Policy-Based File Execution Redirection

Advanced configuration of KEPM elevations using a File Redirect

Audience: System administrators

This page explains how to configure and use file redirect in Keeper Endpoint Privilege Manager (KEPM). When a privilege elevation request is allowed by policy, redirect lets you substitute a different executable so the user gets the intended experience while policy stays in control.

What is a File Redirect?

When a privilege elevation request is allowed by policy, KEPM normally launches the requested executable with elevation. A redirect intercepts that flow and launches a substitute executable instead.

Example: A user requests elevation for PowerShell 7 (pwsh.exe). Policy allows it, but the redirect rule substitutes Windows PowerShell 5.1 (powershell.exe) — the user gets the intended shell while the organization controls which binary runs elevated.

Key behaviors:

  • Redirect applies only to Privilege Elevation events — not File Access or other event types.

  • When a rule matches, the job sends DENY to the caller and launches the substitute executable elevated.

  • When redirect is disabled or no rule matches, normal elevation flow proceeds.

  • Policy evaluation and controls (MFA, justification, approval) are unchanged — redirect happens after the request is allowed.

Redirect rules are stored in the RedirectEvaluator plugin configuration under metadata.redirect.

Requirements

LaunchPrivilegeElevation job: Must be deployed and registered. Contains the check-redirect task that calls RedirectEvaluator.

RedirectEvaluator plugin: Plugin config must have metadata.redirect.enabled: true and at least one rule in metadata.redirect.rules.

Privilege Elevation policy: A policy that allows the source application. Without this, the request is denied and LaunchPrivilegeElevation never runs.

SettingsUpdate policy: Pushes the full RedirectEvaluator JSON (including redirect rules) to endpoints so Plugins/RedirectEvaluator.json is updated.

Process Configuration Policies job: Runs the ConfigurationPolicyProcessor, which writes SettingsUpdate policy content to plugin files.

Reload of plugin settings: After the JSON file is updated, the service must load the new config. The only ways to reload are an UpdateSettings policy, a restart of the KEPM service, or a restart of the machine. KEPM admin endpoints cannot be called from a terminal or scripts; the calling process must be signed like KEPM.

UpdateSettings policy (optional): When present and preprocessed, triggers revert-all to reload settings without restarting the service.

Redirect Rule Format

Rules live under metadata.redirect.rules in the RedirectEvaluator plugin JSON.

sourceExePattern (required): Regex matched against the executable file name only (e.g. pwsh\.exe). Case-insensitive. In the JSON string, write \\. to produce the regex \. for a literal dot.

commandLinePattern (required): Regex matched against the full command line. Cannot be empty; use .* to match any command line.

elevationOnly (required): Set true so the rule applies only to Privilege Elevation events.

nonAdminOnly (optional): If true, the rule applies only when the requesting user is not an administrator.

targetExe (required): Substitute executable: a full path or a product-known name (e.g. Keeper.NetworkConnections) resolved from Jobs/bin or Plugins/bin.

targetArguments (optional): Arguments for the substitute (often "").


Important: Both sourceExePattern and commandLinePattern must be non-empty. To redirect regardless of command line, use ".*" for commandLinePattern. The first matching rule wins — place more specific rules before general ones.

Setup

Step 1: Privilege Elevation Policy

Create a policy that allows the application you want to redirect. If the request is denied, LaunchPrivilegeElevation is not triggered and redirect never runs.

  1. Create a Privilege Elevation policy in your management console or policy store.

  2. Set PolicyType to "PrivilegeElevation" and Status to "enabled".

  3. Configure ApplicationCheck to match the source executable (e.g. a path containing PowerShell\7\pwsh.exe).

  4. Set Controls to allow elevation (e.g. ["ALLOW"], or include MFA/Justify/Approval as needed).

  5. Assign to the appropriate user and machine collections, then deploy/sync.

Example (conceptual):

Step 2: SettingsUpdate Policy (Redirect Rules)

This policy pushes the full RedirectEvaluator plugin JSON to Plugins/RedirectEvaluator.json on each endpoint.

  1. Build the full RedirectEvaluator JSON, including all required fields: id, name, description, version, pluginType, executablePath, Subscription, metadata, etc.

  2. Set metadata.redirect.enabled to true and populate metadata.redirect.rules with your rules.

  3. Create a SettingsUpdate policy with Extension.PluginName "RedirectEvaluator", Extension.Action "Update", and Extension.SettingsJson set to the full plugin JSON. Object format is easier to read and avoids escaping errors.

  4. Assign to the appropriate collections and deploy/sync.

Example SettingsUpdate policy:


SettingsJson must be the complete plugin JSON — all fields including id, name, executablePath, Subscription, and metadata are required.

Step 3: Run Process Configuration Policies

The Process Configuration Policies job (ConfigurationPolicyProcessor) reads SettingsUpdate policies and writes Extension.SettingsJson to Plugins/RedirectEvaluator.json on each endpoint.

  • Scheduled: Runs automatically on its next cycle after sync.

  • On demand: Use the KeeperClient Refresh option to trigger policy sync and preprocessing immediately.

After this step, the plugin file on disk contains your redirect rules. The running service may still use the old in-memory config until settings are reloaded (Step 4).

Step 4: Reload Plugin Settings

After the plugin JSON file is updated, the service must load the new settings. The only ways to reload are:

  1. UpdateSettings policy — Triggers revert-all during policy preprocessing (see Step 5).

  2. Restart KEPM service — Reads plugin config from disk on startup. Most reliable for a first-time load.

  3. Restart the machine — Same effect as restarting the service.


KEPM admin endpoints cannot be triggered from terminal, PowerShell, curl, or other unsigned tools.

Step 5 (optional): UpdateSettings Policy for Reload Without Restart

  1. Create a policy with PolicyType "UpdateSettings" and Status "enabled".

  2. Assign to the appropriate collections and deploy/sync.

  3. When KeeperPolicy preprocesses policies, it finds the UpdateSettings policy and calls revert-all once, re-importing plugin settings from the current in-memory configuration into storage.


Note: UpdateSettings re-imports from the current in-memory configuration — it does not re-read JSON files from disk. For the first push of a new RedirectEvaluator.json, a service restart is the most reliable approach. Use UpdateSettings for subsequent reloads once the config is already loaded.

Runtime Behavior

When a user triggers a privilege elevation request that matches a redirect rule:

  1. User requests elevation — e.g. rundll32.exe with ncpa.cpl in the command line.

  2. Policy evaluation — The Privilege Elevation policy allows the request; controls (MFA, justification, approval) run as normal.

  3. LaunchPrivilegeElevation job starts — The check-redirect task runs when metadata.redirect.enabled is true.

  4. RedirectEvaluator is invoked — Called with context (FilePath, CommandLine, IsAdmin, OriginalEventType). It returns JSON to stdout; the executor merges it and adds aliases so downstream tasks see DenyOriginalRequest: true, RedirectTargetExe, and RedirectTargetArgs.

  5. Job branches on outcome:

    • send-deny-redirect — Publishes DENY to the caller so the original executable is not launched.

    • launch-substitute — HTTP POST to launch-elevated with the resolved substitute path and arguments.

    • send-did-elevate-response — Sends DidElevate so the client shows success; the user sees the substitute application.

When redirect is disabled, check-redirect sets DenyOriginalRequest: false and the job continues with the normal launch-elevated path.
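The following is an added illustration of the rule semantics described in the Redirect Rule Format section and the runtime outcome described above; it is not the RedirectEvaluator plugin's own code. It assumes search (unanchored) regex semantics, the event-type string "PrivilegeElevation", and a constructed metadata.redirect subtree whose rules pair the page's rundll32/ncpa.cpl and pwsh.exe examples with assumed targets.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed metadata.redirect subtree for illustration only. A real
# RedirectEvaluator.json also carries id, name, executablePath, Subscription, etc.
# The Windows PowerShell path is an assumed placeholder target.
CONFIG = json.loads(r'''{"metadata": {"redirect": {"enabled": true, "rules": [
  {"sourceExePattern": "rundll32\\.exe", "commandLinePattern": "ncpa\\.cpl",
   "elevationOnly": true, "nonAdminOnly": true,
   "targetExe": "Keeper.NetworkConnections", "targetArguments": ""},
  {"sourceExePattern": "pwsh\\.exe", "commandLinePattern": ".*",
   "elevationOnly": true,
   "targetExe": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
   "targetArguments": "-NoProfile"}]}}}''')


def validate_rules(rules):
    """Both patterns must be non-empty, as the rule format requires."""
    for i, rule in enumerate(rules):
        if not rule.get("sourceExePattern") or not rule.get("commandLinePattern"):
            raise ValueError(f"rule {i}: sourceExePattern and commandLinePattern must be non-empty")


def evaluate(config, context):
    """Return the outcome fields downstream tasks read: DenyOriginalRequest,
    RedirectTargetExe and RedirectTargetArgs. First matching rule wins."""
    redirect = config["metadata"]["redirect"]
    no_redirect = {"DenyOriginalRequest": False}
    if not redirect.get("enabled"):
        return no_redirect
    rules = redirect.get("rules", [])
    validate_rules(rules)
    exe_name = PureWindowsPath(context["FilePath"]).name  # file name only, per the page
    for rule in rules:
        if rule.get("elevationOnly") and context["OriginalEventType"] != "PrivilegeElevation":
            continue  # event-type value is an assumption
        if rule.get("nonAdminOnly") and context["IsAdmin"]:
            continue
        # Only the file-name pattern is documented as case-insensitive.
        if not re.search(rule["sourceExePattern"], exe_name, re.IGNORECASE):
            continue
        if not re.search(rule["commandLinePattern"], context["CommandLine"]):
            continue
        return {"DenyOriginalRequest": True,
                "RedirectTargetExe": rule["targetExe"],
                "RedirectTargetArgs": rule.get("targetArguments", "")}
    return no_redirect
```

The second rule deliberately uses ".*" so it catches any pwsh.exe command line, while the more specific rundll32 rule is listed first; swapping the order would not change results here, but placing a ".*" rule for the same source executable ahead of a narrower one would make the narrower one unreachable.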

Target Executable Path Resolution

targetExe values like Keeper.NetworkConnections are resolved to full paths by the task executor before the launch-substitute call. The executor looks in Jobs/bin (and Plugins/bin as applicable). Only paths under the manager's control are used for substitute launches.

Limitations

Privilege Elevation only: Redirect is not evaluated for File Access or other event types.

Both patterns required: sourceExePattern and commandLinePattern must both be non-empty.

Policy must allow first: The elevation request must be allowed by policy. If denied, LaunchPrivilegeElevation does not run and redirect is never evaluated.

Tampering protection: If KEPM detects Plugins/RedirectEvaluator.json was modified after initial load, it may skip the file on hot reload. Restart the KEPM service so the file is read at startup.

Target executable: targetExe must resolve under Jobs/bin or Plugins/bin and be launchable on the endpoint.

First matching rule wins: Order rules from most specific to least specific.

UpdateSettings scope: Re-imports from in-memory config only; it does not re-read JSON from disk. Use a service restart to load a file that has never been loaded before.

No API from terminal/scripts: Admin endpoints require the calling process to be signed like KEPM. Terminal, PowerShell, and curl cannot call them.
