Using the User Cancel Response Rule and the ESF Timeout for macOS Endpoints
macOS endpoints have a maximum Endpoint Security Framework timeout limit that affects the User Cancel pop-up notification timer for DLP Agents.
The timer that appears in the User Cancel pop-up notification can be different from the default 60-second timer. On the macOS platform, the DLP Agent monitors sensitive operations using the Apple Endpoint Security Framework.
For most sensitive operations, except Outlook and Clipboard paste monitoring, the macOS platform enforces a maximum time limit for completing the operation. This time limit is called the ENDPOINT_SECURITY_FRAMEWORK timeout limit or ESF timeout. The DLP Agent must complete all tasks within the time limit.
The macOS platform determines the ESF timeout value, which is a deadline value. For information about the event deadline, refer to the Apple Developer Documentation.
The DLP Agent must respond to the event before the deadline. For an end user to respond to an event, the time available for a response is less than the value configured in the Advanced Agent settings. By default, the value that is configured in the following advanced settings is 60 seconds:
- PostProcessor.FILE_SYSTEM_USER_RESPONSE_TIMEOUT.int
- PostProcessor.OTHER_USER_RESPONSE_TIMEOUT.int
Using the following method, the DLP Agent calculates the actual time that appears in the User Cancel pop-up notification:
- Calculate the User Cancel Window time using: ESF Timeout – DLP Agent processing time
- Compare the User Cancel Window time with the Advanced Agent settings value of the channel that is monitored. The lower value takes precedence. The time appears in the User Cancel pop-up notification. A countdown begins when the notification appears.
When a task exceeds the permitted time limit, the DLP Agent generates an audit incident. In this case, there is no User Cancel pop-up notification.
After generating an audit incident, one of the following Agent Response values appears on the Endpoint Incident Snapshot page.
- Allowed on Timeout: Configured Action was User Cancel Block. In this case, PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int is set to 1 to block the action.
- Allowed on Timeout: Configured Action was User Cancel Notify. In this case, PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int is set to 0 to allow the action.
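The timer calculation and the timeout outcome described above, modeled as an added example (not Broadcom's code). The function and class names are hypothetical, the ESF timeout and processing times in the sample scenarios are constructed, and treating a window of zero or less as the "task exceeds the permitted time limit" case is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Agent Response values shown on the Endpoint Incident Snapshot page, keyed by
# the value of PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int.
TIMEOUT_RESPONSES = {
    1: "Allowed on Timeout: Configured Action was User Cancel Block",
    0: "Allowed on Timeout: Configured Action was User Cancel Notify",
}


@dataclass(frozen=True)
class Outcome:
    popup_seconds: Optional[int]   # countdown shown to the user; None = no pop-up
    agent_response: Optional[str]  # set only when an audit incident is generated


def user_cancel_outcome(esf_timeout: int, processing_time: int,
                        configured_timeout: int = 60,
                        default_action: int = 1) -> Outcome:
    """Hypothetical model of the pop-up timer calculation (all times in seconds).

    configured_timeout stands for the monitored channel's setting
    (PostProcessor.FILE_SYSTEM_USER_RESPONSE_TIMEOUT.int or
    PostProcessor.OTHER_USER_RESPONSE_TIMEOUT.int), 60 by default.
    """
    if default_action not in TIMEOUT_RESPONSES:
        raise ValueError("default_action must be 0 or 1")
    # Step 1: User Cancel Window = ESF Timeout - DLP Agent processing time.
    window = esf_timeout - processing_time
    # Assumption: no time left before the deadline means the task exceeded the
    # limit, so an audit incident is generated and no pop-up is shown.
    if window <= 0:
        return Outcome(None, TIMEOUT_RESPONSES[default_action])
    # Step 2: the lower of the window and the configured value is displayed.
    return Outcome(min(window, configured_timeout), None)


# Constructed scenarios: (ESF timeout, processing time, default action).
SCENARIOS = [(30, 8, 1), (90, 5, 1), (25, 27, 0)]

if __name__ == "__main__":
    for esf, busy, action in SCENARIOS:
        print(esf, busy, user_cancel_outcome(esf, busy, default_action=action))
```

When reviewing incidents, an "Allowed on Timeout" Agent Response with no recorded user choice corresponds to the last scenario: the operation was allowed because the deadline passed, regardless of the configured default action.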
ESF Timeout Testing Result
Tests were conducted in the Broadcom lab environment covering various endpoint monitoring channels with large file sizes and file types, including Microsoft Office, PDF, ZIP, and so on.
The following lists the ESF timeout values that are observed while testing for various endpoint monitoring channels:
Endpoint monitoring channels | User Cancel pop-up notification timeout value in seconds |
| Can be in the range from 20 to 30 seconds for files ranging in size from 1 MB to 30 MB. |
| 60 |