All Products
Search
Document Center

Secure Access Service Edge:Manage watermarks to protect data

Last Updated:Jun 20, 2026

Data leaks from screenshots, photos of screens, or printed documents can cause significant business losses. To mitigate this risk, use the Data Loss Prevention (DLP) feature of Secure Access Service Edge (SASE) to apply screen watermarks and application watermarks. You can use a visible watermark as a deterrent or an invisible watermark to trace the source of a leak. This topic describes how to configure watermark policies, view sensitive behavior detection results, and configure a watermark whitelist.

Prerequisites

Configure screen and application watermark policies

  1. Log on to the Secure Access Service Edge console.

  2. In the left navigation pane, choose Data Protection > Policy Center.

  3. On the Watermark Management tab, go to the Screen Watermark or Application Watermark tab and click Create Policy.

  4. In the Create Policy panel, configure the following parameters.

    Parameter

    Description

    Basic Information

    Policy Name

    The name of the policy.

    The name must be 2 to 32 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    Status

    Specifies whether the policy is enabled. The policy applies only when enabled.

    Priority

    The value can be an integer from 1 to 100. A smaller value indicates a higher priority.

    User Group

    The user or user group to which the policy applies.

    If you enable policies for both screen watermarks and print watermarks, they both apply to the specified user or user group.

    Applicable Application

    If you are configuring an application watermark policy, you must specify the applications to which the policy applies.

    Before you specify the applicable applications, you must enable the Web Application Access Reinforcement feature for the corresponding internal applications.

    Watermark Settings

    Visible Watermark

    Select this option and configure the specifications for the visible watermark based on your business needs. You can use the preview feature to see how the watermark will look.

    We recommend that you set Opacity to the maximum value. Otherwise, the watermark may be difficult to see.

    Invisible Watermark

    Select this option and configure the specifications for the invisible watermark based on your business needs.

  5. Click OK.

    After the policy is created, it appears in the policy list.

Extract invisible watermark information

If you configured an invisible watermark, follow these steps to extract it.

  1. On the Watermark Management > Watermark Extraction tab, select the watermark type to extract.

  2. Upload the file that contains the invisible watermark as prompted.

    The system automatically extracts the watermark content from the uploaded file.

    To export the results, click Export on the right.

View sensitive behavior detection results

Employee printing can trigger sensitive behavior detection. The Data Loss Prevention feature automatically scans printed files and provides data analysis for the last 30 days, 7 days, and 24 hours.

  1. In the left navigation pane, choose Data Protection > Sensitive Behavior Detection.

  2. On the Sensitive Behavior Detection page, view the statistics for files printed by employees within a specified time range.

  3. In the list of users involved in sensitive file exfiltration, click Details to view details about the printed files.

  4. Find the target file and click Details in the Actions column. You can view details such as the sensitive content, the matched policy, the office terminal, and the exfiltration channel.

Configure watermark whitelist

If you want to prevent SASE from auditing and controlling the printing activities of specific employees in your enterprise, you can configure the Watermark Whitelist for data loss prevention to apply a more lenient policy to these employees.

  1. On the Policy Center > Watermark Management tab, click Watermark Whitelist.

  2. On the Whitelist > Data Loss Prevention tab, add employees to the whitelist for screen watermarks and application watermarks.

    Separate multiple entries with commas (,). After you enter the items, press Enter to confirm.

  3. Click Submit.

Adjust policy priority

To adjust the priority of a watermark policy, click the 编辑 icon and change the number. The priority can be a value from 1 to 100. A smaller value indicates a higher priority.

Disable policy

To temporarily disable a policy, turn off the switch in the Policy Status column. The policy configuration is saved. You can re-enable it later by turning the Policy Status on.

Delete policy

If a policy is no longer needed, click Delete to permanently remove it.

Important

Deleted policies cannot be restored. Proceed with caution.

Related topics