Endpoint Data Loss Prevention
Endpoint Data Loss Prevention
Note
Contact your Sales Representative to enable this feature for your account.
Netskope Endpoint Data Loss Prevention (Endpoint DLP) provides data protection at the endpoint by utilizing Netskope’s cloud DLP capabilities. You can use Endpoint DLP to monitor and govern USB storage devices and printers connected to your endpoint. Endpoint DLP is an optional add-on capability to the Netskope Client and does not require deploying and managing a separate client or agent on the endpoint.
With Endpoint DLP, you can create Device Control and Content Control policies. Device Control policies enable granular control over which devices are allowed and which users can access them. Whereas, Content Control policies enable the full use of the Netskope DLP engine to inspect and control data movement between an endpoint and a USB mass storage device or printer.
Endpoint DLP allows you to manage and govern endpoints to prevent sensitive content from being transferred to USB storage devices, printers, Bluetooth, or network file share. You can:
- Govern endpoint devices by creating device control, content control, and file origin policies.
- Monitor endpoint activities and block or trigger alerts when users insert or remove USB storage devices, transfer sensitive files to USB storage devices, set up and configure printers, and print documents.
- Respond to incidents and alert the user of their actions.
- Coach the user through custom notification messages by allowing them to justify their actions or cancel them.
Benefits
Endpoint DLP provides the following benefits:
- Minimizes resource utilization at the endpoint for a better user experience.
- Inspects content for DLP violations for a stronger security posture.
- Leverages the DLP policy framework to generate alerts and incidents.
Requirements
Endpoint DLP runs on either Windows or macOS.
If on Windows, Endpoint DLP requires Windows 10 or Windows 11 on 64-bit processors.
If on macOS, Endpoint DLP requires macOS 11, 12, 13 or 14 running either on Intel x64 or Apple Silicon AND Full Disk Access.
The client must be able to reach https://epdlp-prod.netskope.io
Ensure you do the following before configuring Endpoint DLP:
- Provision users for the Netskope Client.
- Enable Endpoint DLP for the Netskope Client configurations.
Enabling Endpoint DLP on the Client for macOS
Endpoint DLP on macOS requires Full Disk Access to function properly. Follow the following instructions to provide the process with Full Disk Access. If the client machine is not managed through an MDM profile, then the user must manually provide the Full Disk Access to the EPDLP client.
For information regarding Full Disk Access, see Apple’s documentation regarding Controlling app access to files in macOS.
MDM Deployments on macOS
The Full Disk Access workflow is covered for the following MDM solutions:
- JAMF
- Workspace ONE (Formerly Airwatch)
- Microsoft Intune
- Kandji
Common steps are:
1. Install DLP on any test machine once.
2. Open Terminal and run the following command:
codesign -dr - /Library/Application\ Support/Netskope/EPDLP/Netskope\ Endpoint\ DLP.app
3. This will generate the following output:
Executable=/Library/Application Support/Netskope/EPDLP/Netskope Endpoint DLP.app/Contents/MacOS/Netskope Endpoint DLP
designated => anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
4. Copy the substring after the “designated =>” portion. For example,
anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
JAMF
See JAMF for more information.
5. Open the JAMF Dashboard and navigate to Computer > Configuration and open the configuration that was created for NSclient.
6. Search for Privacy Preference Policy Control.
7. Use “com.netskope.epdlp.client” for Identifier, “Bundle ID” for Identifier Type and your copied substring in step 4 for Code Requirement.
8. Select “SystemPolicyAllFiles” under APP OR SERVICE and “Allow” under Access.
9. Save the configuration profile
Workspace ONE (Formerly Airwatch)
See Deploy Client on macOS Using VMware Workspace ONE for more information.
5. Navigate to Resources > Profiles and Baselines > Profiles.
6. Under Privacy Preferences, use “com.netskope.epdlp.client” for Identifier, “Bundle ID” for Identifier Type and your copied substring in step 4 for Code Requirement. Set System Policy All Files to “Allow”.
