Policies that contain two-tier Detection (TTD) conditions, such as the following, will not generate incidents:
for endpoints, where two-tier detection is not supported, such as:
DLP 16.x on any of the following:
This is due to a design change in DLP 16.0.
As of DLP 16.0, policies that require two-tier detection can be evaluated only at the detection server. On endpoints where two-tier detection is not supported, such policies will not generate incidents. In other words, they will not work on Mac and Linux endpoints, and eDAR scans for Windows.. See also: Changes in the 16.0 Policy Evaluation Engine (broadcom.com)
Customers can use Policy Groups to separate policies with TTD conditions and policies without TTD conditions. Then, the non-TTD Policy Groups can be used for eDAR targets for all platforms including Windows, and detection servers managing macOS and Linux agents.