Enforcement Policies
This option, which we also refer to as "Alternate Master Password", provides SSO-activated users a way to alternatively login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI.
Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Web Vault, Browser Extension and Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator in the role policy and then configured by the user. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated.
Once this policy is activated, each user can follow the below steps to activate their Alternate Master Password:
Login to the Web Vault using SSO
Visit the Settings screen and then click "Setup" or "Edit" to set the Master Password.
Once set, the user can login to Keeper Web Vault by visiting the "Enterprise SSO Login" > "Master Password" screen.
The Master Password login feature for SSO users is currently only available on the Web Vault, Desktop App, Browser Extension and Commander CLI.
Master Password Complexity policy enforces a password complexity for users that are assigned the selected role.
Settings include:
Password length
Number of digits
Number of special characters
Number of uppercase letters
Number of lowercase letters
Important Note about Master Password Complexity and Default Role
When users are initially creating their vault, Keeper looks at all of the Default Roles within the Keeper Enterprise console in order to enforce master complexity rules. Keeper decides the Master Password complexity rules based on the largest value of each Default Role.
Once the account is created, Keeper will use the role assigned to the user to ensure Master Password complexity requirements are enforced on an ongoing basis.
When creating the Keeper Vault, the user will be required to adhere to the complexity requirements.
The Master Password Expiration policy will require users to change the Master Password at the selected time interval (in days). When this policy is turned on, the Master Password will expire and the user will forced to choose a new Master Password upon their next login. To configure the number of days that the Master Password must be changed, select this setting and make a selection between 10 to 150 days.
When this policy is applied to users to login with SSO Connect (On-Prem), the Master Password is transparently updated by the Keeper application upon login, without user intervention. Since SSO users are authenticating against your identity provider, we don't recommend enabling this feature for roles that are authenticating using an SSO IdP. This feature does not affect users who login with SSO Connect (Cloud).
If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select the Expire Master Password for all users. This will instantly expire a user's Master Password and require a password reset.
iOS Touch ID/Face ID, Mac OS Touch ID (Mac Store app only), Windows Hello (Microsoft Store) and Android platforms support biometric login. By default, all biometrics logins are allowed.
Turning on the Two-Factor Authentication policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.
If 2FA is enforced, the user will be required to set up 2FA upon account creation or login
If 2FA is enforced, it cannot be disabled by the user, but they can "Edit" and re-configure their 2FA
In addition to enforcing 2FA, the Admin can also specify how often users are prompted to re-authenticate with a new code.
Admin can disable a user's 2FA temporarily from the User detail screen in the Admin Console
Note that 2FA is always enforced on the Keeper servers once it has been configured for a user, no matter how often the user is prompted for a code. When a user has authenticated with a 2FA code, a token is generated on the device which is used for subsequent communication to the backend system.
On the user's device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.
In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.
Keeper supports the following 2FA methods:
Text Message (SMS)
TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)
Smartwatch (Apple Watch or Android Wear)
RSA SecurID (Requires Admin Configuration)
Duo Security (Requires Admin Configuration)
U2F Security Keys (Always allowed)
Security Keys are always available for users, and are not explicitly enforced.
More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.
Keeper's advanced authentication system provides a built-in device verification that provides a second factor via email confirmation when attempting to login on an unrecognized device. If a user has configured 2FA, it can also be used as a method of device verification instead of email (for example, if email access is not possible).
Device Verification with 2FA is only possible with accounts that login with a Master Password. Users who login with SSO cannot use 2FA for device verification and must use Keeper Push on a new or unrecognized device.
An Admin can restrict the use of certain platforms in Keeper Vault including, Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat, Desktop and Mobile.
An Admin can prevent users in a role from using standard features in the Vault. Each individual policy is described below.
Turning this on will prevent the "Quick Start" module from appearing in users' vaults when they login in for the first time.
Turning this on will prevent users in the role from creating a folder or a shared folder.
Turning this on will prevent users in the role from creating Identity and Payment records, such as credit cards and addresses.
This will force all custom field names and values to be masked. The user will need to unmask by clicking the eye icon in the record. Here's an example of what this will look like:
This will mask the notes section of a record. The user must click the eye icon unmask the details. Here's an example of what this will look like:
Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eye icon.
When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.
By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.
Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.
This enforcement policy allows you to require users to re-authenticate using either their Master Password or biometric login prior to completing the following actions:
Autofilling passwords
Revealing and copying a password or masked field
Editing, sharing and deleting a record or folder.
