(KeePass & Mobile clients)
Offline Mode allows Pleasant Password Server users to cache passwords locally so that they can access credentials when disconnected from the server.
Please note: As of Version 7.10.4, you specify a Username/Password when setting up your offline cache. The username must be entered in the same format when you log back in with offline mode (for example, if you specify the Username in the full UPN format, you must use that full format again).
This feature can be enabled selectively by administrators, and is possible in:
- KeePass for Pleasant Client
- Mobile (v2.7.0+)
- Enable Offline Caching
- Restrict Offline Caching
- Creating an Offline Cache - From KeePass
- Opening KeePass in Offline Mode
- Setting the KeePass Cache Expiry and Clearing the Cache
- Read-Only: No changes made to credentials or groups are synced back to the server. If a user makes changes to any entries/groups or adds new items, these changes will be lost upon reconnecting to the server.
- Create a Cache in advance! If a user wants to access their credentials offline they will need to create this cache before going offline from the server.
- 2FA Requirements: Policy 2FA requirements will not be applied when opening the Offline Cache.
First, users will need to have permissions to store their credentials offline.
An admin must set this up in the Web Application.
View Entry Offline
Offline Syncing is restricted by the “View Entry Offline” permission in the Access Levels. If a user has an Access Level with this permission, the user is able to sync the credential offline. If they do not have access to a credential with this permission, they will not be able to cache and view the entry offline.
Audit Log Records
During an offline sync, an Audit Log record is made for each password that is being cached. A password that has been accessed with Offline Mode by a user has been saved on that user's computer.
Make sure that any user who should not be able to create an offline cache does not have an Access Level with the "View Entry Offline" permission.
Next, users will see a “Disconnect/Cache...” button in the KeePass for Pleasant client that lets them disconnect and work offline.
Pressing this button causes passwords to be cached locally. The status will show as Working Offline, and the user will be able to click a Connect... button.
Included in the Cache
- All passwords that the user has access to with the View Entry Offline permission
  - Except any passwords with time-limited access
While the client is in offline mode, neither the user nor any other registered user can log in to the network via that user's KeePass client until it is taken back to online mode.
2FA requirements are not applied when authenticating in Offline Mode, so it is important that other security precautions are in place for this cached file.
A KeePass user will be shown a Work Offline button at the login prompt (v7.7.2+). This only happens if they have credentials permitted for offline use (see above for details).
No Connection at Login
If no connection to the server is found at login, the application will attempt to use a previous cache.
Server Connection Lost
If the connection to the server is lost, KeePass for Pleasant Password Server can also automatically switch to offline mode. In this case KeePass will try to load a previously saved cache.
If a user attempts to disconnect and cache passwords with no connection to the server, the client will try to use a previously saved cache. If no cache is available, nothing can be cached and no credentials are available; the user will need to reconnect to the server to view credentials.
Opening a Cache File
A cache file is fully encrypted and can only be opened indirectly, by logging in using a KeePass for Pleasant client.
The master password for the cache is the user's password. Cached credentials are stored in the KDBX file format which is the encrypted database format for KeePass.
User Password Changes
If the user changes their password then their cache will not open automatically. If they still need access to the cache they can import the file and use their old password as the master password.
(v7.7.1+ KeePass & Server)
By default the cache does not expire. This can be changed in the Client Configuration by setting the Default Rule to Expire Cache After a set number of days.
Clearing The Cache
The cache can be cleared using the “Clear offline cache…” button in the “Password Server” dropdown menu in the KeePass for Pleasant client.