The Custom Policy section is designed to be extremely flexible. Allowing you to evaluate and enforce just about anything you can script. It also allows you to upload files that can be used on the targeted device.
The Evaluation and Remediation code languages are specific to the OS and run in the version currently installed on the target machine.
Linux & OS X: Bash
It is possible to launch and run a script file in a different language in the remediation code by invoking the file from the native language script. This assumes that your target device is capable of running the uploaded script file.
Note: On 64-bit Windows, this runs in a 32-bit PowerShell session. You may need to plan around this for accessing 64-bit registry locations and filesystems. This is caused by 32-bit processes being redirected to 'Wow6432Node' or 'SysWoW64' in place of the native locations.
The evaluation code is intended to test a condition, and return an exit code based on that condition. The evaluation runs each time a device runs a scan and flags the device for remediation according to the exit code. If the exit code is 0, the evaluation is seen as successful and no remediation will take place. Any non-zero exit code flags the device for remediation when the policy’s scheduled time arrives.
Note that manually executing the policy triggers the Remediation code regardless of the flagged exit code.
The remediation code section is open ended, it can be used to do basically anything you can script. Whether that is enforcing a configuration setting, installing an application or certificate etc.
Any files you uploaded to the policy are downloaded when the remediation code runs, and can then be called/invoked by your script.
Any files you may need to reference in your remediation script can be uploaded as part of the policy. These files will download when the remediation runs and will be available in the current working directory of the script. As such, they can usually just be referred to by their file name. Though some situations may require you use the relative path. (./filename in Bash or .\filename in PowerShell)
Executing Custom Policy
As with all of the other policy types, custom policies can be scheduled to run by Month, Day-of-Week, and Week-of-Month. Use this to customize the schedule on which the remediation script will run non-compliant devices.
Manual Execution can be handled in two different ways, per device and per policy.
On the Device Details page for every device in a Group that is associated with the policy; There is an Associated Policies section where you will see the policy name and a ‘Run Policy’ button. This button will trigger the policy to run immediately on the selected device.
On the System Management page when clicking on a policy, the page will display lines to its associated groups and a button labeled ‘Execute Policy Now’. This button will trigger the policy to run immediately on all devices in the associated groups.
Note: These methods trigger the remediation script regardless of the compliance status of the device. Use these methods with caution.