The AIP Scanner is part of the AIP Client download. After you have downloaded and installed the AIP Client you can start the installation and configuration. But before we start the installation, let's have a look at some requirements:
- A Windows Server 2012 R2 or 2016 server to run the service (for test and demo purposes you can install it on a Windows 10 machine)
- A SQL Server 2012+ local or remote instance (any edition from Express upwards is supported)
- The SQL sysadmin role is needed to install the scanner service
- The service account requires the "Log on locally" right and the "Log on as a service" right
- The AIP Scanner is an AIP Premium P2 / EMS E5 feature; for more details review this article: https://azure.microsoft.com/en-us/pricing/details/information-protection/
A really good step-by-step description of installing and configuring the AIP Scanner was written by Kevin McKinnerney and can be found here: https://blogs.technet.microsoft.com/kemckinn/2018/03/23/easy-configuration-of-the-azure-information-protection-scanner/
As you see in Kevin's step-by-step guide, the scanner runs as a service and uses app authentication to connect to the AIP service. So no interactive sign-in is needed to run the scanner.
The scanner has two main configurations which we need to set using PowerShell:
- Add-AIPScannerRepository or Set-AIPScannerRepository -> the locations to scan and the conditions for each location
- Set-AIPScannerConfiguration -> what the scanner should do during the scan
Add-AIPScannerRepository
This cmdlet adds a so-called data repository to be scanned and creates a profile of settings for it. For example, you can specify a default label for unlabeled files, and whether to override an existing label or not. We can specify local folders, UNC paths, and SharePoint Server URLs for SharePoint sites and libraries. The scanner can handle more than one data repository, so you can configure a mix of local folders, UNC paths and SharePoint Server URLs with different settings, all covered by one AIP Scanner installation.
To change these settings we use the Set-AIPScannerRepository cmdlet. To remove a data repository use the Remove-AIPScannerRepository cmdlet.
Example:
Set-AIPScannerRepository -Path C:\Temp2 -SetDefaultLabel UsePolicyDefault -MatchPolicy On
To review the settings, we can use Get-AIPScannerRepository. As you can see in my example I have configured two repositories with different settings:
To get more examples and details review the official documentation: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/add-aipscannerrepository?view=azureipps
Set-AIPScannerConfiguration
The Set-AIPScannerConfiguration cmdlet is used to configure settings for the AIP Scanner itself. These settings include:
- Discovery mode only, or applying labels (enforce mode)
- Whether files are relabeled (yes or no)
- Whether file attributes are changed (yes or no)
- What is logged in the reports
- Whether the scanner runs once or continuously
- The justification message used when a label change requires one
- The Rights Management owner for protected files
Example:
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -DiscoverInformationTypes All
To get more examples and details review the official documentation: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerconfiguration?view=azureipps
Set-AIPScannerScannedFileTypes
This cmdlet is used to tell the scanner which file types should be scanned.
The cmdlet sets a list of file types to scan or to exclude from scanning. To scan all file types, use *. To scan only specific file types use *.<file name extension>. To exclude specific file types from being scanned use -*.<file name extension>. To reset the list back to the default use @().
If no data repository is specified, the list applies to all data repositories that do not have their own list specified.
To get more examples and details review the official documentation: https://docs.microsoft.com/en-us/powershell/module/azureinformationprotection/set-aipscannerscannedfiletypes?view=azureipps
Scenarios
The scanner is typically used for the following scenarios. Reports are stored in this location: %localappdata%\Microsoft\MSIP\Scanner\Reports
Scan for sensitive information types
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2
#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce Off -Schedule Manual -Type Full -DiscoverInformationTypes All
#Start Scan
Start-Service AIPScanner
Start-AIPScan -reset
Label / Protect files
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -DefaultLabelId ae7eaeb0-cfdf-4217-a895-32a6b41311d9 -MatchPolicy Off
#Configure Scan: Label all files with the default label
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -ReportLevel Debug -Type Full
#Start Scan
Start-Service AIPScanner
Start-AIPScan -reset
Scan for sensitive information types, and label and protect files that match
#Configure data repository:
Add-AIPScannerRepository -Path C:\Temp2 -OverrideLabel On -MatchPolicy On
#Configure Scan: Scan for all known sensitive types
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -Type Full -DiscoverInformationTypes All
#Start Scan
Start-Service AIPScanner
Start-AIPScan -reset
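To put the cmdlets from the scenarios above together, here is an added example (not from the original post or from the AIP documentation) of a discovery-first rollout: several repository types on one scanner, per-repository file type lists, a report-only pass, a look at the report files, and only then enforcement on one share. The UNC path, SharePoint URL and label GUID are placeholders; the -ScannedFileTypes and -Repository parameters of Set-AIPScannerScannedFileTypes are taken from the cmdlet's documentation and are not shown on this page.

```powershell
# Added example, not part of the original post. Assumes the scanner service is
# already installed and this shell runs elevated on the scanner host.
$uncPath = '\\FILESERVER01\Finance'                  # placeholder UNC path
$spUrl   = 'https://sp.contoso.local/sites/HR'       # placeholder SharePoint Server URL
$labelId = '00000000-0000-0000-0000-000000000000'    # placeholder label GUID

# 1. Register a mix of repositories on one scanner installation.
Add-AIPScannerRepository -Path 'C:\Temp2'
Add-AIPScannerRepository -Path $uncPath
Add-AIPScannerRepository -Path $spUrl

# 2. Limit what is scanned: Office and PDF files by default, but only documents
#    and spreadsheets on the finance share (its own list overrides the default).
Set-AIPScannerScannedFileTypes -ScannedFileTypes '*.docx','*.xlsx','*.pptx','*.pdf'
Set-AIPScannerScannedFileTypes -Repository $uncPath -ScannedFileTypes '*.docx','*.xlsx'

# 3. Discovery pass: report every known sensitive information type, change nothing.
Set-AIPScannerConfiguration -Enforce Off -Schedule Manual -Type Full -DiscoverInformationTypes All
Start-Service AIPScanner
Start-AIPScan -Reset

# 4. Review the reports before enforcing anything. The reports live under the
#    profile of the account the scanner service runs as, so run this step as
#    that account or replace $env:LOCALAPPDATA with that account's profile path.
$reports = Join-Path $env:LOCALAPPDATA 'Microsoft\MSIP\Scanner\Reports'
Get-ChildItem -Path $reports -Filter '*.csv' |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $rows = @(Import-Csv -Path $_.FullName)
        '{0}: {1} rows' -f $_.Name, $rows.Count
    }

# 5. After the review: label unlabeled files on the finance share with the
#    default label, keep existing labels, and let policy conditions decide the rest.
Set-AIPScannerRepository -Path $uncPath -OverrideLabel Off -DefaultLabelId $labelId -MatchPolicy On
Set-AIPScannerConfiguration -Enforce On -Schedule Manual -Type Full
Start-AIPScan -Reset
```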