# Configuring Policies

The Exfiltration policies for MAC and Windows OS allow you to monitor if there are any uploads via browser or cloud storage apps. You can configure the domains in Internet that needs to be monitored and also the cloud storage apps which need to be monitored.

When there are any uploads to the configured domain or cloud storage apps, the Nightfall AI agent notifies this action. You can configure the notification channels through which you wish to receive notifications when there is an attempt to upload files/folders. 

## Verify Connection

Once you have completed the installation of the Nightfall agent, you must ensure that the connection is live. If the Nightfall agent cannot connect to the macOS or the Windows OS device for more than 6 hours, the connection is lost. When the connection is live, a **Connected** message is displayed. If the connection is lost, a **Disconnected** message is displayed under the **Agent Status** column. 

<figure><img src="/files/9YqP1DBPrRBIITUw4SjF" alt=""><figcaption></figcaption></figure>

## Removing Disconnected Devices

When a macOS or Windows OS device is disconnected, you can remove the device from the monitored list (**Devices** tab). To remove a disconnected device from the monitored list, click the delete icon for the respective device.

<figure><img src="/files/BdbtnojOcijTWCB2KmcM" alt=""><figcaption></figcaption></figure>

Clicking the delete icon displays a warning pop-up window as shown in the following image. Click **Remove Device** to confirm the removal of the device.&#x20;

<figure><img src="/files/11dIEsMt470Yg5jFL5jb" alt="" width="563"><figcaption></figcaption></figure>

If a removed device reconnects, it is automatically added to the monitored list. To permanently prevent the monitoring of a device, you must de-provision the device through MDM (uninstall the Nightfall Agents and remove it from future targeting).&#x20;

This feature declutters your monitoring list and ensures that only active devices that are being monitored are displayed.&#x20;

You can leverage this feature efficiently with loaner laptops. When a former employee returns a device, the connection is lost and the status is displayed as disconnected. Security teams can be concerned about the device displaying the **Disconnected** status for a prolonged period and can initiate an investigation. Instead, you can use this feature and remove the device from the monitored list. When the device is reassigned to another employee, it connects back automatically, and the monitoring resumes.&#x20;

Similarly, you can use this feature for seasonal and dormant devices; remove them once they are not in use. They will connect back automatically once they are in use again.&#x20;

## Create Domain Collections

Collections help you refine your monitoring to reduce noise from sanctioned upload destinations as well as closely monitor exfiltration of files originating from high-value SaaS applications accessed through the browser. You can also define specific domain collections to closely monitor upload activity to specific categories of upload destinations. For instance, to track files uploaded to social media, you can create a domain collection called social media and add domains like Facebook, Instagram, Twitter, and so on. Similarly, you create a collection for known and sanctioned upload destinations that are safe to upload to so you can ignore them from your monitoring policies or monitor the upload of items originating from such domains. While creating a policy, you can directly add the collection to be monitored. All the domains in the collection will be monitored.&#x20;

You can create a domain by either manually entering all the domain URLs manually or by uploading a comma-delimited list of domains in a text file.&#x20;

To group domains:

1. Log in to the Nightfall app.
2. Navigate to **Integrations** from the left menu.
3. Click **Manage** on the macOS/Windows OS integration.&#x20;

<figure><img src="/files/LXR2iDbuHBk0JT4IVQ04" alt="" width="563"><figcaption></figcaption></figure>

4. Click the **Domains** tab.
5. Click **+** **New Collection**.

You can either add the domains manually or upload a text file containing the list of domains. The following section has two tabs. The first explains the process of manually adding domains, and the second tab explains adding domains by uploading a file.&#x20;

{% tabs %}
{% tab title="Adding Domains Manually" %}
6\. Click **+ Add Domain**.

<figure><img src="/files/UagfsgJ8HlGO0QfBxuke" alt="" width="375"><figcaption></figcaption></figure>

7. Enter a name for the Collection in the **Collection Name** field (**Social Media** in the following image)
8. Enter a domain and hit the enter key (**facebook.com** in the following image).

<figure><img src="/files/cMwmYIsssVxSDHMKCmvO" alt="" width="375"><figcaption></figcaption></figure>

{% hint style="info" %}
**Important**

When you add a domain, the sub domain is not included automatically. For instance, if you add **abcd.com**, **docs.abcd.com** is not included. To include subdomains, you must enter the full URL containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (\*) and enter the domain as **\*.abcd.com**
{% endhint %}

9. (Optional) Click **+ Add Domain** to add multiple domains to the collection.
10. (Optional) Click the delete icon to delete a domain.
11. Click **Save Changes**.

<figure><img src="/files/yU9bbX23BnI6DDgsytVT" alt="" width="375"><figcaption></figcaption></figure>
{% endtab %}

{% tab title="Upload Text File Containing Domains" %}
6\. Enter a name for the Collection in the **Collection Name** field.&#x20;
7\. Click **Upload**.

<figure><img src="/files/8kKQrxN5fDFBkoaFvjc3" alt="" width="563"><figcaption></figcaption></figure>

8. Browse and upload the text file containing the list of domains.&#x20;

{% hint style="info" %}
All the domains must be separated by a comma. The file must have a .txt extension.&#x20;
{% endhint %}

Once you upload the file, the list of domains present in the file are displayed as follows.

<figure><img src="/files/lHuWdPMotQun3lNFa7N7" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**Important**

When you add a domain, the sub domain is not included automatically. For instance, if you add **abcd.com**, **docs.abcd.com** is not included. To include subdomains, you must enter the full URL containing the subdomain. If you have multiple subdomains, you can use the asterisk wildcard (\*) and enter the domain as **\*.abcd.com**
{% endhint %}

9. (Optional) To add more Domains to the Collection, you can either click **+ Add Domain** and enter the domain manually, or click **Upload txt** and upload another text file containing domains.&#x20;
10. (Optional) Click the delete icon to remove a domain from the Collection.&#x20;
11. Click **Save Changes**.

<figure><img src="/files/oJ233BF1De2fq1LtkZ8a" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

## Creating Policy

The detailed steps to configure the MAC OS/Windows OS device exfiltration policy are explained in the following documents.&#x20;

* [MAC/Windows App Selection](/data-exfiltration-prevention/exfiltration_endpoint/policies/integration.md)
* [Scope](/data-exfiltration-prevention/exfiltration_endpoint/policies/scope.md)
* [Trigger](/data-exfiltration-prevention/exfiltration_endpoint/policies/trigger.md)
* [Advanced Settings](/data-exfiltration-prevention/exfiltration_endpoint/policies/advanced_settings.md)
* [Creating Policy](/data-exfiltration-prevention/exfiltration_endpoint/policies/create_policy.md)
* [Remediation for MAC OS Policies](/data-exfiltration-prevention/exfiltration_endpoint/policies/remediation.md)
* [Remediation for Windows OS Policies](/data-exfiltration-prevention/exfiltration_endpoint/policies/remediation-for-windows-os-policies.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.nightfall.ai/data-exfiltration-prevention/exfiltration_endpoint/policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.