Policies

Applying least privilege policies to your users and machines

Policy Overview

Endpoint Privilege Manager can apply least privilege policies to applications, users and machines across the fleet of endpoints which are running the Keeper agent. Policies can be applied to any collections in the tenant. The policy is customized by the Admin based on the organization's requirements.

Policies are applied based on:

  • Collection of resources

  • Policy Type

  • Controls

  • Attributes

The Policies screen displays all active enforcements in the tenant.

Create a Policy

To create a new policy, click on "Create Policy" and complete the policy details form.

Important: Multiple policies can be applied simultaneously to the same device or user. When this happens, Keeper enforces all applicable policies with strict adherence to their requirements. In cases where policies have conflicting settings, Keeper automatically applies the most restrictive option, ensuring maximum security on the endpoint.

Policy Types

Keeper supports the following policy types:

Policy Status

A policy can be applied in one of the following methods:

  • Monitor: Keeper takes no action and the user does not receive any notification.

  • Monitor & Notify: Keeper takes no action, but the user receives a notification that the event occurred.

  • Enforce: Keeper takes action on the policy and the user is notified.

Policy Controls

When a policy is enforced, the user must pass certain controls that are defined. The options are:

  • Requires MFA: The user must use their assigned MFA device to prove their identity. If MFA is required, the user needs to sign up with a Keeper vault and set up a TOTP-based 2FA method. MFA sessions are valid for 5 minutes. Any valid Keeper email/2FA combination will work as long as it's inside the tenant.

  • Requires Approval: The user must wait until an assigned approver handles the request. Approvals always require justification. The first level of approval request times out after 30 minutes. After 30 minutes the request is automatically escalated. The escalated approval must be completed within 4 hours. After the request is approved, the user has 24 hours to use it.

  • Requires Justification: The user must type an explanation of why they need the request approved. If MFA is required in addition to a justification, the user will be first required to pass MFA followed by the justification request.

Policy Filters

A policy affects only the users and devices which are specified in the policy filter section. This includes the following options:

  • User Groups: Select from the auto-generated or custom user group collections

  • Machines: Select from the auto-generated or custom machine collections

  • Applications: Select from the auto-generated or custom application collections

  • Date and Time Window: Apply the policy only within the specific date range, days of the week and time of day. This allows you to create more restrictive policies outside of work hours, for example.

Wildcard Policy

When selecting a policy filter, you can choose "Select All", which is what we call a wildcard policy. A wildcard policy ensures that objects added to the collection in the future are automatically picked up.

For example, the policy below has a wildcard filter against all user groups, machine collections and applications.

Policy Editor

Policies can be edited in the user interface in a basic or advanced mode. The advanced mode allows editing of the JSON policy definition.

Advanced Policy Editor

The Advanced mode of the policy editor allows the admin to manage the policy directly with JSON syntax.

Converting Events to Policy

From the main dashboard, elevation and access events can be easily converted into new policies or added to existing policies. Select the events and then click "+ Add to Policy". Choose the policy to apply the events or create a new policy.

Approval Settings

Keeper allows you to set any number of approvers in a policy for a given elevation request. After a set amount of time, the request can be escalated to a designated admin. Approvals expire after a set amount of time.

Policy Timing

Policies are pushed and applied across the fleet of endpoints within 30 minutes. The Keeper agent user interface also has a "Refresh Policies" option.

Offline Access

Policies created by the Keeper Admin are pushed to the end-user devices and cached locally. Policies are then evaluated on the device while offline.

  • If justification is required, the user's justification message is cached offline until the agent is online again and sent to the server. If the policy only requires justification, execution is permitted.

  • If MFA is required, the user will be able to execute the action only when online.

  • If approval is required, the user can initiate the approval only when online.
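The following is an added model (not Keeper's code) of the documented behaviour: most-restrictive merging when several policies match (Policy Status and Policy Controls above), MFA before justification, approvals always carrying a justification, and the offline rules just listed. The ranking Monitor < Monitor & Notify < Enforce and the decision labels are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed restrictiveness ranking of the documented status modes.
STATUS_ORDER = ["monitor", "monitor_notify", "enforce"]


@dataclass(frozen=True)
class Policy:
    name: str
    status: str                         # "monitor" | "monitor_notify" | "enforce"
    controls: frozenset = frozenset()   # subset of {"mfa", "approval", "justification"}


def merge(policies):
    """Combine all policies matching the same user/device.
    Conflicts resolve to the most restrictive option: highest status,
    union of every required control."""
    status = max((p.status for p in policies), key=STATUS_ORDER.index)
    controls = frozenset().union(*(p.controls for p in policies))
    return status, controls


def evaluate(policies, online):
    """Return (decision, steps) for a request matched by `policies`.
    `online` is True when the agent can reach the Keeper service."""
    if not policies:
        return "allow", []
    status, controls = merge(policies)
    if "approval" in controls:
        controls = controls | {"justification"}   # approvals always require justification
    if status == "monitor":
        return "allow", ["log"]
    if status == "monitor_notify":
        return "allow", ["log", "notify_user"]
    # Enforce mode: MFA and approval can only be completed online.
    if not online and controls & {"mfa", "approval"}:
        return "wait_for_online", []
    # Documented order: MFA first, then justification, then approval.
    steps = [c for c in ("mfa", "justification", "approval") if c in controls]
    if not online and steps == ["justification"]:
        # Justification-only policy: execution is permitted, text is cached for later upload.
        steps = ["justification_cached"]
    return "allow_after_controls", steps
```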

Automation with Commander

Keeper Commander supports policy automation through our command-line interface, Service Mode REST API and Python SDK. Learn more about Endpoint Privilege Manager commands.

Policy Management

The pedm policy command provides management over policy generation.

My Vault> pedm policy -h
pedm command [--options]

Command    Description
---------  ----------------------------
list       List PEDM policies
add        Add PEDM policy
edit       Edit PEDM policy
view       View PEDM policy
assign     Assign collections to policy
delete     Delete PEDM policy
