Comment on page

Enforcement Policies

Role Enforcement Policies

Login Settings

Allow SSO Master Password

This option, which we also refer to as "Alternate Master Password", provides SSO-activated users a way to alternatively login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI.
Alternate Master Password Policy
Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Web Vault, Browser Extension and Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator in the role policy and then configured by the user. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated.
Once this policy is activated, each user can follow the below steps to activate their Alternate Master Password:
  1. 1.
    Login to the Web Vault using SSO
  2. 2.
    Visit the Settings screen and then click "Setup" or "Edit" to set the Master Password.
  3. 3.
    Once set, the user can login to Keeper Web Vault by visiting the "Enterprise SSO Login" > "Master Password" screen.
Edit Master Password for SSO Users
SSO Master Password Login Flow
The Master Password login feature for SSO users is only available on the Web Vault, Desktop App, Browser Extension and Commander CLI.

Master Password Complexity

Master Password Complexity policy enforces a password complexity for users that are assigned the selected role.
Settings include:
  • Password length
  • Number of digits
  • Number of special characters
  • Number of uppercase letters
  • Number of lowercase letters
Important Note about Master Password Complexity and Default Role
When users are initially creating their vault, Keeper looks at all of the Default Roles within the Keeper Enterprise console in order to enforce master complexity rules. Keeper decides the Master Password complexity rules based on the largest value of each Default Role.
Once the account is created, Keeper will use the role assigned to the user to ensure Master Password complexity requirements are enforced on an ongoing basis.
Default Role is used to calculate Master Password Complexity Requirements (new accounts only)
When creating the Keeper Vault, the user will be required to adhere to the complexity requirements.
Master Password complexity enforcement

Master Password Expiration

The Master Password Expiration policy will require users to change the Master Password at the selected time interval (in days). When this policy is turned on, the Master Password will expire and the user will be forced to choose a new Master Password upon their next login. To configure the number of days that the Master Password must be changed, select this setting and make a selection between 10 to 150 days.
Master Password Expiration
When this policy is applied to users to login with SSO Connect (On-Prem), the Master Password is transparently updated by the Keeper application upon login, without user intervention. Since SSO users are authenticating against your identity provider, we don't recommend enabling this feature for roles that are authenticating using an SSO IdP. This feature does not affect users who login with SSO Connect (Cloud).
If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select the Expire Master Password for all users. This will instantly expire a user's Master Password and require a password reset.


iOS Touch ID/Face ID, Mac OS Touch ID (Mac Store app only), Windows Hello (Microsoft Store) and Android platforms support biometric login. By default, all biometrics logins are allowed.

Two Factor Authentication (2FA)

Turning on the Two-Factor Authentication policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.
Two-Factor Authentication Enforcements
  • If 2FA is enforced, the user will be prompted to set up 2FA upon account creation or login
  • If 2FA is enforced, it cannot be disabled by the user, but they can "Edit" and re-configure their 2FA
  • In addition to enforcing 2FA, the Admin can also specify how often users are prompted to re-authenticate with a new code.
  • Admin can disable a user's 2FA temporarily from the User detail screen in the Admin Console
Note that 2FA is always enforced on the Keeper servers once it has been configured for a user, no matter how often the user is prompted for a code. When a user has authenticated with a 2FA code, a token is generated on the device which is used for subsequent communication to the backend system.
On the user's device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.
In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.
Keeper supports the following 2FA methods:
  • Text Message (SMS)
  • TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)
  • Smartwatch (Apple Watch or Android Wear)
  • RSA SecurID (Requires Admin Configuration)
  • Duo Security (Requires Admin Configuration)
  • FIDO2 WebAuthn Security Keys (Always allowed)
Security Keys are always available for users, and are not explicitly enforced.
More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

2FA and Device Verification

Keeper's advanced authentication system provides a built-in device verification that provides a second factor via email confirmation when attempting to login on an unrecognized device. If a user has configured 2FA, it can also be used as a method of device verification instead of email (for example, if email access is not possible).
2FA for Device Verification
Device Verification with 2FA is only possible with accounts that login with a Master Password. Users who login with SSO cannot use 2FA for device verification and must use Keeper Push on a new or unrecognized device.

Platform Restriction

An Admin can restrict the use of certain platforms in Keeper Vault including, Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat, Desktop and Mobile.
Platform Restricts Enforcements
Client-side enforcements will be applied to all enabled platforms

Vault Features

An Admin can prevent users in a role from using standard features in the Vault. Each individual policy is described below.
Vault Features Enforcements
Vault Features Enforcements

Disable in-app onboarding

Turning this on will prevent the "Quick Start" module from appearing in users' vaults when they login in for the first time.

Prevent user from creating folders

Turning this on will prevent users in the role from creating a folder or a shared folder.

Prevent users from creating Identity and Payment records

Turning this on will prevent users in the role from creating Identity and Payment records, such as credit cards and addresses.

