Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry Work 2.17
  3. Configuring Office 365 Modern Authentication for BlackBerry Dynamics Apps
  4. Enable modern authentication for the Docs service in BEMS
  5. Configuring Docs for Rights Management Services

Configuring 
Docs
 for Rights Management Services

Active Directory
 Rights Management Services (AD RMS) and 
Azure
-IP RMS from 
Microsoft
 allows documents to be protected against access by unauthorized people by storing permissions to the documents in the document file itself. Access restrictions can be enforced wherever the document resides or is copied or forwarded to. For documents to be protected with AD RMS or 
Azure
-IP RMS, the app that the document is associated with must be RMS aware. For more information about AD RMS and 
Azure
-IP RMS, visit Comparing Azure Information Protection and AD RMS.
For this release, 
BEMS
 doesn't support both the AD RMS and 
Azure
-IP RMS in the same environment. 
Support for RMS protected documents is provided through two methods: 
  • In 
    Docs
     and 
    BlackBerry Work
    , support for RMS protected documents is provided through the 
    Microsoft Office Web Apps
     server with viewing and editing enabled through the 
    BlackBerry Access
     browser. Note that while 
    BlackBerry Access
     browser is a 
    BlackBerry Dynamics
     app with all the secure features it provides, it has only partial support for RMS features.  
  • In 
    BlackBerry Work
    , support for RMS protected documents is provided directly in 
    BlackBerry Work
     and through 
    BlackBerry Work
    .  
The following table compares the features of RMS protected documents in 
BlackBerry Work
 and through 
BlackBerry Access
. These features require a client that is RMS aware.
RMS protected documents directly in 
BlackBerry Work
RMS protected documents through 
BlackBerry Access
Features
  • View protected documents directly in 
    BlackBerry Work
    .  This feature requires 
    BEMS
     2.10 or later.
  • Protect unprotected documents in 
    BlackBerry Work
    . This feature requires 
    BEMS
     2.12 or later.
  • Change permissions for documents in 
    BlackBerry Work
    . This feature requires 
    BEMS
     2.12 or later.
  • Upload a new file and save it as protected. This feature requires 
    BEMS
     2.12 or later and 
    BlackBerry Work
     app 2.18 or later.  
  • View and edit protected documents in  
    Docs
     and  
    BlackBerry Work
     through the 
    BlackBerry Access
     browser.
Security 
  • Users can save what is on screen as a web clip and this screenshot file can be shared with other 
    BlackBerry Dynamics
     apps. Mitigation is to disable web clips in the 
    BlackBerry Access
     policy.
  • Share the 
    Microsoft Office Web Apps
     URL that is used to render the document viewing or editing with other 
    BlackBerry Dynamics
     apps. The URL expires in thirty minutes but during this time, other 
    BlackBerry Dynamics
     apps might be able to access it without any authentication. For example, if it is shared with 
    BlackBerry Work
    , the URL can be emailed to others. If it is shared with a 
    BlackBerry Dynamics
     app that allows printing, then the page that is rendered might be printed. Mitigation would be to enable user agent in the 
    BlackBerry Access
     policy and then use it to create filtering rules in the 
    Microsoft Office Web Apps
     server so that only 
    BlackBerry Access
     is able to access the URL. The 
    Microsoft
     IIS URL Rewrite extension can be used to create the rules.
  • Users can save what is on screen as a web clip and this screenshot file can be shared with other 
    BlackBerry Dynamics
     apps. Mitigation is to disable web clips in 
    BlackBerry Access
     policy.
  • When editing a document, by default, copy and paste of content would be possible by default polices only within the 
    BlackBerry Dynamics
     secure container environment. Ensure that the protection provided is adequate given these limitations and satisfies your RMS protection requirements before enabling this support.