Policy: Types

KEPM policies define what Keeper governs on an endpoint. Each policy is built around a type that determines the category of action being controlled. Every policy is assigned a status, one or more controls, and filters that scope it to specific users, machines, applications, and time windows.
Multiple policy types can be active on the same endpoint simultaneously. When policies conflict, Keeper enforces the most restrictive outcome.
Privilege Elevation
The Privilege Elevation policy intercepts requests to run applications or actions with administrator-level privileges and enforces the configured control before allowing the elevation to proceed. It is the primary mechanism for just-in-time privilege elevation — ensuring users only gain elevated access for specific, verified actions rather than operating with persistent admin rights.
On Windows, Keeper intercepts UAC elevation events automatically. On macOS and Linux, users initiate elevation requests through the Keeper Client system tray UI. All elevations are executed through an ephemeral service account, keeping privileged actions isolated and auditable.
Supported controls: Allow, Deny, Require Approval, Require MFA, Require Justification
Learn more → Privilege Elevation Policy Type
Least Privilege
The Least Privilege policy removes local administrator rights from standard users on targeted endpoints. It is the recommended starting point for any KEPM deployment — without it, users may already hold admin rights, rendering elevation controls ineffective.
When enforced, Keeper removes targeted users from the local Administrators group and notifies them on-screen. Built-in system accounts and domain admin accounts are automatically protected and cannot be affected. A configurable exclusion list allows specific accounts to be exempt from enforcement.
Learn more → Least Privilege Policy Type
File Access
The File Access policy controls access to specific files on an endpoint — both executable files (applications, scripts, binaries) and non-executable files (configuration files, sensitive data, documents). Unlike Privilege Elevation, File Access policies apply to any user on the system, including those with existing admin rights.
For executables, access is intercepted at the point of execution. For non-executable files, Keeper restricts read, write, and delete operations at the ACL level until the required control is satisfied. File Access policies do not apply to Keeper-protected system paths, and if both a File Access and Privilege Elevation policy exist for the same executable, the Privilege Elevation policy takes precedence.
Supported controls: Allow, Deny, Require Approval, Require MFA, Require Justification
Learn more → File Access Policy Type
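The two evaluation rules stated above (multiple matching policies resolve to the most restrictive outcome, and a Privilege Elevation policy takes precedence over a File Access policy for the same executable) are easy to get wrong when reasoning about a deployment by hand. The following toy evaluator is an added illustration, not Keeper's code: the policy field layout, the status values, the restrictiveness ranking of the five controls, the hour-based time window and the default of Allow when nothing matches are all assumptions made for the example, chosen to exercise the rules exactly as this page describes them.

```python
"""Toy KEPM-style policy evaluator (added example, not Keeper's implementation).

Assumptions: policy layout, the ranking of controls from least to most
restrictive, and the default outcome of Allow when no policy matches.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Assumed restrictiveness ranking; when several policies match, the
# highest-ranked control is enforced (the page's "most restrictive outcome").
CONTROL_RANK = {
    "Allow": 0,
    "Require Justification": 1,
    "Require MFA": 2,
    "Require Approval": 3,
    "Deny": 4,
}


@dataclass
class Policy:
    name: str
    policy_type: str            # e.g. "Privilege Elevation", "File Access"
    status: str                 # assumed values: "Enabled" / "Disabled"
    controls: list[str]
    users: set[str] = field(default_factory=set)          # empty = any user
    machines: set[str] = field(default_factory=set)       # empty = any machine
    applications: set[str] = field(default_factory=set)   # empty = any app
    hours: Optional[tuple[int, int]] = None               # assumed (start, end) local hour


@dataclass
class Request:
    user: str
    machine: str
    application: str
    when: datetime


def matches(policy: Policy, req: Request) -> bool:
    """Apply the scoping filters: status, user, machine, application, time window."""
    if policy.status != "Enabled":
        return False
    if policy.users and req.user not in policy.users:
        return False
    if policy.machines and req.machine not in policy.machines:
        return False
    if policy.applications and req.application not in policy.applications:
        return False
    if policy.hours is not None:
        start, end = policy.hours
        if not start <= req.when.hour < end:
            return False
    return True


def evaluate(policies: list[Policy], req: Request) -> tuple[str, list[str]]:
    """Return (effective control, names of the policies that decided it)."""
    matched = [p for p in policies if matches(p, req)]
    if not matched:
        return "Allow", []          # assumed default when nothing is in scope
    # Precedence rule from the page: if a Privilege Elevation policy covers the
    # executable, a File Access policy for it does not take part in the decision.
    if any(p.policy_type == "Privilege Elevation" for p in matched):
        matched = [p for p in matched if p.policy_type != "File Access"]
    control = max((c for p in matched for c in p.controls), key=CONTROL_RANK.__getitem__)
    return control, [p.name for p in matched]


# Constructed sample policies for the demonstration.
POLICIES = [
    Policy("Block legacy installer", "File Access", "Enabled", ["Deny"],
           applications={"C:\\Tools\\legacy_setup.exe"}),
    Policy("Elevate installer with approval", "Privilege Elevation", "Enabled",
           ["Require Approval"], applications={"C:\\Tools\\legacy_setup.exe"}),
    Policy("Helpdesk MFA, business hours", "Privilege Elevation", "Enabled",
           ["Require MFA"], users={"helpdesk"}, hours=(8, 18)),
    Policy("Protect db config", "File Access", "Enabled", ["Deny"],
           applications={"C:\\App\\db.config"}),
    Policy("Retired rule", "Privilege Elevation", "Disabled", ["Allow"]),
]


def decide(user: str, machine: str, application: str, hour: int) -> tuple[str, list[str]]:
    """Evaluate a constructed request against POLICIES at the given local hour."""
    return evaluate(POLICIES, Request(user, machine, application, datetime(2024, 1, 15, hour, 0)))


if __name__ == "__main__":
    print(decide("helpdesk", "ws01", "C:\\Tools\\legacy_setup.exe", 10))
    print(decide("alice", "ws01", "C:\\App\\db.config", 10))
    print(decide("helpdesk", "ws01", "C:\\Windows\\notepad.exe", 22))
```

Run as a script it prints the decisions for three constructed requests; the first shows the elevation policy displacing the File Access Deny for the same executable while the stricter of the two elevation controls (Require Approval over Require MFA) is still the outcome, the second shows a File Access policy standing alone, and the third shows the time-window filter dropping the helpdesk policy out of scope.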
Command Line
The Command Line policy governs the use of sudo on macOS and Linux systems. It is the Unix equivalent of the Privilege Elevation policy, providing consistent privileged-access governance across all supported platforms.
When applied, Keeper replaces the standard sudo command with keepersudo via a PAM module. Users must submit elevation requests through keepersudo, satisfying whatever control the policy requires before the command is executed. Keeper maintains an explicit allowlist of commands eligible for elevation on each endpoint.
Supported controls: Allow, Deny, Require Approval, Require MFA, Require Justification
Learn more → Command Line Policy Type
Advanced Policy Types
Advanced policy types are configured through the Advanced Mode JSON editor and cover operational use cases beyond endpoint access control. They are not selectable from the standard policy type dropdown — administrators set the PolicyType field directly in JSON and populate the Extension object with the required configuration.
Update Settings
Pushes plugin or agent configuration to endpoints centrally, without requiring manual file edits on individual machines. The agent's configuration processor applies the provided JSON payload to the target plugin file on each in-scope endpoint.
Learn more → Update Settings Policy Type
Update Jobs
Deploys, modifies, or removes job definitions on endpoints from a central location. The agent processes the policy and adds, updates, or deletes the specified job file under the Jobs/ directory on each in-scope endpoint.
Learn more → Update Jobs Policy Type
Custom
Provides a schema-flexible policy classification for specialized workflows, internal integrations, or custom evaluators that do not map to any standard KEPM policy type. Custom policies follow the same structural format as all other policy types and support the full range of KEPM controls, with the Extension object populated freely to meet the needs of the consuming component.
Learn more → Custom Policy Type
Policy Type Summary

Policy type           Purpose                                              Platforms                                        Configured via
Privilege Elevation   Just-in-time elevation control                       Windows, macOS, Linux                            Standard UI
Least Privilege       Remove local admin rights from standard users        Windows, macOS, Linux                            Standard UI
File Access           Control access to executables and sensitive files    Windows (full); macOS & Linux (via Keeper Client UI)   Standard UI
Command Line          Govern sudo usage on Unix-based systems              macOS, Linux                                     Standard UI
Update Settings       Push plugin/agent configuration to endpoints         All                                              Advanced Mode (JSON)
Update Jobs           Deploy or remove job definitions on endpoints        All                                              Advanced Mode (JSON)
Custom                Specialized workflows and integrations               All                                              Advanced Mode (JSON)