Getting Started
Quick start guide for Keeper MSP
Last updated
Was this helpful?
Enterprise Guide
Quick start guide for Keeper MSP
Last updated
Was this helpful?
Keeper has introduced a new Quick Start Checklist to help all business get up and running with the Keeper Admin Console. The steps outlined in this section specifically cover best practices for getting started as a Managed Service Provider (MSP).
Click the Admin tab to set up your Keeper Administrators. Click Add Users and enter the name and email address of the user.
Click on Roles tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies).
Once roles are defined, then you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes default "Keeper Administrator" and "MSP Subscription Manager" roles. The MSP Subscription Manager role gives access to the MSP Subscription tab for changing the billing method and allocating secure add-ons for MSP internal use.
Teams
If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.
Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles through several methods including:
Active Directory / LDAP (using the Keeper Bridge)
SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.
Email Provisioning
Command-Line or SDK integration
SCIM
The following advanced provisioning methods require an administrator account local to the MC. This is used to bind the service to the instance or in the case of Cloud SSO, it is needed to preform device approvals:
Keeper AD Bridge
On premises SSO Connect
Cloud SSO Connect
Be sure to use the localized admin account when registering the service as outlined in the installation documentation.
To add a new MC, click the Add Managed Company button and enter their name and select the managing node.
Choose a Base Plan and select any additional Secure-Add Ons you would like to add. You will be able to view what Secure-Add Ons are included in each Base Plan once you select it.
By default, "Allow unlimited license consumption" will be enabled. To override this, deselect the checkbox and enter the maximum licenses allowed.
Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.
Each Managed Company has their own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.
Keeper provides multiple MSP base plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.
All plans include the following core features:
Encrypted Vault
Folders and Subfolders
Shared Team Folders
Unlimited Devices
Role-Based Access Controls
Security Audit
Activity Reporting
Team Management
Basic 2FA
100 GB Secure File Storage
MSP technicians and employees are provided features and functionality as described below.
Keeper Administrators with "Manage Companies" permission can add, remove, and assign base-plans plus secure add-ons to their managed companies. These Keeper Administrators can also launch to the managed companies administrator consoles with full administrative permissions. This allows the MSP to set up the managed companies and optionally provision users, roles, and teams. User license allocation triggers consumption billing for the base plan and most secure add-on features.
Within an enterprise and within specific nodes, share admins have additional permissions that allow them to view, edit, share, and administer records and folders. General usage and configuration of Share Admins is documented here: Share Admin.
Share Admin rights and settings applies normally to managed companies. For MSPs, if an administrator has both 'Share Admin' permissions and the 'Manage Companies' permission, they will be Share Admins within the managed companies they have permissions over.
MSPs and MCs can easily share records between each other without first needing to setup a sharing relationship. Additionally, Share Admins, teams and users are automatically suggested when adding share participants.
In the suggestions list when adding a new sharee to a record or folder, Share Admins will be suggested first, then users within your organization, then Teams and Users from Managed companies. If a user or team suggested is not from your organization, the organization name will also be displayed in the list.
If you're not logged in already, follow the links below to access the Keeper Admin Console: (US) (EU) (AU) (CA) (JP) (GOV)
(Or just open > Login > Admin Console)
Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role. More information about our encryption model can be found . Also, see for best practices regarding your configuration.
To learn more about provisioning, see the section of the Keeper Enterprise guide called .
Optional Secure Add-On features can be added to any existing base plan. Click to learn more.
To launch into the MC tenant, click the launch icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the for details on managing a Keeper Enterprise tenant.
