SASE's script policy management lets IT administrators run automated batch operations on endpoint devices using built-in script templates. Use it to distribute files, manage system state (restart, shutdown, logout), and apply device personalization — with scheduling, monitoring, and audit capabilities built in.
Only platform-provided templates are supported. Uploading or running custom scripts is not supported.
Key concepts
Script policy — A scheduling blueprint that defines what to run, which devices to target, and when to run it. A policy is a persistent configuration rule that governs how and when tasks are generated.
Task — A specific execution instance generated by a policy at a scheduled time. A single policy can generate one or more tasks depending on its execution mode (run once, weekly, or at an interval).
How it works
Understanding this execution model helps you predict task behavior and avoid misconfiguration.
Task generation
When a policy is created and enabled, the first task is immediately generated with a status of Pending Scheduling or Running, depending on whether the execution window has started.
For policies that run multiple times, each new task is generated after the previous one completes. The new task's status is Pending Scheduling.
Offline device behavior
Offline devices check the policy scope after coming back online. If the device falls within the scope and the current time is within the execution window, the task runs.
Policy status
Policy status reflects the state of its most recently generated task:
| Policy status | Meaning |
|---|---|
| Pending Scheduling | Waiting for the next scheduled execution |
| Running | Currently executing |
| Stopped | Stopped; no pending tasks |
| Paused | The policy is paused (applies to Run Once policies) |
Prerequisites
Before you begin, make sure you have:
Administrator access to the SASE console
For macOS devices running file management scripts: Full Disk Access permission granted to SASE
For macOS devices running the Replace Desktop Wallpaper script: both Automation and Full Disk Access permissions granted to SASE
Quick start: change the desktop wallpaper on a device
This example walks through the end-to-end flow — from preparing the asset to confirming the result on the device.
Prepare the wallpaper image. Upload it to a publicly accessible Object Storage Service (OSS) bucket or any HTTP/HTTPS-accessible location. Copy the image URL (for example, https://aliyundoc.com/wallpaper.png).
Create the policy.
Go to the Execute Script page and click Create Script Policy.
In the Create Policy Configuration pane, set the following parameters:
Policy Name: Test wallpaper replacement
Script Template: Replace Desktop Wallpaper
Enabled: Enabled
Execution Mode: Run Once
Wallpaper Download URL: The image URL from step 1
Effective Scope: Specific Device, then select the test device
Click OK.
Verify the result. After the policy is created, its status shows as Pending Scheduling or Running on the Execute Script page. Switch to the Task Management tab to find the corresponding task. Once the task completes, log in to the test device to confirm the wallpaper has changed.
Create a script policy
Go to the Execute Script page and click Create Script Policy.
In the Create Policy Configuration pane, configure the following parameters, then click OK.
| Parameter | Description |
|---|---|
| Policy Name | A name for the policy. |
| Script Template | The operation template to run. See Template library for the full list and parameter details. |
| Task Description | A brief description of the task. |
| Enabled | Whether to enable the policy immediately after creation. |
| Execution Mode | Run Once — Runs once within the specified time window. Weekly — Runs on the specified days and times each week. Interval Execution — Runs repeatedly at a fixed interval. |
| Execution Time | The time window during which the script starts and stops. |
| Execution Interval | Required when Execution Mode is Interval Execution. Specifies the interval between runs. |
| Policy Validity Period | When the policy expires. Select Permanent or set an Expiration Date. |
| Script Parameters | Varies by template. See Template library. |
| Timeout (Seconds) | Maximum execution time per run. Default: 300 seconds. If a task fails with a timeout error, increase this value. |
| Effective Scope | The devices or user groups to target. Options: Specific User Group, Specific Device Tag, Specific Device, or All Users. Follow the principle of least privilege — select only the devices the policy needs to reach. |
If a Run Once policy has a status of Paused, it cannot be re-enabled. Create a new policy instead.
Manage script policies
On the Execute Script page, perform the following operations:
View details — Find the policy and click Details in the Actions column.
Delete — Find the policy, click Delete in the Actions column, and follow the on-screen prompts.
Stop a single policy — Find the policy and click Stop in the Actions column.
Stop policies in batches — Select multiple policies, then click Batch Stop.
Enable a single policy — Find the policy and click Enable in the Actions column.
Enable policies in batches — Select multiple policies, then click Batch Enable.
Batch Enable is not available if any selected policy has an Execution Mode of Run Once.
Monitor and manage tasks
On the Task Management page, find a task to perform the following operations:
View task status — The Status column shows the current state: Pending Scheduling, Running, or Stopped.
View effective scope — Click the link in the Effective Scope column to see scope details.
Preview execution results — Hover over the Execution Result column to see a summary of device statuses: All, Running, Execution Successful, and Execution Failed.
View task details — Click Details in the Actions column to open the task details page.
Overview: Shows counts for Total Devices, Completed Devices, Executing Devices, and Failed Devices.
Device Details: Lists per-device execution results.
View or download logs — In the device list on the task details page, find the device and click:
View Logs — View the script execution log online.
Download — Download the log for offline analysis or auditing.
Template library
Templates define the specific operation a policy runs. Before creating a policy, review the template's function, required permissions, and parameters.
File management
On macOS, grant Full Disk Access permission to SASE before running any file management script.
Collect Files — Collect specified files from target devices in batches.
| Parameter | Description |
|---|---|
| Source Path | Paths of files to collect. Multiple paths supported. |
| Upload URL | The URL where collected files are uploaded. |
| Upload Rate Limit | Upload rate in KB/s. Default: 2048 KB/s. Set to 0 for no limit. |
| File Size Limit | Maximum file size to collect, in MB. Default: 1024 MB. |
Delete File — Delete specified files from target devices in batches.
| Parameter | Description |
|---|---|
| File Path to Delete | Paths of files to delete. Multiple paths supported. |
Distribute Files — Distribute files to specified directories on target devices in batches.
| Parameter | Description |
|---|---|
| Download URL | File download URLs accessible from the client. HTTP and HTTPS supported. Multiple URLs supported. |
| Download Rate Limit | Download rate in kb/s. Default: 2048 kb/s. Set to 0 for no limit. |
| Save Path | Directory where files are saved on the client. Configure a path for at least one platform (Windows or macOS). |
System administration
Unsaved files cannot be saved when a system administration script runs. Use the Force Execution option with caution, because it may cause data loss if files are not saved.
Remote Logout — Schedule logoffs for target user devices.
Remote Restart — Schedule restarts for target user devices.
Remote Shutdown — Schedule shutdowns for target user devices.
All three templates share the following parameter:
| Parameter | Description |
|---|---|
| Force Execution | Forces the operation immediately, without waiting for the user to save open files. May cause data loss. |
Personalization
On macOS, grant both Automation and Full Disk Access permissions to SASE before running this script.
Replace Desktop Wallpaper — Set the desktop wallpaper for specified devices.
| Parameter | Description |
|---|---|
| Wallpaper Download URL | A publicly accessible HTTP or HTTPS image URL. Example: https://aliyundoc.com/wallpaper.png |
Security and compliance
Follow the principle of least privilege. In Effective Scope, select only the devices or user groups the policy needs to target. Overly broad scope amplifies the impact of misconfigured or accidental operations.
Review high-risk operations before running. For Delete File, Remote Logout, Remote Restart, and Remote Shutdown, establish an internal approval process. Confirm the necessity and accuracy of the operation before executing.
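One way to back the approval process described above with an automated pre-enable check, shown as an added example that is not part of the SASE product or its API. The template, parameter and scope names come from this page. The dict layout of a policy record, the `review_policy` function, the `approved_by` argument and the rule that flags non-HTTPS URLs are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Template, parameter and scope names come from this page; the dict layout of
# a policy record is an assumption made for this example.
HIGH_RISK = {"Delete File", "Remote Logout", "Remote Restart", "Remote Shutdown"}
URL_PARAMS = ("Download URL", "Upload URL", "Wallpaper Download URL")

def review_policy(policy, approved_by=None):
    """Return findings a reviewer should resolve before the policy is enabled."""
    findings = []
    template = policy["Script Template"]
    scope = policy["Effective Scope"]
    params = policy.get("Script Parameters", {})
    high_risk = template in HIGH_RISK
    if scope == "All Users":
        findings.append("scope: All Users reaches every device; narrow it")
    if high_risk and not approved_by:
        findings.append(f"approval: {template} has no recorded approver")
    if high_risk and scope == "All Users":
        findings.append(f"blast-radius: {template} combined with All Users")
    if params.get("Force Execution"):
        findings.append("data-loss: Force Execution does not wait for users to save")
    if (high_risk and policy.get("Execution Mode") != "Run Once"
            and policy.get("Policy Validity Period") == "Permanent"):
        findings.append("recurrence: high-risk template repeats with no expiration")
    for name in URL_PARAMS:
        urls = params.get(name, [])
        for url in [urls] if isinstance(urls, str) else urls:
            # Plain HTTP gives no integrity protection for files in transit.
            if urlparse(url).scheme.lower() != "https":
                findings.append(f"transport: {name} {url} is not HTTPS")
    return findings

# Constructed sample records, not exported from a real console.
RISKY = {"Policy Name": "nightly reboot", "Script Template": "Remote Restart",
         "Execution Mode": "Weekly", "Policy Validity Period": "Permanent",
         "Effective Scope": "All Users",
         "Script Parameters": {"Force Execution": True}}
SCOPED = {"Policy Name": "push agent config", "Script Template": "Distribute Files",
          "Execution Mode": "Run Once", "Effective Scope": "Specific Device Tag",
          "Script Parameters": {"Download URL": [
              "https://files.example.com/agent.conf",
              "http://files.example.com/agent.conf"]}}

if __name__ == "__main__":
    for record in (RISKY, SCOPED):
        print(record["Policy Name"], review_policy(record))
```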
Troubleshooting
A task shows "Execution Failed"
On the Task Management page, click Details for the failed task.
In the device list, find devices with Execution Result of Execution Failed.
Click View Logs to see the specific error message.
Match the error to one of the common causes below and take the appropriate action.
| Cause | What to check |
|---|---|
| Insufficient permissions | Verify that the endpoint device has granted the required authorization to SASE. On macOS, confirm Full Disk Access (and Automation, for wallpaper scripts) is granted. |
| Network issue | Confirm the device can reach the URLs in the script parameters (file source URL, wallpaper URL, and so on). |
| Incorrect path or parameters | Check that the file paths in the script parameters exist and are in the correct format for the target OS. |
| Script timeout | The execution time exceeded Timeout (Seconds). Increase the timeout value in the policy. |
| Device offline | The device was offline during the task execution window. The task runs the next time the device comes online, if it is still within the execution window. |
A policy is enabled but no task is generated, or the task stays in "Pending Scheduling"
Check the following:
Execution window not reached — The current time is outside the Execution Time window set in the policy.
Policy has expired — The current date is past the policy's Expiration Date.
No devices in scope — No online devices currently match the criteria in Effective Scope.
Previous task still running — For periodic tasks, the system waits for the current task to finish before generating the next one.