Endpoint Data Loss Prevention

Endpoint Data Loss Prevention

Note

Contact your Sales Representative to enable this feature for your account.

Netskope Endpoint Data Loss Prevention (Endpoint DLP) provides data protection at the endpoint by utilizing Netskope’s cloud DLP capabilities. You can use Endpoint DLP to monitor and govern USB storage devices and printers connected to your endpoint. Endpoint DLP is an optional add-on capability to the Netskope Client and does not require deploying and managing a separate client or agent on the endpoint.

With Endpoint DLP, you can create Device Control and Content Control policies. Device Control policies enable granular control over which devices are allowed and which users can access them. Whereas, Content Control policies enable the full use of the Netskope DLP engine to inspect and control data movement between an endpoint and a USB mass storage device or printer.

Endpoint DLP allows you to manage and govern endpoints to prevent sensitive content from being transferred to USB storage devices or printers. You can:

  • Govern endpoint devices by creating device control, content control, and file origin policies.
  • Monitor endpoint activities and block or trigger alerts when users insert or remove USB storage devices, transfer sensitive files to USB storage devices, set up and configure printers, and print documents.
  • Respond to incidents and alert the user of their actions.
  • Coach the user through custom notification messages by allowing them to justify their actions or cancel them.

Benefits

Endpoint DLP provides the following benefits:

  • Minimizes resource utilization at the endpoint for a better user experience.
  • Inspects content for DLP violations for a stronger security posture.
  • Leverages the DLP policy framework to generate alerts and incidents.

Requirements

Endpoint DLP runs on either Windows or macOS.

If on Windows, Endpoint DLP requires Windows 10 or Windows 11 on 64-bit processors.

If on macOS, Endpoint DLP requires macOS 11, 12, or 13 running either on Intel x64 or Apple Silicon AND Full Disk Access .

The client must be able to reach https://epdlp-prod.netskope.io

Ensure you do the following before configuring Endpoint DLP:

Enabling Endpoint DLP on the Client for macOS

Endpoint DLP on macOS requires Full Disk Access to function properly. Follow the following instructions to provide the process with Full Disk Access. If the client machine is not managed through an MDM profile then, the user must manually has to provide the Full Disk Access to the EPDLP client.

MDM Deployments on macOS

The Full Disk Access workflow is covered for the following MDM solutions:

  • JAMF
  • Workspace ONE (Formerly Airwatch)
  • Microsoft Intune
  • Kandji

1. Install DLP on any test machine once.

2. Open Terminal and run the following command:

codesign -dr – /Library/Application Support/Netskope/EPDLP/netskopeendpointdlp.app

3. This will generate the following output:

Executable=/Library/Application Support/Netskope/EPDLP/netskopeendpointdlp.app/Contents/MacOS/netskopeendpointdlpdesignated => anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")

4. Copy the substring after the “designated =>” portion. For example,

anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")

JAMF

See JAMF for more information.

5. Open the JAMF Dashboard and navigate to Computer > Configuration and open the configuration that was created for NSclient.

6. Search for Privacy Preference Policy Control.

7. Use “com.netskope.epdlp.client” for Identifier, “Bundle ID” for Identifier Type and your copied substring in step 4 for Code Requirement.

8. Select “SystemPolicyAllFiles” under APP OR SERVICE and “Allow” under Access.

JAMFMDM.png

9. Save the configuration profile

Workspace ONE (Formerly Airwatch)

See Deploy Client on macOS Using VMware Workspace ONE for more information.

5. Navigate to Resources > Profiles and Baselines > Profiles.

6. Under Privacy Preferences, use “com.netskope.epdlp.client” for Identifier, “Bundle ID” for Identifier Type and your copied substring in step 4 for Code Requirement. Set System Policy All Files to “Allow”.

