Configuring MIP for endpoint decryption

Forcepoint DLP integrates with Microsoft Information Protection (MIP) to apply DLP policies to MIP-encrypted files on Windows endpoints. This feature enables enterprises to maintain sensitive data visibility and control for files protected using MIP. Forcepoint DLP interacts directly with MIP, enabling MIP to work both on and off the network. It can also be used to better understand how MIP is being used by employees to protect sensitive data.

Use the MIP Decryption tab of the Settings > General > Services page to configure Forcepoint DLP to decrypt and analyze Microsoft Office files that were encrypted by Microsoft Information Protection on Windows endpoints. This includes files found on Windows endpoints (discovery) or sent via any endpoint channel.

By default, this setting is disabled.

To enable MIP decryption, select Enable MIP decryption, then click OK.

Note: The MIP decryption feature relies on the Microsoft RDS SDK. Therefore, for MIP decryption to work, Microsoft Remote Desktop Services must be running on the endpoints.

Files protected by Microsoft Information Protection include Office file formats based on the Open Packaging Conventions (OPC; Office 2010 and later), legacy Office file formats (Office 2007), PDF files, generic protected files (PFILE), and files that support Adobe XMP.

The system uses the logged-in user's credentials to access the MIP server. Because it runs in the security context of that user, it has the same permissions and can read everything the user can read. For example, when a user creates a document, the user has permission to read it and so does the system; when the user has read permission on a document, granted directly or through an Active Directory group, so does the system. If an error occurs, the transaction is permitted without analysis (the file passes through uninspected) and the error is recorded in a log file, so that log should be reviewed for such events.

The Microsoft Information Protection file detection feature has the following prerequisites:

  1. The endpoint machine must be in your organization's domain.
  2. Forcepoint DLP Endpoint version 19.xx or higher must be installed.
  3. Azure Active Directory/Office 365 single sign-on (SSO) between the local Active Directory and Azure Active Directory must be configured and working. Users must be able to MIP-decrypt a document without being prompted to log in.
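The following PowerShell pre-flight script is an added example, not part of this documentation or of Forcepoint's own tooling. It checks the prerequisites above on a Windows endpoint: domain membership, a Forcepoint endpoint agent at version 19 or higher, the Remote Desktop Services service required by the note above, and Azure AD SSO for the logged-in user. It assumes the Remote Desktop Services service is named TermService, that the endpoint agent appears under the standard Uninstall registry key with a DisplayName containing "Forcepoint", and it treats an "AzureAdPrt : YES" line in `dsregcmd /status` output as a heuristic sign that SSO works (a Primary Refresh Token is present); none of these assumptions come from the page.

```powershell
# Pre-flight check for the MIP decryption prerequisites (illustrative, not Forcepoint code).
# Assumptions (not from the documentation): service name TermService, agent DisplayName
# contains "Forcepoint", and "AzureAdPrt : YES" from dsregcmd indicates working SSO.
$results = [ordered]@{}

# 1. Endpoint must be joined to the organization's domain
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain
$results['Domain']       = $cs.Domain

# 2. Forcepoint DLP Endpoint installed at version 19 or higher
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like '*Forcepoint*' } |
         Select-Object -First 1
if ($agent -and $agent.DisplayVersion) {
    $major = [int](($agent.DisplayVersion -split '\.')[0])
    $results['EndpointInstalled'] = $true
    $results['EndpointVersion']   = $agent.DisplayVersion
    $results['EndpointVersionOk'] = ($major -ge 19)
} else {
    $results['EndpointInstalled'] = $false
    $results['EndpointVersionOk'] = $false
}

# Note requirement: Remote Desktop Services must be running for MIP decryption
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$results['RdsRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

# 3. Azure AD SSO: heuristic check for a Primary Refresh Token in dsregcmd output
$dsreg = dsregcmd /status 2>$null
$results['AzureAdPrt'] = [bool]($dsreg | Select-String -Pattern 'AzureAdPrt\s*:\s*YES')

# Report each check, then summarise anything that failed
$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
$required = @('DomainJoined', 'EndpointInstalled', 'EndpointVersionOk', 'RdsRunning', 'AzureAdPrt')
$failed   = $required | Where-Object { -not $results[$_] }
if ($failed) {
    Write-Warning ('Unmet MIP decryption prerequisites: ' + ($failed -join ', '))
} else {
    Write-Output 'All MIP decryption prerequisites appear to be met.'
}
```

Run it in the context of the user who will be opening MIP-protected files, since the SSO check reflects that user's token state, not the machine's. A failed check is a reason to investigate before enabling the feature; a passing check does not prove decryption will succeed, so still confirm with a protected test document.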

To view MIP-related incidents in the Data Security module of the Security Manager, navigate to the page Main > Reporting > DLP > Incidents - Last 3 days.

See Microsoft documentation for more information on MIP: