In this section:
Use Scripted conditions to create, import, and export conditions using VBScript, JScript, and PowerShell. You can use Scripted conditions to cater for scenarios that are not available as standard from the Application Control console. For example, to check if the Windows Firewall is switched on.
The scripts are held in the AAMP configuration, copied to disk at runtime, executed, and then deleted upon completion. Scripts can be imported and exported to enable reuse.
Caution: Large scripts and high numbers of scripts increase the size of an AAMP configuration, which can impact the time required to deploy configurations to endpoints and affect configuration execution time.
Because the condition scripts are run in batch mode, any prompts or message boxes are not displayed and the script times out without being executed. To ensure that a condition script runs correctly, remove or comment out any prompts or message boxes from the script.
When creating scripted conditions, make sure that there is sufficient time for the script to run and any additional conditions to be evaluated. Application Control has a timeout period of 10 seconds to evaluate any conditions for a custom rule. If all the conditions are not evaluated within 10 seconds, the custom rule is not applied. In addition, conditions are evaluated synchronously. That is, when expression evaluation is triggered, the agent waits for the script to complete before evaluating the next condition. The agent stalls the application of a custom rule until evaluation of all conditions is complete or has timed out. So even if you configure the Scripted condition to run for less than 10 seconds, if there are other conditions to evaluate and not enough time left to do it, it is still possible for evaluation to time out.
Windows PowerShell scripts use various execution policies which can prevent the scripts from running or only allow those signed by trusted publishers to run. Application Control overrides execution policies and bypasses any restrictions to enable the PowerShell scripts to run.
Application Control is compatible with PowerShell version 2.0 or later.
The version required will depend upon the operating system you are using. Windows XP and Server 2003 requires PowerShell 2.0. Windows Server 2008 R2 SP1 x64 and Windows 7 SP1 requires PowerShell 3.0. More recent operating systems will require PowerShell 3.0 or later.
All scripts for scripted conditions must specify an exit code, which when returned, is used by the Application Control agent to determine whether the script has passed or failed. For scripts without an exit code, a success (0 value) is assumed by the agent.
Each script type must use a specific exit statement:
Replace [value] with the exit code for the script: 0 for success and 1 for failure. For example: WScript.Quit 0, WScript.Quit(0), exit (0). For Powershell scripts, any non-zero value will indicate a fail.
- Select the node for a Custom rule.
In the work area for the rule, open the Conditions drop-down menu and select Scripted.
The Scripted Condition dialog displays.
- Select the Type of scripting: PowerShell, VBScript or JScript.
In the Run for scroll box, set the time for which the script is allowed to run.
This is the number of seconds after which the script is terminated. The maximum value you can enter is 10 seconds. Setting the value to zero or leaving the field blank gives the script infinite time to complete. However, if the script exceeds the 10 second timeout to evaluate conditions; it times out and the custom rule is not applied.
Scripted conditions override default node and condition timeouts, but do not override the 10 second timeout to evaluate conditions. This value is hard coded
- Click the Options
drop-down and configure the following options as required:
- Evaluate Once Per Session - Select this option to run the condition once and cache the result for the duration of the session. Otherwise, the condition is evaluated each time it is called on in a configuration.
- Run As System User - Select this option to enable the script to use functionality that would not otherwise be accessible to the currently logged on user.
- Enter the script using
one of the following methods:
- Type directly into the field
- Drag and drop or copy and paste from another location.
- Click the import button and select a file to open and use in the script field.
- Click OK to save the script.
When triggered, the script runs to its completion and the resulting success or failure of the condition is detailed in the debug log files.
Scripts that time out are classed as failing and any child nodes and their associated actions will not run.
Scripts can be exported and saved from the Scripted Condition dialog and imported into other conditions and configurations.
- Click the export button and select a location to save the file.
- Click Save to complete the export.