Additionally, "Delay re-authentication after minutes of inactivity" allows you to specify how many minutes should pass after inactivity before the user is asked to re-authenticate.
Note: This feature does not apply to SSO users.
By default, a deleted record will move into the Owner's trash bin ("Deleted Items"). Keeper provides two enforcement policies to control the handling of deleted items.
Day(s) before records can be cleared permanently
Day(s) before deleted records automatically purge
To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.
Admins can also configure automatic deletion of records that the user has placed into the trash bin.
This feature allows you to specify a password generator complexity policy on a per-domain basis, or use wildcards to specify a larger, matching pattern against domain names. With this enforcement policy in place, the record owner will be required to use the password generator feature (dice) to create a random high-strength password.
Wildcards can be used to create minimum password complexity rules for more than a single domain: *.com, *.net, *.gov, etc. can be configured. One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. For example, if you create a global rule (*) for a minimum password length of eight characters, and a (*.com) rule with a minimum of six characters, the lest permissive rule of eight characters will take precedence for all domains.
Keeper's Privacy Screen, used in conjunction with the Generated Password Complexity policy described above, gives you the ability to control the viewing (unmasking) of passwords based on a specified domain. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.
If Privacy Screen is applied to a user with edit or ownership permission on a record, the user is forced to use the password generator when editing the record.
It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools.
This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.
Inside the vault, any record with a matching URL will be locked, and the user cannot unmask to view the password.
Likewise, in the Browser Extension, the Privacy Screen is activated.
Watch the video below to learn more about the Privacy Screen feature.
By default, all Sharing & Uploading is allowed.
Turning this on will prevent users in the role from sharing any record or folder.
Turning on this policy will ensure records are not shared with users outside of your organization.
Turning this on will prevent users in the role from sharing records that have files attached to the record.
Turning this on will prevent users in the role from exporting their data from their Keeper Web Vault and Desktop App. Please note, this is a client-side enforcement since the data is loaded locally when a user logs into their vault.
When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.
KeeperFill is the browser extension that provides Keeper users with autofill capability on websites and applications.
To learn more about the KeeperFill Browser Extension in our guides.
Admins can individually enable the various features and settings of the KeeperFill Browser extension.
Supported Enforcement Settings:
Enforce or Disable "Hover Locks"
Enforce or Disable "Autofill"
Enforce or Disable "Auto Submit"
Enforce or Disable "Match on Subdomain"
Enforce "Prompt to Fill"
Enforce "Prompt to Login"
Enforce "Prompt to Save"
Enforce "Prompt to Change"
Enforce "Prompt to Disable"
Enforce the "HTTP Fill Warning" popup
Admins can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.
Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.
More information about Offline Access is documented here.
Turning this on prevents users from changing their email address. Note, SSO-enabled users cannot change their email.
If this policy is activated, users in the role will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. An additional use case for this would be if the Admin is testing the invite process.
Activating this enforcement policy will disable the "Stay Logged In" feature for users in the role. "Stay Logged In" is a feature which allows the user to remain logged into the Web Vault, Desktop App and Browser Extension in between browser or computer restarts, according to the value set by the Logout Timer.
The Admin can govern how long a platform is signed in. Web, Mobile and Desktop Apps can have separate logout timer durations, specified in minutes.
The Admin can disable account recovery for users (security question and answer). This policy is most commonly used when authentication is delegated to a SAML 2.0 identity provider.
If account recovery is disabled, we recommend that customer enable the Vault Transfer policy to ensure that an Admin can assist a user who is unable to recover their vault (in the case of lost Master Password or an identity provider outage).
The Keeper invitation sent to new users when creating their vault can be re-sent automatically if the user does not create their account in the specified timeframe. The default setting is to only send the email invitation one time. You can increase the frequency depending on the amount of email reminders that you would like users to receive.
Users within the specified role can be restricted to use Keeper outside a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.
Make sure you test IP Allow on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.
To enable account transfer toggle on the switch and select the eligible role which can perform the account transfer from the dropdown menu.
Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.
For detailed Account Transfer configuration information click here.
Keeper's encryption model uses a Password-Based Key Derivation Function (PBKDF2) to derive an encryption key from the user's Master Password. By default, Keeper defaults to using 100,000 iterations. We recommend leaving this setting as is unless there are performance issues on older web browsers.
Watch the video below to learn more about Enforcement Policies.
