Manish,
yang_zhang is correct. It does function, but there are restrictions to it. The main thing is that you need to configure the functionality to happen. My understanding is we can leverage the IDM/EDM only if there is what's called a Two-Tier policy.**(See correction below) This would involve putting 2 rules in a policy:
- Look for copy to USB
- Compare data to IDM/EDM
Because we will hit the first (USB Copy rule), we will then send the data back to analyze against rule 2. This will result in successfully generating an incident.
To my understanding, we don't yet fully support an explicit IDM/EDM rule by itself in a policy on the endpoint.**(See correction below) The other option is to look into using the VML option. VML is supported on the endpoint, and in some cases can provide just as good coverage, depending on how good the data sets provided to the engine to analyze are.
**CORRECTION**
I apologize, as my above comment wasn't 100% accurate. We do support single-tiered IDM/EDM, as yang_zhang had illustrated. I should clarify that my suggestion would be that, for the sake of scalability and network bandwidth, you might want to consider the Two-Tier detection method instead. With many types of data needing to be compared to IDM/EDM rules, there is more data which will need to be sent back to the detection server.