Mac agent removable storage features

This section provides information about the removable storage features that are supported and not supported for the Mac DLP Agent.
Mac agent removable storage features
Supported:
  • Removable storage file systems include HFS+ (all versions of macOS Extended), FAT, exFAT, and APFS
  • File type filters applied based on file extension
  • USB devices mounted as mass storage device
  • USB 2.0 and 3.0 removable storage devices
  • File copy operations, including support for these applications: Finder and Terminal
  • Documents that are saved to removable storage using a Save As operation from the following applications:
    • Microsoft Office 2016 and later
    • Microsoft 365
    • TextEdit
    • Preview
    • Archive Utility
    • Acrobat Reader
  • Sensitive files that are blocked are automatically moved to the File Recovery location
  • Restoring files
Not supported:
  • True file type filtering. The Mac agent does not perform a file signature match when it filters on certain file types. The agent uses the file extension to apply file type filters.
  • Configurable recovery file path. When a block response rule is applied, sensitive files are moved to the recovery folder on the Mac endpoint. This recovery folder is at $HOME/My Recovered Files, where $HOME is the endpoint user's home directory. The file is saved in the recovery location to prevent a complete loss of the file. The recovery location is specified in the Block pop-up.
  • File copies to NTFS removable storage file systems
  • File types for iWork 2013 and higher
  • USB 1.0 removable storage devices
  • Response rule pop-ups when sudo commands are used to move sensitive files to removable storage devices. Detection occurs, appropriate response rules are executed, and default pop-up responses are sent.
  • File transfers over Media Transfer Protocol (MTP)
  • Pop-up when command-line terminals (for example, SSH client) from remote machines are used to move sensitive files to removable storage devices
  • Actual file names in incidents for Microsoft Office files. When an Office file is saved to a removable storage device using a Save As operation, the Mac agent displays the actual file name in the incident. For other applications, the Mac agent might capture a temporary file name that macOS creates during the Save As process.
  • When an Excel file is saved to a removable storage device using a Save As operation, the contents of the saved file are not monitored.
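Because the agent applies file type filters by extension and does not match file signatures, a separate content check can complement it. The following is an added example, not part of the product or its documentation: it walks a directory (for instance a mounted volume, which is an assumption here) and reports files whose leading bytes disagree with their extension. The signature table and all function names are constructed for illustration.

```python
from pathlib import Path

# Constructed, deliberately small table: leading magic bytes -> extensions that
# legitimately carry them. Extend it for the file types your policies filter on.
SIGNATURES = {
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},            # ZIP / OOXML
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".doc", ".xls", ".ppt"},  # OLE2
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
}
MAX_MAGIC = max(len(magic) for magic in SIGNATURES)


def sniff(path):
    """Return the extensions consistent with the file's magic bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(MAX_MAGIC)
    for magic, extensions in SIGNATURES.items():
        if head.startswith(magic):
            return extensions
    return None


def audit(root):
    """Return (path, extension, expected_extensions) for every mismatch under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            expected = sniff(path)
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        ext = path.suffix.lower()
        # Unknown signatures are not flagged; only a recognized type under
        # an extension that does not belong to it is reported.
        if expected is not None and ext not in expected:
            findings.append((str(path), ext, sorted(expected)))
    return findings


if __name__ == "__main__":
    import sys
    for found, ext, expected in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{found}: extension {ext or '(none)'} but content matches {'/'.join(expected)}")
```

Files with an unrecognized signature are left alone, so the output lists only recognized content stored under an extension that does not belong to it.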
The following known issues apply to the Mac DLP Agent support for removable storage.
Removable storage known issues
  • Description: A file copy operation of multiple files using Finder is blocked when one file contains sensitive data.
    Workaround: None
  • Description: Sensitive files that have been recovered may no longer contain Spotlight metadata, such as comments.
    Workaround: None
  • Description: If a keyword policy that uses a Block response rule detects sensitive information being moved from a Mac endpoint to a removable storage device and the sensitive information is found in a package file (for example, .pkg, .dmg, or .lpdf), the sensitive file is blocked and the rest of the package file is moved to its intended destination. This often causes the package file to become corrupt.
    Workaround: None