# Plugin & Task Settings


**Audience:** IT admins. This page documents **settings** for each plugin and, where applicable, **tasks** that use them. For each setting we state **how it is used**, **type**, **default**, and **appropriate values**. Settings can be stored in the plugin JSON file (`Plugins/{PluginName}.json`) or in unified storage; at runtime, unified storage takes precedence until reverted.

***

### How settings are applied

* **Plugin JSON:** Each plugin has a JSON file under `Plugins/` (e.g. `Plugins/KeeperPolicy.json`). Settings can appear in the root or under `metadata`. Editing the file and restarting the plugin (or reverting from JSON) applies them.
* **Unified storage:** The product can store plugin settings in unified storage. Those values override the plugin JSON until you run **Revert** (e.g. `POST /api/PluginSettings/{pluginName}/revert` or `revert-all`).
* **Pushing config:** A **SettingsUpdate** configuration policy can write the full plugin JSON to disk; then **Process Configuration Policies** runs the configuration processor. After that, use Revert if you want runtime storage to match the new file, and restart the plugin if needed.
* **API:** You can read settings with `GET /api/PluginSettings/{pluginName}` or `GET /api/PluginSettings/{pluginName}/{settingName}` and update with `PUT /api/PluginSettings/{pluginName}/{settingName}` (Admin). Value format is JSON (e.g. a string, number, or boolean).

***

### Global (application) Settings

These live in **appsettings.json** under the `Settings` section and apply to the whole service. Only the main settings that admins commonly change are listed here.

| Setting                   | Type    | Default                  | How it's used                                                                                                                       | Appropriate values                                                                                                                                                     |
| ------------------------- | ------- | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **KestrelHttpPort**       | integer | 6888                     | HTTP port for the management API (localhost only).                                                                                  | 1024–65535; must be free on the machine.                                                                                                                               |
| **KestrelHttpsPort**      | integer | 6889                     | HTTPS port for the management API (localhost only).                                                                                 | 1024–65535; must be free.                                                                                                                                              |
| **system.logging.level**  | string  | "Warning"                | Minimum log level for the main service / KeeperLogger when used as fallback.                                                        | **"Critical"**, **"Error"**, **"Warning"**, **"Information"**, **"Debug"**, **"Trace"**. Production: **"Warning"** or **"Information"**; troubleshooting: **"Debug"**. |
| **RepositoryPath**        | string  | "KeeperStorage"          | Directory for system configuration storage.                                                                                         | Valid path; can use path variables (e.g. `{approot}/KeeperStorage`).                                                                                                   |
| **PluginPath**            | string  | "Plugins"                | Directory containing plugin JSON and executables.                                                                                   | Valid path; can use path variables.                                                                                                                                    |
| **ServiceName**           | string  | "KeeperPrivilegeManager" | Windows service display name.                                                                                                       | Any non-empty string.                                                                                                                                                  |
| **MaintainKeeperAccount** | boolean | false                    | When true (Windows), the ephemeral KeeperUserSession account is maintained across service restarts (for hybrid Azure AD + Intune). | **true** or **false**.                                                                                                                                                 |

**MQTT broker** (in **MqttBrokerSettings**):

| Setting       | Type    | Default     | How it's used             | Appropriate values                                                     |
| ------------- | ------- | ----------- | ------------------------- | ---------------------------------------------------------------------- |
| **IpAddress** | string  | "127.0.0.1" | MQTT broker bind address. | **"127.0.0.1"** or **"localhost"** (must stay localhost for security). |
| **Port**      | integer | 8675        | MQTT broker port.         | 1024–65535; must be free.                                              |

***

### KeeperPolicy Plugin

**Config file:** `Plugins/KeeperPolicy.json`\
**Settings** are read at plugin startup and used for MQTT connection, API calls, and policy behavior.

| Setting                                                   | Type    | Default        | How it's used                                                                                                                                              | Appropriate values                                                                                                                                     |
| --------------------------------------------------------- | ------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **broker.host**                                           | string  | "127.0.0.1"    | MQTT broker hostname the plugin connects to.                                                                                                               | Hostname or IP of the local MQTT broker (typically **127.0.0.1**).                                                                                     |
| **broker.port**                                           | integer | 8675           | MQTT broker port.                                                                                                                                          | 1024–65535; must match **MqttBrokerSettings.Port**.                                                                                                    |
| **subscription.topic**                                    | string  | "KeeperPolicy" | Primary MQTT topic the plugin subscribes to for policy requests.                                                                                           | Non-empty topic name (e.g. **"KeeperPolicy"**).                                                                                                        |
| **subscription.topics**                                   | string  | (varies)       | Comma-separated list of additional MQTT topics to subscribe to.                                                                                            | Comma-separated topic names; primary topic is usually included.                                                                                        |
| **system.service.https\_port**                            | integer | 6889           | HTTPS port used for local API calls (e.g. custom filter, job trigger).                                                                                     | Same as **KestrelHttpsPort** (typically **6889**).                                                                                                     |
| **customfilter.timeout\_seconds**                         | integer | 30             | Timeout in seconds for HTTP calls to custom filter jobs.                                                                                                   | Positive integer (e.g. **15**–**60**).                                                                                                                 |
| **ratelimit.max\_requests\_per\_minute**                  | integer | 100            | Maximum policy evaluation requests per minute per source (rate limit).                                                                                     | Positive integer; increase if legitimate traffic is throttled.                                                                                         |
| **metadata.admin.enforce\_policies\_for\_administrators** | boolean | false          | When **no policy** matches a privilege-elevation (or other) request: if the user is an **administrator**, **false** = allow (OS default); **true** = deny. | **false** (default): admins are not subject to “no policy = deny” for elevation. **true**: admins are subject to the same deny when no policy matches. |

***

### KeeperAPI Plugin

**Config file:** `Plugins/KeeperApi.json`\
Used for communication with the Keeper backend (registration, policy sync, audit).

| Setting                    | Type    | Default               | How it's used                                                      | Appropriate values                                                              |
| -------------------------- | ------- | --------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------- |
| **broker.host**            | string  | "127.0.0.1"           | MQTT broker hostname.                                              | **127.0.0.1** or localhost.                                                     |
| **broker.port**            | integer | 8675                  | MQTT broker port.                                                  | Same as **MqttBrokerSettings.Port**.                                            |
| **api.base\_url**          | string  | (from env or default) | Base URL for the Keeper backend API.                               | Full HTTPS URL of the Keeper API (e.g. **"https://api.keepersecurity.com"**).   |
| **sync.interval\_minutes** | integer | (varies)              | Interval in minutes between policy/settings sync from the backend. | Positive integer (e.g. **15**–**60**).                                          |

***

### KeeperLogger Plugin

**Config file:** `Plugins/KeeperLogger.json`\
Controls where and how log messages are written (file, HTTP endpoint, retention, size).

| Setting                 | Type    | Default                | How it's used                                                                               | Appropriate values                                                                                                                                                     |
| ----------------------- | ------- | ---------------------- | ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **logToFile**           | boolean | true                   | When true, log messages are written to a file.                                              | **true** or **false**.                                                                                                                                                 |
| **logFileName**         | string  | "Log/KeeperLogger.log" | Path (relative to plugin working dir or absolute) for the log file. Can use path variables. | Valid path; e.g. **"Log/KeeperLogger.log"** or **"{approot}/Log/KeeperLogger.log"**.                                                                                   |
| **maxFileSizeMB**       | number  | 100                    | Maximum size in MB of the log file before rotation.                                         | Positive number (e.g. **50**–**500**).                                                                                                                                 |
| **logRetentionDays**    | integer | 15                     | Number of days to keep rotated log files before deletion.                                   | Positive integer (e.g. **7**–**90**).                                                                                                                                  |
| **logToHttpEndpoint**   | boolean | false                  | When true, log messages are also sent to an HTTP endpoint.                                  | **true** or **false**.                                                                                                                                                 |
| **loggingHttpEndpoint** | string  | ""                     | URL to post log messages to when **logToHttpEndpoint** is true.                             | Full HTTP/HTTPS URL or empty.                                                                                                                                          |
| **log.level**           | string  | (varies)               | Minimum level for messages written to file or HTTP.                                         | **"Critical"**, **"Error"**, **"Warning"**, **"Information"**, **"Debug"**, **"Trace"**. Production: **"Warning"** or **"Information"**; troubleshooting: **"Debug"**. |

***

### RedirectEvaluator Plugin (redirect capability)

**Config file:** `Plugins/RedirectEvaluator.json`\
Redirect settings control whether the **LaunchPrivilegeElevation** job substitutes a different executable when a rule matches (e.g. ncpa.cpl → Keeper.NetworkConnections). See [Reference: Redirect](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/redirect-capability) for the full flow.

| Setting                         | Type    | Default                   | How it's used                                                                                                                                                                                                                                                                                                                 | Appropriate values                                                                                                                                                                     |
| ------------------------------- | ------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **metadata.redirect.enabled**   | boolean | true/false (configurable) | When **true**, the LaunchPrivilegeElevation job runs the **check-redirect** task and evaluates **metadata.redirect.rules**. When a rule matches, the caller gets DENY and the **targetExe** is launched elevated. When **false**, check-redirect is skipped and the requested exe is launched (or denied) as per normal flow. | **true**: redirect on. **false**: redirect off, normal launch-elevated only.                                                                                                           |
| **metadata.redirect.rules**     | array   | \[] or rule list          | List of redirect rules. First matching rule wins. Each rule has **sourceExePattern**, **commandLinePattern**, **elevationOnly**, **nonAdminOnly**, **targetExe**, **targetArguments**.                                                                                                                                        | Array of rule objects; see [Reference: Redirect](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/redirect-capability). Leave **\[]** if no redirects desired. |
| **metadata.redirect.rulesPath** | string  | (optional)                | If supported, path to a file containing redirect rules (alternative to inline **rules**).                                                                                                                                                                                                                                     | Valid file path or empty.                                                                                                                                                              |

**Redirect rule fields (each object in metadata.redirect.rules):**

| Field                  | Type           | How it's used                                                                                             | Appropriate values                                                          |
| ---------------------- | -------------- | --------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| **sourceExePattern**   | string (regex) | Matched against the **executable name** of the elevation request (e.g. `rundll32.exe`). Case-insensitive. | Regex; use `\\.` for literal dot (e.g. **"rundll32\\.exe"**).               |
| **commandLinePattern** | string (regex) | Matched against the full **command line**. Acts as “contains.” Case-insensitive.                          | Regex; e.g. **"ncpa\\.cpl"** for ncpa.cpl.                                  |
| **elevationOnly**      | boolean        | If true, rule applies only to **Privilege Elevation** events.                                             | **true** for typical redirects.                                             |
| **nonAdminOnly**       | boolean        | If true, rule applies only when the **requesting user is not an administrator**.                          | **true** to redirect only standard users; **false** to redirect admins too. |
| **targetExe**          | string         | **Plugin ID** or executable name of the substitute (resolved from Jobs/bin or Plugins/bin).               | e.g. **"Keeper.NetworkConnections"**; must be deployed.                     |
| **targetArguments**    | string         | Command-line arguments for the substitute executable.                                                     | Any string; often **""**.                                                   |
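
The rule semantics in the two tables above (first match wins, case-insensitive regex, `elevationOnly`, `nonAdminOnly`) can be modelled offline to test a rule list before deploying it. This is an added example, not Keeper's code: the nesting under `metadata`, the treatment of a missing `enabled` as false, the use of "contains" matching for `sourceExePattern`, and the second rule's target `Example.ControlPanelHelper` are assumptions.

```python
import json
import re

# Constructed RedirectEvaluator.json fragment. The nesting under "metadata" and
# the second rule's target ("Example.ControlPanelHelper") are assumptions.
# In JSON text a regex backslash is doubled, so "\\." is the regex \. (literal dot).
CONFIG_TEXT = r'''
{
  "metadata": {
    "redirect": {
      "enabled": true,
      "rules": [
        {
          "sourceExePattern": "rundll32\\.exe",
          "commandLinePattern": "ncpa\\.cpl",
          "elevationOnly": true,
          "nonAdminOnly": true,
          "targetExe": "Keeper.NetworkConnections",
          "targetArguments": ""
        },
        {
          "sourceExePattern": "rundll32\\.exe",
          "commandLinePattern": "\\.cpl",
          "elevationOnly": true,
          "nonAdminOnly": false,
          "targetExe": "Example.ControlPanelHelper",
          "targetArguments": ""
        }
      ]
    }
  }
}
'''

def rule_matches(rule, exe_name, command_line, is_elevation, is_admin):
    """Apply one rule's four conditions as the field table describes them."""
    if rule.get("elevationOnly") and not is_elevation:
        return False
    if rule.get("nonAdminOnly") and is_admin:
        return False
    # Both patterns are case-insensitive; re.search gives "contains" behaviour.
    # Using search for sourceExePattern as well is an assumption.
    flags = re.IGNORECASE
    return bool(re.search(rule.get("sourceExePattern", ""), exe_name, flags)
                and re.search(rule.get("commandLinePattern", ""), command_line, flags))

def evaluate_redirect(config, exe_name, command_line, is_elevation=True, is_admin=False):
    """Return the redirect decision, or None when the normal flow applies."""
    redirect = config.get("metadata", {}).get("redirect", {})
    if not redirect.get("enabled", False):  # missing "enabled" treated as off (assumption)
        return None  # check-redirect is skipped
    for index, rule in enumerate(redirect.get("rules", [])):
        if rule_matches(rule, exe_name, command_line, is_elevation, is_admin):
            # First matching rule wins: caller gets DENY, targetExe is launched.
            return {"rule": index, "caller": "DENY",
                    "launch": rule["targetExe"],
                    "arguments": rule.get("targetArguments", "")}
    return None

CONFIG = json.loads(CONFIG_TEXT)
NCPA = "rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl"  # constructed request

if __name__ == "__main__":
    print(evaluate_redirect(CONFIG, "rundll32.exe", NCPA))                 # standard user
    print(evaluate_redirect(CONFIG, "rundll32.exe", NCPA, is_admin=True))  # administrator
```

In this sample an administrator skips the first rule (`nonAdminOnly` is true) and falls through to the broader second rule, which is the kind of ordering effect worth checking before a rule list goes live.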

***

### KeeperClient Plugin

**Config file:** `Plugins/KeeperClient.json`\
System tray client: notifications, menu, health check. Many options are in **metadata** (e.g. menu items, UI behavior).

| Setting                                  | Type    | Default     | How it's used                                        | Appropriate values                                        |
| ---------------------------------------- | ------- | ----------- | ---------------------------------------------------- | --------------------------------------------------------- |
| **broker.host**                          | string  | "127.0.0.1" | MQTT broker hostname.                                | **127.0.0.1**.                                            |
| **broker.port**                          | integer | 8675        | MQTT broker port.                                    | Same as **MqttBrokerSettings.Port**.                      |
| **metadata.menu.refreshIntervalMinutes** | integer | 5           | How often the tray menu is refreshed from the API.   | Positive integer (e.g. **1**–**30**).                     |
| **metadata.menu.autoRefresh**            | boolean | true        | Whether the menu refreshes automatically on a timer. | **true** or **false**.                                    |
| **metadata.LanguageOverride**            | string  | "DEFAULT"   | Override UI language.                                | **"DEFAULT"** or a valid culture code (e.g. **"en-US"**). |
| **metadata.showInTray**                  | boolean | true        | Whether to show an icon in the system tray.          | **true** or **false**.                                    |

***

### keeperAgent Plugin

**Config file:** `Plugins/keeperAgent.json`\
Standalone UI for managing privilege elevation and file access requests (approvals, history).

| Setting                            | Type    | Default | How it's used                                                                          | Appropriate values                      |
| ---------------------------------- | ------- | ------- | -------------------------------------------------------------------------------------- | --------------------------------------- |
| **approvalExpirationHours**        | integer | 72      | Hours after which a pending approval request expires.                                  | Positive integer (e.g. **24**–**168**). |
| **approvedRequestExpirationHours** | integer | 24      | Hours after which an approved (granted) request expires and can no longer be launched. | Positive integer (e.g. **1**–**72**).   |
| **historyRetentionDays**           | integer | 30      | Number of days to keep history items in the UI.                                        | Positive integer (e.g. **7**–**90**).   |
| **maxPayloadSizeBytes**            | integer | 1048576 | Maximum payload size for messages (1 MB).                                              | Positive integer.                       |
| **maxRequestItems**                | integer | 20      | Maximum number of pending request items to show.                                       | Positive integer.                       |
| **maxHistoryItems**                | integer | 20      | Maximum number of history items to show.                                               | Positive integer.                       |
| **maxExceptionMessageLength**      | integer | 500     | Maximum length of exception messages displayed.                                        | Positive integer.                       |

***

### Tasks That Use Plugin Settings

Some **job tasks** read plugin settings to decide behavior. They are documented here so you know which settings affect which tasks.

| Job                          | Task           | Setting used                                         | How it's used                                                                                                                                                                                   |
| ---------------------------- | -------------- | ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **LaunchPrivilegeElevation** | check-redirect | **RedirectEvaluator**: **metadata.redirect.enabled** | When **true**, the task runs the RedirectEvaluator executable and evaluates redirect rules; when **false**, the task is skipped and the job proceeds with normal launch-elevated (no redirect). |

Other policy-control jobs (e.g. privilege-elevation-policy-controls, default-policy-controls) use **KeeperMfa**, **KeeperJustification**, **KeeperApproval** as **executables** (task commands), not as plugins with settings you configure in this reference. Their behavior is driven by job parameters and policy, not by separate plugin setting tables.

***

### Summary: Where to Configure

| What                                            | Where                                                                           | Notes                                                         |
| ----------------------------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------------- |
| **Global (ports, paths, system log level)**     | **appsettings.json** → **Settings**, **MqttBrokerSettings**                     | Restart service for port/path changes.                        |
| **KeeperPolicy (broker, admin fallback, etc.)** | **Plugins/KeeperPolicy.json** or **PUT /api/PluginSettings/KeeperPolicy/{key}** | Restart KeeperPolicy after change.                            |
| **KeeperAPI (broker, API URL, sync)**           | **Plugins/KeeperApi.json** or PluginSettings API                                | Restart KeeperAPI after change.                               |
| **KeeperLogger (file, retention, level)**       | **Plugins/KeeperLogger.json** or PluginSettings API                             | Restart Logger after change.                                  |
| **Redirect (enabled, rules)**                   | **Plugins/RedirectEvaluator.json** or PluginSettings API                        | Restart not required for next evaluation; rule order matters. |
| **KeeperClient (menu, tray)**                   | **Plugins/KeeperClient.json**                                                   | Restart KeeperClient to apply.                                |
| **keeperAgent (expiration, limits)**            | **Plugins/keeperAgent.json**                                                    | Restart keeperAgent to apply.                                 |

After editing plugin JSON on disk, use **POST /api/PluginSettings/{pluginName}/revert** (or **revert-all**) to reload from file into unified storage if the product caches settings there, then restart the plugin so it picks up the new values.\
If the plugin is configured with `autoRestart = true`, stopping it causes it to restart automatically.
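
Several values in the tables above must agree across files (broker ports, the HTTPS port) or stay within stated bounds (localhost bind, HTTPS base URL, log levels), and these can be checked before a restart. The following is an added example, not Keeper's code: the severity labels, the placement of `MqttBrokerSettings` beside `Settings`, and the flat-or-nested key layout handled by `lookup` are assumptions, and the sample data is constructed.

```python
from urllib.parse import urlparse

LEVELS = {"Critical", "Error", "Warning", "Information", "Debug", "Trace"}
LOOPBACK = {"127.0.0.1", "localhost"}
BROKER_PLUGINS = ("KeeperPolicy", "KeeperApi", "KeeperClient")
_MISSING = object()

def lookup(cfg, dotted, default=None):
    """Read a setting stored as a flat dotted key or as nested objects,
    at the root or under "metadata" (the on-disk layout is an assumption)."""
    meta = cfg.get("metadata")
    for root in [cfg] + ([meta] if isinstance(meta, dict) else []):
        if dotted in root:
            return root[dotted]
        node = root
        for part in dotted.split("."):
            node = node.get(part, _MISSING) if isinstance(node, dict) else _MISSING
        if node is not _MISSING:
            return node
    return default

def audit(appsettings, plugins):
    """Return (severity, message) findings for the documented constraints."""
    out = []
    settings = appsettings.get("Settings", {})
    mqtt = appsettings.get("MqttBrokerSettings", {})
    mqtt_port = mqtt.get("Port", 8675)
    https_port = settings.get("KestrelHttpsPort", 6889)
    ports = {"KestrelHttpPort": settings.get("KestrelHttpPort", 6888),
             "KestrelHttpsPort": https_port, "MqttBrokerSettings.Port": mqtt_port}
    for name, port in ports.items():
        if not (isinstance(port, int) and 1024 <= port <= 65535):
            out.append(("HIGH", f"{name}={port!r} is outside 1024-65535"))
    bind = mqtt.get("IpAddress", "127.0.0.1")
    if bind not in LOOPBACK:
        out.append(("HIGH", f"MqttBrokerSettings.IpAddress={bind!r} must stay localhost"))
    for name in BROKER_PLUGINS:
        cfg = plugins.get(name)
        if cfg is None:
            continue
        if lookup(cfg, "broker.port", 8675) != mqtt_port:
            out.append(("HIGH", f"{name} broker.port does not match MqttBrokerSettings.Port"))
        if lookup(cfg, "broker.host", "127.0.0.1") not in LOOPBACK:
            out.append(("MEDIUM", f"{name} broker.host is not the local broker"))
    policy = plugins.get("KeeperPolicy", {})
    if lookup(policy, "system.service.https_port", 6889) != https_port:
        out.append(("HIGH", "KeeperPolicy system.service.https_port does not match KestrelHttpsPort"))
    url = lookup(plugins.get("KeeperApi", {}), "api.base_url")
    if url is not None and urlparse(url).scheme != "https":
        out.append(("HIGH", f"KeeperApi api.base_url={url!r} is not HTTPS"))
    logger = plugins.get("KeeperLogger", {})
    if lookup(logger, "logToHttpEndpoint", False) and not lookup(logger, "loggingHttpEndpoint", ""):
        out.append(("MEDIUM", "KeeperLogger logToHttpEndpoint is true but loggingHttpEndpoint is empty"))
    level = lookup(logger, "log.level")
    if level is not None and level not in LEVELS:
        out.append(("MEDIUM", f"KeeperLogger log.level={level!r} is not a valid level"))
    elif level in ("Debug", "Trace"):
        out.append(("INFO", f"KeeperLogger log.level={level!r} is not a production level"))
    return out

# Constructed sample data with deliberate misconfigurations.
APPSETTINGS = {"Settings": {"KestrelHttpPort": 6888, "KestrelHttpsPort": 7443},
               "MqttBrokerSettings": {"IpAddress": "0.0.0.0", "Port": 8675}}
PLUGINS = {
    "KeeperPolicy": {"broker.host": "127.0.0.1", "broker.port": 8676},  # flat keys
    "KeeperApi": {"broker": {"port": 8675}, "api": {"base_url": "http://keeper.example"}},
    "KeeperLogger": {"logToHttpEndpoint": True, "loggingHttpEndpoint": "", "log.level": "Debug"},
}

if __name__ == "__main__":
    for severity, message in audit(APPSETTINGS, PLUGINS):
        print(f"[{severity}] {message}")
```

To run it against a real installation, load `appsettings.json` and each `Plugins/{PluginName}.json` with `json.load` and pass them in place of the constructed dictionaries.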
