Data loss prevention policies let you specify which information should be protected within your organization by setting up rules and using mechanisms like data matching, sensitivity labels and trainable classifiers. Defining what should be protected and how to detect sensitive information is only part of the DLP equation.  A full solution needs to monitor, or at least attempt to monitor, all points where information can leave an organization’s borders and any other boundaries defined by DLP policies.

DLP measures designed to monitor information movement via the internet or email don’t cover all the bases, especially in cloud environments where online services such as OneDrive blur the line between what is part of an organization’s domain and what isn’t. And let us not forget old school data exfiltration via physical media such as USB drives or printing documents. As it is with most scenarios that prevent a range of activities, the best place to catch them is close to the source. 

Endpoint data loss prevention can monitor and protect users’ computers after the devices have been onboarded with Microsoft Purview. Windows 10, version 1809 and newer, Windows 11, and macOS devices, the three latest versions can be protected by DLP policies. In addition, what users do with sensitive information can be monitored with activity explorer.

The following table tells us which endpoint activities are supported on which platforms and whether the activities are auditable, restricted, or both. Browser activity is monitored in accordance with data loss prevention policies. That means monitoring both domains being accessed, and the browser used to access them. Unallowed browsers as specified in DLP settings will have users redirected to use Microsoft Edge. As a Microsoft product integrated with the DLP ecosystem Edge can apply policy settings where third party browsers cannot. Endpoint can detect when users attempt to copy and paste data from protected content. This includes between and within office app processes as in, Word, Excel, and PowerPoint. Both activities are auditable and can be restricted on Windows and macOS.

Copying to a removable USB drive and a network share, along with printing a protected item is auditable and can be restricted on both Windows and macOS.

In a similar vein, copying to a remote desktop session and to a Bluetooth app is auditable and restricted, but only on Windows devices. Like browsers, unallowed Bluetooth apps are defined within DLP settings. Endpoint can record but not restrict the creation and renaming of an item on both platforms.

Regardless of DLP policy matching, Word, PowerPoint, Excel, and PDF files will be monitored, and activities audited. If “Always audit file activity for devices” is on in endpoint DLP settings, then CSV files will also be audited even if the device is not a target of a DLP policy. Turning off “Always audit file activity for devices” will only monitor data when there is a policy match. 

In addition to office files, text files of various formats, including rich text format, can be monitored. Interestingly source code files for C, C++, C#, and Java can also be monitored, which makes sense in terms of protecting intellectual property. 

File activity is monitored based on MIME type, not the file extension as shown in Windows Explorer, meaning activity will still be captured even if the file extension is changed for Word, Excel, PowerPoint, and PDF files. Other file types will continue to be monitored only if their extension is changed to a supported file type.

Collection and transmission of telemetry data from machines to Microsoft Purview’s endpoint DLP solution is accomplished by enabling device management. Device management onboards computers, which are called locations in endpoint DLP policy parlance. Machines can be onboarded or offboarded with a variety of scripts. The scripts cater to scenarios from running locally on a small number of machines to group policy or onboarding non-persistent virtual machines. Devices onboarded via Microsoft Defender for Endpoint will be visible in the device list, but you’ll need to turn on device monitoring to have endpoint DLP functionality enabled.

With regards to Microsoft Intune. Enrolment is not onboarding, but enrolment is a prerequisite to onboarding. To quote Microsoft, “If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.”

As I said earlier, Windows machines need to be running Windows 10 x64 version 1809 or later or Windows 11. Antimalware client 4.18.2110 or newer must be installed but doesn’t have to be active. Although real-time protection and behavior monitoring must be enabled. Devices must be either Azure active directory joined, hybrid AD joined, or Azure AD registered.

As far as macOS is concerned, Intel x64 and Apple silicon are supported. MacOS machines must already be managed via Intune or JAMF Pro or one of their Microsoft Defender for Endpoints subvariants.

 

Here we have a list of Microsoft 365 subscriptions and add-on SKUs that will enable you to use endpoint DLP functionality. As you can see, they’re all A5 or E5 products. You can, of course, sign up to the Microsoft Purview Compliance trial to try before you buy.