Hi there,
Even if there is no connection available, the agent still functions. The DLP agent has its own encrypted data store called "Agent Store" - the agent store holds incidents and files until the time it can report back to the Endpoint server. (storage space though is 5% of disk space)
When the connection is restored, the event information is then uploaded to the server. The incident data then shows up in Enforce.
Hope that helps.
Cherian Thomas
Cnslt Info Security Risk