⮐ Keeper HomeAll DocumentationAdmin Console
Search…
Getting Started
Start Your Trial
Resources
Quick Start for Small Business Teams
Why Choose Keeper Enterprise
Implementation Overview
Domain Reservation
Deploying Keeper to End-Users
End-User Guides
Keeper Admin Console Overview
Nodes and Organizational Structure
User and Team Provisioning
SSO / SAML Authentication
User Management and Lifecycle
Roles, RBAC and Permissions
Enforcement Policies
Delegated Administration
Account Transfer Policy
Teams (Groups)
Folders and Shared Folders
Share Admin
Creating Vault Records
One-Time Share
Importing Data
Record Types
Two-Factor Authentication
Storing Two-Factor Codes
Security Audit
BreachWatch (Dark Web)
Secure File Storage
Reporting, Alerts & SIEM
Recommended Alerts
Webhooks (Slack & Teams)
Compliance Reports
Vault Offline Access
Secrets Manager
Commander CLI
Keeper Connection Manager
Keeper MSP
Free Family License for Personal Use
KeeperChat
Recommended Security Settings
IP Allow Keeper
Keeper Encryption Model
Developer API / SDK Tools
On-Prem vs. Cloud
Authentication Flow V3
Migrating from LastPass
Training and Support
Troubleshooting
Docs Home
Powered By GitBook
Enforcement Policies
Role Enforcement Policies

Login Settings

Login Settings Enforcements

Allow SSO Master Password

This option, which we also refer to as "Alternate Master Password", provides SSO-activated users a way to alternatively login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI.
Alternate Master Password Policy
Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Web Vault, Browser Extension and Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator in the role policy and then configured by the user. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated.
Once this policy is activated, each user can follow the below steps to activate their Alternate Master Password:
  1. 1.
    Login to the Web Vault using SSO
  2. 2.
    Visit the Settings screen and then click "Setup" or "Edit" to set the Master Password.
  3. 3.
    Once set, the user can login to Keeper Web Vault by visiting the "Enterprise SSO Login" > "Master Password" screen.
Edit Master Password for SSO Users
SSO Master Password Login Flow
The Master Password login feature for SSO users is only available on the Web Vault, Desktop App, Browser Extension and Commander CLI.

Master Password Complexity

Master Password Complexity policy enforces a password complexity for users that are assigned the selected role.
Master Password Complexity
Settings include:
  • Password length
  • Number of digits
  • Number of special characters
  • Number of uppercase letters
  • Number of lowercase letters
Important Note about Master Password Complexity and Default Role
When users are initially creating their vault, Keeper looks at all of the Default Roles within the Keeper Enterprise console in order to enforce master complexity rules. Keeper decides the Master Password complexity rules based on the largest value of each Default Role.
Once the account is created, Keeper will use the role assigned to the user to ensure Master Password complexity requirements are enforced on an ongoing basis.
Default Role is used to calculate Master Password Complexity Requirements (new accounts only)
When creating the Keeper Vault, the user will be required to adhere to the complexity requirements.
Master Password complexity enforcement

Master Password Expiration

The Master Password Expiration policy will require users to change the Master Password at the selected time interval (in days). When this policy is turned on, the Master Password will expire and the user will forced to choose a new Master Password upon their next login. To configure the number of days that the Master Password must be changed, select this setting and make a selection between 10 to 150 days.
Master Password Expiration
When this policy is applied to users to login with SSO Connect (On-Prem), the Master Password is transparently updated by the Keeper application upon login, without user intervention. Since SSO users are authenticating against your identity provider, we don't recommend enabling this feature for roles that are authenticating using an SSO IdP. This feature does not affect users who login with SSO Connect (Cloud).
If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select the Expire Master Password for all users. This will instantly expire a user's Master Password and require a password reset.

Biometrics

iOS Touch ID/Face ID, Mac OS Touch ID (Mac Store app only), Windows Hello (Microsoft Store) and Android platforms support biometric login. By default, all biometrics logins are allowed.

