Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper roll-out. The reason is that Account Transfer relies on the sharing of encryption keys between users and the users who have rights to perform the transfer. To preserve Keeper's Zero Knowledge architecture, this key exchange happens on the client when the user logs into their vault, not on the server. Therefore, the Account Transfer setup must be configured before a user's account needs to be transferred: a successful transfer requires that the user has logged in at least once prior to the transfer action.
When a user is onboarded via SSO Connect Cloud™, a device public/private key pair is generated by the client device. The private key is stored locally and the public key is stored on the Keeper cloud server. The vault's data key is encrypted with the device public key. When the user needs to log into a new device, they can approve it from a previously logged-in device, which encrypts the data key with the new device's public key; the new device then decrypts it with its own device private key. To give an administrator the ability to perform a device approval (to support a user who has deleted all of their devices), enable Account Transfer on a role that all SSO users are members of. This shares the data key with the administrators, who can then perform the exchange of keys for a new device.
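The two approval paths described above (an existing device re-wrapping the data key for a new device, and an administrator who already holds the data key via Account Transfer wrapping it when no device remains) are modelled in the following added example. It is not Keeper's code and does not reproduce Keeper's actual primitives: it is a standard-library-only stand-in that uses finite-field Diffie-Hellman over the RFC 2409 Group 2 prime, an HKDF-style SHA-256 derivation, an HMAC-SHA256 keystream in place of a real cipher, and an HMAC tag. All function names, the in-memory `server` dictionary and the sample data key are assumptions constructed for the illustration.

```python
"""Toy model of device-key based data-key exchange (constructed example,
not Keeper's implementation or algorithms). Standard library only."""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" 1024-bit MODP prime, generator 2 (toy choice).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8
DATA_KEY_LEN = 32  # 256-bit vault data key (assumed size)


def generate_device_keypair():
    """Device side: the private scalar never leaves the device; the public value is uploaded."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _kdf(shared: int, label: bytes, n: int) -> bytes:
    """HKDF-like expansion of a DH shared secret into n bytes (toy, SHA-256 based)."""
    prk = hmac.new(b"toy-salt", shared.to_bytes(P_BYTES, "big"), hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < n:
        block = hmac.new(prk, block + label + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:n]


def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode HMAC keystream standing in for a real cipher (toy)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt_to_public_key(pub: int, plaintext: bytes) -> dict:
    """Wrap plaintext (here: the data key) so that only the matching private key can open it."""
    eph_priv, eph_pub = generate_device_keypair()
    okm = _kdf(pow(pub, eph_priv, P), b"wrap", 64)
    enc_key, mac_key = okm[:32], okm[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, eph_pub.to_bytes(P_BYTES, "big") + ct, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "ct": ct, "tag": tag}


def decrypt_with_private_key(priv: int, blob: dict) -> bytes:
    """Unwrap on the device; a wrong device key or a tampered blob fails the tag check."""
    okm = _kdf(pow(blob["eph_pub"], priv, P), b"wrap", 64)
    enc_key, mac_key = okm[:32], okm[32:]
    expected = hmac.new(mac_key, blob["eph_pub"].to_bytes(P_BYTES, "big") + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong device key or tampered blob")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, len(blob["ct"]))))


def approve_from_existing_device(approver_priv: int, approver_blob: dict, new_pub: int) -> dict:
    """Path 1: a previously logged-in device unwraps its copy of the data key and re-wraps it."""
    return encrypt_to_public_key(new_pub, decrypt_with_private_key(approver_priv, approver_blob))


def admin_approve(transferred_data_key: bytes, new_pub: int) -> dict:
    """Path 2: an admin on an Account-Transfer-enabled role already holds the data key,
    so the approval works even when the user has deleted every device."""
    return encrypt_to_public_key(new_pub, transferred_data_key)


def simulate() -> dict:
    data_key = secrets.token_bytes(DATA_KEY_LEN)  # constructed sample data key
    laptop_priv, laptop_pub = generate_device_keypair()
    # The server only ever sees public values and wrapped blobs (zero knowledge).
    server = {"laptop": {"pub": laptop_pub, "wrapped": encrypt_to_public_key(laptop_pub, data_key)}}

    phone_priv, phone_pub = generate_device_keypair()
    server["phone"] = {"pub": phone_pub,
                       "wrapped": approve_from_existing_device(laptop_priv, server["laptop"]["wrapped"], phone_pub)}
    phone_ok = decrypt_with_private_key(phone_priv, server["phone"]["wrapped"]) == data_key

    # A key the user never approved cannot unwrap what the server stores.
    rogue_priv, _ = generate_device_keypair()
    try:
        decrypt_with_private_key(rogue_priv, server["phone"]["wrapped"])
        rogue_rejected = False
    except ValueError:
        rogue_rejected = True

    # User deleted all devices: only the transferred data key lets an admin approve the tablet.
    tablet_priv, tablet_pub = generate_device_keypair()
    tablet_ok = decrypt_with_private_key(tablet_priv, admin_approve(data_key, tablet_pub)) == data_key
    return {"phone_ok": phone_ok, "rogue_rejected": rogue_rejected, "tablet_ok": tablet_ok}


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is the one the paragraph above relies on: the server holds nothing that decrypts the data key, so without either a still-enrolled device or an administrator who received the data key through Account Transfer, there is no party that can wrap it for a new device.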
Visit the section in the Enterprise Guide on enabling account transfer: https://docs.keeper.io/enterprise-guide/account-transfer-policy#how-to-enable-account-transfer-functionality
By Sept 30, 2020, Keeper will introduce a new Administrative Permission that will permit an admin to perform device approvals without requiring Vault Transfer permissions. Stay tuned!