Help for Users
Application policy is a KeePass feature that enables administrators to prevent you from accidently compromising the security system of your company.
Operations like exporting password entries to non-encrypted files or printing for example can be prevented effectively using the application policy.
If you are using KeePass at home, you can ignore the application policy (everything allowed anyway) or reduce your rights using the policy yourself, in order to avoid accidental leakage of sensitive information.
In order to prevent changing the policy after it has been specified, it is recommended to use an enforced configuration file.
Help for Administrators
KeePass can be installed on a network drive and a policy can be enforced (like not permitting users to print the password list).
The application policy enforcement is based on the mechanism how KeePass stores configuration settings. You first need to understand this method before you can continue creating a policy: Configuration.
A policy-enforcing KeePass installation looks like the following: the KeePass application files are stored on the network drive and all users are starting KeePass from this drive (i.e. they only have links to the executable on the network drive). By using an enforced configuration file on the network drive (remember that this file overrides all others), a policy can be enforced.
In order to create such an installation, follow these steps:
That's it. You created a policy that is enforced on all computers, including your own one (until you change the enforced configuration file on the network drive).
Recall what the policy mechanism looks like: KeePass and the configuration file are stored on the network drive. If you grant your users free access to the internet or allow them to insert CD-ROMs/DVDs/USB-Sticks, nothing prevents a user to download a fresh copy of KeePass and run it. In this case the policy isn't enforced, as the downloaded KeePass doesn't know anything of the enforced configuration file on the network drive.
Policy enforcement therefore only is effective if your users really use the KeePass version installed on the network drive.