1 of 100

Enterprise Guide

Getting Started

Keeper is the leading cybersecurity platform for preventing password-related data breaches and cyberthreats.

Congratulations on your decision to deploy Keeper to protect your organization. This guide will provide valuable information on how to onboard your users, deploy the application to end-user devices and manage the platform.

Platform Overview

Keeper's platform provides the following high level capabilities:

Password & Passkey Management
Privileged Access Management
Endpoint Privilege Management
Secrets Management
Zero-Trust Network Access
Secure Vendor Access
OT Security
Connection Management
Remote Browser Isolation
Admin Console
Control Plane

About this Guide

This Keeper Enterprise guide covers the deployment of the core password management platform to your users. Additional guides and documentation of advanced privileged access capabilities are covered in later sections.

Keeper’s platform:

Provides each employee with a secure, encrypted digital vault in which to store their passwords, passkeys, files and other sensitive data. Employees can access their vault from any device and from all web browsers, automatically generate unique, complex passwords for all their accounts, and automatically fill their login credentials into all of their sites and apps.
Provides IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, two-factor authentication (2FA), role-based access control (RBAC), and other security policies.
Provides DevOps and engineering teams with a fully managed cloud-based, zero-knowledge Secrets Management platform for securing infrastructure secrets such as privileged accounts, API keys, database passwords, access keys, certificates and any type of confidential data.
Provides modern privilege access through connection management, OT security, secure vendor access, zero-trust network access and remote browser isolation with session management, monitoring and recording.

A brief platform demo can be viewed below:

Start Your Trial

Creating a trial of Keeper Business and MSP

Keeper Security provides customers with a fully functional trial version that provides all of the capabilities available in the Keeper platform including:

Password Management
Secrets Management
Privileged Access Management

(1) To create your Keeper Enterprise or KeeperMSP Trial version, visit this page: https://keepersecurity.com/password-manager-free-trial-sign-up.html ... or click on "Try it Free" from our homepage at: https://keepersecurity.com

(2) Select Business or MSP version

(3) Fill out the form using your Business email address, and click Start Free Trial.

(4) On the next screen, you'll create your account (or if you're using an existing Keeper personal email address, you can select "Use an Existing Account").

Important: At this step, please ensure that you select your desired Geographic Data Center location.

Signup for US, EU, AU, CA, JP data center locations are available.
US GovCloud (FedRAMP Compliant) region is available on request.

The choices available are US, EU, AU, CA, JP. Contact us for GovCloud public sector signup.

If you select the wrong data center region, please contact support to delete your trial and start over.

(5) Select your Administrator account Master Password.

Ensure you select a strong Master Password that is only used for managing Keeper. If you forget your Master Password, Keeper support cannot perform a password reset due to our Zero Knowledge architecture. We recommend activating Account Recovery (via a recovery phrase) after logging in and visiting the Settings screen.

(6) After verifying your email address and selecting a Master Password, you will be logged into the Keeper Admin Console. Click on "Admin" to add users and begin your configuration.

(7) Click on "Add Users" to invite other users for your trial, or to set up additional admin accounts. Users who are manually invited will login with a self-selected Master Password.

(8) Proceed through this Enterprise Guide to learn about best practices for deploying Keeper, Single Sign On ("SSO") integration, Role enforcement policies, Teams, Advanced Administration and other important topics.

Resources

Resources for getting started with Keeper Business and Enterprise edition

Just getting started with Keeper?

The following links will get you up and running with Keeper.

Keeper for Teams and Small Business
Keeper Enterprise

Keeper for Teams and Small Business Keeper Enterprise Deploying Keeper to End-Users Keeper MSP

Prefer to talk to someone?

Get a demo

To schedule a demo or watch an on-demand demonstration of the Keeper platform, visit: https://keepersecurity.com/schedule-demo.html

Contact enterprise sales

Contact our sales team: https://keepersecurity.com/contact.html?t=b&r=sales or email [email protected].

Government or Public Sector sales

Keeper Security Government Cloud (KSGC) is a FedRAMP Authorized environment that protects your agency against ransomware and cyberthreats with zero-trust cybersecurity.

https://www.keepersecurity.com/industries/public-sector.html

Contact our public sector team at [email protected].

Enterprise support

If you are an existing customer and need help, contact enterprise support: https://keepersecurity.com/support.html

White Papers, Use Case Docs and Other Industry Resources

The resource portal of our website provides several white papers and product data sheets: https://keepersecurity.com/resources.html

End-User Guides

The end-user guides are available for our desktop, web and mobile applications: https://docs.keeper.io/user-guides/

Encryption & Security Model

If you're a security guru, we recommend taking a look at our encryption model.

Release Notes

Check out the latest release notes and updates across all platforms. https://docs.keeper.io/release-notes/

Implementation Overview

High level steps for successful rollout of Keeper Enterprise

For the most successful rollout of Keeper Enterprise, follow the steps below.

Create Enterprise Trial

If you haven't already, create a from our website or by . Be sure to allocate the necessary number of total users you expect to onboard.

Managed Service Provider (MSP) customers: Please sign up for the product trial. Keeper MSP is a specialized version of the Keeper Enterprise product. To jump to the Keeper MSP guide, .

After creating your trial, login to the Admin Console and go through the onboarding.

Schedule Training

Schedule a demo/training session by contacting the or team. Keeper provides 1:1 admin training, end-user training, webinars and implementation support.

Provision to Users

Setup and configure your provisioning and authentication methods as described in the section of this document. You can choose from many different provisioning methods such as:

Manual provisioning through the Keeper Admin Console
Active Directory provisioning with the Keeper Bridge service
Single Sign-On (SAML 2.0) with Just-In-Time (JIT) provisioning
SCIM automated provisioning
Email provisioning
Keeper Commander API / SDK provisioning

if you require assistance in configuring your environment.

Notify Users

Inform your users, stakeholders, DevOps and IT Admin teams that you have partnered with Keeper Security, the leading cybersecurity platform for preventing password-related data breaches and cyberthreats to implement a simple, employee-friendly password management application.

Deploy the Vault

Deploy the web vault, browser extensions and desktop application as described in our or direct your users to install Keeper from our .

The Web Vault is available to Enterprise users at the URLs below:

US Data Center:

US Public Sector / GovCloud:

EU Data Center: AU Data Center: CA Data Center:

JP Data Center:

Upon first login, the user is walked through a simple onboarding experience.

Attend Training Sessions

Users are invited to join a training session via Google Meet or the customer's preferred meeting platform. This training invite can be contained within the email invitation body content, or sent separately by the Admin to their users. Contact your Customer Success manager at [email protected] to start training your team.

Monitor Usage

The Keeper Admin can monitor the usage of users via the , and also configure realtime web-hook alerts to . Installing is also helpful for running automated reports.

Disable Built-In Password Manager

We recommend that the Keeper Admin notifies users regarding the timeline in which built-in password manager saving will be disabled by GPO.

After the specified amount of time, the Keeper Admin should disable legacy built-in browser password managers, thus requiring and enforcing the use of Keeper on the browser.

about how to disable the built-in password manager.

Require Usage of Keeper

It's critical that all employees use Keeper to manage their passwords and to prevent sharing of information over insecure channels. Update your password policies and employee onboarding processes to ensure that Keeper is utilized. Sharing new employee onboarding records to the user's vault is a great way to encourage them to login and start using the platform. Your customer success manager can also assist you with strategies.

Protect Infrastructure

Once the Enterprise Password Manager has been deployed to all of your employees, reach out to your security, compliance and engineering teams to review the privileged access capabilities that Keeper offers.

KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and an cloud-based access control plane in one unified product.

about the advanced capabilities of KeeperPAM.

Domain Reservation

Reserve the use of domains for privacy and security

About Domain Reservation

Keeper's Cloud architecture is Zero Knowledge (more information about our security model is here).

For security reasons, Keeper's Enterprise tenants are restricted to inviting and creating end-user accounts within reserved email domains. When you sign up for a Keeper Business or Enterprise account, we recommend that you use a business email domain, e.g. mycompany.com.

If you sign up for the Enterprise account using @mycompany.com for your email address, this domain will be reserved to your tenant.

Keeper's architecture requires a domain to be reserved before it can be used by the Enterprise. This serves several purposes:

Ensures that end-users cannot create "rogue" accounts without being explicitly invited or provisioned by the Enterprise Admin.
Reduces administrative burden in locating free or personal accounts associated with a domain
Prevents a malicious actor from creating a Keeper account with a domain reserved by an Enterprise customer.

If you require additional email domains (e.g. us.company1.com and eu.company2.com), please open a support ticket with the Keeper team and we will assist you in reserving the domain. Alternatively, the new supports domain reservation through realtime DNS validation.

Reserve your Domains

If you own a set of domains that your users will use for logging in, be sure to contact your Keeper account manager to request domain reservation for all of your domains. We can lock the domains to your preferred region to ensure that users don't sign up in the wrong geographic data center.

Personal Domains

Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com which cannot be reserved and allow the general public to create Keeper accounts with those domains, with a verified email.

If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.

Domain Aliases

Organizations have the option to add a “corporate alias” to their account. For example, in situations where an organization domain change occurs, our team can easily transition your users to the new domain without any interruption in service. Please contact Keeper's support team to add a domain alias to your account.

