Enforcement Policies

Role Enforcement Policies

Login Settings

Login Settings

Allow SSO Master Password

This option, which we also refer to as "Alternate Master Password", provides SSO-activated users a way to alternatively login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI.

Alternate Master Password Policy

Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Web Vault, Browser Extension and Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator in the role policy and then configured by the user. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated.

Once this policy is activated, each user can follow the below steps to activate their Alternate Master Password:

  1. Login to the Web Vault using SSO

  2. Visit the Settings screen and then click "Setup" or "Edit" to set the Master Password.

  3. Once set, the user can login to Keeper Web Vault by visiting the "Enterprise SSO Login" > "Master Password" screen.

The Master Password login feature for SSO users is currently only available on the Web Vault, Desktop App, Browser Extension and Commander CLI.

Master Password Complexity

Master Password Complexity policy enforces a password complexity for users that are assigned the selected role.

Master Password Complexity

Settings include:

  • Password length

  • Number of digits

  • Number of special characters

  • Number of uppercase letters

  • Number of lowercase letters

Important Note about Master Password Complexity and Default Role

When users are initially creating their vault, Keeper looks at all of the Default Roles within the Keeper Enterprise console in order to enforce master complexity rules. Keeper decides the Master Password complexity rules based on the largest value of each Default Role.

Once the account is created, Keeper will use the role assigned to the user to ensure Master Password complexity requirements are enforced on an ongoing basis.

Default Role is used to calculate Master Password Complexity Requirements (new accounts only)

When creating the Keeper Vault, the user will be required to adhere to the complexity requirements.

Master Password complexity enforcement

Master Password Expiration

The Master Password Expiration policy will require users to change the Master Password at the selected time interval (in days). When this policy is turned on, the Master Password will expire and the user will forced to choose a new Master Password upon their next login. To configure the number of days that the Master Password must be changed, select this setting and make a selection between 10 to 150 days.

Master Password Expiration

When this policy is applied to users to login with SSO Connect (On-Prem), the Master Password is transparently updated by the Keeper application upon login, without user intervention. Since SSO users are authenticating against your identity provider, we don't recommend enabling this feature for roles that are authenticating using an SSO IdP. This feature does not affect users who login with SSO Connect (Cloud).

If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select the Expire Master Password for all users. This will instantly expire a user's Master Password and require a password reset.

Biometrics

iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support biometric login. By default, all biometrics logins are allowed.

Biometrics Policy

Two Factor Authentication (2FA)

Turning on the Two-Factor Authentication policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

Two-Factor Authentication Policy
  • If 2FA is enforced, the user will be required to set up 2FA upon account creation or login

  • If 2FA is enforced, it cannot be disabled by the user, but they can "Edit" and re-configure their 2FA

  • In addition to enforcing 2FA, the Admin can also specify how often users are prompted to re-authenticate with a new code.

  • Admin can disable a user's 2FA temporarily from the User detail screen in the Admin Console

Note that 2FA is always enforced on the Keeper servers once it has been configured for a user, no matter how often the user is prompted for a code. When a user has authenticated with a 2FA code, a token is generated on the device which is used for subsequent communication to the backend system.

On the user's device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.

In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.

Keeper supports the following 2FA methods:

  • Text Message (SMS)

  • TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)

  • Smartwatch (Apple Watch or Android Wear)

  • RSA SecurID (Requires Admin Configuration)

  • Duo Security (Requires Admin Configuration)

  • U2F Security Keys (Always allowed)

Security Keys are always available for users, and are not explicitly enforced.

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

2FA and Device Verification

Keeper's advanced authentication system provides a built-in device verification that provides a second factor via email confirmation when attempting to login on an unrecognized device. If a user has configured 2FA, it can also be used as a method of device verification instead of email (for example, if email access is not possible).

2FA for Device Verification

Device Verification with 2FA is only possible with accounts that login with a Master Password. Users who login with SSO cannot use 2FA for device verification and must use Keeper Push on a new or unrecognized device.

Platform Restriction

An Admin can restrict the use of certain platforms in Keeper Vault including, Web Vault, Extensions, Mobile and Desktop devices. For KeeperChat, Desktop and Mobile.

Vault Features

An Admin can prevent users in a role from using standard features in the Vault. Each individual policy is described below.

Disable in-app onboarding

Turning this on will prevent the "Quick Start" module from appearing in users' vaults when they login in for the first time.

Prevent user from creating folders

Turning this on will prevent users in the role from creating a folder or a shared folder.

Prevent users from creating Identity and Payment records

Turning this on will prevent users in the role from creating Identity and Payment records, such as credit cards and addresses.

