LogoLogo
Enterprise Guide
Enterprise Guide
  • Getting Started
  • Start Your Trial
  • Resources
  • Keeper for Teams and Small Business
  • Keeper Enterprise
  • Implementation Overview
  • Domain Reservation
  • Deploying Keeper to End-Users
    • Desktop Applications
      • Launch on Start Up
    • Forcefield
    • Browser Extension (KeeperFill)
      • Mac
        • PLIST (.plist) Policy Deployment
          • Jamf Pro Policy Deployment - Chrome
          • Microsoft Intune Policy Deployment - Chrome
      • Linux
        • JSON Policy Deployment - Chrome
      • Windows
        • Group Policy Deployment - Chrome
        • Group Policy Deployment - Firefox
        • Group Policy Deployment - Edge
        • SCCM Deployment - Chrome
        • Intune - Chrome
        • Intune - Edge
        • Edge Settings Policy
        • Chrome Settings Policy
      • Virtual Machine Persistence
    • Mobile Apps
      • IBM MaaS360
    • Optional Deployment Tasks
    • IE11 Trusted Sites
  • End-User Guides
  • Keeper Admin Console Overview
  • Nodes and Organizational Structure
  • Risk Management Dashboard
  • User and Team Provisioning
    • Custom Invite and Logo
      • Custom Email - Markdown Language
    • Simple Provisioning through the Admin Console
    • Active Directory Provisioning
    • LDAP Provisioning
    • SSO JIT (Just-in-Time) Provisioning
    • Okta Provisioning
    • Entra ID / Azure AD Provisioning
    • Google Workspace Provisioning
    • JumpCloud Provisioning
    • CloudGate Provisioning
    • OneLogin Provisioning
    • Microsoft AD FS Provisioning
    • API Provisioning with SCIM
      • Using SCIM API Provisioning
    • Team and User Approvals
    • Email Auto-Provisioning
    • CLI Provisioning with Commander SDK
  • SSO / SAML Authentication
  • User Management and Lifecycle
  • Email Address Changes
  • Roles, RBAC and Permissions
    • Enforcement Policies
    • Security Keys
  • Delegated Administration
  • Account Transfer Policy
  • Teams (Groups)
  • Sharing
    • Record and File Sharing
    • Shared Folders
    • PAM Resource Sharing
    • One-Time Share
    • Share Admin
    • Time-Limited Access
    • Self-Destructing Records
    • Hiding Passwords
  • Creating Vault Records
  • Importing Data
  • Record Types
  • Two-Factor Authentication
  • Storing Two-Factor Codes
  • Security Audit
    • Security Audit Score Calculation
  • BreachWatch (Dark Web)
  • Secure File Storage & Sharing
  • Reporting, Alerts & SIEM
    • Event Descriptions
    • Splunk
    • Sumo Logic
    • Exabeam (LogRhythm)
    • Syslog
    • QRadar
    • Azure Monitor
    • Azure Sentinel
    • AWS S3 Bucket
    • Devo
    • Datadog
    • Logz.io
    • Elastic
    • Firewall Configuration
    • On-site Commander Push
  • Recommended Alerts
  • Webhooks
    • Slack Webhooks
    • Teams Webhooks
    • Amazon Chime Webhooks
    • Discord Webhooks
  • Compliance Reports
  • Vault Offline Access
  • Secrets Manager
  • Commander CLI
  • Keeper Connection Manager
  • KeeperPAM Privileged Access Manager
  • Keeper Forcefield
  • KeeperChat
  • Keeper MSP
    • Free Trial
    • Getting Started
    • Fundamentals
    • Consumption-Based Billing
      • Secure Add-Ons
      • Existing MSP Admins
    • Onboarding
    • PSA Billing Reconciliation
    • Join the Slack Channel
    • Next Steps
    • Offboarding
    • Commander CLI/SDK
    • Account Management APIs
    • Provision Family Plans via API
    • MSP Best Practices
  • Free Family License for Personal Use
    • Provision Family plans via API
    • Provision Student plans via API
    • API Troubleshooting
      • API Parameters
      • API Response Codes
      • API Explorer - Swagger
  • Keeper Security Benchmarks and Recommended Security Settings
  • IP Allow Keeper
  • Keeper Encryption and Security Model Details
  • Developer API / SDK Tools
  • On-Prem vs. Cloud
  • Authentication Flow V3
  • Migrating from LastPass
  • Training and Support
  • Keeper SCORM Files for LMS Modules
  • Docs Home
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Login to the KeeperMSP Administrative Console
  • Setting Up Your Administrators and Technicians
  • Automated / Advanced Provisioning
  • Adding a Managed Company (MC)
  • MSP Base Plans
  • MSP Features
  • Administering a Managed Company (MC)
  • Share Admin interactions with MSPs and MCs
  • MSP to MC Team Sharing

Was this helpful?

