The Sender/User based on a Directory Server Group policy condition does not detect on macOS DLP Endpoint Agents.
DLP Mac Endpoint agents on 15.x and later
This issue occurs when the Mac computer has not been joined to the Active Directory domain and the user logs in with a local Mac account rather than an AD account. If the Mac Endpoint Agent logs are at the FINER logging level or higher, you may see the following message, where mac_machine_name\local_user stands for the endpoint's machine name and the user's local account name:
05/23/2022 12:36:42 | 946848 | FINER | AgentServices.UserGroupResolver | User [mac_machine_name\local_user] is not validated as an AD user.
If you suspect this is the issue, enable the FINEST logging level on the agent and check for the following log entries:
08/31/2022 15:41:37 | 7854 | FINEST | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : AD Group Request for : [User:joe.bloggs , Domain:joes-MacBook-Pro]
08/31/2022 15:41:37 | 7854 | FINEST | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : Not found details in cache , Adding GroupResolution Task
08/31/2022 15:41:37 | 7854 | INFO | AgentServices.UserGroupResolver | Validating User: [joe.blogs , joes-macbook-pro]
08/31/2022 15:41:37 | 7854 | FINER | AgentServices.UserGroupResolver | User [joes-macbook-pro\joe.bloggs] is not validated as an AD user.
This series of log entries indicates that the user logged on to the endpoint as a local user rather than a domain user, so the directory group rules will not match as intended.
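As an added example (not part of this article or of the DLP product), the following Python check scans an agent log in the format quoted above and reports each user the agent could not validate as an AD user, together with the Domain value the agent used in its group request and whether that value is simply the endpoint hostname (the signature of a local-account login). It also checks that FINER/FINEST entries are present at all, since the diagnostic lines only appear at those levels. The embedded log lines are constructed to match the quoted format, and the regular expressions assume the exact message wording shown above.

```python
import re

# Constructed sample lines that follow the format quoted in the article; not a real agent log.
SAMPLE_LOG = """\
08/31/2022 15:41:37 | 7854 | FINEST | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : AD Group Request for : [User:joe.bloggs , Domain:joes-MacBook-Pro]
08/31/2022 15:41:37 | 7854 | FINEST | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : Not found details in cache , Adding GroupResolution Task
08/31/2022 15:41:37 | 7854 | INFO | AgentServices.UserGroupResolver | Validating User: [joe.bloggs , joes-macbook-pro]
08/31/2022 15:41:37 | 7854 | FINER | AgentServices.UserGroupResolver | User [joes-macbook-pro\\joe.bloggs] is not validated as an AD user.
08/31/2022 15:42:10 | 7854 | FINEST | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : AD Group Request for : [User:jane.doe , Domain:CORP]
"""

# One agent log line: "<date time> | <pid> | <level> | <component> | <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \| (?P<pid>\d+) \| "
    r"(?P<level>[A-Z]+) \| (?P<component>[\w.]+) \| (?P<msg>.*)$"
)
# "User [machine\user] is not validated as an AD user."
NOT_VALIDATED_RE = re.compile(
    r"User \[(?P<machine>[^\\\]]+)\\(?P<user>[^\]]+)\] is not validated as an AD user"
)
# "AD Group Request for : [User:<user> , Domain:<domain>]"
GROUP_REQUEST_RE = re.compile(
    r"AD Group Request for : \[User:(?P<user>[^ ,\]]+) , Domain:(?P<domain>[^\]]+)\]"
)


def parse_log(log_text):
    """Yield one dict per well-formed log line; lines that do not match the format are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def has_verbose_logging(log_text):
    """True if any FINER/FINEST entries exist; the diagnostic lines only appear at those levels."""
    return any(e["level"] in ("FINER", "FINEST") for e in parse_log(log_text))


def diagnose(log_text):
    """Return one finding per user the agent could not validate as an AD user.

    Each finding records the machine name from the log entry, the Domain value the
    agent used in its AD group request for that user (if seen), and whether that
    Domain is just the endpoint hostname rather than an AD domain.
    """
    entries = list(parse_log(log_text))
    requests = {}
    for e in entries:
        m = GROUP_REQUEST_RE.search(e["msg"])
        if m:
            requests[m.group("user").lower()] = m.group("domain")
    findings = []
    for e in entries:
        m = NOT_VALIDATED_RE.search(e["msg"])
        if not m:
            continue
        user, machine = m.group("user"), m.group("machine")
        domain = requests.get(user.lower())
        findings.append({
            "timestamp": e["ts"],
            "user": user,
            "machine": machine,
            "request_domain": domain,
            "domain_is_hostname": domain is not None and domain.lower() == machine.lower(),
        })
    return findings


if __name__ == "__main__":
    if not has_verbose_logging(SAMPLE_LOG):
        print("No FINER/FINEST entries; raise the agent logging level and collect the log again.")
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['timestamp']}: {f['machine']}\\{f['user']} not validated as an AD user; "
              f"group request domain={f['request_domain']!r} "
              f"(hostname used as domain: {f['domain_is_hostname']})")
```

Run it against a real agent log by replacing SAMPLE_LOG with the file contents; a finding whose request_domain equals the machine name confirms the local-account login described in this article, while a finding with a genuine AD domain name points to a different cause and should be investigated separately.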
To resolve this, the Mac computer must be joined to the Active Directory domain and the user must log in to the Mac with their Active Directory account.
Refer to the official documentation:
The condition Sender/User based on a Directory Server Group matches policy violations based on message senders and endpoint users synchronized from a directory group server. You can implement this condition in a policy group (identity) rule or exception.
NOTE: If the identity being detected is a user, the user must be actively logged on to a DLP Agent-enabled system for the policy to match.
Mac DLP Agents support Described Content Matching (DCM), which includes detection through data identifier, regular expression, and keyword rules. Mac DLP Agents support Indexed Document Matching (IDM). Mac DLP Agents support Directory Group Matching (DGM) for User Group-based policies, limited to the condition Sender/User based on a Directory Server Group rule. The agent also supports various response rules for Endpoint Prevent and Endpoint Discover.