Mask custom fields

This will force all custom field names and values to be masked. The user will need to unmask by clicking the eye icon in the record. Here's an example of what this will look like:

Custom Field Masking

Mask notes

This will mask the notes section of a record. The user must click the eye icon unmask the details. Here's an example of what this will look like:

Notes Masking

Mask passwords

Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eye icon.

Pause BreachWatch on Client Devices

When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.

Send BreachWatch events to Reporting & Alerts and connected external logging systems

By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.

Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.

Require Re-authentication (Master Password or biometrics)

This enforcement policy allows you to require users to re-authenticate using either their Master Password or biometric login prior to completing the following actions:

  • Autofilling passwords

  • Revealing and copying a password or masked field

  • Editing, sharing and deleting a record or folder.

Additionally, "Delay re-authentication after minutes of inactivity" allows you to specify how many minutes should pass after inactivity before the user is asked to re-authenticate.

Note: This feature does not apply to SSO users.

Purging Deleted Records

By default, a deleted record will move into the Owner's trash bin ("Deleted Items"). Keeper provides two enforcement policies to control the handling of deleted items.

  • Day(s) before records can be cleared permanently

  • Day(s) before deleted records automatically purge

To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.

Admins can also configure automatic deletion of records that the user has placed into the trash bin.

Purging Deleted Records

Generated Password Complexity

This feature allows you to specify a password generator complexity policy on a per-domain basis, or use wildcards to specify a larger, matching pattern against domain names. With this enforcement policy in place, the record owner will be required to use the password generator feature (dice) to create a random high-strength password.

Wildcards can be used to create minimum password complexity rules for more than a single domain: *.com, *.net, *.gov, etc. can be configured. One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. For example, if you create a global rule (*) for a minimum password length of eight characters, and a (*.com) rule with a minimum of six characters, the lest permissive rule of eight characters will take precedence for all domains.

Apply Privacy Screen (Prevent Viewing Passwords)

Keeper's Privacy Screen, used in conjunction with the Generated Password Complexity policy described above, gives you the ability to control the viewing (unmasking) of passwords based on a specified domain. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users. It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.

Admin Console - Apply Privacy Screen

Inside the vault, any record with a matching URL will be locked, and the user cannot unmask to view the password.

Privacy Screen in Vault

Likewise, in the Browser Extension, the Privacy Screen is activated.

Privacy Screen on Browser Extension

Sharing & Uploading

By default, all Sharing & Uploading is allowed.

Sharing & Uploading Enforcements

Prevent record and folder sharing

Turning this on will prevent users in the role from sharing any record or folder.

Prevent record sharing to users outside of Keeper Enterprise

Turning on this policy will ensure records are not shared with users outside of your organization.

Prevent sharing records with file attachments

Turning this on will prevent users in the role from sharing records that have files attached to the record.

Prevent exporting of records from Web App and Desktop App

Turning this on will prevent users in the role from exporting their data from their Keeper Web Vault and Desktop App. Please note, this is a client-side enforcement since the data is loaded locally when a user logs into their vault.

Prevent users from uploading files

When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.

KeeperFill

KeeperFill is the browser extension that provides Keeper users with autofill capability on websites and applications.

To learn more about the KeeperFill Browser Extension in our guides.

KeeperFill Browser Extension

Admins can individually enable the various features and settings of the KeeperFill Browser extension.

  • Enable Hover Locks

  • Enable Prompt to Login

  • Enable Prompt to Fill

  • Enable Auto Submit

  • Enable Prompt to Save

  • Enable Prompt to Change

Restrict domain access

Admins can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.

Account Settings

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.

More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address. Note, SSO-enabled users cannot change their email.

Disable email invitations

If this policy is activated, users in the role will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. An additional use case for this would be if the Admin is testing the invite process.

Disable Stay Logged In

Activating this enforcement policy will disable the "Stay Logged In" feature for users in the role. "Stay Logged In" is a feature which allows the user to remain logged into the Web Vault, Desktop App and Browser Extension in between browser or computer restarts, according to the value set by the Logout Timer.

Logout Timer

The Admin can govern how long a platform is signed in. Web, Mobile and Desktop Apps can have separate logout timer durations, specified in minutes.

Logout Timer

Allow IP List

Users within the specified role can be restricted to use Keeper outside a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.

Make sure you test IP Allow on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.

Transfer Account

To enable account transfer toggle on the switch and select the eligible role which can perform the account transfer from the dropdown menu.

Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.

For detailed Account Transfer configuration information click here.

PBKDF2 Minimum Iterations

Keeper's encryption model uses a Password-Based Key Derivation Function (PBKDF2) to derive an encryption key from the user's Master Password. By default, Keeper defaults to using 100,000 iterations. We recommend leaving this setting as is unless there are performance issues on older web browsers.