
How to deploy KeePassium with Intune

This guide is for IT administrators who need to manage KeePassium in a corporate environment managed by Microsoft Intune.

KeePassium works with Intune. The level of compatibility depends on app edition:

  • KeePassium and KeePassium Pro are designed as personal apps for end users. They can be deployed via Intune, but cannot accept app protection policies. As a result, they can only run as personal (unmanaged) apps, outside the work perimeter.
  • KeePassium for Intune is a dedicated app specifically built with the Intune SDK. It can be deployed as a policy-managed work app and will enforce app protection and app configuration policies.

The rest of this guide applies to KeePassium for Intune. For brevity, we will call it just KeePassium.

Supported policies

App Protection Policy (APP) settings are enforced by the Intune SDK compiled into the app. Most of the policy settings are enforced without the app's knowledge. According to Microsoft, core APP settings are enforced for all managed apps, whereas advanced APP settings depend on the device enrollment status.

KeePassium also supports the "Require app protection policy" conditional access grant.

Finally, you can create an app configuration policy to control managed app parameters (AppConfig).

⚠️ No AutoFill

KeePassium for Intune does not have the Password AutoFill feature, because Intune SDK does not support it.

Installation

KeePassium for Intune is published on the App Store as a free app. You can add it using Microsoft's guide: Add iOS store apps to Microsoft Intune

Configuration

Once the app is added, create an app configuration policy:

  • In Intune admin center, open Apps --> App configuration policies
  • Click Add and select the necessary context. For this guide, we'll select Managed apps.
  • Give your policy a name and set Target to Selected apps
Screenshot: Create app configuration policy
  • Click Select public apps, find "KeePassium for Intune", click it, then click Select.
  • Click Next until you reach the Settings tab
  • Create two configuration parameters:
    • license — your business license key. Contact us to get one.
    • supportEmail — email address for all support requests from the app. Set it to your in-house support contact, so you can control what diagnostic data reaches external support.
  • If necessary, you can add other managed configuration parameters.
Screenshot: Add app configuration settings
  • Click Next and assign the configuration policy to appropriate groups.
  • Click Next, review the policy and click Create to finalize app configuration.

Setup on device

  • On first launch, KeePassium for Intune will ask the user to sign in with their work account. This is required by the Intune SDK, and is not related to KeePassium's functionality.
  • After Intune identifies the user and fetches the relevant policies, the app restarts with the policies applied.
  • For all other purposes, the app continues to work like the standard KeePassium version, with all features enabled (subject to policy restrictions, if configured).

Access permissions

KeePassium for Intune requires two permissions:

  • User.Read — allows users to sign in to the app, so that Intune can identify them and apply the relevant policies.
  • DeviceManagementManagedApps.ReadWrite — allows the app to read and write its own management data for the signed-in user in Intune Mobile Application Management (MAM). This is required by the Intune SDK.

You can grant these permissions tenant-wide.

OneDrive API

Synchronization with OneDrive additionally requires Files.ReadWrite.All, which allows users to access both their own and shared databases. See also: How to sync using OneDrive.

Troubleshooting

KeePassium could not find the enterprise account of your organization

This means KeePassium could not find a valid business license among the managed configuration parameters. Make sure to follow the app configuration steps and that your license key is valid.

App protection policy is not applied on client devices

Make sure the policy targets the correct group. Also, please note that policy delivery in Intune can take several hours: Understand App Protection Policy delivery timing

The account is licensed for Intune but is not targeted with MAM policy

This error comes from the Intune SDK. According to its issue tracker, the most likely causes are:

  • No app protection policy targets the app. Make sure one exists and is created in the correct context (device / user).
  • In some environments, the app configuration policy must include several predefined keys:

    Key                 Value
    IntuneMAMUPN        {{userprincipalname}}
    IntuneMAMOID        {{userid}}
    IntuneMAMDeviceID   {{deviceID}}
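Both the Configuration steps above (the license and supportEmail keys) and the predefined IntuneMAM keys just listed end up in the same managed app configuration, so admins who script their tenant setup can create the whole policy in one place through Microsoft Graph instead of the admin center. The following is an added example, not KeePassium's or Microsoft's own tooling. It assumes the Graph v1.0 targetedManagedAppConfigurations endpoint with its targetApps and assign actions, a bearer token you obtain separately (for example with MSAL or the Azure CLI) for an identity holding DeviceManagementApps.ReadWrite.All, and the app's bundle ID, which is not given on this page: the value below is a placeholder to be replaced with the bundle ID from the App Store listing. The license key and group IDs used in the usage section are constructed sample values.

```python
"""Create and assign the KeePassium for Intune app configuration policy via Microsoft Graph.

Added example (not KeePassium's own code). Assumptions, in addition to the
Graph endpoints named above: you pass in a valid bearer token, and you replace
the placeholder bundle ID with the real one from the App Store listing.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholder: replace with the real bundle ID of "KeePassium for Intune".
KEEPASSIUM_INTUNE_BUNDLE_ID = "com.example.keepassium-intune"

# Predefined keys that some environments require (see Troubleshooting).
INTUNE_MAM_KEYS = {
    "IntuneMAMUPN": "{{userprincipalname}}",
    "IntuneMAMOID": "{{userid}}",
    "IntuneMAMDeviceID": "{{deviceID}}",
}


def build_config_policy(name, license_key, support_email, include_mam_keys=False, extra=None):
    """Return the body for POST /deviceAppManagement/targetedManagedAppConfigurations.

    Validates the two mandatory KeePassium keys and refuses duplicate keys, so a
    typo in `extra` cannot silently override the license or support contact.
    """
    if not license_key or not license_key.strip():
        raise ValueError("license must not be empty")
    if "@" not in support_email:
        raise ValueError("supportEmail must be an email address")
    settings = {"license": license_key.strip(), "supportEmail": support_email.strip()}
    if include_mam_keys:
        settings.update(INTUNE_MAM_KEYS)
    for key, value in (extra or {}).items():
        if key in settings:
            raise ValueError(f"duplicate managed configuration key: {key}")
        settings[key] = value
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": name,
        "description": "Managed configuration for KeePassium for Intune",
        "customSettings": [{"name": k, "value": v} for k, v in settings.items()],
    }


def build_target_apps(bundle_id=KEEPASSIUM_INTUNE_BUNDLE_ID):
    """Body for the targetApps action: scope the policy to the iOS app by bundle ID."""
    return {"apps": [{"mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
        "bundleId": bundle_id,
    }}]}


def build_assignment(group_ids):
    """Body for the assign action: one group assignment target per Entra group ID."""
    return {"assignments": [{
        "@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": gid},
    } for gid in group_ids]}


def graph_post(token, path, body):
    """POST a JSON body to Graph and return the parsed response (empty dict for 204)."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def deploy(token, group_ids, license_key, support_email, include_mam_keys=False):
    """Create the policy, target it at the app, assign it to groups; return the policy ID."""
    policy = graph_post(token, "/deviceAppManagement/targetedManagedAppConfigurations",
                        build_config_policy("KeePassium for Intune - managed configuration",
                                            license_key, support_email, include_mam_keys))
    base = f"/deviceAppManagement/targetedManagedAppConfigurations/{policy['id']}"
    graph_post(token, base + "/targetApps", build_target_apps())
    graph_post(token, base + "/assign", build_assignment(group_ids))
    return policy["id"]


if __name__ == "__main__":
    import os
    # Constructed sample values; the token comes from the environment, never from source.
    token = os.environ["GRAPH_TOKEN"]
    print(deploy(token, ["00000000-0000-0000-0000-000000000001"],
                 "SAMPLE-LICENSE-KEY", "helpdesk@example.com", include_mam_keys=True))
```

The three-step sequence (create, targetApps, assign) mirrors the admin center wizard: Settings, Select public apps, and Assignments. Keep the license key out of version control; read it from a secret store or the environment as the token is here.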

Need admin approval

This may happen if the user who signs in to KeePassium is not allowed to consent for apps to access your organization's data.

The solution is to grant consent from an admin account. The URL for granting tenant-wide admin consent for KeePassium for Intune is:

https://login.microsoftonline.com/organizations/adminconsent?client_id=292a80b3-139a-4165-a20d-b2d2e764e538

Paste this URL into your browser, sign in with an admin account, review the requested permissions and click Accept.

Screenshot: Permission approval dialog

If you manage several tenants, you may need to adjust the URL as described in Microsoft's article (for example, by replacing "organizations" with the ID of the tenant you are granting consent for).

See also