Alternatives for clients without IRM enabled applications

Applies To: Windows Server 2008, Windows Server 2008 R2

Since universal deployment of a specific application cannot be guaranteed, there exists alternative ways to access protected content without the presence of the original AD RMS-enabled application in the client. These ways are discussed in the following sections.

Office Viewers

One way to view AD RMS protected content that was created using Microsoft Office is through the use of the Microsoft Office Viewers. Office Word and Excel Viewers allow viewing, copying and printing IRM protected documents (according to the permissions set on the documents by their authors) on computers that either do not have Microsoft Office installed or have installed an edition that cannot open IRM protected documents such as Office XP or Office 2000.

In the cases where older editions of Office that do not support IRM protected content are installed, installing the stand alone document viewers can allow the users to consume existing IRM protected documents. However, the documents must be manually opened by the users with the document viewers (for example, by right-clicking on the file and selecting Open With… in the context menu) for the documents to be accessible from the IRM enabled application. This option does not enable editing or creation of IRM enabled documents.

The Office Viewers can be deployed to desktops as any normal installable application, either through unattended scripts, a mass deployment tool or Group Policy. They can also be integrated into an Operating System image, including the case where the image already includes a version of Office that does not support IRM protected documents.

For additional information on deploying AD RMS with the Microsoft Office viewers see: Active Directory Rights Management Services and Microsoft Office Deployment Reference

Rights Management Add-On

A second alternative that allows you to consume AD RMS protected content is through the use of Internet Explorer and the Rights Management Add-On. Once the RMS client is installed on a computer, the Rights Management Add-On (commonly referred to as RMA) can also be installed and enabled. This component is an Internet Explorer Add-On that enables viewing of AD RMS protected HTML content.

AD RMS documents can contain, in addition to their original format, an HTML rendered version of the contents in the Rights Managed HTML (RMH) format. This option depends on the capabilities of the source application to render documents in HTML format. Policies defined by the user protecting the document, can enable users that do not have a version of the source application or a compatible application that supports Rights Management capabilities to view the document within Internet Explorer. All IRM enabled versions of Microsoft Office already have this capability and it is up to the user to define if the protected documents will include RMH encoded versions of the document that enable viewing them on Internet Explorer. This option is disabled by default in Office 2007 applications and must be enabled via registry. Only protected documents in the Office 2003 file formats can be configured to include RMH encoded renderings of the document to be consumed in a browser.

For additional information on deploying AD RMS with the Microsoft Rights Management Add-On see: Rights Management Add-on for Internet Explorer

XPS Support

In some cases, the RMA might not be a valid solution. Some such cases are:

  • When the source applications do not support AD RMS protection directly

  • When it is necessary to distribute protected content to clients that do not have access to the source applications and the source applications do not support RMA

  • When more flexibility for viewing the content than the browser plug in allows is desired

In these cases where the Rights Management Add-On cannot be used, using the XPS format can still enable sharing protected content. Exporting the documents as XPS files and deploying the XPS files to the users allows them to view the documents with the free viewers and the viewers included with Windows Vista and with the .Net framework 3.0 SP1.

XPS is a Microsoft specification describing the architecture of the XPS Document file format, a representation of electronic paper based on XML. The XPS Document format is an open, cross-platform document format that allows customers to effortlessly create, share, print, and archive paginated documents.

XPS documents can be created by any application that can print documents running on Windows Vista, Windows Server 2008, Windows XP or Windows Server 2003. XPS documents can be viewed by users of those Operating Systems that have installed the .Net Framework 3.0 SP1 or the standalone XPS viewer (which come preinstalled with Windows Vista). By “printing” a document to the “Microsoft XPS Document Writer” virtual printer, a user creates a document in the XPS format that is visually identical to a printed copy of the document, and that can be shared with any user with a computer that can display XPS documents or that has the RMA installed.

