Editing Run Script preferences

Configure the Actions setting to manage the way scripts in a Run Script request are deployed to your devices. Specifically, you can:

  • Edit the start up folder that Reach scripts are downloaded to when you create a Run Script request.

  • Configure whether the Reach script signature is validated when you create a Run Script request to run a script on your Windows devices.

When a Windows or Mac device with a pending Run Script request connects with the Absolute Monitoring Center, the agent downloads the script to a startup folder and runs the script on the device from this location. By default, the agent uses the C:\ProgramData\ as the startup folder on Windows devices and /tmp/ as the startup folder on Mac devices. If these locations are unsuitable, you can customize the startup folder location.

You can change the startup folder to a local drive, an external drive, or a network drive. On Windows, the network drive must already be mapped to a drive letter. For example, H:\.

If the folder already exists on the target device, the agent checks the read-write permissions of the folder. If the agent can gain the required permission, the agent downloads and runs the script there.

If the startup folder (or any of the parent folders) doesn't exist, the agent tries to create them. If the agent has the create permission, the agent creates the folder or folders, and then downloads and runs the script.

If the agent doesn't have the correct permissions, or fails to create the startup folder, the Run Script request fails for the device. You can view the failure reason in Action Requests.

Although the agent deletes the script from the startup folder once the request is complete, it doesn't remove the folders that it created. The startup folder remains on the device for future use.

A valid startup folder complies with the following requirements:

  • The path must be a valid absolute folder path

    • On Windows devices, a valid path starts with <Drive Letter>:\

      For example: C:\ProgramData\ReachScript\

    • On Mac devices, a valid path starts with the root folder /

      For example: /tmp/ReachScript/

  • The folder has read, write, and execute permissions
  • The path doesn't contain Unicode
  • The path is 150 characters or less

Depending on your anti-malware product, you may need to add the folder as a policy exception or add it to an allow list.

To edit the startup folder:

  1. Log in to the Secure Endpoint Console with the Manage permission for Reach Script.
  2. On the navigation bar, click Settings > Account settings.
  3. Under Actions, do one of the following:
    • To change the Windows startup folder, click the field next to Windows and enter a new path.
    • To change the Mac startup folder, click the field next to macOS and enter a new path.
  4. Click outside the dialog to save your changes.

The startup folder is changed for all future Run Script requests. Existing Run Script requests use the folders that were set when the request was created.

If you've saved changes to the startup folders, you can reset them to the default locations.

To reset the startup folder location:

  1. Log in to the Secure Endpoint Console with Manage permissions for Reach Script.
  2. On the navigation bar, click Settings > Account settings.
  3. Under Actions, do one of the following:
    • To reset the Windows startup folder, click the field next to Windows and clear the path from the field.
    • To reset the Mac startup folder, click the field next to macOS and clear the path from the field.
  4. Click outside the dialog to save your changes.

The startup folders will now use the default location for all future Run Script requests. Existing Run Script requests use the folders that were set when the request was created.

All PowerShell scripts that are part of a Reach script are signed, either by you before you upload them, or by Absolute if they aren't signed when they're uploaded to the Secure Endpoint Console. If signature validation is enabled, the ANS component A lightweight software component of the Secure Endpoint Agent that is responsible for running a script on a device when a Run Script request is processed. validates the signature when the script is downloaded to the device as part of a Run Script request. This ensures that the script hasn't been altered since it was signed. By default, script validation is disabled. For improved security, we strongly recommend that you enable script validation.

Scripts are signed even if the script signature check is disabled.

To enable or disable signature validation:

  1. Log in to the Secure Endpoint Console with Manage permissions for Reach Script.
  2. On the navigation bar, click Settings > Account settings.

  3. Do one of the following:

    • To enable script signature validation, click the Script signature validation slider to set it to On.
    • To disable script signature validation, click the Script signature validation slider to set it to Off.
  4. In the dialog that opens, click Enable.

The signature validation setting is updated.

To validate the script's signature at the device, the device must be running Secure Endpoint Agent version 9.0 or higher.