The Limit Incident Data Retention response rule action does not behave the same way for Mac OS endpoints as it does for Windows endpoints. This article describes the behavior for the response rule action for Mac OS systems.
The Limit Incident Data Retention response rule action enables you to retain the original message (including files and attachments) for Endpoint Prevent and Endpoint Discover incidents. If you don't use the response rule action, the Data Loss Prevention discards the original messages for endpoint incidents.
On Mac OS systems, the response rule action works for policies with the Notify response rule action, but not for policies with the Block response rule action.
The Limit Incident Data Retention action does not work for Application File Access channel.