search

Variables & Wildcards

Audience: IT admins. This page gives many examples of path variables and wildcards in policies, jobs, and paths so you can match applications and folders across users, versions, and install locations.

For the full list of variables and wildcard rules, see Reference: Variables and Reference: Wildcards.

hashtag
Quick Reminder

  • Variables: {userprofile}, {programfiles}, {localappdata}, etc. Resolve to real paths at evaluation time. Use backslash (\) on Windows and forward slash (/) on Linux/macOS in patterns.

  • Wildcards: * in an application path means “any characters” in that segment. In folder filters (Extension.Folders), only prefix matching is used—no * in the folder path.

  • Combined: Resolve the variable first, then match; e.g. {userprofile}\*\*.exe matches any .exe in any subfolder of the user profile.

hashtag
Combining Variables and Wildcards

Variables and wildcards can be used together in application or file path patterns. The variable is resolved first (e.g. to the user’s profile path), then the * matches any characters in that path. This lets one pattern cover many versions or install locations.

Examples:

Pattern
What it matches

{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe

Git shipped with GitHub Desktop, for any version folder (e.g. app-3.2.1 or app-3.3.0) under the user’s local AppData.

{localappdata}\*\*\*.exe

Any .exe nested three levels deep under the user’s Local AppData (e.g. per-app versioned folders).

{programfiles}\*\*\*.exe

Any .exe in any subfolder of Program Files (e.g. C:\Program Files\Vendor\Product\bin\app.exe).

{userprofile}\Documents\*\*.pdf

Any PDF in any one-level subfolder of the user’s Documents.

{appdata}\*\*.exe

Any .exe in any one-level subfolder of the user’s Roaming AppData.

Notes:

  • Use backslash (\) on Windows and forward slash (/) on Linux/macOS in patterns when writing OS-specific rules; path variables resolve to the correct separator per platform.

  • One * matches any characters (including none) in that segment; multiple * segments allow multiple variable-depth folders (e.g. version numbers, app names).

hashtag
Examples

hashtag
1. Versioned or Install-Variant Apps (one pattern, many versions)

Use a single * (or multiple * segments) where the path has a version or build folder so one policy covers all versions.

Pattern
Use case

{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe

Git bundled with GitHub Desktop; * matches version folders like app-3.2.1, app-3.3.0.

{localappdata}\Programs\*\*\*.exe

Apps installed under Local\Programs with vendor/product/version structure.

{programfiles}\Microsoft VS Code\*\Code.exe

VS Code for any installed version folder.

{programfiles}\*\*\bin\*.exe

Any vendor’s bin folder three levels under Program Files.

{programfilesx86}\*\*\*.exe

Any 32-bit app in a three-level subfolder of Program Files (x86).

hashtag
2. User Profile and AppData (per-user paths)

Variables like {userprofile}, {appdata}, {localappdata} resolve to the requesting user’s paths. Use them so the same policy works for every user.

Pattern
What it matches

{userprofile}\*.exe

Any .exe directly in the user’s profile folder.

{userprofile}\Documents\*.exe

Any .exe in the user’s Documents.

{userprofile}\Documents\*\*.pdf

Any PDF in any one-level subfolder of Documents.

{appdata}\*\*.exe

Any .exe in any one-level subfolder of Roaming AppData (e.g. AppData\Roaming\Vendor\app.exe).

{localappdata}\*\*\*.exe

Any .exe three levels deep under Local AppData (covers versioned app folders).

{userdesktop}\*.lnk

Any shortcut on the user’s desktop.

{userprofile}\Downloads\*.exe

Any .exe in the user’s Downloads (Windows; use {downloads} on macOS).

hashtag
3. System and Program Files (same for all users)

These resolve to the same path for everyone on the machine. Use them for system tools and installed software.

Pattern
What it matches

{system32}\*.exe

Any executable directly in System32.

{system32}\*\*.exe

Any .exe in any one-level subfolder of System32.

{programfiles}\*\*.exe

Any .exe in any one-level subfolder of Program Files.

{programfiles}\*\*\*.exe

Any .exe in any subfolder up to three levels deep (e.g. Vendor\Product\bin\app.exe).

{programfiles}\*\*\*\*.exe

Deeper vendor/product/version/bin layouts.

{syswow64}\*.exe

32-bit executables in SysWOW64.

{programdata}\*\*.exe

Any .exe in any one-level subfolder of ProgramData.

hashtag
4. Keeper App Paths (plugin and job configs)

Use application variables so config works regardless of install directory.

Pattern or path
Use case

{approot}\Plugins\KeeperPolicy\KeeperPolicy.exe

Plugin executable path in a plugin JSON.

{pluginroot}\KeeperPolicy\bin\Release\net8.0\KeeperPolicy

Plugin path using plugin root.

{jobroot}\bin\MyTool\MyTool.exe

Job executable in the Jobs tree.

