Getting started with the Reach script library

Absolute provides Absolute Reach scripts and automatically includes them in the script library. Absolute Reach scripts have the Absolute logo () and show that they're created by Absolute. To see only Absolute Reach scripts, click Absolute. Absolute Reach scripts may include a Script Variables area when you view them in the script library. When authorized users create a Run Script request using an Absolute script, they can specify any required and optional parameter values in the fields in the Script Variables area. You can edit or delete Absolute Reach scripts.

For the full list of available scripts, see the Absolute Reach datasheet.

You create and maintain custom Reach scripts. Custom Reach scripts have the custom icon () and show the user that created the script. You can create a custom Reach script, upload PowerShell or Bash scripts to it, and save it directly to the script library. A custom Reach script is also created when an authorized user selects Save to Custom library when they submit a Run Script request. When you create a custom Reach script, you can specify script configurations, which are saved with the script and applied when the script runs on a device. To see only custom Reach scripts, click Custom. You can add, edit, and delete custom Reach scripts.

Reach scripts can contain a PowerShell script, a Bash script, or both a PowerShell and a Bash script. To improve security and to prevent some antivirus programs from blocking the script from running on your Windows devices, all PowerShell scripts that are part of a Reach script are signed. Absolute signs the PowerShell scripts in Absolute Reach scripts. You can sign the PowerShell scripts in your custom Reach scripts before you upload them. If no signature is found when you upload them, Absolute signs the script.

When the ANS component A lightweight software component of the Secure Endpoint Agent that is responsible for running a script on a device when a Run Script request is processed. processes a Run Script request on your Windows device and you've enabled the script signature check for your account, the ANS component validates the signature on the PowerShell script before running it. If the validation fails, the Run Script request fails for the device. The script signature check is disabled by default. For improved security, we strongly recommend that you enable script validation.

Scripts are signed even when the script signature check is disabled in Settings > Action preferences.

Scripts signed by you

When you run a script signed by you on your Windows devices and you've enabled the script signature check, you need to make sure you have added your certificate to your devices' Trusted Root Certification Authorities and Trusted Publishers certificates stores before you use the script in Run Script requests. The ANS component uses the certificates stores to validate the signature on the PowerShell script to make sure that the script wasn't tampered with after you signed it.

Scripts signed by Absolute

When you run a script signed by Absolute on your Windows devices and you've enabled the script signature check, the ANS component imports the root Certificate Authority public key on the device's Trusted Root Certification Authorities certificates store. Next, the ANS component validates the signature on the PowerShell script to make sure the script wasn't tampered with after Absolute signed it. Depending on your device and user policies, the ANS component either runs the script, or imports the certificate from the PowerShell script to the Trusted Publishers certificates store, and runs the script.

When the ANS component is uninstalled, the certificates are removed from the Trusted Root Certification Authorities and Trusted Publishers certificates stores.

To validate the script's signature at the device, the device must be running Secure Endpoint Agent version 9.0 or higher.