Content Groups

Content control allows you to control the accessibility of privileged content. Content Groups provide a means of targeting specific types of content, based on file or folder, drive, or controlling process. Rules determining the behavior for that content are applied to each Content Group in a Workstyle.

There are two main use cases for applying content control:

  1. Allow Modification: To allow standard users to modify privileged content, without having to assign admin rights to either the user, or the application used to modify the content.

    Content Groups can be added to Content Rules where the content can be assigned admin rights. When this is done, any user who receives the Workstyle can modify matching content without requiring an administrator account.

  2. Blocked Access: To block access to content or directories.

    Content Groups can be added to Content Rules where the ability to open the content can be controlled with a Block action. When this is done, any user who can normally open and read the content is blocked from opening the content.

Sample file types that can be used in Content Groups:

  • Text documents (file types whose content is essentially just text): .txt, .log, .docx

  • Scripts: .ps1, .bat, .cmd

Content Groups cannot modify .exe files.

The following sections explain how to create Content Groups, including content definitions, and how to assign groups to Content Rules to apply the specific content Control Rules that meet your requirements.

Create Content Groups

We recommend adding a controlling process for each content definition. If a controlling process is not added to a content definition, then performance issues can occur on computers the policy is applied to.

To create a Content Group:

  1. Navigate to Endpoint Privilege Management Settings > Windows > Content Groups.
  2. Right-click and select New Content Group. This creates a Content Group with the default name Content Group x, where x increments numerically.
  3. Right-click on the new Content Group and select Rename. Enter the new name you want and press Return to save your new Content Group.

Duplicate Content Groups

You can duplicate a Content Group if you need a new Content Group that contains the same content as an existing Content Group. You can edit a duplicated Content Group independently of the Content Group it was duplicated from.

To duplicate a Content Group:

  1. Navigate to Endpoint Privilege Management Settings > Windows > Content Groups.
  2. Right-click on the Content Group you want to duplicate and select Copy.
  3. Select the Content Groups node, right-click, and select Paste. This makes a new copy of the Content Group and all the Content rules it contains.

The duplicate Content Group is created with an incremental number in brackets appended to its name, and you can add content to it.

Target Content Definitions

The Content dialog box provides various Content Definitions. Endpoint Privilege Management for Windows must match every definition you configure before it triggers a match (the rules are combined with a logical AND). The following definitions are available:

File or Folder Name

Validate applications by matching the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Although you can enter relative filenames, we strongly recommend that you enter the full path to a file or the COM server. Environment variables are also supported.

We do not recommend using the File or Folder Name does NOT Match definition in isolation for executable types, as it results in matching every application, including hosted types such as Installer packages, scripts, batch files, registry files, management consoles, and Control Panel applets.

When creating blocking rules for applications or content, and using the File or Folder Name definition as matching criteria against paths which exist on network shares, use the Universal Naming Convention (UNC) network path rather than a mapped drive letter.

For more information, see Regular Expressions Syntax.

Drive

Verify the type of disk drive where the file is located. Choose from one of the following options:

  • Fixed disk: Any drive that is identified as being an internal hard disk.
  • Network: Any drive that is identified as a network share.
  • RAM disk: Any drive that is identified as a RAM drive.
  • Any Removable Drive or Media: If you want to target any removable drive or media, but are unsure of the specific drive type, this option will match any of the removable media types below. Alternatively, if you want to target a specific type, choose one of the following removable media types:
    • Removable Media: Any drive that is identified as removable media.
    • USB: Any drive that is identified as a disk connected via USB.
    • CD/DVD: Any drive that is identified as a CD or DVD drive.
    • eSATA Drive: Any drive that is identified as a disk connected via eSATA.

Controlling Process

Use this definition to target content based on the process (application) used to open the content file. The application must have been added to an Application Group. You can also define whether any parent of the application matches the definition.

For more information, see Regular Expressions Syntax.
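The following is an added example, not part of this documentation or of the product's own code, that models in Python how the definitions above combine: every configured definition must hold (logical AND), the File or Folder Name match types accept ? and * wildcards (or a regular expression), %VAR% environment variables are expanded, the Drive definition is checked against the drive the file sits on, and the Controlling Process definition is checked against the opening process and, optionally, its parents. It also shows the two caveats from the text: a mapped drive letter does not match a UNC pattern, and a "does NOT Match" name rule used on its own matches everything else. The class names, the drive-kind strings, whole-path regex matching, the OR across the entries of one group, and the sample environment, paths and process names are assumptions made for the example, not the product's internals.

```python
"""Illustrative model of Content Group definition matching (not product code)."""
import fnmatch
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Drive kinds as the Drive definition lists them (names are this example's own).
REMOVABLE_KINDS = frozenset({"removable_media", "usb", "cd_dvd", "esata"})
ANY_REMOVABLE = "any_removable"          # "Any Removable Drive or Media"


class MatchType(Enum):
    EXACT = "Exact Match"
    STARTS_WITH = "Starts With"
    ENDS_WITH = "Ends With"
    CONTAINS = "Contains"
    REGEX = "Regular Expressions"


@dataclass
class ContentEvent:
    """Constructed facts available when a process opens a content file."""
    path: str                          # full path of the content file
    drive_kind: str                    # "fixed", "network", "ram", "usb", ...
    process: str                       # image name of the controlling process
    parents: Tuple[str, ...] = ()      # ancestor image names, nearest first


@dataclass
class ContentDefinition:
    """One content entry; a None field means that definition is not configured."""
    name_pattern: Optional[str] = None
    name_match: MatchType = MatchType.EXACT
    name_negate: bool = False          # "File or Folder Name does NOT Match"
    drive: Optional[str] = None        # a drive kind or ANY_REMOVABLE
    app_group: Optional[frozenset] = None   # image names in the Application Group
    match_parent: bool = False         # also accept a parent of the process


def expand_env(pattern: str, env: dict) -> str:
    """Expand %VAR% references using an explicit (constructed) environment."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)


def name_matches(path: str, pattern: str, match_type: MatchType, env: dict) -> bool:
    """Case-insensitive name test; ? and * are wildcards in the non-regex modes."""
    pat = expand_env(pattern, env)
    if match_type is MatchType.REGEX:
        # Assumption: the regex must describe the whole path.
        return re.fullmatch(pat, path, re.IGNORECASE) is not None
    glob = {
        MatchType.EXACT: pat,
        MatchType.STARTS_WITH: pat + "*",
        MatchType.ENDS_WITH: "*" + pat,
        MatchType.CONTAINS: "*" + pat + "*",
    }[match_type]
    return fnmatch.fnmatchcase(path.lower(), glob.lower())


def definition_matches(d: ContentDefinition, ev: ContentEvent, env: dict) -> bool:
    """Every configured definition must hold (logical AND)."""
    checks = []
    if d.name_pattern is not None:
        hit = name_matches(ev.path, d.name_pattern, d.name_match, env)
        checks.append(hit != d.name_negate)        # negate = "does NOT match"
    if d.drive is not None:
        wanted = REMOVABLE_KINDS if d.drive == ANY_REMOVABLE else {d.drive}
        checks.append(ev.drive_kind in wanted)
    if d.app_group is not None:
        group = {a.lower() for a in d.app_group}
        procs = (ev.process,) + (ev.parents if d.match_parent else ())
        checks.append(any(p.lower() in group for p in procs))
    return all(checks)   # an entry with nothing configured matches everything


def content_group_matches(group, ev: ContentEvent, env: dict) -> bool:
    """Assumption: a Content Group targets content matching any of its entries."""
    return any(definition_matches(d, ev, env) for d in group)


# Constructed sample environment and entries (hypothetical names and paths).
ENV = {"SYSTEMROOT": r"C:\Windows"}
HOSTS_VIA_NOTEPAD = ContentDefinition(        # hosts file, only from notepad.exe
    name_pattern=r"%SystemRoot%\System32\drivers\etc\hosts",
    app_group=frozenset({"notepad.exe"}))
SHARE_SCRIPTS = ContentDefinition(            # .ps1 on a UNC share, any process
    name_pattern=r"\\\\fileserver\\scripts\\.*\.ps1",
    name_match=MatchType.REGEX, drive="network")
FROM_EXPLORER = ContentDefinition(            # parent process may satisfy the group
    name_pattern=".log", name_match=MatchType.ENDS_WITH,
    app_group=frozenset({"explorer.exe"}), match_parent=True)
NOT_MATCH_ALONE = ContentDefinition(          # the caveat: this hits everything else
    name_pattern=r"C:\Approved\*", name_negate=True)
GROUP = [HOSTS_VIA_NOTEPAD, SHARE_SCRIPTS, FROM_EXPLORER]

if __name__ == "__main__":
    ev = ContentEvent(r"C:\Windows\System32\drivers\etc\hosts", "fixed", "notepad.exe")
    print("hosts via notepad ->", content_group_matches(GROUP, ev, ENV))
```

The check that matters in practice is the last entry: `NOT_MATCH_ALONE` returns true for every path outside `C:\Approved`, which is the over-matching the text warns about; pair a negated name with a Drive or Controlling Process definition so the AND narrows it.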

Insert Content

To insert a content rule:

  1. Select the Content Group you want to add the content control to.
  2. Right-click and select Insert Content.
  3. Enter a description, if required.
  4. Configure the matching criteria for the content, then click Next. You can configure:
    • File or Folder Name
    • Drive
    • Controlling Process
  5. Click Finish. The content is added to the Content Group.