Hello,
First you must define which channel your endpoint will monitor (email)
Then you must define what your policy will look for (Keyword confidential)
Then you must define on who this policy will be applied (could be all workstation or only part of user with a workstation with agent running on)
Then you must use the correct response rule in your policy (I dont remember exact name but there is one by default). It is this part of the policy which will define that you want to popup user. You can use popup :
- just to inform end user
- To ask him for a justification
- To inform him that his action were blocked.
Regards