Moving back to the general DLP settings in the Microsoft compliance center, we will now cover the specific settings that are available for Endpoint DLP. The solution enables you to audit and act on several activities users take on sensitive items. The activities available for monitoring are as follows:
- Upload to cloud service, or access by unallowed browser: Detects when an individual tries to upload a protected item to a restricted service domain or access the item through an unallowed browser.
- Copy to other app: Detects when an individual tries to copy sensitive information from a protected item and then paste it into another application, item, or process.
- Copy to USB removable media: Detects when an individual tries to copy information or an item to a USB device or other removable media.
- Copy to a network share: Detects when an individual tries to copy an item to a mapped network share.
- Print a document: Detects printing attempts of sensitive information.
- Copy to a remote session: Detects attempts to copy sensitive information to a remote desktop session.
- Copy to a Bluetooth device: Detects copy attempts to unallowed Bluetooth apps (as defined in the general settings for Endpoint DLP for Unallowed Bluetooth apps).
- Create an item: Detects when a user creates an item. This setting is only auditable.
- Rename an item: Detects when a user renames an item. This setting is only auditable.
The following screenshot from a DLP policy highlights the specific Endpoint DLP settings:
Figure 8.8 – Overview of Endpoint DLP settings in a DLP policy
There are also several global settings for the feature; these apply to all onboarded devices, whereas the settings shown in Figure 8.8 apply only to the specific policy in which they are enabled.
The global Endpoint DLP settings are as follows:
- File path exclusions: Files in these Windows device locations will not be monitored by DLP policies.
- Unallowed apps: Prevents specific apps from accessing files protected by a DLP policy.
- Unallowed Bluetooth apps: Prevents transfer via Bluetooth for files protected by your policies.
- Browser and domain restrictions to sensitive data: Restricts the usage of unallowed browsers when handling sensitive information or prevents the uploading of said information to unallowed service domains.
- Additional settings for Endpoint DLP: Controls how your users interact with the justification pop-up windows that appear if the policy is set to Block with override, with the following options: Show default options with custom text box, Only show default options, and Only show custom text box.
- Always audit file activity for devices: The default setting here is Active, and once devices are onboarded, activity for Office, PDF, and CSV files is automatically audited, even without a DLP policy targeting them.
If you are interested in learning even more about these settings, refer to https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-using?view=o365-worldwide#dlp-settings.
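To put the per-policy activity settings to use outside the compliance center UI, here is an added PowerShell example (not a procedure from the book) that creates the same kind of policy and rule with Security & Compliance PowerShell; the policy and rule names, the sensitive information type, and the Setting strings passed to -EndpointDlpRestrictions are assumptions that should be checked against Get-Help New-DlpComplianceRule in your tenant.

```powershell
# Added example, not the book's own steps. Cmdlet names are those of Security &
# Compliance PowerShell; the Setting strings below are assumed from the cmdlet
# documentation, so verify them against Get-Help New-DlpComplianceRule -Full.
Connect-IPPSSession

# Policy scoped to all onboarded devices (Endpoint DLP location only).
# Start in simulation mode and switch to Enable after reviewing the audit events.
New-DlpCompliancePolicy -Name "Endpoint - Credit card egress" `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# One rule covering the per-policy activities listed above.
# Audit = log only; Warn = block with override (shows the justification pop-up);
# Block = hard block. Create/Rename item are audit-only and are not set here.
$restrictions = @(
    @{ Setting = "CloudEgress";           Value = "Block" }  # upload to restricted domain / unallowed browser
    @{ Setting = "CopyPaste";             Value = "Warn"  }  # copy to other app
    @{ Setting = "RemovableMedia";        Value = "Block" }  # copy to USB removable media
    @{ Setting = "NetworkShare";          Value = "Audit" }  # copy to a network share
    @{ Setting = "Print";                 Value = "Warn"  }  # print a document
    @{ Setting = "RemoteDesktopServices"; Value = "Block" }  # copy to a remote session
    @{ Setting = "Bluetooth";             Value = "Block" }  # copy to unallowed Bluetooth app
)

New-DlpComplianceRule -Policy "Endpoint - Credit card egress" `
    -Name "Credit card numbers leaving endpoints" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -EndpointDlpRestrictions $restrictions

# Confirm what was written before moving the policy from simulation to Enable.
Get-DlpComplianceRule -Policy "Endpoint - Credit card egress" |
    Select-Object Name, EndpointDlpRestrictions
```

Run the policy in simulation first and review the audited activity in Activity explorer before changing -Mode to Enable, so that Warn and Block actions do not surprise users.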
Let’s dive into how we create a DLP policy meant for endpoints, where we will use the settings we just covered in practice.