# Variables & Wildcards


**Audience:** IT admins. This page gives **many examples** of **path variables** and **wildcards** in policies, jobs, and paths so you can match applications and folders across users, versions, and install locations.

For the full list of variables and wildcard rules, see [Reference: Variables](/keeperpam/endpoint-privilege-manager/policies/path-variables.md) and [Reference: Wildcards](/keeperpam/endpoint-privilege-manager/policies/wildcards.md).

***

## Quick Reminder

* **Variables:** `{userprofile}`, `{programfiles}`, `{localappdata}`, etc. resolve to real paths at evaluation time. Use **backslash** (`\`) on Windows and **forward slash** (`/`) on Linux/macOS in patterns.
* **Wildcards:** `*` in an **application path** means “any characters” in that segment. In **folder filters** (Extension.Folders), only **prefix matching** is used—no `*` in the folder path.
* **Combined:** Resolve the variable first, then match; e.g. `{userprofile}\*\*.exe` matches any `.exe` in any subfolder of the user profile.

## Combining Variables and Wildcards

Variables and wildcards can be used **together** in application or file path patterns. The variable is resolved first (e.g. to the user’s profile path), then the `*` matches any characters in that path. This lets one pattern cover many versions or install locations.

**Examples:**

<table data-header-hidden="false" data-header-sticky><thead><tr><th>Pattern</th><th>What it matches</th></tr></thead><tbody><tr><td><code>{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe</code></td><td>Git shipped with GitHub Desktop, for any version folder (e.g. <code>app-3.2.1</code> or <code>app-3.3.0</code>) under the user’s local AppData.</td></tr><tr><td><code>{localappdata}\*\*\*.exe</code></td><td>Any <code>.exe</code> nested three levels deep under the user’s Local AppData (e.g. per-app versioned folders).</td></tr><tr><td><code>{programfiles}\*\*\*.exe</code></td><td>Any <code>.exe</code> in any subfolder of Program Files (e.g. <code>C:\Program Files\Vendor\Product\bin\app.exe</code>).</td></tr><tr><td><code>{userprofile}\Documents\*\*.pdf</code></td><td>Any PDF in any one-level subfolder of the user’s Documents.</td></tr><tr><td><code>{appdata}\*\*.exe</code></td><td>Any <code>.exe</code> in any one-level subfolder of the user’s Roaming AppData.</td></tr></tbody></table>

**Notes:**

* Use **backslash** (`\`) on Windows and **forward slash** (`/`) on Linux/macOS in patterns when writing OS-specific rules; path variables resolve to the correct separator per platform.
* Each `*` matches any characters (including none) within its own segment; use several `*` segments to cover several folder levels whose names vary (e.g. version numbers, app names).

## Examples

### 1. Versioned or Install-Variant Apps (one pattern, many versions)

Use a single `*` (or multiple `*` segments) where the path has a version or build folder so one policy covers all versions.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="348.6666259765625">Pattern</th><th>Use case</th></tr></thead><tbody><tr><td><code>{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe</code></td><td>Git bundled with GitHub Desktop; <code>*</code> matches version folders like <code>app-3.2.1</code>, <code>app-3.3.0</code>.</td></tr><tr><td><code>{localappdata}\Programs\*\*\*.exe</code></td><td>Apps installed under <code>Local\Programs</code> with vendor/product/version structure.</td></tr><tr><td><code>{programfiles}\Microsoft VS Code\*\Code.exe</code></td><td>VS Code for any installed version folder.</td></tr><tr><td><code>{programfiles}\*\*\bin\*.exe</code></td><td>Any vendor’s <code>bin</code> folder three levels under Program Files.</td></tr><tr><td><code>{programfilesx86}\*\*\*.exe</code></td><td>Any 32-bit app in a three-level subfolder of Program Files (x86).</td></tr></tbody></table>

### 2. User Profile and AppData (per-user paths)

Variables like `{userprofile}`, `{appdata}`, `{localappdata}` resolve to the **requesting user’s** paths. Use them so the same policy works for every user.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="302">Pattern</th><th>What it matches</th></tr></thead><tbody><tr><td><code>{userprofile}\*.exe</code></td><td>Any <code>.exe</code> directly in the user’s profile folder.</td></tr><tr><td><code>{userprofile}\Documents\*.exe</code></td><td>Any <code>.exe</code> in the user’s Documents.</td></tr><tr><td><code>{userprofile}\Documents\*\*.pdf</code></td><td>Any PDF in any one-level subfolder of Documents.</td></tr><tr><td><code>{appdata}\*\*.exe</code></td><td>Any <code>.exe</code> in any one-level subfolder of Roaming AppData (e.g. <code>AppData\Roaming\Vendor\app.exe</code>).</td></tr><tr><td><code>{localappdata}\*\*\*.exe</code></td><td>Any <code>.exe</code> three levels deep under Local AppData (covers versioned app folders).</td></tr><tr><td><code>{userdesktop}\*.lnk</code></td><td>Any shortcut on the user’s desktop.</td></tr><tr><td><code>{userprofile}\Downloads\*.exe</code></td><td>Any <code>.exe</code> in the user’s Downloads (Windows; use <code>{downloads}</code> on macOS).</td></tr></tbody></table>

### 3. System and Program Files (same for all users)

These resolve to the same path for everyone on the machine. Use them for system tools and installed software.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="250">Pattern</th><th>What it matches</th></tr></thead><tbody><tr><td><code>{system32}\*.exe</code></td><td>Any executable directly in System32.</td></tr><tr><td><code>{system32}\*\*.exe</code></td><td>Any <code>.exe</code> in any one-level subfolder of System32.</td></tr><tr><td><code>{programfiles}\*\*.exe</code></td><td>Any <code>.exe</code> in any one-level subfolder of Program Files.</td></tr><tr><td><code>{programfiles}\*\*\*.exe</code></td><td>Any <code>.exe</code> in any subfolder up to three levels deep (e.g. <code>Vendor\Product\bin\app.exe</code>).</td></tr><tr><td><code>{programfiles}\*\*\*\*.exe</code></td><td>Deeper vendor/product/version/bin layouts.</td></tr><tr><td><code>{syswow64}\*.exe</code></td><td>32-bit executables in SysWOW64.</td></tr><tr><td><code>{programdata}\*\*.exe</code></td><td>Any <code>.exe</code> in any one-level subfolder of ProgramData.</td></tr></tbody></table>

### 4. Keeper App Paths (plugin and job configs)

Use **application** variables so config works regardless of install directory.

<table data-header-hidden="false" data-header-sticky><thead><tr><th>Pattern or path</th><th>Use case</th></tr></thead><tbody><tr><td><code>{approot}\Plugins\KeeperPolicy\KeeperPolicy.exe</code></td><td>Plugin executable path in a plugin JSON.</td></tr><tr><td><code>{pluginroot}\KeeperPolicy\bin\Release\net8.0\KeeperPolicy</code></td><td>Plugin path using plugin root.</td></tr><tr><td><code>{jobroot}\bin\MyTool\MyTool.exe</code></td><td>Job executable in the Jobs tree.</td></tr><tr><td><code>{approot}\Localization\LocaleValues.json</code></td><td>Path to a locale file in documentation or scripts.</td></tr></tbody></table>

### 5. Folder Filter (Extension.Folders) — prefix only, no `*`

Folder filters use **prefix matching**: “Does the full path **start with** this folder?” You **can** use variables; you **cannot** use wildcards in the folder path (the `*` would be literal).

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="250">Folder value</th><th>Matches</th></tr></thead><tbody><tr><td><code>{downloads}</code></td><td>Every file under the user’s Downloads (and subfolders).</td></tr><tr><td><code>{userprofile}</code></td><td>Every file under the user’s profile.</td></tr><tr><td><code>{documents}</code></td><td>Every file under the user’s Documents.</td></tr><tr><td><code>{desktop}</code> or <code>{userdesktop}</code></td><td>Every file on the user’s desktop and in desktop subfolders.</td></tr><tr><td><code>{programfiles}</code></td><td>Every file under Program Files.</td></tr><tr><td><code>{localappdata}</code></td><td>Every file under the user’s Local AppData.</td></tr></tbody></table>

**Wrong:** `{downloads}\*` — the `*` is treated as a literal character, not “any subfolder.” Use `{downloads}` to mean “all of Downloads.”

### 6. ApplicationCheck + Extension.Folders (combined)

When ApplicationCheck has a **filename pattern** (e.g. `*.exe`) and Extension.Folders is set, the product can build full path patterns. Examples:

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="173">ApplicationCheck</th><th width="168.3333740234375">Extension.Folders</th><th>Effect</th></tr></thead><tbody><tr><td><code>*.exe</code></td><td><code>{userdesktop}</code></td><td>All <code>.exe</code> on the user’s desktop.</td></tr><tr><td><code>*.exe</code></td><td><code>{downloads}</code></td><td>All <code>.exe</code> in the user’s Downloads (and subfolders).</td></tr><tr><td><code>*.pdf</code></td><td><code>{documents}</code></td><td>All PDFs under the user’s Documents.</td></tr><tr><td><code>*.exe</code></td><td><code>{programfiles}</code></td><td>All <code>.exe</code> under Program Files (very broad).</td></tr><tr><td><code>*.exe</code></td><td><code>{localappdata}</code></td><td>All <code>.exe</code> under the user’s Local AppData.</td></tr></tbody></table>

### 7. Linux and macOS

On Linux/macOS use **forward slashes** and the appropriate variables. Many executables have no extension.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="308">Pattern (Linux/macOS)</th><th>What it matches</th></tr></thead><tbody><tr><td><code>{home}/*</code></td><td>Any file in the user’s home directory.</td></tr><tr><td><code>{home}/bin/*</code></td><td>Any file in the user’s <code>bin</code> (or <code>~/bin</code>).</td></tr><tr><td><code>{usr}/bin/*</code></td><td>Any file in <code>/usr/bin</code>.</td></tr><tr><td><code>{usr}/local/bin/*</code></td><td>Any file in <code>/usr/local/bin</code>.</td></tr><tr><td><code>{applications}/*.app</code></td><td>Any <code>.app</code> in <code>/Applications</code> (macOS).</td></tr><tr><td><code>{downloads}/*</code></td><td>Any file in the user’s Downloads (macOS).</td></tr><tr><td><code>{library}/*</code></td><td>Any file under <code>/Library</code> (macOS).</td></tr></tbody></table>

### 8. Job and Plugin JSON Paths (executablePath, arguments)

Variables in **executablePath** or task paths are resolved when the job or plugin runs.

<table data-header-hidden="false" data-header-sticky><thead><tr><th>Example path</th><th>Use case</th></tr></thead><tbody><tr><td><code>{jobroot}/bin/RedirectEvaluator/RedirectEvaluator</code></td><td>Redirect evaluator executable in the Jobs tree.</td></tr><tr><td><code>{approot}\Jobs\bin\MyScript.exe</code></td><td>Script under the application root.</td></tr><tr><td><code>{pluginroot}\KeeperPolicy\bin\Release\net8.0\KeeperPolicy.exe</code></td><td>Plugin exe path in plugin JSON.</td></tr><tr><td><code>{userprofile}\AppData\Local\MyApp\run.exe</code></td><td>User-specific app launched by a job (resolved for the target user when applicable).</td></tr></tbody></table>

### 9. Narrowing by Path Depth (one vs multiple `*`)

* **One `*`** = one path segment (e.g. one folder name).
* **Multiple `*`** = multiple segments (version/product/vendor structure).

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="233.6666259765625">Pattern</th><th width="163">Depth</th><th>Example matches</th></tr></thead><tbody><tr><td><code>{programfiles}\*.exe</code></td><td>One segment</td><td><code>C:\Program Files\SomeApp.exe</code> (rare).</td></tr><tr><td><code>{programfiles}\*\*.exe</code></td><td>Two segments</td><td><code>C:\Program Files\Vendor\app.exe</code>.</td></tr><tr><td><code>{programfiles}\*\*\*.exe</code></td><td>Three segments</td><td><code>C:\Program Files\Vendor\Product\app.exe</code>.</td></tr><tr><td><code>{localappdata}\*\*.exe</code></td><td>Two segments</td><td><code>C:\...\Local\Vendor\app.exe</code>.</td></tr><tr><td><code>{localappdata}\*\*\*.exe</code></td><td>Three segments</td><td><code>C:\...\Local\Vendor\Version\app.exe</code>.</td></tr></tbody></table>

### 10. Real-World Policy Examples (conceptual)

* **Allow Git from GitHub Desktop (any version):**\
  Application path: `{userprofile}\AppData\Local\GitHubDesktop\*\resources\app\git\cmd\git.exe`
* **Scope a policy to “all executables in user Downloads”:**\
  ApplicationCheck: `*.exe`; Extension.Folders: `{downloads}` (or the platform equivalent).
* **Match any 32-bit app in Program Files (x86):**\
  `{programfilesx86}\*\*\*.exe` (adjust `*` count to your typical depth).
* **Match a tool in the Keeper Jobs bin:**\
  In a job task: `executablePath`: `{jobroot}\bin\MyTool\MyTool.exe`.
* **Deny executables only in a specific user folder:**\
  Use ApplicationCheck with a path like `{userprofile}\Documents\Scripts\*.exe` or combine with Extension.Folders `{userprofile}\Documents\Scripts` and ApplicationCheck `*.exe`.

### 11. What to Avoid

* **`*` in Extension.Folders:** e.g. `["{downloads}\\*"]` — use `["{downloads}"]` for “all of Downloads.”
* **Case on Linux/macOS:** Paths and extensions are case-sensitive; e.g. `*.EXE` won’t match `script.exe` on Linux.
* **Overly broad patterns:** `{programfiles}\*\*.exe` matches every `.exe` two segments below Program Files (any `Vendor\app.exe`); use filters (users, machines, other rules) to narrow scope.
* **Mixing slashes on Windows:** Prefer backslash in Windows paths; the product typically normalizes, but consistent `\` avoids confusion.
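
The rules from sections 5, 9 and 11 can be checked offline before a pattern goes into a policy. The sketch below is an added example, not Keeper's implementation: it models application-path matching as described in section 9 (each `*` stays inside one segment) and folder filters as a plain prefix test. The variable values, sample paths and function names are constructed for illustration, and case-insensitive matching on Windows is an assumption.

```python
import re

# Constructed values for one hypothetical user; the agent resolves the real ones.
VARS = {
    "userprofile": r"C:\Users\alice",
    "programfiles": r"C:\Program Files",
    "downloads": r"C:\Users\alice\Downloads",
    "home": "/home/alice",
}

# Constructed sample paths to test patterns against.
SAMPLE = [
    r"C:\Users\alice\AppData\Local\GitHubDesktop\app-3.3.0\resources\app\git\cmd\git.exe",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\Product\app.exe",
    r"C:\Users\alice\Downloads\tools\setup.exe",
]

def resolve(pattern, variables=VARS):
    """Replace each {name} with its path; an unknown variable raises KeyError."""
    return re.sub(r"\{(\w+)\}", lambda m: variables[m.group(1).lower()], pattern)

def app_match(pattern, path, sep="\\", ignore_case=True):
    """Application path: resolve first, then each * stays within one segment."""
    not_sep = "[^" + re.escape(sep) + "]*"
    parts = re.split(r"(\*)", resolve(pattern))
    regex = "".join(not_sep if p == "*" else re.escape(p) for p in parts)
    return re.fullmatch(regex, path, re.IGNORECASE if ignore_case else 0) is not None

def folder_match(folder, path, sep="\\", ignore_case=True):
    """Extension.Folders: prefix match only, so a * in the value is literal."""
    # Ending the prefix on a separator is this sketch's choice, not documented behaviour.
    prefix = resolve(folder).rstrip(sep) + sep
    if ignore_case:
        prefix, path = prefix.lower(), path.lower()
    return path.startswith(prefix)

def audit(pattern, paths, **kw):
    """Return the paths a pattern would cover, to review its breadth before rollout."""
    return [p for p in paths if app_match(pattern, p, **kw)]

if __name__ == "__main__":
    for pat in (r"{programfiles}\*\*.exe", r"{programfiles}\*\*\*.exe"):
        print(pat, "->", audit(pat, SAMPLE))
    print(folder_match("{downloads}", SAMPLE[3]), folder_match(r"{downloads}\*", SAMPLE[3]))
```

Running `audit` over an inventory of real executable paths from a test machine shows how many binaries a candidate pattern would cover before the policy is deployed.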

***

### Reference

* [Reference: Variables](/keeperpam/endpoint-privilege-manager/policies/path-variables.md) — All built-in variables (Windows, Linux, macOS, app-specific), custom variables, protected paths.
* [Reference: Wildcards](/keeperpam/endpoint-privilege-manager/policies/wildcards.md) — Application wildcards, folder prefix matching, what to avoid.