Two Factor Authentication (2FA)

Turning on the Two-Factor Authentication policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.
Two-Factor Authentication Enforcements
  • If 2FA is enforced, the user will be prompted to set up 2FA upon account creation or login
  • If 2FA is enforced, it cannot be disabled by the user, but they can "Edit" and re-configure their 2FA
  • In addition to enforcing 2FA, the Admin can also specify how often users are prompted to re-authenticate with a new code.
  • Admin can disable a user's 2FA temporarily from the User detail screen in the Admin Console
Note that 2FA is always enforced on the Keeper servers once it has been configured for a user, no matter how often the user is prompted for a code. When a user has authenticated with a 2FA code, a token is generated on the device which is used for subsequent communication to the backend system.
On the user's device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.
In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.
Keeper supports the following 2FA methods:
  • Text Message (SMS)
  • TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)
  • Smartwatch (Apple Watch or Android Wear)
  • RSA SecurID (Requires Admin Configuration)
  • Duo Security (Requires Admin Configuration)
  • FIDO2 WebAuthn Security Keys (Always allowed)
Security Keys are always available for users, and are not explicitly enforced.
More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

2FA and Device Verification

Keeper's advanced authentication system provides a built-in device verification that provides a second factor via email confirmation when attempting to login on an unrecognized device. If a user has configured 2FA, it can also be used as a method of device verification instead of email (for example, if email access is not possible).
2FA for Device Verification
Device Verification with 2FA is only possible with accounts that login with a Master Password. Users who login with SSO cannot use 2FA for device verification and must use Keeper Push on a new or unrecognized device.

Platform Restriction

An Admin can restrict the use of certain platforms in Keeper Vault including, Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat, Desktop and Mobile.
Platform Restricts Enforcements

Vault Features

An Admin can prevent users in a role from using standard features in the Vault. Each individual policy is described below.
Vault Features Enforcements
Vault Features Enforcements

Disable in-app onboarding

Turning this on will prevent the "Quick Start" module from appearing in users' vaults when they login in for the first time.

Prevent user from creating folders

Turning this on will prevent users in the role from creating a folder or a shared folder.

Prevent users from creating Identity and Payment records

Turning this on will prevent users in the role from creating Identity and Payment records, such as credit cards and addresses.

Mask custom fields

This will force all custom field names and values to be masked. The user will need to unmask by clicking the eye icon in the record. Here's an example of what this will look like:
Custom Field Masking

Mask notes

This will mask the notes section of a record. The user must click the eye icon unmask the details. Here's an example of what this will look like:
Notes Masking

Mask passwords

Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eye icon.

Pause BreachWatch on Client Devices

When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.

Send BreachWatch events to Reporting & Alerts and connected external logging systems

By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.
Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.

Require Re-authentication (Master Password or biometrics)

This enforcement policy allows you to require users to re-authenticate using either their Master Password or biometric login prior to completing the following actions:
  • Autofilling passwords
  • Revealing and copying a password or masked field
  • Editing, sharing and deleting a record or folder.
Additionally, "Delay re-authentication after minutes of inactivity" allows you to specify how many minutes should pass after inactivity before the user is asked to re-authenticate.
Note: This feature does not apply to SSO users.

Purging Deleted Records

By default, a deleted record will move into the Owner's trash bin ("Deleted Items"). Keeper provides two enforcement policies to control the handling of deleted items.
  • Day(s) before records can be cleared permanently
  • Day(s) before deleted records automatically purge
To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.
Admins can also configure automatic deletion of records that the user has placed into the trash bin.
Purging Deleted Records

Generated Password Complexity

This feature allows you to specify a password generator complexity policy on a per-domain basis, or use wildcards to specify a larger, matching pattern against domain names. With this enforcement policy in place, the record owner will be required to use the password generator feature (dice) to create a random high-strength password.
Wildcards can be used to create minimum password complexity rules for more than a single domain: *.com, *.net, *.gov, etc. can be configured. One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. For example, if you create a global rule (*) for a minimum password length of eight characters, and a (*.com) rule with a minimum of six characters, the lest permissive rule of eight characters will take precedence for all domains.

