# Device Approve Commands
**Usage:**
```
device-approve [--options] [device ...]
```
**Parameters:**
User's email or device ID to approve or blank to see a list of pending devices
### List of Supported Commands
* [Device Approval - List Command](#device-approval-requests-list-command)
* [Device Approval - Approve Command](#device-approval-request-approve)
* [Device Approval - Deny Commands](#device-approval-request-deny)
### Device Approval Requests List Command
DotNet CLI
**Usage:**
```bash
enterprise-device [options] [command] [match]
```
**Aliases:** `ed`
**Sub Commands:**
* `list` - List device approval requests (default)
**Options:**
* `-f, --force` - Force reload enterprise data
* `--auto-approve ` - Set auto-approve policy
**Match Patterns:**
* `all` - Match all pending requests
* `email` - User email address
* `device-id` - Specific device ID
**Example:**
```zsh
# List pending device approvals
enterprise-device list
ed list
# Set auto-approve policy
enterprise-device --auto-approve true
```
DotNet SDK
**Function:** `DeviceApprovalRequests`
```csharp
public IEnumerable DeviceApprovalRequests => _deviceApprovals.Entities;
```
**Example:**
```csharp
var enterpriseData = new EnterpriseData();
var deviceApproval = new DeviceApprovalData();
// ... initialize enterprise loader with deviceApproval plugin ...
var pendingDevices = deviceApproval.DeviceApprovalRequests;
foreach (var device in pendingDevices)
{
Console.WriteLine($"User ID: {device.EnterpriseUserId}, Device: {device.DeviceName}");
}
```
PowerCommander
**Command:** `Get-PendingKeeperDeviceApproval`
**Flags:**
| Flag | Description |
| --------- | -------------------------------------------------------------------- |
| `-Reload` | Reload the list of pending device approvals from the server (switch) |
| `-Format` | Output format: `table`, `csv`, or `json` (default: `table`) |
| `-Output` | File path to write output to (required for csv and json formats) |
**Example:**
```powershell
PS > Get-PendingKeeperDeviceApproval
Email DeviceId DeviceName ClientVersion IpAddress
----- -------- ---------- ------------- ---------
user@example.com a1b2c3d4e5f6... John's iPhone 16.0.0 192.168.1.100
admin@company.com b2c3d4e5f6a1... Work Laptop 16.1.0 10.0.0.50
```
**Example for Json Output:**
```powershell
PS > Get-PendingKeeperDeviceApproval -Reload -Format json
[
{
"Email": "user@example.com",
"DeviceId": "a1b2c3d4e5f6...",
"DeviceName": "John's iPhone",
"ClientVersion": "16.0.0",
"IpAddress": "192.168.1.100",
"DeviceType": "mobile"
}
]
```
Python CLI
**Command:** `device-aprove`
#### Parameter:
`device` - User email or device ID (optional, can be repeated)
#### Options
* `-r`, `--reload` - Reload list of pending approval requests
* `--trusted-ip` - Approve only devices coming from a trusted IP address
* `--format` - Output format: `json`, `table`, `csv`
* `--output` - Output filename
**Example:**
```bash
My Vault> device-approve
Date Email Device ID Device Name Device Type IP Address Client Version Location
------------------- ---------------------------------------- -------------------- ---------------- ------------- ------------ ---------------- ----------
2026-01-21 06:02:40 user@keepersecurity.com 1234hgghjjhg234gh123 Web Vault Chrome Web Vault 192.168.1.1 w17.5.0
```
Python SDK
**Function:**
```python
from keepersdk.enterprise import enterprise_data
from keepersdk import utils
def token_to_string(token: bytes) -> str:
"""Convert device token bytes to hexadecimal string representation."""
src = token[0:TOKEN_PREFIX_LENGTH]
if src.hex:
return src.hex()
return ''.join('{:02x}'.format(x) for x in src)
enterprise = enterprise_data.IEnterpriseData()
approve_requests = enterprise.device_approval_requests.get_all_entities()
for device in approval_requests:
device_id = device.encrypted_device_token
if not device_id:
continue
device_id = token_to_string(utils.base64_url_decode(device_id))
print(device_id)
print(device.device_name)
print(device.device_type)
print(device.ip_address)
print(device.client_version)
print(device.location)
```
### Device Approval Request - Approve
Approves pending device approval requests. You can specify devices by device ID (partial match supported) or user email. If no match is specified, all pending devices will be approved.
