Data Loss Prevention

 View Only

  • 1.  Mac Only Response Rule

    Posted Apr 30, 2020 12:17 PM
    Edited by 54 Apr 30, 2020 12:37 PM

    The response rule "Endpoint Prevent: User Cancel" is only supported on Windows.  If a user on a Mac triggers the same policy the traffic is allowed. I cannot find a way to put a condition on RR based on agent OS.  I can't find a "Stop Processing Rules" trigger either.

    I am trying to create the following RR's for a single Endpoint policy

    1. Endpoint Prevent: User Cancel (Windows)
    2. Endpoint Prevent: Notify (Mac)

    DeviceID only looks at removable media not the OS.  

    Anyone got a clever idea on this one?

    ------------------------------
    If it were easy it would have been done already. -Peter H. Diamandis
    ------------------------------


  • 2.  RE: Mac Only Response Rule

    Posted May 01, 2020 02:27 PM
    Edited by Maveryc May 01, 2020 02:27 PM
    Why not use two policies, one for Windows and one for Mac?



    Original Message


  • 3.  RE: Mac Only Response Rule

    Posted May 01, 2020 04:42 PM
    That would work if I could figure out how to specify an OS in an endpoint policy.  Any tricks?

    ------------------------------
    If it were easy it would have been done already. -Peter H. Diamandis
    ------------------------------

    Original Message


  • 4.  RE: Mac Only Response Rule

    Posted May 04, 2020 03:39 PM
    Edited by Maveryc May 04, 2020 03:38 PM
    I don't think you can specify an OS directly in the policy. You could create a policy group specific for MacOS policies and then assign that policy group to a specific server. And then put all the MacOS machines on that server.

    This is not an easy solution and would require some effort, but it's the only way I can think of to accomplish what you're trying to do.



    Original Message


  • 5.  RE: Mac Only Response Rule

    Posted May 04, 2020 06:25 PM

    I think you're right.  We are probably going to do this with the next upgrade. 

    We did notice one possible trick.

    • Windows - User Name = {DOMAIN}\,{DOMAIN2}\,
    • Macintosh - User Name = {Last char of asset tag}\{first char of samaccountname} 
    It looks ugly but it seems to work.  Just need to let if chug along for a few days to see if there are any gotcha's.
    Original Message


  • 6.  RE: Mac Only Response Rule

    Posted Jun 18, 2020 06:39 AM
    Edited by Krista Rivera Jun 20, 2020 03:37 AM
    i agree We are probably going to do this with the next upgrade
    Your information is very interesting. Thank you for sharing
    Original Message