Applying least privilege policies to your users and machines
Endpoint Privilege Manager can apply least privilege policies to applications, users and machines across the fleet of endpoints that run the Keeper agent. Policies can be applied to any collections in the tenant. The policy is customized by the Admin based on the organization's requirements.
Policies are applied based on:
Collection of resources
Policy Type
Controls
Attributes
The Policies screen displays all active enforcements in the tenant.
To create a new policy, click on "Create Policy" and complete the policy details form.
Important: Multiple policies can be applied simultaneously to the same device or user. When this happens, Keeper enforces all applicable policies with strict adherence to their requirements. In cases where policies have conflicting settings, Keeper automatically applies the most restrictive option, ensuring maximum security on the endpoint.
Keeper supports the following policy types:
Privilege Elevation: Manages requests for an administrative elevation.
Least Privilege: Removes local users from the admin role.
File Access: Controls access to executables and sensitive files.
Command Line: Controls sudo usage on Unix-based systems.
A policy can be applied in one of the following methods:
Monitor: Keeper takes no action and the user will not receive any notifications.
Monitor & Notify: Keeper takes no action, but the user will receive a notification that the event occurred.
Enforce: Keeper takes action on the policy and the user will be notified.
When a policy is enforced, the user must pass the controls defined in the policy. The options are:
Requires MFA: The user must use their assigned MFA device to prove their identity.
Requires approval: The user must wait until an assigned approver handles the request.
Requires Justification: The user must type an explanation of why they need the request approved.
If MFA is required, the user will be directed to sign up with a Keeper vault and set up a two-factor authentication method.
A policy affects only the users and devices which are specified in the policy filter section. This includes the following options:
User Groups: Select from the auto-generated or custom user group collections
Machines: Select from the auto-generated or custom machine collections
Applications: Select from the auto-generated or custom application collections
Date and Time Window: Apply the policy only within the specific date range, days of the week and time of day. This allows you to create more restrictive policies outside of work hours, for example.
Policies can be edited in the user interface in a basic or advanced mode. The advanced mode of the policy editor allows the admin to edit the policy definition directly in JSON syntax.
From the main dashboard, elevation and access events can be easily converted into new policies or added to existing policies. Select the events and then click "+ Add to Policy". Choose the policy the events should be added to, or create a new policy.
Keeper allows you to set any number of approvers in a policy for a given elevation request. After a set amount of time, the request can be escalated to a designated admin. Approvals will expire after a set amount of time.
Policies are pushed and applied across the fleet of endpoints within 30 minutes.
Policies created by the Keeper Admin are pushed to the end-user devices and cached locally. Policies are then evaluated on the device while offline.
If justification is required, the user's justification message is cached locally while offline and sent to the server once the agent is online again. If the policy only requires justification, execution is permitted while offline.
If MFA is required, the user will be able to execute the action only when online.
If approval is required, the user can initiate the approval only when online.
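The conflict rule above (the most restrictive of several applicable policies wins) and the offline rules for the three controls can be modelled in a few lines. This is an added illustration, not Keeper's own code or policy format; the policy fields, the mode ordering and the outcome strings are assumptions made for the model.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional

# Enforcement modes ordered least to most restrictive (assumed ordering for this model)
MODES = ["Monitor", "Monitor & Notify", "Enforce"]


@dataclass(frozen=True)
class Policy:
    name: str
    mode: str
    controls: FrozenSet[str] = frozenset()          # subset of {"MFA", "Approval", "Justification"}
    machines: FrozenSet[str] = frozenset()          # empty means "All Machines" (assumption)
    weekdays: FrozenSet[int] = frozenset(range(7))  # 0 = Monday
    hours: tuple = (0, 24)                          # [start, end) hour of day window

    def applies(self, machine: str, when: datetime) -> bool:
        in_scope = not self.machines or machine in self.machines
        in_window = when.weekday() in self.weekdays and self.hours[0] <= when.hour < self.hours[1]
        return in_scope and in_window


def effective_policy(policies, machine: str, when: datetime) -> Optional[Policy]:
    """Merge every applicable policy: most restrictive mode wins, controls are unioned."""
    applicable = [p for p in policies if p.applies(machine, when)]
    if not applicable:
        return None
    mode = max((p.mode for p in applicable), key=MODES.index)
    controls = frozenset().union(*(p.controls for p in applicable))
    return Policy("effective", mode, controls)


def decide(policy: Optional[Policy], online: bool) -> str:
    """Outcome of an elevation/access attempt under the merged policy."""
    if policy is None or policy.mode != "Enforce":
        return "allow"                      # Monitor modes take no action on the endpoint
    required = set(policy.controls)
    if not required:
        return "allow"                      # nothing to satisfy (assumption for the model)
    if online:
        return "challenge:" + ",".join(sorted(required))  # controls checked against the server
    if required <= {"Justification"}:
        return "allow_offline"              # justification is cached and synced later
    return "deny_offline"                   # MFA and approval need connectivity


# Constructed sample: a tenant-wide notify policy plus a stricter after-hours policy on one host
SAMPLE = [
    Policy("notify-all", "Monitor & Notify", frozenset({"Justification"})),
    Policy("after-hours", "Enforce", frozenset({"Approval"}), machines=frozenset({"WIN-01"}), hours=(18, 24)),
]
```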
Keeper Commander supports Deployment and Collection management through our command-line interface and Python SDK.
The pedm policy command provides management over policy generation.
Set up a few policies by example, or learn about managing requests.
Example policies that can be enforced in Endpoint Privilege Manager with step-by-step guidance
In this example, we will require approval to access a protected file called "netlogon.inf" on all Windows machines.
From the Policy tab, click on Create Policy and select:
Policy Type: File Access
Status: Enforce
Add Control: Select MFA, Justification or Approval
User Groups: Select the users or groups affected, or All Users and Groups
Machines: Select which machines to apply the policy, or All Machines
Applications: Select the "Protected Files" collection as defined above.
To require approval by an admin for accessing the file resource, select "Requires Approval" and then select the approver(s).
After saving the policy, it will apply to all affected machines within a few minutes.