Enforcement Policies

Role Enforcement Policies


Keeper role enforcement policies provide fine-grained control over the security and functionality of your Keeper environment.

Login Settings

Allow SSO Master Password

This option, which we also refer to as "Alternate Master Password", provides SSO-activated users a way to alternatively login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI.

Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Web Vault, Browser Extension and Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator in the role policy and then configured by the user. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated.

Once this policy is activated, each user can follow the below steps to activate their Alternate Master Password:

  1. Login to the Web Vault using SSO

  2. Visit the Settings screen and then click "Setup" or "Edit" to set the Master Password.

  3. Once set, the user can login to Keeper Web Vault by visiting the "Enterprise SSO Login" > "Master Password" screen.

The Master Password login feature for SSO users is only available on the Web Vault, Desktop App, Browser Extension and Commander CLI.

Master Password Complexity

Master Password Complexity policy enforces a password complexity for users that are assigned the selected role. This policy only applies to users who login with a master password.

Settings include:

  • Password length

  • Number of digits

  • Number of special characters

  • Number of uppercase letters

  • Number of lowercase letters

Important Note about Master Password Complexity and Default Role

When users are initially creating their vault, Keeper looks at all of the Default Roles within the Keeper Enterprise console in order to enforce master complexity rules. Keeper decides the Master Password complexity rules based on the largest value of each Default Role.

Once the account is created, Keeper will use the role assigned to the user to ensure Master Password complexity requirements are enforced on an ongoing basis.

When creating the Keeper Vault, the user will be required to adhere to the complexity requirements.

Master Password Expiration

The Master Password Expiration policy will require users to change the Master Password at the selected time interval (in days). When this policy is turned on, the Master Password will expire and the user will be forced to choose a new Master Password upon their next login. To configure the number of days that the Master Password must be changed, select this setting and make a selection between 10 to 150 days.

This feature does not affect users who login with SSO Connect Cloud.

If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select the Expire Master Password for all users. This will instantly expire a user's Master Password and require a password reset.


Keeper natively supports Windows Hello, Touch ID, Face ID and Android biometrics. Customers who normally login to their Keeper Vault using a Master Password or Enterprise SSO Login can also login to their devices using a biometric. Offline access can also be achieved with a biometric for both Master Password and SSO-enabled users unless the "Restrict offline access" enforcement is applied.

Keeper does not store or process biometric data of users. Keeper integrates with the existing biometrics capabilities of the operating system.

Two Factor Authentication (2FA)

Turning on the Two-Factor Authentication policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

  • If 2FA is enforced, the user will be prompted to set up 2FA upon account creation or login

  • If 2FA is enforced, it cannot be disabled by the user, but they can "Edit" and re-configure their 2FA

  • In addition to enforcing 2FA, the Admin can also specify how often users are prompted to re-authenticate with a new code.

  • Admin can disable a user's 2FA temporarily from the User detail screen in the Admin Console

Note that 2FA is always enforced on the Keeper servers once it has been configured for a user, no matter how often the user is prompted for a code. When a user has authenticated with a 2FA code, a token is generated on the device which is used for subsequent communication to the backend system.

On the user's device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.

In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.

Keeper supports the following 2FA methods:

  • FIDO2 WebAuthn Security Keys (supports PIN verification)

  • TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)

  • Smartwatch (Apple Watch or Android Wear)

  • RSA SecurID

  • Duo Security

  • Text Message (SMS)

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

2FA and Device Approval

Keeper's advanced authentication system provides a built-in device verification that provides a second factor via email confirmation when attempting to login on an unrecognized device. If a user has configured 2FA, it can also be used as a method of device approval instead of email (for example, if email access is not possible).

Device Approval with a 2FA code is only possible with accounts that login with a Master Password. Users who login with SSO on a new device are required to use Keeper Push, Admin Approval or Keeper Automator approval methods.

Platform Restriction

An Admin can restrict the use of specific platforms to access Keeper including the Web Vault, Browser Extensions, Mobile app, Desktop app, Commander SDK and KeeperChat.

Vault Features

An Admin can prevent users in a role from using standard features in the Vault. Each individual policy is described below.

Disable in-app onboarding

Turning this on will prevent the "Quick Start" module from appearing in users' vaults when they login in for the first time.

The in-app onboarding flow will adapt to the policies set by the Keeper Administrator:

  • If importing is not allowed, this option will be hidden

  • If Browser Extension is not allowed, this option will be hidden

  • If account recovery is disabled, this option will be hidden

  • If Quick Start is completely disabled, this flow will not appear

Mask custom fields

This will force all custom field names and values to be masked. The user will need to unmask by clicking the eye icon in the record. Here's an example of what this will look like:

Mask notes

This will mask the notes section of a record. The user must click the eye icon unmask the details. Here's an example of what this will look like:

Mask passwords

Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eye icon.

Pause BreachWatch on Client Devices

When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.

