# Setting up RBI

## Overview

In this guide, you will learn how to set up Remote Browser Isolation (RBI) in your Keeper Vault. RBI works from both the Web Vault and the Desktop App.

An active license is required in order to use the features available with KeeperPAM. This license is available for both business and enterprise customers.

* [KeeperPAM Homepage](https://www.keepersecurity.com/privileged-access-management/)
* [Request a Demo](https://www.keepersecurity.com/contact.html?t=b\&r=sales)
* [Contact Support](https://www.keepersecurity.com/support.html)

## Prerequisites

Prior to configuring RBI, make sure to have the following:

### Remote Browser Isolation Enforcement Policies

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under **Admin** > **Roles** > **Enforcement Policies** > **Privileged Access Manager**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FKAnz1MjmzRZ9uQpzqzOU%2FScreenshot%202025-01-21%20at%2011.58.04%E2%80%AFAM.png?alt=media&#x26;token=465c899b-3da2-45d5-a8eb-27445977eaa2" alt=""><figcaption><p>Remote Browser Isolation Policies</p></figcaption></figure>

The following enforcement policies affect a user's permission to use Remote Browser Isolation and need to be enabled:

<table><thead><tr><th width="196">Enforcement Policy</th><th width="274">Commander Enforcement Policy</th><th>Definition</th></tr></thead><tbody><tr><td>Can configure remote browsing settings</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_RBI
</code></pre></td><td>Allow users to configure Remote Browser and session recording settings on PAM Remote Browsing and PAM Configuration Record Types</td></tr><tr><td>Can launch remote browsing</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_RBI
</code></pre></td><td>Allow users to launch remote browsing on PAM Remote Browsing Record Types</td></tr><tr><td>Can view RBI session recordings</td><td><pre><code>ALLOW_VIEW_RBI_RECORDINGS
</code></pre></td><td>Allow users to view RBI Session Recordings.</td></tr></tbody></table>

The above enforcement policies can also be enabled on the [Keeper Commander CLI](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/secrets-manager-commands#overview) using the `enterprise-role` command:

```
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_VIEW_RBI_RECORDINGS":true
```

#### Enforcement Policy Use Cases

If a user should only be able to launch RBI sessions and not configure RBI settings, then only the "Can launch remote browsing" policy should be enabled for the user.

If, in addition to launching RBI sessions, a user should also be able to configure RBI settings, then both the "Can configure remote browsing settings" and "Can launch remote browsing" policies should be enabled for the user.

To allow users to view RBI session recordings, the "Can configure remote browsing settings" policy should be enabled for the user.

### Session Recordings

Launched RBI sessions can also be recorded. These recordings are available on the PAM Browser record types and can be played back in your Vault. For more details on session recording and playback, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback).

### Installing the Keeper Gateway

The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically, this service is installed in a Linux or Docker environment in each of the networks that require access.

For more details on installing and setting up your gateway, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways).

### PAM Configuration

The **PAM Configuration** contains essential information about your target infrastructure, settings, and [Keeper Gateway](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/gateways). Setting up a PAM Configuration for your infrastructure is **required**. For more information on creating and configuring the PAM Configuration, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-configuration).

### PAM Remote Browser

When an RBI session is launched, the Web and Desktop Vault clients render a Chromium browser window with an established connection to the URL defined on the PAM Browser record. For more information on how to set up the PAM Browser record, visit this [page](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-remote-browser).

## PAM Settings - Remote Browser Isolation

### **Accessing RBI Settings**

After creating a PAM Browser record with the target URL, navigate to the PAM Settings by:

1. Editing the PAM Browser Record
2. Clicking on "Set Up" in the PAM Settings section

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FiEJsSgghmWCLXbVLjbco%2FScreenshot%202025-03-28%20at%2012.13.25%E2%80%AFPM.png?alt=media&#x26;token=aea7060f-dea6-4cea-aa26-50953a099003" alt=""><figcaption><p>Remote Browser Isolation Settings</p></figcaption></figure>

### Configuring RBI Settings

After opening the PAM Settings screen, configure RBI using the fields listed in the following table:

<table><thead><tr><th width="295">Field</th><th>Definition</th></tr></thead><tbody><tr><td>PAM Configuration</td><td><p><strong>Required</strong></p><p>This is the PAM Configuration that defines the environment and Gateway being utilized.</p></td></tr><tr><td>Enable Connection</td><td><strong>Required</strong><br>To enable RBI for this record, this toggle needs to be enabled.</td></tr><tr><td>Graphical Session Recording</td><td>When enabled, graphical session recordings will be enabled for this record.</td></tr><tr><td>Include Key Events</td><td>When enabled, the keyboard events will also be monitored and played back alongside the graphical session recording.</td></tr><tr><td>Allow navigation via direct URL manipulation</td><td>If checked, the user will be presented with a URL navigation bar.</td></tr><tr><td>Ignore server certificate</td><td>If set, the Chromium browser will ignore an invalid certificate as long as the URL matches the exact domain that is set in the Record URL field.</td></tr><tr><td>Allow URL Patterns</td><td><p>The patterns of all URLs that the user should be allowed to visit, regardless of whether via manual navigation (URL bar) or interacting with the current page. Multiple patterns may be specified, separated by newlines.</p><p>If specified, only pages matching patterns in the list are permitted.<br></p><p>By default, all URLs are permitted.<br><br>Detailed Information <a href="url-patterns-and-resource-url-patterns#overview">here</a><br></p></td></tr><tr><td>Allow Resource URL Patterns</td><td><p>The patterns of all URLs that the page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines.<br></p><p>If specified, only resources matching patterns in the list are permitted to be loaded.<br></p><p>By default, no restrictions are imposed on resources loaded by pages.<br><br>Detailed Information <a href="url-patterns-and-resource-url-patterns#overview">here</a></p></td></tr><tr><td>Browser Autofill - Credentials</td><td>RBI sessions launched from the Keeper Vault provide the capability of autofilling a username and password into a target website login screen. A vault record that is shared to a KSM application can be linked here. The credentials on this linked record will be autofilled in the target website login screen based on the autofill rules defined in the Autofill Targets section.<br><br>Detailed Information <a href="setting-up-rbi/browser-autofill">here</a></td></tr><tr><td>Browser Autofill - Autofill Targets</td><td>This section will contain the autofill rules, which are a JSON/YAML array of objects, where each object contains an autofill rule.<br><br>Detailed Information <a href="setting-up-rbi/browser-autofill">here</a></td></tr><tr><td>Can copy to clipboard</td><td>If enabled, text copied within the RBI session will be accessible by the user.</td></tr><tr><td>Can paste from clipboard</td><td>If enabled, user can paste text from clipboard within the connected RBI session.</td></tr></tbody></table>
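A review pass over the fields in the table above, as an added example that is not Keeper's code. The dictionary keys are hypothetical names for the table's fields (not the vault record schema), the two sample records are constructed, and the pattern values are placeholders because the pattern syntax is documented on the linked page.

```python
# Added example; keys are hypothetical names for the table's fields, not Keeper's schema.
DEFAULTS = {
    "pam_configuration": "",
    "enable_connection": False,
    "graphical_session_recording": False,
    "include_key_events": False,
    "allow_url_bar": False,
    "ignore_server_certificate": False,
    "allow_url_patterns": "",           # newline-separated; empty = all URLs permitted
    "allow_resource_url_patterns": "",  # newline-separated; empty = no restriction
    "can_copy_to_clipboard": False,
    "can_paste_from_clipboard": False,
}

def patterns(value):
    # Split a newline-separated pattern field, ignoring blank lines.
    return [line.strip() for line in value.splitlines() if line.strip()]

def review(settings):
    """Return findings for one record's RBI settings, required fields first."""
    unknown = sorted(set(settings) - set(DEFAULTS))
    if unknown:
        raise ValueError(f"unknown fields: {unknown}")
    s = {**DEFAULTS, **settings}
    findings = []
    if not s["pam_configuration"]:
        findings.append("required: no PAM Configuration selected")
    if not s["enable_connection"]:
        findings.append("required: Enable Connection is off")
    if s["ignore_server_certificate"]:
        findings.append("invalid certificates are accepted for the Record URL domain")
    if not patterns(s["allow_url_patterns"]):
        how = "URL bar or page interaction" if s["allow_url_bar"] else "page interaction"
        findings.append(f"no Allow URL Patterns: any URL reachable via {how}")
    if not patterns(s["allow_resource_url_patterns"]):
        findings.append("no Allow Resource URL Patterns: pages may load any resource")
    if s["include_key_events"] and not s["graphical_session_recording"]:
        findings.append("Include Key Events set without Graphical Session Recording")
    if s["can_copy_to_clipboard"]:
        findings.append("text copied in the session is accessible to the user")
    return findings

# Constructed sample records: a permissive one and a locked-down one.
PERMISSIVE = {"pam_configuration": "Example PAM Config", "enable_connection": True,
              "allow_url_bar": True, "ignore_server_certificate": True,
              "include_key_events": True, "can_copy_to_clipboard": True}
LOCKED_DOWN = {"pam_configuration": "Example PAM Config", "enable_connection": True,
               "graphical_session_recording": True, "include_key_events": True,
               "allow_url_patterns": "<pattern for the record URL>\n",
               "allow_resource_url_patterns": "<pattern for the record URL>\n"}
```

`review(PERMISSIVE)` returns five findings and `review(LOCKED_DOWN)` returns none; which findings are acceptable for a given record is a policy decision for the reviewer.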

## Session Recordings - RBI

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FpcDZcca7LVVyiPGxwY3V%2FScreenshot%202025-01-21%20at%2012.14.54%E2%80%AFPM.png?alt=media&#x26;token=30d5539c-0f3c-4717-8468-a0c825604f23" alt=""><figcaption></figcaption></figure>

For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the [Session Recording & Playback](https://docs.keeper.io/en/keeperpam/privileged-access-manager/session-recording-and-playback) docs.
