Plugin & Task Settings

Audience: IT admins. This page documents settings for each plugin and, where applicable, tasks that use them. For each setting we state how it is used, type, default, and appropriate values. Settings can be stored in the plugin JSON file (Plugins/{PluginName}.json) or in unified storage; at runtime, unified storage takes precedence until reverted.
How settings are applied
Plugin JSON: Each plugin has a JSON file under Plugins/ (e.g. Plugins/KeeperPolicy.json). Settings can appear in the root or under metadata. Editing the file and restarting the plugin (or reverting from JSON) applies them.
Unified storage: The product can store plugin settings in unified storage. Those values override the plugin JSON until you run Revert (e.g. POST /api/PluginSettings/{pluginName}/revert or revert-all).
Pushing config: A SettingsUpdate configuration policy can write the full plugin JSON to disk; then Process Configuration Policies runs the configuration processor. After that, use Revert if you want runtime storage to match the new file, and restart the plugin if needed.
API: You can read settings with GET /api/PluginSettings/{pluginName} or GET /api/PluginSettings/{pluginName}/{settingName} and update with PUT /api/PluginSettings/{pluginName}/{settingName} (Admin). Value format is JSON (e.g. a string, number, or boolean).
Global (application) Settings
These live in appsettings.json under the Settings section and apply to the whole service. Only the main settings that admins commonly change are listed here.

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| KestrelHttpPort | integer | 6888 | HTTP port for the management API (localhost only). | 1024–65535; must be free on the machine. |
| KestrelHttpsPort | integer | 6889 | HTTPS port for the management API (localhost only). | 1024–65535; must be free. |
| system.logging.level | string | "Warning" | Minimum log level for the main service / KeeperLogger when used as fallback. | "Critical", "Error", "Warning", "Information", "Debug", "Trace". Production: "Warning" or "Information"; troubleshooting: "Debug". |
| RepositoryPath | string | "KeeperStorage" | Directory for system configuration storage. | Valid path; can use path variables (e.g. {approot}/KeeperStorage). |
| PluginPath | string | "Plugins" | Directory containing plugin JSON and executables. | Valid path; can use path variables. |
| ServiceName | string | "KeeperPrivilegeManager" | Windows service display name. | Any non-empty string. |
| MaintainKeeperAccount | boolean | false | When true (Windows), the ephemeral KeeperUserSession account is maintained across service restarts (for hybrid Azure AD + Intune). | true or false. |

MQTT broker (in MqttBrokerSettings):
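
| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| IpAddress | string | "127.0.0.1" | MQTT broker bind address. | "127.0.0.1" or "localhost" (must stay localhost for security). |
| Port | integer | 8675 | MQTT broker port. | 1024–65535; must be free. |
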
KeeperPolicy Plugin
Config file: Plugins/KeeperPolicy.json
Settings are read at plugin startup and used for MQTT connection, API calls, and policy behavior.

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| broker.host | string | "127.0.0.1" | MQTT broker hostname the plugin connects to. | Hostname or IP of the local MQTT broker (typically 127.0.0.1). |
| broker.port | integer | 8675 | MQTT broker port. | 1024–65535; must match MqttBrokerSettings.Port. |
| subscription.topic | string | "KeeperPolicy" | Primary MQTT topic the plugin subscribes to for policy requests. | Non-empty topic name (e.g. "KeeperPolicy"). |
| subscription.topics | string | (varies) | Comma-separated list of additional MQTT topics to subscribe to. | Comma-separated topic names; primary topic is usually included. |
| system.service.https_port | integer | 6889 | HTTPS port used for local API calls (e.g. custom filter, job trigger). | Same as KestrelHttpsPort (typically 6889). |
| customfilter.timeout_seconds | integer | 30 | Timeout in seconds for HTTP calls to custom filter jobs. | Positive integer (e.g. 15–60). |
| ratelimit.max_requests_per_minute | integer | 100 | Maximum policy evaluation requests per minute per source (rate limit). | Positive integer; increase if legitimate traffic is throttled. |
| metadata.admin.enforce_policies_for_administrators | boolean | false | When no policy matches a privilege-elevation (or other) request: if the user is an administrator, false = allow (OS default); true = deny. | false (default): admins are not subject to “no policy = deny” for elevation. true: admins are subject to the same deny when no policy matches. |

KeeperAPI Plugin
Config file: Plugins/KeeperApi.json
Used for communication with the Keeper backend (registration, policy sync, audit).

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| broker.host | string | "127.0.0.1" | MQTT broker hostname. | 127.0.0.1 or localhost. |
| broker.port | integer | 8675 | MQTT broker port. | Same as MqttBrokerSettings.Port. |
| api.base_url | string | (from env or default) | Base URL for the Keeper backend API. | Full HTTPS URL of the Keeper API (e.g. "https://api.keepersecurity.com"). |
| sync.interval_minutes | integer | (varies) | Interval in minutes between policy/settings sync from the backend. | Positive integer (e.g. 15–60). |

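The cross-file constraints stated in the Global, KeeperPolicy and KeeperAPI settings above (broker stays on localhost, ports in 1024–65535, plugin broker.port matches MqttBrokerSettings.Port, system.service.https_port matches KestrelHttpsPort, api.base_url is HTTPS) can be checked before a config push. This is an added example, not Keeper's own code; it assumes MqttBrokerSettings is a top-level section of appsettings.json and that a setting may be stored either as a flat dotted key or as a nested object, in the root or under metadata. The sample data is constructed.

```python
LOCAL = {"127.0.0.1", "localhost"}

def lookup(cfg, dotted, default=None):
    """Resolve a setting from the root or "metadata", as a flat key or nested path."""
    short = dotted[9:] if dotted.startswith("metadata.") else dotted
    for root in (cfg, cfg.get("metadata") or {}):
        for key in (dotted, short):
            node = root.get(key)
            if node is None:
                node = root
                for part in key.split("."):
                    node = node.get(part) if isinstance(node, dict) else None
            if node is not None:
                return node
    return default

def audit(app, plugins):
    """Return findings for the documented constraints; an empty list means all hold."""
    settings = app.get("Settings", {})
    mqtt = {"IpAddress": "127.0.0.1", "Port": 8675, **app.get("MqttBrokerSettings", {})}
    ports = {"KestrelHttpPort": settings.get("KestrelHttpPort", 6888),
             "KestrelHttpsPort": settings.get("KestrelHttpsPort", 6889),
             "MqttBrokerSettings.Port": mqtt["Port"]}
    out = [f"{k}={v!r} is outside 1024-65535" for k, v in ports.items()
           if type(v) is not int or not 1024 <= v <= 65535]
    if mqtt["IpAddress"] not in LOCAL:
        out.append("MqttBrokerSettings.IpAddress is not localhost")
    for name, cfg in plugins.items():
        if lookup(cfg, "broker.host", "127.0.0.1") not in LOCAL:
            out.append(f"{name}: broker.host is not the local broker")
        if lookup(cfg, "broker.port", 8675) != mqtt["Port"]:
            out.append(f"{name}: broker.port differs from MqttBrokerSettings.Port")
    policy, api = plugins.get("KeeperPolicy", {}), plugins.get("KeeperApi", {})
    if lookup(policy, "system.service.https_port", 6889) != ports["KestrelHttpsPort"]:
        out.append("KeeperPolicy: system.service.https_port differs from KestrelHttpsPort")
    url = lookup(api, "api.base_url")
    if url is not None and not str(url).lower().startswith("https://"):
        out.append("KeeperApi: api.base_url is not HTTPS")
    return out

# Constructed sample contents of appsettings.json and two plugin JSON files.
APP = {"Settings": {"KestrelHttpsPort": 6889},
       "MqttBrokerSettings": {"IpAddress": "0.0.0.0", "Port": 8675}}
PLUGINS = {
    "KeeperPolicy": {"broker.host": "127.0.0.1", "broker.port": 1883},
    "KeeperApi": {"broker": {"host": "localhost", "port": 8675},
                  "api.base_url": "http://api.example.test"},
}
FINDINGS = audit(APP, PLUGINS)
```

Load the real files with json.load and pass them in place of APP and PLUGINS; settings held in unified storage are not covered, because the check only sees what is on disk.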
KeeperLogger Plugin
Config file: Plugins/KeeperLogger.json
Controls where and how log messages are written (file, HTTP endpoint, retention, size).

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| logToFile | boolean | true | When true, log messages are written to a file. | true or false. |
| logFileName | string | "Log/KeeperLogger.log" | Path (relative to plugin working dir or absolute) for the log file. Can use path variables. | Valid path; e.g. "Log/KeeperLogger.log" or "{approot}/Log/KeeperLogger.log". |
| maxFileSizeMB | number | 100 | Maximum size in MB of the log file before rotation. | Positive number (e.g. 50–500). |
| logRetentionDays | integer | 15 | Number of days to keep rotated log files before deletion. | Positive integer (e.g. 7–90). |
| logToHttpEndpoint | boolean | false | When true, log messages are also sent to an HTTP endpoint. | true or false. |
| loggingHttpEndpoint | string | "" | URL to post log messages to when logToHttpEndpoint is true. | Full HTTP/HTTPS URL or empty. |
| log.level | string | (varies) | Minimum level for messages written to file or HTTP. | "Critical", "Error", "Warning", "Information", "Debug", "Trace". Production: "Warning" or "Information"; troubleshooting: "Debug". |

RedirectEvaluator Plugin (redirect capability)
Config file: Plugins/RedirectEvaluator.json
Redirect settings control whether the LaunchPrivilegeElevation job substitutes a different executable when a rule matches (e.g. ncpa.cpl → Keeper.NetworkConnections). See Reference: Redirect for the full flow.

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| metadata.redirect.enabled | boolean | true/false (configurable) | When true, the LaunchPrivilegeElevation job runs the check-redirect task and evaluates metadata.redirect.rules. When a rule matches, the caller gets DENY and the targetExe is launched elevated. When false, check-redirect is skipped and the requested exe is launched (or denied) as per normal flow. | true: redirect on. false: redirect off, normal launch-elevated only. |
| metadata.redirect.rules | array | [] or rule list | List of redirect rules. First matching rule wins. Each rule has sourceExePattern, commandLinePattern, elevationOnly, nonAdminOnly, targetExe, targetArguments. | Array of rule objects; see Reference: Redirect. Leave [] if no redirects desired. |
| metadata.redirect.rulesPath | string | (optional) | If supported, path to a file containing redirect rules (alternative to inline rules). | Valid file path or empty. |

Redirect rule fields (each object in metadata.redirect.rules):

| Field | Type | How it is used | Appropriate values |
|---|---|---|---|
| sourceExePattern | string (regex) | Matched against the executable name of the elevation request (e.g. rundll32.exe). Case-insensitive. | Regex; use \\. for literal dot (e.g. "rundll32\.exe"). |
| commandLinePattern | string (regex) | Matched against the full command line. Acts as “contains.” Case-insensitive. | Regex; e.g. "ncpa\.cpl" for ncpa.cpl. |
| elevationOnly | boolean | If true, rule applies only to Privilege Elevation events. | true for typical redirects. |
| nonAdminOnly | boolean | If true, rule applies only when the requesting user is not an administrator. | true to redirect only standard users; false to redirect admins too. |
| targetExe | string | Plugin ID or executable name of the substitute (resolved from Jobs/bin or Plugins/bin). | e.g. "Keeper.NetworkConnections"; must be deployed. |
| targetArguments | string | Command-line arguments for the substitute executable. | Any string; often "". |

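The rule semantics described above (first matching rule wins, case-insensitive regex, elevationOnly and nonAdminOnly gating) can be modelled to review a rule list before deploying it. This is an added example, not the RedirectEvaluator's code; it assumes sourceExePattern uses the same search ("contains") matching as commandLinePattern, and the second rule's targetExe is a hypothetical name. Patterns are written as Python raw strings; in the JSON file each backslash is doubled.

```python
import re

# Constructed rules using the documented field names. The second
# targetExe is hypothetical, not a real Keeper component.
RULES = [
    {"sourceExePattern": r"rundll32\.exe", "commandLinePattern": r"ncpa\.cpl",
     "elevationOnly": True, "nonAdminOnly": True,
     "targetExe": "Keeper.NetworkConnections", "targetArguments": ""},
    {"sourceExePattern": r"rundll32\.exe", "commandLinePattern": r"\.cpl",
     "elevationOnly": True, "nonAdminOnly": True,
     "targetExe": "Example.ControlPanelHelper", "targetArguments": ""},
]

def first_match(rules, exe, cmdline, is_elevation, is_admin, enabled=True):
    """Return the first rule that applies, or None (redirect off or no match)."""
    if not enabled:  # metadata.redirect.enabled = false skips evaluation
        return None
    for rule in rules:
        if rule.get("elevationOnly") and not is_elevation:
            continue
        if rule.get("nonAdminOnly") and is_admin:
            continue
        if (re.search(rule["sourceExePattern"], exe, re.IGNORECASE)
                and re.search(rule["commandLinePattern"], cmdline, re.IGNORECASE)):
            return rule
    return None

def lint(rules):
    """Flag patterns that fail to compile or contain an unescaped '.' (heuristic)."""
    warnings = []
    for i, rule in enumerate(rules):
        for field in ("sourceExePattern", "commandLinePattern"):
            pattern = rule.get(field, "")
            try:
                re.compile(pattern)
            except re.error as exc:
                warnings.append((i, field, f"invalid regex: {exc}"))
                continue
            if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
                warnings.append((i, field, "unescaped '.' matches any character"))
    return warnings
```

Swapping the two rules sends the ncpa.cpl request to the broader `\.cpl` rule instead, which is why the narrower rule has to come first.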
KeeperClient Plugin
Config file: Plugins/KeeperClient.json
System tray client: notifications, menu, health check. Many options are in metadata (e.g. menu items, UI behavior).

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| broker.host | string | "127.0.0.1" | MQTT broker hostname. | 127.0.0.1. |
| broker.port | integer | 8675 | MQTT broker port. | Same as broker. |
| metadata.menu.refreshIntervalMinutes | integer | 5 | How often the tray menu is refreshed from the API. | Positive integer (e.g. 1–30). |
| metadata.menu.autoRefresh | boolean | true | Whether the menu refreshes automatically on a timer. | true or false. |
| metadata.LanguageOverride | string | "DEFAULT" | Override UI language. | "DEFAULT" or a valid culture code (e.g. "en-US"). |
| metadata.showInTray | boolean | true | Whether to show an icon in the system tray. | true or false. |

keeperAgent Plugin
Config file: Plugins/keeperAgent.json
Standalone UI for managing privilege elevation and file access requests (approvals, history).

| Setting | Type | Default | How it is used | Appropriate values |
|---|---|---|---|---|
| approvalExpirationHours | integer | 72 | Hours after which a pending approval request expires. | Positive integer (e.g. 24–168). |
| approvedRequestExpirationHours | integer | 24 | Hours after which an approved (granted) request expires and can no longer be launched. | Positive integer (e.g. 1–72). |
| historyRetentionDays | integer | 30 | Number of days to keep history items in the UI. | Positive integer (e.g. 7–90). |
| maxPayloadSizeBytes | integer | 1048576 | Maximum payload size for messages (1 MB). | Positive integer. |
| maxRequestItems | integer | 20 | Maximum number of pending request items to show. | Positive integer. |
| maxHistoryItems | integer | 20 | Maximum number of history items to show. | Positive integer. |
| maxExceptionMessageLength | integer | 500 | Maximum length of exception messages displayed. | Positive integer. |

Tasks That Use Plugin Settings
Some job tasks read plugin settings to decide behavior. Documented here so you know which settings affect which tasks.

| Job | Task | Plugin: setting | Effect |
|---|---|---|---|
| LaunchPrivilegeElevation | check-redirect | RedirectEvaluator: metadata.redirect.enabled | When true, the task runs the RedirectEvaluator executable and evaluates redirect rules; when false, the task is skipped and the job proceeds with normal launch-elevated (no redirect). |

Other policy-control jobs (e.g. privilege-elevation-policy-controls, default-policy-controls) use KeeperMfa, KeeperJustification, KeeperApproval as executables (task commands), not as plugins with settings you configure in this reference. Their behavior is driven by job parameters and policy, not by separate plugin setting tables.
Summary: Where to Configure

| Area | Where to configure | Notes |
|---|---|---|
| Global (ports, paths, system log level) | appsettings.json → Settings, MqttBrokerSettings | Restart service for port/path changes. |
| KeeperPolicy (broker, admin fallback, etc.) | Plugins/KeeperPolicy.json or PUT /api/PluginSettings/KeeperPolicy/{key} | Restart KeeperPolicy after change. |
| KeeperAPI (broker, API URL, sync) | Plugins/KeeperApi.json or PluginSettings API | Restart KeeperAPI after change. |
| KeeperLogger (file, retention, level) | Plugins/KeeperLogger.json or PluginSettings API | Restart Logger after change. |
| Redirect (enabled, rules) | Plugins/RedirectEvaluator.json or PluginSettings API | Restart not required for next evaluation; rule order matters. |
| KeeperClient (menu, tray) | Plugins/KeeperClient.json | Restart KeeperClient to apply. |
| keeperAgent (expiration, limits) | Plugins/keeperAgent.json | Restart keeperAgent to apply. |

After editing plugin JSON on disk, use POST /api/PluginSettings/{pluginName}/revert (or revert-all) to reload from file into unified storage if the product caches settings there, then restart the plugin so it picks up the new values. If the plugin is configured with autoRestart = true, stopping the plugin causes it to restart automatically.