Send BreachWatch events to Reporting & Alerts and connected external logging systems

By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.

Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.

Require Re-authentication (Master Password or biometrics)

This enforcement policy allows you to require users to re-authenticate using either their Master Password or biometric login prior to completing the following actions:

  • Autofilling passwords

  • Revealing and copying a password or masked field

  • Editing, sharing and deleting a record or folder.

Additionally, "Delay re-authentication after minutes of inactivity" allows you to specify how many minutes should pass after inactivity before the user is asked to re-authenticate.

Note: This feature does not apply to SSO users.

Retention of Deleted Records

By default, a deleted record will move into the Owner's trash bin ("Deleted Items"). Keeper provides two enforcement policies to control the handling of deleted items.

  • Day(s) before records can be cleared permanently

  • Day(s) before deleted records automatically purge

To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.

Admins can also configure automatic deletion of records that the user has placed into the trash bin.

Record Passwords

Keeper's password and passphrase generator can be enforced as a general policy, or for specific website domains.

Password Generator

The password generator on end-user vaults will adhere to the minimum character length, minimum number of lowercase/uppercase/numbers/symbols and allowed list of symbols as defined here. The symbols used in the password generator will be limited to the selection from the list. By default, all symbols will be used.

Passphase Generator

The passphrase generator on end-user vaults is enabled by default, but can be disabled by the admin. Passphrases will adhere to the minimum number of words and can be configured to include capital letters and a number. The separators between words will be selected from the list of allowed symbols. By default, a set of symbols is utilized.

Domain-Specific Password, Passphrase and Symbol Policies

Domain-specific policies allow admins to enforce a password complexity privacy rule for a specific domain name, or domain pattern match.

Wildcards (*) can be used to create minimum password complexity rules for more than a single domain.

For example:

  • *.amazon.com

  • *.google.com

  • *.gov

  • example.com

  • *.example.com

One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. If a wildcard is used by itself, the policy will be enforced for any record which contains any value for the domain name.

Apply Privacy Screen Setting (Prevent Viewing Passwords)

Keeper's Privacy Screen feature can be applied at the team level, role policy level (based on specific record domains), and at the record type (template) level.

At the role policy level, the Privacy Screen enforcement policy is used in conjunction with the Generated Password Complexity policy to control the viewing (unmasking) of passwords based on a specified domain. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.

If Privacy Screen is applied to a user with edit or ownership permission on a record, the user is forced to use the password generator when editing the record.

It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools.

This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.

Inside the vault, any record with a matching URL will be locked, and the user cannot unmask to view the password.

Likewise, in the Browser Extension, the Privacy Screen is activated.

Watch the video below to learn more about the Privacy Screen feature.

Privacy Screen

Record Types

If record types are enabled for your account, specific record types that are not wanted can be enabled or disabled. Both default and custom record types can be enabled or disabled based on the role permissions. Custom record types show up below default types, but the desired order can be controlled within each users vault settings.

Turning off certain record types will affect what shows up in the dropdowns in user vaults:

Note that the left menu item for "Record Types" will not be visible if this capability is not enabled for your enterprise.

If all record types except one are disabled in the console, when creating a record in the vault, the popup to select a record type will not appear. The workflow will continue as if record types has not been enabled for users in that role.

Even if record types are disabled for a portion of users in an organization, this will not limit sharing and editing capabilities. For example, an Admin will be able to share a custom SSH Key record with non-admins and all data in the record will be present.

If records are shared with another organization that does not have record types enabled, the data will be there, but not visible until that organization has record types enabled.

Creating and Sharing

Creating and sharing enforcements offer admins a wide range of granular, flexible restrictions that can be applied to users when both creating and sharing records.

Granular Sharing Enforcements


“Creating” enforcements handle a user’s ability to create records, folders, shared folders and more.

Creating can be customized to:

  • Create records, including the ability to restrict the creation of records and folders inside shared folders only and duplication of records.

  • Create folders, including the ability to restrict the creation of folders inside shared folders only.

  • Create shared folders

  • Create items in the identity and payments tab, including the payment and address records using the KeeperFill Browser Extension.

  • Upload files


“Sharing” enforcements handle a user’s ability to share and receive items including one-time share links, file attachments and more.

Sharing can be customized to:

  • Share and receive items

  • Share to others by adding records inside shared folders only, preventing a user from adding other users to records and shared folders.

  • Only receive shared items, preventing a user from adding other users to records and shared folders.

  • Cannot share or receive items, preventing a user from adding other users to records and shared folders and from receiving items from others. If this enforcement is enabled, then the ability to generate One-Time Share links, share records with file attachments and share to users outside the enterprise will be disabled by default.

Admins can also individually restrict a users ability to:

  • Generate One-Time Share links

  • Share records with file attachments

  • Can share outside of isolated nodes

  • Share to users outside of the enterprise

  • Can receive items from users outside of the enterpirse

Import and Export

"Import" and Export" enforcements offers admins more targeted control over their users’ ability to import and export from their vaults.