Domain Reservation and Just-In-Time provisioning

If you are using Keeper SSO Connect Cloud or Keeper SSO Connect On-Prem, you can enable Just-In-Time Provisioning. If Just-In-Time provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices including Web Vault, Desktop App, Browser Extensions, iOS and Android apps.

If you would like to ensure that new users who access the vault are automatically routed to your SSO based on the email domain, please contact support and we will assist in setting up the routing.

Domain Routing

Customers who attempt to login or provision accounts from a different region may or may not automatically get routed to the proper region where their tenant is hosted. If the routing is not occurring, please open a support ticket.

Launch on Start Up

You can launch the Keeper Password Manager automatically when you start your computer.

Windows

To set Keeper Password Manager app to launch at start up, go to Start > Run and type shell:startup

Your startup folder will be shown. Place a shortcut Keeper Desktop into this folder. Now Keeper will launch automatically on startup.

Mac

From Settings, go to General > Login Items

Click the Plus (+), go to Applications, and select Keeper Password Manager

Now Keeper will launch when you start your mac.

Forcefield

Deploying the Forcefield endpoint protection software to users

The installation of the standalone version of Keeper Forcefield is available through an MSI installer based on the architecture.

x86/64-bit

ARM/64-bit

Automatic Deployment

Business customers can install the MSI on end-user machines using your preferred deployment method, whether it’s Intune, an RMM tool, or Group Policy. Each solution supports silent installation of MSI packages and can push the software to your target devices automatically. Just follow your standard process for deploying software across your environment.

Silent Installation / Uninstallation

Install:

Uninstall:

To log installation or uninstallation:

Browser Extension (KeeperFill)

KeeperFill makes it easy to login, save passwords and access your vault on web browsers.

Overview

The KeeperFill browser extension can be installed directly by the user or pushed to users by the Keeper administrator.

Direct Install from App Stores

The latest KeeperFill Browser Extension can be installed by users at the links below, or by visiting the Keeper download page. Chrome, Brave, Opera and other Chromium-based Browsers: https://chrome.google.com/webstore/detail/keeper%C2%AE-password-manager/bfogiafebfohielmmehodmfbbebbbpei Firefox: https://addons.mozilla.org/en-US/firefox/addon/keeper-password-manager/ Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/keeper%C2%AE-password-manager-/lfochlioelphaglamdcakfjemolpichk

Safari: https://apps.apple.com/us/app/keeper-for-safari/id6444685332

Admin Deployment

Chrome, Edge and Firefox deployment guides are linked below:

Automatically install apps and extensions on Chrome (Google)
Manage Microsoft Edge extensions in the enterprise (Microsoft)
Deploying Firefox with Extensions (Mozilla)

Deployment with MDM Platforms

For environments where devices are managed through platforms such as Microsoft Intune or Jamf.

Mac
Linux
- JSON Policy Deployment - Chrome
Windows

Offline / Direct Downloads

If your group policy does not support installation of extensions, your SCCM administrator may be able to use the below links to push the extensions or directly:

Microsoft Edge and Chrome: chrome.zip
Firefox: firefox.xpi

Direct package install is not recommended for most environments. Using app store management portals such as Google Admin are preferred.

End-User Guides

User guides are available for every web browser at the links below:

Mac

Deploying KeeperFill to macOS devices using device management platforms

MDM Deployment for macOS

Follow these steps to deploy KeeperFill to all Mac devices in your organization using your preferred device management platform.

To set up KeeperFill on Mac, you create configuration files in MCX Property List (.plist) format. When you deploy the configuration files to the device using your preferred mobile device management (MDM) tool, the settings are applied.

These procedures are a General Guide and assume that you have already deployed the Chrome Browser within your organization.

Overview of steps

Use your preferred editor to create the Keeper .plist policy file.
Set up KeeperFill browser extensions.
Push the configuration files to all macOS devices in your organization using your preferred mobile device management (MDM) tool.

PLIST (.plist) Policy Deployment

Deploying KeeperFill to Chrome via PLIST Policy

Deploying Keeper Chrome Browser Extension via PLIST Policy

Create a Keeper plist policy configuration file

If you currently do not have a Policy file created, please proceed to creating your Keeper plist policy file to your desired location, Ex: /tmp and name it com.google.Chrome.plist by selecting GO on the top Menu Bar of you MacOS Desktop and select Terminal to open a Terminal Console.

Copy and paste the contents below, into your Terminal, and hit Enter / Return. This will create your plist file within the /tmp directory and display that the file is there.

In your preferred file editor or basic file editor, copy, paste and save the contents, below, into the com.google.Chrome.plist file.

Deploying your PLIST Policy

There are multiple tools to deploy your PLIST policy. In the next set on instructions, we will walk through deploying your PLIST policy file via Jamf Pro, AirWatch and Microsoft Intune.

Jamf Pro Policy Deployment - Chrome

Deploying Custom Configuration Profiles using Jamf Pro

Deploying Google Chrome PLIST (.plist) Policy using Jamf Pro

This is a general overview of how to deploy Google Chrome's .plist configuration profile, to computers within your organization, using Jamf Pro.

Upload Created PLIST File

Upload the manually created Google Chrome PLIST file that defines the properties for the preference domain you specify in Jamf Pro.

Log in to Jamf Pro.
Click Computers at the top of the page.
Click Configuration Profiles.
Click New.
Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.
Click the Application & Custom Settings payload, and then click Upload.
Click Add.
Enter com.google.Chrome in the Preference Domain field.
To upload the custom PLIST file choose Upload File, enter the preference domain for which you want to set properties. Click Upload PLIST File, and then choose the com.google.Chrome.plist file previously created.

Note: If the PLIST file contains formatting errors, follow the PLIST (.plist) Policy Deployment instructions to remediate the issue.

10. Click the Scope tab, and then configure the scope of the configuration profile. 11. Click Save.

Microsoft Intune Policy Deployment - Chrome

Deploying Custom Configuration Profiles using Microsoft Intune

Deploying Google Chrome PLIST (.plist) Policy using Microsoft Intune

This is a general overview of how to deploy Google Chrome .plist configuration profile, to computers within your organization, using Microsoft Intune.

Create the Google Chrome profile

Sign in to the .
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
- Platform: Select macOS
- Profile: Select Preference file.
Select Create.

5. In Basics, enter the following properties:

Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Add preference file that configures Google Chrome on devices.
Description: Enter a description for the policy. This setting is optional, but recommended.

6. Select Next.

7. In Configuration settings, configure your settings:

Preference domain name: Enter the bundle ID as com.google.Chrome
Property list file: Select the property list file associated with your app. Be sure to choose the com.google.Chrome.plist file previously created.

The key information in the property list file is shown. If you need to change the key information, open the list file in another editor, and then re-upload the file in Intune.

Note: Be sure your file is formatted correctly. The file should only have key value pairs, and shouldn't be wrapped in <dict>, <plist>, or <xml> tags. If the PLIST file contains formatting errors, follow the instructions to remediate the issue.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-IL IT Team or Chicago_ITDepartment. For more information about scope tags, see .

10. Select Next.

11. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see .

12. Select Next.

13. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Assign the Google Chrome profile

Select Devices > Configuration profiles. All the profiles are listed.
Select the profile you want to assign > Properties > Assignments > Edit:
Select Included groups or Excluded groups, and then choose Select groups to include. When you select your groups, you're choosing an Azure AD group. To select multiple groups, hold down the Ctrl key, and select your groups.
Select Review + Save. This step doesn't assign your profile.
Select Save. When you save, your profile is assigned. Your groups will receive your profile settings when the devices check in with the Intune service.

Use scope tags or applicability rules

When you create or update a profile, you can also add scope tags and applicability rules to the profile.

Scope tags are a great way to filter profiles to specific groups, such as US-IL IT Team or Chicago_ITDepartment. For more information about scope tags, see .

Linux

Deploying KeeperFill to Linux devices using device management platforms

Set up KeeperFill on Linux

Follow these steps to deploy KeeperFill to all Linux devices in your organization using your preferred deployment tool or script.

To set up KeeperFill on Linux, you create configuration files in JavaScript Object Notation (.json) format.

These procedures are a General Guide and assume that you have already deployed the Chrome Browser within your organization.

Overview of steps

Use your preferred editor to create the Keeper JSON policy file.
Set up KeeperFill browser extensions.
Push the configuration files to all Linux PCs in your organization using your preferred deployment tool or script.

JSON Policy Deployment - Chrome

Deploying KeeperFill via JSON Policy

Deploying Keeper Chrome Browser Extension via JSON Policies

Step 1: Create a Keeper JSON policy configuration file

If you currently do not have JSON Policy files created in which you want to utilize to deploy the Keeper Browser extension to all PCs in your organization, please proceed to creating your Keeper JSON policy file to your desired location, Ex: /tmp, and name it keeperbe.json

OR create your keeperbe.json file via command-line

2. In your preferred JSON file editor or basic file editor, copy, paste and save the contents, below, into the keeperbe.json file or the policy file in which you currently utilize for your organization.

Step 2: Setup configuration folders

If you currently have configuration folders setup for the user PCs in your organization, proceed to Step 3: Deploying the Keeper JSON Policy File.

On each PC, in your organization, that you would like to apply this policy on, you’ll need at least one folder to apply this policy.

If it does not already exist, create the directory structure, verbatim, as follows; /etc/opt/chrome/policies/managedand set the proper permissions for that directory.

