Enable Office Open XML content inspection on macOS endpoints

The macOS endpoint security framework requires special configuration for enabling DLP Agents to inspect Office Open XML content. You must create an MDM profile that grants the OOXMLHostApp process full disk access on macOS 10.14 and later.
For illustration purposes, the following instructions assume that you plan to use Jamf, an IT management application.
When you download the agent installer package from the Broadcom Product Downloads portal, the package contains a ready-to-use MDM configuration file that you can use with a management application like Jamf to perform several deployment tasks simultaneously. See Sample Jamf MDM configuration file for macOS endpoints.
  1. In Jamf, select a configuration profile.
  2. Navigate to Privacy Preferences Policy Control.
  3. Under App Access, in the Identifier field, enter
     /Library/Manufacturer/Endpoint Agent/OOXMLHostApp
  4. In the Identifier Type menu, select Bundle ID.
  5. In the Code Requirement field, enter the following:
     identifier OOXMLHostApp and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y2CCP3S9W7
     If you copy this information from the documentation, make sure that there are no extra line breaks when you paste it in the Code Requirement field.
  6. In the APP OR SERVICE table, add the following settings:

     APP OR SERVICE                  ACCESS
     SystemPolicyAllFiles            Allow
     SystemPolicyRemovableVolumes    Allow
     SystemPolicyNetworkVolumes      Allow

  7. Click Save.
You can refer to the System > Agents > Overview page of the Enforce Server administration console to view and troubleshoot any issues.
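
The following Python check is an added example, not part of the vendor's documentation or installer package. It reads an unsigned .mobileconfig export and reports where its Privacy Preferences Policy Control payload differs from the steps above, including a line break pasted into the Code Requirement. The function names and the constructed sample profile are assumptions made for illustration.

```python
import plistlib

# Values copied from the steps above.
IDENTIFIER = "/Library/Manufacturer/Endpoint Agent/OOXMLHostApp"
CODE_REQUIREMENT = (
    "identifier OOXMLHostApp and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = Y2CCP3S9W7"
)
SERVICES = ("SystemPolicyAllFiles", "SystemPolicyRemovableVolumes",
            "SystemPolicyNetworkVolumes")
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # PPPC payload type


def check_profile(data):
    """Return a list of mismatches; an empty list means the profile matches."""
    profile = plistlib.loads(data)  # unsigned export only; signed files are CMS-wrapped
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == TCC_TYPE]
    if not payloads:
        return ["no Privacy Preferences Policy Control payload"]
    problems = []
    for service in SERVICES:
        entries = [e for p in payloads for e in p.get("Services", {}).get(service, [])
                   if e.get("Identifier") == IDENTIFIER]
        if not entries:
            problems.append(f"{service}: no entry for {IDENTIFIER}")
        for e in entries:
            req = e.get("CodeRequirement", "")
            if "\n" in req or "\r" in req:
                problems.append(f"{service}: line break in CodeRequirement")
            elif " ".join(req.split()) != CODE_REQUIREMENT:
                problems.append(f"{service}: CodeRequirement differs from step 5")
            # Older profiles use Allowed (bool); newer ones use Authorization (string).
            if not (e.get("Allowed") is True or e.get("Authorization") == "Allow"):
                problems.append(f"{service}: access is not Allow")
    return problems


def sample_profile(code_requirement=CODE_REQUIREMENT, services=SERVICES):
    """Constructed sample profile for the check above (not the vendor's file)."""
    # "bundleID" is the profile value behind the Bundle ID menu choice in step 4.
    entry = {"Identifier": IDENTIFIER, "IdentifierType": "bundleID",
             "CodeRequirement": code_requirement, "Allowed": True}
    payload = {"PayloadType": TCC_TYPE,
               "Services": {s: [dict(entry)] for s in services}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


if __name__ == "__main__":
    print(check_profile(sample_profile()) or "profile matches the steps")
```

To check a real export, pass the file's bytes to check_profile, for example check_profile(open(path, "rb").read()).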