I ran into an issue recently that had me stumped for quite a while. I had a client running a MIP pilot and had an encrypting MIP label missing the sensitivity drop-down options within Office Client Apps. All other labels were there (Public, Internal, Confidential, etc.), including the labels that were configured to encrypt. The only one that was missing was the restricted label. This one was also encrypted, but unlike the confidential label, which had the encryption groups configured on the label itself, the restricted label allowed users to set the encryption themselves. Keep in mind; this is expected behavior if you are working on the web version of Office, where any label that prompts users to set permissions is not supported. In this case, however, we were using the standard Office 365 client.