AD RMS: How to Exclude an Application from Accessing Your RMS Cluster
You can specify the versions of an RMS-enabled application that all licensing requests are checked against. Application exclusion stamps every use license with a condition: the license can bind to the rights-protected content for which it is issued only if the application that is requesting the license is not on the excluded list.
This may be useful, for example, when an enterprise deploys a security update for an application. System administrators can use their usual mechanism to cause client computers to install the security update. They can then use the administration Web site to set application exclusion policies that are defined by the version information of the application. This exclusion policy restricts RMS from issuing licenses to clients that are running previous versions of the software.
RMS-enabled applications are excluded by their file name and version number. You might want to do this to make sure that users install a newer, more secure version of an application when it becomes available. For example, you may have version 1.0.4.2315 of an RMS-enabled application that is deployed in your organization. Then the application developer discovers a security problem and issues version 1.0.4.4200 that eliminates the problem. In addition to rolling out the new version of the application, you can establish an exclusion policy that prevents users from consuming protected content until they upgrade to the latest version of the RMS-enabled application.
As with other types of exclusion, you must configure application exclusion on each cluster for which you want it to take effect.
When you apply this exclusion policy on your server, clients cannot use the excluded application to request and bind new use licenses to rights-protected content. However, clients can continue to use the excluded application to consume previously licensed files.
To Exclude Applications
To perform this procedure, you must be logged on locally to the administration Web site with a domain user account that is a member of the Administrators group. As a security best practice, consider using Run as to perform this procedure.
Exclusion policies are enforced by the client at the time the use license is bound to the protected content.
Log on to the computer with a user account that is a member of the local Administrators group.
Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page.
Next to the Web site on which you want to control which versions of applications can be used with rights-protected content, click Administer RMS on this Web site.
In the Administration links area, click Exclusion policies.
In the Application exclusion area, click Enable to exclude an RMS-enabled application or component.
To disable application exclusion, click Disable.
Type the file name of the application or component to be excluded, type the minimum and maximum versions to be excluded (in the format x.x.x.x), and then click Exclude this application. If your application's version number has only two or three period-delimited parts, append .0 as needed to make the version number match the format required by RMS.
To delete an application (or component) from the exclusion list, select the file name, and then click Delete selected applications from the exclusion list.
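The version rule in the procedure above, as an added example that is not part of the original page or of RMS itself: this Python script pads two- and three-part versions to the x.x.x.x format and reports which inventoried installations fall inside a planned exclusion range, so you can see who will be blocked before you enable the policy. The file name rmsapp.exe, the host names, the range bounds, and the inclusive, case-insensitive matching are assumptions made for illustration.

```python
import re

def normalize_version(text):
    """Parse a period-delimited version into four-part x.x.x.x form,
    appending .0 parts to two- or three-part versions."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        raise ValueError(f"not a 2- to 4-part numeric version: {text!r}")
    numbers = [int(p) for p in parts]
    return tuple(numbers + [0] * (4 - len(numbers)))

def format_version(version):
    """Render a four-part tuple back into x.x.x.x text."""
    return ".".join(str(n) for n in version)

def is_excluded(file_name, version_text, policy):
    """True if the file name matches and the version lies inside the range.
    Assumptions: name match is case-insensitive, range bounds are inclusive."""
    if file_name.lower() != policy["file_name"].lower():
        return False
    low = normalize_version(policy["min_version"])
    high = normalize_version(policy["max_version"])
    if low > high:
        raise ValueError("minimum version is greater than maximum version")
    # Tuples compare numerically part by part, so 1.0.4.10000 > 1.0.4.4200.
    return low <= normalize_version(version_text) <= high

def plan_exclusion(policy, inventory):
    """Return (host, four-part version, excluded?) for each inventory row."""
    return [(host, format_version(normalize_version(ver)), is_excluded(name, ver, policy))
            for host, name, ver in inventory]

# Constructed sample data: hypothetical file name, hosts and range bounds.
POLICY = {"file_name": "rmsapp.exe", "min_version": "1.0", "max_version": "1.0.4.4199"}
INVENTORY = [
    ("PC-01", "rmsapp.exe", "1.0.4.2315"),   # vulnerable build from the text
    ("PC-02", "RMSAPP.EXE", "1.0.4.4200"),   # fixed build from the text
    ("PC-03", "rmsapp.exe", "1.0.4"),        # three-part version, padded
    ("PC-04", "rmsapp.exe", "1.0.4.10000"),  # would sort wrong as a string
    ("PC-05", "other.exe", "1.0.4.2315"),    # different file name
]

if __name__ == "__main__":
    for host, version, excluded in plan_exclusion(POLICY, INVENTORY):
        print(f"{host}  {version:<12}  {'EXCLUDED' if excluded else 'allowed'}")
```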