The Custom Policy section is designed to be extremely flexible. Allowing you to evaluate and enforce just about anything you can script. It also allows you to upload files that can be used on the targeted device.
The Evaluation and Remediation code languages are specific to the OS and run in the version currently installed on the target machine.
Linux & OS X: Bash
It is possible to launch and run a script file in a different language in the remediation code by invoking the file from the native language script. This assumes that your target device is capable of running the uploaded script file.
The evaluation code is intended to test a condition, and return an exit code based on that condition. The evaluation runs each time a device runs a scan and flags the device for remediation according to the exit code. If the exit code is 0, the evaluation is seen as successful and no remediation will take place. Any non-zero exit code flags the device for remediation when the policy’s scheduled time arrives.
Note that manually executing the policy triggers the Remediation code regardless of the flagged exit code.
The remediation code section is open ended, it can be used to do basically anything you can script. Whether that is enforcing a configuration setting, installing an application or certificate etc.
Any files you uploaded to the policy are downloaded when the remediation code runs, and can then be called/invoked by your script.
Any files you may need to reference in your remediation script can be uploaded as part of the policy. These files will download when the remediation runs and will be available in the current working directory of the script.
Executing Custom Policy
As with all of the other policy types, custom policies can be scheduled to run by Month, Day-of-Week, and Week-of-Month. Use this to customize the schedule on which the remediation script will run non-compliant devices.
Manual Execution can be handled in two different ways, per device and per policy.
On the Device Details page for every device in a Group that is associated with the policy; There is an Associated Policies section where you will see the policy name and a ‘Run Policy’ button. This button will trigger the policy to run immediately on the selected device.
On the System Management page when clicking on a policy, the page will display lines to its associated groups and a button labeled ‘Execute Policy Now’. This button will trigger the policy to run immediately on all devices in the associated groups.
Note: These methods trigger the remediation script regardless of the compliance status of the device. Use these methods with caution.
Asides like these are a good opportunity for cross-linking articles in the future for increased discoverability (I have a WIP KB for this exact topic).