Timers & Intervals
Audience: IT admins. This page lists all timers and intervals used in Keeper Privilege Manager: job scheduling, policy refresh, KeeperAgent, KeeperClient, logging, plugin health, session monitoring, watchdog, and internal plugin loops. For each timer you will find the value, how to change it (if configurable), and the purpose.
Keeper EPM uses a set of timers and intervals to control when it syncs policies, runs jobs, checks health, monitors sessions, refreshes the user interface, and manages time-limited grants. This page is a single reference for all of them — what each timer does, its default value, and whether (and how) you can change it.
Fixed vs. configurable: Some timers are fixed in the product code and can only be changed by a product update. Others are configurable through settings files, plugin configuration, or the dashboard. Each section below identifies which category applies.
Quick Reference
Jobs
Scheduler tick
1 min
No
Jobs
Per-job interval
Varies by job
Yes — job JSON
Jobs
Process Config Policies min interval
60 s
No
Policy
Policy sync
10 min
Yes — KeeperApi SyncFrequency
Policy
Resend pending inventory
30 min
No
KeeperAgent
Approval list refresh
Same as policy sync
Yes — same as sync
KeeperAgent
MQTT loop delay
5 s
No
KeeperClient
KPM health check
30 s
No
KeeperClient
Menu / launcher refresh
5 min
Yes — metadata.menu
Logging
Flush to disk
5 s
No
Logging
Connection health log
5 min
No
Logging
KPM process check (shutdown)
500 ms
No
Plugin health
Plugin health check
30 s (0.5 min)
Yes — appsettings.json
Plugin health
Initial delay before first check
60 s
No
Session monitoring
Session polling
5 s
Yes — appsettings.json
Watchdog
Health check interval
10 s
Yes — Watchdog config
Watchdog
Startup delay
90 s
Yes — Watchdog config
File / execution grants
Default grant duration
240 min (4 hrs)
Yes — per-request via DurationMinutes
Policy evaluation
Custom filter timeout
30 s
Yes — KeeperPolicy plugin
Job Scheduling
The job service evaluates all scheduled jobs once per minute. When the current time matches a job's configured schedule, the job is queued to run.
Scheduler tick
1 minute
No — fixed in code
Process Configuration Policies – minimum interval
60 seconds
No — fixed in code; prevents the configuration processor from running again immediately when multiple triggers fire at once
Per-job schedule
Varies
Yes — edit the job's JSON: schedule.intervalMinutes, schedule.cronExpression, schedule.runAt, or schedule.calendar
Common per-job schedule examples:
ephemeral-account-cleanup-if-unused
Every 0.5 minutes (30 seconds)
ephemeral-orphan-profile-folders-cleanup
Every 5 minutes (Windows only)
mfa-lockout-cleanup
Every 1 minute
keeperagent-silent-expiration-check
Every 1440 minutes (24 hours)
To configure: Edit the job's JSON file in the Jobs/ directory, setting schedule.intervalMinutes (or schedule.cronExpression, schedule.runAt, or schedule.calendar depending on the schedule type). Jobs can also be updated centrally across all endpoints using an Update Jobs policy. See Jobs: Definition & Format for the full schedule syntax.
Policy Refresh & Sync
The agent periodically checks the Keeper backend for updated policies, jobs, and approval data. This is driven by the KeeperApi plugin.
Policy sync
10 minutes
Yes
Resend pending inventory
30 minutes
No — fixed in code
Approval list refresh
Same as policy sync (10 min default)
Yes — controlled by the same setting as policy sync
How approvals are updated: Approval data is not on a separate timer. It is updated as part of the same sync-down cycle that pulls new policies. The Keeper Agent also refreshes its approval list automatically when a user opens the approvals view, or after an approver grants or denies a request.
To configure: Change the SyncFrequency setting (or sync.interval_minutes) in the KeeperApi plugin. This can be set via the dashboard, by editing Plugins/KeeperApi.json directly, or via PUT /api/PluginSettings/KeeperApi/.... The value is in minutes.
To trigger an immediate policy sync on an endpoint, use the Refresh Policies option in the Keeper Agent system tray menu.
Keeper Agent
The Keeper Agent is the desktop application that users interact with to manage and launch their approval requests.
Approval list refresh
Same as policy sync (10 min)
Yes
MQTT loop delay
5 seconds
No — fixed in code
To configure: The approval list refresh interval is controlled by the same SyncFrequency setting as policy sync — see section 2 above. The MQTT loop delay cannot be changed.
