Useful Feature in Chromium-based Edge Browser
In December 2018, Adobe and Microsoft announced support in Adobe Acrobat Reader for PDF files protected with Microsoft Information Protection. An older format for protected PDFs (ppdf) was replaced by one based on V1.7 of the ISO specification for PDF, which allows for rights-management based protection of the kind used by Office 365 sensitivity labels.
Applying Sensitivity Labels to PDFs
You can’t apply sensitivity labels to PDFs inside Office 365. Instead, you apply labels through the Classify and protect option that’s added to Windows File Explorer when the Unified labeling client is installed on a workstation. Explorer launches the client to apply a label to the PDF (Figure 1).
You can also apply a label with PowerShell using the Set-AIPFileLabel cmdlet, which is installed with the unified labeling client. You can find the GUID for a sensitivity label with the Get-Label cmdlet.
Set-AIPFileLabel -Path "c:\temp\July 9 - Protected.pdf" -LabelId 81955691-b8e8-4a81-b7b4-ab32b130bff5
FileName Status Comment
-------- ------ -------
c:\temp\July 9 - Protected.pdf Success
Reading Protected PDFs
All of this is good, but there’s no point in protecting PDFs if they can’t be read. To read a protected PDF, you need a reader which understands how protection works. Microsoft posts a list of supported readers online, the most common being Adobe Acrobat (Figure 2).
Reading PDFs in Edge Chromium
It’s nice to have a supported reader; it’s even better when the browser supports access to protected PDFs. The latest version of the Chromium-based Edge browser can read protected PDFs (I base this article on Version 83.0.478.61). Reading protected PDFs doesn’t work with private browser sessions, probably because some dependency exists on having a signed-in account.
Browser support for reading protected PDFs means that you can open protected PDFs from the SharePoint Online or OneDrive for Business browser clients or OWA. In this case of SharePoint Online, the protection can stop people taking screen captures. If you try to grab a capture (I tried with Snagit), you end up with a capture that’s all black. As Figure 3 shows, I was forced to take a photo of the screen to illustrate the point.
Some get very worried when applications don’t prevent users copying information from protected content. As demonstrated with SharePoint Online, the application can take the steps necessary to block access, but inventive people will find a way to share the information.
You can’t apply, change, or remove sensitivity labels from PDFs stored in SharePoint Online or OneDrive for Business. Instead, you must download the file and process it with the unified labeling client, and then upload it again.
Reading Protected PDFs with OWA
To test how OWA deals with protected PDFs, I attached the same file to an email and sent it. As you can see in Figure 4, OWA doesn’t stop screen captures even though the same permissions are assigned to the reader. The upside is that you can see the permissions and visual markings used to highlight the protected nature of the content to users.
Reading PDFs in Other Browsers
To show what happens when you try to access a protected PDF with another browser, I opened a SharePoint session with Brave. Figure 5 shows what results when I chose to open the file in the browser. The same is true in Chrome or Internet Explorer. To read the file, I had to download it and open the PDF with Acrobat Reader.
Good Feature to Have as Sensitivity Labels Become More Common
Some might consider building the ability to read protected PDFs into Edge a small and unimportant feature. It might not be the killer feature to convince people to move from Chrome or another browser, but I think the capability will be more appreciated over time, especially as the usage of protected content grows within Office 365 and more protected files are stored in SharePoint Online and Exchange Online.
Need more information about Office 365 sensitivity labels? Look no further than Chapter 24 of the Office 365 for IT Pros eBook. Its 60 pages will inform and delight you about how to use rights management to protect content in Office 365.