Best Practices for Deploying the On-Send Web Add-in for Outlook on Windows and macOS Endpoints

Before you deploy the on-send web add-in for Outlook on Windows endpoints, review the best practices that are listed in this topic.
Unless indicated otherwise, the best practices are common to both Windows and macOS endpoints.
  • Make sure that Symantec Data Loss Prevention 16.1 or later is successfully deployed on the endpoints and on the Enforce Server.
  • Make sure that you have an active Microsoft Outlook 365 subscription.
  • For Windows endpoints, make sure that Outlook version 1.2024.925.200 or later is installed on the endpoints.
  • For macOS endpoints, make sure that Outlook version 16.30 or later is installed.
    Support for Microsoft Purview, formerly known as Microsoft Information Protection, requires Outlook version 16.88 or later.
  • Make sure that one of the following ports is open and available on the endpoints:
    • 4631
    • 4641
    • 4651
    The opened port gets bound to the loopback address and is not accessible over the network.
  • Make sure that the URL of the add-in server (https://officeapp.endpoint.dlp.protect.symantec.com) is added to the allow list in your organization's Internet firewall. After deployment, the add-in downloads various resources that it needs to function from the add-in server.
  • If you are monitoring Outlook Web Access, make sure to add the URL to the allow list to avoid generating duplicate incidents from both the Outlook application and the HTTPS browser channels.
  • Do not sideload the add-in. The add-in might not function if you deploy it that way.
  • Make sure that the on-send feature for add-ins is enabled in Outlook. For more information, see https://docs.microsoft.com/en-us/office/dev/add-ins/outlook/outlook-on-send-addins?tabs=classic#enable-the-on-send-feature
  • Mailbox users should not be allowed to disable or remove the add-in.
  • For macOS endpoints, do not remove the truststore certificate used by the add-in from the keychain. If you remove the truststore certificate from the keychain, Outlook monitoring becomes disabled, and it could take up to 75 minutes for the agent state to change to critical in the Enforce Server administration console.
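
The port requirement above (4631, 4641, or 4651, bound to loopback only) can be checked on an endpoint with a short script. The following is an added example, not Symantec code; it assumes Python 3 is available on the endpoint, and the function names are hypothetical. Before deployment at least one port should report "free"; after deployment the port in use should report "loopback-only".

```python
import socket

DLP_ADDIN_PORTS = (4631, 4641, 4651)  # candidate ports listed on this page

def can_bind(port, host="127.0.0.1"):
    """True if nothing holds host:port yet (the expected pre-deployment state)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False

def accepts(host, port, timeout=1.0):
    """True if a TCP listener accepts a connection on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def primary_ip():
    """Best-effort non-loopback IPv4 address of this host, or None.
    connect() on a UDP socket only selects a route; no packet is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("192.0.2.1", 9))  # TEST-NET-1 address, never contacted
            ip = s.getsockname()[0]
        except OSError:
            return None
    return None if ip.startswith("127.") else ip

def classify(port, lan_ip=None):
    """Return 'free', 'loopback-only', 'exposed', or 'unavailable'."""
    if can_bind(port):
        return "free"
    if not accepts("127.0.0.1", port):
        return "unavailable"    # port is held, but not by a loopback listener
    if lan_ip and accepts(lan_ip, port):
        return "exposed"        # listener also answers on a network address
    return "loopback-only"

if __name__ == "__main__":
    ip = primary_ip()
    for p in DLP_ADDIN_PORTS:
        print(p, classify(p, ip))
```

A result of "exposed" or "unavailable" on all three ports means another process is holding them and should be investigated before the add-in is deployed.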