Setting up RBI
Setting up RBI in your Desktop Vault
Overview
In this guide, you will learn how to set up Remote Browser Isolation (RBI) in your Keeper Vault. RBI works from both the Web Vault and the Desktop App.
Prerequisites
Prior to configuring RBI, make sure to have the following:
Remote Browser Isolation Enforcement Policies
Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.

The following Enforcement Policies affect a user's permissions to use Remote Browser Isolation and need to be enabled:
Can configure remote browsing settings
Allow users to configure Remote Browser and session recording settings on PAM Remote Browsing and PAM Configuration Record Types.
Can launch remote browsing
Allow users to launch remote browsing on PAM Remote Browsing Record Types.
Can view RBI session recordings
Allow users to view RBI Session Recordings.
The above enforcement policies can also be enabled on the Keeper Commander CLI using the enterprise-role command:
Enforcement Policy Use Cases
If a user should only have access to launch RBI sessions and not to configure RBI settings, then only the "Can launch remote browsing" policy should be enabled for the user.
If, in addition to launching RBI sessions, a user should also have access to configure RBI settings, then the "Can configure remote browsing settings" and "Can launch remote browsing" policies should be enabled for the user.
To allow users to view RBI session recordings, the "Can configure remote browsing settings" policy should be enabled for the user.
Session Recordings
Launched RBI sessions can also be recorded. These recordings are available on the PAM Browser record types and can be played back in your Vault. For more details on session recording and playback, visit this page.
Installing the Keeper Gateway
The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that requires access.
For more details on installing and setting up your gateway, visit this page.
PAM Configuration
The PAM Configuration contains essential information about your target infrastructure, settings and Keeper Gateway. Setting up a PAM Configuration for your infrastructure is required. For more information on creating and configuring the PAM Configuration, visit this page.
PAM Remote Browser
When launching an RBI session, the Web and Desktop Vault Client will render a Chromium browser window with an established connection to the URL defined on the PAM Browser record. For more information on how to set up the PAM Browser Record, visit this page.
PAM Settings - Remote Browser Isolation
Accessing RBI Settings
After creating a PAM Browser Settings with the target URL, navigate to the PAM Settings by:
Editing the PAM Browser Record
Clicking on "Set Up" in the PAM Settings section

Configuring RBI Settings
After opening the PAM Settings screen, you can configure RBI for the record. The following table lists all the configurable fields for RBI:
PAM Configuration
Required. This is the PAM Configuration that defines the environment and Gateway being utilized.
Enable Remote Browser Isolation
Required. To enable RBI for this record, this toggle needs to be enabled.
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record. Required for KeeperAI.
Key Events
When enabled, the keyboard events will also be monitored and played back alongside the graphical session recording. Required for KeeperAI.
Allow navigation via direct URL manipulation
If checked, the user will be presented with a URL navigation bar.
Allow File Downloads
If checked, allow website file downloads through RBI to the local machine.
Allow File Uploads
If checked, allow website file uploads through RBI.
Ignore server certificate
If set, the Chromium browser will ignore an invalid certificate as long as the URL matches the exact domain that is set in the Record URL field.
Session Persistence
Session Persistence controls whether RBI sessions are temporary, user-specific or shared across users, determining how session data is retained and reused.
None - No session data is retained. Each session starts fresh with no stored cookies, local storage or history.
By User - Session data is retained for the individual user.
By Resource - A single shared session is maintained for the resource (RBI record) and reused across users. Only one active session is allowed at a time.
Detailed Information here
Allow URL Patterns
The patterns of all URLs that the user should be allowed to visit, regardless of whether via manual navigation (URL bar) or interacting with the current page. Multiple patterns may be specified, separated by newlines.
If specified, only pages matching patterns in the list are permitted.
By default, all URLs are permitted. Detailed Information here
Allow Resource URL Patterns
The patterns of all URLs that the page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines.
If specified, only resources matching patterns in the list are permitted to be loaded.
By default, no restrictions are imposed on resources loaded by pages. Detailed Information here
Browser Autofill - Credentials
RBI sessions launched from the Keeper Vault can autofill a username and password into a target website login screen. A vault record that is shared to a KSM application can be linked here. The credentials on this linked record will be autofilled in the target website login screen based on the autofill rules defined in the Autofill Targets section. Detailed Information here
Browser Autofill - Autofill Targets
This section contains the autofill rules, which are a JSON/YAML array of objects, where each object specifies an autofill rule. Detailed Information here
Can copy to clipboard
If enabled, text copied within the RBI session will be accessible by the user.
Can paste from clipboard
If enabled, the user can paste text from the clipboard within the connected RBI session.
File Upload and Download
Keeper Remote Browser Isolation (RBI) provides secure file transfer capabilities that allow users to move files between their local device and the isolated browser session.
Allow file uploads - When enabled, users can upload files from their local machine into the remote browser session. This includes support for drag-and-drop or standard file selection within the browser. Uploaded files are transferred securely into the isolated environment without exposing the local system to web-based threats.
Allow file downloads - When enabled, users can download files from the remote browser session to their local machine. Files retrieved from the isolated session are delivered securely to the user’s device.
These controls can be configured based on organizational security policies to restrict or allow file movement as needed.
Note: File transfer capabilities should be enabled based on risk tolerance, as allowing uploads or downloads may introduce data exfiltration or malware transfer considerations depending on the use case.
Session Persistence
By default, every new Remote Browser Isolation session runs in incognito mode, where no session data (such as cookies, local storage or browsing history) is retained after the session ends. This allows multiple users to run concurrent sessions without any persistence of data.
The Session Persistence setting controls how session data is retained:
None (Incognito mode) - No data is stored between sessions. Each session starts fresh and is completely isolated. This is the most secure option and is recommended for general use and untrusted browsing.
By User (session retained for current user) - Session data is preserved for the individual user. When the user reconnects, they can resume their previous session state (e.g., logged-in sessions, open tabs). Other users cannot access this session.
By Resource (shared session across users) - A single persistent session is shared across all users accessing the RBI resource. Only one active session is allowed at a time. This is useful for shared accounts or environments where continuity across users is required, but it should be used carefully due to shared access.
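The three modes can be read as three choices of storage key for the browser profile. The following is an added example, not Keeper's code; the class, method, user and resource names are hypothetical. It shows that under By Resource the next user inherits the previous user's signed-in state, while None and By User do not.

```python
# Illustrative model of the Session Persistence modes described above.
# Not Keeper's implementation: every name here is hypothetical.


class SessionBusy(Exception):
    """Raised when a By Resource profile already has an active session."""


class PersistenceModel:
    def __init__(self):
        self._profiles = {}   # persisted browser state, keyed per mode
        self._active = set()  # profile keys that currently have a live session

    def _key(self, mode, resource, user):
        if mode == "none":
            return None                      # incognito: nothing is persisted
        if mode == "by_user":
            return ("user", resource, user)  # one profile per user per record
        if mode == "by_resource":
            return ("resource", resource)    # one profile shared by everyone
        raise ValueError(f"unknown persistence mode: {mode}")

    def open(self, mode, resource, user):
        key = self._key(mode, resource, user)
        if key is None:
            return None, {"cookies": {}}     # fresh state, concurrency allowed
        if mode == "by_resource" and key in self._active:
            raise SessionBusy(f"{resource} already has an active session")
        self._active.add(key)
        return key, self._profiles.setdefault(key, {"cookies": {}})

    def close(self, key):
        self._active.discard(key)            # persisted state stays in _profiles


def demo():
    """Return the cookies bob sees after alice signed in, for each mode."""
    seen = {}
    for mode in ("none", "by_user", "by_resource"):
        model = PersistenceModel()
        key, state = model.open(mode, "billing-portal", "alice")
        state["cookies"]["sid"] = "alice-login"   # constructed sample value
        model.close(key)
        _, bob_state = model.open(mode, "billing-portal", "bob")
        seen[mode] = dict(bob_state["cookies"])
    return seen
```
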
Session Recordings - RBI

For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the Session Recording & Playback docs.
Workflow and RBI
Workflow (check-in/check-out) can be enabled on PAM Browser records to add approval controls and governance to web-based access.
When Workflow is applied to RBI sessions:
Users must request access before launching a session
Access can require approval from designated approvers
Sessions can be time-bound, ensuring access is automatically revoked after a defined period
All access is tracked for accountability and audit purposes
This ensures that access to sensitive web applications through RBI is controlled, monitored and aligned with organizational security policies.
To learn more, visit the following page:
Workflow
KeeperAI and RBI
KeeperAI can be enabled on Remote Browser Isolation (RBI) and PAM Browser records to provide AI-powered threat detection and session analysis.
When enabled, KeeperAI monitors browser sessions in real time and analyzes user activity to identify potential security risks. This includes detecting anomalous behavior, suspicious actions and indicators of compromise during web-based sessions.
To learn more, visit the following page:
KeeperAI