Apply Privacy Screen (Prevent Viewing Passwords)

Keeper's Privacy Screen, used in conjunction with the Generated Password Complexity policy described above, gives you the ability to control the viewing (unmasking) of passwords based on a specified domain. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.
If Privacy Screen is applied to a user with edit or ownership permission on a record, the user is forced to use the password generator when editing the record.
It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools.
This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.
Admin Console - Apply Privacy Screen
Inside the vault, any record with a matching URL will be locked, and the user cannot unmask to view the password.
Privacy Screen in Vault
Likewise, in the Browser Extension, the Privacy Screen is activated.
Privacy Screen in Browser Extension
Watch the video below to learn more about the Privacy Screen feature.
Privacy Screen

Record Types

If record types are enabled for your account, specific record types that are not wanted can be enabled or disabled. Both default and custom record types can be enabled or disabled based on the role permissions. Custom record types show up below default types, but the desired order can be controlled within each users vault settings.
Turning off certain record types will affect what shows up in the dropdowns in user vaults:
Record type selection when creating a new record in the vault
Note that the left menu item for "Record Types" will not be visible if this capability is not enabled for your enterprise.
If all record types except one are disabled in the console, when creating a record in the vault, the popup to select a record type will not appear. The workflow will continue as if record types has not been enabled for users in that role.
Even if record types are disabled for a portion of users in an organization, this will not limit sharing and editing capabilities. For example, an Admin will be able to share a custom SSH record with non-admins and all data in the record will be present.
If records are shared with another organization that does not have record types enabled, the data will be there, but not visible until that org is record types enabled.

Sharing & Uploading

By default, all Sharing & Uploading is allowed.
Sharing & Uploading Enforcements

Prevent record and folder sharing

Turning this on will prevent users in the role from sharing any record or folder.

Prevent record sharing to users outside of Keeper Enterprise

Turning this on will ensure records are not shared with users outside of your organization.
Turning this on will prevent users in the role from sharing records via One-Time Share Links.

Prevent sharing records with file attachments

Turning this on will prevent users in the role from sharing records that have files attached to the record.

Prevent exporting of records from Web App and Desktop App

Turning this on will prevent users in the role from exporting their data from their Keeper Web Vault and Desktop App. Please note, this is a client-side enforcement since the data is loaded locally when a user logs into their vault.

Prevent importing of records from Web App and Desktop App

Turning this on will prevent users in the role from importing their data from their Keeper Web Vault and Desktop App.

Prevent users from uploading files

When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.

KeeperFill

KeeperFill is the browser extension that provides Keeper users with autofill capability on websites and applications.
To learn more about KeeperFill, read our KeeperFill Browser Extension guides.

KeeperFill Browser Extension

Admins can individually enable the various features and settings of the KeeperFill Browser extension.
KeeperFill Browser Extension Enforcements
Browser Extension Prompts
Supported Enforcement Settings:
  • Enforce or Disable "Hover Locks"
  • Enforce or Disable "Autofill"
  • Enforce or Disable "Auto Submit"
  • Enforce or Disable "Match on Subdomain"
  • Enforce "Prompt to Fill"
  • Enforce "Prompt to Login"
  • Enforce "Prompt to Save"
  • Enforce "Prompt to Change"
  • Enforce "Prompt to Disable"
  • Enforce the "HTTP Fill Warning" popup

Disable KeeperFill on Specified Websites

Admins can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.

Account Settings

Account Settings Enforcements

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.
More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address. Note, SSO-enabled users cannot change their email.

Disable email invitations

If this policy is activated, users in the role will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. An additional use case for this would be if the Admin is testing the invite process.