Export as PDF
  1. Keeper MSP

Getting Started

Quick start guide for Keeper MSP

PreviousFree TrialNextFundamentals

Last updated 1 year ago

Was this helpful?

Keeper has introduced a new Quick Start Checklist to help all business get up and running with the Keeper Admin Console. The steps outlined in this section specifically cover best practices for getting started as a Managed Service Provider (MSP).

Login to the KeeperMSP Administrative Console

Setting Up Your Administrators and Technicians

Click the Admin tab to set up your Keeper Administrators. Click Add Users and enter the name and email address of the user.

Creating Roles

Click on Roles tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies).

Once roles are defined, then you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes default "Keeper Administrator" and "MSP Subscription Manager" roles. The MSP Subscription Manager role gives access to the MSP Subscription tab for changing the billing method and allocating secure add-ons for MSP internal use.

Teams

If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.

Automated / Advanced Provisioning

Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles through several methods including:

  • Active Directory / LDAP (using the Keeper Bridge)

  • SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.

  • Email Provisioning

  • Command-Line or SDK integration

  • SCIM

The following advanced provisioning methods require an administrator account local to the MC. This is used to bind the service to the instance or in the case of Cloud SSO, it is needed to preform device approvals:

  • Keeper AD Bridge

  • On premises SSO Connect

  • Cloud SSO Connect

Be sure to use the localized admin account when registering the service as outlined in the installation documentation.

Adding a Managed Company (MC)

To add a new MC, click the Add Managed Company button and enter their name and select the managing node.

  • Choose a Base Plan and select any additional Secure-Add Ons you would like to add. You will be able to view what Secure-Add Ons are included in each Base Plan once you select it.

  • By default, "Allow unlimited license consumption" will be enabled. To override this, deselect the checkbox and enter the maximum licenses allowed.

Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.

Each Managed Company has their own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.

IMPORTANT: You should set up a local administrator at the MC after you create the company. This will serve as secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.

MSP Base Plans

Keeper provides multiple MSP base plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.

All plans include the following core features:

  • Encrypted Vault

  • Folders and Subfolders

  • Shared Team Folders

  • Unlimited Devices

  • Role-Based Access Controls

  • Security Audit

  • Activity Reporting

  • Team Management

  • Basic 2FA

  • 100 GB Secure File Storage

MSP Features

MSP technicians and employees are provided features and functionality as described below.

Administering a Managed Company (MC)

Keeper Administrators with "Manage Companies" permission can add, remove, and assign base-plans plus secure add-ons to their managed companies. These Keeper Administrators can also launch to the managed companies administrator consoles with full administrative permissions. This allows the MSP to set up the managed companies and optionally provision users, roles, and teams. User license allocation triggers consumption billing for the base plan and most secure add-on features.

Share Admin interactions with MSPs and MCs

Within an enterprise and within specific nodes, share admins have additional permissions that allow them to view, edit, share, and administer records and folders. General usage and configuration of Share Admins is documented here: Share Admin.

Share Admin rights and settings applies normally to managed companies. For MSPs, if an administrator has both 'Share Admin' permissions and the 'Manage Companies' permission, they will be Share Admins within the managed companies they have permissions over.

The default Keeper Administrator role has both Share Admin permissions and Manage companies permissions. Therefore, the default MSP admin account has Share Admin permissions on all MCs.

MSP to MC Team Sharing

MSPs and MCs can easily share records between each other without first needing to setup a sharing relationship. Additionally, Share Admins, teams and users are automatically suggested when adding share participants.

In the suggestions list when adding a new sharee to a record or folder, Share Admins will be suggested first, then users within your organization, then Teams and Users from Managed companies. If a user or team suggested is not from your organization, the organization name will also be displayed in the list.

If you're not logged in already, follow the links below to access the Keeper Admin Console: (US) (EU) (AU) (CA) (JP) (GOV)

(Or just open > Login > Admin Console)

Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role. More information about our encryption model can be found . Also, see for best practices regarding your configuration.

To learn more about provisioning, see the section of the Keeper Enterprise guide called .

Optional Secure Add-On features can be added to any existing base plan. Click to learn more.

To launch into the MC tenant, click the launch icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the for details on managing a Keeper Enterprise tenant.

https://keepersecurity.com/console
https://keepersecurity.eu/console
https://keepersecurity.com.au/console
https://keepersecurity.ca/console
https://keepersecurity.jp/console
https://govcloud.keepersecurity.us/console
KeeperSecurity.com
here
Recommended Security Settings
User and Team Provisioning
here
Keeper Enterprise Guide
Quick Start Checklist
Add MSP Technician Users
Roles
Create a Role
Set Enforcement Policies
Add Users to Role
Add Managing Node
Apply to Node
Define Administrative Permissions
Customize Permission Level
Add Team
Add User to Team
Add New Managed Company
Company Details and Base Plan Selection
Secure Add-On Selection
MSP Features
Launch MC Tenant
MC Tenant
Admin Permissions - Manage Companies (MSP) selected
MSP to MC Sharing