OR create your directory structure via command-line

The creation of this directory will most likely NOT be in the same directory as where Chrome is installed on the target Linux devices. Ex: My Chrome installed directory is /opt/google/chrome but my managed policy directory, in which my organization manages my Chrome install, is in the /etc/opt/chrome/policies/managed directory.

Step 3: Deploying the Keeper JSON Policy File

Use your preferred method (utility or script) to push the keeperbe.json policy file and Chrome Browser to the target Linux devices in your organization.

Push the keeperbe.json file to the /etc/opt/chrome/policies/managed directory on all target Linux devices in your network.
Confirm that the files are in the correct directories on all the target Linux devices.

Step 4: Check Your Chrome Policies

On a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied.

You may need to select "Reload Policies" to apply this new policy to the target Linux devices.

You may need to close and reopen Google Chrome before the new policies appear.

Windows

Deploying KeeperFill to Windows devices using device management platforms

There are many options to deploy the Keeper Browser Extension (KeeperFill) to browsers on Windows machines including Group Policy, SCCM and Intune.

Sample reference guides are linked below:

Group Policy Deployment - Chrome
Group Policy Deployment - Firefox
Group Policy Deployment - Edge
SCCM Deployment - Chrome
Intune - Edge
Intune - Chrome
Edge Settings Policy
Chrome Settings Policy

Intune - Chrome

Deploy the Keeper browser extension to Google Chrome using Microsoft Intune

Overview

These step by step instructions allow you to deploy the Keeper Chrome extension to users through Intune.

(1) Go to the ()

(2) In the portal, navigate to Devices > Configuration.

(3) Select Manage Devices > Configuration

(4) On the Policies tab, click Create > New Policy.

(5) Under Platform, select Windows 10 and later.

(6) Under Profile Type, choose Settings Catalog, then click Create.

(7) Enter a Name for the configuration profile and an optional Description, then click Next.

(8) In the Configuration Settings tab, select + Add settings.

(9) Search for "Google Chrome", then select "Google Chrome Extensions" and then select "Configure the list of force-installed apps and extensions" below. Then select Next to continue.

(10) In the "Configuration Settings" tab, enable the "Configure the list of force-installed apps and extensions" option then paste the following on one line:

(11) Review the Scope tags and Assignments settings tabs to assign the appropriate groups, then click Create to finalize. Ensure that "All Users" or specific groups are assigned.

(12) Navigate back to “Devices | Configuration” > Hit Refresh

(13) Your newly created policy will appear

The policy is now active. If a plan member has not yet enrolled with Intune, they will be prompted to do so upon signing in to a managed device. Once enrolled, the Keeper browser extension will be installed automatically.

Pinning the Extension

To pin the Chrome extension on the user's browser:

(1) Click on the policy you created under Devices | Configuration

(2) Under the "Configuration settings" select "Edit"

(3) Click + Add setting then search for "Google Chrome" settings and select "Google Chrome Extensions" then select "Extension management settings" in the subcategory below.

(4) After selecting this option, close the window and under the "Configuration settings" tab, activate the setting "Configure extension management settings" and paste the below JSON into the box:

(5) Select "Review + Save" and save the settings.

Intune - Edge

Deploy the Keeper browser extension to Microsoft Edge using Microsoft Intune

Overview

These step by step instructions allow you to deploy the Keeper Microsoft Edge extension to users through Intune.

(1) Go to the ()

(2) In the portal, navigate to Devices > Configuration.

(3) Select Manage Devices > Configuration

(4) On the Policies tab, click Create > New Policy.

(5) Under Platform, select Windows 10 and later.

(6) Under Profile Type, choose Settings catalog, then click Create.

(7) Enter a Name for the configuration profile and an optional Description, then click Next.

(8) In the Configuration Settings tab, select + Add settings.

(9) Search for "Microsoft Edge\Extensions", then select "Control with extensions are installed silently" and select Next.

(10) In the "Configuration Settings" tab, enable the "Control with extensions are installed silently" option then paste the following on one line:

(11) Review the Scope tags and Assignments settings tabs to assign the appropriate groups, then click Create to finalize. Ensure that "All Users" or specific groups are assigned.

(12) Navigate back to “Devices | Configuration” > Hit Refresh

(13) Your newly created policy will appear

Pinning the Extension

To pin the Edge extension on the user's browser:

(1) Click on the policy you created under Devices | Configuration

(2) Under the "Configuration settings" select "Edit"

(3) Click + Add setting then select "Configure extension management settings" under the Microsoft Edge\Extensions picker.

(5) Select "Review + Save" and save the settings.

SCCM Deployment - Chrome

This page describes how to deploy the Keeper Browser Extension with SCCM

Deploying Keeper Chrome Browser Extension via SCCM

This is a general guide in which describes how to utilize SCCM, against Google Chrome templates, to deploy the Keeper Browser extension to all desired PCs in your organization.

Step 1: Configuration Item

Create a new Configuration Item. This can be done within the Configuration Manager console, in the Assets and Compliance work space. Give it a suitable name, like Keeper Browser Extension, and click Next.

Step 2: Platform Selection

Select the appropriate platforms in which this Configuration will apply to and click Next.

Step 3: Create New Settings Configuration

Create a new settings configuration by clicking New.

Configure the new settings, as shown below, and click OK.

Name: ExtensionInstallForcelist
Description: Keeper Browser Extension
Key Name: Software\Policies\Google\Chrome\ExtensionInstallForcelist
Value Name: 1 This number is unique. Are you planning on adding other extensions this way, these should be added as 1, 2, 3 and so forth

Step 4: Create New Compliance Rule

Now click on the "Compliance Rules" tab and click on New.

Configure the new compliance rules, as shown below, and click OK.

Name: Keeper Security Extension Compliance Rule
Description: Keeper Browser
Within the "the following values:" field, add the value "bfogiafebfohielmmehodmfbbebbbpei;" without the quotes.
Tick ON Remediate noncompliant rules when supported and Report noncompliance if this setting instance is not found

Click OK to create the new compliance rule.

Click Close to finish the new configuration item wizard.

Step 5: Configuration Baseline

In order to deploy this Configuration item, you need a baseline unless you have an existing baseline you would rather use.

If you have an existing baseline you would rather use, proceed to ?.

Create a new Configuration Baseline in the Configuration Manager console, in the Asset and Compliance work space. Give it a suitable name and click Add > Configuration Item.

Add your newly created Keeper Browser Extension Configuration Item, shown within the Available Configuration Items pane and click OK.

Finish creating the new Configuration Baseline by clicking on OK.

Step 6: Deployment

Finally!!!! The Configuration Baseline containing the Keeper Browser Extension Configuration Item needs to be deployed. When deploying a baseline, remember to tick ON the Remediate noncompliant rules when supported. Also, consider how often the compliance should be evaluated. For ex: Group policies updates, by default, every 90 minutes. If this is replacing a GPO, consider to lower the policies update interval. Click OK to complete the configuration baseline.

Step 7: End user experience

Once the SCCM client has updated its policies, per device, and the Configuration Baseline has run, on a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.

You can also check your extension by navigating to chrome://extensions and ensuring your extensions are being forcefully installed.

Edge Settings Policy

Configuration settings for Edge Browser Extension

The behavior and settings of the Microsoft Edge extension can be customized through the ExtensionSettings policy on Microsoft Windows devices.

Please see the below link to learn about the various settings can be applied:

Chrome Settings Policy

Configuration settings for Chrome Browser Extension

The behavior and settings of the Chrome extension can be customized through the ExtensionSettings policy on Windows, Mac and Linux.

Please see the below link to learn about the various settings can be applied:

Virtual Machine Persistence

Persisting KeeperFill settings on virtualized desktops

Overview

Some customers virtualize their workforce desktops with tools like VMware or Citrix. For the KeeperFill extension to function properly on such desktops, certain directories may need to be persisted.

This applies to the extensions for Chrome and Edge. For each, three directories within the user's home directory must be persisted, as listed below.

Extension ID

Some directory paths refer to an <Extension-ID>. Where the ID is referred to, you can opt to persist the entire parent directory, or you can find the ID in the table below.

For Chrome, the ID may be either of the Chrome IDs listed. For Edge, the ID may be either of the Edge IDs listed; or, if you installed on Edge using the Chrome Web store, the ID will be one of the two Chrome IDs.

Browser

Extension ID

Edge

lfochlioelphaglamdcakfjemolpichk OR mpfckamfocjknfipmpjdkkebpnieooca

Chrome / Edge

bfogiafebfohielmmehodmfbbebbbpei OR kbedblbpfmeicfpadihimgombbafaeeh

Edge Locations

The following three directories should be persisted when using the Edge extension.

Extension Installation:

C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\<Extension-ID>

Indexed DB:

C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\chrome-extension_<Extension-ID>

Storage:

C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\<Extension-ID>

Chrome Locations

The following three directories should be persisted when using the Chrome extension.

Extension Installation:

C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Extensions\<Extension-ID>

Indexed DB:

C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_<Extension-ID>

Storage:

C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension-ID>

IBM MaaS360

Deploy Keeper to mobile phones

Overview

From the MaaS360 dashboard, go to Apps > Catalog
Click "Add" and expand either iOS or Android
Choose Keeper Password Manager and once it's in the list, click into it

Check the box for "Update Automatically" and click "Distribute"

Check all three boxes listed below and click "Distribute"

Optional Deployment Tasks

Other Policy Driven Deployment Tasks

Prevent Installation of Untrusted Extensions

As a general security practice, we recommend that Enterprise customers limit the ability of end-users to install unapproved 3rd party browser extensions. Browser extensions with elevated permissions could have the ability to access any information within any website or browser-based application. Please refer to your device management software to ensure that Keeper is allowed, and unapproved extensions are blocked or removed.

