# Variables & Wildcards
**Audience:** IT admins. This page gives **many examples** of **path variables** and **wildcards** in policies, jobs, and paths so you can match applications and folders across users, versions, and install locations. For the full list of variables and wildcard rules, see [Reference: Variables](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/path-variables) and [Reference: Wildcards](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/wildcards). *** ## Quick Reminder * **Variables:** `{userprofile}`, `{programfiles}`, `{localappdata}`, etc. Resolve to real paths at evaluation time. Use **backslash** (`\`) on Windows and **forward slash** (`/`) on Linux/macOS in patterns. * **Wildcards:** `*` in an **application path** means “any characters” in that segment. In **folder filters** (Extension.Folders), only **prefix matching** is used—no `*` in the folder path. * **Combined:** Resolve the variable first, then match; e.g. `{userprofile}\*\*.exe` matches any `.exe` in any subfolder of the user profile. ## Combining Variables and Wildcards Variables and wildcards can be used **together** in application or file path patterns. The variable is resolved first (e.g. to the user’s profile path), then the `*` matches any characters in that path. This lets one pattern cover many versions or install locations. **Examples:** | Pattern | What it matches | | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | | `{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe` | Git shipped with GitHub Desktop, for any version folder (e.g. `app-3.2.1` or `app-3.3.0`) under the user’s local AppData. | | `{localappdata}\*\*\*.exe` | Any `.exe` nested three levels deep under the user’s Local AppData (e.g. per-app versioned folders). | | `{programfiles}\*\*\*.exe` | Any `.exe` in any subfolder of Program Files (e.g. `C:\Program Files\Vendor\Product\bin\app.exe`). | | `{userprofile}\Documents\*\*.pdf` | Any PDF in any one-level subfolder of the user’s Documents. | | `{appdata}\*\*.exe` | Any `.exe` in any one-level subfolder of the user’s Roaming AppData. | **Notes:** * Use **backslash** (`\`) on Windows and **forward slash** (`/`) on Linux/macOS in patterns when writing OS-specific rules; path variables resolve to the correct separator per platform. * One `*` matches any characters (including none) in that segment; multiple `*` segments allow multiple variable-depth folders (e.g. version numbers, app names). ## Examples ### 1. Versioned or Install-Variant Apps (one pattern, many versions) Use a single `*` (or multiple `*` segments) where the path has a version or build folder so one policy covers all versions. | Pattern | Use case | | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | | `{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe` | Git bundled with GitHub Desktop; `*` matches version folders like `app-3.2.1`, `app-3.3.0`. | | `{localappdata}\Programs\*\*\*.exe` | Apps installed under `Local\Programs` with vendor/product/version structure. | | `{programfiles}\Microsoft VS Code\*\Code.exe` | VS Code for any installed version folder. | | `{programfiles}\*\*\bin\*.exe` | Any vendor’s `bin` folder three levels under Program Files. | | `{programfilesx86}\*\*\*.exe` | Any 32-bit app in a three-level subfolder of Program Files (x86). | ### 2. User Profile and AppData (per-user paths) Variables like `{userprofile}`, `{appdata}`, `{localappdata}` resolve to the **requesting user’s** paths. Use them so the same policy works for every user. | Pattern | What it matches | | --------------------------------- | ------------------------------------------------------------------------------------------------- | | `{userprofile}\*.exe` | Any `.exe` directly in the user’s profile folder. | | `{userprofile}\Documents\*.exe` | Any `.exe` in the user’s Documents. | | `{userprofile}\Documents\*\*.pdf` | Any PDF in any one-level subfolder of Documents. | | `{appdata}\*\*.exe` | Any `.exe` in any one-level subfolder of Roaming AppData (e.g. `AppData\Roaming\Vendor\app.exe`). | | `{localappdata}\*\*\*.exe` | Any `.exe` three levels deep under Local AppData (covers versioned app folders). | | `{userdesktop}\*.lnk` | Any shortcut on the user’s desktop. | | `{userprofile}\Downloads\*.exe` | Any `.exe` in the user’s Downloads (Windows; use `{downloads}` on macOS). | ### 3. System and Program Files (same for all users) These resolve to the same path for everyone on the machine. Use them for system tools and installed software. | Pattern | What it matches | | ---------------------------- | ---------------------------------------------------------------------------------------- | | `{system32}\*.exe` | Any executable directly in System32. | | `{system32}\*\*.exe` | Any `.exe` in any one-level subfolder of System32. | | `{programfiles}\*\*.exe` | Any `.exe` in any one-level subfolder of Program Files. | | `{programfiles}\*\*\*.exe` | Any `.exe` in any subfolder up to three levels deep (e.g. `Vendor\Product\bin\app.exe`). | | `{programfiles}\*\*\*\*.exe` | Deeper vendor/product/version/bin layouts. | | `{syswow64}\*.exe` | 32-bit executables in SysWOW64. | | `{programdata}\*\*.exe` | Any `.exe` in any one-level subfolder of ProgramData. | ### 4. Keeper App Paths (plugin and job configs) Use **application** variables so config works regardless of install directory. | Pattern or path | Use case | | ----------------------------------------------------------- | -------------------------------------------------- | | `{approot}\Plugins\KeeperPolicy\KeeperPolicy.exe` | Plugin executable path in a plugin JSON. | | `{pluginroot}\KeeperPolicy\bin\Release\net8.0\KeeperPolicy` | Plugin path using plugin