Mask custom fields

This will force all custom field names and values to be masked. The user will need to unmask by clicking the eye icon in the record. Here's an example of what this will look like:
Custom Field Masking

Mask notes

This will mask the notes section of a record. The user must click the eye icon unmask the details. Here's an example of what this will look like:
Notes Masking

Mask passwords

Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eye icon.

Pause BreachWatch on Client Devices

When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.

Send BreachWatch events to Reporting & Alerts and connected external logging systems

By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.
Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.

Require Re-authentication (Master Password or biometrics)

This enforcement policy allows you to require users to re-authenticate using either their Master Password or biometric login prior to completing the following actions:
  • Autofilling passwords
  • Revealing and copying a password or masked field
  • Editing, sharing and deleting a record or folder.
Additionally, "Delay re-authentication after minutes of inactivity" allows you to specify how many minutes should pass after inactivity before the user is asked to re-authenticate.
Note: This feature does not apply to SSO users.

Purging Deleted Records

By default, a deleted record will move into the Owner's trash bin ("Deleted Items"). Keeper provides two enforcement policies to control the handling of deleted items.
  • Day(s) before records can be cleared permanently
  • Day(s) before deleted records automatically purge
To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.
Admins can also configure automatic deletion of records that the user has placed into the trash bin.
Purging Deleted Records

Generated Password Complexity

This feature allows you to specify a password generator complexity policy on a per-domain basis, or use wildcards to specify a larger, matching pattern against domain names. With this enforcement policy in place, the record owner will be required to use the password generator feature (dice) to create a random high-strength password.
Wildcards can be used to create minimum password complexity rules for more than a single domain: *.com, *.net, *.gov, etc. can be configured. One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. For example, if you create a global rule (*) for a minimum password length of eight characters, and a (*.com) rule with a minimum of six characters, the lest permissive rule of eight characters will take precedence for all domains.

Apply Privacy Screen (Prevent Viewing Passwords)

Keeper's Privacy Screen feature can be applied at the team level, role policy level (based on specific record domains), and at the record type (template) level.
At the role policy level, the Privacy Screen enforcement policy is used in conjunction with the Generated Password Complexity policy to control the viewing (unmasking) of passwords based on a specified domain. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.
If Privacy Screen is applied to a user with edit or ownership permission on a record, the user is forced to use the password generator when editing the record.
It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools.
This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.
Admin Console - Apply Privacy Screen
Inside the vault, any record with a matching URL will be locked, and the user cannot unmask to view the password.
Privacy Screen in Vault
Likewise, in the Browser Extension, the Privacy Screen is activated.
Privacy Screen in Browser Extension
Watch the video below to learn more about the Privacy Screen feature.
Privacy Screen

Record Types

If record types are enabled for your account, specific record types that are not wanted can be enabled or disabled. Both default and custom record types can be enabled or disabled based on the role permissions. Custom record types show up below default types, but the desired order can be controlled within each users vault settings.
Turning off certain record types will affect what shows up in the dropdowns in user vaults:
Record type selection when creating a new record in the vault
Note that the left menu item for "Record Types" will not be visible if this capability is not enabled for your enterprise.
If all record types except one are disabled in the console, when creating a record in the vault, the popup to select a record type will not appear. The workflow will continue as if record types has not been enabled for users in that role.
Even if record types are disabled for a portion of users in an organization, this will not limit sharing and editing capabilities. For example, an Admin will be able to share a custom SSH record with non-admins and all data in the record will be present.
If records are shared with another organization that does not have record types enabled, the data will be there, but not visible until that org is record types enabled.

Sharing & Uploading

By default, all Sharing & Uploading is allowed.
Sharing & Uploading

Prevent record and folder sharing

Turning this on will prevent users in the role from sharing any record or folder.

Prevent record sharing to users outside of Keeper Enterprise

Turning this on will ensure records are not shared with users outside of your organization.
Turning this on will prevent users in the role from sharing records via One-Time Share Links.

Prevent sharing records with file attachments

Turning this on will prevent users in the role from sharing records that have files attached to the record.

Prevent exporting of records from Web App and Desktop App

Turning this on will prevent users in the role from exporting their data from their Keeper Web Vault and Desktop App. Please note, this is a client-side enforcement since the data is loaded locally when a user logs into their vault.

Prevent importing of records from Web App and Desktop App

Turning this on will prevent users in the role from importing their data from their Keeper Web Vault and Desktop App.

Prevent use of LastPass shared folders import option

When this is enabled, anyone transferring their vault from LastPass from the desktop app will not be able to transfer shared folders. This can prevent occurrences of duplicate records, and ensures that the Admin is responsible for migrating all shared folder records. Learn more about migrating from LastPass.

Prevent users from uploading files

When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.


KeeperFill is the browser extension that provides Keeper users with autofill capability on websites and applications.
To learn more about KeeperFill, read our KeeperFill Browser Extension guides.