Preloading Password Importer Tool

The Keeper Password Importer tool is typically downloaded by the user during account creation on the Web Vault. If you do not permit the installation of applications on end-user devices, you can preload the app using the binaries located below:

Password Importer (Windows):
Password Importer (Mac):

Disabling Built-In Browser Password Managers

Often times, Enterprise customers would like to automatically disable the less secure, built-in password saving features of web browsers. There are several methods of managing this as described in this section.

Chrome for Enterprise

Google provides .adm and .admx files (.admx is a newer .xml file type) to make it easier to manage the Chrome browser using Group Policy. In G Suite and Chrome Enterprise environments, it is enabled via the Google Cloud platform using one of the below methods:

– Google provides adm and admx files that are incorporated into a GPO
– pushed via MDM tools (JAMF, etc...)
– pushed via MDM tools (Ivanti, etc...)
– Native management for G Suite subscribers
– centralized Cloud based Management for Windows, Mac, or Linux computers – agnostic to directory services

Mozilla Firefox for Enterprise

Similar to Chrome, Mozilla provides .adm and .admx files to manage Firefox using Group Policy. Mac-based systems are provided a .pkg file and are managed via JAMF, etc. Linux users are provided a policies.json file.

Microsoft Edge for Business

Edge for Business is now available for Windows and Mac. Group policy is managed through .adm and .admx files on Windows, and .plist on Mac.

Internet Explorer Mode for Edge

The new Edge for Business now supports "Internet Explorer Mode". We recommend using this mode for any IE browser requirements within your organization.

Legacy Internet Explorer

If legacy Internet Explorer is absolutely required by your users, management of password saving features can be disabled under traditional GPO found under:

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer

Then disable “Turn on the auto-complete feature for user names and passwords.”

IE11 Trusted Sites

Policy Requirements for IE11 Trusted Sites

IE11 - Trusted Sites Policy

Customers who login to Keeper with SSO, or customers who are on corporate networks that deploy group policies for Internet Explorer, ensure that the following entries exist in your Trusted Sites settings under Tools > Internet Options > Security.

US / Global Customers (USA East/West):

keepersecurity.com *.keepersecurity.com

EU Data Center Customers (Ireland, London, Frankfurt):

keepersecurity.eu *.keepersecurity.eu AU Data Center Customers (Sydney): keepersecurity.com.au *.keepersecurity.com.au

CA Data Center Customers (Canada): keepersecurity.ca *.keepersecurity.ca

JP Data Center Customers (Tokyo): keepersecurity.jp *.keepersecurity.jp GovCloud Data Center (US): keepersecurity.us *.keepersecurity.us

Enterprise customers must push group policies to end-users with these Trusted Sites in order to fully function with SSO and other critical features.

End-User Guides

Links to end-user guides for mobile and desktop devices.

End-User Guides

Once you've deployed Keeper to your users, they can reference our many end-user guides listed below for step-by-step instructions for Keeper's web, desktop and mobile applications.

iOS iPhone and iPad application including autofill setup.
Android Android phone and tablet user guide including autofill setup.
Web Vault & Desktop App Keeper Web Vault and native Desktop app for Mac, PC, Linux.
Browser Extensions KeeperFill browser extensions for all web browsers including Chrome, Edge, Firefox, Safari, Brave and Opera.
Enterprise End-User Setup (Master Password Login) End-user guide specifically for users who login with a Master Password.
Enterprise End-User Setup (SSO Login) End-user guide specifically for users who login with SSO solutions such as Azure.
KeeperFill for Apps Native application autofill, auto-type keystroke automation and shortcut filling.
KeeperChat Native secure messaging application for iOS, Android, Mac and PC.
Sharing Guide focused on the various ways to share content in Keeper.
Record Types Usage guide on record templates and custom fields.
Importing A series of guides for migrating existing passwords from CSV files, or from other products such as 1Password, LastPass, KeePass, Dashlane, Bitwarden and many more.
Passkeys This is a guide to managing Passkeys in your vault. Passkeys are FIDO credentials that replace passwords with cryptographic key pairs for phishing-resistant sign-in security.

Enterprise End-User Welcome Video

This video provides a general overview of the Keeper platform for new end-users.

Keeper 101 Video Series

Additional videos for getting started with Keeper are available at the page below:

https://www.keepersecurity.com/getting-started.html

Co-branded Documentation

Do you require any additional documentation or user guides with your branding? Let us know. Email: [email protected].

Nodes and Organizational Structure

Keeper's node architecture scales for organizations of all sizes

Keeper's "node" architecture provides customers with a way to organize users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. A node is typically associated with different provisioning methods and identity providers.

By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.

Smaller organizations might choose to administer keeper as single level. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. Larger organizations benefit from organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages in defining multiple nodes is to help support the concept of delegated administration. A delegated administrator can be granted some or all of the Administrative permissions but only on their respective node (or sub nodes) to help reduce the administration load on the primary Keeper Administrators.

Nodes and SSO

When rolling out Keeper alongside an SSO identity provider, we require that those users are located within a node. This way, you can have any number of nodes associated with one or more SSO identity providers.

Nodes and Active Directory

When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.

Watch the video below to learn about nodes and organizational structure.

Creating Nodes

To manually create Nodes and Sub Nodes, select the button and click Add Node. The Add Node window will appear. Enter the name of the Node and select the node where you want the new node to be added in the tree structure.

Navigating Nodes

At any time, you can change which node you are viewing by navigating to or selecting the nodes on the Node selector. To navigate to the root-node or top level, select the business name (e.g. The Company) in the navigation tree.

When users are in the vault and sharing records, Teams and Users are visible in the auto-suggest field by all users regardless of what node the team or user resides in.

Node Isolation

If the desire is to restrict visibility and control whether or not the usernames and teams associated with other parallel (a.k.a. "sibling") nodes will be hidden in the auto-suggestion dropdown menu when setting up sharing of folders, "node isolation" will need to be enabled. With node isolation enabled, "children" of a node can see each others' associated users/teams as well of those above it (parent nodes).

When a node is isolated, users and teams in the parent node will be visible. Node isolation only limits visibility between parallel nodes.

Note: Any user who is an a role with admin rights having Share Admin permissions will also appear in auto-suggestion drop-downs, if the role has management permissions over the node for the currently logged-in user.

Activating node isolation

Turning on node isolation can be accomplished using the , or by opening a support ticket with Keeper support.

To find a list of nodes and node IDs, use the enterprise-info command:

To enable node isolation for a specific node, use the enterprise-node command:

After node isolation is enabled, a visual indicator will show in the console:

Node Isolation affects the ability for users to share records and folders outside of their node tree. For example, when sharing a record from the vault, the auto-suggestion list is restricted.

Managed Service Providers

If you are a Managed Service Provider (MSP) and you are considering the use of Nodes for different customers, we recommend you instead use the Keeper MSP product which provides a specialized set of features for deploying Managed Companies. The Keeper MSP user guide can be found here:

Nodes & Administrative Permissions

Within a Node, the "Role" is defined that can enable administrative permissions.

If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree is important with regards to where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute was not checked then the role permissions are only applied the the specific node to which the role belongs.

Nodes & User Provisioning

Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.

Stacking Provisioning Methods

A node can contain one or more authentication or provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration. Or you can authenticate with SAML 2.0 SSO and provision users with SCIM.

Adding a Provisioning Method

Navigate to the Node that you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".

Risk Management Dashboard

Enhanced Risk Visibility With Keeper’s Risk Management Dashboard

Overview

The Keeper Risk Management Dashboard is a powerful feature of the Keeper Admin Console that provides comprehensive security posture information covering end-user deployment, utilization, cloud configuration, and event monitoring. This critical data helps administrators ensure that risks are remediated and compliance is enforced effectively.

Key Utilization Metrics

Keeper’s Risk Management Dashboard delivers a risk assessment score based on key metrics within an organization’s Keeper environment. These metrics include:

Users who have created records
Users who have logged in within 30 days
Users who have accepted Keeper invitations
Users with Two-Factor Authentication (2FA) protected vaults
- Only displays for organizations that are not SSO enabled as 2FA is traditionally done at the SSO level. Keeper’s Risk Management Dashboard automatically detects SSO environments and tailors the risk management level to your configuration.

Users Who Have Created Records

The Users Who Have Created Records metric indicates the number of users within your organization that are actively using Keeper and creating records.

Predefined filters allow an Administrator to view users with no records created and users who have records created.

Individual users can be clicked to view a per user detail.

A downloadable CSV file is also available for further data analysis by clicking Download Report.

Users Who Have Logged In Within 30 Days

The Users Who Have Logged In Within 30 Days metric provides an indicator that shows users who have recently used Keeper within your organization.

Predefined filters allow an Administrator to view users who have and have not been active recently.

Individual users can be clicked to view a per user detail.

A downloadable CSV file is also available for further data analysis by clicking Download Report.

Users Who Have Accepted Their Keeper Invitation

The Users Who Have Accepted Their Keeper Invitations metric allow Administrators to measure and keep track of users who have accepted their Keeper Invitation and also allows Administrators to re-invite users who have not accepted invitations. This ensures maximum coverage for your organization.

