Managed App Configuration for MDM

IT administrators can control some KeePassium parameters via Mobile Device Management (MDM) systems, such as Microsoft Intune, Jamf Pro, Mosyle, etc. Managed configuration works with any KeePassium edition (free, Pro, Intune), as long as you include a valid business license key.

In addition to parameters on this page, KeePassium for Intune also supports Intune-specific app protection policies.

Requires Business license

Managed parameters must include a valid Business license key; otherwise, app configuration will remain unmanaged.

Privacy notice for end users

Your organization administrators can control only app settings. KeePassium does not provide them any access to user files or passwords.

Bundle Identifiers

The main KeePassium app and its AutoFill module have separate Bundle IDs:

• KeePassium
  • Main app: com.keepassium.ios
  • AutoFill: com.keepassium.ios.KeePassium-AutoFill
• KeePassium Pro
  • Main app: com.keepassium.ios.pro
  • AutoFill: com.keepassium.ios.pro.KeePassium-AutoFill
• KeePassium for Intune
  • Main app: com.keepassium.intune
  • AutoFill: Intune SDK does not support AutoFill

macOS

Bundle IDs are the same in Mac apps — including the ios part, for historic reasons.

General Parameters

license String, required

Your business license key. Contact sales@keepassium.com to get one.

supportEmail String

Overrides the default support email address. Set this to your company's IT support email (for example, support@company.inc)

Onboarding Parameters

requireAppPasscodeSet Boolean

Whether the user must set up an App Protection passcode during onboarding. A stricter alternative to hideAppLockSetupReminder.

• true — users have to set up a passcode during onboarding, and won't be able to remove it later.
• false — users are allowed to skip the App Protection setup step.

hideAppLockSetupReminder Boolean

Whether to hide the reminder for setting up the App Protection passcode. A softer alternative to requrieAppPasscodeSet.

• true — reminder will be shown until the user configures the App Protection passcode.
• false — reminder will not be shown.
• Not set — reminder will be shown, but users can dismiss it.

App Settings

These are settings that are visible in the App Settings screen. Managed parameters cannot be modified by the user.

autoUnlockLastDatabase Boolean

Controls whether the last-used database should be selected automatically on app launch

• true — select the last-used database automatically
• false — show database selection screen

App Protection

appLockTimeout Integer (seconds)

Timeout before locking the app (not databases). Possible values are:

• 0 - Lock Immediately
• 3 - After 3 seconds
• 15 - After 15 seconds
• 30 - After 30 seconds
• 60 - After 1 minute
• 120 - After 2 minutes
• 300 - After 5 minutes
• Other values will be rounded to the nearest one in the list.

lockAppOnLaunch Boolean

Enforces app protection when the app is first launched after device restart

• true — lock the app after device restart, even if appLockTimeout has not expired yet.
• false — ignore device restart event, consider only timeout.

minimumAppPasscodeEntropy Integer (bits)

Minimum required entropy for the app protection passcode (as estimated by the Zxcvbn library). Too simple passcodes will be rejected.

Data Protection

minimumDatabasePasswordEntropy Integer (bits)

Minimum required entropy for database passwords (as estimated by the Zxcvbn library). This lower bound applies when users create a new database or change master keys of existing files.

rememberDatabaseKey Boolean (true/false)

Remember database master keys in device keychain

rememberDatabaseFinalKey Boolean

Sometimes KeePassium can cache database encryption keys and decrypt the file without a YubiKey scan. This setting controls whether such an optimization is allowed.

• true — skip YubiKey scans whenever possible;
• false — always require a YubiKey scan.

keepKeyFileAssociations Boolean (true/false)

Remember and automatically select key files last used with each database.

keepHardwareKeyAssociations Boolean (true/false)

Remember and automatically select hardware keys last used with each database.

lockAllDatabasesOnFailedPasscode Boolean

Whether to lock all databases when the user enters an incorrect app protection passcode.

