Configuring MIP Decryption
You can configure Forcepoint DLP to decrypt and analyze Microsoft Office files encrypted by Microsoft Information Protection (MIP).
You must select one of the following options in the MIP decryption section of the Microsoft Information Protection Properties page:
- Enable MIP decryption on endpoint channels:
Forcepoint DLP integrates with Microsoft Information Protection (MIP) to apply DLP policies to MIP-encrypted files on Windows endpoints. This feature enables enterprises to maintain sensitive data visibility and control for files protected using MIP. Forcepoint DLP interacts directly with MIP, enabling MIP to work both on and off the network. It can also be used to better understand how MIP is being used by employees to protect sensitive data.
Use the Enable MIP decryption on endpoint channels option to configure Forcepoint DLP to decrypt and analyze Microsoft Office files that were encrypted by MIP on Windows endpoints. This includes files found on Windows endpoints (discovery) or sent via any endpoint channel.
Note: The MIP decryption feature relies on the Microsoft RDS SDK. Therefore, for MIP decryption to work, Microsoft Remote Desktop Services must be running on the endpoints.
Office files that are protected by MIP include Office file formats based on OPC (Office 2010 and later), legacy Office file formats (Office 2007), PDF files, generic PFILE support, and files that support Adobe XMP.
The system uses the logged-in user's credentials to access the MIP server. Because the system runs under the security context of the logged-in user, it has the same permissions as that user and can therefore read everything the user is allowed to read. For example, when a user creates a document, the user gets permission to read the document, and so does the system. When the user has read permission on a document, either explicitly or through membership in an Active Directory group, so does the system. If any error occurs during decryption, the transaction is permitted without analysis and the error is recorded in a log file.
The MIP file detection feature has the following prerequisites:
- The endpoint machine must be in your organization’s domain.
- Forcepoint DLP Endpoint version 19.xx or higher must be installed.
- Azure Active Directory/Office 365 single sign-on (SSO) between the local Active Directory and Azure Active Directory must be configured and working. Users must be able to MIP-decrypt a document without a login prompt.
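The following PowerShell pre-flight check is an added example and is not part of the Forcepoint documentation or product. It verifies, on a Windows endpoint, the three prerequisites that can be checked locally (domain membership, Remote Desktop Services running, and the installed endpoint agent version) and reports the Azure AD join state as an indicator for the SSO prerequisite. It assumes that Remote Desktop Services is the Windows service named TermService, that the endpoint agent registers an uninstall entry whose DisplayName matches the hypothetical pattern Forcepoint*Endpoint*, and that dsregcmd.exe is available; adjust the pattern to your deployment.

```powershell
# Added example (not Forcepoint's own tooling): pre-flight check for the
# endpoint-side MIP decryption prerequisites. Run in an elevated PowerShell
# session on the Windows endpoint.

function Test-MipDecryptionPrereqs {
    [CmdletBinding()]
    param(
        # Assumption: the endpoint agent's uninstall entry has a DisplayName
        # matching this pattern. Adjust to match your deployment.
        [string]$EndpointDisplayNamePattern = 'Forcepoint*Endpoint*',
        [version]$MinimumEndpointVersion = '19.0'
    )

    $results = [ordered]@{}

    # 1. Domain membership: the endpoint must be joined to the organization's domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # 2. Remote Desktop Services (service name TermService) must be running,
    #    because the MIP decryption feature depends on the Microsoft RDS SDK.
    $rds = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $results['RdsRunning'] = ($null -ne $rds -and $rds.Status -eq 'Running')

    # 3. Endpoint agent version 19.xx or higher, read from the standard
    #    Uninstall registry keys (64-bit and 32-bit views).
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $agent = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $EndpointDisplayNamePattern } |
        Select-Object -First 1
    $agentVersion = $null
    if ($agent -and $agent.DisplayVersion) {
        try { $agentVersion = [version]$agent.DisplayVersion } catch { $agentVersion = $null }
    }
    $results['EndpointVersion']   = $agentVersion
    $results['EndpointVersionOk'] = ($null -ne $agentVersion -and $agentVersion -ge $MinimumEndpointVersion)

    # 4. Azure AD / hybrid join indicator from dsregcmd. This only shows that the
    #    device is registered with Azure AD; it does not prove that SSO works for
    #    the logged-in user. Confirm that separately by opening an MIP-protected
    #    document as that user and checking that no sign-in prompt appears.
    $dsreg = & dsregcmd.exe /status 2>$null
    $results['AzureAdJoined'] = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

    # Overall verdict covers only the prerequisites that can be verified locally.
    $results['AllRequiredOk'] = $results['DomainJoined'] -and $results['RdsRunning'] -and $results['EndpointVersionOk']
    return [pscustomobject]$results
}

Test-MipDecryptionPrereqs | Format-List
```

A false result for RdsRunning or DomainJoined explains the most common case where MIP-encrypted files pass the endpoint without analysis, since errors during decryption are logged and the transaction is allowed through; checking these before enabling the option avoids silent fail-open behaviour.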
To view MIP-related incidents in the Data Security module of the Forcepoint Security Manager, navigate to the page.
See Microsoft documentation for more information on MIP.
Note: The following are not supported:
- Decryption of MIP-encrypted files can only be done for a single logged-in user. Multiple users logged into the same machine is not supported.
- RPMSG messages (RMS-protected mail messages) are not supported.
- Enable MIP decryption on non-endpoint channels:
Forcepoint DLP integrates with MIP to apply DLP policies to MIP-encrypted files on the following non-endpoint channels:
- Windows servers for the network discovery channel
- Protectors (certified on Red Hat Enterprise Linux 8 only) for both the Network Email and Network Web channels
- Data Protection Service for the following channels (stay tuned for further announcements regarding general availability):
- Cloud web (by Forcepoint ONE SWG or Web Security Cloud)
- Cloud email (by Forcepoint Email Security Cloud)
- Cloud Proxy and Cloud API (by Forcepoint ONE CASB)
Note: RMS-protected mail messages (RPMSG) are not supported for non-endpoint channels.