Enterprise Guide
© 2025 Keeper Security, Inc.

MSP Best Practices

Keeper MSP Best Practices and General Recommendations

Overview

This document provides best practice information regarding the setup and configuration of your Keeper MSP tenant.

Administrative access

MSP

It is very important to maintain at least two users in the root node with full administrative access to the Keeper Admin Console. If one admin is locked out of the console because of a forgotten master password, an SSO service failure, an enforcement policy setting, or similar, the second account is needed to recover. Because of Keeper's zero-knowledge encryption model, Keeper support staff have no way to recover a tenant in which every MSP root administrator is unable to log in.

Client (Managed Company)

Certain configurations require an administrative account within the Managed Company (MC) tenant. For example, SSO Connect Cloud and the Keeper Bridge service each require an account with administrative permission inside the Managed Company, because that account is what binds the provisioning method to the MC instance.

Roles

Naming

It is good practice to create only as many roles as necessary and to name each one for what it enforces rather than for whom it is intended. For example, suppose you have a team of travelling sales people who require offline access. It is far better to name the role “Enable offline access” than “Travelling sales people”. When an access issue comes up six months later, you can tell at a glance what each role does instead of having to work out who it was created for.

Stacking Roles

Stacking multiple roles on the same user and/or team is common practice. Keep in mind that enforcement settings do not add up in the user's favour: for each setting, the effective value is the most restrictive one found across all the roles the user holds, so adding a more permissive role never loosens a restriction imposed by another role.
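The following is an added illustration for this guide, not Keeper's own code. It models the rule above as a small resolver: each enforcement setting has a "which value is stricter" rule, every role the user holds is folded in, and the resolver also records which role tightened each setting, which is what you need when debugging an access issue months later. The setting names (require_2fa, allow_export, allow_offline_access, min_master_password_length, logout_timer_minutes), the defaults and the per-setting merge rules are assumptions chosen for the illustration, not Keeper's real enforcement keys.

```python
"""Illustrative resolver for stacked roles.

Added example for this guide, not Keeper's implementation. It models the
rule that a user who holds several roles gets, for every setting, the most
restrictive value any of those roles specifies. The setting names, defaults
and the "which value is stricter" rule for each setting are assumptions.
"""

from dataclasses import dataclass, field

# How two values of the same setting combine so that the stricter one wins:
# "require_*" booleans: True wins (any role that requires it, requires it).
# "allow_*" booleans:   False wins (any role that forbids it, forbids it).
# minimum lengths:      the larger minimum wins.
# idle timeouts:        the shorter timeout wins.
RESTRICTIVE_MERGE = {
    "require_2fa": lambda a, b: a or b,
    "allow_export": lambda a, b: a and b,
    "allow_offline_access": lambda a, b: a and b,
    "min_master_password_length": max,
    "logout_timer_minutes": min,
}

# Least restrictive baseline, used for any setting no role specifies (assumed).
DEFAULTS = {
    "require_2fa": False,
    "allow_export": True,
    "allow_offline_access": True,
    "min_master_password_length": 12,
    "logout_timer_minutes": 60,
}


@dataclass
class Role:
    name: str
    enforcements: dict = field(default_factory=dict)


def effective_policy(roles):
    """Merge the enforcements of every role a user holds.

    Returns (policy, source): the effective value of each setting and the
    name of the role that tightened it to that value ("(default)" if no
    role did). Roles are processed in order, so when two roles specify the
    same restrictive value the first one is the one reported.
    """
    policy = dict(DEFAULTS)
    source = {key: "(default)" for key in DEFAULTS}
    for role in roles:
        for key, value in role.enforcements.items():
            if key not in RESTRICTIVE_MERGE:
                raise KeyError(f"{role.name}: unknown enforcement setting {key!r}")
            merged = RESTRICTIVE_MERGE[key](policy[key], value)
            if merged != policy[key]:
                source[key] = role.name
            policy[key] = merged
    return policy, source


if __name__ == "__main__":
    default_role = Role("Default (new users)", {
        "require_2fa": True,
        "min_master_password_length": 16,
        "allow_offline_access": False,
    })
    offline = Role("Enable offline access", {"allow_offline_access": True})
    no_export = Role("Block vault export", {"allow_export": False,
                                            "logout_timer_minutes": 15})

    # Stacking a permissive role on top of a restrictive one loosens nothing:
    # offline access stays off, and `source` shows which role is responsible.
    policy, source = effective_policy([default_role, offline, no_export])
    for key in policy:
        print(f"{key:28} {str(policy[key]):6} <- {source[key]}")
```

The practical consequence the sample run shows: a user in both the default role (offline access off) and “Enable offline access” still has no offline access. Under most-restrictive stacking the only way to grant something the default role forbids is to keep that user out of the forbidding role, which is why the default role should carry only the baseline every user must have.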

Default Role

It is good practice to create a default role to hold newly provisioned users. This is especially helpful when you use an advanced Just-In-Time provisioning method, because it means you know exactly which enforcement settings apply the moment a new user is provisioned. Common default settings include master password complexity and a 2FA requirement, which ensures that every user vault is secured from the first login.

Role Templating

As your managed company (MC) and user counts increase, so does the overhead of managing access control. For this reason it is good practice to develop a set of standardized roles and use them across the entire client base. That way, no matter which MC you are administering, access control is consistent across the enterprise.

Account Transfer

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the rollout. The reason is that Account Transfer relies on encryption keys being shared with the users who have rights to perform the transfer, and because of Keeper's zero-knowledge architecture that key exchange can only happen client-side, when the user logs into their vault. Account Transfer must therefore already be configured before any account needs to be transferred.

A successful transfer requires that the user has logged in at least once (so that the key exchange described above has taken place) before the transfer is attempted. When a user leaves the organization, an administrator with the proper administrative permissions can transfer that user's vault to another user within the organization. Account transfer is an important and powerful way to take ownership of the content in a departed user's vault while retaining a secure role-based hierarchy in the organization. For the policy details, see the Account Transfer Policy page of this guide.

Team Sharing & Share Folders

Prior to Vault version 16.8, MSP users could only share records and folders to individuals within the Managed Companies. Vault version 16.8 and newer provides MSPs with the ability to share folders directly from the MSP vault to entire Teams within the managed company.

From the MSP vault, it is recommended to create a Private Folder at the root level, for example "Clients". Within the private folder, add a Shared Folder for every managed company that you wish to share with. Within each Shared Folder, create subfolders that break down and categorize the information.

An example of this structure in the MSP Vault:

[Figure: Recommended MSP Vault Structure]

From the Shared Folder “Edit” screen, click the “Users” tab to share the folder with MSP users or directly with the Managed Company. In the “Email or team name” field you can select a team from your MSP tenant or from the managed company tenant.

[Figure: Sharing to Managed Company Teams]

Enforcement Policies

Below is a list of recommended Enforcement Policies. They apply both to your MSP technicians and to managed company end-users.

  • Require Use of 2FA: toggle to enable. Located under “Two-Factor Authentication”.
  • Purging Deleted Records: enable both “Days before records can be cleared permanently” and “Days before deleted records automatically purge”; we recommend 365 days for each. Located under “Vault Features” at the bottom of the page.
  • Prevent exporting of records from Web Vault and Desktop App: toggle to enable. This stops technicians from walking away with client passwords if they leave. Located under “Sharing and Uploading”.
  • Transfer Account: toggle to enable. Very important and recommended for every user, regardless of role. Located under “Transfer Account”.

As an MSP, it is critical that the vault transfer policy is enabled. Otherwise you run the risk of users being locked out of the platform and losing access to their vault if they forget both their master password and their account recovery answers, with no way for you to take over the vault contents. For more details on role-based enforcement policies, see the Enforcement Policies page under Roles, RBAC and Permissions.

Advanced Reporting and Alerts (ARAM)

Below is a list of recommended Reports and Alerts to build within the MSP Admin Console:

  • (Report) Managed Company Changes:
    • Event types to select:
      • Under “MSP”: select all.
    • Select the desired time range and click Save.
  • (Report) Admin Activity:
    • Under “Users”: select all admins.
    • Event types to select:
      • Under “Security”: Disabled Two Factor, Created User, Invited User, Transferred Vault, Added User to a Role.
      • Under “Policy Change”: Created Node, Deleted Node, Created Team, Deleted Team, Created Report, Deleted Report, Created Alert, Deleted Alert.
      • Under “General Usage”: Emptied Trash Bin, Imported Records, Exported Records.
      • Under “MSP”: Increased Number of Seats, Decreased Number of Seats, Changed Plan, Paused Managed Company, Removed Managed Company, Deleted Managed Company.
    • Select the desired time range and click Save.
  • (Alert) BreachWatch Alerts:
    • Event types to select:
      • Under “BreachWatch”: BreachWatch detected high-risk record password, User ignored detected high-risk password.
    • Under “Attributes”: select “Email Addresses” and select all.
    • Choose the desired alert frequency (we suggest every occurrence).
    • To notify additional people, select “Recipients” and click Add. Click Save.
  • (Alert) Brute Force Attack Watch:
    • Event types to select:
      • Under “Security”: Failed Console Login.
      • Under “Login”: Failed Login.
    • Under “Attributes”: select “Email Addresses” and select all.
    • Under “Alert Frequency”: set Number of Events to every 5 occurrences.
    • To notify additional people, select “Recipients” and click Add. Click Save.
  • (Alert) Paused Companies:
    • Event type to select:
      • Under “MSP”: Paused Managed Company.
    • Under “Attributes”: select “Email Addresses” and select all.
    • Choose the desired alert frequency (we suggest every occurrence).
    • To notify additional people, select “Recipients” and click Add. Click Save.
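The “Brute Force Attack Watch” alert above fires on every fifth failed login. If you also forward Keeper events to a SIEM (see the Reporting, Alerts & SIEM section), you will want the same threshold logic on that side so the two do not disagree. The block below is an added example for this guide, not Keeper's code: it runs the rule over a constructed JSON-lines export. The field names (audit_event, username, created, remote_address), the event names login_failure and console_login_failure, and counting per account rather than tenant-wide are all assumptions standing in for whatever your actual export carries.

```python
"""Threshold alert for failed logins, modelled on the "Brute Force Attack
Watch" alert (Failed Login / Failed Console Login, every 5 occurrences).

Added example for this guide, not Keeper's code. The event field names,
event names and per-account counting are assumptions; adjust them to the
schema your SIEM actually receives.
"""

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILED_LOGIN_EVENTS = {"login_failure", "console_login_failure"}  # assumed names
THRESHOLD = 5  # "Every 5 occurrences"

# Constructed sample export (not real Keeper data): ten failures for tech1
# (one with mixed-case address), four for tech2 followed by a success, and
# one console failure for an admin. One JSON object per line, as a SIEM feed.
_BASE = datetime(2025, 3, 1, 8, 0, 0, tzinfo=timezone.utc)
_ROWS = (
    [("login_failure", "tech1@example.com", i, "203.0.113.9") for i in range(1, 10)]
    + [("login_failure", "Tech1@Example.com", 10, "203.0.113.9")]
    + [("login_failure", "tech2@example.com", i, "198.51.100.7") for i in range(11, 15)]
    + [("login_success", "tech2@example.com", 15, "198.51.100.7"),
       ("console_login_failure", "admin@example.com", 16, "192.0.2.44")]
)
SAMPLE_EXPORT = "\n".join(
    json.dumps({
        "audit_event": event,
        "username": user,
        "created": (_BASE + timedelta(seconds=offset)).isoformat().replace("+00:00", "Z"),
        "remote_address": ip,
    })
    for event, user, offset, ip in _ROWS
)


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["created"] = datetime.fromisoformat(ev["created"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def failed_login_alerts(events, threshold=THRESHOLD):
    """Emit one alert per `threshold` failed logins for each account.

    Events are processed in timestamp order and usernames are normalised so
    case variants of the same address count together. Successful logins do
    not reset the count: this mirrors the console setting "Number of Events
    > every N occurrences", not a lockout window.
    """
    counts = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e["created"]):
        if ev.get("audit_event") not in FAILED_LOGIN_EVENTS:
            continue
        user = ev["username"].strip().lower()
        counts[user] += 1
        if counts[user] % threshold == 0:
            alerts.append({
                "username": user,
                "count": counts[user],
                "last_seen": ev["created"],
                "last_source_ip": ev.get("remote_address"),
            })
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(parse_events(SAMPLE_EXPORT)):
        print(f"ALERT {alert['username']}: {alert['count']} failed logins, "
              f"last from {alert['last_source_ip']} at {alert['last_seen']:%Y-%m-%d %H:%M:%S}")
```

On the sample data only tech1 trips the alert (at the fifth and tenth failure); tech2 stops at four and the admin at one. Lowering the threshold is the knob to turn if you find that real attackers spread attempts across many accounts and never reach five on any single one.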

These same reports and alerts can also be configured at the Managed Company level, as long as the MC is on a plan that includes ARAM (Business Plus and Enterprise Plus licenses only). For more information about Keeper event reporting and alerts, see the Reporting, Alerts & SIEM section of this guide.


Last updated 2 months ago