Predefined filters allow an Administrator to view invited and active users as well as re-inviting users by clicking Resend All Invites.

Individual users can be clicked to view a per user detail.

A downloadable CSV file is also available for further data analysis by clicking Download Report.

Users With 2FA Protected Vaults

The Users With 2FA Protected Vaults metric provides an indicator that shows users who have enabled 2FA to login to their individual Keeper vaults.

Predefined filters allow an Administrator to view users who have and have not enabled 2FA for their vault.

Individual users can be clicked to view a per user detail.

A downloadable CSV file is also available for further data analysis by clicking Download Report.

License Utilization

The Risk Management Dashboard will display a license count during the first two weeks of onboarding after activating your first user and allow the Administrator to purchase more licenses by clicking Add Users.

A Low license alert will display when an organization has reached 90% of used licenses and allow the Administrator to purchase more licenses by clicking Resolve.

Keeper Security Benchmarks

Keeper’s Risk Management Dashboard leverages an outlined set of Keeper Security Benchmarks to keep organizations compliant and safe. With an emphasis on enforcing least privilege and ensuring organizations embrace the highest level of security, Keeper consistently updates these benchmarks to ease security adoption and provide important information for admins.

Keeper Security Benchmarks in the Keeper Risk Management Dashboard are broken into three main categories:

Critical Items to Resolve
Completed
Ignored
- If a benchmark is not applicable to your organization, an Administrator may choose to ignore it.

Keeper will periodically update recommendations for Keeper Security Benchmarks if a feature is updated or a recommendation is updated due to security advances.

When a benchmark is updated, a previously resolved item will become unresolved until configuration changes are made to adhere to the current recommendation.

The Security Benchmark tab is viewable in the default view. For information about all Keeper Security Benchmarks, click About Keeper Security Benchmarks.

Each benchmark will have a custom action to remediate the issue displayed.

In this example, clicking Add Back-up Admin will take the Admin to the Keeper Administrator role policy.

Clicking Ignore Benchmark will add the benchmark to the "Ignored" list.

High Priority Security Alerts

The Security Alerts tab will show a subset of Keeper's Advanced Reporting and Alerts Module's (ARAM) alerts. The subset is based on items that are considered high risk alerts.

Clicking View Reporting & Alerts will take the Administrator to the ARAM module in the Keeper Admin Console to view and take action on all alerts.

Each alert is clickable and will display:

Number of occurrences of the alert in the last 30 days
Sorting options for:
- Name
- Number of Occurrences
- Recent Occurrences
Trend percentage based on current 30 days against the previous 30 days
Option to download a csv report of the trend for further data analysis
Individual clickable user details to display information about an individual user

Risk Management Dashboard Report

A PDF summary report can be generated by clicking Download Report.

User and Team Provisioning

User provisioning is flexible and powerful with Keeper Enterprise

Keeper Enterprise can provision users through many different methods that are described here in detail.

Provisioning Methods Supported

Manual Provisioning through the Keeper Admin Console
Single Sign-On (SAML 2.0) Authentication and Provisioning with Keeper SSO Connect
Active Directory / LDAP Provisioning with the AD Bridge
Okta, Azure AD, Google Workspace, Ping, OneLogin Provisioning with SCIM
API Provisioning with SCIM
Email Auto-Provisioning
CLI Provisioning with Commander SDK

Watch the video below to learn more about provisioning users.

Best Practices for User Provisioning

Small Businesses and Teams

If you are deploying Keeper to a small number of users, or if you are only deploying Keeper to a team within a large Enterprise, using Keeper's "manual provisioning" or "bulk upload" may be sufficient.

See: Simple Provisioning through the Admin Console

Organizations with On-Prem Active Directory

For organizations that are managing an on-prem AD environment, we recommend using the Keeper Active Directory Bridge application ("AD Bridge") for mapping node structure and adding Users, Teams and Roles.

See: AD Bridge

The AD Bridge software is used strictly for provisioning of users. To authenticate your users against AD, we recommend using AD FS with the Keeper SSO Connect service.

See: SSO Connect Cloud

Organizations with On-Prem Active Directory and AD FS

For organizations who are already utilizing federated services, Keeper SSO Connect provides real-time authentication and Just-In-Time (JIT) provisioning. If you would like to automatically assign users to Roles and Teams through AD security groups or other custom LDAP queries, the Keeper AD Bridge software can also be utilized.

See: AD Bridge with SSO Connect Cloud

Organizations using Entra ID / Azure AD, Okta, JumpCloud, Google Workplace or other cloud-based directories

Many Keeper Enterprise customers have either migrated to a cloud-based identity store or they are in the process of migration, either through AD->Azure syncing or other mirroring techniques.

If your organization utilizes a cloud-based directory, you have 3 choices for deployment:

SSO (SAML 2.0) Authentication

Keeper SSO Connect is a powerful feature of Keeper Enterprise which supports real-time authentication and provisioning of user accounts through any SAML 2.0 compatible identity provider. Azure AD, AD FS, Okta, JumpCloud, Google Workspace, Ping, OneLogin and all other identity providers are compatible with Keeper.

SSO Connect Cloud supports Just-In-Time ("JIT") provisioning to make the user onboarding process simple and straightforward.

See: SSO Connect Cloud

SCIM provisioning

The SCIM provisioning protocol is supported by most modern identity providers including Azure, Okta, Google Workspace and many others. Google calls it "User Provisioning". Okta and Azure call it "Automated Provisioning". Keeper's SCIM implementation can provision a user account, de-provision an account, create a team, assign a user to a team, remove a user from a team.

See: Entra ID / Azure AD, Google Workspace, Okta, JumpCloud and generic SCIM provisioning docs

SCIM provisioning and SSL (SAML 2.0) authentication

SCIM and SSO can be combined to provide real-time authentication, provisioning of accounts AND the ability to create teams, assign users into teams, de-provision users, etc. Entra ID / Azure AD, Okta, Google Workspace, JumpCloud, Ping and many other modern identity providers support a combination of these two methods.

See: SSO Connect Cloud

Universities and Large Organizations with legacy or fragmented directories

Universities and large organizations who have fragmented user directories or do not wish to integrate Keeper with SSO or SAML protocols can use Keeper's Email Provisioning method for a mass deployment.

Email provisioning essentially reserves a domain name (e.g. iastate.edu) and will automatically provision a user based on their domain (with email verification) into a default role. No work needs to be done by the Keeper Admin once the initial configuration is set up.

See: Email Auto-provisioning

Integration with Portals or Custom Apps

If you have a special integration requirement such as automatically provisioning and creating user vaults through a developer API or other custom integration needs, Keeper provides several SDK options. Visit the Commander SDK platform for Python, .Net, PowerShell, Java and other toolkits available for customers.

See: Commander SDK

Custom Invite and Logo

Configure a custom invite email and logo before inviting users

Custom Email Invitations

Prior to adding users to Keeper we recommend uploading your company logo to the vault and customizing the email invitation that will invite your employees to create their Keeper Vault. These configurations are highly recommended as they have shown to help with quick user adoption of Keeper's software.

For security reasons, custom email invitations are only allowed for reserved domains. If you are sending invitations to users on domains that are not currently reserved to your tenant, please follow this guide.

To customize the email language, subject and logo, select Configurations then Edit next to "Email Invitations".

The email invitation template supports customization of the following four attributes:

Subject
Message Heading
Message Body
Download Button Text

Markdown Syntax

The body of the message supports plain text as well as basic markdown syntax. Example of markdown syntax:

Embedded Image from URL:
![Image](https://keeper-email-images.s3.amazonaws.com/common/acme.jpg)

**This is bold text**

*This is Italic*

# This is Heading 1
## This is Heading 2

Link Text:
Visit [Keeper](https://keepersecurity.com)!

For more information on the markdown language supported by Keeper, visit the following:

Custom Email - Markdown Language

Custom Email Template on Admin Console:

The example above produces the following email invitation:

Note Regarding Domain Reservation

For security reasons, a custom email invitation can only be sent to a user if the domain has been reserved to the tenant. If the email domain of the recipient is not reserved, the user will receive Keeper's default email invite, which looks like the below:

To ensure that your domains are reserved, please see the Domain Reservation documentation page.

Custom Invites on a Per-Node Basis

When creating a custom email invitation, the template is applied to users at the root node and all child nodes.

If you would like to have a different email invitation on a sub-node, you can use Keeper Commander's enterprise-node command to set a custom template for each node.

enterprise-node --invite-email="C:\path\to\emailTokyo.txt" Tokyo

Documentation for this feature is linked here.

Additional info for creating and inviting users with Commander are documented here.

Upload your unique company logo to the console so it will appear in the Keeper Vault header when users are logged into their Keeper Web Vault and Desktop App. It will also appear in your users' One-Time Share invites. To upload your logo, select Configurations and Edit next to "Company Logo".

Custom Vault Logo on a Per-Node Basis

If you would like to have a different vault logo and one-time share logo on a sub-node, you can use Keeper Commander's enterprise-node command to set a custom logo for each node.

enterprise-node --logo-file "/path/to/logo.jpg" Tokyo

Documentation for this feature is linked here.

For MSPs, a Managed Company can be associated with a node. Using this method, a custom logo file can be added for each node.

Custom Email - Markdown Language

Overview

When formatting the body message of your custom email templates, Keeper supports plain text as well as basic markdown syntax. This document will go over the markdown syntax supported by Keeper

Heading

To create a heading, add the hash symbol (#) in front of a word or phrase. The number of hash symbols you use corresponds to the heading level.

