Live · Partner Integration

GuardEntry × BMC Control-M

Install GuardEntry's Policy Gate Job Type in Control-M and chain it as a predecessor to any job — file transfer, DB load, ERP run, cloud pipeline — and the downstream job will run only when APR returns allow. Same Job Type works on self-hosted Control-M and BMC Helix Control-M. Setup takes about 15 minutes.

📄 Integration Overview (PDF)Start setup wizard →

Prerequisites

•BMC Helix Control-M, or self-hosted Control-M/Enterprise Manager 9.0.19.100+
•Control-M Application Integrator access (admin role)
•A GuardEntry API key — get one free at guardentry.ai/connect
•Agents with outbound HTTPS to app.guardentry.ai (or your tenant URL)

Import the GuardEntry Policy Gate

1. Download GuardEntry_PolicyGate_v1.0.0.ccp from the in-dashboard wizard at app.guardentry.ai/dashboard/integrations/setup/controlm
2. Open Control-M Application Integrator (Helix: Tools → Application Integrator; self-hosted: AI workstation)
3. Click Import → upload the .ccp file
4. Open the imported GuardEntry Policy Gate Job Type → click Publish
5. Deploy to Agents (Helix auto-deploys; self-hosted: ctm deploy jobtype or EM's Deploy Plug-in dialog)

The import adds one Job Type to your Control-M instance:

• GuardEntry Policy Gate — chain as a predecessor to any job to gate it on APR policy

Configure the connection profile

The connection profile stores your GuardEntry API key and base URL.

1. In Control-M, go to Configuration → Connection Profiles
2. Click New → pick GuardEntry Policy Gate
3. Fill in:

Field	Value
Name	`GUARDENTRY_PROD`
`api_key`	`fgrc_k1_…` (the key minted in the wizard)
`base_url`	`https://app.guardentry.ai`

4. Click Save. Reuse this profile across every GuardEntry Policy Gate job.

Chain it as a predecessor

1. Open the folder containing the job you want to gate
2. Add a new job → select GuardEntry Policy Gate
3. Set the connection profile to GUARDENTRY_PROD
4. Configure inputs:

Input	Value	Notes
`actor_type`	`workflow.control-m.<job-class>`	e.g. `workflow.control-m.file-transfer` — drives policy lookup
`content`	Description of what the downstream job does	Templatable. Default: `%%JOBNAME on %%NODEID at %%ODATE`
`label`	Free-text intent tag	Audit grouping, e.g. `controlm.backup`
`mode`	`fast` \| `balanced` \| `strict`	Start with `fast` (regex/substring, <200ms)
`on_block`	`fail` \| `warn`	`fail` exits 1 → downstream goes NOT_OK. `warn` = observe mode

5. In Control-M's folder view, draw a flow line from GuardEntry Policy Gate into the downstream job — Policy Gate now runs first, and the downstream job inherits its NOT_OK state on block.

6. Click Save → Order the folder to send a test call.

Outputs available to downstream jobs

GuardEntry Policy Gate writes the following Control-M variables that downstream jobs can read via %%APPL_VAR:

Variable	Description
`%%GUARDENTRY_DECISION`	`allow` \| `block` \| `require_approval` \| `uncertain` \| `verify` \| `unreachable`
`%%GUARDENTRY_POLICY_ID`	GuardEntry policy UUID — empty if no policy matched
`%%GUARDENTRY_AUDIT_LINK`	Deep link to the audit record in GuardEntry
`%%GUARDENTRY_REVIEWS_LINK`	Deep link to the review queue (populated when `require_approval`)

The full decision JSON is written to job sysout for Control-M's native audit visibility.

Example use cases

File-transfer gate

Chain Policy Gate before a Control-M Managed File Transfer (MFT) job. Set actor_type=workflow.control-m.file-transfer and pass the source path + destination + file pattern as content. APR can block transfers matching exfiltration patterns (PII filenames, unusual destinations).

Mass-update gate

Chain Policy Gate before a batch DB job. Set actor_type=workflow.control-m.db-batch and pass the SQL or job name as content. APR can require approval for jobs touching production-tier tables outside the change window.

ERP / cloud pipeline gate

Chain Policy Gate before an SAP, Informatica, or AWS Step Functions job. Set actor_type=workflow.control-m.erp and pass pipeline metadata in content. APR gates on the customer's compliance posture (SOC 2, ISO 27001 controls).

Troubleshooting

⚠️Downstream job runs even when APR returns block — Confirm the gate job's on_block is set to fail (not warn). In warn mode, blocks are logged but exit code is 0, so the downstream job still runs.

⚠️"unreachable" decisions — The Agent can't reach GuardEntry. Check outbound HTTPS to app.guardentry.ai:443. Policy Gate fails open on network errors so a GuardEntry outage doesn't take down your batch window.

⚠️All decisions are allow — Your policy may be in observe mode. The 👁 observe badge in your GuardEntry dashboard means violations are logged but not blocked. Switch to enforcement from the policy settings page when ready.

ServiceNow Get API key