AppProfileSafe - Support Portal

Full Parameter Reference

This page lists every parameter accepted by the CLI, organized by operation mode — matching the structure of the built-in --help output. Parameters are case-insensitive. Value parameters take the next token as their value. Each operation mode has its own set of allowed parameters — passing a parameter outside the active mode's whitelist or an unrecognized parameter causes an immediate error.


Usage

AppProfileSafe.CLI.exe --export  <options>
AppProfileSafe.CLI.exe --import  <options>
AppProfileSafe.CLI.exe --generateComplianceReport [report options]
AppProfileSafe.CLI.exe --preflight --export <options>
AppProfileSafe.CLI.exe --preflight --import <options>


Help

Parameter Type Description
-h, --help Switch Display usage instructions to stdout and exit with code 0. Checked before all other validation — any additional parameters on the command line are ignored when --help is present.


Export Options

Parameter Type Description
--export Switch Run in export mode. Mutually exclusive with --import and --generateComplianceReport.
--manifestFile "<path>" Value (string) Required. Path to the manifest XML file to create. Must end with .xml. The directory containing the manifest becomes the export root.
--apps "A,B,C" Value (comma-separated) Required. Comma-separated application names. Must match application definition names in the definitions folder. Note: --apps all is not supported in export mode.
--strictAppSchemaValidation Switch Validate all application definitions against the App XSD before export. Abort with exit code 1 on failure. Without this flag, validation warnings are logged but export proceeds.
--preflight Switch Validate all preconditions without performing any operations. Produces a JSON report.
--userSettingsFile "<path>" Value (string) Override path values from the base settings.xml. Only the <Paths> block is evaluated. Must end with .xml. Validated against AppProfileSafe.UserSettings-v1.0.0.xsd. See Configuration: settings.xml.
--silentMode Switch Suppress all console output (log file only). See Silent Mode Behavior.
--unc-user "<user>" Value (string) Username for UNC share authentication. Format: DOMAIN\User or user@domain. Used with --unc-password.
--unc-password "<pass>" Value (string) Password for UNC share authentication. Used with --unc-user.
--unc-credential-store Switch Read UNC credentials from Windows Credential Manager. Target auto-derived from manifest path's share root. Mutually exclusive with --unc-user.


Import Options

Parameter Type Description
--import Switch Run in import mode. Mutually exclusive with --export and --generateComplianceReport.
--manifestFile "<path>" Value (string) Required. Path to the manifest XML file to read. Must end with .xml.
--apps "A,B,C" Value (comma-separated) Required. Comma-separated application names, or all to import every application in the manifest. The value all is case-insensitive and only valid in import mode.
--mappingFile "<path>" Value (string) Path to a mapping XML file for path transformations during import. Must end with .xml. See Mapping.
--noRestorePoint Switch Skip creation of a Windows system restore point before import.
--ignoreRestorePointLimit Switch Continue import even if the restore point cannot be created (e.g. due to the Windows 24-hour limit between restore points).
--preflight Switch Validate all preconditions without performing any operations. Produces a JSON report.
--userSettingsFile "<path>" Value (string) Override path values from the base settings.xml. Only the <Paths> block is evaluated.
--silentMode Switch Suppress all console output (log file only). See Silent Mode Behavior.
--unc-user "<user>" Value (string) Username for UNC share authentication. Format: DOMAIN\User or user@domain. Used with --unc-password.
--unc-password "<pass>" Value (string) Password for UNC share authentication. Used with --unc-user.
--unc-credential-store Switch Read UNC credentials from Windows Credential Manager. Target auto-derived from manifest path's share root. Mutually exclusive with --unc-user.

A system restore point is created before import by default. This allows rollback if the import causes issues. Windows limits restore point creation to once every 24 hours. Use --noRestorePoint to skip creation entirely, or --ignoreRestorePointLimit to continue the import when creation fails.


Compliance Report Options

Parameter Type Default Description
--generateComplianceReport Switch Generate a compliance report from audit logs. Standalone mode — cannot combine with --export or --import.
--reportFrom "<date>" Value (ISO date) First day of previous month Start date for the compliance report period (e.g. 2026-01-01).
--reportTo "<date>" Value (ISO date) Last day of previous month End date for the compliance report period (inclusive).
--silentMode Switch Suppress all console output.

Dates are validated on parse. If --reportFrom is after --reportTo, the CLI exits with code 1. Only --reportFrom, --reportTo, --silentMode, and --help are accepted alongside --generateComplianceReport. The --userSettingsFile parameter is not available in compliance report mode — the report always uses the base settings.xml paths.


Console Output

When not in silent mode, the CLI writes progress to the console in pipe-delimited format:

App | Type | Source | Destination | Result

Types include Key, Value, File, and Folder. Results include Created, Changed, Unchanged, Failed (access denied), Failed (error), and Skipped (blacklisted).

Validation errors and runtime errors are written to stderr, followed by the full help text. Use --silentMode to suppress all console output — errors and help text are then only recorded in the application log.

Help output (-h / --help) is written to stdout and always exits with code 0.


Exit Codes

Code Meaning
0Success
1User error (invalid arguments, missing files)
2System error (export/import failure, I/O error)
3License error (missing, invalid, or expired license)
4SIEM error (SIEM forwarding active but unreachable)
5Audit error (audit log integrity check failed)


Validation Rules

The CLI validates parameters in a fixed order before starting any operation:

Validation order:

  1. Unknown parameters — Any parameter starting with - that is not in the recognized parameter set is rejected (e.g. Unknown parameter: --foo).
  2. Help check — If --help is present, validation succeeds immediately and help is printed. All other parameters are ignored.
  3. License validation — The license is checked immediately after help. An invalid or missing Enterprise license causes an exit with code 3 before any parameter validation.
  4. Mode required — One of --export, --import, or --generateComplianceReport must be specified. --preflight alone defaults to export mode.
  5. Whitelist check — Every provided parameter is checked against the active mode's whitelist. A parameter outside the whitelist is rejected (e.g. Parameter --mappingFile is not allowed in export mode).
  6. Required parameters--manifestFile and --apps are required for export and import. For export, --apps must be an explicit list. For import, --apps all is additionally accepted. Not required for compliance reports.
  7. Value validation — File paths must end with .xml. Report dates must be valid ISO dates with --reportFrom not after --reportTo. If --userSettingsFile points to a non-existent file or fails XSD validation, the CLI exits with code 1.
  8. Mutual exclusion--unc-user and --unc-credential-store cannot be used together.


Per-Mode Parameter Whitelists

Each mode defines the complete set of parameters it accepts. Any parameter not on the active mode's whitelist is rejected with an error message naming the parameter and the mode. This prevents accidental misconfiguration in scripts.

Parameter Export Import Compliance Report
--manifestFile
--apps✓ (list only)✓ (list or all)
--strictAppSchemaValidation
--mappingFile
--blackListFile
--noRestorePoint
--ignoreRestorePointLimit
--userSettingsFile
--unc-user
--unc-password
--unc-credential-store
--reportFrom
--reportTo
--preflight
--silentMode
--help