# Timers & Intervals

**Audience:** IT admins. This page lists **all timers and intervals** used in Keeper Privilege Manager: job scheduling, policy refresh, KeeperAgent, KeeperClient, logging, plugin health, session monitoring, watchdog, and internal plugin loops. For each timer you will find the **value**, **how to change it** (if configurable), and the **purpose**. *** Keeper EPM uses a set of timers and intervals to control when it syncs policies, runs jobs, checks health, monitors sessions, refreshes the user interface, and manages time-limited grants. This page is a single reference for all of them — what each timer does, its default value, and whether (and how) you can change it. {% hint style="info" icon="right-left" %} **Fixed vs. configurable:** Some timers are fixed in the product code and can only be changed by a product update. Others are configurable through settings files, plugin configuration, or the dashboard. Each section below identifies which category applies. {% endhint %} ## Quick Reference

Area	Timer	Default	Configurable?
Jobs	Scheduler tick	1 min	No
Jobs	Per-job interval	Varies by job	Yes — job JSON
Jobs	Process Config Policies min interval	60 s	No
Policy	Policy sync	10 min	Yes — KeeperApi `SyncFrequency`
Policy	Resend pending inventory	30 min	No
KeeperAgent	Approval list refresh	Same as policy sync	Yes — same as sync
KeeperAgent	MQTT loop delay	5 s	No
KeeperClient	KPM health check	30 s	No
KeeperClient	Menu / launcher refresh	5 min	Yes — `metadata.menu`
Logging	Flush to disk	5 s	No
Logging	Connection health log	5 min	No
Logging	KPM process check (shutdown)	500 ms	No
Plugin health	Plugin health check	30 s (0.5 min)	Yes — `appsettings.json`
Plugin health	Initial delay before first check	60 s	No
Session monitoring	Session polling	5 s	Yes — `appsettings.json`
Watchdog	Health check interval	10 s	Yes — Watchdog config
Watchdog	Startup delay	90 s	Yes — Watchdog config
File / execution grants	Default grant duration	240 min (4 hrs)	Yes — per-request via `DurationMinutes`
Policy evaluation	Custom filter timeout	30 s	Yes — KeeperPolicy plugin

* [Job Scheduling](#job-scheduling) * [Policy Refresh & Sync](#policy-refresh-and-sync) * [Keeper Agent](#keeper-agent) * [Keeper Client](#keeper-client) * [Logging](#logging) * [Plugin Health Monitoring](#plugin-health-monitoring) * [Session Monitoring](#session-monitoring) * [Watchdog](#watchdog) * [File Access & Execution Grants](#file-access-and-execution-grants) * [Policy Evaluation Timeout](#policy-evaluation-timeout) ## Job Scheduling The job service evaluates all scheduled jobs once per minute. When the current time matches a job's configured schedule, the job is queued to run.

Timer	Default	Configurable?
Scheduler tick	1 minute	No — fixed in code
Process Configuration Policies – minimum interval	60 seconds	No — fixed in code; prevents the configuration processor from running again immediately when multiple triggers fire at once
Per-job schedule	Varies	Yes — edit the job's JSON: `schedule.intervalMinutes`, `schedule.cronExpression`, `schedule.runAt`, or `schedule.calendar`

### **Common per-job schedule examples:**

Job	Default schedule
`ephemeral-account-cleanup-if-unused`	Every 0.5 minutes (30 seconds)
`ephemeral-orphan-profile-folders-cleanup`	Every 5 minutes (Windows only)
`mfa-lockout-cleanup`	Every 1 minute
`keeperagent-silent-expiration-check`	Every 1440 minutes (24 hours)

**To configure:** Edit the job's JSON file in the `Jobs/` directory, setting `schedule.intervalMinutes` (or `schedule.cronExpression`, `schedule.runAt`, or `schedule.calendar` depending on the schedule type). Jobs can also be updated centrally across all endpoints using an **Update Jobs** policy. See [Jobs: Definition & Format](/keeperpam/endpoint-privilege-manager/reference/jobs-definition-and-format.md) for the full schedule syntax. *** ## Policy Refresh & Sync The agent periodically checks the Keeper backend for updated policies, jobs, and approval data. This is driven by the **KeeperApi** plugin.

Timer	Default	Configurable?
Policy sync	10 minutes	Yes
Resend pending inventory	30 minutes	No — fixed in code
Approval list refresh	Same as policy sync (10 min default)	Yes — controlled by the same setting as policy sync

**How approvals are updated:** Approval data is not on a separate timer. It is updated as part of the same sync-down cycle that pulls new policies. The Keeper Agent also refreshes its approval list automatically when a user opens the approvals view, or after an approver grants or denies a request. **To configure:** Change the **`SyncFrequency`** setting (or `sync.interval_minutes`) in the KeeperApi plugin. This can be set via the dashboard, by editing `Plugins/KeeperApi.json` directly, or via `PUT /api/PluginSettings/KeeperApi/...`. The value is in minutes. To trigger an immediate policy sync on an endpoint, use the **Refresh Policies** option in the Keeper Agent system tray menu. *** ## Keeper Agent The Keeper Agent is the desktop application that users interact with to manage and launch their approval requests.

Timer	Default	Configurable?
Approval list refresh	Same as policy sync (10 min)	Yes
MQTT loop delay	5 seconds	No — fixed in code

**To configure:** The approval list refresh interval is controlled by the same `SyncFrequency` setting as policy sync — see section 2 above. The MQTT loop delay cannot be changed. *** ## Keeper Client The Keeper Client is the system tray application that handles notifications, menu items, and user-facing actions on the endpoint.

