AppProfileSafe - Support Portal

CLI Command Overview

This page shows the usage patterns for each CLI operation mode with practical examples. For a complete list of all parameters, see Full Parameter Reference.

Export

Exports application settings (files, registry keys, folders) to a manifest-based backup directory.

AppProfileSafe.CLI.exe --export --manifestFile "<path>" --apps "App1,App2,..." [options]

The directory containing the manifest file becomes the export root. All exported data is stored in a subfolder alongside the manifest.

Only parameters listed under Export Options in the Full Parameter Reference are accepted. Passing an import-only or compliance-report-only parameter (e.g. --mappingFile, --reportFrom) results in an error.

Examples:

:: Export Firefox and Chrome to a local folder
AppProfileSafe.CLI.exe --export --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox,Chrome"

:: Export with strict schema validation (abort on invalid app definitions)
AppProfileSafe.CLI.exe --export --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --strictAppSchemaValidation

:: Export with custom user settings (override paths from settings.xml)
AppProfileSafe.CLI.exe --export --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --userSettingsFile "D:\Configs\test-env.xml"

:: Export to a UNC share with inline credentials
AppProfileSafe.CLI.exe --export --manifestFile "\\server\share\Manifest.xml" --apps "Firefox" --unc-user "DOMAIN\admin" --unc-password "secret"

:: Export to a UNC share using Windows Credential Manager
AppProfileSafe.CLI.exe --export --manifestFile "\\server\share\Manifest.xml" --apps "Firefox" --unc-credential-store

Import

Imports application settings from a previously created backup. By default, a system restore point is created before the import begins.

AppProfileSafe.CLI.exe --import --manifestFile "<path>" --apps "App1,App2,..." [options]
AppProfileSafe.CLI.exe --import --manifestFile "<path>" --apps all [options]

Use --apps all to import all applications contained in the manifest without listing them individually. This is useful for automation and scheduled tasks where the exact set of applications may vary between exports. Note that --apps all is only valid for import — export always requires explicit application names.

Only parameters listed under Import Options in the Full Parameter Reference are accepted. Passing an export-only parameter (e.g. --strictAppSchemaValidation) results in an error.

Examples:

:: Basic import
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox"

:: Import all applications from the manifest
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps all

:: Import all with path mapping
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps all --mappingFile "C:\Mappings\dev.xml"

:: Import with path mapping
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --mappingFile "C:\Mappings\dev.xml"

:: Import with blacklist (skip specific items)
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --blackListFile "C:\Config\blacklist.xml"

:: Import with mapping and blacklist
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --mappingFile "C:\Mappings\dev.xml" --blackListFile "C:\Config\blacklist.xml"

:: Import with custom user settings
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --userSettingsFile "D:\Configs\test-env.xml"

:: Import without creating a restore point
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --noRestorePoint

:: Import, continue even if restore point creation fails (e.g. 24h limit)
AppProfileSafe.CLI.exe --import --manifestFile "C:\Backup\Manifest.xml" --apps "Firefox" --ignoreRestorePointLimit

Compliance Report

Generates an HTML compliance report from audit log data. This is a standalone mode that cannot be combined with --export or --import. Only --reportFrom, --reportTo, and --silentMode are accepted alongside --generateComplianceReport.

AppProfileSafe.CLI.exe --generateComplianceReport [--reportFrom "<date>"] [--reportTo "<date>"]

Examples:

:: Generate report for the previous month (default)
AppProfileSafe.CLI.exe --generateComplianceReport

:: Generate report for a custom date range
AppProfileSafe.CLI.exe --generateComplianceReport --reportFrom "2026-01-01" --reportTo "2026-01-31"

If --reportFrom is omitted, it defaults to the first day of the previous month. If --reportTo is omitted, it defaults to the last day of the --reportFrom month.

Note: --userSettingsFile is not available in compliance report mode. The report always uses the base settings.xml paths.

Preflight Validation

Runs all preflight checks without performing any operations. Combine with --export or --import to specify which checks to run. If mode is omitted, export checks are used by default.

AppProfileSafe.CLI.exe --preflight --export --manifestFile "<path>" --apps "App1,..."
AppProfileSafe.CLI.exe --preflight --import --manifestFile "<path>" --apps "App1,..." [--mappingFile "<path>"]

The preflight produces a JSON report saved to the report folder and writes a summary to the console. It exits with code 0 if all checks pass, or code 2 if errors are found. Warnings alone do not cause a non-zero exit code.

Preflight runs before the parameter validation gate in the main execution flow, but after the license check. An invalid license causes an immediate exit with code 3 before any other processing.

The same parameter whitelist applies — only parameters valid for the selected mode (export or import) plus --preflight are accepted.

User Settings Override

The --userSettingsFile parameter allows overriding path values from the base settings.xml without modifying it. This is useful for running multiple configurations from the same installation — for example, different scheduled tasks targeting different SIEM endpoints, log folders, or app definition sets. Available in export and import modes only.

AppProfileSafe.CLI.exe --export --manifestFile "..." --apps "..." --userSettingsFile "<path>"

The user settings file uses the namespace urn:appprofilesafe:usersettings:v1 and contains only a <Paths> block. All elements are optional — only values you provide override the base settings. Logging, Audit, Reporting, and Health settings always come from the base settings.xml.

Example user settings file:

<?xml version="1.0" encoding="utf-8"?>
<UserSettings xmlns="urn:appprofilesafe:usersettings:v1">
  <Paths>
    <AppDefinitionsFolder>D:\CustomDefs</AppDefinitionsFolder>
    <EventPipelineConfigPath>D:\TestConfig\eventpipeline.xml</EventPipelineConfigPath>
  </Paths>
</UserSettings>

The file is validated against AppProfileSafe.UserSettings-v1.0.0.xsd on load. If validation fails, the CLI exits with code 1. Relative paths in the user settings file are resolved relative to the directory containing that file. See Configuration: settings.xml for details.

UNC Network Share Authentication

When the manifest path points to a UNC share, the CLI can authenticate using one of two methods:

MethodParametersUse case
Inline credentials--unc-user + --unc-passwordOne-off scripts where passwords can be passed securely
Credential Manager--unc-credential-storeScheduled tasks (store credentials once with cmdkey, reuse them without passwords in scripts)

The two methods are mutually exclusive — specifying both --unc-user and --unc-credential-store results in a validation error.

If neither method is specified and the manifest path is a UNC path, the CLI uses the current Windows session credentials without explicitly connecting. UNC authentication is not used in compliance report mode.

To store credentials for scheduled tasks, run once as the service account:

cmdkey /add:\\server\share /user:DOMAIN\admin /pass:secret

Then use --unc-credential-store in the scheduled task command line. The CLI auto-derives the credential target from the manifest path's share root.

Help

Display the built-in usage instructions:

AppProfileSafe.CLI.exe --help
AppProfileSafe.CLI.exe -h

Help is checked before argument validation. The --help flag always prints the help text to stdout and exits with code 0, regardless of any other parameters on the command line.