab and select ‘Import’
  2. Smartcrypt will call out to Azure, to retrieve the labels configured in MIP
  3. From the list of labels returned, select the labels you wish to import for use with the application you have created, and select ‘Import’ again
    1. Then labels you import will appear in the drop-down list of applicable labels when you create your MIP remediations


Create MIP Label Remediations

  1. Go to the Archive > Remediations tab and select ‘Add’
  2. Create a name for the remediation
    1. It’s a good idea to create the remediation name, with the name of the label for easier reference in the future
  3. From the remediations action page select the ‘MIP’ checkbox, choose the appropriate application name and click in the ‘Label’ field to choose from the available labels you previously imported
  4. Click ‘Save’


Create an Assignment or Locker to Apply a MIP Label

  1. Go to Archive > Assignments and select ‘Add’
  2. Input and select the standard information required for the creation of an assignment
    1. Ensure you’re selecting ‘Discovery’ as the ‘Mode’ setting
  3. As with all standard Discovery Assignments configure your remediation by selecting a Smart Filter Bundle and/or File Filter, then select the Remediation Action.
    1. The MIP label remediation action will appear with all other defined remediation actions in the drop-down list
  4. Click ‘Save’ and your assignment will be run just like any other standard Assignment.


Create an Assignment or Locker to Discover a MIP Label Name, For the Purpose of Re-Labeling or Removing it

Create the Smartfilter Bundle

  1. Go to Archive > Discovery select ‘Patterns’
  2. Select ‘Add Custom Dictionary’ and input the name of the MIP label you wish to discover in the Keywork field and click ‘Save’
    1. NOTE: The pattern value must match the label name identically, characters, spaces, etc
  3. From Archive > Discovery select ‘Add Discovery’
  4. Create the Smart Filter Bundle by providing a Filter Name and selecting the Pattern for the MIP label name you defined in the prior step, and click ‘Save’


Create the Assignment or Locker

  1. Go to Archive > Assignments and select ‘Add’
  2. Input and select the standard information required for the creation of an assignment
    1. Ensure you’re selecting ‘Discovery’ as the ‘Mode’ setting
  3. Define the remediation action by clicking ‘Add’ and selecting the MIP label Smart Filter Bundle from the drop-down list
  4. Select the desired remediation, from the ‘Remediation Action’ drop-down list  
  5. Click ‘Save’ and your assignment will be run just like any other standard Assignment