Endpoints that do not support Two-Tier Detection do not generate incidents for policies with Two Tier Detection conditions

Article ID: 274576

Products

Data Loss Prevention Endpoint Discover

Issue/Introduction

Policies that contain Two-Tier Detection (TTD) conditions, such as the following, will not generate incidents on endpoints where TTD is not supported:

  • EDM
  • Recipient matching on Active Directory
  • Recipient matching on EDM
  • Two-tier IDM partial matching

This affects endpoints where two-tier detection is not supported, such as:

  • Mac
  • Linux
  • eDAR scan on Windows

Environment

DLP 16.x on any of the following:

  • macOS
  • Linux
  • eDAR scan on Windows

Cause

This is due to a design change in DLP 16.0.

As of DLP 16.0, policies that require two-tier detection can be evaluated only at the detection server. On endpoints where two-tier detection is not supported, such policies will not generate incidents. In other words, they will not work on Mac and Linux endpoints or in eDAR scans on Windows. See also: Changes in the 16.0 Policy Evaluation Engine (broadcom.com)

Resolution

Customers can use Policy Groups to separate policies with TTD conditions and policies without TTD conditions. Then, the non-TTD Policy Groups can be used for eDAR targets for all platforms including Windows, and detection servers managing macOS and Linux agents.