Device Approvals

Description of Device Approvals and Approval Queue for SSO Connect Cloud

How Device Approvals Work

Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

When a user attempts to log in on a device that has never been used before, a device approval must take place. Part of this device approval process involves the transfer of an Elliptic-Curve encryption key to the new device.

To preserve Zero Knowledge, Keeper cannot simply use an email confirmation link (like the Master Password use cases) because Keeper's servers are restricted from accessing the user's private key. To solve this, we developed a Push-based approval system that can be performed by either the user or the designated Administrator.

When logging into a new or unrecognized device, the user can select if they would like to approve their device using an existing Keeper app, or they can request administrator approval:


Device Approval Methods

Keeper SSO Connect Cloud supports 3 different device approval methods:

1) Keeper Push

2) Admin Approval via the Keeper Admin Console

3) Admin Approval via Commander automation tool

Important Note about Private Browsing Mode

Web browsers in "Incognito" or "Private Browsing" mode are treated as a new, unrecognized device and require device approval each time the private window is closed and reopened, because the browser discards its stored data. This can confuse users who have no other device (such as a mobile phone or another computer/browser) actively logged in to approve from. To reduce that friction, you can configure automated approvals as described in the "Commander Method for Automated Approvals" section below.

Transfer Account Role Permission

The Transfer Account feature must currently be enabled for Admins who need to approve devices in the Approval Queue. Failure to configure this option could result in a user's vault becoming orphaned and inaccessible.

How to Enable Account Transfer

Visit the section in the Enterprise Guide on enabling account transfer: https://docs.keeper.io/enterprise-guide/account-transfer-policy#how-to-enable-account-transfer-functionality

Approve Devices Role Permission

A new role permission dedicated to device approvals is launching by the end of September. When assigning an Administrative role, simply check the "Approve Devices" box:

(1) Go to Roles within the root node or the SSO node

(2) Select the gear icon to control the Admin Permissions for the selected role.

(3) Assign "Approve Devices" permission

Now, any user added to this role is able to log in to the Admin Console or Commander to perform device approvals.

Keeper Push Method

Keeper Push is an approval method that the user completes on their own. Selecting "Keeper Push" sends a notification to the user's already-approved devices. On the mobile and desktop apps the push arrives and the user simply accepts the device approval.

1) Select Keeper Push


2) User waits for the push approval to appear on their other device


3) The user must be logged in on a different, already-recognized device to receive the notification; without one, the user must fall back to Admin Approval.

User Push Approval

Admin Approval Method via Admin Console

Selecting "Admin Approval" sends the request to Keeper Administrators who hold the Transfer Account permission or the "Approve Devices" permission. The Admin can act on it from the Admin Console "Approval Queue" screen, or immediately if they are logged into the Admin Console at the time of the request.

1) User selects "Admin Approval"


2) User waits for approval or comes back later


3) Administrator logs into the Admin Console and visits the Approval Queue


4) Admin reviews the information and approves the device

Device Approval Screen

Select the device to approve and then click "Approve". If the user is waiting, they are permitted to log in immediately. Otherwise, the user can log in later without a further approval, as long as they don't clear their web browser's stored data or reset the app.

Commander Method for Automated Approvals

Keeper Commander, our CLI and SDK platform, can perform Admin Device Approvals automatically without anyone logging in to the Admin Console.

Automated approvals can be configured on any computer that is able to run Keeper Commander (Mac, PC or Linux). The steps are outlined below:

Install Keeper Commander

Python Installation - Linux and Mac

  1. Get Python 3 from python.org.

  2. Install Keeper Commander with pip3:

$ pip3 install keepercommander

Important: Restart your terminal session after installation

Python Installation - Windows

  1. Download and install WinPython

  2. From the install folder of WinPython, run the "WinPython Command Prompt"

  3. Install Keeper Commander with pip3:

$ pip3 install keepercommander

Upgrading to Latest Python Code

$ pip3 install --upgrade keepercommander

Use CLI for Device Approvals

Enter the CLI using the "keeper shell" command.

$ keeper shell
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|
 password manager & digital vault

Use the "login" command to log in as a Keeper Admin who has the permission to approve devices. Commander supports Master Password login and 2FA.

My Vault> login admin@acme-demo.com
Password: *******

Type "device-approve" to list all devices pending approval:

My Vault> device-approve
Email                Device ID            Device Name         Client Version
-------------------  -------------------  ------------------  ----------------
demo@acme-demo.com   f68de375aacdff3846   Web Vault Chrome    w15.0.4
demo@acme-demo.com   41sffcb44187222bcc   Web Vault Chrome    w15.0.4

To manually approve a specific device, use this command:

My Vault> device-approve --approve <device ID>

To approve only those pending devices whose request comes from an IP address from which the user has previously logged in successfully, use this command:

My Vault> device-approve --approve --trusted-ip

To approve all pending devices regardless of IP address, use this command (this approves every pending request, so review the list first):

My Vault> device-approve --approve

To deny a specific device request, use the "--deny" option with the Device ID:

My Vault> device-approve --deny <device ID>

To deny all pending requests, omit the Device ID parameter:

My Vault> device-approve --deny

To fetch the latest pending device approvals without leaving the shell, use the "--reload" option:

My Vault> device-approve --reload
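The listing that device-approve prints has fixed-width columns, and a Device Name such as "Web Vault Chrome" contains spaces, so splitting it on whitespace breaks the fields. The Python script below is an added example (not part of Keeper Commander): it parses the listing by taking column boundaries from the dashed underline, applies an allow-list policy, and emits one per-device --approve or --deny command instead of a blanket approval. The sample rows are the two from this page plus one constructed row for an address outside the company domain; ALLOWED_DOMAIN and ALLOWED_VERSION_PREFIX are assumed values for illustration.

```python
"""Parse the `device-approve` listing and decide per device.

Added example, not part of Keeper Commander. The allow-list values below
(ALLOWED_DOMAIN, ALLOWED_VERSION_PREFIX) are assumptions for illustration.
"""
import re

# Constructed sample: the two rows printed on this page, plus one row for a
# request from an address outside the company domain.
SAMPLE_LISTING = "\n".join([
    f"{'Email':<19}  {'Device ID':<19}  {'Device Name':<18}  Client Version",
    f"{'-' * 19}  {'-' * 19}  {'-' * 18}  {'-' * 16}",
    f"{'demo@acme-demo.com':<19}  {'f68de375aacdff3846':<19}  {'Web Vault Chrome':<18}  w15.0.4",
    f"{'demo@acme-demo.com':<19}  {'41sffcb44187222bcc':<19}  {'Web Vault Chrome':<18}  w15.0.4",
    f"{'eve@attacker.test':<19}  {'0a1b2c3d4e5f6a7b8c':<19}  {'Web Vault Firefox':<18}  w15.0.4",
])

ALLOWED_DOMAIN = "acme-demo.com"   # assumption: the SSO-provisioned mail domain
ALLOWED_VERSION_PREFIX = "w15."    # assumption: the web vault release you expect


def parse_listing(text):
    """Return one dict per row, keyed by the header names.

    Column boundaries are taken from the dashed underline, so a value that
    contains spaces (e.g. "Web Vault Chrome") stays intact.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if i > 0 and set(line) <= {"-", " "}:
            starts = [m.start() for m in re.finditer(r"-+", line)]
            bounds = list(zip(starts, starts[1:] + [None]))
            header = lines[i - 1]
            names = [header[s:e].strip() for s, e in bounds]
            return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)}
                    for row in lines[i + 1:]]
    return []  # no table (e.g. "There are no pending devices to approve")


def decide(rows):
    """Split pending requests into (approve_ids, deny_ids) by policy."""
    approve, deny = [], []
    for r in rows:
        ok = (r["Email"].lower().endswith("@" + ALLOWED_DOMAIN)
              and r["Client Version"].startswith(ALLOWED_VERSION_PREFIX))
        (approve if ok else deny).append(r["Device ID"])
    return approve, deny


def commands(rows):
    """Per-device Commander commands, instead of a blanket `--approve`."""
    approve, deny = decide(rows)
    return ([f"device-approve --approve {d}" for d in approve]
            + [f"device-approve --deny {d}" for d in deny])


if __name__ == "__main__":
    for cmd in commands(parse_listing(SAMPLE_LISTING)):
        print(cmd)
```

Each emitted line is typed into the Commander shell as shown above; a request from an address outside the allowed domain gets an explicit --deny rather than being swept up by an unconditional --approve.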

Automatically Approving Devices every X seconds

Commander supports an automation mode that runs a list of commands every X seconds. To set it up, edit the config.json file that Commander creates automatically in the folder it runs from and add two keys, "commands" and "timedelay", as below:

{
  "device_id": "<filled in automatically>",
  "user": "admin@acme-demo.com",
  "commands": ["device-approve --reload", "device-approve --trusted-ip --approve"],
  "timedelay": 30
}

Now when you run "keeper shell", Commander will run the commands every time period specified. Example:

$ keeper shell
Executing [device-approve --reload]...
Password:
Logging in...
Syncing...
Executing [device-approve --reload]...
Email                Device ID            Device Name         Client Version
-------------------  -------------------  ------------------  ----------------
demo@acme-demo.com   f68de375aacdff3846   Web Vault Chrome    w15.0.4
Executing [device-approve --trusted-ip --approve]...
2020/09/20 21:59:47 Waiting for 30 seconds
Executing [device-approve --reload]...
There are no pending devices to approve
...

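Because config.json drives unattended approvals and also holds the admin's login state, it is worth checking before you deploy it. The Python checker below is an added example, not Commander code: it flags a "device-approve --approve" that has neither --trusted-ip nor a device ID (which approves every pending request), a missing or non-positive timedelay, a clear-text "password" key (the key name is an assumption), and file permissions that let other local users read the file. The two sample configs are constructed: the one from this page and a weakened variant.

```python
"""Check a Commander config.json before enabling unattended approvals.

Added example, not part of Keeper Commander. Assumes the layout shown on
this page ("commands", "timedelay") and, as an assumption, that an optional
"password" key would hold the admin's master password in clear text.
"""
import json
import os
import shlex
import stat


def classify(command):
    """Name what one device-approve invocation does.

    Returns "reload", "approve-one", "approve-trusted-ip", "approve-all",
    "deny-one", "deny-all" or "other".
    """
    argv = shlex.split(command)
    if not argv or argv[0] != "device-approve":
        return "other"
    flags = {a for a in argv[1:] if a.startswith("--")}
    device_ids = [a for a in argv[1:] if not a.startswith("--")]
    if "--reload" in flags:
        return "reload"
    if "--deny" in flags:
        return "deny-one" if device_ids else "deny-all"
    if "--approve" in flags:
        if device_ids:
            return "approve-one"
        return "approve-trusted-ip" if "--trusted-ip" in flags else "approve-all"
    return "other"


def lint(config, mode=None):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    commands = config.get("commands", [])
    for cmd in commands:
        kind = classify(cmd)
        if kind == "approve-all":
            findings.append(f"{cmd!r} approves every pending device regardless of IP; "
                            "add --trusted-ip or approve by device ID")
        elif kind == "deny-all":
            findings.append(f"{cmd!r} denies every pending request, including legitimate ones")
    delay = config.get("timedelay")
    if commands and not (isinstance(delay, int) and delay > 0):
        findings.append("timedelay must be a positive number of seconds when commands are set")
    if "password" in config:
        findings.append("master password stored in clear text; let Commander prompt instead")
    # st_mode bits for group/other: anyone else on the host could read the token
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is readable by group/other; chmod 600 config.json")
    return findings


def lint_file(path):
    """Load config.json from disk and lint it together with its permissions."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    return lint(config, os.stat(path).st_mode)


# Constructed samples: the config from this page, and a weakened variant.
SAFE = {
    "device_id": "<filled in automatically>",
    "user": "admin@acme-demo.com",
    "commands": ["device-approve --reload", "device-approve --trusted-ip --approve"],
    "timedelay": 30,
}
WEAK = dict(SAFE, commands=["device-approve --reload", "device-approve --approve"],
            password="hunter2")

if __name__ == "__main__":
    for name, cfg, mode in (("safe", SAFE, 0o100600), ("weak", WEAK, 0o100644)):
        print(name, lint(cfg, mode) or "OK")
```

Run lint_file("config.json") from the directory Commander runs in; an empty result means the automation only approves requests that pass the --trusted-ip check and that the file holding the admin's device token is not readable by other accounts on the host.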
There are many ways to customize and automate commands with Keeper Commander. To explore the full capabilities see the link below:

https://github.com/keeper-Security/commander