Create and manage endpoint DLP policies

Creating custom endpoint data loss prevention (DLP) policies allows you to define data protection rules for devices like Windows and macOS. These policies control how sensitive data is handled on endpoints, such as copying files to USB drives, uploading to cloud services, and transferring data via Bluetooth. By implementing these policies, organizations can track and control the handling of sensitive data, taking appropriate actions when violations occur to protect personal, financial, and confidential information.

Before you begin

Before creating a custom DLP policy for endpoints, ensure you meet these prerequisites:

  • Permissions: Make sure you have sufficient access to create a DLP policy, such as Compliance Administrator, Information Protection Admin, or a similar role within Microsoft Purview.

  • Licensing: Your organization must have one of these licenses to create endpoint DLP policies:

    • Microsoft 365 E5
    • Microsoft 365 E5 Compliance
    • Microsoft 365 E5 Information Protection and Governance Add-on
  • Endpoint requirements: Ensure the targeted devices, including Windows 10/11 and macOS, are onboarded and meet the necessary prerequisites for endpoint DLP.

Create a custom DLP policy for devices

Use these steps to create and configure a custom endpoint DLP policy for your organization's devices.

  1. Sign in to the Microsoft Purview portal, then navigate to Solutions > Data Loss Prevention > Policies.

  2. Select + Create policy.

  3. On the Start with a template or create a custom policy page, choose to create a Custom DLP policy, then select Next.

  4. Name your DLP policy and provide a description. You can use the policy intent statement here if needed. Select Next.

  5. Assign admin units. If the policy applies to all users, leave the default settings, then select Next.

  6. On the Choose where to apply the policy page, ensure Devices is selected, then select Next.

    Screenshot showing devices selected as a location for DLP.

  7. On the Define policy settings page, ensure that Create or customize advanced DLP rules is selected, then select Next.

  8. On the Customize advanced DLP rules page, select Create rule to begin defining your advanced DLP rule.

  9. In the Create rule panel, start by naming and describing your rule.

  10. Under the Conditions section, select Add condition and choose the appropriate condition based on your organization's requirements. The available conditions depend on the locations you selected earlier in the policy.

  11. In the Actions section, select the appropriate action for your endpoint DLP policy. Unlike other locations, you can choose to Audit or restrict activities when users access sensitive sites in the Microsoft Edge browser on Windows devices, and Audit or restrict activities on devices.

    From here, configure Audit, Block with override, or Block for these actions:

    • Sensitive site restrictions

    • Service domain and browser activities

    • File activities for all apps, including copying to the clipboard, copying to a removable USB device or network share, printing, etc.

    • File activities for apps in restricted app groups (preview)

    • App access restrictions

      Screenshot showing device options when creating an advanced DLP rule.

  12. In the User notifications section, specify whether to notify users about policy matches and configure the policy tip message.

  13. In the User overrides section, decide whether to allow users to override the policy when a match is detected.

  14. In the Incident reports section, configure the severity level for alerts and determine who receives these alerts and reports.

  15. In the Additional options section, set whether the rule should stop processing further policies once it's triggered and define the priority order of the rule.

  16. Select Save at the bottom of the Create rule panel.

  17. After configuring the rule, review the summary of the advanced DLP rule you created on the Customize advanced DLP rules page, then select Next.

  18. On the Policy mode page, choose to either Run the policy in simulation mode, Turn the policy on immediately, or Leave the policy turned off for later activation.

  19. On the Review and finish page, review the policy details, then select Submit to create your custom DLP policy.

  20. After submission, on the New policy created confirmation page, select Done.

Simulation mode

Simulation mode allows you to test your endpoint DLP policies without affecting users' daily work. You can identify potential policy matches, fine-tune conditions, and evaluate rule performance before going live. For example, if a policy blocks file transfers to USB devices, simulation mode shows where this action would trigger and how often, allowing you to adjust settings and reduce false positives.

Deploy your DLP policy

After testing your policy in simulation mode, deploy it to a small pilot group first. This ensures the policy works as expected on endpoint devices like Windows and macOS. Once you're confident in its effectiveness, gradually roll it out across the organization, balancing data protection with minimal disruption to users.
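The same policy lifecycle (create the device policy and its rule as in the steps above, start in simulation mode, then enable it after the pilot) can be scripted with Security & Compliance PowerShell. This is an added example, not part of the original unit; the policy and rule names, the credit-card condition and the specific EndpointDlpRestrictions settings are assumptions chosen for illustration, and the cmdlet parameters should be checked against the current cmdlet reference for your tenant.

```powershell
# Connect to Security & Compliance PowerShell (requires the ExchangeOnlineManagement module).
Connect-IPPSSession

# Step 4-6 equivalent: a custom policy scoped to the Devices location only,
# created in a test mode so nothing is blocked yet (assumed mode value).
$policyName = 'Endpoint DLP - Credit card egress'   # assumed name
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Block copying credit card data to removable media' `
    -EndpointDlpLocation 'All' `
    -Mode TestWithoutNotifications

# Step 9-15 equivalent: one advanced rule with a condition, device actions,
# a user notification and an incident-report severity (assumed values).
New-DlpComplianceRule -Name 'Block CC to USB and clipboard' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'CopyPaste';      Value = 'Warn'  }   # Block with override
    ) `
    -NotifyUser 'Owner' `
    -ReportSeverityLevel 'High'

# Review the rule summary before changing the policy mode (step 17 equivalent).
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Disabled, Priority, EndpointDlpRestrictions

# After the simulation and pilot phases, turn the policy on (step 18 equivalent).
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Run the `Set-DlpCompliancePolicy` line only after reviewing the simulation results, since it moves the rule from auditing to blocking.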