Enable Self-Destruct

Turning this policy on will allow users in this role 5 incorrect password attempts before all locally-stored Keeper data is erased.

Disable Stay Logged In

Activating this enforcement policy will disable the "Stay Logged In" feature for users in the role. "Stay Logged In" is a feature which allows the user to remain logged into the Web Vault, Desktop App and Browser Extension in between browser or computer restarts, according to the value set by the Logout Timer.

Default User Setting for Stay Logged In

Set the default "Stay Logged In" setting "on" or "off" for new users in this role. This setting applies only to new users, it is not retroactive.
Stay Logged In Default User Setting

Logout Timer

The Admin can govern how long a platform is signed in. Web, Mobile and Desktop Apps can have separate logout timer durations, specified in minutes.
Logout Timer

Account Recovery

The Admin can disable account recovery for users (security question and answer). This policy is most commonly used when authentication is delegated to a SAML 2.0 identity provider.
If account recovery is disabled, we recommend that customer enable the Vault Transfer policy to ensure that an Admin can assist a user who is unable to recover their vault (in the case of lost Master Password or an identity provider outage).

Keeper Invitation

The Keeper invitation sent to new users when creating their vault can be re-sent automatically if the user does not create their account in the specified timeframe. The default setting is to only send the email invitation one time. You can increase the frequency depending on the amount of email reminders that you would like users to receive.

Allow IP List

Users within the specified role can be restricted to use Keeper outside a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.
Make sure you test IP Allow on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.

Keeper Secrets Manager

If Keeper Secrets Manager is activated on a role, the Secrets Manager functionality will appear on the Web Vault, Desktop App and Commander CLI.
Keeper Secrets Manager
To learn more about Keeper Secrets Manager, see:

Transfer Account

To enable account transfer toggle on the switch and select the eligible role which can perform the account transfer from the dropdown menu.
Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login. It is critical that the Transfer Account policy is configured prior to the time it will need to be used.
Transfer Account Enforcements
For detailed Account Transfer configuration information click here.

PBKDF2 Minimum Iterations

Keeper's encryption model uses a Password-Based Key Derivation Function (PBKDF2) to derive an encryption key from the user's Master Password. By default, Keeper defaults to using 100,000 iterations. We recommend leaving this setting as is unless there are performance issues on older web browsers.
Watch the video below to learn more about Enforcement Policies.
Enforcement Policies
Previous
Roles, RBAC and Permissions
Next
Delegated Administration
Last modified 10d ago
Export as PDF
Copy link
Outline
Login Settings
Allow SSO Master Password
Master Password Complexity
Master Password Expiration
Biometrics
Two Factor Authentication (2FA)
Platform Restriction
Vault Features
Disable in-app onboarding
Prevent user from creating folders
Prevent users from creating Identity and Payment records
Mask custom fields
Mask notes
Mask passwords
Pause BreachWatch on Client Devices
Send BreachWatch events to Reporting & Alerts and connected external logging systems
Require Re-authentication (Master Password or biometrics)
Purging Deleted Records
Generated Password Complexity
Apply Privacy Screen (Prevent Viewing Passwords)
Record Types
Sharing & Uploading
Prevent record and folder sharing
Prevent record sharing to users outside of Keeper Enterprise
Prevent record sharing via One-Time Share Links
Prevent sharing records with file attachments
Prevent exporting of records from Web App and Desktop App
Prevent importing of records from Web App and Desktop App
Prevent users from uploading files
KeeperFill
KeeperFill Browser Extension
Disable KeeperFill on Specified Websites
Account Settings
Restrict offline access
Prevent users from changing their email
Disable email invitations
Enable Self-Destruct
Disable Stay Logged In
Default User Setting for Stay Logged In
Logout Timer
Account Recovery
Keeper Invitation
Allow IP List
Keeper Secrets Manager
Transfer Account
PBKDF2 Minimum Iterations