Exchange 2016 policy tips explained

Policy tips notify senders that a message they are composing violates the company security policies.
For example, if you have a DLP policy configured in Exchange to prevent users from sending credit card numbers, a policy tip can notify end users about the risk of sending the email because it violates the company's compliance policy.

There is also an option to provide a business justification for the message you are sending via the policy tip. Policy tips are managed by the Exchange administrator.

What is the difference between mail tips and policy tips?

The policy tip configuration applies only to the DLP rules configured in your environment.

Mail tip settings are specific to each Exchange account that Outlook is configured to connect to. You can set mail tip preferences for each account by selecting that account under "Apply to this account".

[Screenshot: example of a mail tip]

Mail tips are an organization-level configuration, which can be viewed by running the following command:

Get-OrganizationConfig | fl Mail*


How do policy tips and mail tips work?

EWS is the main component for both policy tips and mail tips.
The service configuration operation in EWS is responsible for retrieving the configuration information for policy tips and mail tips. The service configuration operation is a WSDL (Web Services Description Language) operation.

The GetServiceConfiguration operation for policy tips returns the following:

Policy nudges – Policy nudges for display in your client.
PolicyNudgeRulesServiceConfiguration – Contains the policy tip configuration data.
PolicyNudgeRulesConfigurationType – Specifies the set of DLP rules and classification definitions that are sent to a client.
PolicyNudgeRulesType – Specifies a collection of DLP rules.
PolicyNudgeRuleType – Specifies a single DLP rule.

How policy tips function in the background:

a) The sender composes a new message and addresses it to a recipient.
b) During message composition, the client submits a GetServiceConfiguration (Policy Nudges) request through Exchange Web Services. The request is submitted as a SOAP message over HTTPS.
c) Exchange Web Services receives the SOAP request, uses the information in it to authenticate the request, and then queries:
Active Directory – for the recipient. The Active Directory request is executed as an LDAP query.
Mailbox servers – to retrieve the DLP configuration and check the policy tip notification message configured for this DLP policy.
Active Directory and the Mailbox servers then return the results to Exchange Web Services.
Exchange Web Services – returns the result to the client.
Client – shows the policy tip to the user who is composing an email that does not meet the company compliance policy according to the configured DLP policy.

In order for policy tips to work in Outlook, the policy tip notification option must be enabled on the client side.

To enable policy tips for a DLP policy, select either the Enforce or the Test with Policy Tips option on the DLP policy you created.

We can further customize the policy tip with the following options:

Notify Only – This shows an informative policy tip notification message about a policy violation, but the sender can still send the message.
Allow the sender to override – Block the message unless it's a false positive, or block the message but allow the sender to override and send.
Block the message – Your text only appears when a Block the message action is initiated.
Link to compliance URL – This link is displayed in the policy tip when a user clicks the More details link.


The policy tip configuration can also be viewed by running the following command:

Get-PolicyTipConfig | fl 
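To check which DLP rules will actually surface a policy tip to senders, the mode and notification settings described above can be read back from the Exchange Management Shell. The script below is an added example, not part of the original post; it is read-only and uses the Get-DlpPolicy, Get-TransportRule and Get-PolicyTipConfig cmdlets.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Reports, for every rule that belongs to a DLP policy, whether a sender
# composing a violating message would be shown a policy tip.

$report = foreach ($policy in Get-DlpPolicy) {
    foreach ($rule in Get-TransportRule -DlpPolicy $policy.Name) {

        # Cast to string so the checks work on live and deserialized objects.
        $mode   = "$($rule.Mode)"          # Audit | AuditAndNotify | Enforce
        $notify = "$($rule.NotifySender)"  # empty when no sender notification is set
        $state  = "$($rule.State)"         # Enabled | Disabled

        # "Test with Policy Tips" is stored as AuditAndNotify.
        # "Test without Policy Tips" (Audit) never shows a tip.
        $modeShowsTip = $mode -in 'Enforce', 'AuditAndNotify'

        [pscustomobject]@{
            DlpPolicy    = $policy.Name
            Rule         = $rule.Name
            State        = $state
            Mode         = $mode
            NotifySender = $notify
            TipShown     = ($state -eq 'Enabled') -and $modeShowsTip -and ($notify -ne '')
        }
    }
}

# Full picture: which notification action each rule uses
# (notify only, reject with override, or reject).
$report | Sort-Object DlpPolicy, Rule | Format-Table -AutoSize

# Rules where the sender gets no tip: disabled, audit-only,
# or enforcing without any sender notification.
$report | Where-Object { -not $_.TipShown } |
    Format-Table DlpPolicy, Rule, State, Mode -AutoSize

# Custom policy tip text, if any. An empty result means clients
# display the built-in default text for each action.
Get-PolicyTipConfig | Sort-Object Name | Format-Table Name, Value -Wrap
```

A rule listed in the second table still matches and logs messages if it is enabled, but the sender is not warned during composition.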

Note:

1. Policy tips are available to people sending mail from Outlook 2013, Outlook Web App, or OWA for Devices.

2. Policy tips aren't supported in Office 2010 or earlier versions of Office.

Thanks & Regards

Sathish Veerapandian
MVP – Office Server and Services
