Content Groups

Content control allows you to control the accessibility of privileged content. Content Groups provide a means of targeting specific types of content, based on file or folder, drive, or controlling process. Rules determining the behavior for that content are applied to each Content Group in a Workstyle.

There are two main use cases for applying content control:

  1. Allow Modification: To allow standard users to modify privileged content, without having to assign admin rights to either the user, or the application used to modify the content.

    Content Groups can be added to Content Rules where the content can be assigned admin rights. When this is done, any user who receives the Workstyle can modify matching content without requiring an administrator account.

  2. Blocked Access: To block access to content or directories.

    Content Groups can be added to Content Rules where the ability to open the content can be controlled with a Block action. When this is done, any user who can normally open and read the content is blocked from opening the content.

Sample file types that can be used in Content Groups:

  • Text documents (files with no extension that are basically just text documents): .txt, .log, .docx

  • Scripts: .ps1, .bat, .cmd


Content Groups cannot modify .exe files.

The following sections explain how to create Content Groups, including content definitions, and how to assign groups to Content Rules to apply the specific content Control Rules that meet your requirements.

Create Content Groups

To create a Content Group:

  1. Log in to ePO Policy Orchestrator and click on Policy Catalog.
  2. Select the policy that you want to add a Content Group to.
  3. Expand the operating system you want to add the Content Group to and click Actions > Add.
  4. Enter a name and a description (if required) for the new Content Group. Click OK.

After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have McAfee Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.

Duplicate Content Groups

You can duplicate a Content Group if you need a new Content Group that contains the same content as an existing Content Group. You can edit a duplicated Content Group independently of the Content Group it was duplicated from.

To duplicate a Content Group:

  1. Browse to the Content Group that you want to duplicate.
  2. Select Actions > Duplicate. You are asked to confirm the duplication.
  3. A new Content Group is created that you can add content to.

Target Content Definitions

The Content dialog box provides various Content Definitions. Privilege Management for Windows must match every definition you configure before it triggers a match (the rules are combined with a logical AND). The following definitions are available:

File or Folder Name

Applications are validated by matching the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):

  • Exact Match
  • Starts With
  • Ends With
  • Contains
  • Regular Expressions

Although you can enter relative filenames, we strongly recommend that you enter the full path to a file or the COM server. Environment variables are also supported.

We do not recommend using the File or Folder Name does NOT Match definition in isolation for executable types, as it results in matching every application, including hosted types such as Installer packages, scripts, batch files, registry files, management consoles, and Control Panel applets.

When creating blocking rules for applications or content, and using the File or Folder Name definition as matching criteria against paths which exist on network shares, this should be done using the Universal Naming Convention (UNC) network path rather than a mapped drive letter.


This option can be used to check the type of disk drive where the file is located. Choose from one of the following options:

  • Fixed disk: Any drive that is identified as being an internal hard disk.
  • Network: Any drive that is identified as a network share.
  • RAM disk: Any drive that is identified as a RAM drive.
  • Any Removable Drive or Media: If you want to target any removable drive or media, but are unsure of the specific drive type, this option will match any of the removable media types below. Alternatively, if you want to target a specific type, choose one of the following removable media types:
    • Removable Media: Any drive that is identified as removable media.
    • USB: Any drive that is identified as a disk connected via USB.
    • CD/DVD: Any drive that is identified as a CD or DVD drive.
    • eSATA Drive: Any drive that is identified as a disk connected via eSATA.

Controlling Process

This option allows you to target content based on the process (application) used to open the content file. The application must have been added to an Application Group. You can also define whether any parent of the application matches the definition.

For more information, please see Supported Regular Expressions Syntax.

Insert Content

To insert a content type:

  1. Select the relevant target Content Group.
  2. In the right pane select Actions > Add.
  3. The Add Content dialog box appears. Enter the file or folder name.
  4. Enter a description for the content and click Next.
  5. You need to configure the matching criteria for the executable and then click Next. You can configure:
    • File or Folder Name
    • Drive
    • Controlling Process
  6. Click OK. The content is added to the Content Group.