Policy: Status

Every KEPM policy is assigned a status that determines how Keeper responds when the policy is matched on an endpoint. Status controls whether Keeper passively observes activity, notifies users of policy events, or actively enforces controls. This allows administrators to introduce policies gradually — monitoring behavior before committing to enforcement — without disrupting users prematurely.

Status Options

Off

The policy is disabled and has no effect on endpoints. It remains saved in the Admin Console but is not evaluated or applied. Use this status to deactivate a policy without deleting it.

Monitor

Keeper evaluates the policy and logs matching events to the audit trail, but takes no action and does not notify the user. The user's activity proceeds uninterrupted.

Use Monitor when introducing a new policy to observe how often it would match before deciding whether to enforce it. This is the recommended starting status for any new policy.

Monitor & Notify

Keeper evaluates the policy and logs matching events, but takes no enforcement action. The user receives an on-screen notification informing them that the event occurred and that a policy applies to it.

When Monitor & Notify is selected, the Require Policy Acknowledgement option must be enabled. This requires the user to actively acknowledge the notification before dismissing it, ensuring awareness of the policy without blocking the action.

Use Monitor & Notify to prepare users for an upcoming enforcement change — giving them visibility into which of their actions will be affected before controls are activated.

Enforce

Keeper actively applies the policy's configured controls. The user must satisfy the required control — such as providing a justification, completing MFA, or waiting for approver action — before the requested action is permitted. If the user does not satisfy the control, the action is blocked.

This is the active enforcement state. All policy controls (Require Approval, Require MFA, Require Justification, Allow, Deny) only take effect when the policy status is set to Enforce.

Recommended Rollout Approach

Transitioning a policy through statuses progressively reduces the risk of disrupting users and gives administrators time to validate policy scope and behavior before full enforcement.

Policy Timing

Once a policy status is changed and saved, the updated policy is pushed to all in-scope endpoints within approximately 30 minutes. Users can also trigger an immediate sync via the Refresh Policies option in the Keeper agent.