|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
GeneralSettings in an enforced configuration file take precedence over settings in global and local configuration files. This feature is intended primarily for network administrators who want to enforce certain settings for users of a KeePass installation. The format of an enforced configuration file is basically the same as the format of a regular configuration file. An enforced configuration file must be stored in the KeePass application directory (which contains KeePass.exe). Its name depends on the KeePass edition:
In order to create an enforced configuration file, we recommend the following procedure:
KeePass 2.x Only
Regular configuration files often contain only settings whose values
differ from the default values (performance optimization).
There are multiple ways to find a setting that is set to its default value:
In general, settings that are not present in the enforced configuration file can be configured by the user, i.e. non-enforced settings are loaded and stored from/to global and local configuration files as usual. This depends on the merge modes and options though, which are described below. The global configuration file is stored in the KeePass application directory. As users should not have write access to any files in this directory (see the 'Security' section), any non-enforced settings should be stored in the local configuration file of the user. In order to instruct KeePass to use the local configuration file instead of the global one, the global configuration file (in the KeePass application directory) should only contain the following:
Theoretically, you can enforce all settings
(for instance by specifying the content mode
' SecurityUsers must not have write access to any files/folders in the KeePass application directory (including the enforced configuration file). You have to ensure this using an appropriate access control list (in Windows Explorer, right-click onto the KeePass application folder → 'Properties' → tab 'Security'). Both the KeePass setup program ('KeePass-X.YY-Setup.exe') and the MSI ('KeePass-X.YY.msi') install into the program files directories (usually 'C:\Program Files' and 'C:\Program Files (x86)') by default, which typically have appropriate access control lists already, i.e. no changes are necessary for these. An enforced configuration file applies only to the KeePass program in the same directory. If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced. Administrators can disallow running other copies of KeePass and other applications (that support the KeePass database file format), if desired, e.g. using Windows Defender Application Control, AppLocker or Software Restriction Policies. User Interface (2.x)Under certain circumstances, KeePass disables user interface controls for settings that are present in an enforced configuration file (not for all controls and not in all situations). Example. The following enforced configuration file enforces the specified values/states for the settings 'Clipboard auto-clear time' (20 seconds), 'Lock workspace when locking the computer or switching the user' and 'Lock workspace when the computer is about to be suspended'. KeePass grays out the corresponding controls in the user interface, i.e. their values/states cannot be changed. All other settings can be configured by the user. <?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Security> <WorkspaceLocking> <LockOnSessionSwitch>true</LockOnSessionSwitch> <LockOnSuspend>true</LockOnSuspend> </WorkspaceLocking> <ClipboardClearAfterSeconds>20</ClipboardClearAfterSeconds> </Security> </Configuration>
Node Modes – Attribute '
|
Node Mode | Description |
---|---|
Create | If there is no corresponding node in the user configuration, create such a node and open it. |
Open | If there is a corresponding node in the user configuration, open it. |
OpenOrCreate | If there is a corresponding node in the user configuration, open it. Otherwise, create such a node and open it. |
Remove | If there is a corresponding node in the user configuration, remove it. |
None | Do nothing.
This mode is for internal use only and cannot
be specified using the ' |
The first matching rule in the following list determines the node mode for the current element in the enforced configuration:
MergeNodeMode
' attribute,
use the specified mode.Element XPath | Node Mode |
---|---|
/Configuration/Application/PluginCompatibility | None (★) |
/Configuration/Meta/DpiFactorX | None (★) |
/Configuration/Meta/DpiFactorY | None (★) |
/Configuration/Meta/PreferUserConfiguration | None (★) |
/Configuration/Meta/Version | None (★) |
OpenOrCreate
' mode.(★)
The configuration settings marked with a star
depend on the user's computer (operating system, display resolution, etc.)
or the KeePass installation/version.
In general, it does not make sense to enforce certain values for them.
If a corresponding node in the user configuration can be opened (possibly after creating it), the contents of the two nodes are then merged according to the content mode.
Example (Node Mode 'Remove ') | |
---|---|
User configuration:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Custom> <Item> <Key>Example_A</Key> <Value>21</Value> </Item> <Item> <Key>Example_B</Key> <Value>22</Value> </Item> </Custom> </Configuration> |
Enforced configuration:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Custom> <Item MergeNodeMode="Remove"> <Key>Example_A</Key> </Item> </Custom> </Configuration> |
Result:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Custom> <Item> <Key>Example_B</Key> <Value>22</Value> </Item> </Custom> </Configuration> |
Comment:
In the enforced configuration, the item has a
' |
MergeContentMode
' (2.x)Given a node in the enforced configuration and a corresponding opened node in the user configuration, the content mode specifies how the contents of the two nodes are merged.
The desired content mode can be declared using a 'MergeContentMode
'
attribute on the enforced node.
This attribute is optional.
