Appearance
Managed App Configuration for MDM
IT administrators can control some KeePassium parameters via Mobile Device Management (MDM) systems, such as Microsoft Intune, Jamf Pro, Mosyle, etc. Managed configuration works with any KeePassium edition (free, Pro, Intune), as long as you include a valid business license key.
In addition to parameters on this page, KeePassium for Intune also supports Intune-specific app protection policies.
Requires Business license
Managed parameters must include a valid Business license key; otherwise, app configuration will remain unmanaged.
Privacy notice for end users
Your organization administrators can control only app settings. KeePassium does not provide them any access to user files or passwords.
Bundle Identifiers
The main KeePassium app and its AutoFill module have separate Bundle IDs:
- KeePassium
- Main app:
com.keepassium.ios
- AutoFill:
com.keepassium.ios.KeePassium-AutoFill
- Main app:
- KeePassium Pro
- Main app:
com.keepassium.ios.pro
- AutoFill:
com.keepassium.ios.pro.KeePassium-AutoFill
- Main app:
- KeePassium for Intune
- Main app:
com.keepassium.intune
- AutoFill: Intune SDK does not support AutoFill
- Main app:
macOS
Bundle IDs are the same in Mac apps — including the ios
part, for historic reasons.
General Parameters
license
String, required- Your business license key.
- Buy it online from our authorized reseller MyCommerce - Digital River GmbH, or
- Contact sales@keepassium.com to get one.
supportEmail
String- Overrides the default support email address. Set this to your company's IT support email (for example,
support@company.inc
)
Onboarding Parameters
requireAppPasscodeSet
Boolean- Whether the user must set up an App Protection passcode during onboarding. A stricter alternative to
hideAppLockSetupReminder
.true
— users have to set up a passcode during onboarding, and won't be able to remove it later.false
— users are allowed to skip the App Protection setup step.
hideAppLockSetupReminder
Boolean- Whether to hide the reminder for setting up the App Protection passcode. A softer alternative to
requrieAppPasscodeSet
.true
— reminder will be shown until the user configures the App Protection passcode.false
— reminder will not be shown.- Not set — reminder will be shown, but users can dismiss it.
App Settings
These are settings that are visible in the App Settings screen. Managed parameters cannot be modified by the user.
autoUnlockLastDatabase
Boolean- Controls whether the last-used database should be selected automatically on app launch
true
— select the last-used database automaticallyfalse
— show database selection screen
App Protection
appLockTimeout
Integer (seconds)- Timeout before locking the app (not databases). Possible values are:
0
- Lock Immediately3
- After 3 seconds15
- After 15 seconds30
- After 30 seconds60
- After 1 minute120
- After 2 minutes300
- After 5 minutes- Other values will be rounded to the nearest one in the list.
lockAppOnLaunch
Boolean- Enforces app protection when the app is first launched after device restart
true
— lock the app after device restart, even ifappLockTimeout
has not expired yet.false
— ignore device restart event, consider only timeout.
minimumAppPasscodeEntropy
Integer (bits)- Minimum required entropy for the app protection passcode (as estimated by the Zxcvbn library). Too simple passcodes will be rejected.
Data Protection
minimumDatabasePasswordEntropy
Integer (bits)- Minimum required entropy for database passwords (as estimated by the Zxcvbn library). This lower bound applies when users create a new database or change master keys of existing files.
rememberDatabaseKey
Boolean (true/false)- Remember database master keys in device keychain
rememberDatabaseFinalKey
Boolean- Sometimes KeePassium can cache database encryption keys and decrypt the file without a YubiKey scan. This setting controls whether such an optimization is allowed.
true
— skip YubiKey scans whenever possible;false
— always require a YubiKey scan.
keepKeyFileAssociations
Boolean (true/false)- Remember and automatically select key files last used with each database.
keepHardwareKeyAssociations
Boolean (true/false)- Remember and automatically select hardware keys last used with each database.
lockAllDatabasesOnFailedPasscode
Boolean- Whether to lock all databases when the user enters an incorrect app protection passcode.
true
— lock all databases and erase any remembered master keys from keychain;false
— don't lock or erase anything, let the user re-try the passcode.
