What is the "Allowed on macOS Timeout: Configured Action was Block" Agent Response in the DLP Endpoint incident snapshot?

Article ID: 257810

Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention, Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Suite, Data Loss Prevention Enforce

Issue/Introduction

You've noticed in the DLP Enforce console some Endpoint incidents with an Agent Response field value of "Allowed on macOS Timeout: Configured Action was Block" and a small alarm clock icon, and you want to know what this means and when it occurs.

Environment

Release: 15.8, 16.x

Resolution

The "Allowed on macOS Timeout: Configured Action was Block" Endpoint Agent Response is specific to macOS DLP Endpoint Agents. It indicates that macOS timed out while waiting for the agent to perform detection. Once the timeout period is reached, the incident is still created, but the Block response rule is not triggered and the message is allowed, as indicated in the Agent Response field. In other words, the configured Block action was not enforced for that incident. The timeout period is hard-coded and cannot be changed.

In addition, you may notice that incidents can be filtered on the Agent Response field using the following values. Only the value described above is actually used, so these other three values will not return any incident results:

Allowed on macOS Timeout: Configured Action was Notify

Blocked on macOS Timeout: Configured Action was Block

Blocked on macOS Timeout: Configured Action was Notify

Additional Information

Endpoint Incident Snapshot

Endpoint Known Issues in 15.8