# MSP Best Practices

## Overview

This document provides best practice information regarding the setup and configuration of your Keeper MSP tenant.

## Administrative access

### MSP

It is very important to maintain at least two users within the root node with full administrative access to the Keeper Administration Console. If an admin gets locked out of the admin interface due to a forgotten password, an SSO service failure, enforcement policy settings, etc., the second account will be needed to assist in recovery. Due to the zero knowledge encryption model, Keeper's support staff members have no way of correcting a situation in which all MSP root administrators are unable to log in.

### **Client (Managed Company)**

Certain configurations require an administrative account within the MC tenant. For example, SSO Connect Cloud and Keeper Bridge services require an account with administrative permission within a Managed Company. The account is needed to bind the provisioning method to the MC instance.

## **Roles**

### **Naming**

It's a good practice to only create as many roles as necessary and to name them for their functionality. For example, you have a team of traveling salespeople who require offline access. It's far better to name the role "Enable offline access" than "Traveling sales people". This way, when you have an access issue six months down the road, you can easily tell what each role does as opposed to who it's for.

### **Stacking Roles**

Stacking multiple roles against the same user and/or team is a common practice. Please keep in mind that the user will always get the least permissive / most restrictive outcome of the combined rules: a restriction set in any one of the stacked roles applies.
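The following is an added illustration of the "most restrictive outcome" rule and is not Keeper's own implementation: the policy names, their value types and the two sample roles are assumptions constructed for the example. It resolves a user's stacked roles to the effective enforcement set, treating a policy that a role does not set as "no opinion".

```python
"""Illustrate how stacked role enforcements resolve to the most restrictive
outcome. Added example; the policy model below is an assumption, not
Keeper's actual enforcement engine."""
from collections import defaultdict

# How each policy combines across roles (assumed model for this example):
#   "require" - boolean; True wins  (a requirement in any role applies)
#   "allow"   - boolean; False wins (a restriction in any role applies)
#   "minimum" - integer; the largest value wins (strictest threshold)
POLICY_KIND = {
    "require_2fa": "require",
    "can_export": "allow",
    "offline_access": "allow",
    "master_password_min_length": "minimum",
}

# Constructed sample roles (hypothetical names and settings).
DEFAULT_ROLE = {          # applied to every newly provisioned user
    "require_2fa": True,
    "can_export": False,
    "master_password_min_length": 12,
}
OFFLINE_ACCESS_ROLE = {   # stacked on top for the traveling sales team
    "offline_access": True,
    "can_export": True,   # more permissive, but the default role still wins
    "master_password_min_length": 16,
}


def resolve(role_enforcements: list[dict]) -> dict:
    """Combine the enforcement dicts of every role assigned to a user.

    A policy absent from a role is treated as not enforced by that role,
    so only roles that set a value take part in the comparison.
    """
    merged: dict = {}
    for enforcements in role_enforcements:
        for name, value in enforcements.items():
            kind = POLICY_KIND[name]  # unknown policy names raise KeyError
            if name not in merged:
                merged[name] = value
            elif kind == "require":
                merged[name] = merged[name] or value
            elif kind == "allow":
                merged[name] = merged[name] and value
            elif kind == "minimum":
                merged[name] = max(merged[name], value)
    return merged


def explain(role_enforcements: list[dict]) -> dict:
    """For each effective policy, list the roles that set it, to help
    troubleshoot 'why is this user restricted?' questions."""
    sources = defaultdict(list)
    for idx, enforcements in enumerate(role_enforcements):
        for name in enforcements:
            sources[name].append(idx)
    return dict(sources)


if __name__ == "__main__":
    effective = resolve([DEFAULT_ROLE, OFFLINE_ACCESS_ROLE])
    for policy, value in sorted(effective.items()):
        print(f"{policy:28s} -> {value}")
    print(explain([DEFAULT_ROLE, OFFLINE_ACCESS_ROLE]))
```

Note that `can_export` ends up disabled even though the offline-access role allows it, and the stricter master password length wins; this is exactly why naming roles for their function makes such outcomes easy to trace.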

### **Default Role**

It's a good practice to create a default role to host newly provisioned users. This is especially helpful when using a Just-In-Time advanced provisioning method. This way you know exactly which enforcement settings will be applied when new users are provisioned. Common default settings include master password complexity and 2FA requirements. This way you are assured that all user vaults are secured at first login.

### Role Templating

As your managed company (MC) and user count increases, so does the overhead of managing access control. For this reason it's a good practice to develop a set of standardized roles to use across the entire client base. This way, no matter which MC you are administering, you are ensured access control is consistent across the enterprise.

## **Account Transfer**

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. This is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. To preserve Keeper's Zero Knowledge infrastructure, the key exchange occurs when the user logs into their vault. Therefore, Account Transfer must be configured before a user's account can be transferred.

A successful transfer requires that the user has logged in at least once after the policy was enabled and prior to the transfer action. When a user leaves the organization, an administrator with the proper Administrative Permissions can transfer the user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within the user's vault while retaining a secure role-based hierarchy in the organization.

[Learn More](https://docs.keeper.io/en/enterprise-guide/account-transfer-policy) about the Account Transfer policy.

## Team Sharing & Share Folders

Prior to Vault version 16.8, MSP users could only share records and folders to individuals within the Managed Companies. Vault version 16.8 and newer provides MSPs with the ability to share folders directly from the MSP vault to entire Teams within the managed company.

From the MSP vault, it is recommended to create a Private Folder at the root level, for example "Clients". Within the private folder, add a Shared Folder for every managed company that you wish to share with. Within each Shared Folder, create subfolders that break down and categorize the information.

An example of this structure in the MSP Vault can be seen below:

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2Fq82KSlxoVywbU1Ke5FsF%2FScreenshot%202022-09-19%20at%204.15.06%20PM.jpg?alt=media&#x26;token=ee17dbe5-35ea-4a09-aec7-5e8dd878a216" alt=""><figcaption><p>Recommended MSP Vault Structure</p></figcaption></figure>

From the Shared Folder "Edit" screen, click on the "Users" tab to share the folder with MSP users or directly with the Managed Company (if desired). In the "Email or team name" field, you can select a team from your MSP tenant, or from the managed company tenant.

<figure><img src="https://4290574019-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LO5CAzpxoaEquZJBpYz%2Fuploads%2FNvFkqdzyGVpEHCkmr543%2FScreenshot%202022-09-19%20at%204.16.31%20PM.jpg?alt=media&#x26;token=99c50795-1a07-4f9a-b377-f69febb91eb0" alt=""><figcaption><p>Sharing to Managed Company Teams</p></figcaption></figure>

## **Enforcement Policies**

Below is a list of recommended Enforcement Policies. The following is applicable to your MSP technicians and managed company end-users.

| Location                        | Policy Name                                                                                                                                                  | Recommended Setting  | Notes                                                         |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- | ------------------------------------------------------------- |
| Two-Factor Authentication       | Require the use of Two-Factor Authentication                                                                                                                 | Enable (Toggle On)   | -                                                             |
| Vault Features (bottom of page) | <p>Under "Retention of Deleted Records"<br><br>Day(s) before records can be cleared permanently<br><br>Day(s) before deleted records automatically purge</p> | Enable both settings | Set retention to 365 days (recommended)                       |
| Import and Export               | Can export from vault                                                                                                                                        | Disable (Unchecked)  | Prevents users from taking passwords when they leave          |
| Transfer Account                | Enable Account Transfer                                                                                                                                      | Enable (Toggle On)   | Very important; recommended for every user regardless of role |

For more details regarding role-based enforcement policies, see [this page](https://docs.keeper.io/en/enterprise-guide/roles/enforcement-policies).

{% hint style="danger" %}
As an MSP, it is critical that the vault transfer policy is enabled. Otherwise, you run the risk of users getting locked out of the platform and losing access to their vault if they forget their master password and account recovery questions.
{% endhint %}

## **Advanced Reporting and Alerts (ARAM)**

Below is a list of recommended Reports and Alerts to build within the MSP Admin Console.

<table><thead><tr><th width="210.390625">Name</th><th>Event Types to Select</th></tr></thead><tbody><tr><td><strong>Managed Company Changes (Report)</strong></td><td><strong>Under "Event Types"</strong> → <strong>"MSP"</strong><br>Select all events</td></tr><tr><td><strong>Admin Activity (Report)</strong></td><td><p><strong>Under "Event Types"</strong> → <strong>"Security"</strong></p><p>Disabled Two-Factor Auth; Created User; Invited User; Transferred Vault; Added User to Role<br><br><strong>Under "Event Types"</strong> → <strong>"Policy Change"</strong></p><p>Created Node; Deleted Node; Created Team; Deleted Team; Created Report; Deleted Report; Created Alert; Deleted Alert<br><br><strong>Under "Event Types"</strong> → <strong>"General Usage"</strong><br>Emptied Trash Bin; Imported Records; Exported Records<br><br><strong>Under "Event Types"</strong> → <strong>"MSP"</strong><br>Increased Number of Seats; Decreased Number of Seats; Changed MC Plan; Paused Managed Company; Removed Managed Company; Deleted Managed Company<br><br><strong>Under "Users"</strong><br>Select all admins</p></td></tr><tr><td><strong>BreachWatch (Alert)</strong></td><td><p><strong>Under "Event Types" → "BreachWatch"</strong></p><p>BreachWatch detected high-risk record password; User ignored detected high-risk record password<br><br><strong>Under "Attributes"</strong></p><p>Email Addresses → Select all</p><p>Alert Frequency → Every occurrence (recommended)</p></td></tr><tr><td><strong>Brute Force Attack Watch (Alert)</strong></td><td><p><strong>Under "Event Types" → "Security"</strong></p><p>Failed Console Login<br><br><strong>Under "Event Types" → "Login"</strong></p><p>Failed Login<br><br><strong>Under "Attributes"</strong></p><p>Email Addresses → Select all<br>Alert Frequency → Every 5 occurrences</p></td></tr><tr><td><strong>Paused Companies (Alert)</strong></td><td><strong>Under "Event Types" → "MSP"</strong><br>Paused Managed Company<br><br><strong>Under "Attributes"</strong><br>Email Addresses → Select all<br>Alert Frequency → Every occurrence (recommended)</td></tr></tbody></table>

For more information about Keeper event reporting and alerts, see [this page](https://docs.keeper.io/en/enterprise-guide/event-reporting).

{% hint style="info" %}
These same reports and alerts can be set at the Managed Company level, if desired, as long as the MC is part of a plan that includes ARAM (Business Plus and Enterprise Plus licenses only).
{% endhint %}