• true — lock all databases and erase any remembered master keys from keychain;
• false — don't lock or erase anything, let the user re-try the passcode.

databaseLockTimeout Integer (seconds)

Timeout before locking all databases (not the app). Possible values are:

• -1 — Never
• 0 — Lock Immediately
• 5 — After 5 seconds
• 15 — After 15 seconds
• 30 — After 30 seconds
• 60 — After 1 minute
• 120 — After 2 minutes
• 300 — After 5 minutes
• 600 — After 10 minutes
• 1800 — After 30 minutes
• 3600 — After 1 hour
• 7200 — After 2 hours
• 14400 — After 4 hours
• 28800 — After 8 hours
• 86400 — After 24 hours
• 172800 — After 48 hours
• 604800 — After 7 days
• Other values will be rounded to the nearest one in the list.

lockDatabasesOnTimeout Boolean

Whether to clear remembered master keys on database timeout

• true — close opened databases and erase their remembered master keys
• false — close opened databases, but leave their master keys in keychain

lockDatabasesOnReboot Boolean (true/false)

Whether to clear remembered master keys after device restart.

clipboardTimeout Integer (seconds)

Time before erasing copied items from clipboard.

• -1 — Never
• 10 — After 10 seconds
• 20 — After 20 seconds
• 30 — After 30 seconds
• 60 — After 1 minute
• 120 — After 2 minutes
• 180 — After 3 minutes
• 300 — After 5 minutes
• 600 — After 10 minutes
• 1200 — After 20 minutes

WARNING

This setting does not affect cross-device Universal Clipboard content. Its timeout is fixed by Apple at around 2 minutes.

useUniversalClipboard Boolean (true/false)

Whether copied items should be shared with other Apple devices via the Universal Clipboard.

hideProtectedFields Boolean

Whether to hide protected fields behind asterisks by default. Users still can toggle visibility with the button.

• true — sensitive content is replaced with asterisk
• false — sensitive content is shown in plain text

Network Access

allowNetworkAccess Boolean

Controls access to network-dependent features, such as direct connections to business clouds, password audit, favicon downloads, etc.

• true — network-dependent features are allowed
• false — network-dependent features are blocked, the app should stay offline.

Intune edition

This setting applies only to app's own features. KeePassium for Intune includes the Intune SDK, which communicates with Microsoft services whenever it needs to.

Database Backup

showBackupFiles Boolean

Whether to show internal backup files in database list.

• true — show both internal backup files and actual databases.
• false — hide internal backup files, show only actual databases.

backupDatabaseOnSave Boolean

Whether to create an internal backup copy every time a database is saved.

backupKeepingDuration Integer (seconds)

Maximum allowed age of backup files

• 3600 — 1 hour
• 14400 — 4 hours
• 86400 — 1 day
• 604800 — 1 week
• 2419200 — 4 weeks
• 5270400 — 2 months
• 15552000 — 6 months
• 31536000 — 1 year

excludeBackupFilesFromSystemBackup Boolean (true/false)

Whether internal backup files should be excluded from system backup of app data.

• true — backup files are created with the exclude from backup attribute.
• false — backup files may be included in system backup.

File Operations

allowedFileProviders String array

Restricts file import/export operations to only allowed storage locations; other locations will be blocked.

File Provider	Description
all (default)	Allow all storage locations (overrides any other options in this array)
com.apple.FileProvider.LocalStorage	Local device storage
net.box.BoxNet.documentPickerFileProvider	Box (via Files integration)
com.keepassium.fileprovider.dropbox	Dropbox (direct connection)
com.getdropbox.Dropbox.FileProvider	Dropbox (via Files integration)
com.keepassium.fileprovider.googledrive	Google Drive (direct connection)
com.google.Drive.FileProviderExtension	Google Drive (via Files integration)
com.apple.CloudDocs.iCloudDriveFileProvider	iCloud Drive (via Files integration)
com.apple.CloudDocs.MobileDocumentsFileProvider	iCloud Drive (before iOS 16.5; via Files integration)
com.keepassium.fileprovider.onedrive	OneDrive (direct connection)
com.microsoft.skydrive.onedrivefileprovider	OneDrive (via Files integration)
com.apple.SMBClientProvider.FileProvider	SMB share (via Files integration)
com.apple.filesystems.UserFS.FileProvider	USB storage (via Files integration)
com.keepassium.fileprovider.webdav	WebDAV (direct connection)

See also

• Intune setup guide