Exchange 2016 Policy Tips
Microsoft Exchange offers a service called policy tips.
This service notifies email senders in Microsoft Outlook when the message they are composing is about to violate a Data Loss Prevention (DLP) policy.
For instance, if a DLP policy is configured in Exchange that restricts users from sending credit card numbers or other sensitive details by email, a policy tip warns the user about the risk of sending such a message. If the user sends the offending email anyway, it is treated as a violation of the organization’s compliance policy. A policy tip can also offer an option for the user to provide a business justification for sending the message. Policy tips are managed by an Exchange administrator.
Difference between Mail Tips and Policy Tips:
Policy tip settings apply only to the DLP rules that are specific to an environment.
Mail tips configurations apply to each Exchange account that is configured in Outlook. Mail tips preferences can be configured for each account by selecting that particular account from the Apply to this account drop-down list.
Run the following command to view mail tips settings for an organization:
Get-OrganizationConfig | fl mail*
The Working of Policy Tips and Mail Tips:
The main component behind both policy tips and mail tips is EWS. In EWS, the service configuration operation retrieves the configuration settings for policy tips and mail tips. This information is returned by the GetServiceConfiguration operation, which is defined in the EWS Web Services Description Language (WSDL).
In case of policy tips, the GetServiceConfiguration operation returns the following configuration information:
- PolicyNudges: The policy nudge (policy tip) data that is displayed at the client end.
- PolicyNudgeRulesServiceConfiguration: Holds the policy tip configuration setting information
- PolicyNudgeRulesConfigurationType: Gets a collection of DLP rules and classification definitions that are forwarded to a client.
- PolicyNudgeRulesType: Gets a set of DLP rules.
- PolicyNudgeRuleType: Gets a single DLP rule.
Background Working of Policy Tips Functions:
The following points illustrate the functioning of policy tips in the background:
1. The email sender composes a new email message and specifies the recipient’s email address.
2. While the message is being composed, the client submits a GetServiceConfiguration request for policy nudges to the Exchange Web service. The request is sent as a Simple Object Access Protocol (SOAP) message over HyperText Transfer Protocol Secure (HTTPS).
3. The Exchange Web service receives the SOAP request, uses the information in it to authenticate the request, and then queries the following:
   - Active Directory: The Exchange Web service requests the recipient details from Active Directory. This request is executed as an LDAP query.
   - Mailbox Servers: The Exchange Web service requests the DLP configuration settings from the mailbox servers and verifies the policy tip notification message set for the DLP.
4. Active Directory and the mailbox servers return the required details to the Exchange Web service.
5. The Exchange Web service then returns the details to the client.
6. The client is then able to display the policy tip for the user account that is trying to send an offending email message, that is, a message that fails the organization’s compliance policy as defined in the DLP.
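As an added example, not part of the original article, the following PowerShell sends the same GetServiceConfiguration request that the client issues in step 2 directly to EWS and inspects the response. The EWS URL, the mailbox address, and the element name used to locate the policy nudge configuration in the response are assumptions.

```powershell
# Added example (not from the original article): issue the EWS
# GetServiceConfiguration request for policy nudges and read the reply.
# Assumed values: the EWS endpoint, the mailbox address and the element
# name used to pick the policy nudge payload out of the response.
$ewsUrl  = 'https://mail.contoso.com/EWS/Exchange.asmx'   # assumed endpoint
$mailbox = 'alice@contoso.com'                             # assumed sender

# SOAP body: ask only for the PolicyNudges configuration. MailTips could be
# requested in the same call with a second ConfigurationName element.
$soap = @"
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013" />
  </soap:Header>
  <soap:Body>
    <m:GetServiceConfiguration>
      <m:ActingAs>
        <t:EmailAddress>$mailbox</t:EmailAddress>
        <t:RoutingType>SMTP</t:RoutingType>
      </m:ActingAs>
      <m:RequestedConfiguration>
        <m:ConfigurationName>PolicyNudges</m:ConfigurationName>
      </m:RequestedConfiguration>
    </m:GetServiceConfiguration>
  </soap:Body>
</soap:Envelope>
"@

# Send it over HTTPS; EWS authenticates the caller (Kerberos/NTLM here) and
# that identity is what the server uses to resolve the DLP rule set.
$response = Invoke-WebRequest -Uri $ewsUrl -Method Post `
    -ContentType 'text/xml; charset=utf-8' -Body $soap -UseDefaultCredentials

[xml]$xml = $response.Content

# Check the response class first: a Success response carries the DLP rule
# set, an Error response carries a ResponseCode explaining why not.
$ns  = @{ m = 'http://schemas.microsoft.com/exchange/services/2006/messages' }
$msg = Select-Xml -Xml $xml -Namespace $ns -XPath '//m:ResponseMessages/*' |
       Select-Object -First 1
'ResponseClass: {0}' -f $msg.Node.GetAttribute('ResponseClass')

# The element name below is an assumption about the PolicyNudges payload;
# matching on local-name() keeps the query independent of the prefix used.
Select-Xml -Xml $xml -XPath "//*[local-name()='PolicyNudgeRulesConfiguration']" |
    ForEach-Object { $_.Node.OuterXml }
```

Run this as the sending user from a domain-joined machine; comparing the rules returned here with the output of Get-TransportRule is a quick way to confirm that a client is actually receiving the DLP rule set the administrator expects.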
For policy tips to work in Outlook, they must be enabled on the client system. To do so, in the Outlook Options dialog box select the Mail tab, and then in the MailTips Options dialog box select the Policy tip notification check box.
On the DLP side, the policy tip can be enabled by selecting either the Enforce or the Test with Policy Tips link.
The policy tip can be customized further using the following options:
- Notify the sender: Prompts a policy tip notification to the email sender about a possible violation of company policy. However, the sender can still send this message.
- Allow the sender to override: Blocks the message, but allows the sender to override the block and send the message.
- Block the message: The message text will be shown only when the “Block the message action” option is selected.
- Link to compliance URL: This link is shown to the sender in the policy tip, if a user clicks the More details link.
By running the following command, the policy tip configuration settings can be displayed:
Get-PolicyTipConfig | fl
Note that policy tips are shown to users who send email messages using Outlook 2013, Outlook Web App, or OWA for Devices. Policy tips are not available in Office 2010 or earlier versions of Office.
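The following PowerShell, added here as an example and not taken from the original article, shows how the text behind the customization options above is managed from the Exchange Management Shell with the PolicyTipConfig cmdlets. The notification texts and the compliance URL are assumed values.

```powershell
# Added example (not from the original article): manage the custom text
# and the compliance URL that Outlook shows in a policy tip.
# PolicyTipConfig identities use the form <locale>\<action>, where action is
# NotifyOnly, RejectOverride or Reject; the compliance link uses the single
# identity Url without a locale. Texts and the URL below are assumed values.

# Create English texts for the three notification kinds.
New-PolicyTipConfig -Name 'en\NotifyOnly' `
    -Value 'This message appears to contain sensitive data. Check the recipients before sending.'
New-PolicyTipConfig -Name 'en\RejectOverride' `
    -Value 'This message contains sensitive data and will be blocked unless you override.'
New-PolicyTipConfig -Name 'en\Reject' `
    -Value 'This message contains sensitive data and cannot be sent.'

# The "More details" link in the policy tip opens this URL (assumed value).
Set-PolicyTipConfig -Identity Url -Value 'https://intranet.contoso.com/dlp-policy'

# Review what is configured, filtered by action or by locale, for instance
# before piloting a rule in "Test with Policy Tips" mode.
Get-PolicyTipConfig -Action NotifyOnly | Format-List Name, Locale, Action, Value
Get-PolicyTipConfig -Locale en | Format-Table Name, Action, Value -AutoSize

# Change an existing text in place. Re-running New-PolicyTipConfig with the
# same Name fails because the object already exists, so use Set-.
Set-PolicyTipConfig -Identity 'en\NotifyOnly' `
    -Value 'Updated notify-only text for the pilot group.'
```

Keeping the Reject and RejectOverride texts distinct matters for the sender: the override text should tell the user that sending anyway is audited, whereas the Reject text should not suggest that an override exists.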
Create or Modify a Notify-Only Policy Tip:
This procedure displays a policy tip notification to an email sender when specific conditions are met. In Outlook, a sender can suppress such a policy tip with the help of the Policy Tip Options dialog box. The following is the procedure to set notify-only policy tips by using the EAC:
1. Go to Compliance management > Data loss prevention in the EAC.
2. Double-click any one of the DLP policies and select the Edit option.
3. Select the Rules option on the Edit DLP policy page.
4. Highlight the rule and select the Edit option to add policy tips to an existing rule. Alternatively, add a new blank rule, which can be customized later, by selecting Add + and then selecting Create a new rule.
5. Under Apply this rule if, select the “The message contains sensitive information” option. It is mandatory to select this condition.
6. Select +, select all the required sensitive information types and then select Add. Select OK, and then select OK again.
7. In the Do the following box, select the Notify the sender with a Policy Tip option. Then select an option from the Choose whether the message is blocked or can be sent drop-down list and select OK.
8. Select More options to add further conditions or actions.
   Note that only the following conditions can be used:
   - SentTo (The recipient is)
   - SentToScope (The recipient is located)
   - From (The sender is)
   - FromMemberOf (The sender is a member of)
   - FromScope (The sender is located)
   Note that the following actions cannot be used:
   - RejectMessageReasonText (Reject the message and include an explanation)
   - RejectMessageEnhancedStatusCode (Reject the message with the enhanced status code of)
   - DeletedMessage (Delete the message without notifying anyone)
9. In the Choose a mode for this rule list, select whether the rule is to be enforced or not. It is recommended to test the rule first.
10. Select Save to complete the editing of the rule and save the changes made.
To verify whether a policy tip is created successfully or not, perform the following steps:
- Go to Compliance management > Data loss prevention in the EAC.
- Select the newly created policy.
- Select Edit and then select Rules.
- Select the rule that contains the notification message.
- Verify that the Notify the sender action appears at the bottom of the rule summary.
Create or Modify a Block-Message Policy Tip
This procedure displays a policy tip notification to an email sender indicating that the message is being rejected and will not be sent to the recipient as long as the offending condition is present. The sender can indicate that the email message does not contain the offending condition; this is called a false-positive override. If the sender selects that option, the message is sent from the Outbox and the sender’s report is audited. Otherwise, Exchange blocks the message from being sent.
The following is the procedure to set block-message policy tips by using EAC:
1. Go to Compliance management > Data loss prevention in the EAC.
2. Double-click any one of the DLP policies and select the Edit option.
3. Select the Rules option on the Edit DLP policy page.
4. Highlight the rule and select the Edit option to add policy tips to an existing rule.
5. Select the Add + option to add a new blank rule that can be customized later.
6. Select More options to add an action that displays a policy tip, and select the Add action button.
7. Select the Notify the sender with a Policy Tip option from the drop-down list and select Block the message.
8. Select the OK button and then select Save to complete the modification of the rule and save the changes.
To verify whether a reject message policy tip is created successfully or not, perform the following steps:
- Go to Compliance management > Data loss prevention in the EAC.
- Click once to highlight the policy that contains the notification message.
- Select Edit and then select Rules.
- Click once to highlight the specific rule that contains the notification message.
- Verify that the Notify the sender that the message can’t be sent action appears at the bottom of the rule summary.
Create or Modify a Block-Unless-Override Policy Tip
This procedure displays a policy tip notification to an email sender indicating that the message is being rejected and will not be sent to the recipient as long as the offending condition is present, unless the sender chooses to override the block.
The following is the procedure to set block-message policy tips by using EAC:
1. Go to Compliance management > Data loss prevention in the EAC.
2. Double-click any one of the DLP policies and select the Edit option.
3. Select the Rules option on the Edit DLP policy page.
4. Highlight the rule and select the Edit option to add policy tips to an existing rule.
5. Select the Add + option to add a new blank rule that can be customized later, and then select More options.
6. Select the Add action button to add the action that displays a policy tip.
7. Select the Notify the sender with a Policy Tip option from the drop-down list and select Block the message, but allow the sender to override and send.
8. Select the OK button and then select Save to complete the modification of the rule and save the changes.
To verify whether a block-unless-override policy tip is created successfully or not, perform the following steps:
- Go to Compliance management > Data loss prevention in the EAC.
- Click once to highlight the policy that contains the notification message.
- Select Edit and then select Rules.
- Click once to highlight the specific rule that contains the notification message.
- Verify that the Block the message, but allow the sender to override and send action appears at the bottom of the rule summary.
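The three EAC procedures above (notify-only, block-message and block-unless-override) each end up as a transport rule with a NotifySender action. The PowerShell below, added here as an example and not taken from the original article, creates the same three rule kinds from the Exchange Management Shell and then verifies them the way the EAC steps do by reading the rule summary. The rule names, the DLP policy name and the sensitive information type are assumed, as is the mapping of the EAC override option to the RejectUnlessSilentOverride value.

```powershell
# Added example (not from the original article): shell equivalents of the
# three policy tip procedures. Names below are assumed; the DLP policy
# passed to -DlpPolicy must already exist.
$dlp = 'Contoso Financial Data'   # assumed, existing DLP policy

# The sensitive-information condition is mandatory for any policy tip; it is
# the "The message contains sensitive information" condition in the EAC.
# Here: at least one credit card number anywhere in the message.
$sensitive = @{ Name = 'Credit Card Number'; minCount = '1' }

# 1. Notify-only: the tip is shown, but the message can still be sent.
#    AuditAndNotify is the "Test with Policy Tips" mode, so the sender sees
#    the tip while nothing is blocked yet.
New-TransportRule -Name 'DLP Tip - Notify CC' -DlpPolicy $dlp `
    -MessageContainsDataClassifications $sensitive `
    -SentToScope NotInOrganization `
    -NotifySender NotifyOnly -Mode AuditAndNotify

# 2. Block-message: the tip says the message cannot be sent and the sender
#    has no override. RejectMessageReasonText and the other actions listed
#    in the article as unusable must not be combined with NotifySender.
New-TransportRule -Name 'DLP Tip - Block CC' -DlpPolicy $dlp `
    -MessageContainsDataClassifications $sensitive `
    -SentToScope NotInOrganization `
    -NotifySender RejectMessage -Mode Enforce

# 3. Block-unless-override: blocked, but the sender may override and send.
#    Assumed mapping of the EAC option "Block the message, but allow the
#    sender to override and send" to RejectUnlessSilentOverride. The
#    variants RejectUnlessFalsePositiveOverride (false-positive report) and
#    RejectUnlessExplicitOverride (business justification) also exist.
New-TransportRule -Name 'DLP Tip - Block CC unless override' -DlpPolicy $dlp `
    -MessageContainsDataClassifications $sensitive `
    -SentToScope NotInOrganization `
    -NotifySender RejectUnlessSilentOverride -Mode Enforce

# Verify: each rule should show the NotifySender action and the mode you
# intended, which is what the EAC rule summary displays at the bottom.
Get-TransportRule |
    Where-Object { $_.Name -like 'DLP Tip - *' } |
    Format-Table Name, DlpPolicy, NotifySender, Mode, State -AutoSize

# Mode values correspond to the EAC "Choose a mode for this rule" list:
#   Audit          = Test without Policy Tips
#   AuditAndNotify = Test with Policy Tips
#   Enforce        = Enforce
```

Only the SentTo, SentToScope, From, FromMemberOf and FromScope conditions listed in the article may be added alongside the sensitive information condition on a policy tip rule; SentToScope NotInOrganization is used above so that internal mail between colleagues is not flagged. Start every new rule in AuditAndNotify mode and review the DLP incident reports before switching to Enforce, so that a misfiring classification does not block legitimate mail.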
Ratish Nair
Microsoft MVP | Exchange Server
Team @MSExchangeGuru.com