Desktop Applications
Methods for deploying Keeper to user desktops
Last updated
Was this helpful?
Enterprise Guide
Methods for deploying Keeper to user desktops
Last updated
Was this helpful?
Keeper offers users two different desktop vaults. The in the web browser, and the native application for Windows, Mac and Linux.
The Keeper Desktop App has several benefits compared to the Keeper Web Vault such as:
Ability to automatically import existing passwords without additional component installation.
Automatically migrate from existing LastPass vaults.
Secure biometric login using Touch ID on compatible MacBook Pro computers.
Secure biometric login using Windows Hello (Windows 10).
Windows Hello for Business, including biometrics and smart card capabilities (Windows 10).
Increased performance.
Offline access using biometrics or master password (if permitted by Keeper Admin)
Command-line deployment:
Command-line deployment:
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %localappdata%\Packages\KeeperSecurityInc.KeeperPasswordManager_xxx
Auto-Updates: Yes
Windows Hello: Yes
The appinstaller is just a lightweight wrapper around the msixbundle that enables auto-update functionality, which is checked on app launch. Due to including the auto-update feature, the appinstaller requires Windows 10 version 1803.
The appinstaller can be deployed with PowerShell like this:
The contents of the KeeperPasswordManager.appinstaller file is below:
Supported Platforms: Windows 10 build 1703 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: Yes
The msixbundle file is an appx bundle containing multiple architectures, currently x86 and x86_64 are supported. The asset requires at least Windows 10 version 1703 to install, and installs to C:\Program Files\WindowsApps with a package identity which enables additional features such as Windows Hello. The installed app is owned by TrustedInstaller.
Command-line deployment:
Supported Platforms: Windows 7, Windows 8, Windows 8.1, Windows 10
Supported Architectures: x64, ia32
Install Location: %programfiles%\keeperpasswordmanager
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: No
The MSI installer does not auto-update. This is to satisfy enterprise administrators who require complete control over application updates.
The MSI installer is 32-bit, and it has the best compatibility with older versions of Windows.
The MSI installer does not support Windows Hello.
The MSI can be silently installed from an elevated command prompt (otherwise it will silently fail at the unanswered Windows UAC prompt that never happens because it's a silent install) in this way:
The MSI installer does not allow selecting the installation location to mitigate a security weakness whereby an administrator can install the application in a location, such as C:\ where non-privileged users have access to modify or replace the binary. Instead, the MSI installer always installs to %programfiles%.
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Auto-Updates: Yes (via Microsoft Store)
Windows Hello: Yes
The Windows Store build is almost identical to the normal msixbundle, but has a different app identity which is assigned by the Microsoft Store. Updates are managed by the Microsoft Store, and the app is also installed to C:\Program Files\WindowsApps and is owned by TrustedInstaller.
The desktop app is able to be installed silently from the Microsoft Store using Microsoft's package manager winget:
Minimum Requirements:
Mac OS 10.10+ with Intel or Apple M1 ARM-based processor, 64-bit. 512MB RAM. Keeper Desktop for Mac contains a universal installer which is optimized for both chipsets.
Auto-Updates: Yes
Download Link:
Fedora 28 or above Ubuntu LTS releases 16.04 or above Red Hat Enterprise Linux 7.0 or above CentOS version 7.3 and above Debian 8 and above Hardware: 512MB RAM
Auto-Updates: No
Keeper supports Enterprise Configuration settings to control the end-user experience.
DomainName
String
Enterprise SSO Domain to pre-populate on app launch.
Region
String
Region identifier where your Keeper tenant is hosted. Must be one of ("us", "eu", "au", "usg")
HideCreateAccount
Boolean
Hides the Create Account button from the start page
UseDefaultBrowserForSSO
Boolean
Routes the user to their default web browser for SSO authentication instead of using a popup window.
Keeper Desktop can be configured using standard macOS NSUserDefaults objects using the com.keepersecurity.passwordmanager domain. If your MDM solution is able to push macOS user defaults, you can use this method for enforcing configuration settings. Note the capital letter on the key value.
Testing the Config
You can test the configuration on the local machine using the below commands:
For example:
Keeper Desktop's mac app bundle has an Information Property List File, Info.plist, which contains key-value pairs that identify and configure a bundle.
Finding the App Bundle ID and App Version
The following keys in Information Property List file contains the values for the App Bundle ID and App Version:
CFBundleIdentifier: App Bundle ID
CFBundleShortVersionString: App Version
To find the values of the above keys, you need to access the Information Property List File, Info.plist, and find the corresponding values.
Location of Info.plist after mounting DMG file:
Alternatively, you can run the defaults read command:
For the Keeper Desktop App, running the following commands would give you the App Bundle ID and Version:
All Windows, macOS and Linux end-user installations can be configured by using a UTF-8 encoded JSON file placed in the user's home folder under ".keeper/desktop.config.json". Note the identifiers are using camel case for JSON defaults with a lowercase on the first letter.
Example File
macOS End Users
The desktop.config.json file must be UTF-8 encoded.
From your text editor, in File > Save As...
In the "Save as type" drop-down, select All Files.
In the "Encoding" drop-down, select UTF-8.
Ensure the name of the file is desktop.config.json
If the routing of user to the proper region and SSO is not working correctly for you, please open a support ticket.
Ability to Autofill and auto-type passwords into native apps using feature.
Keeper Desktop is a cross-platform native desktop application for Windows, MacOS and Linux. Several installer files are provided at the links below. For additional details on each package, see the section below.
Windows 10 AppInstaller (64 and 32-bit, supports Windows Hello) [] Command-line deployment:
Microsoft Store Version (64 and 32-bit, supports Windows Hello) []
Windows 10 MSIX Installer: [] (Note: MSIX does not auto-update) Command-line deployment:
Windows 10 MSI Installer: [] (Note: MSI does not auto-update, no support for Windows Hello)
Mac OS .dmg []
Mac App Store [] (Note: does not support iCloud Keychain import)
Linux Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint: (Please refer to the below Download Page for the latest links) []
Password Importer Standalone (Windows 10): []
Password Importer Standalone (Mac OS): []
Installer: []
Users download a small appinstaller file that automatically fetches the msixbundle from . It otherwise behaves the same as the MSIX install.
Install Link: []
Install Link: []
The Keeper .MSI installer utilizes Microsoft Msiexec. Standard switches are documented here:
Install Link: []
Businesses may push the Microsoft Store app to Intune using an Intune Connector setup to use the Microsoft Store For Business (), which is different than the consumer Microsoft Store (), which some companies block. Companies are given the option to publish two different types of apps, an "offline" (which wont update automatically via the store) and an "online" (should update via the store) version. The “online” version will update the app in Company Portal as well, so every time a user installs it from Company Portal, it’s the newest version.
(.dmg)
Keeper for Linux -
Keeper for Linux -
For file verification, Keeper Desktop SHA1 hashes are computed based on the most recent version and can be retrieved at the below URL:
Alternatively, for macOS end-users, Keeper Desktop can be configured using the standard macOS NSUserDefaults. Visit the following for more information.
Note that Keeper can automatically route your users to the proper enterprise tenant, SSO provider and data center based on the email domain that they type into the Keeper login form. If you are using SSO, make sure that the "Just In Time Provisioning" option is enabled in the SSO configuration. Also, ensure that your domain is , which means that typing anything @ yourcompany.com will get routed to the proper region.
