Fundamentals
Keeper Vaults and Master Passwords
To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a “Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – has access to a user’s master password.
The Master Password must adhere to the guidelines set by the Keeper Administrator, which can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes providing their recovery phrase, email verification and two-factor verification.
MSP Administrators and Technicians can also authenticate into Keeper using any configured SAML 2.0 Single Sign-On (SSO) provider.
Isolation of Managed Companies
Keeper MSP utilizes strict and secure data isolation between each Managed Company, at both the logical and encryption layer. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, ISO 27017, ISO 27018, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.
MSP Technicians exist at the root node level of the MSP’s system and have the ability to “launch” into each MC instance for administrative purposes. Any “local” admins set up in the MCs do not have this root level access to the MSP’s console or any of the MSP’s data. MCs are strictly isolated within their own organizational architecture and therefore cannot view or access another MC’s admin console or vault records.
Geographic SaaS Platform (US, EU, AU, GovCloud)
New MSP and Managed Company accounts are created in one of the US, EU, AU, JP or US_GOV geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.
Key Supplemental Functionality for MSPs
License Allocation & Consumption Billing
Keeper’s MSP Consumption Model allows MSPs and their Managed Companies (MC) to allocate Keeper licenses to their users and pay for used licenses at the beginning of the following month. Managed Companies can allocate their own licenses simply by adding users.
An MSP Admin can set an optional limit on the maximum number of licenses a Managed Company can allocate (by default, there is no limit).
Adding and Removing Secure Add-on Features
MSPs can add or remove Secure Add-on features at any time for internal use or for their managed companies. MSPs are provided with a monthly "Daily Average Usage Summary" which shows the number of units used to determine monthly charges. At the end of the month, average daily license counts are used to calculate the monthly charges for most add-on features.
Roles and Enforcement Policies
Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.
Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are available at the MSP level and MC level.
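The node-scoping rule above, modelled as an added example (not Keeper's code or data model; the `Node` class, the function names and the node names are assumptions constructed for illustration). It goes slightly beyond the text: `lowest_covering_node` finds the lowest node at which a role still covers a set of target nodes, which is the least-privilege placement, and returns nothing when the targets sit in separate trees.

```python
# Illustrative model only: not Keeper's API. All names here are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)  # identity comparison; avoids recursive field equality
class Node:
    name: str
    parent: Optional["Node"] = None
    children: list = field(default_factory=list)

    def add(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child


def can_see(admin_node: Node, target: Node) -> bool:
    """True if target is admin_node itself or lies below it in the tree."""
    cur = target
    while cur is not None:  # walk up from the target towards its root
        if cur is admin_node:
            return True
        cur = cur.parent
    return False  # sibling, ancestor, or a node in a different tree


def lowest_covering_node(targets):
    """Lowest node whose subtree contains every target, or None if there is none."""
    cur = targets[0]
    while cur is not None:
        if all(can_see(cur, t) for t in targets):
            return cur
        cur = cur.parent
    return None  # targets live in separate trees (e.g. two different MCs)


# Constructed sample trees: one tenant with regional nodes, plus a second tenant.
root = Node("Root")
emea = root.add("EMEA")
amer = root.add("AMER")
london = emea.add("London")
berlin = emea.add("Berlin")
other_root = Node("Other tenant root")

if __name__ == "__main__":
    print(can_see(emea, berlin), can_see(emea, amer))      # down: yes, sideways: no
    print(lowest_covering_node([london, berlin]).name)     # narrowest placement
```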
Administrative Permissions
For MSP administrators, an additional permission is provided to control the authorization of different operations:
An MSP technician who has the “Manage Companies” permission enabled can launch into an MC’s Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC’s Keeper Admin Console. There, they can set up the MC’s users, roles and teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor the MC’s password security through detailed event logging and reporting capabilities.
A separate “MSP Subscription Manager” role exists by default which allows an MSP Administrator to manage MSP internal subscriptions.
Teams and Shared Folders
Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.
This functionality can be leveraged by MSPs to set up passwords for use by their MC client:
A series of records with the URL, username, and an initial password could be set up by the MSP technician as the initial “owner.”
This folder could be shared with a user, or users at the client.
Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.
A common method of setting up folder structure is to create a folder in the vault e.g. "Customers". Within that folder, you can add any number of Shared Folders. Each Shared Folder can be shared among technicians or shared to a team. Example below:
Account Transfer
Organizations can enable the Account Transfer feature, which provides a “break glass” recovery mechanism for all records which are stored in a user’s vault if that user was to leave the organization. An admin can be designated to recover that user’s vault so critical access credentials are not lost, thus avoiding a lock out.
We recommend that Account Transfer is configured at the MSP level and also at the MC level. The user who receives the transferred vault must be local to the MC - vaults cannot be transferred to MSP staff.
Administrative Passthrough for Account Transfer
The MSP can configure administrative passthrough to grant MSP administrators the ability to transfer accounts within a managed company. This is accomplished by enabling the “Transfer Account” administrative permission in both the MSP and managed company “Keeper Administrator” roles. Then select the “Keeper Administrator” as the “Eligible role” as described in step 3 here.
The administrative passthrough mechanism requires use of the “default” Keeper Administrator role in the MC. Any user-created roles will NOT allow the passthrough to occur. User-created roles can only be used for vault transfer when initiated by an administrator local to the managed company.
Advanced Reporting and Alerts
Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all of which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:
Using KeeperFill for Apps in Remote Sessions
KeeperFill for Apps is a convenient tool for accessing information in your vault and filling into native applications or remote sessions.
Upon downloading the latest version of Keeper Desktop App, you will have full use of KeeperFill for Apps, available on both MacOS and Windows devices. Logging into the Keeper Desktop App will simultaneously log you into KeeperFill for Apps (and vice versa). The Keeper Desktop App can be closed but will remain running and can be accessed through your computer's menu bar (MacOS) or system tray (Windows) via the familiar Keeper icon.
Command-Line SDK
Keeper Commander, the command-line and Python/.NET/PowerShell SDK, provides special functionality for MSP technicians. Learn more about Keeper Commander here: https://docs.keeper.io/secrets-manager/commander-cli/overview
MSP-Specific commands
Keeper Commander allows the MSP technician to switch between MSP and Managed Company context to manage both internal and customer environments. MSP-specific commands include the following:
msp-down: Download the latest MSP data
msp-info: Display the MSP and MC configuration including MC identifiers for switch-to-mc
msp-license: View the current license allocation
msp-license-report: Run a historical license allocation report
switch-to-mc: Switch to managed company context
switch-to-msp: Switch back to MSP context
msp-add: Add a managed company
msp-remove: Remove a managed company
msp-convert-node: Convert an enterprise node into a managed company
For a full list of MSP Management Commands click here.
Looking for help with Commander? Email commander@keepersecurity.com.