Device Approve Commands

Approve Cloud SSO Devices.

Usage:

device-approve [--options] [device ...]

Parameters:

User's email or device ID to approve or blank to see a list of pending devices

List of Supported Commands

Device Approval Requests List Command

DotNet CLI

Usage:

enterprise-device [options] [command] [match]

Aliases: ed

Sub Commands:

list - List device approval requests (default)

Options:

-f, --force - Force reload enterprise data
--auto-approve <true|false> - Set auto-approve policy

Match Patterns:

all - Match all pending requests
email - User email address
device-id - Specific device ID

Example:

# List pending device approvals
enterprise-device list
ed list

# Set auto-approve policy
enterprise-device --auto-approve true

DotNet SDK

Function: DeviceApprovalRequests

  public IEnumerable<DeviceRequestForAdminApproval> DeviceApprovalRequests => _deviceApprovals.Entities;

Example:

var enterpriseData = new EnterpriseData();
var deviceApproval = new DeviceApprovalData();
// ... initialize enterprise loader with deviceApproval plugin ...

var pendingDevices = deviceApproval.DeviceApprovalRequests;
foreach (var device in pendingDevices)
{
    Console.WriteLine($"User ID: {device.EnterpriseUserId}, Device: {device.DeviceName}");
}

PowerCommander

Command: Get-PendingKeeperDeviceApproval

Flags:

Flag

Description

-Reload

Reload the list of pending device approvals from the server (switch)

-Format

Output format: table, csv, or json (default: table)

-Output

File path to write output to (required for csv and json formats)

Example:

PS > Get-PendingKeeperDeviceApproval

Email                DeviceId            DeviceName      ClientVersion  IpAddress
-----                --------            ----------      -------------  ---------
[email protected]     a1b2c3d4e5f6...     John's iPhone   16.0.0         192.168.1.100
[email protected]    b2c3d4e5f6a1...     Work Laptop      16.1.0         10.0.0.50

Example for Json Output:

PS > Get-PendingKeeperDeviceApproval -Reload -Format json
[
    {
        "Email":  "[email protected]",
        "DeviceId":  "a1b2c3d4e5f6...",
        "DeviceName":  "John's iPhone",
        "ClientVersion":  "16.0.0",
        "IpAddress":  "192.168.1.100",
        "DeviceType":  "mobile"
    }
]

Python CLI

Command: device-aprove

Parameter:

device - User email or device ID (optional, can be repeated)

Options

-r, --reload - Reload list of pending approval requests
--trusted-ip - Approve only devices coming from a trusted IP address
--format - Output format: json, table, csv
--output - Output filename

Example:

My Vault> device-approve

Date                 Email                                     Device ID             Device Name       Device Type    IP Address    Client Version    Location
-------------------  ----------------------------------------  --------------------  ----------------  -------------  ------------  ----------------  ----------
2026-01-21 06:02:40  [email protected]                   1234hgghjjhg234gh123  Web Vault Chrome  Web Vault      192.168.1.1    w17.5.0

Python SDK

Function:

from keepersdk.enterprise import enterprise_data
from keepersdk import utils


def token_to_string(token: bytes) -> str:
    """Convert device token bytes to hexadecimal string representation."""
    src = token[0:TOKEN_PREFIX_LENGTH]
    if src.hex:
        return src.hex()
    return ''.join('{:02x}'.format(x) for x in src)

enterprise = enterprise_data.IEnterpriseData()
approve_requests = enterprise.device_approval_requests.get_all_entities()
for device in approval_requests:
    device_id = device.encrypted_device_token
    if not device_id:
        continue
    device_id = token_to_string(utils.base64_url_decode(device_id))
    print(device_id)
    print(device.device_name)
    print(device.device_type)
    print(device.ip_address)
    print(device.client_version)
    print(device.location)

Device Approval Request - Approve

Approves pending device approval requests. You can specify devices by device ID (partial match supported) or user email. If no match is specified, all pending devices will be approved.