root. | | `{jobroot}\bin\MyTool\MyTool.exe` | Job executable in the Jobs tree. | | `{approot}\Localization\LocaleValues.json` | Path to a locale file in documentation or scripts. | ### 5. Folder Filter (Extension.Folders) — prefix only, no `*` Folder filters use **prefix matching**: “Does the full path **start with** this folder?” You **can** use variables; you **cannot** use wildcards in the folder path (the `*` would be literal). | Folder value | Matches | | ------------------------------ | ----------------------------------------------------------- | | `{downloads}` | Every file under the user’s Downloads (and subfolders). | | `{userprofile}` | Every file under the user’s profile. | | `{documents}` | Every file under the user’s Documents. | | `{desktop}` or `{userdesktop}` | Every file on the user’s desktop and in desktop subfolders. | | `{programfiles}` | Every file under Program Files. | | `{localappdata}` | Every file under the user’s Local AppData. | **Wrong:** `{downloads}\*` — the `*` is treated as a literal character, not “any subfolder.” Use `{downloads}` to mean “all of Downloads.” ### 6. ApplicationCheck + Extension.Folders (combined) When ApplicationCheck has a **filename pattern** (e.g. `*.exe`) and Extension.Folders is set, the product can build full path patterns. Examples: | ApplicationCheck | Extension.Folders | Effect | | ---------------- | ----------------- | ---------------------------------------------------- | | `*.exe` | `{userdesktop}` | All `.exe` on the user’s desktop. | | `*.exe` | `{downloads}` | All `.exe` in the user’s Downloads (and subfolders). | | `*.pdf` | `{documents}` | All PDFs under the user’s Documents. | | `*.exe` | `{programfiles}` | All `.exe` under Program Files (very broad). | | `*.exe` | `{localappdata}` | All `.exe` under the user’s Local AppData. | ### 7. Linux and macOS On Linux/macOS use **forward slashes** and the appropriate variables. Many executables have no extension. | Pattern (Linux/macOS) | What it matches | | ---------------------- | ------------------------------------------ | | `{home}/*` | Any file in the user’s home directory. | | `{home}/bin/*` | Any file in the user’s `bin` (or `~/bin`). | | `{usr}/bin/*` | Any file in `/usr/bin`. | | `{usr}/local/bin/*` | Any file in `/usr/local/bin`. | | `{applications}/*.app` | Any `.app` in `/Applications` (macOS). | | `{downloads}/*` | Any file in the user’s Downloads (macOS). | | `{library}/*` | Any file under `/Library` (macOS). | ### 8. Job and Plugin JSON Paths (executablePath, arguments) Variables in **executablePath** or task paths are resolved when the job or plugin runs. | Example path | Use case | | --------------------------------------------------------------- | ----------------------------------------------------------------------------------- | | `{jobroot}/bin/RedirectEvaluator/RedirectEvaluator` | Redirect evaluator executable in the Jobs tree. | | `{approot}\Jobs\bin\MyScript.exe` | Script under the application root. | | `{pluginroot}\KeeperPolicy\bin\Release\net8.0\KeeperPolicy.exe` | Plugin exe path in plugin JSON. | | `{userprofile}\AppData\Local\MyApp\run.exe` | User-specific app launched by a job (resolved for the target user when applicable). | ### 9. Narrowing by Path Depth (one vs multiple `*`) * **One `*`** = one path segment (e.g. one folder name). * **Multiple `*`** = multiple segments (version/product/vendor structure). | Pattern | Depth | Example matches | | -------------------------- | -------------- | ------------------------------------------ | | `{programfiles}\*.exe` | One segment | `C:\Program Files\SomeApp.exe` (rare). | | `{programfiles}\*\*.exe` | Two segments | `C:\Program Files\Vendor\app.exe`. | | `{programfiles}\*\*\*.exe` | Three segments | `C:\Program Files\Vendor\Product\app.exe`. | | `{localappdata}\*\*.exe` | Two segments | `C:\...\Local\Vendor\app.exe`. | | `{localappdata}\*\*\*.exe` | Three segments | `C:\...\Local\Vendor\Version\app.exe`. | ### 10. Real-World Policy Examples (conceptual) * **Allow Git from GitHub Desktop (any version):**\ Application path: `{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe` * **Scope a policy to “all executables in user Downloads”:**\ ApplicationCheck: `*.exe`; Extension.Folders: `{downloads}` (or the platform equivalent). * **Match any 32-bit app in Program Files (x86):**\ `{programfilesx86}\*\*\*.exe` (adjust `*` count to your typical depth). * **Match a tool in the Keeper Jobs bin:**\ In a job task: `executablePath`: `{jobroot}\bin\MyTool\MyTool.exe`. * **Deny executables only in a specific user folder:**\ Use ApplicationCheck with a path like `{userprofile}\Documents\Scripts\*.exe` or combine with Extension.Folders `{userprofile}\Documents\Scripts` and ApplicationCheck `*.exe`. ### 11. What to Avoid * **`*` in Extension.Folders:** e.g. `["{downloads}\\*"]` — use `["{downloads}"]` for “all of Downloads.” * **Case on Linux/macOS:** Paths and extensions are case-sensitive; e.g. `*.EXE` won’t match `script.exe` on Linux. * **Overly broad patterns:** `{programfiles}\*\*.exe` matches every `.exe` in any two-level subfolder of Program Files; use filters (users, machines, other rules) to narrow scope. * **Mixing slashes on Windows:** Prefer backslash in Windows paths; the product typically normalizes, but consistent `\` avoids confusion. *** ### Reference * [Reference: Variables](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/path-variables) — All built-in variables (Windows, Linux, macOS, app-specific), custom variables, protected paths. * [Reference: Wildcards](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/wildcards) — Application wildcards, folder prefix matching, what to avoid.