danaman asked JamesTran-MSFT commented

Data Loss Prevention - Devices

Hi

We are looking into creating DLP policies to protect our data.

I am creating a test policy and one of the options I can see allows us to target devices.

Under the device section it only gives me the option to target users. I cannot see any devices listed.

How do we get the devices to show here?

Do we have to onboard them first using one of the methods listed here?

https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-endpoints?view=o365-worldwide



azure-information-protection

1 Answer

vipulsparsh-MSFT answered JamesTran-MSFT commented

@danaman Thanks for reaching out. Yes, you are correct, you will need to onboard them first using https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints?view=o365-worldwide

Once added you can monitor Windows 10 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.


If the suggested response helped you resolve your issue, please do not forget to accept the response as the answer and "Up-Vote" the answer that helped you, for the benefit of the community.


Hi

Thanks for the response.

My question though is why are we asked for users and groups in the devices section?

Does this mean that when a device is onboarded, any user that the policy is scoped to will be targeted by the DLP policy on that device?

So let's say we have 2 users log on to an onboarded device. One user is in the scope of the DLP policy and one is not.

The user that is not scoped in the policy will not be affected? Only the user that has been scoped will be affected?

0 Votes 0 ·

@danaman If you target a device, the DLP policy applies to that device irrespective of which user logs into it. It will be applied to all users who access that machine. If you apply the DLP policy to users, the policy stays with the users on whichever device they log in to.

0 Votes 0 ·

So how do we target a device within a DLP policy? The device section only allows you to choose users and groups.

The Microsoft documentation for this also states that when targeting devices the options we are given are users or groups.

0 Votes 0 ·