The three goals of this article are:
• Walk you through deploying a new basic keyword policy and response rule.
• Walk you through deploying the policy on an endpoint.
• Ensuring that the endpoint agent has received the policy and configuration.
Applicable to all DLP releases despite version.
Start by creating a "Policy Group" if you do not already have one that defines which servers your policies will be applied to.
In the Enforce console browse to System > Servers and Detectors > Policy Groups and click on "Add"
In this case we are working on policies for endpoints, so we will create a new Policy Group called "Endpoint Policy Group"
Select the servers that you wish for this policy group to apply to, in this case we only want this to apply to Endpoint Detection Servers.
Once you save the changes, the policy group has been created and you are now ready to start creating policies for this group.
In the Enforce console Browse to Manage > Policies > Policy List >
Click New
Click Add a blank policy.
Name your policy “in this example we will be creating a simple keyword policy named 'keywords' to test channels”
** make sure this policy is assigned to the correct Policy Group that we created above.
Click Add Rule.
Select “Content Matches Keyword” and hit next.
For rule name type “Keyword Detection Rule”.
In the Match Any section enter the keyword "purplemonkey"
Select Ok at the top of the screen.
And hit save.
To create an Exception is a very similar process.
Click "Add Exception" to create a new exception
Select "Content Matches Keyword" and hit Next
This time lets name the rule "Allow Exception"
In the Match Any section enter the keyword "allowdlp"
Select Ok at the top of the screen.
And hit save.
Now we will create the response rule not required but useful when testing.
Browse to Manage > Policies > Response
Click “Add response rule”
Select Automated Response and hit next.
For Rule Name we will use "Endpoint: Block".
In the action pull down under Endpoint select “Prevent: block”
Click add action.
Hit Save.
Now we add this to our policy.
Browse to Manage > Policies > Policy List
Click the 'keywords' rule we created.
Click the response tab.
In the pull-down "Endpoint: Block' that we created.
Hit add response.
In the top left hit save.
We now have a policy that will look for the keyword “purplemonkey" with an endpoint block that we can use to test with.
Testing Channels:
Browse to System > Agents > Overview and click the OK button to get to the agent list.
Notate what group and configuration your endpoint that you are testing with is in and ensure that it is reporting:
Now browse to System > Agents > Agent Configuration, and select the configuration you are testing with.
Now select the channels you are trying to test with, in this case, we will be testing Copy and Paste in Firefox:
Ensure the appropriate channels are selected.
Note that the paste function states (configured applications only)
Click the application monitoring tab, and click add application and select windows or mac.
Scroll down and select Mozilla Firefox, hit add, and click save.
Click Mozilla Firefox in the application menu
In the application monitoring settings change the functionality to paste, and hit OK.
Hit save in the agent configuration screen.
In the next screen select Apply Configuration.
Check mark the appropriate configuration group, and hit assign configuration.
Select your configuration and hit OK.
If you get an error stating that it is already assigned that is OK.
Now select the configuration again, and hit update configuration.
Notate the “last deployment date” and time of deployment.
Now Browse to Manage > Policies > Policy List
Notate the last Modified date and time for the corresponding policy.
Now let’s move to the endpoint machine we are testing with.
On the endpoint machine open a file explorer window, and browse to
C:\Program Files\Manufacturer\Endpoint Agent.
Or /Library/Manufacturer/Endpoint Agent for Mac.
We need to look at the time stamp on the cg.ead “Configuration” and ps.ead “Policy” and ensure that the date and time of both files is later than the date and time of the configuration and policy deployment.
Please note the cg.ead “configuration” is generally instantaneously delivered where the policy will wait until the next polling. Network traffic can also affect this and slow the process down.
Rebooting the agent will usually force a refresh and the files will be updated unless the agent is having trouble communicating with the endpoint server. "Please note: agents that are remote connecting via VPN will not get an automatic update upon reboot, you must wait for the polling interval to expire."
Now that we have verified that the agent has the updated policy and configuration files we can test the channel.
In this case we will open Firefox and browse to your desired testing site.
We will look for the HTTP post, and HTTPS post.
You will notice in this example you cannot copy the purple-monkey keyword as it is being blocked on copy, so copy functionality will need to be removed from the configuration in order to test.
Repeat the above steps to update the configuration and verify that the configuration was updated by looking at the date and time stamp on the endpoint.