# Policy: Status

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FRBbyQlZhX6O16aJhJYUF%2Fimage.png?alt=media&#x26;token=3811b40c-d7ef-4d11-aa11-73217350c08d" alt=""><figcaption></figcaption></figure>

Every KEPM policy is assigned a **status** that determines how Keeper responds when the policy is matched on an endpoint. Status controls whether Keeper passively observes activity, notifies users of policy events, or actively enforces controls. This allows administrators to introduce policies gradually — monitoring behavior before committing to enforcement — without disrupting users prematurely.

***

### Status Options

#### Off

The policy is disabled and has no effect on endpoints. It remains saved in the Admin Console but is not evaluated or applied. Use this status to deactivate a policy without deleting it.

#### Monitor

Keeper evaluates the policy and logs matching events to the audit trail, but takes no action and does not notify the user. The user's activity proceeds uninterrupted.

Use Monitor when introducing a new policy to observe how often it would match before deciding whether to enforce it. This is the recommended starting status for any new policy.

#### Monitor & Notify

Keeper evaluates the policy and logs matching events, but takes no enforcement action. The user receives an on-screen notification informing them that the event occurred and that a policy applies to it.

When Monitor & Notify is selected, the **Require Policy Acknowledgement** option must be enabled. This requires the user to actively acknowledge the notification before dismissing it, ensuring awareness of the policy without blocking the action.

Use Monitor & Notify to prepare users for an upcoming enforcement change — giving them visibility into which of their actions will be affected before controls are activated.

#### Enforce

Keeper actively applies the policy's configured controls. The user must satisfy the required control — such as providing a justification, completing MFA, or waiting for approver action — before the requested action is permitted. If the user does not satisfy the control, the action is blocked.

This is the active enforcement state. All policy controls (Require Approval, Require MFA, Require Justification, Allow, Deny) only take effect when the policy status is set to Enforce.

***

### Recommended Rollout Approach

Transitioning a policy through statuses progressively reduces the risk of disrupting users and gives administrators time to validate policy scope and behavior before full enforcement.

| Stage | Status               | Purpose                                                                       |
| ----- | -------------------- | ----------------------------------------------------------------------------- |
| 1     | **Monitor**          | Observe match frequency and validate policy scope without user impact         |
| 2     | **Monitor & Notify** | Inform users that a policy applies to their actions before enforcement begins |
| 3     | **Enforce**          | Activate controls and require user compliance                                 |

***

### Policy Timing

Once a policy status is changed and saved, the updated policy is pushed to all in-scope endpoints within approximately **30 minutes**. Users can also trigger an immediate sync via the **Refresh Policies** option in the Keeper agent.