Secure your Emails and Documents with Azure Information Protection (AIP) Sensitivity labels in Workspace ONE Boxer

With Azure Information Protection (AIP), you can secure your emails and documents that you exchange within or outside your organization.

Microsoft Azure is a public cloud computing platform developed to provide a set of cloud services to address your business challenges. It gives you the ability to build, manage, and deploy applications across a massive global network using your favorite tools and frameworks. Azure Information Protection (AIP) is one of the services offered by Microsoft Azure.

AIP protects the sensitive information of your company. It allows your organization to encrypt, classify, and protect your emails and documents at the time of creation or modification. With AIP, you can:

Manually or automatically add labels and classify emails and documents based on business rules.
Enforce encryption on your emails and documents.
Protect your information by applying header and footer text to the email.

AIP provides an excellent end-user experience by allowing users to secure their information by simply applying the label. Organizations can also boost their security and Data Loss Prevention policies with a comprehensive and unified approach for the data protection.

For more information on AIP, see What is Azure Information Protection?.

Supported Features of AIP

The AIP feature supports only Modern authentication.
With AIP, you can encrypt the content of your email with a label. By default, the Azure Cloud key is used for encryption, but you can also set additional encryption at the server level by configuring the Protection template ID of the label.
AIP supports the Watermark feature. You can add a watermark by applying header and footer text to your email.
The default label is a label that automatically applies to the new email that you compose.
AIP feature permits you to apply only one label per email.
You can apply restrictions on your emails and documents based on the following categories:
- User actions - You can restrict users to perform the following actions on the received emails.
  - View
  - Reply
  - Reply All
  - Do not forward
- User groups - You can allow only selected users and groups to access your email.
- Time - You can set few days or a specific date for the users to access your email. When the time expires, users cannot access the email.
You can configure AIP to request for justification when users try to downgrade or remove a label.
Each email in a thread can have a different label.
If you configure the sensitivity labels in Workspace ONE UEM console, users cannot view the IRM templates in Workspace ONE Boxer.

Enable Azure Information Protection (AIP) Sensitivity Labels for Your Organization

As an admin, you can use the Azure portal to configure the Azure Information Protection sensitivity labels for your organization. You must also configure Workspace ONE Boxer using a key-value pair to enable the AIP feature.

Sign in to the Azure portal. For more information about the Azure portal, see Configuring the Azure Information Protection policy.
Enable the following options in the organization settings of your Office 365 account.

a. Azure Information Protection

b. Microsoft Information Protection API
Activate the Data Protection and the Unified labeling options in AIP.
Configure the labels in the Classification settings of AIP.
Add and enable the PolicySensitivityLabelsEmailClassification key in the Workspace ONE UEM console. To know how to configure this key, see Enable AIP Sensitivity Labels in Workspace ONE Boxer.

When you enable the PolicySensitivityLabelsEmailClassification key,
- It deactivates the default Boxer policies (Classifications and IRM templates) for end users and replaces it with a set of AIP sensitivity labels, as set in Azure.
- The following key-value pairs become inactive and cannot be enabled:
  - PolicyClassMarkingsEnabled
  - PolicyClassMarkingsXHeader
  - PolicyClassVersion
  - PolicyClassMarkings
  - PolicyClassMarkingsRankEnabled
  - PolicyClassMarkingsDefaultClass Note:
- As an admin, you must provide consent to your tenant users to use the sensitivity labels. Otherwise, each user has to consent manually. Users cannot use the labels without the consent.
- Labels might take 24 hours to synchronize from Azure to Workspace ONE Boxer.

Configure Azure Information Protection (AIP) Sensitivity Labels in Workspace ONE Boxer

If your administrator has not provided you the consent to access the AIP sensitivity labels, you must consent manually.

To enable the sensitivity labels in Workspace ONE Boxer, tap the Enable option in the banner displayed on the inbox screen.
If you have multiple managed accounts and you are on All Accounts screen, you must select an account for which you want to enable the sensitivity labels. When you have a single managed account, you are directly redirected to the Microsoft page, where you have to consent manually.
Tap Accept on the Microsoft page and consent manually.

After receiving the consent, Boxer fetches all the labels from Azure. You can apply these labels to your emails and also receive emails with labels.
To update the older emails with sensitivity labels, you can resynchronize Boxer.

Even if you do not receive the consent, you can still access the emails, but you cannot apply any restrictions and classification to the email content.

Apply Azure Information Protection (AIP) Sensitivity labels to Emails

You can apply a sensitivity label when you compose a new email, reply, or forward a received email. To apply a label on your email, you must tap the label icon. Upon tapping, you can see a list of all the labels configured in Azure.

General Information:

You cannot select the parent labels. You can only select the child labels.
If the default label functionality is enabled in Azure, you can see that the label has already been applied to the list.
When you apply a label to an email, you can see the following things in the email body:
- Snackbar to confirm that you have applied a label.
- The label icon turns red.
- A solid red line appears under the subject of the email.
  
  Note: Sensitivity labels do not support delegated accounts.

Receiving Emails with Azure Information Protection (AIP) Sensitivity Labels

When you receive an email with an applied sensitivity label, you can see the name of the applied label and a label icon marked in red. You can also see the header and footer text if the label has the settings for it. The header and footer text that appears in the email body is according to the label settings in Azure.

Based on the settings of the label, sender can restrict you to perform actions such as Reply, Reply all, or Forward on the received email.

When you tap the label name, you can view the additional label details such as name, permissions, and restrictions applied on the received email. If the sender gives you the permission, you can also change the label of the received email. Sometimes you are asked to provide a valid reason for changing the label. The policy setting in Azure controls such requests.

You cannot access sensitivity labels in the cases where:

Your admin has enabled the PolicySensitivityLabelsEmailClassification key in the Workspace ONE UEM console, but has not configured the sensitivity labels in Azure.
The Boxer application fails to connect to the Azure server.

Combination of IRM templates and Sensitivity labels

When you receive an email with an already applied IRM template, then a default sensitivity label configured by the Azure admin is applied to that email. You can also apply the labels manually.
If you receive an email with an applied sensitivity label, you can use a different sensitivity label if you are allowed to do so.

Combination of S/MIME and Sensitivity labels

When you receive a signed or encrypted email and you apply a sensitivity label to it, the signing or encryption level of protection is removed from that email.
If you receive an email with an already applied sensitivity label, the label is removed automatically when you sign or encrypt that email.