WorkspaceONEFullDiskAccess1.png
WorkspaceONEFullDiskAccess2.png

Microsoft Intune

See Deploy Client on macOS Using Intune for more information

5. Navigate to Dashboard > Devices | macOS > Configuration Profiles.

6. Create an Identifier with “com.netskope.epdlp.client”.

7. Set Allowed to “True. Use “your copied substring in step 4 for Code Requirement and bundle ID” for Identifier Type . Set System Policy All Files to “Allow”.

MDMIntune.png

Kandji

5. Navigate to Privacy Policy.

6. use “com.netskope.epdlp.client” for Identifier, “Bundle ID” for Identifier Type and your copied substring in step 4 for Code Requirement. Set System Policy All Files to “Allow”.

KandjiFDAMDM.png

Full Disk Access Error

If Full Disk Access is not enabled for the EPDLP client, the following error message may pop up after installing the EPDLP package through STAgent.pkg

FullDiskAccessError.png

The Proceed button opens the Full Disk Access Settings in System Preferences to add and enable the EPDLP client.

Enable the Full Disk Access to EPDLP client by adding and enabling “netskopeendpointdlp” in Full Disk Access settings.

System Preferences -> Security & Privacy -> Privacy -> Full Disk Access

FullDiskAccessMacOS.png

Enabling Endpoint DLP

Endpoint DLP is an add-on feature for the Netskope Client. To enable Endpoint DLP for the Netskope Client, contact your sales representative.

Once enabled, ensure you do the following before configuring Endpoint DLP:

Creating Endpoint Device Control Policies

You can define Device Control policies that allow users to access only corporate sanctioned USB devices or printers. You can leverage device control policies to take action based on the device.

  1. In the Netskope UI, go to Policies > Endpoint Protection.
  2. In the Device Control tab, click New Device Control Policy.
  3. On the Endpoint Device Control Policy page:
    • Endpoint Protection: Select any of the following criteria for by the policy:
      • Users: Select the users, user groups, or organizations affected by the policy. Click + Exclusions to select the users, user groups, or organizations you want to exclude from the policy.Device Classification: Choose to apply the policy to managed or unmanaged devices. You also can click The Settings icon. to to go to the Device Classification page and configure rules.

        Note

        Device Classification is only supported on Netskope Client devices running version 110.0.0+. This policy won’t be enforced on devices running older Netskope Client versions.

      Device: Select USB storage device, Printer, Network File Share (Windows), or Bluetooth File Control:
      • Any: Select to apply this policy to all corporate sanctioned and unsanctioned devices.Matches: Select the constraint profiles that contain the devices you want to include in the policy. For example, you can select a constraint profile that includes corporate sanctioned devices you want to limit access to. Click + Create New to create a new constraint profile. This policy only applies to devices that match the selected constraint profiles.Does not match: Select the constraint profiles that contain the devices you want to exclude from the policy. For example, you can select a constraint profile that includes all corporate sanctioned devices. Click + Create New to create a new constraint profile. This policy only applies to devices that don’t match the selected constraint profiles.
      Action: Select the action to be performed when the policy is triggered.
      • Allow: Select to allow users read and write access to the device or printer.Make Read-Only: Select to only allow users read access to the storage device. This is only available for USB devices.

        Note

        WPD/phone devices do not support Read-Only policy actions. These devices will be blocked.

        Block: Select to block users from accessing the device.
      Set Policy: Enter a policy name. You can only use alphanumeric characters and symbols such as underscore (_), dash (-), and square brackets ([ ]). You cannot use the greater-than (>) or less-than (<) symbols in policy names. Optionally, You can click + Policy Description to add notes or information.Status: Enable or disable the policy.
    The configured Endpoint Device Control Policy page. R105
  4. Click Save and then click Apply Changes.

Creating Endpoint Content Control Policies

You can define Content Control policies to prevent users from copying or printing sensitive data to sanctioned USB devices and printers. You can leverage content control policies to take action based on the sensitive content in the file or where the file came from (i.e., file origin).

