# Setting up RBI

## Overview

In this guide, you will learn how to set up Remote Browser Isolation (RBI) in your Keeper Vault. RBI works from both the Web Vault and the Desktop App.

## Prerequisites

Prior to configuring RBI, make sure to have the following:

### Remote Browser Isolation Enforcement Policies

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under **Admin** > **Roles** > **Enforcement Policies** > **Privileged Access Manager**.

<figure><img src="/files/DV89Pguzeglku6sYbGFl" alt=""><figcaption><p>Remote Browser Isolation Policies</p></figcaption></figure>

The following Enforcement Policies affect a user's permission to use Remote Browser Isolation and need to be enabled:

<table><thead><tr><th width="196">Enforcement Policy</th><th width="274">Commander Enforcement Policy</th><th>Definition</th></tr></thead><tbody><tr><td>Can configure remote browsing settings</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_RBI
</code></pre></td><td>Allow users to configure Remote Browser and session recording settings on PAM Remote Browsing and PAM Configuration Records Types</td></tr><tr><td>Can launch remote browsing</td><td><pre data-overflow="wrap"><code>ALLOW_LAUNCH_RBI
</code></pre></td><td>Allow users to launch remote browsing on PAM Remote Browsing Record Types</td></tr><tr><td>Can view RBI session recordings</td><td><pre><code>ALLOW_VIEW_RBI_RECORDINGS
</code></pre></td><td>Allow users to view RBI Session Recordings.</td></tr></tbody></table>

The above enforcement policies can also be enabled on the [Keeper Commander CLI](/keeperpam/commander-cli/command-reference/secrets-manager-commands.md#overview) using the `enterprise-role` command:

```
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_LAUNCH_RBI":true
enterprise-role "My Role" --enforcement "ALLOW_VIEW_RBI_RECORDINGS":true
```

#### Enforcement Policy Use Cases

If a user should only be able to launch RBI sessions and not configure RBI settings, then only the "Can launch remote browsing" policy should be enabled for the user.

If, in addition to launching RBI sessions, a user should also be able to configure RBI settings, then the "Can configure remote browsing settings" and "Can launch remote browsing" policies should be enabled for the user.

To allow users to view RBI session recordings, the "Can configure remote browsing settings" policy should be enabled for the user.

### Session Recordings

Launched RBI sessions can also be recorded. These recordings are available on the PAM Browser record types and can be played back on your Vault. For more details on session recording and playback, visit this [page](/keeperpam/privileged-access-manager/session-recording-and-playback.md).

### Installing the Keeper Gateway

The Keeper Gateway is a hosted agentless service that is installed on the customer's network to enable zero-trust access to target infrastructure. Typically this service is installed on a Linux or Docker environment in each of the networks that require access.

For more details on installing and setting up your gateway, visit this [page](/keeperpam/privileged-access-manager/getting-started/gateways.md).

### PAM Configuration

The **PAM Configuration** contains essential information about your target infrastructure, settings and [Keeper Gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md). Setting up a PAM Configuration for your infrastructure is **required**. For more information on creating and configuring the PAM Configuration, visit this [page](/keeperpam/privileged-access-manager/getting-started/pam-configuration.md).

### PAM Remote Browser

When launching an RBI session, the Web and Desktop Vault Client will render a Chromium browser window with an established connection to the URL defined on the PAM Browser record. For more information on how to set up the PAM Browser Record, visit this [page](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-remote-browser.md).

## PAM Settings - Remote Browser Isolation

### **Accessing RBI Settings**

After creating a PAM Browser Settings with the target URL, navigate to the PAM Settings by:

1. Editing the PAM Browser Record
2. Clicking on "Set Up" in the PAM Settings section

<figure><img src="/files/6PISNDIpBokxqVIfJECd" alt=""><figcaption></figcaption></figure>

### Configuring RBI Settings

After opening the PAM Settings screen, you can configure the RBI fields. The following table lists all the configurable fields for RBI:

<table><thead><tr><th width="295">Field</th><th>Definition</th></tr></thead><tbody><tr><td>PAM Configuration</td><td><p><strong>Required</strong></p><p>This is the PAM Configuration that defines the environment and Gateway being utilized.</p></td></tr><tr><td>Enable Remote Browser Isolation</td><td><strong>Required</strong><br>To enable RBI for this record, this toggle needs to be enabled.</td></tr><tr><td>Graphical Session Recording</td><td>When enabled, graphical session recordings will be enabled for this record. Required for KeeperAI.</td></tr><tr><td>Key Events</td><td>When enabled, the keyboard events will also be monitored and played back alongside the graphical session recording. Required for KeeperAI.</td></tr><tr><td>Allow navigation via direct URL manipulation</td><td>If checked, the user will be presented with a URL navigation bar.</td></tr><tr><td>Allow File Downloads</td><td>If checked, allow website file downloads through RBI to the local machine.</td></tr><tr><td>Allow File Uploads</td><td>If checked, allow website file uploads through RBI.</td></tr><tr><td>Ignore server certificate</td><td>If set, the Chromium browser will ignore an invalid certificate as long as the URL matches the exact domain that is set in the Record URL field.</td></tr><tr><td>Session Persistence</td><td>Session Persistence controls whether RBI sessions are temporary, user-specific or shared across users, determining how session data is retained and reused.<br><br><strong>None</strong> - No session data is retained. Each session starts fresh with no stored cookies, local storage or history.<br><br><strong>By User</strong> - Session data is retained for the individual user.<br><br><strong>By Resource</strong> - A single shared session is maintained for the resource (RBI record) and reused across users. Only one active session is allowed at a time.<br><br>Detailed Information <a href="#session-persistence">here</a></td></tr><tr><td>Allow URL Patterns</td><td><p>The patterns of all URLs that the user should be allowed to visit, regardless of whether via manual navigation (URL bar) or interacting with the current page. Multiple patterns may be specified, separated by newlines.</p><p>If specified, only pages matching patterns in the list are permitted.<br></p><p>By default, all URLs are permitted.<br><br>Detailed Information <a href="/pages/awHU6IJPTVQT21eCOAjZ#overview">here</a><br></p></td></tr><tr><td>Allow Resource URL Patterns</td><td><p>The patterns of all URLs that the page should be allowed to load as a resource, such as an image, script, stylesheet, font, etc. Multiple patterns may be specified, separated by newlines.<br></p><p>If specified, only resources matching patterns in the list are permitted to be loaded.<br></p><p>By default, no restrictions are imposed on resources loaded by pages.<br><br>Detailed Information <a href="/pages/awHU6IJPTVQT21eCOAjZ#overview">here</a></p></td></tr><tr><td>Browser Autofill - Credentials</td><td>RBI sessions launched from the Keeper Vault provide the capability of autofilling a username and password into a target website login screen. A vault record that is shared to a KSM application can be linked here. The credentials on this linked record will be autofilled in the target website login screen based on the autofill rules defined in the Autofill Targets section.<br><br>Detailed Information <a href="/pages/JtIYNW80QVx3YzJQZ5Bi">here</a></td></tr><tr><td>Browser Autofill - Autofill Targets</td><td>This section will contain the autofill rules, which are a JSON/YAML array of objects, where each object contains an autofill rule.<br><br>Detailed Information <a href="/pages/JtIYNW80QVx3YzJQZ5Bi">here</a></td></tr><tr><td>Can copy to clipboard</td><td>If enabled, text copied within the RBI session will be accessible by the user.</td></tr><tr><td>Can paste from clipboard</td><td>If enabled, the user can paste text from the clipboard within the connected RBI session.</td></tr></tbody></table>

### File Upload and Download

Keeper Remote Browser Isolation (RBI) provides secure file transfer capabilities that allow users to move files between their local device and the isolated browser session.

* **Allow file uploads**\
  When enabled, users can upload files from their local machine into the remote browser session. This includes support for drag-and-drop or standard file selection within the browser. Uploaded files are transferred securely into the isolated environment without exposing the local system to web-based threats.
* **Allow file downloads**\
  When enabled, users can download files from the remote browser session to their local machine. Files retrieved from the isolated session are delivered securely to the user’s device.

These controls can be configured based on organizational security policies to restrict or allow file movement as needed.

**Note:** File transfer capabilities should be enabled based on risk tolerance, as allowing uploads or downloads may introduce data exfiltration or malware transfer considerations depending on the use case.

### Session Persistence

By default, every new Remote Browser Isolation session runs in **incognito mode**, where no session data (such as cookies, local storage or browsing history) is retained after the session ends. This allows multiple users to run concurrent sessions without any persistence of data.

The **Session Persistence** setting controls how session data is retained:

* **None (Incognito mode)**\
  No data is stored between sessions. Each session starts fresh and is completely isolated. This is the most secure option and is recommended for general use and untrusted browsing.
* **By User (session retained for current user)**\
  Session data is preserved for the individual user. When the user reconnects, they can resume their previous session state (e.g., logged-in sessions, open tabs). Other users cannot access this session.
* **By Resource (shared session across users)**\
  A single persistent session is shared across all users accessing the RBI resource. Only one active session is allowed at a time. This is useful for shared accounts or environments where continuity across users is required, but it should be used carefully due to shared access.
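The settings in the table above interact, so it helps to review them as a group rather than one toggle at a time. The following is an added example, not Keeper code: the dictionary keys are hypothetical names for values transcribed by hand from the PAM Settings screen (not a Keeper export format or API), and the severities are this example's own judgment.

```python
# Added example: key names are hypothetical, values are transcribed by hand
# from the PAM Settings screen. This is not a Keeper export format or API.
SAMPLE = {  # constructed sample record
    "session_persistence": "By Resource",  # "None" | "By User" | "By Resource"
    "graphical_recording": False,
    "key_events": False,
    "keeperai": True,
    "url_bar": True,
    "allow_url_patterns": [],
    "allow_downloads": True,
    "allow_uploads": False,
    "clipboard_copy": True,
    "clipboard_paste": False,
    "ignore_server_certificate": True,
}

# Settings that let data cross the isolation boundary.
CHANNELS = ("allow_downloads", "allow_uploads", "clipboard_copy", "clipboard_paste")


def review_rbi_settings(s):
    """Return (severity, message) findings; severities are this example's own."""
    out = []
    recorded = s.get("graphical_recording", False)
    if s.get("ignore_server_certificate"):
        out.append(("high", "invalid server certificates are ignored"))
    # By default all URLs are permitted, so a URL bar without patterns is open browsing.
    if s.get("url_bar") and not s.get("allow_url_patterns"):
        out.append(("high", "URL bar with no Allow URL Patterns: any URL is reachable"))
    if s.get("session_persistence") == "By Resource":
        out.append(("medium", "one persistent session is shared across users"))
        if not recorded:
            out.append(("high", "shared session is not recorded"))
    # Both recording options are listed as required for KeeperAI.
    if s.get("keeperai") and not (recorded and s.get("key_events")):
        out.append(("medium", "KeeperAI needs Graphical Session Recording and Key Events"))
    open_channels = [c for c in CHANNELS if s.get(c)]
    if open_channels and not recorded:
        out.append(("medium", "unrecorded session with open channels: " + ", ".join(open_channels)))
    return out


if __name__ == "__main__":
    for severity, message in review_rbi_settings(SAMPLE):
        print(f"[{severity}] {message}")
```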

## Session Recordings - RBI

<figure><img src="/files/1Azb1Go8bFBafB4eelNw" alt=""><figcaption></figcaption></figure>

For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the [Session Recording & Playback](/keeperpam/privileged-access-manager/session-recording-and-playback.md) docs.

## Workflow and RBI

Workflow (check-in/check-out) can be enabled on PAM Browser records to add approval controls and governance to web-based access.

When Workflow is applied to RBI sessions:

* Users must request access before launching a session
* Access can require approval from designated approvers
* Sessions can be time-bound, ensuring access is automatically revoked after a defined period
* All access is tracked for accountability and audit purposes

This ensures that access to sensitive web applications through RBI is controlled, monitored and aligned with organizational security policies.

To learn more, visit the following page:

{% content-ref url="/pages/XxNCDDQtE3ysUWYD4fMk" %}
[Workflow](/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow.md)
{% endcontent-ref %}

## KeeperAI and RBI

KeeperAI can be enabled on Remote Browser Isolation (RBI) and PAM Browser records to provide AI-powered threat detection and session analysis.

When enabled, KeeperAI monitors browser sessions in real time and analyzes user activity to identify potential security risks. This includes detecting anomalous behavior, suspicious actions and indicators of compromise during web-based sessions.

To learn more, visit the following page:

{% content-ref url="/pages/hPhvWPKEYG0crNdsO2JO" %}
[KeeperAI](/keeperpam/privileged-access-manager/keeperai.md)
{% endcontent-ref %}


