Hi,
I have an AD RMS 8.0 Cluster (Server 2012 R2) on-premise and Exchange 2013 IRM Transport Rules, correctly set up.
Users are able to send IRM protected mails with OWA, ActiveSync and Outlook 2010/2013 on Windows 7/8.1/10.
But I'm having trouble with Mac OS clients using Outlook 2016. They constantly get prompted for a password and also get this error: "You do not have permission to open this message."
I installed all updates for Office 2016 as stated in this article:
https://social.technet.microsoft.com/Forums/en-US/4808ea98-1132-4995-8653-1e63e79fa513/office-for-mac-2016?forum=rms
No luck, the problem persists.
So... I found this article that indicates that it is necessary to install "Active Directory Rights Management Services Mobile Device Extension":
https://cloudblogs.microsoft.com/enterprisemobility/2014/11/03/new-outlook-for-mac-now-available-with-azure-rms-support/
Note: If you are part of an organization that uses AD RMS, you need to install the new Mobile Device Extension package as described here. This is because Outlook IRM depends on the new RMS SDK 4.1, which uses OAuth 2.0 to authenticate users.
When I read the deployment guide, I was surprised to find out that ADFS is a requirement...
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn673574(v=ws.11)
For Mac computers and Office 2016 for Mac:
- If you have already installed the mobile device extension, check that it supports this latest Office version. Look for Active Directory Rights Management Services Mobile Device Extension listed in Programs and Features and confirm that the version is at least 1.0.0112.0630. If it is not, follow the deploying instructions in this article to install the latest version from the Download Center. There's no need to manually uninstall the old version first; the Setup wizard can upgrade an existing version.
I don't have an ADFS infrastructure, and besides, I don't want to publish ADFS to the internet....
Is it necessary for real? Why would I need to expose my infrastructure to internet to use INTERNAL Outlook clients?
Is it possible to configure the Mobile Extension without publishing those services? For example, using an internal ADFS? This service will be only internally consumed...
Regards!
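The deployment guide quoted above asks the administrator to look in Programs and Features and confirm that the Mobile Device Extension is at least version 1.0.0112.0630. The following PowerShell script is an added example (not part of the original post and not Microsoft's own tooling) that performs that check on an RMS cluster node by reading the standard Uninstall registry keys; it assumes the product's DisplayName contains the string "Rights Management Services Mobile Device Extension" (a hypothetical match pattern), and it only verifies the installed version, not the OAuth 2.0 / ADFS prerequisite the post is asking about.

```powershell
# Added example, not from the original post: verify that the AD RMS Mobile Device
# Extension is installed and meets the minimum version quoted from the deployment guide.
# Run on each AD RMS cluster node. Assumption: the DisplayName of the package contains
# "Rights Management Services Mobile Device Extension" (hypothetical match string).
$MinimumVersion = [version]'1.0.0112.0630'   # value quoted from the deployment guide

# Both 64-bit and 32-bit uninstall hives are checked so the package is found either way.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Rights Management Services Mobile Device Extension*' }

if (-not $Installed) {
    Write-Output 'Mobile Device Extension not found in Programs and Features on this node.'
    exit 1
}

foreach ($Entry in $Installed) {
    # DisplayVersion is stored as a string; cast it so the comparison is numeric per field
    # rather than lexical (e.g. "1.0.0112.0630" vs "1.0.99.1").
    $Found = [version]$Entry.DisplayVersion
    if ($Found -ge $MinimumVersion) {
        Write-Output ("{0} {1}: OK (minimum {2})" -f $Entry.DisplayName, $Found, $MinimumVersion)
    } else {
        Write-Output ("{0} {1}: below minimum {2}, install the latest package from the Download Center" -f
            $Entry.DisplayName, $Found, $MinimumVersion)
        exit 2
    }
}
```

The exit codes make the check usable from a configuration-management or monitoring job: 0 means the extension is present at a supported version, 1 means it is missing, 2 means it is present but older than the guide's minimum. A passing result here does not by itself resolve the password prompts, because the extension still requires the OAuth 2.0 endpoint described in the deployment guide.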