XPS documents generated this way can also be edited by its recipients with a third party XPS editor, and they can also be printed and forwarded to third parties. In order to prevent or control this, the user that created the XPS document can open it in the XPS viewer and apply rights protection to it just as it would be done with IRM enabled Office applications. In this way, a user of any application that is able to print documents and that has the XPS writer installed can create documents that can be rights protected and shared with third parties in a controlled fashion without requiring that the same applications are installed in the recipient’s machine.

.Net framework 3.0 SP1 or later is required to use XPS correctly under supported platforms. There are two viewers available for Windows Vista, Windows XP, and Windows Server 2003. One is the XPS viewer, which comes preinstalled with Windows Vista and with the .Net framework 3.0 SP1. The XPS viewer is integrated with Internet Explorer 6.0 or higher with IRM support including rights protected XPS file creation. The other viewer, called the Microsoft XPS Essentials Pack, does not allow creating rights protected XPS documents. It only provides viewing capabilities for protected documents. To produce an IRM protected XPS file from any application that can print to a standard Windows compatible printer follow the steps indicated below:

  1. On an AD RMS XPS enabled client, log on as an AD RMS user.

  2. Open any non AD RMS enabled application that is able to print content by using standard Windows printing mechanisms and drivers, such as Office Visio.

  3. From the Print dialog box, in the printer selection list choose Microsoft XPS Document Writer.

  4. Select other options to format your printing. If your document is best viewed as a single page (such as a drawing or a diagram) you should choose options that lead to a single page printout. Then click on the appropriate button to initiate the print job (typically “Print” or “OK”).

  5. In the file selector choose a location and name for the XPS file that you want as output and click Save.

  6. In Windows Explorer navigate to the location where you saved the XPS file and open it by double clicking on the file icon.

  7. In the XPS viewer verify that your document is properly displayed, and then go to the Permissions menu and select Set Permissions…

  8. In the Document Permissions menu enter the email address of the user that you want to have access to the document or select the user from a list by using the Find users, contacts or groups button on the left. Click Add.

  9. Highlight the user from the list and indicate on the right panel what rights you want to grant to the user over the document.

  10. Repeat steps 7 and 8 for all the additional users you want to grant access to the document.

  11. Set expiration and additional permission request options on the lower part of the dialog, then click Save.

  12. The document can now be closed and sent to other users for viewing, in accordance to the permissions you just set on the XPS file.

The following link contains the download and more information on XPS viewer to view and generate XPS. View and Generate XPS

For additional information on deploying AD RMS with the XPS see: Active Directory Rights Management Services and Microsoft Office Deployment Reference

2007 Microsoft Office Add-in: Microsoft Save as XPS

The XPS viewer requires setting IRM permissions within the viewer itself so that they cannot use IRM functions directly from the 2007 Microsoft Office applications. This functionality is not included in Office 2007 RTM. The 2007 Microsoft Office add-in allows you to export and save to the XPS format directly in eight Microsoft Office 2007 programs. This functionality is provided in Office 2007 Service Pack 2.

  • Microsoft Office Access 2007

  • Microsoft Office Excel 2007

  • Microsoft Office InfoPath 2007

  • Microsoft Office OneNote 2007

  • Microsoft Office PowerPoint 2007

  • Microsoft Office Publisher 2007

  • Microsoft Office Visio 2007

  • Microsoft Office Word 2007

It also allows you to send files as e-mail attachments in the XPS format in a subset of these programs. This add-in keeps the rights assigned to the original document. To protect an IRM protected XPS file from the 2007 Microsoft Office Add-in: Microsoft Save as XPS, perform the following steps:

  1. On an AD RMS XPS enabled client, log on as an AD RMS user

  2. Click Start, point to All Programs, point to Microsoft Office, and then click an AD RMS-enabled Microsoft Office 2007 application

  3. Edit the content on a document

  4. On the Office Button menu, point to Prepare and then Restricted Access

  5. Apply IRM right permissions with users or/and groups

  6. On the Office Button menu, point to Save AS and then XPS

  7. Save as XPS file and Click Publish.

The following link contains the download and more information about the 2007 Microsoft Office Add-in: Microsoft Save as XPS.