Configuring watermarking

Every application includes options of whether or not to enable file watermarking (on download or upload actions) which allows you to track user usage of Microsoft Office docs (DOCX, PPTX, XLSX) and PDFs.

Watermarking has Visible and File View Callback options to deter a user from sharing of sensitive data and tracking when a file is opened. All possible permutations of the two options, as well as the ability to turn off watermarking altogether, can be configured.

Note: Due to the document format/application potentially not supporting or having the proper font-family required to display unicode characters, any unicode characters used in the custom watermark message (such as Japanese characters, etc) will be automatically converted to phonetic ASCII.


  • Visible Watermarks: Added to documents in a non-obtrusive location (at the end of the document) as a user deterrent against data leakage. This watermark includes the username, a timestamp, and a unique transaction ID, and is meant to act as a reminder to your users that the data is being tracked and that they should be careful with sensitive corporate data. Visible watermarks are not added to password protected files, even if this option is enabled.
    Note: Forcepoint ONE SSE does not support visible watermarks for PDF files, but will still support the below File View Callback feature for PDFs.
  • File View Callback: Selecting "Invisible" or "Callback" will embed an invisible callback into the file to track every time that the file is opened from a device with Internet access using a supported application.
    • Invisible/No Callback: Will embed the invisible tracker to track the file but does not send an active callback to Forcepoint ONE SSE. The file can be uploaded on the Access Dashboard to display the file's location history.
    • Callback: Selecting any option with "Callback" turned on will embed the invisible tracker into the file. When the file is opened on a computer with internet access, the callback tracker will send an active callback to Forcepoint ONE SSE and log that event on the Access Dashboard.
      Note: Forcepoint ONE SSE only stores the details of files that are tagged with the callback feature for 90 days. After that, the data is purged meaning if the file is viewed after 90 days, a log line is generated but information about the file will not be included.
Note: If you select Forcepoint DLP as the data pattern, then the Watermark field is set to its default value as this field is not supported and is grayed out. Refer to Configuring FSM controlled policies for CASB and SWG channels to enable the Forcepoint DLP data pattern.