Microsoft Intune
See Deploy Client on macOS Using Intune for more information
5. Navigate to Dashboard > Devices | macOS > Configuration Profiles.
6. Create an Identifier with “com.netskope.epdlp.client”.
7. Set Allowed to “True. Use “your copied substring in step 4 for Code Requirement and bundle ID” for Identifier Type . Set System Policy All Files to “Allow”.
Kandji
5. Navigate to Privacy Policy.
6. use “com.netskope.epdlp.client” for Identifier, “Bundle ID” for Identifier Type and your copied substring in step 4 for Code Requirement. Set System Policy All Files to “Allow”.
Full Disk Access Error
If Full Disk Access is not enabled for the EPDLP client, the following error message may pop up after installing the EPDLP package through STAgent.pkg
The Proceed button opens the Full Disk Access Settings in System Preferences to add and enable the EPDLP client.
Enable the Full Disk Access to EPDLP client by adding and enabling “Netskope Endpoint DLP” in Full Disk Access settings.
System Preferences -> Security & Privacy -> Privacy -> Full Disk Access
Endpoint DLP is an add-on feature for the Netskope Client. To enable Endpoint DLP for the Netskope Client, contact your sales representative.
Once enabled, ensure you do the following before configuring Endpoint DLP:
You can define Device Control policies that allow users to access only corporate sanctioned USB devices or printers. You can leverage device control policies to take action based on the device.
-
In the Netskope UI, go to Policies > Endpoint Protection.
-
In the Device Control tab, click New Device Control Policy.
-
On the Endpoint Device Control Policy page:
-
Endpoint Protection: Select any of the following criteria for by the policy:
-
Users: Select the Users, User groups, or Organizational units affected by the policy. Click + Exclusions to select the users, user groups, or organizations you want to exclude from the policy.Device Classification: Choose to apply the policy to managed or unmanaged devices. You also can click to to go to the Device Classification page and configure rules.
-
Device Classification: Choose to apply the policy to Managed or Unmanaged devices. You also can click the Settings icon to go to the Device Classification page and configure rules.
Device Classification is only supported on Netskope Client devices running version 110.0.0+. This policy won’t be enforced on devices running older Netskope Client versions. -
-
Device: Select
-
USB storage device – To allow or block connected USB device on corporate laptops
-
Printer – To allow or block local/network printers used by endusers
-
Network File Share – To control which network file shares endpoints are allowed to access. NFS is supported on client versions running version 113.0.0+ on Windows and version 118.0.0+ on macOS.
-
Bluetooth File Control (Windows and MacOS) – To allow or deny outgoing file transfers over Bluetooth.
-
CD and DVD Drives (Windows) – To allow or deny writes to discs.
For each type of device except Bluetooth File Control, admins can define the following conditions:
-
Any: Select to apply this policy to all corporate sanctioned and unsanctioned devices.
-
Matches: Select the constraint profiles that contain the devices you want to include in the policy. For example, you can select a constraint profile that includes a particular brand of USB devices you want to limit access to. Click + Create New to create a new constraint profile. This policy only applies to devices that match the selected constraint profiles.
-
Does not match: Select the constraint profiles that contain the devices you want to exclude from the policy. For example, you can select a constraint profile that includes all local printer devices. Click + Create New to create a new constraint profile. This policy only applies to devices that don’t match the selected constraint profiles.
For detailed info on Constraint Profiles, see Constraint Profile.
-
-
Action: Select the action to be performed when the policy is triggered.
-
Allow: Select to allow users read and write access to the USB, printer, NFS or Bluetooth File Control.
-
Make Read-Only: Select to only allow users read access to the storage device. This is only available for USB devices.
WPD/phone devices do not support Read-Only policy actions. These devices will be blocked. -
Block: Select to block users from accessing the device.
-
-
Set Policy: Enter a policy name. You can only use alphanumeric characters and symbols such as underscore (_), dash (-), and square brackets ([ ]). You cannot use the greater-than (>) or less-than (<) symbols in policy names. Optionally, You can click + Policy Description to add notes or information and toggle
-
Status: Enable or disable the policy.
-
You can define Content Control policies to prevent users from copying or printing sensitive data to sanctioned USB devices and printers. You can leverage content control policies to take action based on the sensitive content in the file or where the file came from (i.e., file origin).
