@miller34mike, I tried creating a custom DLP policy under https://compliance.microsoft.com. Scoped it to devices and MCAS, yet I can't see any action that allows me to block the upload to the web page. What am I doing wrong?
Hi @The737
This is due to selecting both Devices and MDCA. When you scope to multiple locations, you only get the options that are available in both locations.
To set and Endpoint policy to block service domain uploads you will need to set the policy to Devices only and then within the rule, you will see service domain uploads.
To see this option, select actions > Audit or restrict activities on devices and it will be the first checkbox that you can select.
MDCA from a DLP perspective would not help you in this scenario.
To set your allowed list of service domains, which means everything else gets blocked, go to compliance.microsoft.com > Data loss prevention > Endpoint DLP settings and find the drop-down for Browser and domain restrictions to sensitive data. Make sure the drop-down for block/allow is set to allow and then set your appropriate sites.
@miller34mike, y
Perfect! The final check to perform is under settings within the compliance portal at the link below, confirm that device onboarding has been enabled and that the same device from MDE shows up under Purview (it may take up-to an hour to complete the onboarding). Enabling Device onboarding within the compliance portal will automatically ingest all MDE-onboarded devices into purview, which is the final step to make sure that Endpoint DLP policies can be pushed to the device.
@miller34mike , nope, the upload isn't even visible in the Activity Explorer. In terms of the extensions, I entered them with the "." yet it got removed.
Interesting thing though... if I go on the onboarded devices page and look at the overview of the machine, the MDE Enrolment status is N/A. This gives me something to dig into....
