DLP content control list data inventory.
Add the ability to schedule or kick-off a full scan for files on the filesystem that match content control lists. This will allow users to discover where files which contain sensitive data on their servers may be located and alert if future files show up in places where they should not be.

Data Loss Prevention should be able to allow or block a file with specific extensions downloaded from particular Whitelisted URL in a browser.
The same file can only be uploaded to that specific Whitelisted URL in a browser but should be blocked on other URLs in browser.

We need more event logging information to show the user's file operation details associated with a peripheral. This is very very useful for generating data leakage evidence reports.

İt should be possible to view data loss prevention events logs for 1 year or more with policy. It can be viewed last 90 days for now. It is not enough. If it increases , it will make it useful.

Sophos EPP currently do not control the user when logged in Safe Mode, which can be threatening to the data security on both Client & Server side.

Sophos must figure out, to prompt Tamper Protection Password immediately after Safe Mode Login by the User. Only after validating Tamper Protection Password, User would be able to use the Computer.

This Tamper Protection Password prompt must be User role managed.

Can we include restricting and monitoring data movement between RDP connections and local system using DLP

web user option to ask administrator to allow permission to access a website or category.

It would be great if DLP could scan the clipboard, and in and outbound email for text matching the bank details profile.

At the moment it only scans files containing card data, I would like to see it cover a more broad number of scenarios.

We have found that users would be more likely to write or copy card details into the body of an email, then they are to go to the lengths of creating a file, adding the details, saving the file, and emailing it.

Thanks

Please increase development effort on the re-engineering of DLP so it does not use the AppInit_DLLs and therefore can have Secure Boot enabled.

Microsoft post in May 2018:

The AppInitDLLs mechanism is not a recommended approach for legitimate applications because it can lead to system deadlocks and performance problems.
The AppInitDLLs mechanism is disabled by default when secure boot is enabled.
Using AppInit_DLLs in a Windows 8 desktop app is a Windows desktop app certification failure.

As one of the requirements of the Security Department We would like to Implement
DLP - Data Loss Prevention via Gmail. That means blocking the transfer of files with a defining characteristic via Gmail. In That way when a user will attach such a file in order to transfer it to any mail destination Sophos will worn and ask permission to do it or just block it without any question.

When creating a rule you should be able to select who recieve the email alerts. Either as an individual or to a Distribution Group. Currently you either get all or nothing through the global settings, this should be added as a feature when defining the rule as to who recieves the alerts

Support Microsoft Edge as a Browser Destination for DLP. This is the default browser for Windows 10, and it cannot be removed.

The browser destination features of DLP are severely limited without this.

In DLP Alerts, is it possible to include the full path to where the file was being Moved/Copied?

Under our old Sophos system, the source path would show on the Data Loss Prevention Report. We switched to Sophos Central and now I am being told that option is no longer available. The source path is very useful to have on the report and Executive Management used it frequently. We need to have the option to add the source path to the report.

How can i identify unclassified data used

In the SafeGuard management center you allow for AD sync, but that sync does not resolve itself when password changes are made. Currently the only solution is to demote and re-promote manually each security officer. If the AD sync could function as a task properly and sync the password changes in an almost LDAP type situation, that would be optimal.

Dynamic ip should be stop to release for device, when blocked the mac for same device by lan to wan rejected rules

According to support, DPL policies do not work on Macs. I tested it and unfortunately, they are correct. This is a great feature and needs to be rolled out to Macs.