Selecting endpoint destination channels to monitor

Administrator Help | Forcepoint DLP | Version 8.5.x

Endpoint data sent to destination channels like removable media (including USB drives, CD/DVD, and other external drives), the Web, printers, and software applications can be monitored and analyzed.

To target a specific device, first add the device to the resources list:

Go to the Main > Policy Management > Resources page in the Data Security module of the Security Manager.

Click Endpoint Devices, then click New (see Defining Resources).

To select endpoint destinations for monitoring in a policy:

Go to the Main > Policy Management > DLP Policies page in the Data Security module of the Security Manager.

Click Manage Policies.

Do one of the following:

Click a policy and select Add > Rule

Click a rule and select Edit

Go to the Destination section for the rule.

Select from the following:

Select Endpoint Email to monitor outbound or internal email messages sent to specified destinations. By default, this option covers all endpoint destinations. To select destinations, click Edit.

The system analyzes all email messages sent from endpoint users, even if they send them to external webmail services such as Yahoo.


	Important For endpoint email to be analyzed, one or more internal email domains must be specified on the Email Domains tab of the Settings > General > Endpoint page.

For Windows, Forcepoint DLP can analyze endpoint email generated by Microsoft Outlook and IBM Notes. (Rules are not enforced on Notes messages if Notes is configured to send mail directly to Internet, rather than through the Domino server.)

The system supports the desktop version of Outlook 2010, 2013, and 2016 but not the Windows 8 touch version. Forcepoint DLP supports IBM Notes versions 8.5.1, 8.5.2 FP4, 8.5.3, and 9.

For macOS, the system can analyze endpoint email generated by Outlook 2011, Outlook 2016, and Apple Mail.

Forcepoint DLP can detect incidents in S/MIME encrypted messages sent from Outlook 2013 (Windows), Outlook 2016 (Windows), and Outlook 2016 (Mac).

Select Endpoint HTTP/HTTPS from the Channels drop-down list to monitor endpoint devices such as laptops, and protect them from posting sensitive data to the Web. This traffic can be monitored when endpoint machines are outside the network.

The endpoint software intercepts HTTP(S) posts as they are being uploaded within the browser. (It does not monitor download requests.)

For both Mac and Windows-based endpoints, the system analyzes posts from Internet Explorer, Firefox, and Chrome browsers.

The system does not support the HTTP destination channel on Linux endpoints.

For a list of supported browser versions, see the Certified Product Matrix.

Note that this destination is different from the Browsers destination, which looks at the data as it is being copied, pasted, or accessed. The system can monitor these operations on most browsers, such as Internet Explorer, Firefox, Safari, and Opera.

If Linking Service is active, URL category information is included in the incident (see Configuring Linking Service).

Select Endpoint printing to monitor data being sent from an endpoint machine to a local or network printer. The system supports drivers that print to a physical device, not those that print to file or PDF.

Select Endpoint application to monitor or prevent sensitive data from being copied and pasted from an application such as Microsoft Word or a web browser. This is desirable, because endpoint clients are often disconnected from the corporate network and can pose a security risk.

To prevent performance degradation when all activities on a rule's condition page are analyzed:

When files are saved to the browser's cache folders, the crawler analyzes only .exe, .csv, .xls/xlsx, .pdf, .txt, and .doc/.docx files.

When files are saved to any other local folder, it analyzes all file types.

The system can monitor copy and paste operations on most browsers, such as Internet Explorer, Firefox, Safari, and Opera.


	Note If a user's browser is open, new endpoint policies are not enforced on those browsers. Users must close and reopen their browser for new policies to take effect.

The applications that the system supports out of the box are found in the article Forcepoint DLP Endpoint Applications. Custom applications can also be defined.

Select Endpoint removable media to monitor or prevent sensitive data from being transferred to removable media. In the action plan, you define whether to block it, permit it, ask users to confirm their action, encrypt it with a profile key configured by administrators, or encrypt it with a password supplied by endpoint users. Here, define the devices to analyze.

The system monitors unencrypted data being copied to native Windows and Mac CD/DVD burner applications. It monitors non-native Windows CD/DVD burner applications as well, but only blocks or permits operations without performing content classification.

Non-native CD/DVD blocking applies to CD, DVD, and Blue-ray read-write devices on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012 endpoints.

Linux endpoint does not support CD/DVD burners.

On Windows 7, the system can also monitor unencrypted data being copied to Android devices through the Windows Portable Devices (WPD) protocol.

Select Endpoint LAN to monitor or prevent sensitive data from being transfered via a LAN connection to a network drive or share on another computer. Forcepoint DLP administrators can:

Specify a list of IP addresses, hostnames, or networks that are allowed as a source or destination for LAN copy.

Intercept data copied from an endpoint client to a network share.

Set a different behavior according to the endpoint type (laptop or other) and location (connected or not connected).

Endpoint LAN control is applicable to Microsoft sharing only.

Please note, if access to the LAN requires user credentials, files larger than 10 MB are handled as huge files which are only searched for file size, file name and binary fingerprint. Files smaller than 10 MB are fully analyzed.

The huge files limit for other channels is 100 MB.

Destination channels are supported as follows:

On Windows endpoints, all destination channels are supported.

The cut, copy, paste, file access, and download operations are not supported for cloud apps on Windows endpoints, however, when they are used through a Windows Store browser.

On Linux endpoints, only removable media is supported.

On Mac endpoints, all destination channels except the print channel are supported, with one exception: cloud apps are not supported.


Destination Channel	Windows	Mac	Linux
Email
Web HTTP/HTTPS
Printing
Applications
Removable media
LAN

For more information on monitoring destinations and protecting data on endpoints, see Custom Policy Wizard - Destination.