
Forcepoint DLP Endpoint — Data in Use: USB, Print, Clipboard & Screen Capture

Forcepoint DLP Endpoint is the agent that lives on the laptop and enforces policy on the riskiest moments — copying to USB, printing, pasting from the clipboard and grabbing the screen. This lesson maps every data-in-use channel, the block/permit/confirm/encrypt actions, how it keeps working offline, and how its incidents flow back to the Security Manager.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Forcepoint DLP Endpoint (2026): the Forcepoint One Endpoint agent that protects data in use — USB/removable media, printing, clipboard cut-copy-paste and screen capture — plus block/permit/confirm/encrypt action plans, offline fingerprint matching, endpoint Discovery and how incidents sync back to the Security Manager.

Pick where you want to start

  1. Data in use: why local actions need an on-device agent.
  2. The channels: USB, print, clipboard, screen capture + actions.
  3. Offline & Discovery: cached fingerprints, queued incidents, data at rest.
  4. Reporting & ops: incidents to FSM, Endpoint Status, the sync 'X'.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is 'data in use' on an endpoint?

Answered in Data in use.

2. Does Forcepoint read the contents of a screen capture?

Answered in The channels.

3. How does the agent enforce policy when the laptop is off-network?

Answered in Offline & Discovery.

Most engineers think…

Most people assume endpoint DLP is 'antivirus that also blocks USB' — a thing that only works when you are on the office network. That picture fails you in an interview and in the field.

Forcepoint DLP Endpoint (the Forcepoint One Endpoint agent) is a self-contained enforcer for data in use: it carries its own policy engine and a cached fingerprint repository, so it inspects copy/paste, print, USB writes and screen captures locally — on a plane, at home, anywhere. It applies a per-channel action plan (block, permit, confirm or encrypt), queues incidents while disconnected, and syncs everything back to the Security Manager on reconnect. Knowing that offline-first design is what separates a real DLP engineer from someone who thinks it is just a USB switch.

① What 'data in use' means on the endpoint

DLP protects data in three states: in motion (leaving over email, web or cloud), at rest (stored in shares, databases and laptops), and in use — the live actions a person takes on their own device. The reason data in use needs its own agent is simple: copying a file to a USB stick, printing it, or pasting account numbers into a chat window never crosses the network gateway in a way a proxy can inspect. Only software on the device can see it.

That software is Forcepoint DLP Endpoint, delivered as the Forcepoint One Endpoint agent. It runs on Windows and macOS, monitors local data activity, controls data in use, and also performs endpoint Discovery on data at rest. Crucially, it works on and off the corporate network, because it holds its own policy engine and a cached set of fingerprints.

Figure 1 — Three data states — endpoint owns 'in use'
The endpoint agent is the only thing that can see data in use; in motion and at rest are covered elsewhere (and partly by endpoint Discovery).
Panels: Data in motion (email, web/SWG, cloud; leaving the network now); Data at rest (stored files: shares, DBs, and endpoint Discovery); Data in use (endpoint actions: USB, print, clipboard, screen capture).

Quick check · Q1 of 10 · Understand

Why does 'data in use' need an agent on the device rather than a network proxy?

Correct: a. USB writes, printing and clipboard paste are local actions that do not traverse the network in an inspectable way, so only on-device software (the endpoint agent) can see and control them.
👉 So far: Data in use = live local actions (USB, print, clipboard, screen capture) that no network proxy can see — only the on-device Forcepoint One Endpoint agent enforces them, on or off the network.

② Channel-by-channel control — and the action you take

The agent watches a set of data-in-use channels. Removable media monitors or prevents copying files (or parts of files) to USB drives, CD/DVD burners and Android/WPD phones — and can encrypt-to-USB with a profile key or a user password so data only leaves protected. Print covers drivers that print to a physical device — not print-to-file or print-to-PDF, and it cannot read document metadata. Endpoint Application analyses clipboard cut/copy/paste and other in-app handling; apps are either built-in (hard to evade) or custom (matched by exe/name/URL, which a user could rename to dodge).

Screen capture and the action plan

Screen captures are not analysed for content — the agent can only block-and-audit, permit-and-audit, or permit the capture (and macOS 11 cannot block it at all). Every channel gets an action plan: block, permit, confirm (prompt the user for justification), encrypt with an admin profile key, or encrypt with a user-supplied password. Note macOS does not support the clipboard/application channel at all.

Figure 2 — Data-in-use channels the agent controls
Forcepoint One Endpoint watches each local channel and applies a per-channel action plan.
Panels: Endpoint agent (Forcepoint One) at the centre; channels shown: Removable media / USB, Print (physical), Application / clipboard, Screen capture, HTTP/HTTPS + Email, Endpoint LAN.

Figure 3 — Action plan when a channel matches
Each channel applies one action when a rule matches — from a silent permit-with-audit to an encrypt or a hard block.
Panels: Permit (allow + audit); Confirm (prompt for reason); Encrypt (profile key / password); Block (stop the action).

💾 Removable media (USB)

Monitors or prevents copying files to USB, CD/DVD and Android/WPD devices — and can encrypt-to-USB with a profile key or a user password.

🖨️ Print channel

Covers drivers that print to a physical device — not print-to-file or print-to-PDF — and cannot read document metadata.

📋 Application / clipboard

Analyses cut/copy/paste and in-app handling. Built-in apps use trusted metadata (hard to evade); custom apps match by exe/name/URL (rename-able).

📸 Screen capture

Not content-analysed. The agent can only block-and-audit, permit-and-audit or permit the capture. macOS 11 cannot block it.

Built-in beats custom for app matching

When you must control a sensitive application's clipboard, prefer a built-in (trusted-metadata) match over a custom exe/name/URL match. A user can rename a custom-matched executable to dodge the rule; built-in metadata matching is much harder to evade.

'The print channel will stop PDF leaks' trap

The Print channel only covers drivers that print to a physical device — not print-to-file or print-to-PDF. If you rely on it to stop someone 'printing' to a PDF, data walks out. Cover that with the application or web channels instead.

Quick check · Q2 of 10 · Remember

Does Forcepoint DLP Endpoint analyse the contents of a screen capture?

Correct: c. Screen captures are not analysed for content. The agent can block-and-audit, permit-and-audit, or permit the action — and on macOS 11 it cannot block at all.
👉 So far: Channels: removable media, physical print, application/clipboard, screen capture (action only, not content). Actions: block, permit, confirm, encrypt with profile key or user password.
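
The channel caveats above can be turned into a review check. The following is an added example, not Forcepoint code or a Forcepoint policy format: the `Rule` fields and the sample policy are hypothetical, and the checks encode only the limits this lesson states.

```python
from dataclasses import dataclass

# Hypothetical rule record for this sketch; the product's real policy format
# is not shown in the lesson.
@dataclass
class Rule:
    name: str
    os: str                         # "windows" or "macos"
    channel: str                    # removable_media | print | application | screen_capture
    action: str                     # block | permit | confirm | encrypt_profile_key | encrypt_password
    os_major: int = 0               # e.g. 11 for macOS 11; 0 = unspecified
    content_condition: bool = True  # rule expects content to be inspected
    app_match: str = ""             # application channel: "builtin" or "custom"
    print_target: str = "physical"  # print channel: "physical", "file" or "pdf"

# Screen capture allows block-and-audit, permit-and-audit or permit only.
SCREEN_ACTIONS = {"block", "permit"}

def lint(rule: Rule) -> list[str]:
    """Return the coverage gaps the lesson describes for this rule, if any."""
    gaps = []
    if rule.channel == "application":
        if rule.os == "macos":
            gaps.append("macOS does not support the application/clipboard channel")
        if rule.app_match == "custom":
            gaps.append("custom exe/name/URL match is rename-able; prefer built-in")
    if rule.channel == "print" and rule.print_target != "physical":
        gaps.append("print channel covers physical printers, not print-to-file/PDF")
    if rule.channel == "screen_capture":
        if rule.content_condition:
            gaps.append("screen captures are not analysed for content")
        if rule.action not in SCREEN_ACTIONS:
            gaps.append("screen capture supports only block-and-audit, "
                        "permit-and-audit or permit")
        if rule.action == "block" and rule.os == "macos" and rule.os_major == 11:
            gaps.append("macOS 11 cannot block screen capture")
    return gaps

# Constructed sample policy for the demonstration.
POLICY = [
    Rule("mac-clipboard", "macos", "application", "block", app_match="custom"),
    Rule("pdf-print", "windows", "print", "block", print_target="pdf"),
    Rule("mac11-screens", "macos", "screen_capture", "block", os_major=11),
    Rule("usb-encrypt", "windows", "removable_media", "encrypt_password"),
]

def report(policy: list[Rule]) -> dict[str, list[str]]:
    """Map each rule that has at least one gap to its list of gaps."""
    return {r.name: g for r in policy if (g := lint(r))}

if __name__ == "__main__":
    for name, gaps in report(POLICY).items():
        print(name, "->", "; ".join(gaps))
```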

③ Offline enforcement and endpoint Discovery

The headline feature is offline enforcement. The agent carries a local (secondary) fingerprint repository so detection runs on the device itself; it only re-syncs from the management server when its fingerprints go stale. The repository stores partial hashes only, never the original data, and admins set a maximum cache size in MB.

When the machine is disconnected, incidents are stored and queued locally, then synced to the endpoint server — and on to the Security Manager — the moment it reconnects. The same agent also runs endpoint Discovery: it scans the laptop or desktop for sensitive data at rest, can remediate findings, and exposes last/next scan status in endpoint status. So one agent covers data in use and data at rest on the device.

Figure 4 — Online vs offline enforcement
The agent behaves the same whether or not it can reach the server — it just defers the reporting.
Online (connected): fingerprints fresh from server; incidents stream to FSM live; Endpoint Status shows synced; policy/profile updates apply fast.
Offline (disconnected): matches on cached fingerprints; incidents queued locally; enforcement keeps working; syncs everything on reconnect.

▶ Watch a USB copy get encrypted offline, then synced

How the endpoint agent enforces a data-in-use rule with no network, then reports it.

① USB write: Off-network, a user drags a customer-export file onto a USB stick on their laptop.
② Match: The agent runs the cached fingerprint repository locally and recognises real customer records — a true match.
③ Encrypt + queue: The removable-media action plan encrypts the file with the profile key and queues an incident on the device.
④ Sync to FSM: Back on the network, the agent syncs the queued incident to the endpoint server and Security Manager.
Quick check · Q3 of 10 · Apply

A laptop is on a flight with no network. A user copies a customer export to USB. What happens?

Correct: c. The agent carries its own policy engine and a cached fingerprint repository, so it enforces offline and stores incidents locally, syncing them to the endpoint server and Security Manager on reconnect.
👉 So far: Offline-first: a cached fingerprint repository (partial hashes only, capped in MB) lets the agent match locally; incidents queue and sync on reconnect. The same agent runs endpoint Discovery on data at rest.
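
The offline path (match locally, apply the action plan, queue the incident, sync on reconnect) as a small model. This is an added example, not Forcepoint code: the word-window hashing, the 0.5 match threshold and all names and sample data are assumptions made for the sketch, and the product's real fingerprinting scheme is not described in this lesson.

```python
import hashlib
from dataclasses import dataclass, field

PARTIAL = 12   # hex chars kept per digest: the cache holds partial hashes, never the data

def shingle_hashes(data: bytes, k: int = 4) -> set[str]:
    """Truncated SHA-256 of every k-word window (an assumed scheme for this sketch)."""
    words = data.lower().split()
    return {hashlib.sha256(b" ".join(words[i:i + k])).hexdigest()[:PARTIAL]
            for i in range(max(len(words) - k + 1, 1))}

@dataclass
class Agent:
    repo: set[str]                    # cached (secondary) fingerprint repository
    action_plan: dict[str, str]       # channel -> block | permit | confirm | encrypt
    online: bool = False
    queue: list[dict] = field(default_factory=list)    # incidents stored on the device
    server: list[dict] = field(default_factory=list)   # stand-in for endpoint server / FSM

    def handle(self, user: str, channel: str, data: bytes, threshold: float = 0.5) -> str:
        """Decide locally; nothing in this method needs the network."""
        hashes = shingle_hashes(data)
        score = len(hashes & self.repo) / len(hashes)
        if score < threshold:
            return "permit"           # no match, no incident
        action = self.action_plan.get(channel, "permit")
        self.queue.append({"user": user, "channel": channel,
                           "action": action, "score": round(score, 2)})
        if self.online:
            self.sync()
        return action

    def sync(self) -> int:
        """On reconnect, push every queued incident upstream and empty the local queue."""
        sent = len(self.queue)
        self.server.extend(self.queue)
        self.queue.clear()
        return sent

# Constructed sample data: a fingerprinted export and two files a user copies to USB.
EXPORT = (b"acct 1001 asha rao balance 52000 acct 1002 vikram shah balance 18000 "
          b"acct 1003 meera nair balance 91000")
COPIED = b"Export for branch\n" + EXPORT
MENU = b"quarterly lunch menu and parking notice for all staff"

def demo() -> dict:
    agent = Agent(repo=shingle_hashes(EXPORT),
                  action_plan={"removable_media": "encrypt"})
    out = {"usb_sensitive": agent.handle("rm01", "removable_media", COPIED),
           "usb_benign": agent.handle("rm01", "removable_media", MENU),
           "queued_offline": len(agent.queue), "server_before": len(agent.server)}
    agent.online = True               # laptop is back on the network
    out["synced"] = agent.sync()
    out["server_after"], out["queued_after"] = len(agent.server), len(agent.queue)
    return out

if __name__ == "__main__":
    print(demo())
```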

④ Reporting and operations — proving it from the console

Every endpoint event becomes an incident in the Forcepoint Security Manager — with the user, the channel, the matched content and the action taken (blocked, encrypted, confirmed). Analysts triage from the incident queue, exactly as they do for network and web events, so a USB block and an email block sit in the same place.

Endpoint Status and the sync 'X'

To check fleet health, go to Data ▸ Main ▸ Status ▸ Endpoint Status, which lists every registered endpoint. An 'X' flags an endpoint whose policy or profile version is not synchronized — the single most useful read when a user reports 'the new rule isn't applying'. On deployment, agents and policy-engine machines need a direct connection to the management server, and each endpoint registers with an endpoint server.

Figure 5 — A USB write becomes a synced incident
An offline USB copy is enforced locally, queued, then surfaced in the Security Manager once the laptop reconnects.
Stages: USB write (user copies a file); Match (cached fingerprint hit); Enforce (encrypt or block); Queue (incident stored local); Sync (raised in FSM).

Priya, a security analyst at a Pune fintech BPO, faces this

A relationship manager complains he can't paste customer account numbers from the core banking app into a personal WhatsApp Web tab, and his USB copy of an exported report was silently encrypted.

Likely cause

A new policy applied the Endpoint Application channel (block on clipboard out of regulated apps) and Removable Media (encrypt-with-password) — both data-in-use controls behaving exactly as designed.

Diagnosis

In the Security Manager she opens Data ▸ Main ▸ Status ▸ Incidents, filters by the user, and sees a clipboard 'blocked' event and a USB 'encrypted' event tied to the data-in-use policy.

Console paths: Data ▸ Main ▸ Status ▸ Incidents + Data ▸ Main ▸ Status ▸ Endpoint Status

Fix

The block is correct policy, so she keeps WhatsApp Web blocked, documents that internal CRM destinations are permitted, and shares the decryption-password workflow for legitimate USB exports.

Verify

The RM retries: clipboard to WhatsApp is blocked-and-audited as intended, the USB file opens after entering the supplied password, and both events appear correctly in the console with the endpoint showing no 'X'.

Read the incident, then the sync 'X'

Don't guess why a user was blocked or why a rule 'didn't fire'. The incident shows the exact channel, action and matched content; the Endpoint Status page shows whether that endpoint's policy/profile is even synced (the 'X'). Those two reads answer most endpoint tickets.

Quick check · Q4 of 10 · Analyze

A user says a new endpoint rule 'isn't applying'. What is the fastest thing to check?

Correct: d. Data ▸ Main ▸ Status ▸ Endpoint Status lists registered endpoints; an 'X' flags one whose policy or profile version is not synchronized — usually why a new rule has not taken effect yet.
👉 So far: Endpoint incidents land in the Security Manager. Check Data ▸ Main ▸ Status ▸ Endpoint Status; an 'X' means that endpoint's policy/profile version is not synchronized.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which data state does the endpoint agent uniquely protect?

Correct: a. Local actions — USB, print, clipboard, screen capture — are data in use, which only an on-device agent can see. In-motion is the network/web/email path; the endpoint also helps with at-rest via Discovery.
Q6 · Understand

Which removable-media response is NOT a valid action-plan option?

Correct: d. Action plans are block, permit, confirm, encrypt-with-profile-key and encrypt-with-password. Auto-emailing the matched file to an admin is not an endpoint action-plan option.
Q7 · Apply

You must stop sensitive content being pasted out of a regulated banking app. Which channel?

Correct: b. Cut/copy/paste and in-app handling are governed by the Endpoint Application (clipboard) channel. Print covers physical printing, removable media covers USB, and Discovery scans data at rest.
Q8 · Analyze

Why can the agent still enforce a fingerprinted policy on a laptop with no network?

Correct: a. The agent stores a local secondary fingerprint repository (partial hashes, capped in MB) and its own policy engine, so detection runs locally and incidents queue until reconnect.
Q9 · Evaluate

An interviewer asks why built-in app matching beats custom matching for clipboard control. Best answer?

Correct: d. Custom matches key off an executable name, app name or URL, which a user can rename to dodge. Built-in matching uses trusted application metadata and is much harder to evade.
Q10 · Evaluate

A user reports a new endpoint rule isn't taking effect. What is the strongest first diagnostic?

Correct: c. The Endpoint Status page shows registered endpoints; an 'X' means that endpoint's policy or profile version is not synchronized — the most common reason a new rule has not applied yet.

🧠 In your own words

Type one line: why does protecting 'data in use' require an agent on the device instead of a network DLP gateway? Then compare with the expert version.

Expert version: Because data in use is a set of purely local actions — copying to USB, printing, pasting from the clipboard, capturing the screen — that never cross a network gateway in a form a proxy can inspect. Only software running on the endpoint can observe and control them. Forcepoint DLP Endpoint (Forcepoint One Endpoint) carries its own policy engine and a cached fingerprint repository so it enforces these channels with an action plan (block/permit/confirm/encrypt) even fully offline, queues incidents locally, and syncs them to the Security Manager on reconnect — which is exactly why endpoint DLP is offline-first, not network-dependent.

📖 Glossary

Forcepoint One Endpoint
The unified Forcepoint endpoint agent that delivers DLP Endpoint enforcement on Windows and macOS, on and off the network.
Data in use
Information being actively handled on a device — copied, printed, captured to screen, or written to USB — enforced only by the on-device agent.
Removable media channel
Governs copying files to USB, CD/DVD and mobile/WPD devices; can block, permit, confirm or encrypt-to-USB.
Endpoint Application channel
Controls clipboard cut/copy/paste and in-app handling; matches apps by built-in trusted metadata or custom exe/name/URL.
Action plan
The per-channel response when a rule matches: block, permit, confirm, encrypt with a profile key, or encrypt with a user password.
Fingerprint repository
A local cache of partial hashes (not the original data, capped in MB) that lets the agent match sensitive content offline.
Endpoint Discovery
An on-device scan of data at rest on laptops/desktops, with optional remediation and visible last/next scan status.
Endpoint Status page
Data ▸ Main ▸ Status ▸ Endpoint Status — lists registered endpoints; an 'X' flags an unsynchronized policy or profile version.

What's next?

Got data in use on the endpoint? Next, see how the same policy reaches the network and cloud — the email gateway, web/SWG proxy, the Protector and CASB — so a record is recognised identically wherever it tries to leave.