Markdown Syntax

Font Size

Paragraphs

Sentences are plain text and multiple sentences can be grouped together to form a paragraph.

Do not indent paragraphs with spaces or tabs as it can cause formatting issues

Markdown Syntax

Rendered Output

Line Breaks

To create a line break or new line, press return or enter at the end of the line. Pressing return or enter multiple times will create multiple line breaks

Markdown Syntax

Rendered Output

Bold & Italic

To bold text, add 2 asterisks (**) To italicize text , add 1 asterisk (*)

Markdown Syntax

Rendered Output

Links

To create a link, enclose the link text in brackets (i.e. [Keeper]) and place the URL in parentheses (i.e. (https://keepersecurity.com)). You can also format (bold or italics) the link as needed.

Markdown Syntax

Rendered Output

Embed Images from URL

To embed images from URL, add an exclamation mark (!), followed by the word Image in brackets, and the path or URL to the image asset in parentheses:

Simple Provisioning through the Admin Console

Provision users and create teams from the Keeper Admin Console.

Addition of Users

To add users manually through the user interface, follow these steps.

Login to the Admin Console.
Select the Node that the user will belong to. By default, the top level root node is selected.
From the Users Tab, select the + Add Users button.
Enter the Name and Email of the user and then click Add.
The user will receive an email to create their vault with a Master Password or SSO, depending on what node they are located in.

Bulk User Import

You can also import many users at once via a comma-delimited text file (.csv).

Preparing a file for Bulk User Import

The file format for a CSV file upload is 3 columns: Email Address, Name, Role.

The Role field is optional. Keeper recommends you create a default, "General Employee" role and all users imported will be automatically applied to that role, for example:

Example File (using Excel)

Convert the file to .csv by selecting File > Save As... > (.csv)

A few important notes about preparing a CSV file for user importing:

Ensure that the file does not contain a header row.
Only roles without Admin Permissions can be imported. Any row containing a Role that has Administrative Permissions will be skipped.
Don't populate a default role in the column. This is not necessary and will generate error messages. Simply leave the Role blank to inherit the default ole.
If you include a Role name, make sure it matches the exact spelling in the Admin Console.

Performing Bulk User Import

From the Admin Console, select Admin > Users.
Select the + Add Users.
Drag and drop a prepared CSV file with 3 columns: Name, Email and Optional Role.

After dragging and dropping the file, you will be asked to review the changes. Note the default role will appear empty. Click Add to complete the import.

Active Directory Provisioning

Keeper AD Bridge supports automatic provisioning of nodes, roles, teams and users across any size Active Directory environment.

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an Active Directory service. To activate and install the Keeper Bridge, follow the steps below:

Login to the Admin Console.
Create a Node (under the root node) to sync with your Active Directory.
Visit the Provisioning tab and select Add Method and then Active Directory Sync.
Download the Keeper Bridge and proceed with setup.

For detailed Keeper Bridge setup and installation instructions see our Keeper Bridge Guide.

Keeper Bridge supports single and multi-domain, multiple forest domains and other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment. The Keeper AD Bridge Guide documents the full setup process.

The Keeper Bridge does not authenticate users into their vault with their Active Directory password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section which authenticates against Active Directory via AD FS.
Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.
Once the Active Directory Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through Active Directory. Role enforcement policy changes should still be made on the Admin Console

LDAP Provisioning

Keeper AD Bridge supports automatic provisioning of nodes, roles, teams and users from any LDAP service.

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an LDAP service. To activate and install the Keeper Bridge, follow the below steps:

Login to the Admin Console.
Create a Node (under the root node) to sync with your Active Directory.
Visit the Provisioning tab and select Add Method and then select LDAP Sync.
Download the Keeper Bridge and proceed with setup.

For detailed Bridge setup and install instructions see our Keeper Bridge Guide.

The Keeper Bridge does not authenticate users into their vault with their LDAP password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section which authenticates against Active Directory via AD FS.
Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.
Once the Keeper Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through the LDAP Directory. Role enforcement policy changes should still be made on the Admin Console

SSO JIT (Just-in-Time) Provisioning

Keeper supports just-in-time automatic provisioning and seamless authentication with any identity provider

Overview of SSO - JIT Provisioning and Authentication

Keeper SSO Connect® Cloud leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision user vaults to the platform. Keeper supports all popular SSO IdP platforms such as Okta, Microsoft Entra ID / Azure AD, Google Workspace, Centrify, Duo, OneLogin, Ping Identity, JumpCloud and many more.

Keeper supports both IdP-initiated login flows and SP-initiated flows. Just-in-time provisioning allows admins to quickly and easily roll out Keeper to users using a few simple steps:

Configure the SAML 2.0 connection with "Enable Just-In-Time Provisioning" selected
Assign your users to the Keeper application in your identity provider
Direct your users to simply login to Keeper with their email address or SSO domain.

If your domain is , users will be automatically routed through your identity provider as seen in the below screenshots.

Any user who is provisioned through JIT will be assigned to the default for the node which they are provisioned in.

The user's vault will be immediately provisioned and the user will be walked through the onboarding process which can include importing passwords, installing the KeeperFill browser extension and setting up two-factor authentication.

The exact steps of the onboarding process depend on the user's assigned role enforcement policy. Onboarding can also be disabled completely.

After the onboarding is complete, users can begin using Keeper and managing their vault.

For a full step by step guide on setting up your SSO Connect Cloud environment, see the .

See the admin guide

Entra ID / Azure AD Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Azure AD / Entra ID platform.

Overview

Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams to receive shared folders.

Before setting this up, we recommend that you consider activating Keeper's powerful SSO Connect integration with Azure AD that provides realtime user authentication and Just-In-Time provisioning.

View the full SSO Connect Cloud setup guide:

If you have already setup Keeper SSO Connect Cloud or you don't have the need for SSO, proceed to Step 1 in the Configuration Steps below.

Features

Keeper/Azure provisioning integration supports the following features:

Creates users in Keeper
Updates user attributes (display name in Keeper)
Deletes users (locks users in Keeper)
Creates teams in Keeper (from Azure groups)
Adds or removes users to groups (to teams in Keeper)

When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.

Requirements

To setup Keeper user provisioning with Azure AD, you need to have access to the Keeper Admin Console and an Azure account.

Configuration Steps

Watch the video below to learn more about Azure AD provisioning with SCIM.

Step 1. Navigate to your Azure Admin account and select Azure Active Directory > Enterprise Applications and then New Application. Search for Keeper and select Keeper Password Manager & Digital Vault.

Step 2. After adding the application, click on the Provisioning section and select Automatic from the listed options.

In a separate window, you will retrieve the Tenant URL and Secret Token from the Keeper Admin Console.

Step 3. From the Keeper Admin Console navigate to a node which should be synchronized with your Azure AD. Click Add Method.

Note: SCIM integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console. Be sure to host the provisioner within a "subnode" as opposed to the "root" node.

Step 4. Choose the SCIM option and click Next then select Create Provisioning Token.

Step 5. Copy the Tenant URL and Secret Token values and paste them into the Tenant URL and Secret Token fields in the Azure AD screen from step one. Select Save to finish the Keeper provisioning setup.

Step 6. Return to the Azure AD screen and click Test Connection. If successful, save the credentials. Turn the Provisioning Status "on" and click Save.

Step 7. Go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app.

Step 8. Start Provisioning

Ensure that provisioning is started by clicking on the "Start" button.

Wait for approximately five minutes (in some cases, Microsoft can take up to 40 minutes for the first time run), then click the Sync button in the Admin Console. Verify that users appear under the Users tab.

SCIM-provisioned teams are not immediately created but rather put into a “Pending Queue” where they are finalized by one of several approval methods.

Instant Provisioning

In Azure, you can also instantly provision a user by clicking on Provisioning > Provision on demand.

Note: If a new domain needs to be used for SCIM provisioning, a support ticket must be submitted to Keeper to properly reserve the domain with your account.

SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM such as Azure, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role.

Keeper's Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

Team Provisioning and Team Assignments

When setting up User and Team SCIM provisioning with Azure, make sure of the following:

Ensure that you have assigned the Azure groups in the SAML application
When you invite a user from Azure or assign a user into a group that has been provisioned, Azure will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.
If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)
After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.
To streamline this process, the Keeper Automator service as of version 3.2 performs instant approval of Teams and team assignments. More information about the Automator service is .

SAML 2.0 Authentication with Azure AD

This document described the provisioning process with Azure AD. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the .

Google Workspace Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Google Workspace platform.

Keeper Enterprise is available for Google Workspace with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like Google Workspace) and service providers (like Keeper).

IMPORTANT: If you want your users to authenticate via SAML 2.0 with Google Workspace, you must first configure and install Keeper SSO Connect.

View the full SSO Connect Cloud setup guide: https://docs.keeper.io/sso-connect-cloud/

SCIM Overview

Companies utilizing Google Workspace for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision users. Keeper has developed a tight integration with Google Workspace and Google Cloud to automatically provision users and teams from Google to Keeper. In the integration, admins can select which groups and users are provisioned to Keeper.

In addition to provisioning and de-provisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with Google for seamless and frictionless access.