databaseLockTimeout
Integer (seconds)- Timeout before locking all databases (not the app). Possible values are:
-1
— Never0
— Lock Immediately5
— After 5 seconds15
— After 15 seconds30
— After 30 seconds60
— After 1 minute120
— After 2 minutes300
— After 5 minutes600
— After 10 minutes1800
— After 30 minutes3600
— After 1 hour7200
— After 2 hours14400
— After 4 hours28800
— After 8 hours86400
— After 24 hours172800
— After 48 hours604800
— After 7 days- Other values will be rounded to the nearest one in the list.
lockDatabasesOnTimeout
Boolean- Whether to clear remembered master keys on database timeout
true
— close opened databases and erase their remembered master keysfalse
— close opened databases, but leave their master keys in keychain
lockDatabasesOnReboot
Boolean (true/false)- Whether to clear remembered master keys after device restart.
clipboardTimeout
Integer (seconds)- Time before erasing copied items from clipboard.
-1
— Never10
— After 10 seconds20
— After 20 seconds30
— After 30 seconds60
— After 1 minute120
— After 2 minutes180
— After 3 minutes300
— After 5 minutes600
— After 10 minutes1200
— After 20 minutes
WARNING
This setting does not affect cross-device Universal Clipboard content. Its timeout is fixed by Apple at around 2 minutes.
useUniversalClipboard
Boolean (true/false)- Whether copied items should be shared with other Apple devices via the Universal Clipboard.
hideProtectedFields
Boolean- Whether to hide protected fields behind asterisks by default. Users still can toggle visibility with the button.
true
— sensitive content is replaced with asteriskfalse
— sensitive content is shown in plain text
Network Access
allowNetworkAccess
Boolean- Controls access to network-dependent features, such as direct connections to business clouds, password audit, favicon downloads, etc.
true
— network-dependent features are allowedfalse
— network-dependent features are blocked, the app should stay offline.
Intune edition
This setting applies only to app's own features. KeePassium for Intune includes the Intune SDK, which communicates with Microsoft services whenever it needs to.
Database Backup
showBackupFiles
Boolean- Whether to show internal backup files in database list.
true
— show both internal backup files and actual databases.false
— hide internal backup files, show only actual databases.
backupDatabaseOnSave
Boolean- Whether to create an internal backup copy every time a database is saved.
backupKeepingDuration
Integer (seconds)- Maximum allowed age of backup files
3600
— 1 hour14400
— 4 hours86400
— 1 day604800
— 1 week2419200
— 4 weeks5270400
— 2 months15552000
— 6 months31536000
— 1 year
excludeBackupFilesFromSystemBackup
Boolean (true/false)- Whether internal backup files should be excluded from system backup of app data.
true
— backup files are created with the exclude from backup attribute.false
— backup files may be included in system backup.
File Operations
allowedFileProviders
String array- Restricts file import/export operations to only allowed storage locations; other locations will be blocked.
File Provider | Description |
---|---|
all (default) | Allow all storage locations (overrides any other options in this array) |
com.apple.FileProvider.LocalStorage | Local device storage |
net.box.BoxNet.documentPickerFileProvider | Box (via Files integration) |
com.keepassium.fileprovider.dropbox | Dropbox (direct connection) |
com.getdropbox.Dropbox.FileProvider | Dropbox (via Files integration) |
com.keepassium.fileprovider.googledrive | Google Drive (direct connection) |
com.google.Drive.FileProviderExtension | Google Drive (via Files integration) |
com.apple.CloudDocs.iCloudDriveFileProvider | iCloud Drive (via Files integration) |
com.apple.CloudDocs.MobileDocumentsFileProvider | iCloud Drive (before iOS 16.5; via Files integration) |
com.keepassium.fileprovider.onedrive | OneDrive (direct connection) |
com.microsoft.skydrive.onedrivefileprovider | OneDrive (via Files integration) |
com.apple.SMBClientProvider.FileProvider | SMB share (via Files integration) |
com.apple.filesystems.UserFS.FileProvider | USB storage (via Files integration) |
com.keepassium.fileprovider.webdav | WebDAV (direct connection) |