With the release of newer version of WorxApps comes added features. One of the long awaited one was, support for IRM(Information Rights Management) on iOS WorxMail. Earlier release of WorxMail had a support for IRM on only Android devices,with the release of 10.0.7 and above WorxMail is also now supported on iOS platforms.

Go to the below Citrix eDocs link to find out more about IRM support in WorxMail and also the list of attributes which are currently supported.


There are various blogs which talks about how to setup and configure RMS, i will not go though it in this blog but if you have any specific question on RMS installation please do ask in the comments section.

Ensure that the following has been configured on the Active Directory and Exchange Server

1)    Rights Management Server role on the Active Directory.

2)   AD RMS Super Users group on Active Directory.

3)   Federated Delivery Mailbox user account added to this super users group on Exchange Server.

4)   Super Users group feature enabled using the AD RMS management tool on Active Directory.

You should be able to test the IRM configuration after the above 4 points have been met. Point of 3 and 4 above has been covered in this blog.

How to validate IRM Configuration

Use Get and Test cmdlets to validate RMS, use to below cmdlet in Exchange Management Shell to Get IRM config:


If the InternalLicensingEnabled is False run the cmdlet in Exchange Management Shell:

Set-IRMConfiguration -InternalLicensingEnabled $true

and re-run the Get-IRMConfiguration

Use the Test-IRMConfiguration cmdlet to test Information Rights Management (IRM) configuration and functionality.

Test-IRMConfiguration -Sender smith@bklab.local

OverAll result should show as PASS

Alright, after the IRM config is validated successfully, let’s go through other configurations required:

  1. MDX policy configuration for WorxMail in XMS server.
  2. Creation of RMS templates.
  3. End User Experience while using IRM enabled WorxMail on iOS.

1) WorxMail MDX policy for IRM.

Assuming that you have XMS initial setup done and WorxMail 10.0.x added in XMS server as an App, IRM configuration is pretty straight forward in iOS app.

Login to the XMS admin portal. Go to Configure –>Apps–> iOS–>WorxMail–>Edit, scroll down till you see Information Rights Management option. Slide the IRM option to ON as shown in the screen shot below.

Click on Next after making the changes.Click Next again on the Approvals(Optional).

On the Next screen select the Delivery Group in AD you would like to provide access to the WorxMail application and Save it. I have select All Users, since i wanted to deploy it to all the users XMS is configured with.

That is all you need to do on XMS server.

Before you proceed with the template make sure you have already done with the below two steps:

1. Federated Delivery Mailbox user account added to this super users group on Exchange Server.

Use the Exchange Management Shell to add the Federated Delivery Mailbox user account to the Super user group.

Go to Exchange Server–>Open Exchnage Management Shell–>Enter

Add-DistributionGroupMember -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 –Identity RMS_SUPER_USER.

2. Super Users group feature enabled using the AD RMS management tool on Active Directory

To Enable Super User go to Securities Policies in cluster –>Super Users–>Enable Super User under Actions in right panel. In the pop up screen specify the email address of the Super User group you created in AD. I have created

RMS_SUPER_USER distribution group in AD with an email address. That email address is being used here to enable the User group.

2) Creation of RMS templates.

Follow the below instructions to create a template on Rights Management Server(RMS). below screen shot are assuming you have installed RMS on a Windows 2008 R2 system.

Go To Active Directory Rights Management Service–>Expand cluster–>Select Rights Policy Template–>On right panel, select Create Distribution Rights Template

Click on Add

In the screen shot below I have created a template named “Do Not Forward”

Fill in Name and Description and Hit Next

Browser to a group or a user you want to grant rights to work with the protected content.

On the next screen you can select the Content expiration, I have left it as Never Expires.

Click Next on the Extended Policy.

Click Finish on the Revocation Policy.

3) End User Experience

Assuming, that end user has already enrolled. Added the WorxMail app from the WorxStore to the device and is already configure ithe app with the exchange settings.

IRM enabled users will see IRM icon while composing an email, as shown below in the screen shot.Click on the icon will display the list of Restrictions Profiles configured in AD RMS server.

Below is another screen shot with the details of the Restrictions. In this screen shot you can see that recipient of this email can read this message but can’t Forward, Print or Copy Content.

In the next Screen shot, at the bottom you can see that the Forward option is greyed out for the recipient.

Here is a screen shot of Android WorxMail where user is restricted to Forward and take print of  the email messages

Disclaimer:  The environment that I have used is strictly for demonstration purposes, please make sure that you keep track of third party licenses and copyrights when using a third party product.