Integration of Keeper Enterprise into Google Workspace enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill critical security and functionality gaps that are essential from a cybersecurity perspective which includes:

Protects and generates strong passwords for any non-SAML application or website
Implements zero-knowledge security architecture with full end-to-end encryption
Stores SSH keys, digital certificates and any other confidential information
Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system.
Manages shared passwords for financial, business, social media or any other critical service

Keeper is available for all Google Workspace Education, Business and Enterprise customers.

SSO and SCIM Setup and Configuration

Google Workspace supports the following integrations with Keeper:

SSO authentication with SAML 2.0
Automatic User Provisioning with SCIM
User and Team provisioning with Google Cloud Functions and Cloud Scheduler

For step-by-step Google Workspace specific configuration use the following link: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/g-suite-keeper

CloudGate Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with CloudGate UNO

Overview

This guide covers CloudGate Automated Provisioning with SCIM which will update and deactivate Keeper user accounts as changes are made in CloudGate.

You can configure SCIM without SSO or SSO+SCIM

Requirements

To setup Keeper user provisioning with CloudGate, you need to have access to the and a CloudGate Admin account.

User Provisioning SSO+SCIM

IMPORTANT: If you want your users to authenticate via SSO / SAML 2.0 with CloudGate, you must first configure and install Keeper SSO Connect with CloudGate. View the full SSO Connect setup guides: SSO Connect Cloud: Once Complete, proceed to Step 7: in the guide below.

If you just want to provision users via SCIM provisioning without SSO, proceed to the guide below.

User Provisioning (SCIM)

Configuration Steps

Step 1: Add SCIM Provisioning Method for CloudGate

Navigate to your Keeper Admin console and add the SCIM Provisioning Method to your desired "Node".

Step 2: Select SCIM Provisioning Method

Select "SCIM (System for Cross-Domain Identity Management)" and select "Next".

Step 3: Generate SCIM Token

At the next screen select "Generate" to generate your Token to connect your SCIM provisioning method.

Step 4: Save SCIM Provisioning Method

At the next screen, you will be presented with your URL and Token. You will need this information for the step 8 to configure the SCIM section of the Keeper SSO Application within CloudGate. Select "Save".

You will now see your SCIM Provisioning Method in a Pending State.

Step 5: Add Keeper Application to CloudGate

Navigate to your CloudGate Admin Console -> Service Provider and select the Add service provider to add Keeper Password Manager to the list of your SSO applications.

Step 6: Configure Keeper Application

On the "ADD SERVICE PROVIDER" page, search for Keeper Security in the search bar. Select Add on the Keeper SSO Cloud Connect icon.

Step 7: Configure SCIM within Keeper Application

Click "edit" on the Keeper SSO Cloud Connect icon you created at SERVICE PROVIDERS page and go to the provisioning settings tab.

Step 8: Activate SCIM

This is where you will supply the previously generated URL and Token within the SCIM Provisioning Method in your Keeper Admin Console at the step 4. Now you can click "Test" to check if the SCIM provisioning is OK.

Step 9: Save Keeper Application

Select "save".

User provisioning with CloudGate is complete. Moving forward, new users who have been configured to use Keeper, in CloudGate and are within the provisioning scope definitions, will receive invites to utilize the Keeper Vault and will be under the control of CloudGate.

Microsoft AD FS Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with Microsoft AD FS

Keeper integrates with Microsoft AD FS for real-time user authentication, provisioning and de-provisioning.

View the full SSO Connect setup guides:

SSO Connect Cloud with Microsoft AD FS: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/ad-fs-keeper

SSO Connect On-Prem: https://docs.keeper.io/sso-connect-guide/identity-provider-setup/ad-fs-configuration

Team and User Approvals

Manual and Automated approval of SCIM or Bridge-provisioned Users & Teams

The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).

Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".

Keeper provides several methods of approvals, manual and automated.

Team and User Approval Process

New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, another team member or automated methods.

Actions must be taken by either the Admin or using methods outlined below, because encryption keys must be generated and/or shared.

Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.

Team members approvals are completed automatically when any member of the team (including the Admin) log into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

Approval Method 3: Keeper Automator

Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment.

Keeper Automator version 3.3+ supports automated team creation, team-user assignments and user approvals

Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users.

See the setup instructions here:

Approval Method 4: Keeper Commander

Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

Download Keeper Commander here: .

team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.

Keeper Commander Parameters

--team approve teams only
--user approve team users only
--restrict-edit {on,off} disable record edits
--restrict-share {on,off} disable record re-shares
--restrict-view {on,off} disable view/copy passwords

device-approve approves SSO Cloud user devices.

--approve approve all devices
--trusted-ip approve devices that come from recognized IPs
--reload retrieve the latest devices pending approval
--deny deny a device

See the setup instructions here:

Email Auto-Provisioning

Basic provisioning of users based on email address

Overview

To facilitate the onboarding of Keeper to users based on their email address domain and a Master Password, use the Email Provisioning method. This can be used for organizations that are deploying Keeper to a large number of users (such as a university) where the admin is not explicitly inviting the user to sign up.

For example, anyone with the email address containing the domain acme.edu, can be automatically provisioned to a particular node and role within the Acme EDU Keeper Enterprise account upon creating their vault.

Email provisioning is only recommended for users setting up a Master Password authentication method. SSO-enabled nodes do not require an email provisioning method.

Configuration

(1) Login to he Keeper Admin Console

(2) If you don't already have a Node created for this provisioning method, please create one by clicking "Add Node". Provisioning is not permitted in the root node.

(3) In the new node, click on Provisioning > Add Method

(4) Select Email Auto-Provisioning then Next

(5) Choose a method of domain name ownership. You can use DNS lookup or HTML file upload.

(6) Once verification is complete, the status will show the email domain.

Inviting Users

When using the email provisioning method, the easiest way to invite users to sign up is to provide them a link to the vault:

US Data Center:

EU Data Center: AU Data Center:

CA Data Center:

JP Data Center:

Users simply click "Set up now" and use your company email to create your vault.

The user types in their email and clicks "Next".

User will set a Master Password.

After the user confirms their email with a verification code, the user will be provisioned to the specified Node and Default Role in the Admin Console.

CLI Provisioning with Commander SDK

Keeper Commander is an open-source Python SDK which can perform many vault and administrative functions within the Keeper system.

Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Commander SDK can assist in the following use cases:

Command line access to your Keeper vault
Running reports
Importing passwords, folders and shared folder
Provisioning users and teams
Pushing records to users and teams
Sharing records and folders with users and teams
Performing targeted password rotation
Managing Secrets Manager and Keeper PAM

Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.

Commander resources:

Command-line Usage

Commander's command-line interface and interactive shell is a powerful and convenient way to access and control your Keeper vault and perform many administrative operations. To see all available commands, just type:

Interactive Shell

To run a series of commands and stay logged in, you will enjoy using Commander's interactive shell.

Type h to display all commands and help information.

Keeper Command Reference

Commander has hundreds of features. Specifically with regards to User and Team provisioning, the following commands are relevant:

create-user
enterprise-info
enterprise-node
enterprise-user
enterprise-role
enterprise-team
enterprise-push
team-approve
transfer-user
scim
automator

There are two methods for creating user accounts with Commander:

Invite users to an enterprise with the enterprise-user --add command
Create new user accounts and vaults with the create-user command

For the full list of commands offered by Commander, visit:

SSO / SAML Authentication

Federate login to Keeper with any SAML 2.0 compatible identity provider (IdP)

Overview

Keeper integrates with any SAML 2.0 compatible identity provider such as Entra ID, Okta, Google Workspace, Duo, OneLogin, Ping Identity, JumpCloud and more.

We offer two different SSO implementations: SSO Connect Cloud and SSO Connect On-Prem. Both implementations provide Zero Knowledge encryption with seamless authentication for end-users. We recommend for most customers.

SSO Connect Cloud

Keeper SSO Connect Cloud is the latest Cloud-based architecture which can be configured with your identity provider to authenticate and provision users in a matter of minutes. To read the SSO Connect Cloud setup guide, see the link below: https://docs.keeper.io/sso-connect-cloud/

SSO Connect On-Prem

SSO Connect On-Prem is a self-hosted integration that requires either a Windows or Linux hosted application server. To read about the SSO Connect On-Prem configuration, see the link below:

https://docs.keeper.io/sso-connect-guide/

Email Address Changes

Best practices for handling end-user email changes in bulk

Handling Email Changes for SSO Users

Organizations may need to migrate users to a new email domain, such as during a merger or acquisition. For users authenticating via Single Sign-On (SSO), their email address serves as the primary identifier in both the Identity Provider (IdP) and Keeper. If the email addresses do not match, authentication will fail. To prevent disruptions, email changes must be properly coordinated between both systems.

Recommended Process for Administrators

To ensure a seamless transition when updating user email addresses in bulk, Keeper recommends using Keeper Commander (CLI Tool) before making changes in the IdP. This approach maintains authentication continuity and minimizes user impact.

Updating User Emails with Keeper Commander

Reserve the New Email Domain Ensure the new domain is for your enterprise. If not, contact Keeper Support to enable it before proceeding.
Download Keeper Commander Get the latest release:
Update User Emails Run the following command to change an email address:
- This command updates the primary email while retaining the old email as an alias.
- Reference:
Batch Processing for Multiple Users
- Create a batch file with multiple commands for bulk updates.
- Test with one user before applying changes to all.
- Guide:
Sync Keeper SSO Connect (If Applicable) If using Keeper SSO Connect On-Prem, sync the SSO Connect server to apply the updates.
Update Emails in the IdP Once emails are updated in Keeper, proceed with updating them in the IdP.