DotNet CLI

Usage:

enterprise-device [options] [command] [match]

Aliases: ed

Sub Commands:

approve - Approve device(s)

Options:

-f, --force - Force reload enterprise data
--auto-approve <true|false> - Set auto-approve policy

Match Patterns:

all - Match all pending requests
email - User email address
device-id - Specific device ID

Example:

# Approve devices
enterprise-device approve [email protected]
ed approve all
enterprise-device approve abc123deviceid

# Set auto-approve policy
enterprise-device --auto-approve true

DotNet SDK

Not Supported

PowerCommander

Command: Approve-KeeperDevice

Flags:

Flag

Description

-Match

Device ID (partial match supported) or user email to approve. If not specified, all pending devices will be approved (Position 0)

-Reload

Reload the list of pending device approvals before processing (switch)

-TrustedIp

Approve devices from a trusted IP address (switch, currently not implemented)

-WhatIf

Preview what would happen without actually approving devices (switch, supported via SupportsShouldProcess)

-Confirm

Prompt for confirmation before approving devices (switch, supported via SupportsShouldProcess)

Example:

PS > Approve-KeeperDevice -Match "[email protected]"

What if: Performing the operation "Approve" on target "1 device(s)".
Approved 1 device(s)

Python CLI

Command: device-aprove --approve <Device_UID>

Parameter:

device - User email or device ID (optional, can be repeated)

Options

-a, --approve - Approve user devices
--trusted-ip - Approve only devices coming from a trusted IP address

Example:

My Vault> device-approve --approve 1234hgghjjhg234gh123

Python SDK

Function:

approval_requests: List[DeviceApprovalRequest] = list(enterprise_data.device_approval_requests.get_all_entities())

for device in approval_requests:
            device_rq = enterprise_pb2.ApproveUserDeviceRequest()
            device_rq.enterpriseUserId = device.enterprise_user_id
            device_rq.encryptedDeviceToken = utils.base64_url_decode(device.encrypted_device_token)
            device_rq.denyApproval = False
            device_rq.encryptedDeviceDataKey = encrypted_data_key
            device_requests.append(device_rq)
approve_rq = enterprise_pb2.ApproveUserDevicesRequest()
approve_rq.deviceRequests.extend(device_requests)
KeeperAuth.execute_auth_rest(APPROVE_USER_DEVICES_ENDPOINT, approve_rq, 
                                response_type=enterprise_pb2.ApproveUserDevicesResponse)

Device Approval Request - Deny

Denies pending device approval requests. You can specify devices by device ID (partial match supported) or user email. If no match is specified, all pending devices will be denied.

DotNet CLI

Usage:

enterprise-device [options] [command] [match]

Aliases: ed

Sub Commands:

decline - Decline device(s)

Options:

-f, --force - Force reload enterprise data
--auto-approve <true|false> - Set auto-approve policy

Match Patterns:

all - Match all pending requests
email - User email address
device-id - Specific device ID

Example:

# Decline devices
enterprise-device decline [email protected]
ed decline all

# Set auto-approve policy
enterprise-device --auto-approve true

DotNet SDK

Not Supported

PowerCommander

Command: Deny-KeeperDevice

Flags:

Flag

Description

-Match

Device ID (partial match supported) or user email to deny. If not specified, all pending devices will be denied (Position 0)

-Reload

Reload the list of pending device approvals before processing (switch)

-WhatIf

Preview what would happen without actually denying devices (switch, supported via SupportsShouldProcess)

-Confirm

Prompt for confirmation before denying devices (switch, supported via SupportsShouldProcess)

Example:

PS > Deny-KeeperDevice -Match "[email protected]"

What if: Performing the operation "Deny" on target "1 device(s)".
Denied 1 device(s)

Python CLI

Command: device-approve --deny <Device_UID>

Parameter:

device - User email or device ID (optional, can be repeated)

Options

-d, --deny - Deny user devices

Example:

My Vault> device-approve --deny [email protected]

Python SDK

Function:

approval_requests: List[DeviceApprovalRequest] = list(enterprise_data.device_approval_requests.get_all_entities())

for device in approval_requests:
            device_rq = enterprise_pb2.ApproveUserDeviceRequest()
            device_rq.enterpriseUserId = device.enterprise_user_id
            device_rq.encryptedDeviceToken = utils.base64_url_decode(device.encrypted_device_token)
            device_rq.denyApproval = True
            device_requests.append(device_rq)
approve_rq = enterprise_pb2.ApproveUserDevicesRequest()
approve_rq.deviceRequests.extend(device_requests)
KeeperAuth.execute_auth_rest(APPROVE_USER_DEVICES_ENDPOINT, approve_rq, 
                                response_type=enterprise_pb2.ApproveUserDevicesResponse)

PreviousTransfer User Commands NextAudit Alert Commands

Last updated 22 days ago

Was this helpful?

hashtagList of Supported Commands

hashtagDevice Approval Requests List Command

hashtagParameter:

hashtagOptions

hashtagDevice Approval Request - Approve

hashtagParameter:

hashtagOptions

hashtagDevice Approval Request - Deny

hashtagParameter:

hashtagOptions

List of Supported Commands

Device Approval Requests List Command

Parameter:

Options

Device Approval Request - Approve

Parameter:

Options

Device Approval Request - Deny

Parameter:

Options