
Managed App Configuration for MDM

IT administrators can control some KeePassium parameters via Mobile Device Management (MDM) systems, such as Microsoft Intune, Jamf Pro, Mosyle, etc. Managed configuration works with any KeePassium edition (free, Pro, Intune), as long as you include a valid business license key.

In addition to parameters on this page, KeePassium for Intune also supports Intune-specific app protection policies.

Requires Business license

Managed parameters must include a valid Business license key; otherwise, app configuration will remain unmanaged.

Privacy notice for end users

Your organization administrators can control only app settings. KeePassium does not provide them any access to user files or passwords.

Bundle Identifiers

The main KeePassium app and its AutoFill module have separate Bundle IDs:

  • KeePassium
    • Main app: com.keepassium.ios
    • AutoFill: com.keepassium.ios.KeePassium-AutoFill
  • KeePassium Pro
    • Main app: com.keepassium.ios.pro
    • AutoFill: com.keepassium.ios.pro.KeePassium-AutoFill
  • KeePassium for Intune
    • Main app: com.keepassium.intune
    • AutoFill: Intune SDK does not support AutoFill

macOS

Bundle IDs are the same in Mac apps — including the ios part, for historic reasons.

Configuration Plist file

You can generate your configuration file using a GUI tool by Jamf:

  • Download KeePassium's managed app configuration specfile
  • Upload it to the AppConfig Generator
  • You will get a GUI for editing the managed app configuration
  • In the end, click Download to get the plist file
    Sample output
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>configVersion</key>
        <integer>1</integer>
        <key>license</key>
        <string>your license key here</string>
        <key>licenseSeatID</key>
        <string>${userUID}</string>
        <key>supportEmail</key>
        <string>org-support@keepassium.com</string>
        <key>requireAppPasscodeSet</key>
        <string>yes</string>
        <key>minimumAppPasscodeEntropy</key>
        <integer>10</integer>
        <key>minimumDatabasePasswordEntropy</key>
        <integer>20</integer>
        <key>allowNetworkAccess</key>
        <string>yes</string>
        <key>autoUnlockLastDatabase</key>
        <string>yes</string>
        <key>rememberDatabaseKey</key>
        <string>yes</string>
        <key>rememberDatabaseFinalKey</key>
        <string>yes</string>
        <key>keepKeyFileAssociations</key>
        <string>yes</string>
        <key>keepHardwareKeyAssociations</key>
        <string>yes</string>
        <key>lockAllDatabasesOnFailedPasscode</key>
        <string>yes</string>
        <key>appLockTimeout</key>
        <string>0</string>
        <key>lockAppOnLaunch</key>
        <string>yes</string>
        <key>lockDatabasesOnReboot</key>
        <string>no</string>
        <key>databaseLockTimeout</key>
        <string>-1</string>
        <key>clipboardTimeout</key>
        <string>60</string>
        <key>useUniversalClipboard</key>
        <string></string>
        <key>hideProtectedFields</key>
        <string>yes</string>
        <key>enableQuickTypeAutoFill</key>
        <string>yes</string>
        <key>showBackupFiles</key>
        <string></string>
        <key>backupDatabaseOnSave</key>
        <string>yes</string>
        <key>backupKeepingDuration</key>
        <string>5270400</string>
        <key>excludeBackupFilesFromSystemBackup</key>
        <string>yes</string>
        <key>allowedFileProviders</key>
        <array>
          <string>all</string>
        </array>
      </dict>
    </plist>

Parameters

Some of the settings are represented in the App Settings dialog. Managed parameters cannot be modified by the user.

General

license: String, required

Your business license key. Contact sales@keepassium.com to get one.

supportEmail: String

Overrides the default support email address. Set this to your company's IT support email (for example, support@company.inc).

Onboarding

requireAppPasscodeSet: Boolean

Whether the user must set up an App Protection passcode during onboarding. A stricter alternative to hideAppLockSetupReminder.

  • true — users have to set up a passcode during onboarding, and won't be able to remove it later.
  • false — users are allowed to skip the App Protection setup step.

hideAppLockSetupReminder: Boolean

Whether to hide the reminder for setting up the App Protection passcode. A softer alternative to requireAppPasscodeSet.

  • true — reminder will be shown until the user configures the App Protection passcode.
  • false — reminder will not be shown.
  • Not set — reminder will be shown, but users can dismiss it.

App Protection

appLockTimeout: Integer (seconds)

Timeout before locking the app (not databases). Possible values are:

  • 0 - Lock Immediately
  • 3 - After 3 seconds
  • 15 - After 15 seconds
  • 30 - After 30 seconds
  • 60 - After 1 minute
  • 120 - After 2 minutes
  • 300 - After 5 minutes
  • Other values will be rounded to the nearest one in the list.

lockAppOnLaunch: Boolean

Enforces app protection when the app is first launched after device restart.

  • true — lock the app after device restart, even if appLockTimeout has not expired yet.
  • false — ignore device restart event, consider only timeout.

minimumAppPasscodeEntropy: Integer (bits)

Minimum required entropy for the app protection passcode (as estimated by the Zxcvbn library). Passcodes that are too simple will be rejected.

autoUnlockLastDatabase: Boolean

Controls whether the last-used database should be selected automatically on app launch.

  • true — select the last-used database automatically
  • false — show database selection screen

Data Protection

minimumDatabasePasswordEntropy: Integer (bits)

Minimum required entropy for database passwords (as estimated by the Zxcvbn library). This lower bound applies when users create a new database or change master keys of existing files.

rememberDatabaseKey: Boolean

Remember database master keys in the device keychain.

rememberDatabaseFinalKey: Boolean

Sometimes KeePassium can cache database encryption keys and decrypt the file without a YubiKey scan. This setting controls whether such an optimization is allowed.

  • true — skip YubiKey scans whenever possible;
  • false — always require a YubiKey scan.

keepKeyFileAssociations: Boolean

Remember and automatically select key files last used with each database.

keepHardwareKeyAssociations: Boolean

Remember and automatically select hardware keys last used with each database.

lockAllDatabasesOnFailedPasscode: Boolean

Whether to lock all databases when the user enters an incorrect app protection passcode.

  • true — lock all databases and erase any remembered master keys from keychain;
  • false — don't lock or erase anything, let the user re-try the passcode.

databaseLockTimeout: Integer (seconds)

Timeout before locking all databases (not the app). Possible values are:

  • -1 — Never
  • 0 — Lock Immediately
  • 5 — After 5 seconds
  • 15 — After 15 seconds
  • 30 — After 30 seconds
  • 60 — After 1 minute
  • 120 — After 2 minutes
  • 300 — After 5 minutes
  • 600 — After 10 minutes
  • 1800 — After 30 minutes
  • 3600 — After 1 hour
  • 7200 — After 2 hours
  • 14400 — After 4 hours
  • 28800 — After 8 hours
  • 86400 — After 24 hours
  • 172800 — After 48 hours
  • 604800 — After 7 days
  • Other values will be rounded to the nearest one in the list.

lockDatabasesOnTimeout: Boolean

Whether to clear remembered master keys on database timeout.

  • true — close opened databases and erase their remembered master keys
  • false — close opened databases, but leave their master keys in keychain

lockDatabasesOnReboot: Boolean

Whether to clear remembered master keys after device restart.

clipboardTimeout: Integer (seconds)

Time before erasing copied items from clipboard.

  • -1 — No automatic erasing
  • 0 - Disable cut/copy to clipboard
  • 10 — After 10 seconds
  • 20 — After 20 seconds
  • 30 — After 30 seconds
  • 60 — After 1 minute
  • 120 — After 2 minutes
  • 180 — After 3 minutes
  • 300 — After 5 minutes
  • 600 — After 10 minutes
  • 1200 — After 20 minutes

WARNING

Non-zero timeouts do not affect the cross-device Universal Clipboard; its timeout is fixed by Apple at around 2 minutes. The copy block (timeout 0) does apply.

useUniversalClipboard: Boolean (true/false)

Whether copied items should be shared with other Apple devices via the Universal Clipboard.

hideProtectedFields: Boolean

Whether to hide protected fields behind asterisks by default. Users can still toggle visibility with the eye button.

  • true — sensitive content is replaced with asterisks
  • false — sensitive content is shown in plain text

Networked Features

allowNetworkAccess: Boolean

Controls network access for network-dependent features, such as direct connections to business clouds, password audit, favicon downloads, etc. This is the "master switch" that blocks all network connections.

  • true — network access is allowed. You can block specific features using parameters described below.
  • false — network access is blocked, the app should stay offline. Parameters like allowFaviconDownload and allowPasswordAudit have no effect.

Intune edition

This setting applies only to the app's own features. KeePassium for Intune includes the Intune SDK, which communicates with Microsoft services whenever it needs to.

allowFaviconDownload: Boolean

Controls access to the favicon download feature, which involves connections to arbitrary websites.

  • true (default) — favicon download is allowed (still requires allowNetworkAccess)
  • false — favicon download feature is disabled.

allowPasswordAudit: Boolean

Controls access to the password audit feature, which involves connections to the "Have I Been Pwned" API.

  • true (default) — password audit is allowed (still requires allowNetworkAccess)
  • false — password audit is disabled.

Database Backup

showBackupFiles: Boolean

Whether to show internal backup files in the database list.

  • true — show both internal backup files and actual databases.
  • false — hide internal backup files, show only actual databases.

backupDatabaseOnSave: Boolean

Whether to create an internal backup copy every time a database is saved.

backupKeepingDuration: Integer (seconds)

Maximum allowed age of backup files.

  • 3600 — 1 hour
  • 14400 — 4 hours
  • 86400 — 1 day
  • 604800 — 1 week
  • 2419200 — 4 weeks
  • 5270400 — 2 months
  • 15552000 — 6 months
  • 31536000 — 1 year

excludeBackupFilesFromSystemBackup: Boolean

Whether internal backup files should be excluded from system backup of app data.

  • true — backup files are created with the exclude from backup attribute.
  • false — backup files may be included in system backup.

File Operations

allowedFileProviders: String array

Restricts file import/export operations to only allowed storage locations; other locations will be blocked.

| File Provider | Description |
|---|---|
| all (default) | Allow all storage locations (overrides any other options in this array) |
| com.apple.FileProvider.LocalStorage | Local device storage |
| net.box.BoxNet.documentPickerFileProvider | Box (via Files integration) |
| com.keepassium.fileprovider.dropbox | Dropbox (direct connection) |
| com.getdropbox.Dropbox.FileProvider | Dropbox (via Files integration) |
| com.keepassium.fileprovider.googledrive | Google Drive (direct connection) |
| com.google.Drive.FileProviderExtension | Google Drive (via Files integration) |
| com.apple.CloudDocs.iCloudDriveFileProvider | iCloud Drive (via Files integration) |
| com.apple.CloudDocs.MobileDocumentsFileProvider | iCloud Drive (before iOS 16.5; via Files integration) |
| com.keepassium.fileprovider.onedrive | OneDrive (direct connection) |
| com.microsoft.skydrive.onedrivefileprovider | OneDrive (via Files integration) |
| com.apple.SMBClientProvider.FileProvider | SMB share (via Files integration) |
| com.apple.filesystems.UserFS.FileProvider | USB storage (via Files integration) |
| com.keepassium.fileprovider.webdav | WebDAV (direct connection) |

WARNING

If you block local device storage, KeePassium will not show or access local files (including in-app backup).
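
Several parameters on this page interact or are silently ignored: the license requirement, the allowNetworkAccess master switch, timeout rounding, the allowedFileProviders rules and the Universal Clipboard caveat. The Python script below checks a profile for these cases before deployment. It is an added example, not part of KeePassium or its documentation; the audit function, its messages, the handling of yes/no strings and the sample profile are assumptions made for illustration.

```python
import plistlib

# Value lists documented above; other values are rounded to the nearest entry.
APP_LOCK = [0, 3, 15, 30, 60, 120, 300]
DB_LOCK = [-1, 0, 5, 15, 30, 60, 120, 300, 600, 1800, 3600, 7200,
           14400, 28800, 86400, 172800, 604800]
LOCAL = "com.apple.FileProvider.LocalStorage"

def as_bool(v):
    # Assumption: accept plist booleans and the yes/no strings seen in the sample output.
    if isinstance(v, bool):
        return v
    return {"yes": True, "true": True, "no": False, "false": False}.get(str(v).lower())

def as_int(v):
    # Unset keys and empty strings yield None.
    return int(v) if str(v).strip().lstrip("-").isdigit() else None

def audit(plist_bytes):
    """Report settings that are ignored, overridden or rounded, as described above."""
    cfg, out = plistlib.loads(plist_bytes), []
    if not str(cfg.get("license", "")).strip():
        out.append("license: missing, configuration stays unmanaged")
    if as_bool(cfg.get("allowNetworkAccess")) is False:
        for key in ("allowFaviconDownload", "allowPasswordAudit"):
            if key in cfg:
                out.append(f"{key}: no effect while allowNetworkAccess is false")
    for key, allowed in (("appLockTimeout", APP_LOCK), ("databaseLockTimeout", DB_LOCK)):
        v = as_int(cfg.get(key))
        if v is not None and v not in allowed:
            near = min(allowed, key=lambda a: abs(a - v))  # tie-breaking is not documented
            out.append(f"{key}: {v} is not listed, nearest listed value is {near}")
    providers = cfg.get("allowedFileProviders")
    if providers is not None and "all" in providers and len(providers) > 1:
        out.append("allowedFileProviders: 'all' overrides the other entries")
    elif providers is not None and "all" not in providers and LOCAL not in providers:
        out.append("allowedFileProviders: local storage blocked, in-app backups not accessible")
    clip = as_int(cfg.get("clipboardTimeout"))
    if clip not in (None, 0) and as_bool(cfg.get("useUniversalClipboard")) is not False:
        out.append("clipboardTimeout: does not apply to Universal Clipboard (about 2 minutes)")
    return out

SAMPLE = plistlib.dumps({  # constructed sample profile, not a real deployment
    "license": "", "allowNetworkAccess": "no", "allowPasswordAudit": True,
    "databaseLockTimeout": "900", "clipboardTimeout": "60",
    "allowedFileProviders": ["com.keepassium.fileprovider.onedrive"],
})
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a generated profile, pass the bytes of the downloaded plist file to audit(); an empty list means none of these cases were found.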
