Filters

Workstyle Filters

To view or edit the general properties of a Workstyle, navigate to Windows > Workstyles > Workstyle Name > Filters in the policy tree. The Filters section is last in the list on the right.

The Filters tab of a Workstyle can be used to further refine when a Workstyle is actually applied.

By default, a Workstyle applies to all users or computers who receive it. However, you can add one or more filters that restrict the application of the Workstyle:

  • Account Filter: This filter restricts the Workstyle to specific users or groups of users.
  • Computer Filter: This filter restricts the Workstyle to specific computers (names or IP addresses), or Remote Desktop clients.
  • Time Filter: This filter restricts the Workstyle to being applied at particular days of the week and times of the day.
  • Expiry Filter: This filter sets the expiration of a Workstyle to a date and time.
  • WMI Filter: This filter restricts the Workstyle based on the success or failure of a WMI query.

If you want the Workstyle to apply only if all filters match, select the option ALL filters must match from above the Filters table. If you want the Workstyle to apply when any filter matches, select the option ANY filter can match from above the Filters table.

Filters can also be configured to apply if there are no matches. This is referred to as an exclude filter. To set an exclude filter, check the filter box and click Actions > Set NOT. To clear the exclude filter, select it and click Actions > Clear NOT.

Time filters and Expiry filters can only be used once in a Workstyle.

After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have McAfee Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.

Account Filters

Account filters specify the users and groups the Workstyle is applied to.

When a new controlling Workstyle is created, a default account filter is added to target either Standard users only, or Everyone (including administrators), depending on your selection in the Workstyle Wizard.

Configure Account Filters

To restrict a Workstyle to specific groups or users:

  1. Expand the appropriate Workstyle in the left pane and click Filters.
  2. Select Actions > Add Account Filter.
  3. Click on the new account filter to open the Add/Edit Accounts page.
  4. Choose Browse to browse for an account, or select Add Account to add an account manually.
  5. Click OK.

Domain and well-known accounts display a Security Identifier (SID). The SID is used by the Privilege Management for Windows client, which avoids account lookup operations. For local accounts, the name is used by the Privilege Management for Windows client, and the SID is looked up when the Workstyle is loaded by the client.

SIDs must be added if using a group as a filter on a non-domain machine.

By default, an account filter applies if any of the user or group accounts in the list match the user. If you have specified multiple user and group accounts within one account filter, and want to apply the Workstyle only if all entries in the account filter match, then check the option All items below should match.

You can add more than one account filter if you want the user to be a member of more than one group of accounts for the Workstyle to be applied.

If an account filter is added, but no user or group accounts are specified, a warning is displayed, advising No accounts added, and the account filter is ignored.

If All items below should match is enabled, and you have more than one user account listed, the Workstyle never applies, as the user cannot match two different user accounts.

Computer Filters

A computer filter specifies the computers and IP addresses that the Workstyle is applied to.

To restrict the Workstyle to specific computers:

  1. Expand the appropriate Workstyle in the left pane and click Filters.
  2. Select Actions > Add Computer Filter.
  3. Click the new computer filter to open the Add/Edit Computers page.
  4. Choose Browse Systems to select a managed computer from the McAfee ePO System Tree, or select Add Host Name to manually enter the computer information.
  5. When you have finished adding computers to the filter, click Finish.

To restrict the Workstyle to specific IP addresses, follow the steps above, but click Add IP Address and enter an IP address.

You can also use the asterisk wildcard (*) in any octet to include all addresses in that octet range; for example, 192.168.*.*. Alternatively, you can specify a particular range for any octet; for example, 192.168.0.0-254. Wildcards and ranges can be used in the same IP address, but not in the same octet.
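To check which addresses a pattern covers before relying on it to scope a Workstyle, the octet syntax above can be modelled in PowerShell. This is an added example, not code from the product: the function name Test-IpFilterMatch is hypothetical, ranges are assumed to be inclusive, and the sample patterns and addresses are constructed.

```powershell
# Added example: models the octet syntax described above
# (a number, '*', or a low-high range; never both in one octet).
function Test-IpFilterMatch {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        [Parameter(Mandatory)] [string] $Address
    )
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "Address '$Address' is not a dotted IPv4 address"
    }
    $patternOctets = $Pattern.Split('.')
    $addressOctets = $Address.Split('.')
    if ($patternOctets.Count -ne 4) {
        throw "Pattern '$Pattern' must have four octets"
    }
    for ($i = 0; $i -lt 4; $i++) {
        $p = $patternOctets[$i]
        $value = [int]$addressOctets[$i]
        if ($p -eq '*') {
            $low = 0; $high = 255                      # wildcard: whole octet
        }
        elseif ($p -match '^(\d{1,3})-(\d{1,3})$') {
            $low = [int]$Matches[1]; $high = [int]$Matches[2]   # range (assumed inclusive)
        }
        elseif ($p -match '^\d{1,3}$') {
            $low = $high = [int]$p                     # literal octet
        }
        else {
            # Covers a wildcard and a range mixed in one octet, e.g. '*-5'.
            throw "Octet '$p' is not a number, '*', or a low-high range"
        }
        if ($low -gt $high -or $high -gt 255) { throw "Octet '$p' is out of range" }
        if ($value -lt $low -or $value -gt $high) { return $false }
    }
    return $true
}

# Constructed patterns and addresses.
$checks = @(
    @{ Pattern = '192.168.*.*';     Address = '192.168.40.7' },
    @{ Pattern = '192.168.0.0-254'; Address = '192.168.0.255' },
    @{ Pattern = '10.*.0-15.*';     Address = '10.9.12.200' }
)
foreach ($c in $checks) {
    $hit = Test-IpFilterMatch -Pattern $c.Pattern -Address $c.Address
    '{0,-18} {1,-15} match={2}' -f $c.Pattern, $c.Address, $hit
}
```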

By default, the hostname is matched against the host computer, where the Workstyle is being applied. If a user logs on through RDP then you may instruct the computer filter to match against the remote desktop computer by checking the Match the remote desktop (instead of the local computer) box. If the user logs on directly to the computer then the remote desktop is the same as the computer.

You may add more than one computer filter if you want the computer to match more than one computer filter for the Workstyle to be applied.

By default, a computer filter applies if any of the hostnames or IP Addresses in the list match the computer. If you have specified multiple hostnames and IP addresses, and want to apply the Workstyle only if ALL entries in the computer filter match, then select the option All items below should match.

Time Range Filters

A time range filter can specify the hours of a day, and days of week that a Workstyle is to be applied.

To restrict a Workstyle to a specific date or time period of activity:

  1. Expand the appropriate Workstyle in the left pane and click Filters.
  2. Select Actions > Add Time Range Filter.
  3. Click on the new time range filter.
  4. Click on the 24 x 7 grid squares to toggle when the Workstyle should be made Active or Inactive and click OK.

Only one time filter may be added to a Workstyle.

The time filter is applied based on the user’s timezone by default. Uncheck the Use timezone of user for time restrictions (otherwise use UTC) box to use UTC for the timezone.

Expiry Filter

An expiry filter specifies an expiry date and time for a Workstyle.

To restrict a Workstyle to an expiry date and time:

  1. Expand the appropriate Workstyle in the left pane and click Filters.
  2. Select Actions > Add Expiry Filter.
  3. Click on the new expiry filter.
  4. Set the date and time that you want the Workstyle to expire on and click OK.

Only one expiry filter may be added to a Workstyle.

The expiry time is applied based on the user’s timezone by default. Uncheck the Use timezone of user for policy expiry (otherwise use UTC) box to use UTC for the timezone.

Windows Management Instrumentation (WMI) Filters

A WMI filter specifies if a Workstyle should be applied, based on the outcome of a WMI query.

The filter allows you to specify the following:

  • Description: Free text to describe the WMI query.
  • Namespace: Set the namespace that the query will execute against. By default, this is root\CIMV2.
  • Query: The WMI Query Language (WQL) statement to execute.
  • Timeout: The time (in seconds) the client waits for a response before terminating the query. By default, no timeout is specified.

Long running WMI queries result in delayed application launches. Therefore, we recommend you specify a timeout to ensure that queries are terminated in a timely manner.

When a WMI query is executed, the client checks if any rows of data are returned. If any data is returned, then the WMI query is successful. If no data is returned or an error is detected in the execution, the WMI query is unsuccessful.

It is possible for many rows of data to be returned from a WMI query, in which case you can create more complex WQL statements using WHERE clauses. The more clauses you add to your statement, the fewer rows are likely to return, and the more specific your WMI query is.

The WMI filter includes several default templates for common WMI queries. To add a new WMI query from a template, click Add a WMI template and use the instant search box to quickly find a template.

WQL statements can include parameterized values which allow you to execute queries including select user, computer, and Privilege Management for Windows properties.

WMI queries are always run as SYSTEM, and cannot be executed against remote computers or network resources. WMI filters do not support impersonation levels, and can only be used with SELECT queries.

By default, a WMI filter applies if any of the WMI queries in the list return true. If you have specified multiple WMI queries, and want to apply the Workstyle only if ALL queries return true, then check the option All items below should match.
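A WQL statement can be checked against the success rule above before it is added to a filter. The following is an added example, not part of the product: the function name Test-WmiFilterQuery, the 5-second timeout and the sample queries are assumptions. It runs in the context of the person testing rather than as SYSTEM, and it does not resolve parameterized values.

```powershell
# Added example: mirrors the success rule described above.
# Rows returned = match; no rows, an error or a timeout = no match.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMV2',  # default namespace named on the page
        [int] $TimeoutSec = 5                # assumed test value, not a product default
    )
    $rows = @()
    $errorText = $null
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    if ($Query -notmatch '^\s*SELECT\s') {
        # WMI filters can only be used with SELECT queries.
        $errorText = 'Not a SELECT query'
    }
    else {
        try {
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query `
                    -OperationTimeoutSec $TimeoutSec -ErrorAction Stop)
        }
        catch {
            $errorText = $_.Exception.Message
        }
    }
    $timer.Stop()
    [pscustomobject]@{
        Query     = $Query
        Matched   = ($rows.Count -gt 0)
        Rows      = $rows.Count
        ElapsedMs = $timer.ElapsedMilliseconds
        Error     = $errorText
    }
}

# Constructed sample queries (not the product's templates).
$queries = @(
    'SELECT * FROM Win32_Battery',
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',
    'SELECT * FROM Win32_NoSuchClass'
)
$results = @($queries | ForEach-Object { Test-WmiFilterQuery -Query $_ })
$results | Format-Table -AutoSize

# Default filter behaviour: any query matching is enough.
$anyMatch = $results.Matched -contains $true
# With "All items below should match": every query must match.
$allMatch = $results.Matched -notcontains $false
"ANY: $anyMatch  ALL: $allMatch"
```

The ElapsedMs column shows how long each query takes, which helps when choosing the Timeout value for the filter.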

If a WMI filter is added, but no WMI queries are specified, a warning is displayed, advising No queries added.

For information on how to use parameters, please see Privilege Management for Windows Workstyle Parameters.