Content control allows you to control the accessibility of privileged content. Content Groups provide a means of targeting specific types of content, based on file or folder, drive, or controlling process. Rules determining the behavior for that content are applied to each Content Group in a Workstyle.
There are two main use cases for applying content control:
- To allow standard users to modify privileged content, without having to assign admin rights to either the user or to the application used to modify the content.
Content Groups can be added to content rules where the content can be assigned admin rights. When this is done, any user who receives the Workstyle can modify matching content without requiring an administrator account.
- To block access to content or directories.
Content groups can be added to content rules where the ability to open the content can be controlled with a Block action. When this is done, any user who would normally be able to open and read the content is blocked from opening the content.
Create Content Groups
To create a Content Group:
- Log in to McAfee ePolicy Orchestrator (ePO) and click Policy Catalog.
- Select the policy that you want to add a Content Group to.
- Expand the operating system you want to add the Content Group to and click Actions > Add.
- Enter a name and a description (if required) for the new Content Group. Click OK.
After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have McAfee Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.
Duplicate Content Groups
You can duplicate a Content Group if you need a new Content Group that contains the same content as an existing Content Group. You can edit a duplicated Content Group independently of the Content Group it was duplicated from.
To duplicate a Content Group:
- Browse to the Content Group that you want to duplicate.
- Select Actions > Duplicate. You are asked to confirm the duplication.
- A new Content Group is created that you can add content to.
Target Content Definitions
The Content dialog box provides various Content Definitions. Privilege Management for Windows must match every definition you configure before it will trigger a match (the rules are combined with a logical AND). The following definitions are available:
File or Folder Name
Applications are validated by matching the file or folder name. You can choose to match based on the following options (wildcard characters ? and * may be used):
- Exact Match
- Starts With
- Ends With
- Regular Expressions
Although you can enter relative filenames, we strongly recommend that you enter the full path to a file or the COM server. Environment variables are also supported.
We caution against using the definition File or Folder Name does NOT Match in isolation for executable types. This results in matching every application, including hosted types such as installer packages, scripts, batch files, registry files, management consoles, and Control Panel applets.
When creating blocking rules for applications or content, and the File or Folder Name is used as matching criteria against paths which exist on network shares, use the Universal Naming Convention (UNC) network path rather than a mapped drive letter.
Drive
This option can be used to check the type of disk drive where the file is located. Choose from one of the following options:
- Fixed disk: Any drive that is identified as being an internal hard disk.
- Network: Any drive that is identified as a network share.
- RAM disk: Any drive that is identified as a RAM drive.
- Any Removable Drive or Media: If you want to target any removable drive or media but are unsure of the specific drive type, choose this option, which matches any of the removable media types below. Alternatively, if you want to target a specific type, choose one of the following removable media types:
  - Removable Media: Any drive that is identified as removable media.
  - USB: Any drive that is identified as a disk connected via USB.
  - CD/DVD: Any drive that is identified as a CD or DVD drive.
  - eSATA Drive: Any drive that is identified as a disk connected via eSATA.
Controlling Process
This option allows you to target content based on the process (application) that will be used to open the content file. The application must have been added to an Application Group. You can also define whether any parent of the application matches the definition.
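To make the matching semantics above concrete, the following is an added example (not code from the product or its documentation) that emulates how a content entry's definitions combine: every configured definition must match (logical AND), File or Folder Name supports the ? and * wildcards with Exact Match, Starts With, Ends With or Regular Expressions, Any Removable Drive or Media covers the four removable types, and Controlling Process can optionally accept a parent process. The entry and access structures, the explicit environment dictionary used for %VAR% expansion, and the OR across entries in a group are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Drive types that the "Any Removable Drive or Media" option expands to.
REMOVABLE = {"removable_media", "usb", "cd_dvd", "esata"}

@dataclass
class ContentDefinition:
    """One content entry; every configured definition must match (logical AND)."""
    name_pattern: Optional[str] = None      # File or Folder Name, wildcards ? and *
    name_mode: str = "exact"                # exact | starts_with | ends_with | regex
    drive_types: frozenset = frozenset()    # empty = Drive definition not configured
    processes: frozenset = frozenset()      # controlling process image names, lower-case
    match_parents: bool = False             # also accept a parent of the controlling process

@dataclass
class ContentAccess:
    """Constructed view of an open-file event as the agent would observe it."""
    path: str
    drive_type: str
    process: str
    parents: tuple = ()

def expand_env(pattern: str, env: dict) -> str:
    # %VAR% expansion from an explicit environment (assumed); unknown names are left as-is
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)

def name_regex(pattern: str, mode: str) -> re.Pattern:
    # Translate the ? and * wildcards, then anchor according to the match mode.
    body = pattern if mode == "regex" else re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    if mode == "starts_with":
        body += ".*"
    elif mode == "ends_with":
        body = ".*" + body
    return re.compile(body, re.IGNORECASE)  # Windows paths are case-insensitive

def definition_matches(d: ContentDefinition, a: ContentAccess, env: dict) -> bool:
    if d.name_pattern is not None:
        if not name_regex(expand_env(d.name_pattern, env), d.name_mode).fullmatch(a.path):
            return False
    if d.drive_types:
        any_removable = "any_removable" in d.drive_types and a.drive_type in REMOVABLE
        if a.drive_type not in d.drive_types and not any_removable:
            return False
    if d.processes:
        candidates = {a.process.lower()} | ({p.lower() for p in a.parents} if d.match_parents else set())
        if not candidates & d.processes:
            return False
    return True

def group_matches(group: list, a: ContentAccess, env: dict) -> bool:
    """A Content Group matches when any one of its entries matches (assumed OR across entries)."""
    return any(definition_matches(d, a, env) for d in group)
```

The second assertion in the test below illustrates the UNC caveat from the File or Folder Name section: a pattern written with the UNC path does not match the same file opened through a mapped drive letter.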
To add content to a Content Group:
- Select the relevant target Content Group.
- In the right pane, select Actions > Add.
- The Add Content dialog box appears. Enter the file or folder name.
- Enter a description for the content and click Next.
- Configure the matching criteria for the content and then click Next. You can configure:
  - File or Folder Name
  - Controlling Process
- Click OK. The content is added to the Content Group.