© 2025 Keeper Security, Inc.

Onboarding

Keeper MSP Onboarding Process


Last updated 1 month ago


White Glove Provisioning

The following section covers the creation of a managed company that will be managed by the MSP, as opposed to handing off the instance to the client for future administration and management.

Schema Design

It's best to start a design by looking at your overall customer base across all accounts and extracting as much commonality as possible. We are looking for common requirements across all MCs. The closer all the MCs are to each other, the easier they will be to administer as a whole. Our goal is to create a templated procedure which can be re-used for future MCs.

In the table below, we can use a role named "Vault Transfer Required" across all the MCs. At first look, one might be tempted to create a role named "2FA" to handle each MC's different 2FA requirement. However, this naming is ambiguous, as Keeper has over a dozen 2FA options. For long-term platform management, it's best to name roles for the exact setting(s) they enforce. Our goal is consistent role naming and results across all MCs.

Roles are all about platform administration, so they will have a lot of commonality across MCs. On the other hand, due to varying business requirements, Teams and Shared Folders tend to be MC-specific. In the table below, we would create one shared folder for each Team present in a given MC. Unlike the table, try to use a common naming convention across all MCs. Resist creating an "AP" team in one MC and an "Accounts Payable" team in another.

| MC  | Roles                                                              | Teams                | Shares          |
|-----|--------------------------------------------------------------------|----------------------|-----------------|
| MC1 | Vault Transfer Required; 2FA Required; Master Password Complexity  | IT; HR; AP           | Share per team  |
| MC2 | Vault Transfer Required; 2FA Optional; No mobile device access     | Accounts Payable; AP | Share per team  |
| MC3 | Vault Transfer Required; Office access only                        | N/A                  | Sales; IT; AP   |

Create a New Managed Company

From the console interface, create a new managed company, decide on a provisioning method and create any desired roles and teams.

Additionally, create any desired MC customizations, including a corporate logo and/or customized email invitations.

Nodes & Provisioning Methodology

Once the MC has been created, a provisioning method needs to be chosen, as this will affect the node structure. If Single Sign-On or Advanced Provisioning will be utilized, a node needs to be added to host the provisioning method. For our example, we will use basic master password access and manual provisioning, so no additional nodes will be required.

Note: On-Prem SSO Connect & AD Bridge require an administrator account within the managed company to bind the service. When setting up one of the aforementioned services, the administrator's email tells the service which instance to bind to.

Create Roles

Create all desired Roles within the admin console. Roles are stackable, i.e., users can belong to multiple roles and will receive the least permissive outcome of the summed roles. Keeper recommends naming your roles for the function they provide, as opposed to a business unit or geographic location. If a role enforces vault transfer, name it "Vault Transfer".

MSP administrative Vault Transfer passthrough

If configured correctly, the platform can allow members of the top-level MSP default "Keeper Administrator" role to perform vault transfers for a managed company without the need for a unique administrator account within the managed company. The administrative Vault Transfer passthrough is enabled as follows:

  1. Enable the "Transfer Account" option within the "Administrative Permissions" for the default top level "Keeper Administrator" role.

  2. Perform the same operation for the default "Keeper Administrator" role within the managed company.

  3. Within the managed company's user account transfer role, select "Keeper Administrator" as the "Eligible Role".

If the client managed company wishes to restrict the vault transfer ability to only certain members of their organization and prevent the MSP from performing the action, create and use a role other than the default "Keeper Administrator" as the "Eligible Role". The MSP passthrough will only work with the default administrator roles provided by Keeper. To set up local transfer rights only:

  1. Create a new role within the managed company.

  2. Enable the "Transfer Account" option within the "Administrative Permissions" of the new role.

  3. Use the new role as the "Eligible Role" for the "user" role where account transfer will be enabled.

Any roles with the "Set as Default Role for Node and Sub Nodes" option enabled will be automatically assigned to all new users. Users can also be indirectly added to roles via team memberships, as roles can contain both users and teams.

For small companies, often only two roles are required: an administrative role for platform administration and a second for the general user base. Keeper recommends enabling the following minimum "role enforcement" policies:

"Keeper Administrator" Role (predefined)

| Setting Group    | Setting                    | Value                    |
|------------------|----------------------------|--------------------------|
| Login Settings   | Length                     | Minimum 12 characters    |
| Login Settings   | Expire                     | 90 days                  |
| Two-Factor       | Require use of two factor  | On                       |
| Two-Factor       | All Platforms              | Require code every login |
| Account Settings | Disable Stay Logged In     | On                       |
| Account Settings | Logout Timers (all)        | 10 Minutes               |
| Account Settings | Allow IP List              | See note below           |
| Transfer Account | Enable Account Transfer    | On                       |

Note: Administrative access can be restricted to the MC's public-facing egress IP addresses by creating an "Allow IP List". This will require an administrator to be on the MC's LAN or VPN to administer the platform.

"Default" user role

| Setting Group       | Setting                           | Value                 |
|---------------------|-----------------------------------|-----------------------|
| Login Settings      | Length                            | Minimum 10 characters |
| Login Settings      | Expire                            | 90 days               |
| Two-Factor          | Require use of two factor         | See note below        |
| Two-Factor          | All Platforms                     | See note below        |
| Sharing & Uploading | Prevent sharing outside Enterprise | On                   |
| Sharing & Uploading | Prevent exporting of records      | On                    |
| Account Settings    | Prevent users from changing email | On                    |
| Account Settings    | Disable Stay Logged In            | On                    |
| Account Settings    | Logout Timers (all)               | 15 to 90 Minutes      |
| Transfer Account    | Enable Account Transfer           | On                    |
| Transfer Account    | Eligible role                     | Keeper Administrator  |

Generally, two-factor is configured for master password based authentication. Try to encourage your clients to adopt the "Require code at every login" policy setting, especially for mobile devices. "Require code at every 30 days" is often used for desktop clients. If using SSO authentication with two-factor enabled at the IdP, two-factor can be off or unconfigured in Keeper. By default, users can still opt to set up and use two-factor unless all the "available" methods are explicitly disabled within the enforcement policy.
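As an added example that is not from this page or Keeper's own code, the Python model below shows how the "least permissive outcome" rule for stacked roles plays out for the two recommended roles above. The per-setting combination rules and the 30-minute default-role logout timer (chosen from the 15 to 90 minute range) are assumptions.

```python
# Added illustrative model (not Keeper's code): a user in several roles
# receives the least permissive outcome of each enforcement setting.
# Values come from this page's two recommended role tables; the per-setting
# combination rules and the 30-minute default logout timer are assumptions.
from typing import Any, Dict

# "max": the larger value wins (minimum lengths); "min": the smaller wins
# (expiry, timers); "any": once any role switches it on, it stays on.
COMBINE = {
    "min_password_length": "max",
    "password_expiry_days": "min",
    "require_2fa": "any",
    "logout_timer_minutes": "min",
    "disable_stay_logged_in": "any",
    "prevent_external_sharing": "any",
    "prevent_export": "any",
    "prevent_email_change": "any",
}

KEEPER_ADMINISTRATOR = {  # predefined admin role, per the first table
    "min_password_length": 12, "password_expiry_days": 90,
    "require_2fa": True, "logout_timer_minutes": 10,
    "disable_stay_logged_in": True,
}
DEFAULT_USER = {  # general user role, per the second table (2FA left unset)
    "min_password_length": 10, "password_expiry_days": 90,
    "logout_timer_minutes": 30, "disable_stay_logged_in": True,
    "prevent_external_sharing": True, "prevent_export": True,
    "prevent_email_change": True,
}

def effective_policy(*roles: Dict[str, Any]) -> Dict[str, Any]:
    """Resolve stacked roles setting by setting; unset settings are skipped."""
    result: Dict[str, Any] = {}
    for role in roles:
        for setting, value in role.items():
            if setting not in result:
                result[setting] = value
            elif COMBINE[setting] == "max":
                result[setting] = max(result[setting], value)
            elif COMBINE[setting] == "min":
                result[setting] = min(result[setting], value)
            else:  # "any"
                result[setting] = result[setting] or value
    return result

if __name__ == "__main__":
    # An MC administrator who also sits in the default user role.
    print(effective_policy(DEFAULT_USER, KEEPER_ADMINISTRATOR))
```

An administrator who also holds the default role therefore ends up with the 12-character minimum, the 10-minute logout timer and required 2FA, while keeping the sharing and export restrictions of the default role.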

By default, user invitations are sent upon account creation. If you wish to suppress the invitations until a later date, perform the following steps:

  1. Within the MC, create a new role. For this example, we name the role "Suppress Email Invitations".

  2. Open the role's "Enforcement Policies" dialog.

  3. Select "Account Settings".

  4. Enable the "Disable email invitations" option and click "done".

  5. Check / enable the "Set as Default Role for Node and Sub Nodes" option. This ensures the role will be applied to the user upon first login.

Create Teams

Create all desired Teams. Teams offer the ability to group users for sharing and for applying additional sharing options. If using SCIM provisioning, you can indirectly add users to roles via team-to-role assignments.

  1. Add any applicable role mappings as needed.

Pre-Deploy Keeper Applications and Extensions

Prior to onboarding users, you may wish to distribute some of Keeper's browser extensions, desktop and mobile apps. Details on centralized software distribution methods are covered here.

Configure Reporting & Alerts for "Plus" MC's

Managed Companies with a "plus" license type have access to Keeper's Advanced Reporting and Alerts module. SIEM log forwarding, alerts and custom reports should be created as needed. Please see: Best Practices.

Onboard Users

Keeper offers several options for onboarding users. Multiple methods can be used in parallel.

  • Manual entry via the admin console

  • CSV import via the admin console

  • Active Directory provisioning via Keeper's AD Bridge agent

  • Just In Time (JIT) provisioning via Keeper's Cloud SSO Connect or SSO Connect On-Prem

  • SCIM provisioning via an IdP

  • SCIM provisioning via API

  • Email provisioning via domain entry

  • Advanced automated provisioning via Keeper Commander's API / CLI interface

Account Recovery

Due to Keeper's zero-knowledge architecture, additional configuration may be required for account recovery. If SSO is in use, the administrator can perform an end-user password reset via the IdP's user management interface. Master Password-based users do not have this option, so extra steps are required to ensure recovery is possible if needed. The first option for Master Password-based users is self-service recovery using a recovery phrase. A recovery phrase is a simple, auto-generated set of 24 words that was configured when setting up the vault. If the user has forgotten their recovery phrase, and the vault transfer policy has been configured by the administrator and accepted by the end user, you can use the vault transfer feature to recover the vault.

Details on setting up vault transfer are available here: Account Transfer Policy.

Configure Logging and Custom Reporting & Alerts

Keeper's Advanced Reporting and Alerts Module (ARAM) is available to managed companies with a "plus" license type. SIEM and Syslog forwarding configurations are covered here: Reporting & Alerts (SIEM). Best practice and example reports and alerts are covered here: MSP Best Practice Reports and Alerts.