Note

  • Printer support for Content Control policies is currently in Controlled GA. Contact your Sales Representative or Support to enable this feature.
  • Content Control policies don’t apply to phones or WPD devices.
    1. In the Netskope UI, go to Policies > Endpoint Protection.
    2. Click the Content Control tab.
    3. Click New Content Control Policy.
    4. On the Endpoint Content Control Policy page:
      • Endpoint Protection: Select any of the following criteria for by the policy:
        • Users: Select the users, user groups, or organizations affected by the policy. Click + Exclusions to select the users, user groups, or organizations you want to exclude from the policy.
        • Device Classification: Choose to apply the policy to managed or unmanaged devices. You also can click The Settings icon. to to go to the Device Classification page and configure rules.
        • Note

          Device Classification is only supported on Netskope Client devices running version 110.0.0+. This policy won’t be enforced on devices running older Netskope Client versions.

      • Destination: Select USB Storage Device and/or Printer (Windows) for the content destination.
        • Any: Select to apply this policy to all corporate sanctioned and unsanctioned USB storage devices.
        • Matches: Select the constraint profiles that contain the USB devices you want to include in the policy. For example, you can select a constraint profile that includes corporate sanctioned devices you want to limit access to. Click + Create New to create a new constraint profile. This policy only applies to devices that match the selected constraint profiles.
        • Does not match: Select the constraint profiles that contain the USB devices you want to exclude from the policy. For example, you can select a constraint profile that includes all corporate sanctioned devices. Click + Create New to create a new constraint profile. This policy only applies to devices that don’t match the selected constraint profiles.
      • File: Select the file information for the policy.
        • File Profile: Select the file profiles that define the files you want to allow or block users from copying to a USB storage device. Click The Netskope Add icon. to create a new file profile. You also can click The Settings icon. to go to the File Profile page.
        • File Origin: Select the predefined or custom applications and application instances that contain files you want to allow or block users from copying to a USB storage device. Under Exceptions, you can select the application instances you want to exclude from this policy. You also can click The Settings icon. to to go to the App Definition page and configure a custom app.
      • Profile & Action: Select the DLP profiles you want to use to inspect files for violations, and configure an action for each profile.
        • Allow: Select to allow users to transfer files that have no DLP violations from the USB storage device.
        • Alert: Select to receive alerts about files that are transferred to the USB storage device and contain DLP violations.
        • User Alert: Select to send a default or custom notification message to users when they transfer files with DLP violations to a USB storage device. Click + Create Template to create a notification message that allows them to proceed after they justify their reasons.
        • Block: Select to prevent users from transferring files to the USB storage device, and send a default or custom notification message to users when they transfer files with DLP violations. Click + Create Template to create a notification message that teaches them to adhere to your data policy.
      • Set Policy: Enter a policy name. You can only use alphanumeric characters and symbols such as underscore (_), dash (-), and square brackets ([ ]). You cannot use the greater-than (>) or less-than (<) symbols in policy names. Optionally, You can click + Policy Description to add notes or information.
      • Status: Enable or disable the policy.
      The configured Endpoint Content Control Policy page.
    5. Click Save and then click Apply Changes.

    Configuring the Content Control Policy Settings

    You can configure the fallback settings when the Netskope cloud can’t perform content inspection for an endpoint because it’s offline, the file size is too large, or there’s a system error.

    To configure the Content Control policy settings:

    1. In the Netskope UI, go to Policies > Endpoint Protection.
    2. Click the Content Control tab.
    3. Click Settings.
    4. In the Content Control Policy Settings window:
      • When endpoint is offline: Allow or block files from being copied to an endpoint device when the device is disconnected from the internet.
      • When file size exceeds DLP scan limit: Allow or block files from being copied to an endpoint device when the file size is larger than the DLP scan limit.
      • When system error occurs: Allow or block files from being copied to an endpoint device when there is a system error.
      The configured fallback actions in the Content Control Policy Settings window.
    5. Click Save and then click Apply Changes.
    Share this Doc

    Endpoint Data Loss Prevention

    Or copy link

    In this topic ...