After copying a file from an MTP device, such as an Apple iPhone or Android device, and then deleting the file from the device, the DLP system triggers an incident for the removable media channel.

DLP 15.x, 16.x

This is a known limitation and is working as designed.

The limitation stems from the operating systems and the MTP API. When a file is deleted for the first time, the OS maps the file back to the copied version on the local drive, causing the MTP API to read the file from the local drive. As a result, the DLP system interprets this action as a copy to removable media event and scans the file.

After the initial access, the file mapping is updated, and the MTP API no longer attempts to access the local drive file.

Additionally, this issue may occur only with specific file types, such as .png files.

If there is a DLP block then, deleting the file a second time works around the issue without triggering the incident or block.