Deploy Endpoint DLP policy using Endpoint Central
In this article, you'll explore the following topics:
- File Access Settings
- Email Client Settings
- Removable Storage Settings
- Printer Settings
- File Upload Settings
- File Download Settings
- Screen Capture Restriction Settings
- Clipboard Restriction Settings
- Managing False Positives
- Override Mail Configuration Settings
After creating a data rule, the next crucial step is deploying it. Deploying a policy ensures that the data rules are enforced on endpoints, providing real-time protection for sensitive information across your network.
- To deploy a policy, go to Policy Deployment -> Associate Policy.
- In the Select Custom Group option, select the computer groups to associate with the policy.
Data Discovery
Select the relevant data rules from the data classification set up earlier to apply within the policy.
Password-protected files can be classified as sensitive, with support for formats including 7z, zip, tar, Bzip2, xz, Gzip, RAR, RAR4, RAR5, WIM, ISO, ARG, and ISOUDF.
Data Leakage Prevention
To manage the various access controls for sensitive files, navigate to Policy Deployment -> Data Loss Prevention.
Application Access Settings
The File Access feature enables admins to specify which applications are permitted to access and open sensitive files.
- In Audit Only, all applications can access and read the data, but all activity is tracked and recorded, with detailed insights available for review.
- The Allow Within Trusted Applications feature enables admins to designate a list of trusted applications, ensuring that only the approved apps can access and open files classified as sensitive.
- For enhanced security, the preview pane in Windows File Explorer can be disabled.
The Email Client feature allows admins to define how Outlook handles sensitive files, ensuring secure file management during email communication.
- The Not Applicable option is selected when file sharing is allowed without any restrictions, and no audit reports are generated.
- When the Audit Only option is selected, all files can be shared, but any transfer of sensitive files will be tracked and audited.
- The Allow Within Trusted Domains feature restricts the sharing of sensitive files to configured email domains only. Any attempt to transfer sensitive files outside these email domains is blocked, ensuring files remain secure while allowing seamless sharing within the organization. This helps maintain productivity without compromising data security.
- The Block Emails with Sensitive Content/Attachments feature completely prevents the sharing of sensitive files through the email client, ensuring that sensitive data cannot be transmitted via email.
Navigate to Policy Deployment -> Configure consent settings
By enabling this consent, Endpoint DLP will be able to monitor the transfer of sensitive emails through the installation of Outlook add-ins. Without this consent, the add-ins will not be installed, and sensitive email transfers will go unmonitored.
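The Email Client modes above can be expressed as a small decision routine. This is an added illustration, not Endpoint Central's own code: it assumes a configured trusted-domain list, treats subdomains of a trusted domain as trusted, and blocks a message in Allow Within Trusted Domains mode if any recipient falls outside that list. Recipient addresses are constructed sample values.

```python
"""Added example of the Email Client decision modes (assumption: subdomains of a
trusted domain count as trusted; not Endpoint Central's implementation)."""
from dataclasses import dataclass, field
from email.utils import getaddresses

MODES = ("not_applicable", "audit_only", "trusted_domains", "block")


@dataclass
class EmailPolicy:
    mode: str
    trusted_domains: tuple = ()
    audit_log: list = field(default_factory=list)

    def recipient_domains(self, recipients):
        # Accept "Name <user@host>" forms; compare domains case-insensitively.
        return [addr.rsplit("@", 1)[-1].lower()
                for _, addr in getaddresses(recipients) if "@" in addr]

    def is_trusted(self, domain):
        trusted = [d.lower() for d in self.trusted_domains]
        return any(domain == t or domain.endswith("." + t) for t in trusted)

    def evaluate(self, recipients, has_sensitive):
        """Return 'allow' or 'block'; append an audit record when the mode audits."""
        if self.mode not in MODES:
            raise ValueError(f"unknown mode {self.mode!r}")
        # Non-sensitive mail and Not Applicable mode: no restriction, no audit.
        if not has_sensitive or self.mode == "not_applicable":
            return "allow"
        untrusted = [d for d in self.recipient_domains(recipients)
                     if not self.is_trusted(d)]
        if self.mode == "audit_only":
            decision = "allow"            # transfer allowed, still recorded
        elif self.mode == "trusted_domains":
            decision = "block" if untrusted else "allow"
        else:                             # "block": never leaves via email
            decision = "block"
        self.audit_log.append({"decision": decision, "untrusted": untrusted})
        return decision
```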
Peripheral Device Settings
Admins can control how sensitive files are managed when using removable storage devices, ensuring secure handling and preventing unauthorized data transfers.
- In Audit Only, files containing sensitive data can be transferred, but all such transfers are tracked and audited.
- Allow Within Trusted Devices feature lets admins define a list of trusted devices. Transfer of sensitive files is permitted only between these approved devices, while transfers to all other devices are blocked.
- The Block Sensitive File Transfers option completely restricts the transfer of files containing sensitive data to removable storage devices, ensuring that sensitive data cannot be moved or copied.
Admins can manage the handling of sensitive files during printing, ensuring secure processing and preventing unauthorized access or distribution.
- In Audit Only, printing of sensitive documents is allowed, but all print activities are tracked and audited.
- In Allow Within Trusted Devices, printing of sensitive files is permitted only on trusted printers, while printing on all other devices is blocked to ensure security.
- In Block Sensitive File Prints, printing of sensitive files is completely restricted, preventing any unauthorized printing.
Note: Before a file is printed, its content is rescanned for sensitivity. Only files containing sensitive information are blocked from printing.
- Custom watermarks can be configured to print on documents from trusted sources (the applications included in File Access and Outlook), adding an extra layer of identification and security.
- An option is available to allow users to override restrictions with business reasons, allowing the printing of sensitive content on other printers.
Web Application Settings
Configure settings to prevent the upload of sensitive files to the web, ensuring that critical data remains secure.
- Not Applicable is used when there is no intention to prevent the upload of sensitive files or to track or audit the data being uploaded.
- Audit Only is used when there are no restrictions on data upload. However, when sensitive data is uploaded to non-trusted domains, the activity is audited.
- Allow Within Trusted Domains permits the upload of sensitive data only through trusted domains, while uploads to untrusted domains are restricted.
- Block Sensitive File Uploads completely restricts the upload of sensitive files.
- Choose the web browsers to monitor for file uploads.
- Add a list of trusted domains where sensitive file uploads should not be tracked.
- File uploads are restricted using a browser extension, so monitoring does not occur in Private Browsing or Guest Mode. It is recommended to disable these modes in managed browsers to ensure full tracking of file uploads.
Navigate to Policy Deployment -> Configure consent settings
Providing consent installs the browser plugin, allowing Endpoint DLP to block sensitive file uploads to the web. Without consent, the plugin will not be installed, and sensitive file uploads cannot be restricted.
Under the settings option, you can enable the feature to automatically mark files created from enterprise apps or downloaded from corporate web domains or emails as sensitive by default.
Clipboard settings
The Screen Capture feature allows admins to enable or restrict screen capture.
- The Allow option permits all users to take screenshots of sensitive data without restrictions.
- Block Within Trusted Applications restricts screenshots of sensitive data within any trusted application listed under the File Access settings, ensuring enhanced data security.
Note: The trusted applications are taken from the application list configured under File Access.
The Clipboard Restriction option prevents copying information from trusted applications to untrusted ones, while still allowing file copying within the trusted applications listed.
Exclusion settings
The Automatically Override if False-Positive feature allows users to bypass a block if they believe a non-sensitive file has been incorrectly flagged as sensitive. All overrides are logged in the audit for review. This option can be enabled temporarily until the DLP policy is fine-tuned, ensuring employee productivity remains unaffected.
The "Override Mail Configuration" feature is used to immediately notify admins via email when an override incident occurs, ensuring prompt attention to potential issues.
- Navigate to Settings -> Configure Mail Notification
- Add the list of email addresses that need to be notified when an override is reported