KeeperFill Browser Extension

Admins can individually enable the various features and settings of the KeeperFill Browser extension.
KeeperFill Enforcement Policies (1)
KeeperFill Enforcement Policies (2)
Supported Enforcement Settings:
  • Enforce or Disable "Hover Locks"
  • Enforce or Disable "Autofill Suggestions"
  • Enforce or Disable "Autofill"
  • Enforce or Disable "Auto Submit"
  • Enforce or Disable "Match on Subdomain"
  • Enforce "Prompt to Fill"
  • Enforce "Prompt to Save"
  • Enforce "Prompt to Change"
  • Enforce "Prompt to Disable"
  • Enforce the "HTTP Fill Warning" popup

Disable KeeperFill on Specified Websites

Admins can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.

Account Settings

Account Settings Enforcement Policies (1)
Account Settings Enforcement Policies (2)

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.
More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address. Note, SSO-enabled users cannot change their email.

Disable email invitations

If this policy is activated, users in the role will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. An additional use case for this would be if the Admin is testing the invite process.

Enable Self-Destruct

Turning this policy on will allow users in this role 5 incorrect password attempts before all locally-stored Keeper data is erased.

Prevent Keeper Family License Invites

Turning this policy on will prevent users from inviting their personal email to a Keeper Family License for personal use. More information about the free Family License for Personal Use is available at this page.

Disable Stay Logged In

Activating this enforcement policy will disable the "Stay Logged In" feature for users in the role. This feature allows users to remain logged in to the Web Vault, Desktop App and Browser Extension in between browser or computer restarts, until the inactivity timer expires. When the enforcement policy is active, users will always be logged out when the application closes, regardless of the inactivity timer.

Default User Setting for Stay Logged In

Set the default "Stay Logged In" setting "on" or "off" for new users in this role. This setting applies only to new users, it is not retroactive.
Stay Logged In Default User Setting

Logout Timer

The Admin can set the inactivity logout timer for the Web, Mobile and Desktop Apps. A different duration can be set for each, in minutes. Users will be logged out of the respective app after being idle for the duration.
Logout Timer

Account Recovery

A 24-word auto-generated recovery phrase is a break-glass method of recovering a Keeper Vault if the user forgets their master password. Account recovery can also be used to login to an account if the SSO identity provider is unavailable.
Keeper has implemented recovery phrases using the same BIP39-word list used to protect crypto wallets. The word list in BIP39 is a set of 2,048 words used to generate an encryption key with 256 bits of entropy. Each word in the BIP39 list is carefully selected to improve visibility and make the recovery process less error-prone. More information about account recovery is found at the Keeper blog post.
This policy allows the Admin to disable account recovery for users. This policy to disable account recovery is recommended when customers login with Keeper SSO Connect Cloud with a SAML 2.0 identity provider.
If account recovery is disabled, we recommend that customer enable the Vault Transfer policy to ensure that an Admin can assist a user who is unable to recover their vault (in the case of lost Master Password).
In a release planned in Q4 2023, Keeper Admins will also have the ability to help end-users perform a master password reset.

Keeper Invitation

The Keeper invitation sent to new users when creating their vault can be re-sent automatically if the user does not create their account in the specified timeframe. The default setting is to only send the email invitation one time. You can increase the frequency depending on the amount of email reminders that you would like users to receive.
By default, Keeper invitations are only valid for 7 days. We recommend automatically resending invitations to ensure the highest levels of adoption.
Keeper Invitation Resend

Allow IP List

Users within the specified role can be restricted to use Keeper outside a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.
Allow IP List
Make sure you test IP Allow on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.

Keeper Secrets Manager

If Keeper Secrets Manager is activated on a role, the Secrets Manager functionality will appear on the Web Vault, Desktop App and Commander CLI.
Keeper Secrets Manager
To learn more about Keeper Secrets Manager, see:

Keeper Password Rotation

Keeper Password Rotation allows Keeper customers to securely rotate credentials in any cloud-based or on-prem environment. If Password Rotation is activated on a role, the Password Rotation functionality will appear on the Web Vault, Desktop App and Commander CLI.
Enforcement Policy: Keeper Rotation
To learn more about Keeper Password Rotation, visit this page.

Transfer Account

To enable account transfer toggle on the switch and select the eligible role which can perform the account transfer from the dropdown menu.
Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login. It is critical that the Transfer Account policy is configured prior to the time it will need to be used.
Transfer Account Enforcements
For detailed Account Transfer configuration information click here.

Managing Policies in Keeper Commander CLI

Keeper Commander, our command-line CLI and Python-based SDK supports the ability to modify roles and enforcement policies.
For more information, visit: Enterprise Role Commands
Here's an example restricting the "Engineering" role to access import records.
enterprise-role Engineering --enforcement "RESTRICT_IMPORT:True"

Video Overview

Watch the video below to learn more about Enforcement Policies.
Enforcement Policies