Importing and exporting can be customized to:

  • Import into vault, including the ability to restrict importing shared folders from LastPass.

  • Export from vault


KeeperFill is the browser extension that provides Keeper users with autofill capability on websites and applications.

To learn more about KeeperFill, read our KeeperFill Browser Extension guides.

KeeperFill Browser Extension

Admins can individually enable the various features and settings of the KeeperFill Browser extension.

Supported Enforcement Settings:

  • Enforce or Disable "Hover Locks"

  • Enforce or Disable "Autofill Suggestions"

  • Enforce or Disable "Autofill"

  • Enforce or Disable "Auto Submit"

  • Enforce or Disable "Match on Subdomain"

  • Enforce "Prompt to Fill"

  • Enforce "Prompt to Save"

  • Enforce "Prompt to Change"

  • Enforce "Prompt to Disable"

  • Enforce the "HTTP Fill Warning" popup

Disable KeeperFill on Specified Websites

Admins can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.

Account Settings

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.

More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address. Note, SSO-enabled users cannot change their email.

Enable Self-Destruct

Turning this policy on will allow users in this role 5 incorrect password attempts before all locally-stored Keeper data is erased.

Prevent Keeper Family License Invites

Turning this policy on will prevent users from inviting their personal email to a Keeper Family License for personal use. More information about the free Family License for Personal Use is available at this page.

Disable Stay Logged In

Activating this enforcement policy will disable the "Stay Logged In" feature for users in the role. This feature allows users to remain logged in to the Web Vault, Desktop App and Browser Extension in between browser or computer restarts, until the inactivity timer expires. When the enforcement policy is active, users will always be logged out when the application closes, regardless of the inactivity timer.

Default User Setting for Stay Logged In

Set the default "Stay Logged In" setting "on" or "off" for new users in this role. This setting applies only to new users, it is not retroactive.

Logout Timer

The Admin can set the inactivity logout timer for the Web, Mobile and Desktop Apps. A different duration can be set for each, in minutes. Users will be logged out of the respective app after being idle for the duration.

Account Recovery

A 24-word auto-generated recovery phrase is a break-glass method of recovering a Keeper Vault if the user forgets their master password. Account recovery can also be used to login to an account if the SSO identity provider is unavailable.

Keeper has implemented recovery phrases using the same BIP39-word list used to protect crypto wallets. The word list in BIP39 is a set of 2,048 words used to generate an encryption key with 256 bits of entropy. Each word in the BIP39 list is carefully selected to improve visibility and make the recovery process less error-prone. More information about account recovery is found at the Keeper blog post.

This policy allows the Admin to disable account recovery for users. This policy to disable account recovery is recommended when customers login with Keeper SSO Connect Cloud with a SAML 2.0 identity provider.

If account recovery is disabled, we recommend that customer enable the Vault Transfer policy to ensure that an Admin can assist a user who is unable to recover their vault (in the case of lost Master Password).

To perform account recovery for a user, follow the instructions to recover an account using vault transfer.

Keeper Invitation

Disable email invitations

If this policy is activated, users in the role will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. An additional use case for this would be if the Admin is testing the invite process.

Automatically resend email invitations

The Keeper invitation sent to new users when creating their vault can be re-sent automatically if the user does not create their account in the specified timeframe. The default setting is to only send the email invitation one time. You can increase the frequency depending on the amount of email reminders that you would like users to receive.

By default, Keeper invitations are only valid for 7 days. We recommend automatically resending invitations to ensure the highest levels of adoption.

Allow IP List

Users within the specified role can be restricted to use Keeper outside a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.

Make sure you test IP Allow on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.

Keeper Secrets Manager

If Keeper Secrets Manager is activated on a role, the Secrets Manager functionality will appear on the Web Vault, Desktop App and Commander CLI.

To learn more about Keeper Secrets Manager, see:

pageSecrets Manager

Keeper Password Rotation

Keeper Password Rotation allows Keeper customers to securely rotate credentials in any cloud-based or on-prem environment. If Password Rotation is activated on a role, the Password Rotation functionality will appear on the Web Vault, Desktop App and Commander CLI.

To learn more about Keeper Password Rotation, visit this page.

Transfer Account

To enable account transfer toggle on the switch and select the eligible role which can perform the account transfer from the dropdown menu.

Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login. It is critical that the Transfer Account policy is configured prior to the time it will need to be used.

For detailed Account Transfer configuration information click here.

Managing Policies in Keeper Commander CLI

Keeper Commander, our command-line CLI and Python-based SDK supports the ability to modify roles and enforcement policies.

For more information, visit: Enterprise Role Commands

Here's an example restricting the "Engineering" role to access import records.

enterprise-role Engineering --enforcement "RESTRICT_IMPORT:True"

Video Overview

Watch the video below to learn more about Enforcement Policies.

Enforcement Policies

Last updated