Yes James! Thanks. Starting from the prerequisites: https://learn.microsoft.com/es-es/azure/information-protection/deploy-aip-scanner-prereqs
it says that: "If you can't meet all the requirements in the table because they are prohibited by your organization policies, see the alternative configurations section."
In the alternative configurations section, the first restriction talks about no internet connectivity: "Restriction: The scanner server cannot have internet connectivity".
The docs are clear on this point: "While the unified labeling client cannot apply protection without an internet connection, the scanner can still apply labels based on imported policies". We don't want to use AIP for RMS, but only for labels. It fits perfectly for us. The tricky point comes after the first required step:
1. Configure labels in your policy, and then use the procedure to support disconnected computers to enable offline classification and labeling.
Here is the tricky point. If you navigate to the "procedure to support disconnected computers", it says that: "If you have computers that cannot connect to the internet for a period of time, you can export and copy files that manually manages the policy for the unified labeling client."
The scanner is supposed to have no internet connection at any time, so there is no "period of time" as the docs say.
After following all the steps:
- Set the scanner to function in offline mode, using the Set-AIPScannerConfiguration cmdlet.
- Configure the scanner in the Azure portal by creating a scanner cluster. For more information, see Configure the scanner in the Azure portal.
- Export your content job from the Azure Information Protection - Content scan jobs pane using the Export option.
- Import the policy using the Import-AIPScannerConfiguration cmdlet.
- Results for offline content scan jobs are located at: %localappdata%\Microsoft\MSIP\Scanner\Reports
There are no reports located in that folder (after Start-AIPScan), and the MSIPScanner logs show the following:
Warn 2020-10-06 10:07:02.2797 MSIP.Scanner MSIP.Scanner (536) Failed to validate policy and confiuguration "System.InvalidOperationException: Engine is not initialized, bootstrap might have failed ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'login.windows.net'
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
It is trying to connect, and it seems that it needs to validate in order to perform a scan.
Thanks in advance, @JamesTran-MSFT