Worklet Policy Best Practices

Follow these best practices for effective use of Worklets.

Note: The Evaluation code is run every time a device is scanned, even if a policy or worklet doesn't have an assigned schedule.

Using Device Targeting

Device targeting is recommended to ensure that a Worklet policy doesn't negatively impact an account compliance score.

Prerequisites: You have the required administrative permissions to manage Worklets.
  1. Go to the Edit Worklet page of the policy.
  2. Select Device Targeting and set the Attribute OS to match the operating system setting of the policy itself.

This device targeting setting ensures that the Worklet policy runs against devices with the same OS. Otherwise, the policy would count against the compliance score due to any Worklet failures when run against devices with different OSes.

Manually Running a Worklet

If you want to manually run a Worklet and want to include the evaluation code, using the Run Policy option requires some additional actions.

What to know: When you run a Worklet using the Run Policy option, the evaluation code is not executed. Only the remediation code is executed.

Recommendation: When you are developing and testing a Worklet and want to include the evaluation code, follow these steps:

  1. Schedule the Worklet policy to run 10 minutes from the current time.
  2. Perform a device scan on the testing device to make it aware of the Worklet policy change.
  3. Monitor the results.

PowerShell Examples

Evaluation Code:

Copy 
<#
.SYNOPSIS
    Worklet to test evaluation code
    OS Support: Windows 8/10/11
    Required modules: NONE

.DESCRIPTION
    This script does an evaluation test to check and see if a file exist on the endpoint. If it doesn't, it will create them.

.REQUIREMENTS
PowerShell 2.0

.EXAMPLE

.NOTES
    Author          :Robert Eickleberry
    Modified By     :
    Prerequisite    :PowerShell V2 and up over Win 8/10/11
    Date            :16 Aug 2022 
#>

#variables to look for in evaluation
$file = "Test.txt"
$folder = "C:\Automox\"

#variables combined to create test path location
$location = "$folder$file"

#funcation to add date and time to file
function Get-TimeStamp {
    
    return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
    
}

#checks if file exist
if (Test-Path -Path $location)
{
    #if location exist, adds message
    Add-Content -path $location -value "$folder and $file exist. Evaluation code - Using Exit 0. $(Get-TimeStamp)"
    Exit 0
}
else
{   

    Exit 1
}

Remediation Code:

Copy 
<#
.SYNOPSIS
    Worklet to test remediation code
    OS Support: Windows 8/10/11
    Required modules: NONE

.DESCRIPTION
    This script is does an evaluation test to check and see if a file exist on the endpoint.

.REQUIREMENTS
PowerShell 2.0

.EXAMPLE

.NOTES
    Author          :Robert Eickleberry
    Modified By     :
    Prerequisite    :PowerShell V2 and up over Win 8/10/11
    Date            :16 Aug 2022 
#>

#variables to look for in remediation
$file = "Test.txt"
$folder = "C:\Automox\"

#variables combined to create test path location
$location = "$folder$file"

#funcation to add date and time to file
function Get-TimeStamp {
    
    return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
    
}

#adds message to already existing file

    #if location does not exist, creates folder and file
    New-Item -ItemType Directory -Force -Path $folder
    New-Item -path $folder -name $file -type "file"

    #after folder and file is created, adds message
    Add-Content -path $location -value "Created folder $folder and file $file via Remediation Code. $(Get-TimeStamp)"

Exit 0

Related Topics