We recently blogged about unified labeling and delivered a webcast explaining what it means to you. The unified labeling platform provides lots of benefits.
AIP Customers that enable unified labeling not only get the best features of a more modern platform for Information Protection, they also gain built-in support for sensitivity labels in Mac and Mobile platforms.
In addition to this, they can take advantage of integrations across the Microsoft platform:
- Microsoft Cloud App Security (MCAS);
- Windows Information Protection (WIP) built into Windows 10 1809+; and
- Microsoft Defender ATP (MDTAP).
With more integrations coming soon:
- SharePoint Online;
- Teams;
- Exchange Online; and
- Power BI.
Plus, you get significant new features, such as the new client-side content discovery capabilities recently announced.
While you can enable unified labeling without upgrading your existing AIP clients, once you enable Unified Labeling in your organization you are also able to upgrade to the new AIP unified labeling client for Windows, which provides superior content scanning and autoclassification and has the ability to add protection to already labeled documents after a policy change among other benefits.
Some customers are afraid that they will lose functionality when moving to the unified labeling client. In our documentation we have provided a detailed list of differences between the AIP unified labeling client and the AIP Classic client because we wanted to be completely transparent, but the downside is that the long list might make it look worse than it really is, since the majority of these documented limitations have solid mitigations which remove the issues in practice for most organizations. Also, the few ones that can’t be mitigated and are actual gaps in functionality are related to features that are in use by a limited number of customers so they might not affect you at all.
The user interface differences between the two clients are minimal:
AIP Classic client:
AIP unified labeling client:
This means you can upgrade to the unified labeling client with a small effort and without users getting lost or suffering any significant impact. In fact, the main change in the unified labeling user interface is a change in the labeling icon in Office applications to make it consistent across platforms (it now looks the same on Windows as on a Mac and also in the upcoming web app update) so users should actually welcome the consistency.
Below is a list of the differences between the AIP unified labeling client and the AIP Classic client, and the mitigating factors that might make these differences a non-issue for you. At this point, most organizations should run the unified labeling client by default and the classic client by exception.
If you use this feature in the AIP Classic client | Can you use the Unified labeling client? |
Advanced settings management UI | Yes, you can configure Equivalent advanced settings for the unified labeling client using PowerShell |
User-defined permissions (UDP) | Yes, the AIP unified labeling client supports User Defined Permissions and this option can be configured from both the Azure portal or the Security and Compliance Center. This capability is often confused with Custom Permissions, see the entry below. |
Custom permissions | Yes, users can still select File Info > Protect Document > Restrict Access to get equivalent functionality.   Custom Permissions was an option unrelated to labeling, so it was removed from the labeling menu. But if you liked having the Custom Permissions option under the Label menu, you can always create a label named “Custom Permissions” with the User Defined Permissions option, and put it at the bottom of your labels. The result will look just like the old one did. |
Information Protection bar in Office apps | The Information Protection bar is hidden by default but can be centrally enabled via an Advanced Setting.
|
Visual markings (header, footer, watermark) | The unified labeling client can apply visual markings, with the following considerations:
These options are seldom used in most organizations. If needed, you can replace most of the variables with equivalent Document Properties by inserting them as a Quick Part in the document (see this for an example of using Document Properties in documents), while our team works to add this feature to the Unified Labeling client. |
File Explorer, right-click actions (e.g. to protect PDF documents). | Yes. The unified labeling client uses the new PDFv2 format which is supported by Adobe and other applications. The client can consume protected PDF files in both the new and previous formats (e.g. PPDF). Please note that when protecting files with File Explorer and PowerShell commands (not from Office) the unified labeling client must be connected to the service. |
PowerShell commandlets | Yes, with the same capabilities as the Classic PowerShell commandlets (plus some new options), with the exception of the ability to remove protection from container files (zip, .rar, .7z, .msg, and .pst) to which it was applied previously. It is important to highlight that if an organization has applied protection to such files and needs to remove it in bulk, they can continue using the Classic PowerShell module *in that system* while using unified labeling everywhere else. |
Support for disconnected computers with manual policy file management | The AIP unified labeling client must connect to the Internet at least once to download the policy. After that it can work offline. If you have air-gapped computers that can’t ever connect to the online service, you can continue using the Classic client in those devices while using the unified labeling client in all other systems. |
HYOK support | The unified labeling client does not support applying Hold your own Key labels (but it can consume content protected with HyoK labels). If your organization has devices that need to label content using Hold your own Key use the Classic client for those devices. |
Usage logging | Yes, the unified labeling client logs labeling and protection information to the AIP Analytics portal instead of the local Event Viewer like the classic Client, which makes the logs much easier to analyze and consume. |
Display the Do Not Forward button in Outlook | Yes, while the DNF button has been removed from the UL client default toolbar, this option can be added through Office ribbon customization. Do Not Forward is also still available by default via the File/Info menu. |
Scanner for on-premises data stores | The unified labeling Scanner is currently in preview, but you can continue using the Classic AIP Scanner even after enabling unified labeling and deploying the unified labeling client to all devices. |
Track and revoke | For content tracking by administrators and auditors, we have improved the AIP Analytics portal to include tracking information enabling its use for this scenario. It provides more flexibility, has filtering capabilities, includes information on all protected documents and can support custom queries, among other advantages. As an example of the usage of these logs for content tracking we have built sample code for both end-user and admin tracking. You can learn about these in more recent blog posts. We are analyzing revocation scenarios to define the best way to support the actions users need to perform. |
Protection-only mode using templates (no labels) | The unified labeling client requires labels to be used when applying protection. As such, it only works with Azure Information Protection, not with AD RMS stand-alone or Azure RMS stand-alone. The AIP unified labeling client can open documents protected with AD RMS when you deploy the Active Directory Rights Management Services Mobile Device Extension |
As you go through the list you might notice that the scenarios where there’s a loss of functionality likely do not apply to your organization, and that the work-arounds provided for all other issues are suitable to your needs. If this is not the case, please comment below which are the most important gaps we need to address in an upcoming release of the AIP unified labeling client.
But even if you decide that you can’t use the current version of the unified labeling client in every scenario in your organization, we must highlight that AIP Clients and the AIP Scanner were designed to be backwards and forward compatible with labels defined and managed through both the Security and Compliance Center and the AIP portal in Azure. This means that you can enable Unified Labeling from the AIP portal and start using the Office 365 Security and Compliance Center to manage your labels today, even if you want to keep using the AIP classic client for some particular scenario where the UL client doesn’t yet meet your needs. Even if you decide not to deploy the unified labeling client anywhere at this stage, there should be no reason NOT to enable unified labeling in your organization to gain support for manual labeling in Mac and Mobile devices and other systems while you use the classic client in Windows devices.
And just as the unified labeling client and classic client can be run on different computers in the same organization using the same labels, so can the PowerShell commandlets and the AIP Scanner. This means you can enable unified labeling and run the unified labeling client wherever it meets your needs, and use the classic client, the classic AIP Scanner and the classic client’s PowerShell commandlets only in those limited situations (if any) where you find the unified labeling client does not yet meet your needs.
Please let us know what you think, and help us prioritize our efforts by commenting on any of the differences mentioned above where you think the mitigations provided are not sufficient to meet your needs.