Policies

Applying least privilege policies to your users and machines

Policy Overview

Privilege Manager can apply least privilege policies to users and machines across the fleet of endpoints that are running the Keeper agent. Policies are applied to collections, and each policy is customized by the Admin to your organization's requirements.

Policies

Create a Policy

To create a new policy, click on "Create Policy" and complete the policy details form.

Important: Multiple policies can be applied simultaneously to the same device or user. When this happens, Keeper enforces all applicable policies with strict adherence to their requirements. In cases where policies have conflicting settings, Keeper automatically applies the most restrictive option, ensuring maximum security on the endpoint.

[Screenshot: Create Policy]

Policy Type

Keeper supports the following policy types:

  • Privilege Elevation: Manages requests for an administrative elevation.

  • Least Privilege: Removes local users from the admin role.

  • File Access: Controls access to executables and sensitive files.

Policy Status

A policy can be applied in one of the following methods:

  • Monitor: Keeper takes no action, and the user does not receive any notification.

  • Monitor & Notify: Keeper takes no action, but the user receives a notification that the event occurred.

  • Enforce: Keeper takes action on the policy, and the user is notified.

Policy Controls

When a policy is enforced, the user must pass the controls defined in the policy. The options are:

  • Requires MFA: The user must use their assigned MFA device to prove their identity.

  • Requires approval: The user must wait until an assigned approver handles the request.

  • Requires Justification: The user must type an explanation of why they need the request approved.

If MFA is required, the user will be directed to sign up with a Keeper vault and set up a two-factor authentication method.

Policy Filters

A policy affects only the users and devices which are specified in the policy filter section. This includes the following options:

  • User Groups: Select from the auto-generated or custom user group collections.

  • Machines: Select from the auto-generated or custom machine collections.

  • Applications: Select from the auto-generated or custom application collections.

  • Date and Time Window: Apply the policy only within the specific date range, days of the week and time of day. This allows you to create more restrictive policies outside of work hours, for example.
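The two rules above, "the most restrictive option wins when several policies apply" and "a policy affects only the users, machines, applications and time windows named in its filters", are easy to get wrong when reasoning about what an endpoint will actually do. The following Python model is an added example, not Keeper's code and not its JSON policy schema: the field names, the filter semantics (a filter left as None matches anything) and the status ranking monitor < monitor & notify < enforce are assumptions made for illustration. It evaluates constructed elevation requests against a constructed, locally cached policy set and returns the effective status plus the union of required controls.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Sequence

# Least to most restrictive (assumed ranking of the three statuses on the page).
STATUS_RANK = {"monitor": 0, "monitor_notify": 1, "enforce": 2}


@dataclass(frozen=True)
class TimeWindow:
    """Date range plus days of week and hours of day (assumed field layout)."""
    start: datetime
    end: datetime                  # exclusive
    weekdays: FrozenSet[int]       # 0 = Monday ... 6 = Sunday
    start_hour: int
    end_hour: int                  # exclusive

    def contains(self, when: datetime) -> bool:
        return (self.start <= when < self.end
                and when.weekday() in self.weekdays
                and self.start_hour <= when.hour < self.end_hour)


@dataclass(frozen=True)
class Policy:
    name: str
    status: str                    # "monitor" | "monitor_notify" | "enforce"
    controls: FrozenSet[str]       # subset of {"mfa", "approval", "justification"}
    # Filters: None means "not filtered on this dimension" (assumption).
    user_groups: Optional[FrozenSet[str]] = None
    machines: Optional[FrozenSet[str]] = None
    applications: Optional[FrozenSet[str]] = None
    window: Optional[TimeWindow] = None


@dataclass(frozen=True)
class Request:
    user_groups: FrozenSet[str]
    machine: str
    application: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    status: str
    controls: FrozenSet[str]
    sources: tuple                 # names of the policies that matched


def policy_matches(policy: Policy, req: Request) -> bool:
    """Every filter the policy sets must match the request."""
    if policy.user_groups is not None and not (policy.user_groups & req.user_groups):
        return False
    if policy.machines is not None and req.machine not in policy.machines:
        return False
    if policy.applications is not None and req.application not in policy.applications:
        return False
    if policy.window is not None and not policy.window.contains(req.when):
        return False
    return True


def effective_policy(policies: Sequence[Policy], req: Request) -> Optional[Decision]:
    """Combine all matching policies: most restrictive status, union of controls."""
    matched = [p for p in policies if policy_matches(p, req)]
    if not matched:
        return None
    status = max((p.status for p in matched), key=STATUS_RANK.__getitem__)
    controls = frozenset().union(*(p.controls for p in matched))
    return Decision(status, controls, tuple(p.name for p in matched))


YEAR_2024 = (datetime(2024, 1, 1), datetime(2025, 1, 1))

# Constructed sample policy set, standing in for the policies cached on a device.
SAMPLE_POLICIES = (
    Policy("monitor-all", "monitor", frozenset()),
    Policy("dev-business-hours", "enforce", frozenset({"justification"}),
           user_groups=frozenset({"developers"}),
           window=TimeWindow(*YEAR_2024, frozenset(range(5)), 9, 18)),
    Policy("dev-after-hours", "enforce", frozenset({"mfa", "approval"}),
           user_groups=frozenset({"developers"}),
           window=TimeWindow(*YEAR_2024, frozenset(range(7)), 18, 24)),
    Policy("build-server-notify", "monitor_notify", frozenset(),
           machines=frozenset({"build-01"})),
)


def demo(policies: Sequence[Policy] = SAMPLE_POLICIES) -> dict:
    """Evaluate three constructed elevation requests against the cached policies."""
    tuesday = datetime(2024, 6, 4)  # a weekday
    scenarios = {
        "dev_daytime": Request(frozenset({"developers"}), "dev-laptop-7", "sudo",
                               tuesday.replace(hour=10, minute=30)),
        "dev_evening": Request(frozenset({"developers"}), "dev-laptop-7", "sudo",
                               tuesday.replace(hour=20, minute=15)),
        "finance_on_build_server": Request(frozenset({"finance"}), "build-01", "sudo",
                                           tuesday.replace(hour=10, minute=30)),
    }
    return {name: effective_policy(policies, req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.status}, controls={sorted(decision.controls)}, "
              f"from={decision.sources}")
```

Note how the developer's evening request is caught by the broad "monitor-all" policy and the after-hours policy together: the status escalates to enforce, and the user must satisfy both MFA and approval, which is exactly the "most restrictive option" behaviour the page describes. Reviewing which policies ended up in `sources` is the quickest way to explain an unexpected prompt on an endpoint.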

Policy Editor

Policies can be edited in the user interface in a basic or advanced mode. The advanced mode allows editing of the JSON policy definition.

[Screenshot: Policy Editor]

Advanced Policy Editor

The Advanced mode of the policy editor allows the admin to manage the policy directly with JSON syntax.

[Screenshot: Advanced Policy Editor]

Converting Events to Policy

From the main dashboard, elevation and access events can be easily converted into new policies or added to existing policies. Select the events and then click "+ Add to Policy". Choose the policy to which the events should be added, or create a new policy.

[Screenshot: Add Events to Policy]

Approval Settings

Keeper allows you to set any number of approvers in a policy for a given elevation request. After a set amount of time, the request can be escalated to a designated admin. Approvals expire after a set amount of time.

Policy Timing

Policies are pushed and applied across the fleet of endpoints within 30 minutes.

Offline Access

Policies created by the Keeper Admin are pushed to the end-user devices and cached locally. Policies are then evaluated on the device while offline.

Commander CLI

Keeper Commander supports Deployment and Collection management through our command-line interface and Python SDK.

Policy Management

The pedm policy command is used to create and manage PEDM policies.

My Vault> pedm policy -h
pedm command [--options]

Command    Description
---------  ----------------------------
list       List PEDM policies
add        Add PEDM policy
edit       Edit PEDM policy
view       View PEDM policy
assign     Assign collections to policy
delete     Delete PEDM policy
