The Limit Incident Data Retention response rule action does not behave the same way for Mac OS endpoints as it does for Windows endpoints. This article describes the behavior for the response rule action for Mac OS systems.

The Limit Incident Data Retention response rule action enables you to retain the original message (including files and attachments) for Endpoint Prevent and Endpoint Discover incidents. If you don't use the response rule action, the Data Loss Prevention discards the original messages for endpoint incidents.

On Mac OS systems, the response rule action works for policies with the Notify response rule action, and also for policies with the Endpoint: "Block for removable storage" and "Endpoint: Block for Network Shares" response rule actions.

The Limit Incident Data Retention action does not work for Application File Access channel. If these response rules are used together, sensitive files are blocked, but blocked files are not available for access in the Application File Access incident.