Cortado Support

My Tickets Visit

How to roll out time-constrained policies

It is often useful to create policies that are time-controlled i.e. conditional on the day of the week or even the time of day. In this How-To we will show you how you can use Powershell and Windows Task Scheduler to roll out time-sensitive policies for mobile devices.


In this How-To we will create an example on fully managed iOS devices that are partially for private use (COPE), a policy that will prevent the use of Facebook during core work hours by hiding the app. We don’t need to consider settings of already established policies that may have been set, as Cortado Server allows multiple policies to be assigned per user/group or device. The rule of thumb is: The stricter settings take precedence. So if there is no existing policy that sets an policy Restrict App Usage for supervised iOS devices, we can safely assign a policy that allows everything, but sets a backlist. The blacklist will only be implemented when other guidelines are met.

This How-To will also introduce you to the basic features of PowerShell integration with the Cortado server.


Before we start, we have to save the user data of the user in whose context the script will later be run, in order for the script implementation to occur automatically. The user account it will be carried out for is the Cortado Service account, that is, the same user account that you used to install the Cortado server.

Note! We recommend that you encrypt the user’s password and store it in a.txt file. If this does not comply with your security standards, we ask you to select an acceptable path to transfer the access data for the Cortado Service to the script as soon as it is executed.

  • To encrypt the password and save it in a .txt file, open Powershell ISE on the Cortado server (the application server, if you are using Cortado Proxy Extension). Enter the following code there:
$credential = Get-Credential
$credential.Password | ConvertFrom-SecureString | Set-Content c:execute.txt
  • This opens a window in which you can enter the user name and password. If that succeeds, you will find the encrypted password file in the root of the user directory (example: C:\Users\ccssrv\execute.txt).
  • We then begin to build the Powershell script. Open a text editor for this. First, we need to reassemble the user data for the Service account:
$username =
$encrypted = Get-Content c:execute.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential($username, $encrypted)
  • Here the connection to the server is configured. Please replace with the address/ FQDN of your application server.
Connect-CCSFarm -CCSUrl -PSCredential $credential
  • Next, set the command to roll out the policy Restrict App Usage on a group template. In our example the group template is called Salesforce. Please replace this name with the group template that will be affected by the blacklist in your environment:
Get-CCSGroupUsers –SamAccountName “Salesforce” | Get-CCSGroupTemplate -SamAccountName "Salesforce" | Get-CCSPolicy -PolicyName "PowerShell_PoC_1" | Assign-CCSPolicy
  • Get-CCSGroupUsers retrieves the users in our group template, Get-CCSGroupTemplate retrieves the group template with the SamAccountName Salesforce. Then retrieve, via Get-CCSPolicy, the policy with the name Powershell_PoC_1 and finally roll this out to the group template with Assign-CCSPolicy.
  • Save the script under the name Assign_Powershell_PoC_1.ps1. Now reopen the text editor and produce a script that removes the assigned policy. This script is very similar to our first and only differs in the last Powershell CMD:
$username =
$encrypted = Get-Content c:execute.txt | ConvertTo-SecureString
$credential = New-Object System.Management.Automation.PsCredential($username, $encrypted)
Connect-CCSFarm -CCSUrl -PSCredential $credential
Get-CCSGroupUsers –SamAccountName “Salesforce” | Get-CCSGroupTemplate -SamAccountName "Salesforce" | Get-CCSPolicy -PolicyName "PowerShell_PoC_1" | Unassign-CCSPolicy
  • Please take note here of Unassign-CCSPolicy, which removes the assigned policy. Save the script under the name Unassign_Powershell_PoC_1.ps1.
  • The only thing left to be done now is to set up the policy Restrict App Usage and to configure the Windows Task Scheduler to run the script on a regular basis.
  • For a a description of how to create an app policy Restrict App Usage, refer to our tutorial How to place iOS default applications on the blacklist or whitelist.

Because the aim, in our example, is to ban Facebook, our policy Restrict App Usage now looks like this:

  • Save the policy and go back to the Cortado-Server. Start the Windows Task Manager there and click on Create Task.

  • In the form, assign a name to the task, as well as a description, and enter the user (their Cortado Service account) in whose context the script will be run. Specify that the script will be run regardless of whether the user is logged on. Then go to the Tab Triggers tab.

  • In the new window, create a new trigger. Specify that the script should run daily at 09:00 and click on OK. Then go to the Actions tab.

  • Create a new action there: Start a Program. State that Powershell should start and give the path to the script as the argument for that. We also add the parameter –ExecutionPolicy Bypass after the path to ensure that the script will run without interaction.

  • Now follow the same steps for the Unassign_Powershell_PoC_1.ps1 script. However, here the trigger is set for the end of the working hours (example 17:00:00) The path to the script is adapted under Actions.
  • The outcome now is that, on supervised iOS-devices, access to Facebook is hidden at the start of the main work hours and made available again at the end.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.