The following values are supported:
Content Mode | Description |
---|---|
Merge | For each (direct) child element of the current element in the enforced configuration, the merge algorithm tries to find a corresponding child element in the user configuration and calls itself (recursively). |
Replace | Replaces the content of the element in the user configuration by the content of the element in the enforced configuration. Any differing or additional settings in the user configuration element are lost. The content is not inspected further, i.e. any merge attributes in the content have no effect. |
The first matching rule in the following list determines the content mode for the current node pair:
MergeContentMode
' attribute,
use the specified mode.Element XPath | Content Mode |
---|---|
/Configuration/Application/TriggerSystem | Replace |
/Configuration/Application/TriggerSystem/Triggers/Trigger | Replace |
/Configuration/Defaults/KeySources/Association | Replace |
/Configuration/Integration/UrlSchemeOverrides | Replace |
/Configuration/PasswordGenerator/AutoGeneratedPasswordsProfile | Replace |
/Configuration/PasswordGenerator/UserProfiles | Replace |
/Configuration/PasswordGenerator/UserProfiles/Profile | Replace |
/Configuration/Search/LastUsedProfile | Replace |
/Configuration/Search/UserProfiles/Profile | Replace |
Merge
' mode.Replace
' mode.
Changing the content mode from 'Replace
' to 'Merge
'
is rarely a good idea. For example, you should not specify 'Merge
'
as content mode for the element '/Configuration/Application/TriggerSystem
'
if you consider the injection of a malicious trigger in the regular
configuration file to be a threat.
Example (Content Mode 'Replace ') | |
---|---|
User configuration:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <UI> <TrayIcon> <GrayIcon>true</GrayIcon> </TrayIcon> </UI> </Configuration> |
Enforced configuration:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <UI> <TrayIcon MergeContentMode="Replace"> <SingleClickDefault>true</SingleClickDefault> </TrayIcon> </UI> </Configuration> |
Result:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <UI> <TrayIcon> <SingleClickDefault>true</SingleClickDefault> </TrayIcon> </UI> </Configuration> |
Comment:
The ' If the ' |
The following optional attributes are supported:
Attribute Name | Value | Description |
---|---|---|
MergeChildrenOtherMode | This attribute controls the behavior for child elements
that are present in the user configuration, but not in the enforced
configuration.
The default value is ' | |
None |
Keep the child elements. | |
Remove |
Remove the child elements. | |
MergeChildrenSortOrder | This attribute allows to specify how the
child elements of the current element are sorted.
The default value is ' | |
Other |
The order of the child elements in the user configuration is preserved. | |
This |
The order of the child elements in the enforced configuration is preserved. |
A list is an element that contains multiple child elements with the same name. The child elements of a list are called list items.
When merging lists, KeePass has to decide which list item in the enforced configuration gets merged with which list item in the user configuration.
For some lists, this decision is made as follows: for each list item, one or more child nodes are selected and their contents are concatenated (with separators) to build a node key; list items with identical node keys in both configurations are then merged. The child node selection depends on the type of the list item:
Element XPath | Node Key Selection XPath |
---|---|
/Configuration/Application/MostRecentlyUsed/Items/ConnectionInfo | Path | UserName |
/Configuration/Application/PluginCompatibility/Item | . |
/Configuration/Application/TriggerSystem/Triggers/Trigger | Guid |
/Configuration/Application/WorkingDirectories/Item | . |
/Configuration/Custom/Item | Key |
/Configuration/Defaults/KeySources/Association | DatabasePath |
/Configuration/Integration/AutoTypeAbortOnWindows/Window | . |
/Configuration/Integration/UrlSchemeOverrides/CustomOverrides/Override | Scheme | UrlOverride |
/Configuration/MainWindow/EntryListColumnCollection/Column | Type | CustomName |
/Configuration/PasswordGenerator/UserProfiles/Profile | Name |
/Configuration/Search/UserProfiles/Profile | Name |
For other lists, the list items are merged based on their indices.
Example (Node Keys) | |
---|---|
User configuration:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Custom> <Item> <Key>Example_A</Key> <Value>21</Value> </Item> <Item> <Key>Example_B</Key> <Value>22</Value> </Item> <Item> <Key>Example_C</Key> <Value>23</Value> </Item> </Custom> </Configuration> |
Enforced configuration:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Custom> <Item> <Key>Example_B</Key> <Value>40</Value> </Item> </Custom> </Configuration> |
Result:
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Custom> <Item> <Key>Example_A</Key> <Value>21</Value> </Item> <Item> <Key>Example_B</Key> <Value>40</Value> </Item> <Item> <Key>Example_C</Key> <Value>23</Value> </Item> </Custom> </Configuration> |
Comment:
For a ' |
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Application> <Start> <CheckForUpdate>false</CheckForUpdate> <CheckForUpdateConfigured>true</CheckForUpdateConfigured> </Start> </Application> </Configuration>
UIFlags
value 32.
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <UI> <UIFlags>32</UIFlags> </UI> </Configuration>
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Security> <Policy> <Export>false</Export> <Print>false</Print> <ChangeMasterKey>false</ChangeMasterKey> </Policy> </Security> </Configuration>
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Security> <Policy> <Plugins>false</Plugins> </Policy> </Security> </Configuration>
<?xml version="1.0" encoding="utf-8"?> <Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Application> <TriggerSystem> <Enabled>false</Enabled> </TriggerSystem> </Application> </Configuration>