LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Overview
  • Benefits of Keeper Desktop App vs. Web Vault
  • Keeper Desktop Deployment
  • Installer Options
  • Additional Deployment Details
  • Microsoft Windows App Installer Distribution
  • Microsoft Windows .MSIX Distributions
  • Microsoft Windows .MSI Distributions
  • Windows Store
  • Intune
  • Keeper Desktop for Mac
  • Keeper Desktop for Linux
  • Checksum / Hash
  • Enterprise Configuration
  • Configuration Options
  • macOS User Defaults
  • macOS - Information Property List File
  • JSON Configuration File
  • Domain Routing Rules

Was this helpful?

Export as PDF
  1. Deploying Keeper to End-Users

Desktop Applications

Methods for deploying Keeper to user desktops

PreviousDeploying Keeper to End-UsersNextLaunch on Start Up

Last updated 3 months ago

Was this helpful?

Overview

Keeper offers users two different desktop vaults. The in the web browser, and the native application for Windows, Mac and Linux.

Benefits of Keeper Desktop App vs. Web Vault

The Keeper Desktop App has several benefits compared to the Keeper Web Vault such as:

  • Ability to automatically import existing passwords without additional component installation.

  • Automatically migrate from existing LastPass vaults.

  • Secure biometric login using Touch ID on compatible MacBook Pro computers.

  • Secure biometric login using Windows Hello (Windows 10).

  • Windows Hello for Business, including biometrics and smart card capabilities (Windows 10).

  • Increased performance.

  • Offline access using biometrics or master password (if permitted by Keeper Admin)

Keeper Desktop Deployment

Installer Options

  • Add-AppxPackage -AppInstallerFile .\KeeperPasswordManager.appinstaller

  • Command-line deployment:

    winget install 9N040SRQ0S8C --accept-package-agreements --accept-source-agreements

  • Add-AppxPackage -Path .\KeeperPasswordManager.msixbundle

  • Command-line deployment:

    msiexec.exe /i KeeperSetup32.msi /qn

Additional Deployment Details

Microsoft Windows App Installer Distribution

  • Supported Platforms: Windows 10 build 1803 or newer.

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*

  • Data Location: %localappdata%\Packages\KeeperSecurityInc.KeeperPasswordManager_xxx

  • Auto-Updates: Yes

  • Windows Hello: Yes

The appinstaller is just a lightweight wrapper around the msixbundle that enables auto-update functionality, which is checked on app launch. Due to including the auto-update feature, the appinstaller requires Windows 10 version 1803.

The appinstaller can be deployed with PowerShell like this:

Add-AppxPackage -AppInstallerFile .\KeeperPasswordManager.appinstaller

The contents of the KeeperPasswordManager.appinstaller file is below:

<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2" Version="16.6.0.0"
    Uri="https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.appinstaller">
    <MainBundle Name="KeeperSecurityInc.KeeperPasswordManager"
        Publisher="CN=Keeper Security Inc., O=Keeper Security Inc., L=Chicago, S=Illinois, C=US" Version="16.6.0.0"
        Uri="https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle" />
    <UpdateSettings>
        <OnLaunch HoursBetweenUpdateChecks="0" />
    </UpdateSettings>
</AppInstaller>

Microsoft Windows .MSIX Distributions

  • Supported Platforms: Windows 10 build 1703 or newer.

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*

  • Data Location: %appdata%\Keeper Password Manager\IndexedDB

  • Auto-Updates: No

  • Windows Hello: Yes

The msixbundle file is an appx bundle containing multiple architectures, currently x86 and x86_64 are supported. The asset requires at least Windows 10 version 1703 to install, and installs to C:\Program Files\WindowsApps with a package identity which enables additional features such as Windows Hello. The installed app is owned by TrustedInstaller.

Command-line deployment:

Add-AppxPackage -Path .\KeeperPasswordManager.msixbundle

Microsoft Windows .MSI Distributions

  • Supported Platforms: Windows 7, Windows 8, Windows 8.1, Windows 10

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\keeperpasswordmanager

  • Data Location: %appdata%\Keeper Password Manager\IndexedDB

  • Auto-Updates: No

  • Windows Hello: No

The MSI installer does not auto-update. This is to satisfy enterprise administrators who require complete control over application updates.