{approot}\Localization\LocaleValues.json

Path to a locale file in documentation or scripts.

hashtag
5. Folder Filter (Extension.Folders) — prefix only, no *

Folder filters use prefix matching: “Does the full path start with this folder?” You can use variables; you cannot use wildcards in the folder path (the * would be literal).

Folder value
Matches

{downloads}

Every file under the user’s Downloads (and subfolders).

{userprofile}

Every file under the user’s profile.

{documents}

Every file under the user’s Documents.

{desktop} or {userdesktop}

Every file on the user’s desktop and in desktop subfolders.

{programfiles}

Every file under Program Files.

{localappdata}

Every file under the user’s Local AppData.

Wrong: {downloads}\* — the * is treated as a literal character, not “any subfolder.” Use {downloads} to mean “all of Downloads.”

hashtag
6. ApplicationCheck + Extension.Folders (combined)

When ApplicationCheck has a filename pattern (e.g. *.exe) and Extension.Folders is set, the product can build full path patterns. Examples:

ApplicationCheck
Extension.Folders
Effect

*.exe

{userdesktop}

All .exe on the user’s desktop.

*.exe

{downloads}

All .exe in the user’s Downloads (and subfolders).

*.pdf

{documents}

All PDFs under the user’s Documents.

*.exe

{programfiles}

All .exe under Program Files (very broad).

*.exe

{localappdata}

All .exe under the user’s Local AppData.

hashtag
7. Linux and macOS

On Linux/macOS use forward slashes and the appropriate variables. Many executables have no extension.

Pattern (Linux/macOS)
What it matches

{home}/*

Any file in the user’s home directory.

{home}/bin/*

Any file in the user’s bin (or ~/bin).

{usr}/bin/*

Any file in /usr/bin.

{usr}/local/bin/*

Any file in /usr/local/bin.

{applications}/*.app

Any .app in /Applications (macOS).

{downloads}/*

Any file in the user’s Downloads (macOS).

{library}/*

Any file under /Library (macOS).

hashtag
8. Job and Plugin JSON Paths (executablePath, arguments)

Variables in executablePath or task paths are resolved when the job or plugin runs.

Example path
Use case

{jobroot}/bin/RedirectEvaluator/RedirectEvaluator

Redirect evaluator executable in the Jobs tree.

{approot}\Jobs\bin\MyScript.exe

Script under the application root.

{pluginroot}\KeeperPolicy\bin\Release\net8.0\KeeperPolicy.exe

Plugin exe path in plugin JSON.

{userprofile}\AppData\Local\MyApp\run.exe

User-specific app launched by a job (resolved for the target user when applicable).

hashtag
9. Narrowing by Path Depth (one vs multiple *)

  • One * = one path segment (e.g. one folder name).

  • Multiple * = multiple segments (version/product/vendor structure).

Pattern
Depth
Example matches

{programfiles}\*.exe

One segment

C:\Program Files\SomeApp.exe (rare).

{programfiles}\*\*.exe

Two segments

C:\Program Files\Vendor\app.exe.

{programfiles}\*\*\*.exe

Three segments

C:\Program Files\Vendor\Product\app.exe.

{localappdata}\*\*.exe

Two segments

C:\...\Local\Vendor\app.exe.

{localappdata}\*\*\*.exe

Three segments

C:\...\Local\Vendor\Version\app.exe.

hashtag
10. Real-World Policy Examples (conceptual)

  • Allow Git from GitHub Desktop (any version): Application path: {userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe

  • Scope a policy to “all executables in user Downloads”: ApplicationCheck: *.exe; Extension.Folders: {downloads} (or the platform equivalent).

  • Match any 32-bit app in Program Files (x86): {programfilesx86}\*\*\*.exe (adjust * count to your typical depth).

  • Match a tool in the Keeper Jobs bin: In a job task: executablePath: {jobroot}\bin\MyTool\MyTool.exe.

  • Deny executables only in a specific user folder: Use ApplicationCheck with a path like {userprofile}\Documents\Scripts\*.exe or combine with Extension.Folders {userprofile}\Documents\Scripts and ApplicationCheck *.exe.

hashtag
11. What to Avoid

  • * in Extension.Folders: e.g. ["{downloads}\\*"] — use ["{downloads}"] for “all of Downloads.”

  • Case on Linux/macOS: Paths and extensions are case-sensitive; e.g. *.EXE won’t match script.exe on Linux.

  • Overly broad patterns: {programfiles}\*\*.exe matches every .exe in any two-level subfolder of Program Files; use filters (users, machines, other rules) to narrow scope.

  • Mixing slashes on Windows: Prefer backslash in Windows paths; the product typically normalizes, but consistent \ avoids confusion.

hashtag
Reference

  • Reference: Variables — All built-in variables (Windows, Linux, macOS, app-specific), custom variables, protected paths.

  • Reference: Wildcards — Application wildcards, folder prefix matching, what to avoid.

PreviousPolicy: Create a Policy with Job Running PowerShellNextFAQs

Last updated

Was this helpful?