Using the User Cancel Response Rule and the ESF Timeout for macOS Endpoints

macOS endpoints have a maximum Endpoint Security Framework timeout limit that affects the User Cancel pop-up notification timer for DLP Agents.
The timer that appears in the User Cancel pop-up notification can be different from the default 60-second timer. On the macOS platform, the DLP Agent monitors sensitive operations using the Apple Endpoint Security Framework.
For most sensitive operations, except Outlook and Clipboard paste monitoring, the macOS platform enforces a maximum time limit for completing the operation. This time limit is called the ENDPOINT_SECURITY_FRAMEWORK timeout limit or ESF timeout. The DLP Agent must complete all tasks within the time limit.
The macOS platform determines the ESF timeout value, which is a deadline value. For information about the event deadline, refer to the Apple Developer Documentation.
The DLP Agent must respond to the event before the deadline. For an end user to respond to an event, the time available for a response is less than the value configured in the Advanced Agent settings. By default, the value that is configured in the following advanced settings is 60 seconds:
  • PostProcessor.FILE_SYSTEM_USER_RESPONSE_TIMEOUT.int
  • PostProcessor.OTHER_USER_RESPONSE_TIMEOUT.int
Using the following method, the DLP Agent calculates the actual time that appears in the User Cancel pop-up notification:
  1. Calculate the User Cancel Window time using:
    ESF Timeout – DLP Agent processing time
  2. Compare the User Cancel Window time with the Advanced Agent settings value of the channel that is monitored. The lower value takes precedence. The time appears in the User Cancel pop-up notification. A countdown begins when the notification appears.
When a task exceeds the permitted time limit, the DLP Agent generates an audit incident. In this case, there is no User Cancel pop-up notification.
After generating an audit incident, one of the following Agent Response values appears on the Endpoint Incident Snapshot page.
  • Allowed on Timeout: Configured Action was User Cancel Block
    In this case, PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int is set to 1 to block the action.
  • Allowed on Timeout: Configured Action was User Cancel Notify
    In this case, PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int is set to 0 to allow the action.
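The following added example models the calculation and timeout behavior described above so that an administrator can predict which timer or Agent Response to expect. It is not DLP Agent code: the function, class, and parameter names are hypothetical, the sample timings are constructed, and "exceeds the permitted time limit" is modeled as no time remaining before the ESF deadline.

```python
# Added illustration of the timer calculation described on this page.
# Not DLP Agent code; all names here are hypothetical.
from dataclasses import dataclass
from typing import Optional

# Channels the page lists as not subject to the ESF timeout.
ESF_EXEMPT_CHANNELS = {"Outlook", "Clipboard Paste"}

# Agent Response values quoted from the page, keyed by the value of
# PostProcessor.NOTIFY_WITH_CANCEL_DEFAULT_ACTION.int
AGENT_RESPONSE_ON_TIMEOUT = {
    1: "Allowed on Timeout: Configured Action was User Cancel Block",
    0: "Allowed on Timeout: Configured Action was User Cancel Notify",
}

@dataclass
class Outcome:
    popup_seconds: Optional[float]  # None means no pop-up is shown
    agent_response: Optional[str]   # set only when an audit incident is generated

def user_cancel_outcome(channel, esf_timeout, processing_time,
                        configured_timeout=60, default_action=1):
    """Return what the end user sees for one sensitive operation (seconds)."""
    if channel in ESF_EXEMPT_CHANNELS:
        # No ESF deadline applies; the configured setting is used as is.
        return Outcome(float(configured_timeout), None)
    # Step 1: User Cancel Window = ESF Timeout - DLP Agent processing time
    window = esf_timeout - processing_time
    if window <= 0:
        # Assumption: the task exceeded the limit, so the agent raises an
        # audit incident and shows no pop-up.
        return Outcome(None, AGENT_RESPONSE_ON_TIMEOUT[default_action])
    # Step 2: the lower of the window and the configured setting is displayed.
    return Outcome(float(min(window, configured_timeout)), None)

if __name__ == "__main__":
    # Constructed sample values; macOS sets the real deadline per event.
    samples = [("Removable Storage", 30, 6), ("Print", 30, 31),
               ("Outlook", 30, 6), ("Cloud Storage", 90, 10)]
    for channel, esf, busy in samples:
        print(channel, user_cancel_outcome(channel, esf, busy))
```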

ESF Timeout Testing Result

Tests were conducted in the Broadcom lab environment covering various endpoint monitoring channels with large file sizes and file types, including Microsoft Office, PDF, ZIP, and so on.
The following lists the ESF timeout values that are observed while testing for various endpoint monitoring channels:
Endpoint monitoring channels:
  • Removable Storage
  • Print
  • All applicable HTTPS channels, except Clipboard Paste operations
  • Application File Access Channel (AFAC)
  • Cloud Storage
  • Copy to Share
User Cancel pop-up notification timeout value in seconds: Can be in the range from 20 to 30 seconds for files ranging in size from 1 MB to 30 MB.

Endpoint monitoring channels:
  • Outlook monitoring
  • Clipboard Paste monitoring
User Cancel pop-up notification timeout value in seconds: 60