Content Control policies don’t apply to phones or WPD devices.
-
In the Netskope UI, go to Policies > Endpoint Protection.
-
Click the Content Control tab.
-
Click New Content Control Policy.
-
On the Endpoint Content Control Policy page:
-
Endpoint Protection: Select any of the following criteria for by the policy:
-
User: Select the users, user groups, or organizational units affected by the policy. Click + Exclusions to select the users, user groups, or organizations you want to exclude from the policy.
-
Device Classification: Choose to apply the policy to managed or unmanaged devices. You also can click the Settings icon to go to the Device Classification page and configure rules.
Device Classification is only supported on Netskope Client devices running version 110.0.0+. This policy won’t be enforced on devices running older Netskope Client versions.
-
-
Destination: Select USB Storage Device and/or Printer for the content destination.
For both the devices, admins can select the following conditions:
-
Any: Select to apply this policy to all corporate sanctioned and unsanctioned USB storage devices.
-
Matches: Select the constraint profiles that contain the USB devices you want to include in the policy. For example, you can select a constraint profile that includes encrypted USB devices you want to limit access to. Click + Create New to create a new constraint profile. This policy only applies to devices that match the selected constraint profiles.
-
Does not match: Select the constraint profiles that contain the USB devices you want to exclude from the policy. For example, you can select a constraint profile that includes all local and network printer devices. Click + Create New to create a new constraint profile. This policy only applies to devices that don’t match the selected constraint profiles.
-
-
File: Select the file information for the policy.
-
File Profile: Select the file profiles that define the files you want to allow or block users from copying to a USB storage device or printing. For ex., you can create a file profile which includes text files and/or spreadsheets. Click + to create a new file profile. You also can click the Settings icon to go to the File Profile page.
-
File Origin: Select the predefined or custom applications and application instances that contain files you want to allow or block users from copying to a USB storage device or printing. For example, you can create a file origin with Slack Enterprise or Gmail application instances so that any file downloaded from these apps can be blocked from copying to devices. Under Exceptions, you can select the application instances you want to exclude from this policy. You also can click the Settings icon to go to the App Definition page and configure a custom app.
-
-
Profile & Action: Select the DLP profiles you want to use to inspect files for violations and configure an action for each profile.
-
Allow: Select to allow users to transfer files that have no DLP violations from the USB storage device.
-
Alert: Select to receive alerts about files that are transferred to the USB storage device and contain DLP violations.
-
User Alert: Select to send a default or custom notification message to users when they transfer files with DLP violations to a USB storage device. Click + Create Template to create a notification message that allows them to proceed after they justify their reasons.
-
Block: Select to prevent users from transferring files to the USB storage device, send a default or custom notification message to users when they transfer files with DLP violations. Click + Create Template to create a notification message that teaches them to adhere to your data policy.
-
-
Set Policy: Enter a policy name. You can only use alphanumeric characters and symbols such as underscore (_), dash (-), and square brackets ([ ]). You cannot use the greater-than (>) or less-than (<) symbols in policy names. Optionally, You can click + Policy Description to add notes or information.
-
Status: Enable or disable the policy.
-
-
Click Save and then click Apply Changes.
You can configure the fallback settings when the Netskope cloud can’t perform content inspection for an endpoint because it’s offline, the file size is too large, or there’s a system error.
To configure the Content Control policy settings:
- In the Netskope UI, go to Policies > Endpoint Protection.
- Click the Content Control tab.
- Click Settings.
- In the Content Control Policy Settings window:
- When endpoint is offline: Allow or block files from being copied to an endpoint device when the device is disconnected from the internet.
- When file size exceeds DLP scan limit: Allow or block files from being copied to an endpoint device when the file size is larger than the DLP scan limit.
- When system error occurs: Allow or block files from being copied to an endpoint device when there is a system error.
- Click Save and then click Apply Changes.
Original File Access
Similar to DLP incidents, when an EPDLP Incident is created, the original file that caused the incident will be available for download in WebUI.
Note that this applies to only to DLP content scan incidents, and the “Forensics enabled” configuration must be enabled.
.
See the following links for more information on Original File Access: Enable a Forensic Profile and Downloading DLP files