Fundamentals

Keeper Vaults and Master Passwords

To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a “Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – has access to a user’s master password.

The Master Password must adhere to the guidelines enforced by the Keeper Administrator, which can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes providing their recovery phrase, email verification and two-factor verification.

MSP Administrators and Technicians can also authenticate into Keeper using any configured SAML 2.0 Single Sign-On (SSO) provider. If SSO is enabled, the user does not have a master password.

Isolation of Managed Companies

Keeper MSP utilizes strict and secure data isolation between each Managed Company (MC), at both the logical and encryption layers. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, ISO 27017, ISO 27018, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.

MSP Technicians exist at the root node level of the MSP’s system and have the ability to “launch” into each MC instance for administrative purposes. Any “local” admins set up in the MCs do not have this root level access to the MSP’s console or any of the MSP’s data. MCs are strictly isolated within their own organizational architecture and therefore cannot view or access another MC’s admin console or vault records.

Geographic SaaS Platform (US, EU, AU, GovCloud)

New MSP and Managed Company accounts are created in one of the US, EU, CA, AU, JP or US_GOV geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.

Key Supplemental Functionality for MSPs

License Allocation & Consumption Billing

Keeper’s MSP Consumption Model allows MSPs and their Managed Companies (MC) to allocate Keeper licenses to their users and pay for used licenses at the beginning of the following month. Managed Companies can allocate their own licenses simply by adding users.

An MSP Admin can set an optional limit on the maximum number of licenses a Managed Company can allocate (by default, there is no limit).

Adding and Removing Secure Add-on Features

MSPs can add or remove Secure Add-on features at any time for internal use or for their managed companies. MSPs are provided with a monthly "Daily Average Usage Summary" which shows the number of units used to determine monthly charges. At the end of the month, average daily license counts are used to calculate the monthly charges for most add-on features.

Roles and Enforcement Policies

Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.

Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are available at the MSP level and MC level.
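
The visibility rule above, modelled as an added example (not Keeper's code or data model): a role assigned at a node reaches that node and its descendants, never a sibling or a parent. The `Node` class, the helper names and the sample tree are assumptions made for illustration.

```python
# Added illustration, not Keeper's data model: node names are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(eq=False)
class Node:
    name: str
    parent: Optional["Node"] = field(default=None, repr=False)
    children: List["Node"] = field(default_factory=list, repr=False)

    def add(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child


def in_scope(role_node: Node, target: Node) -> bool:
    """True if target is role_node itself or one of its descendants."""
    cur: Optional[Node] = target
    while cur is not None:
        if cur is role_node:
            return True
        cur = cur.parent  # walk up only; siblings are never reached
    return False


def visible_nodes(role_node: Node) -> List[str]:
    """Names of every node a role assigned at role_node can see."""
    out, stack = [], [role_node]
    while stack:
        node = stack.pop()
        out.append(node.name)
        stack.extend(reversed(node.children))
    return out


def out_of_scope(grants: List[Tuple[str, Node, Node]]) -> List[str]:
    """Admins whose requested target lies outside their role's node."""
    return [admin for admin, role_node, target in grants
            if not in_scope(role_node, target)]


def build_sample_tree() -> Tuple[Node, Node, Node, Node]:
    root = Node("Root")
    emea, amer = root.add("EMEA"), root.add("AMER")
    helpdesk = emea.add("EMEA-Helpdesk")
    amer.add("AMER-Sales")
    return root, emea, amer, helpdesk
```

Running `out_of_scope` over an export of role assignments is a quick way to review whether any delegated admin has been scoped wider than intended.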

Administrative Permissions

For MSP administrators, an additional permission is provided to control the authorization of different operations:

An MSP technician who has the “Manage Companies” permission enabled can launch into an MC’s Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC’s Keeper Admin Console. There, they can set up the MC’s users, roles and teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor its password security through detailed event logging and reporting capabilities.

A separate “MSP Subscription Manager” role exists by default which allows an MSP Administrator to manage MSP internal subscriptions.

Teams and Shared Folders

Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.

This functionality can be leveraged by MSPs to set up passwords for use by their MC client:

  1. A series of records with the URL, username, and an initial password could be set up by the MSP technician as the initial “owner.”

  2. This folder could be shared with a user, or users at the client.

  3. Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.

A common method of setting up folder structure is to create a folder in the vault e.g. "Customers". Within that folder, you can add any number of Shared Folders. Each Shared Folder can be shared among technicians or shared to a team. Example below:

Account Transfer

Organizations can enable the Account Transfer feature, which provides a “break glass” recovery mechanism for all records stored in a user’s vault if that user were to leave the organization. An admin can be designated to recover that user’s vault so critical access credentials are not lost, thus avoiding a lockout.

We recommend that Account Transfer is configured at the MSP level and also at the MC level. The user who receives the transferred vault must be local to the MC; vaults cannot be transferred to MSP staff.

Administrative Passthrough for Account Transfer

The administrative passthrough mechanism requires use of the “default” Keeper Administrator role in the MC. Any user-created roles will NOT allow the passthrough to occur. User-created roles can only be used for vault transfer when initiated by an administrator local to the managed company.

Advanced Reporting and Alerts

Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all of which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:

Using KeeperFill for Apps in Remote Sessions

KeeperFill for Apps is a convenient tool for accessing information in your vault and filling it into native applications or remote sessions.

Command-Line SDK

MSP-Specific commands

Keeper Commander allows the MSP technician to switch between MSP and Managed Company context to manage both internal and customer environments. MSP-specific commands include the following:

  • msp-down: Download the latest MSP data

  • msp-info: Display the MSP and MC configuration including MC identifiers for switch-to-mc

  • msp-license: View the current license allocation

  • msp-license-report: Run a historical license allocation report

  • switch-to-mc: Switch to managed company context

  • switch-to-msp: Switch back to MSP context

  • msp-add: Add a managed company

  • msp-remove: Remove a managed company

  • msp-convert-node: Convert an enterprise node into a managed company

Looking for help with Commander? Email commander@keepersecurity.com.


The MSP can configure administrative passthrough to grant MSP administrators the ability to transfer accounts within a managed company. This is accomplished by enabling the “Transfer Account” administrative permission in both the MSP and managed company “Keeper Administrator” roles. Then select the “Keeper Administrator” as the “Eligible role” as described in step 3 here.

Upon downloading the latest version of the Keeper Desktop App, you will have full use of KeeperFill for Apps, available on both macOS and Windows devices. Logging into the Keeper Desktop App will simultaneously log you into KeeperFill for Apps (and vice versa). The Keeper Desktop App can be closed but will remain running and can be accessed through your computer's menu bar (macOS) or system tray (Windows) via the familiar Keeper icon.

Keeper Commander, the command-line and Python/.NET/PowerShell SDK, provides special functionality for MSP technicians. Learn more about Keeper Commander here: https://docs.keeper.io/secrets-manager/commander-cli/overview

For a full list of MSP Management Commands click here.