Sender/User based on a Directory Server Group policy condition does not detect on macOS DLP Endpoint Agents

Article ID: 243315

Updated On:

Products

Data Loss Prevention Core Package
Data Loss Prevention Endpoint Prevent
Data Loss Prevention

Issue/Introduction

The Sender/User based on a Directory Server Group policy condition does not detect on macOS DLP Endpoint Agents. 

Environment

DLP Mac Endpoint agents on 15.x and later

Cause

This issue occurs when the Mac computer has not been joined to the Active Directory domain and the user logs in with a local Mac account rather than an AD account. If the agent is at the FINER logging level or higher, you may see the following message in the Mac Endpoint Agent logs, where mac_machine_name\local_user stands for the endpoint's machine name and the user's local account name:

05/23/2022 12:36:42 | 946848 | FINER | AgentServices.UserGroupResolver | User [mac_machine_name\local_user] is not validated as an AD user.

If you suspect this is the issue, enable the FINEST logging level on the agent and check for the log entries below.

08/31/2022 15:41:37 |  7854 | FINEST  | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : AD Group Request for : [User:joe.bloggs , Domain:joes-MacBook-Pro]
08/31/2022 15:41:37 |  7854 | FINEST  | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : Not found details in cache , Adding GroupResolution Task
08/31/2022 15:41:37 |  7854 | INFO    | AgentServices.UserGroupResolver | Validating User: [joe.blogs , joes-macbook-pro] 
08/31/2022 15:41:37 |  7854 | FINER   | AgentServices.UserGroupResolver | User [joes-macbook-pro\joe.bloggs] is not validated as an AD user.

This series of log entries indicates that the user logged on to the endpoint as a local user rather than a domain user, so the group rules will not work as intended.
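To check an agent log for this condition in bulk, here is an added example (not from the article or the DLP product) that parses the log format shown above and flags users whose group resolution was handled as a local account. The sample lines are constructed to match the excerpt, and treating a Domain field equal to the machine's own hostname as a local-login signal is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the article's excerpt
# (timestamp | thread | level | component | message); not from a real host.
SAMPLE_LOG = """\
08/31/2022 15:41:37 |  7854 | FINEST  | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : AD Group Request for : [User:joe.bloggs , Domain:joes-MacBook-Pro]
08/31/2022 15:41:37 |  7854 | FINEST  | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : Not found details in cache , Adding GroupResolution Task
08/31/2022 15:41:37 |  7854 | INFO    | AgentServices.UserGroupResolver | Validating User: [joe.bloggs , joes-macbook-pro]
08/31/2022 15:41:37 |  7854 | FINER   | AgentServices.UserGroupResolver | User [joes-macbook-pro\\joe.bloggs] is not validated as an AD user.
08/31/2022 15:42:10 |  7854 | FINEST  | AgentServices.UserGroupResolver | GroupResolutionManagerImpl::GetUserGroups : AD Group Request for : [User:jane.doe , Domain:CORP]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \|\s*(?P<thread>\d+) \| (?P<level>\w+)\s*\| (?P<component>\S+) \| (?P<msg>.*)$")
REQUEST_RE = re.compile(r"AD Group Request for : \[User:(?P<user>[^\s,]+) , Domain:(?P<domain>[^\]]+)\]")
NOT_AD_RE = re.compile(r"User \[(?P<domain>[^\\\]]+)\\(?P<user>[^\]]+)\] is not validated as an AD user")

@dataclass
class Finding:
    user: str
    domain: str
    reason: str

def find_local_logins(log_text: str, hostname: str) -> list[Finding]:
    """Return users the agent treated as local (non-AD) accounts.

    Two signals are used: the explicit 'is not validated as an AD user'
    message, and (assumption) a group request whose Domain field is the
    machine's own hostname rather than an AD domain. The comparison is
    case-insensitive because the agent logs the hostname in both cases.
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["component"] != "AgentServices.UserGroupResolver":
            continue
        msg = m["msg"]
        if (n := NOT_AD_RE.search(msg)):
            findings.append(Finding(n["user"], n["domain"], "not validated as AD user"))
        elif (r := REQUEST_RE.search(msg)) and r["domain"].lower() == hostname.lower():
            findings.append(Finding(r["user"], r["domain"], "domain field is local hostname"))
    return findings

if __name__ == "__main__":
    for f in find_local_logins(SAMPLE_LOG, "joes-MacBook-Pro"):
        print(f"{f.user} ({f.domain}): {f.reason}")
```

Run it against a copy of the agent log with the endpoint's hostname; any finding means the Directory Server Group condition cannot match for that user until the Mac is domain-joined and the user logs in with an AD account.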

Resolution

The Mac computer needs to be joined to the Active Directory domain, and the user needs to log in to the Mac with their Active Directory account.

Refer to the official documentation:

1. Configuring the Sender/User based on a Directory Server Group condition:

The condition Sender/User based on a Directory Server Group matches policy violations based on message senders and endpoint users synchronized from a directory group server. You can implement this condition in a policy group (identity) rule or exception.
NOTE: If the identity being detected is a user, the user must be actively logged on to a DLP Agent-enabled system for the policy to match.

2. Overview of Mac agent detection technologies and policy authoring features:

Mac DLP Agents support Described Content Matching (DCM), which includes detection through data identifier, regular expression, and keyword rules. Mac DLP Agents support Indexed Document Matching (IDM). Mac DLP Agents support Directory Group Matching (DGM) for User Group-based policies, limited to the condition Sender/User based on a Directory Server Group rule. The agent also supports various response rules for Endpoint Prevent and Endpoint Discover.

Additional Information

Join your Mac to a network account server

Allow network users to log in to your Mac