Timer	Default	Configurable?
KPM health check	30 seconds	No — set at build time
Menu / launcher refresh	5 minutes	Yes

The **KPM health check** controls how quickly the system tray icon reflects that the main service has gone down. The **menu refresh** controls how quickly new jobs, launchers, and menu items appear in the tray after they are deployed. **To configure the menu refresh interval:** Set **`metadata.menu.refreshIntervalMinutes`** in the KeeperClient plugin. This can be edited in `Plugins/KeeperClient.json` or via the PluginSettings API. The setting **`metadata.menu.autoRefresh`** must be `true` for the refresh timer to run. *** ## Logging The **KeeperLogger** plugin manages log output. Most of its internal intervals are fixed to ensure reliable, consistent behavior. Log rotation and retention thresholds are configurable.

Timer	Default	Configurable?
Flush to disk	5 seconds	No — fixed in code
Connection health log	5 minutes	No — fixed in code
KPM process check (for shutdown)	500 ms	No — fixed in code
Log rotation / retention	Configurable	Yes

Log rotation and retention are thresholds, not periodic timers. The logger rotates when the file reaches the configured size limit and removes old files when they exceed the configured retention period. **To configure log rotation and retention:** Set **`maxFileSizeMB`** and **`logRetentionDays`** in the KeeperLogger plugin settings. See [Reading Logs](/keeperpam/endpoint-privilege-manager/user-guides/reading-logs.md) for details. *** ## Plugin Health Monitoring The main service monitors each plugin process to detect crashes or unexpected exits.

Timer	Default	Configurable?
Plugin health check interval	30 seconds (0.5 min)	Yes
Initial delay before first check	60 seconds	No — fixed in code

The initial delay allows plugins time to start cleanly before they are first probed, preventing false-positive failure detection during service startup. **To configure the health check interval:** Set **`PluginMonitoring:CheckIntervalMinutes`** in `appsettings.json`. The minimum effective value is 0.1 minutes (6 seconds). *** ## Session Monitoring The service monitors user sessions to detect logons, logoffs, and Remote Desktop (RDP) connect and disconnect events. Session changes can trigger jobs — for example, starting the Keeper Client when a user logs on. | Timer | Default | Configurable? | | ---------------------------- | --------- | ------------- | | **Session polling interval** | 5 seconds | Yes | A shorter interval means session-based jobs start faster after a user logs in or reconnects over RDP. **To configure:** Set **`SessionMonitoring:PollingIntervalSeconds`** in `appsettings.json`. The minimum value is 1 second. *** ## Watchdog The **Watchdog** is a separate, lightweight monitoring service that runs independently of the main Keeper EPM service. It periodically probes the main service's health endpoint and can automatically restart the service if it becomes unresponsive.

Timer	Default	Configurable?
Health check interval	10 seconds	Yes — clamped between 2 and 300 seconds
Startup delay	90 seconds	Yes — minimum 30 seconds

The startup delay gives the main service time to finish starting before the Watchdog begins health checks, preventing false-positive failure detection during normal startup. The Watchdog can be configured to either restart the service automatically (`AutoRemediate: true`) or only monitor and log (`AutoRemediate: false`). **To configure:** Set **`Watchdog:CheckIntervalSec`** and **`Watchdog:StartupDelaySec`** in the Watchdog's `appsettings.json` configuration. Both settings can also be pushed centrally to endpoints using a **ConfigurationUpdate** policy. See [Plugin and Task Settings](/keeperpam/endpoint-privilege-manager/reference/plugin-and-task-settings.md) for details. *** ## File Access & Execution Grants When a user is granted temporary access to a file or elevated execution after satisfying a control (MFA, Justification, or Approval), that access is time-limited and reverts automatically when the grant expires.

Timer / Value	Default	Configurable?
File access grant duration	240 minutes (4 hours)	Yes — per request
Execution grant duration	240 minutes (4 hours)	Yes — per request
ApplyFileAccessPolicies job schedule	Per job definition	Yes — job JSON

These durations are defaults set in code. There is no global dashboard slider. Changing the default requires pushing a modified job definition to endpoints using an **Update Jobs** policy. **To configure:** Set the **`DurationMinutes`** parameter in the `GrantFileAccess` job (for approval-gated access) or the `LaunchFileAccess` job (for MFA- or justification-gated access). See [Configuring the Approval Duration](/keeperpam/endpoint-privilege-manager/user-guides/configuring-the-approval-duration.md) for step-by-step instructions. *** ## Policy Evaluation Timeout When a policy uses a **custom filter job**, the policy engine calls that job during evaluation and waits for a response. If the job does not respond within the timeout window, the custom filter is treated as failed. | Timer | Default | Configurable? | | ------------------------------------ | ---------- | ------------- | | **Custom filter evaluation timeout** | 30 seconds | Yes | This is a per-request timeout, not a recurring interval. If your custom filter jobs involve external API calls or slower scripts, you may need to increase this value to prevent evaluation timeouts. **To configure:** Set **`customfilter.timeout_seconds`** in the KeeperPolicy plugin settings. See [Plugin and Task Settings](/keeperpam/endpoint-privilege-manager/reference/plugin-and-task-settings.md) for details. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/reference/timers-and-intervals.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.