
Content groups

Build a Content Group using the definitions provided to control access to privileged content. Content Groups are added to a Content Rule in a Workstyle. When a match is detected on a computer receiving the policy, the rule triggers and its behavior (allow or block) applies.

There are two main use cases for applying content control:

  • Allow modification: Allows standard users to modify privileged content, without having to assign admin rights to either the user, or the application used to modify the content.

    Add a Content Group to a content rule where the content can be assigned admin rights. When this is done, any user who receives the Workstyle can modify matching content without requiring an administrator account.

  • Block access: Prevents users from opening matching content or directories, even when they hold the file-system permissions to read it.

    Add a Content Group to a content rule where the ability to open the content is controlled with a Block action. When this is done, any user who could otherwise open and read the content is blocked from opening it.

Create a content rule

  1. Expand a Workstyle, and then go to Content Rules.
  2. Click Create New.
  3. Select the rule properties:
    • Group: Select a Content Group.
    • Action: Select Allow or Block. The action that occurs if the content in the Content Group is accessed by the end user.
    • End User Message: Select a message from the list.
    • Access Token: Select the type of token to pass to the Content Group. You can select from:
      • Passive (no change): Doesn't make any change to the user's token. This is essentially an audit feature.
      • Enforce User's Default Rights: Removes all rights and uses the user's default token. Windows UAC always tries to add administration rights to the token being used, so if the user clicks an application that triggers UAC, the user cannot progress past the UAC prompt.
      • Drop Admin Rights: Removes administration rights from the user's token.
      • Add Full Admin (Required for installers): Standard Windows Admin token containing all Admin privileges.
      • Add Basic Admin Rights: Gives greater control over the privileges granted when targeting rules at actions. This excludes the following privileges: SeDebugPrivilege, SeLoadDriverPrivilege.
      • Privilege Management Support Token: Applies Add Full Admin privileges with tamper protection removed.
      • Keep Privileges - Enhanced: Keeps the same privileges of the process token and adds some additional context to it. Use the token with features such as Advanced Parent Tracking or Anti-tamper.
    • Raise a Local Event: Off, On, Anonymous. Select whether an event is raised when this Content Rule is triggered. When on, an event is written to the local event log. Anonymous removes the user and host name from events so the user and host are not identifiable.
    • Run an Audit Script: Select an audit script from the list.
    • Reporting Events: When the setting is on, events are raised for viewing in EPM Analytics.
  4. Click Create Content Rule.

Create a content group

Important

We recommend adding a controlling process for each content definition. If a controlling process is not added to a content definition, then performance issues can occur on computers the policy is applied to.

  1. Expand the Windows panel of the Policy Editor.
  2. Click Content Groups, and then click Create New Content Group.
  3. Enter a name, and then click Create Content Group.
  4. Select the saved content group, and then click Create New Content.
  5. Configure the definitions.
  6. Click Create Content.

After the content is added, add the Content Group to an existing Content Rule or create a new one.

Content definitions

A Content Group is composed of one or more definitions. All definitions that make up a Content Group must match before the Content Rule triggers.

The following content definitions are available:

  • File or Folder Name
  • Drive
  • Controlling Process

Review the next sections to learn more before building a Content Group.

File or folder name

Validate applications by matching the file or folder name. You can choose to match based on the following options (the wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Although you can enter relative filenames, we strongly recommend that you enter the full path to a file or the COM server. Environment variables are also supported.

We do not recommend using the File or Folder Name does NOT Match definition in isolation for executable types, as it results in matching every application, including hosted types such as Installer packages, scripts, batch files, registry files, management consoles, and Control Panel applets.

When creating blocking rules for applications or content, and using the File or Folder Name definition as matching criteria against paths which exist on network shares, use the Universal Naming Convention (UNC) network path rather than a mapped drive letter.

Drive

Verify the type of disk drive where the file is located. Choose from one of the following options:

  • Fixed disk: Any drive that is identified as being an internal hard disk.
  • Network: Any drive that is identified as a network share.
  • RAM disk: Any drive that is identified as a RAM drive.
  • Any Removable Drive or Media: If you want to target any removable drive or media but are unsure of the specific drive type, this option matches any of the removable media types below. Alternatively, if you want to target a specific type, choose one of the following removable media types:
    • Removable Media: Any drive that is identified as removable media.
    • USB: Any drive that is identified as a disk connected via USB.
    • CD/DVD: Any drive that is identified as a CD or DVD drive.
    • eSATA Drive: Any drive that is identified as a disk connected via eSATA.

Controlling process

Use this definition to target content based on the process (application) used to open the content file. The application must have been added to an Application Group. You can also define whether any parent of the application matches the definition.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.