The MSI installer is 32-bit, and it has the best compatibility with older versions of Windows.

The MSI installer does not support Windows Hello.

The MSI can be silently installed from an elevated command prompt (otherwise it will silently fail at the unanswered Windows UAC prompt that never happens because it's a silent install) in this way:

msiexec.exe /i KeeperSetup32.msi /qn

The MSI installer does not allow selecting the installation location to mitigate a security weakness whereby an administrator can install the application in a location, such as C:\ where non-privileged users have access to modify or replace the binary. Instead, the MSI installer always installs to %programfiles%.

Windows Store

  • Supported Platforms: Windows 10 build 1803 or newer.

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*

  • Auto-Updates: Yes (via Microsoft Store)

  • Windows Hello: Yes

The Windows Store build is almost identical to the normal msixbundle, but has a different app identity which is assigned by the Microsoft Store. Updates are managed by the Microsoft Store, and the app is also installed to C:\Program Files\WindowsApps and is owned by TrustedInstaller.

The desktop app is able to be installed silently from the Microsoft Store using Microsoft's package manager winget:

winget install 9N040SRQ0S8C --accept-package-agreements

Intune

Keeper Desktop for Mac

Minimum Requirements:

Mac OS 10.10+ with Intel or Apple M1 ARM-based processor, 64-bit. 512MB RAM. Keeper Desktop for Mac contains a universal installer which is optimized for both chipsets.

Auto-Updates: Yes

Download Link:

Keeper Desktop for Linux

Minimum Requirements:

Fedora 28 or above Ubuntu LTS releases 16.04 or above Red Hat Enterprise Linux 7.0 or above CentOS version 7.3 and above Debian 8 and above Hardware: 512MB RAM

Auto-Updates: No

Download Links:

Checksum / Hash

Enterprise Configuration

Keeper supports Enterprise Configuration settings to control the end-user experience.

Configuration Options

Key
Type
Description

DomainName

String

Enterprise SSO Domain to pre-populate on app launch.

Region

String

Region identifier where your Keeper tenant is hosted. Must be one of ("us", "eu", "au", "usg")

HideCreateAccount

Boolean

Hides the Create Account button from the start page

UseDefaultBrowserForSSO

Boolean

Routes the user to their default web browser for SSO authentication instead of using a popup window.

macOS User Defaults

Keeper Desktop can be configured using standard macOS NSUserDefaults objects using the com.keepersecurity.passwordmanager domain. If your MDM solution is able to push macOS user defaults, you can use this method for enforcing configuration settings. Note the capital letter on the key value.

Testing the Config

You can test the configuration on the local machine using the below commands:

defaults write com.keepersecurity.passwordmanager <key> <value>

For example:

defaults write com.keepersecurity.passwordmanager \
    DomainName mycompany.co.uk

defaults write com.keepersecurity.passwordmanager \
    Region eu
    
defaults write com.keepersecurity.passwordmanager \
    HideCreateAccount -bool true
    
defaults write com.keepersecurity.passwordmanager \
    UseDefaultBrowserForSSO -bool true

macOS - Information Property List File

Keeper Desktop's mac app bundle has an Information Property List File, Info.plist, which contains key-value pairs that identify and configure a bundle.

Finding the App Bundle ID and App Version

The following keys in Information Property List file contains the values for the App Bundle ID and App Version:

CFBundleIdentifier: App Bundle ID

CFBundleShortVersionString: App Version

To find the values of the above keys, you need to access the Information Property List File, Info.plist, and find the corresponding values.

