icon-zapp.svg
Client Connector

Zscaler Endpoint Data Loss Prevention (DLP) Integration with Zscaler Client Connector

This feature is supported on devices running Zscaler Client Connector version 4.3 and later for Windows and Zscaler Client Connector version 4.2 and later for macOS. The Endpoint DLP feature is only supported on devices running macOS Monterey (12) and later versions. To learn about the prerequisites of this feature, see Step-by-Step Configuration Guide for Zscaler Endpoint Data Loss Prevention (DLP).

Zscaler Endpoint Data Loss Prevention (DLP) safeguards your company’s data by monitoring activities that users take on endpoints such as, removable storage (e.g., USB external drives), printers, network shares, and personal cloud storage (e.g., Dropbox). To learn more, see About Endpoint Data Loss Prevention and Understanding Endpoint Policy Enforcement.

When you configure and activate the Endpoint DLP policy in Zscaler Internet Access (ZIA), endpoints automatically use Zscaler Client Connector to retrieve the policy from the Zscaler cloud.

Endpoint DLP requires Full Disk Access for proper operation. MDM profiles that grant Full Disk Access must be deployed to endpoints prior to Endpoint DLP installation.

Configuring Endpoint DLP in the Zscaler Client Connector Portal

Admin can enable Zscaler Endpoint DLP using the Zscaler Client Connector Portal. For steps to enable the Install Endpoint DLP feature, see Configuring Zscaler Client Connector Profiles.

Install Endpoint DLP

Endpoint DLP Integration With Zscaler Client Connector

On Zscaler Client Connector, the Data Protection page refers to the Zscaler Endpoint DLP feature. On the Data Protection page, the end-users can view the connection status of the service and perform troubleshooting.

Data Protection on Zscaler Client Connector

Endpoint DLP enforces rules without an internet connection. After the connection is retrieved, it sends all the incidents and activities to the cloud.

Endpoint DLP Notifications

When a user violates an Endpoint DLP rule, and the user notifications are enabled, they receive a message on the endpoint based on the triggered rule.

Endpoint DLP notifications

You can configure Endpoint DLP policy rules to Allow, Block, or ask end users to Confirm activities that match the rule. If you select Allow, the service allows and logs the activity. If you select Block, the service blocks and logs the activity. If you select Confirm, the end user can justify the activity to continue or cancel the activity altogether; in both cases, the service logs the activity accordingly.

Examples of Endpoint DLP Notifications

  • When a user violates or triggers an Endpoint DLP rule that is configured for the Allow action and the End User Notification is selected as Show, the Allow notification is displayed. The user can click Learn more for more details about the notification or click Do Not Disturb to prevent the notification from reappearing. The allow notification automatically disappears in 10 seconds.

    Allow notification

    Close

  • When a user violates or triggers an Endpoint DLP rule that is configured for the Allow action and the End User Notification is selected as Show, the Block notification is displayed. The user can click Learn more to understand why their activity was blocked, and then click the More options drop-down menu and choose Do Not Disturb or Request Exemption.

    Block notification

    Close

  • If the admin has set rules with a confirm action, end users receive a notification requesting action. The user has 5 minutes to select an option. If the user doesn’t provide input within the time period, Zscaler blocks the user activity.

    Confirm notification

    Close

Mute Notifications

Users can turn off Endpoint DLP user notifications on the Zscaler Client Connector > More > Settings >Show all notifications. Even if this setting is turned off, the Endpoint DLP notifications are still logged on the Notifications page.

Requesting Exemption from Data Protection

Authorized users can enter a One-Time Password (OTP) to disable the Endpoint DLP service on Zscaler Client Connector. To learn more about requesting exceptions for the Endpoint DLP service, see Viewing Information About Zscaler Endpoint DLP on Zscaler Client Connector.

Related Articles
About Zscaler Client Connector App ProfilesConfiguring Zscaler Client Connector App ProfilesSearching for a Zscaler Client Connector ProfileCopying a Zscaler Client Connector App ProfileZscaler Client Connector Profile Rule ExampleViewing the Policy Token for a Zscaler Client Connector Profile Anti-Tampering for Zscaler Client ConnectorConfiguring a Default Global Log ModeConfiguring a Cellular Quota with Zscaler Client Connector for AndroidSyncing Directory Groups between the ZIA Admin Portal and Zscaler Client Connector PortalBest Practices for Adding Bypasses for Z-Tunnel 2.0About Application BypassAdding IP-Based Applications to Bypass TrafficAdding Process-Based Applications to Bypass TrafficZscaler Endpoint Data Loss Prevention (DLP) Integration with Zscaler Client ConnectorAbout Business ContinuityConfiguring Business Continuity in Zscaler Client Connector