Defining a group of all computers except these.
With help from this forum I've been able to identify and label a group of computers that are authorized to run a particular legacy application. How would I prevent the application from being executed on all of our KACE managed computers except for the authorized group? The "Disallowed Programs Policy" script makes it pretty easy to block execution from a defined set, but it wasn't readily apparent how to do the inverse, i.e., block execution from everything except a defined set. Thanks much!
0 Comments
[ + ] Show comments
Answers (3)
Please log in to answer
Posted by:
GillySpy
13 years ago
I would make a label whose conditions is the inverse of the other one.
You could also make a label that fires after the other one that checks to see if it's in the other label and if it isn't then label it -- this would be a custom filter.
You could also make a label that fires after the other one that checks to see if it's in the other label and if it isn't then label it -- this would be a custom filter.
Posted by:
cblake
13 years ago
A Smart label that looks for a common criteria (like domain name or OS Name), and NOT in the authorized label might be another similar approach.
Posted by:
kawelea
13 years ago
Thanks all. Defining the inverse was not as hard as I thought it would be. Within the Scripting/Custom Inventory capabilities, I couldn't find any "Logical Not" functionality, but the capability does exist when defining a Smart Label. So I created a manual label (e.g., "AuthorizedMachines") associated with all the computers authorized to run the software, then created a Smart Label (e.g., "DenyExecute" defined by "Label Name" "does not contain" "Authorized Machines".
So now I can run the "Disallowed Programs Policy" script against the "DenyExecute" label to block them from running the app, and control who can run the app by adding/removing the machine from the "AuthorizedMachines" label.
Anything I should be concerned about with this approach?
So now I can run the "Disallowed Programs Policy" script against the "DenyExecute" label to block them from running the app, and control who can run the app by adding/removing the machine from the "AuthorizedMachines" label.
Anything I should be concerned about with this approach?
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.