Location of Info.plist after mounting DMG file:

<app_name>.app/Contents/Info.plist file

Alternatively, you can run the defaults read command:

defaults read /Applications/<app_name>.app/Contents/Info.plist <key>

For the Keeper Desktop App, running the following commands would give you the App Bundle ID and Version:

defaults read /Applications/Keeper\ Password\ Manager.app/Contents/Info.plist CFBundleIdentifier
com.keepersecurity.passwordmanager

defaults read /Applications/Keeper\ Password\ Manager.app/Contents/Info.plist CFBundleShortVersionString
16.8.9

JSON Configuration File

All Windows, macOS and Linux end-user installations can be configured by using a UTF-8 encoded JSON file placed in the user's home folder under ".keeper/desktop.config.json". Note the identifiers are using camel case for JSON defaults with a lowercase on the first letter.

Example File

{ "domainName": "MyCompany.com", "region": "us", "hideCreateAccount" : true, "useDefaultBrowserForSSO" : true }

macOS End Users

The desktop.config.json file must be UTF-8 encoded.

From your text editor, in File > Save As...

  • In the "Save as type" drop-down, select All Files.

  • In the "Encoding" drop-down, select UTF-8.

  • Ensure the name of the file is desktop.config.json

Domain Routing Rules

If the routing of user to the proper region and SSO is not working correctly for you, please open a support ticket.

Ability to Autofill and auto-type passwords into native apps using feature.

Keeper Desktop is a cross-platform native desktop application for Windows, MacOS and Linux. Several installer files are provided at the links below. For additional details on each package, see the section below.

Windows 10 AppInstaller (64 and 32-bit, supports Windows Hello) [] Command-line deployment:

Microsoft Store Version (64 and 32-bit, supports Windows Hello) []

Windows 10 MSIX Installer: [] (Note: MSIX does not auto-update) Command-line deployment:

Windows 10 MSI Installer: [] (Note: MSI does not auto-update, no support for Windows Hello)

Mac OS .dmg []

Mac App Store [] (Note: does not support iCloud Keychain import)

Linux Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint: (Please refer to the below Download Page for the latest links) []

Password Importer Standalone (Windows 10): []

Password Importer Standalone (Mac OS): []

Installer: []

Users download a small appinstaller file that automatically fetches the msixbundle from . It otherwise behaves the same as the MSIX install.

Install Link: []

Install Link: []

The Keeper .MSI installer utilizes Microsoft Msiexec. Standard switches are documented here:

Install Link: []

Businesses may push the Microsoft Store app to Intune using an Intune Connector setup to use the Microsoft Store For Business (), which is different than the consumer Microsoft Store (), which some companies block. Companies are given the option to publish two different types of apps, an "offline" (which wont update automatically via the store) and an "online" (should update via the store) version. The “online” version will update the app in Company Portal as well, so every time a user installs it from Company Portal, it’s the newest version.

(.dmg)

Keeper for Linux -

Keeper for Linux -

For file verification, Keeper Desktop SHA1 hashes are computed based on the most recent version and can be retrieved at the below URL:

Alternatively, for macOS end-users, Keeper Desktop can be configured using the standard macOS NSUserDefaults. Visit the following for more information.

Note that Keeper can automatically route your users to the proper enterprise tenant, SSO provider and data center based on the email domain that they type into the Keeper login form. If you are using SSO, make sure that the "Just In Time Provisioning" option is enabled in the SSO configuration. Also, ensure that your domain is , which means that typing anything @ yourcompany.com will get routed to the proper region.

KeeperFill for Apps
Install Link
Microsoft Store Link
MSIX Installer Link
MSI Installer Link
Install Link (.dmg)
Mac App Store Link
Download Page Link
Install Link (.exe)
Install Link
Install Link
https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle
MSIX Installer Link
MSI Installer Link
https://docs.microsoft.com/en-us/windows/desktop/msi/standard-installer-command-line-options
Microsoft Store Link
businessstore.microsoft.com
apps.microsoft.com
Keeper for Mac
Mac App Store
Fedora, Red Hat and CentOS
Debian, Ubuntu and Linux Mint
https://keepersecurity.com/desktop_electron/SHASUM256.txt
reserved
Additional Deployment Details
section
Keeper Web Vault
Keeper Desktop