Keeper Client
The Keeper Client is the system tray application that handles notifications, menu items, and user-facing actions on the endpoint.
KPM health check
30 seconds
No — set at build time
Menu / launcher refresh
5 minutes
Yes
The KPM health check controls how quickly the system tray icon reflects that the main service has gone down. The menu refresh controls how quickly new jobs, launchers, and menu items appear in the tray after they are deployed.
To configure the menu refresh interval: Set metadata.menu.refreshIntervalMinutes in the KeeperClient plugin. This can be edited in Plugins/KeeperClient.json or via the PluginSettings API. The setting metadata.menu.autoRefresh must be true for the refresh timer to run.
Logging
The KeeperLogger plugin manages log output. Most of its internal intervals are fixed to ensure reliable, consistent behavior. Log rotation and retention thresholds are configurable.
Flush to disk
5 seconds
No — fixed in code
Connection health log
5 minutes
No — fixed in code
KPM process check (for shutdown)
500 ms
No — fixed in code
Log rotation / retention
Configurable
Yes
Log rotation and retention are thresholds, not periodic timers. The logger rotates when the file reaches the configured size limit and removes old files when they exceed the configured retention period.
To configure log rotation and retention: Set maxFileSizeMB and logRetentionDays in the KeeperLogger plugin settings. See Reading Logs for details.
Plugin Health Monitoring
The main service monitors each plugin process to detect crashes or unexpected exits.
Plugin health check interval
30 seconds (0.5 min)
Yes
Initial delay before first check
60 seconds
No — fixed in code
The initial delay allows plugins time to start cleanly before they are first probed, preventing false-positive failure detection during service startup.
To configure the health check interval: Set PluginMonitoring:CheckIntervalMinutes in appsettings.json. The minimum effective value is 0.1 minutes (6 seconds).
Session Monitoring
The service monitors user sessions to detect logons, logoffs, and Remote Desktop (RDP) connect and disconnect events. Session changes can trigger jobs — for example, starting the Keeper Client when a user logs on.
Session polling interval
5 seconds
Yes
A shorter interval means session-based jobs start faster after a user logs in or reconnects over RDP.
To configure: Set SessionMonitoring:PollingIntervalSeconds in appsettings.json. The minimum value is 1 second.
Watchdog
The Watchdog is a separate, lightweight monitoring service that runs independently of the main Keeper EPM service. It periodically probes the main service's health endpoint and can automatically restart the service if it becomes unresponsive.
Health check interval
10 seconds
Yes — clamped between 2 and 300 seconds
Startup delay
90 seconds
Yes — minimum 30 seconds
The startup delay gives the main service time to finish starting before the Watchdog begins health checks, preventing false-positive failure detection during normal startup. The Watchdog can be configured to either restart the service automatically (AutoRemediate: true) or only monitor and log (AutoRemediate: false).
To configure: Set Watchdog:CheckIntervalSec and Watchdog:StartupDelaySec in the Watchdog's appsettings.json configuration. Both settings can also be pushed centrally to endpoints using a ConfigurationUpdate policy. See Plugin and Task Settings for details.
File Access & Execution Grants
When a user is granted temporary access to a file or elevated execution after satisfying a control (MFA, Justification, or Approval), that access is time-limited and reverts automatically when the grant expires.
File access grant duration
240 minutes (4 hours)
Yes — per request
Execution grant duration
240 minutes (4 hours)
Yes — per request
ApplyFileAccessPolicies job schedule
Per job definition
Yes — job JSON
These durations are defaults set in code. There is no global dashboard slider. Changing the default requires pushing a modified job definition to endpoints using an Update Jobs policy.
To configure: Set the DurationMinutes parameter in the GrantFileAccess job (for approval-gated access) or the LaunchFileAccess job (for MFA- or justification-gated access). See Configuring the Approval Duration for step-by-step instructions.
Policy Evaluation Timeout
When a policy uses a custom filter job, the policy engine calls that job during evaluation and waits for a response. If the job does not respond within the timeout window, the custom filter is treated as failed.
Custom filter evaluation timeout
30 seconds
Yes
This is a per-request timeout, not a recurring interval. If your custom filter jobs involve external API calls or slower scripts, you may need to increase this value to prevent evaluation timeouts.
To configure: Set customfilter.timeout_seconds in the KeeperPolicy plugin settings. See Plugin and Task Settings for details.
Last updated