DotNet CLI
**Usage:**
```bash
enterprise-device [options] [command] [match]
```
**Aliases:** `ed`
**Sub Commands:**
* `approve` - Approve device(s)
**Options:**
* `-f, --force` - Force reload enterprise data
* `--auto-approve ` - Set auto-approve policy
**Match Patterns:**
* `all` - Match all pending requests
* `email` - User email address
* `device-id` - Specific device ID
**Example:**
```
# Approve devices
enterprise-device approve user@example.com
ed approve all
enterprise-device approve abc123deviceid
# Set auto-approve policy
enterprise-device --auto-approve true
```
DotNet SDK
Not Supported
PowerCommander
**Command:** `Approve-KeeperDevice`
**Flags:**
| Flag | Description |
| ------------ | --------------------------------------------------------------------------------------------------------------------------------- |
| `-Match` | Device ID (partial match supported) or user email to approve. If not specified, all pending devices will be approved (Position 0) |
| `-Reload` | Reload the list of pending device approvals before processing (switch) |
| `-TrustedIp` | Approve devices from a trusted IP address (switch, currently not implemented) |
| `-WhatIf` | Preview what would happen without actually approving devices (switch, supported via SupportsShouldProcess) |
| `-Confirm` | Prompt for confirmation before approving devices (switch, supported via SupportsShouldProcess) |
**Example:**
```powershell
PS > Approve-KeeperDevice -Match "user@example.com"
What if: Performing the operation "Approve" on target "1 device(s)".
Approved 1 device(s)
```
Python CLI
**Command:** `device-aprove --approve `
#### Parameter:
`device` - User email or device ID (optional, can be repeated)
#### Options
* `-a`, `--approve` - Approve user devices
* `--trusted-ip` - Approve only devices coming from a trusted IP address
**Example:**
```bash
My Vault> device-approve --approve 1234hgghjjhg234gh123
```
Python SDK
**Function:**
```python
approval_requests: List[DeviceApprovalRequest] = list(enterprise_data.device_approval_requests.get_all_entities())
for device in approval_requests:
device_rq = enterprise_pb2.ApproveUserDeviceRequest()
device_rq.enterpriseUserId = device.enterprise_user_id
device_rq.encryptedDeviceToken = utils.base64_url_decode(device.encrypted_device_token)
device_rq.denyApproval = False
device_rq.encryptedDeviceDataKey = encrypted_data_key
device_requests.append(device_rq)
approve_rq = enterprise_pb2.ApproveUserDevicesRequest()
approve_rq.deviceRequests.extend(device_requests)
KeeperAuth.execute_auth_rest(APPROVE_USER_DEVICES_ENDPOINT, approve_rq,
response_type=enterprise_pb2.ApproveUserDevicesResponse)
```
### Device Approval Request - Deny
Denies pending device approval requests. You can specify devices by device ID (partial match supported) or user email. If no match is specified, all pending devices will be denied.
DotNet CLI
**Usage:**
```bash
enterprise-device [options] [command] [match]
```
**Aliases:** `ed`
**Sub Commands:**
* `decline` - Decline device(s)
**Options:**
* `-f, --force` - Force reload enterprise data
* `--auto-approve ` - Set auto-approve policy
**Match Patterns:**
* `all` - Match all pending requests
* `email` - User email address
* `device-id` - Specific device ID
**Example:**
```
# Decline devices
enterprise-device decline user@example.com
ed decline all
# Set auto-approve policy
enterprise-device --auto-approve true
```
DotNet SDK
Not Supported
PowerCommander
**Command:** `Deny-KeeperDevice`
**Flags:**
| Flag | Description |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `-Match` | Device ID (partial match supported) or user email to deny. If not specified, all pending devices will be denied (Position 0) |
| `-Reload` | Reload the list of pending device approvals before processing (switch) |
| `-WhatIf` | Preview what would happen without actually denying devices (switch, supported via SupportsShouldProcess) |
| `-Confirm` | Prompt for confirmation before denying devices (switch, supported via SupportsShouldProcess) |
**Example:**
```powershell
PS > Deny-KeeperDevice -Match "user@example.com"
What if: Performing the operation "Deny" on target "1 device(s)".
Denied 1 device(s)
```
Python CLI
**Command:** `device-approve --deny `
#### Parameter:
`device` - User email or device ID (optional, can be repeated)
#### Options
* `-d`, `--deny` - Deny user devices
**Example:**
```bash
My Vault> device-approve --deny user@example.com
```
Python SDK
**Function:**
```python
approval_requests: List[DeviceApprovalRequest] = list(enterprise_data.device_approval_requests.get_all_entities())
for device in approval_requests:
device_rq = enterprise_pb2.ApproveUserDeviceRequest()
device_rq.enterpriseUserId = device.enterprise_user_id
device_rq.encryptedDeviceToken = utils.base64_url_decode(device.encrypted_device_token)
device_rq.denyApproval = True
device_requests.append(device_rq)
approve_rq = enterprise_pb2.ApproveUserDevicesRequest()
approve_rq.deviceRequests.extend(device_requests)
KeeperAuth.execute_auth_rest(APPROVE_USER_DEVICES_ENDPOINT, approve_rq,
response_type=enterprise_pb2.ApproveUserDevicesResponse)
```