Activating the DLP Cloud Service via the Cloud Management Portal (CMP)

Article ID: 184719


Products

  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Package
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service for REST
  • Data Loss Prevention
  • CASB Securlet SAAS With DLP-CDS
  • Symantec ZTNA
  • Web Isolation Cloud
  • Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

You have purchased the Cloud Service for DLP and want to activate it. You have been sent a link to the Data Loss Prevention (DLP) Cloud Management Portal (CMP).

Note: upcoming changes are scheduled for the CMP, including a name and location change for the portal. For more information on that, please see: Upcoming changes to Cloud Management Portal (CMP).

Environment

  • Data Loss Prevention Cloud Detection Service (aka a "CDS"), whether for the CloudSOC, for WSS, or for a Custom REST Detector
  • Data Loss Prevention Cloud Service for Email
  • CloudSOC Tenant, aka CASB
  • Additional Cloud Detectors of the same type on a single Enforce (same region)

Note that the above detector types can also be configured in a "Cloud Managed DLP" option, but those detectors do not use enrollment bundles.

  • "Enforce Managed" detectors require enrollment bundles in order to bind the service to an on-premises Enforce Server.
  • "Cloud Managed" detectors do not - they are bound to your CloudSOC Tenant via a different process, which is performed by the Cloud Operations teams.

Cause

You have purchased the Cloud Service, but do not have a bundle that will let you enroll with the service.

Resolution

For clarification, all customers of the DLP Cloud Service need to log in to the CMP in order to gain access to the Cloud Service: https://cmp.protect.broadcom.com/

Below are the steps you will need to follow in order to get your Cloud Service "provisioned" - and to receive your enrollment bundle:

  1. Purchase the Cloud Service.
  2. Confirm receipt of a "Welcome email" directing you to log in to the Cloud Management Portal.
    • FYI: The CMP account as set up uses the same SSO method to sign in as the account you would use to access your Support cases on the Broadcom portal (e.g., you need an account in Okta).
    • Once successfully logged in to the CMP, your account will appear as "Enabled" to the Technical Support teams. Otherwise, it shows up as "New" and we will advise you to complete this step.
  3. Next, you need to verify the setup of the Cloud Detection Service needed.
    The details submitted will vary somewhat with each type of Cloud Detector:
    • For ALL Detector types: The email address of a DLP "Admin". The Cloud Operations team may use this info to contact you and your team directly, for example in the event of an issue with your Cloud Service. Thus, this should not be an individual email address - we suggest you use a Distribution List.
    • For ALL Detector types: The region where you need your Detector to be "housed" - either EMEA or US. At this time, APJ customers should choose the US region.
    • For Cloud Service for Email entitlements, you need to verify your email setup or mailflow - designating the MTA you will be using with the Cloud Service. It needs to be one of the following supported configurations:
      • Forwarding mode - the "next hop" after DLP is Email Security.cloud - aka "MessageLabs". Note: Customers need to provide their Email Security.cloud user name as part of this configuration. This is also known as the "Clientnet" ID [Detector MIN CREF], and is always 3 letters followed by 4 numerals, e.g., ABC1234:
        • G-Suite/Google for Work Gmail => DLP Cloud Service for Email => Email Security.cloud
        • O365 => DLP Cloud Service for Email => Email Security.cloud
      • "Hybrid" mode - also a "Forwarding mode" option: a Hybrid mode Detector will accept messages from your on-prem Exchange or from your O365 tenant:
        • Exchange / O365 => DLP Cloud Service for Email => Email Security.cloud
      • Reflecting mode - only available for customers of O365/M365: no Email Security.cloud integration is needed; instead, messages go back to O365 for final transport and delivery:
        • O365 => DLP Cloud Service for Email => O365
      • NOTE: there are no other supported configurations for the Cloud Service for Email at this time. 
  4. Until you actually submit its configuration, the status of your entitlements will have a wrench icon:
    • When you've successfully submitted your configuration its status will change to this icon:

      At this point, your new Cloud Detector should be provisioned within 1-2 business days.

When provisioning is complete, the Cloud Operations team will send a second Welcome Email to the DLP Admin as submitted above - including the Enrollment Bundle and configuration details.

The bundle email will be sent from "[email protected]".

*Until the configuration has been submitted as above, no provisioning will have occurred, and no bundle can be issued.*

 

For multiple detectors of the same type on a single Enforce:

Starting in version 16.x, you are able to add additional detectors of the same type to a single Enforce, for example a second CASB detector alongside an existing CASB detector on the same Enforce. However, in order for this to work, both detectors of the same type must be provisioned on the same account, and in the same region. This currently does not work if detectors are in different regions, but this may be resolved in a future release.

Additional Information

Customers using DLP and CASB must have a CASB Tenant provisioned before submitting their "DLP CDS for CASB" entitlement.

As noted in the "Environment" section above, customers who've requested Cloud Managed DLP detectors will not receive an enrollment bundle. For more info about submitting a Cloud Managed DLP detector, see You want to have a Cloud-Managed DLP CDS provisioned (broadcom.com).

If you've already completed the steps above, and for any reason need a new enrollment bundle for your on-premises detector, please contact Technical Support. As per this article, the bundle generation feature is not currently working in the CMP.

Note: if you do not see the DLP entitlements in your CMP account and you have a PLA license, additional steps may be required: You have a PLA for DLP but do not see any entitlements for it in the Cloud Management Portal (broadcom.com).