Alternative Process: User Updates Their Own Email

Users can manually update their Keeper email, but this must be coordinated to avoid authentication issues. Before proceeding, ensure that role-based enforcement does not prevent email changes.

Steps for Users to Update Their Email

Log in to Keeper using the current email address.
Administrator updates the email in the IdP.
User updates email in Keeper:
- Navigate to Settings > General > Email Address - Reset Now.
- A confirmation email will be sent to the new email address.
- Click the link in the email to confirm the update.
Sync Keeper SSO Connect (If Applicable)

Bulk Email Changes

If multiple users require email updates, please contact Keeper Support for assistance in coordinating these updates efficiently.

Roles, RBAC and Permissions

Keeper's Least-Privilege Role permissions are both flexible and powerful.

In the Keeper architecture, Roles and Teams are separate but related concepts.

Roles define permissions, controls what features and security settings apply to users and manages administrative capabilities.

Teams are used for sharing privileged accounts and Shared Folders among users within the vault. Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals (more on teams ).

Role-based Access Controls (RBAC) provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions.

The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role Keeper Administrator (under the Root Node) is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.

We strongly recommend adding a secondary admin to the Keeper Administrator role in case one account is lost or no longer accessible. The creation of additional roles such as a General Employee role, is not required but highly encouraged.

Watch the video below to learn more about role-base access controls.

Adding Roles

You can add roles manually through the Admin Console, automatically mapped via SCIM, created with Keeper Commander, or assigned from Active Directory / LDAP via the .

To add roles manually, select the Roles tab. There you can navigate to the specific node you would like the role to be assigned to. Select the + button to add a role. Verify or select the appropriate Node in the organization tree (or select the Root Node). Enter the name of the role you are creating then click Add. After the role has been created, you can configure the role enforcement policies, select the users to assign the role and set administrative permissions.

Role Enforcement Policies

First, select the role you would like to configure. Click the Enforcement Policies button. Observe the enforcement policies are are structured into the following areas:

Login Settings
Two-Factor Authentication (2FA)
Platform Restriction
Vault Features
Record Passwords
Creating and Sharing
Import and Export
KeeperFill
Account Settings
Allow IP List
Keeper Secrets Manager
Privileged Access Manager (KeeperPAM)
Transfer Account

For more information about Enforcement Policies, click .

Team-to-Role Mapping

Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into Teams that can be assigned custom Roles. With team-to-role mapping, a user who is a member of a team who is assigned to a role will assume the enforcements of the given role. That user can be a member of the role more than once, once via user-role membership and again via user-team-role memberships if any exist.

To use team-to-role mapping, administrators simply assign a role to an entire Team, as opposed to individual users, and use Role Enforcement Policies to establish different requirements and restrictions for each Team.

Currently Keeper does not allow mapping of administrative roles to teams, in order to prevent an admin from inadvertently elevating permission of a user. This feature is being considered for a future release.

SCIM Role Mapping

When setting up SCIM (System for Cross-Domain Identity Management) in the Keeper Admin Console, roles can be automatically assigned instead. By default, SCIM groups map to Keeper teams. SCIM group names that start with this optional prefix will instead map the assignments to a role.

Role Enforcement Conflicts

It is important to note, that if a user is a member of multiple roles or a team with differing role enforcements, all enforcements must be satisfied for all the roles the user is a member of. Keeper implements least-privileged policies, so when a user is a member of multiple roles, their net policy is typically most restrictive, but this can vary depending on the enforcement.

For example: Role A does not allow sharing to anyone. Role B does not allow sharing outside of the enterprise. The user will be unable to share to anyone because Role A (least privilege) does not allow it.

Enforcement Policies

The documents each of the available enforcement policies.

Security Keys

Additional information regarding FIDO2 Security Keys in Keeper

Keeper Administrators can enforce the use of FIDO2 security keys, and require that a security key can be used as the only 2FA method. Security Keys can be enforced for any type of account, including Master Password-based login and SSO login.

Administrators can also require the use of PIN associated with the hardware key.

Screenshot below:

Important Notes Regarding Security Key Enforcement

Enforcing the use of a FIDO2 hardware security key has several implications for users which admins need to be aware of.

Support for enforcing a FIDO2 Security Key can vary based on the device operating system and device firmware capabilities. Ensure you are using the latest operating system and Keeper version.
Keeper supports both plug-in and NFC keys on mobile devices. Documentation and support for security keys is available on our end-user guide for iOS and Android.
Troubleshooting Keeper with Security Keys on iOS is documented at this link

Sharing

Business users can securely share their records and folders with co-workers, contractors and partners across all devices

Overview

Sharing Keeper records is a secure and powerful feature of the platform. Keeper offers various easy-to-use sharing capabilities with role-based enforcement policies to solve the most common use cases.

- easily share a single record with another Keeper user and choose from various permission types to control access.
- share multiple records in a folder to a specific set of users or Keeper Teams.
- share access to a zero-trust privileged session without sharing access to credentials
- provides time-limited secure sharing of a record to anyone, even if they don't have a Keeper account. This is a useful feature for sharing information with contractors or new employees during their onboarding process.
- role-based permission that gives administrators elevated access rights over your organization's shared folders and shared records.
- securely share credentials or secrets with other Keeper users on a temporary basis, automatically revoking access at a specified time.
- One-time share records that automatically delete from both sides when shared and viewed.

PAM Resource Sharing

Sharing access to servers, databases, workloads and web applications with Keeper

Overview

Keeper Vault uses Shared Folders as the access control mechanism for all KeeperPAM-managed resources. These PAM resources can be organized within shared folders in the same way as standard Keeper records.

A significant advantage of the KeeperPAM architecture is that it enables resource access sharing without revealing the actual credentials to users. This zero-knowledge approach maintains security while providing necessary access.

Types of PAM Resources

Shared Folders can contain various types of PAM resources:

PAM Machine - For server and endpoint connections
PAM Database - For database system access
PAM Directory - For directory service management
PAM Remote Browser - For secure web application access
PAM User - For service credential management

The share receipient can then initiate a zero-trust privileged session to the target system, without having access to the underlying credentials.

Implementing Least Privilege

For optimal security through least privilege principles, we suggest maintaining PAM Users in a dedicated shared folder separate from other resources. This separation helps limit access to sensitive underlying credentials.

The recommended configuration includes:

A shared folder for infrastructure components (Machines, Databases, etc.)
A separate shared folder specifically for PAM User credentials

When you utilize Keeper's or Gateway wizard, this separation happens automatically, establishing the recommended security structure from the beginning.

Security Benefits

This organizational approach provides several advantages:

Credentials remain protected even when resource access is shared
Administration is streamlined through the familiar Keeper interface
Access permissions can be precisely configured at the folder level
Complete audit trails track all resource access activity
The system integrates seamlessly with existing Keeper workflows

For more information:

KeeperPAM

Time-Limited Access

Time-Limited Access allows you to securely share records, folders and PAM resources with other Keeper users on a temporary basis.

Overview

Time-Limited Access allows you to securely share credentials, secrets or PAM Resources like machines, databases and directories - with other Keeper users on a temporary basis, automatically revoking access at a specified time. Time-Limited Access prevents long standing privileges and ensures that information is removed from the recipient’s vault, greatly reducing the risk of unauthorized access.

Key Benefits

Revoked access at a specified time designated by the record owner, minimizing the workload on the owner to remove the share at a later time.
Enhances security as traditional short term sharing has been done in insecure ways like using sticky notes, text messages or instant messengers.
Simplified compliance with event tracking on all sharing activity, ensuring least privilege access is maintained.
When paired with or Keeper Secrets Manager (KSM) capabilities, users can schedule rotation of the shared credential upon the expiration of access, ensuring the recipient never has standing privilege.

Select the record from your vault and click Share, entering their email address or selecting it from your contacts list. Set their permission level and click Add.

Select the “Permissions” dropdown and click Set Expiration. Here you can select one of the default expirations or click custom date and time to set your own. Next, check the box if you would like the record owner, such as yourself, or users with edit access to be notified via email when the recipient's record access expires. Click Done to save.

The recipient of a shared record with time-limited access may have "view" and "edit" permissions but will not be able to share the record. If "share" permissions are applied, the expiration will be removed.

Open the shared folder from your vault and click the edit icon and from the “Users” tab, add the user or team you would like to share the folder with.

Set their permissions and from the dropdown menu click Set Expiration, following the same steps you would for a single record share (described above).

Next, check the box if you would like users with "can manage records" permissions over the folder to be notified via email when the recipient's record access expires. Click Done to save.

The recipient of a shared folder with time-limited access may have "can manage records" permissions, but the ability to "manage users" is restricted. If these permissions are applied, the expiration will be removed.

When sharing access to PAM Resources (such as a Windows or Linux server), privileged sessions can be established to the target resource, without access to the credentials. When access is revoked, the session is terminated and session logs are created for the administrator.

For more information about PAM sessions and permissions, see the documentation.

Time-Limited Access With Keeper Commander

Manage time-limited access on records and folders programmatically using the Keeper Commander CLI and SDK. Relevant commands:

with --expire-at and --expire-in switches
with --expire-at and --expire-in switches

For more information see our documentation.

Self-Destructing Records

Self-Destructing Records allow you to share records with user's outside of Keeper, while automatically deleting the record from your vault and disabling the share link at specified time

Overview

Self-Destructing Records utilize Keeper’s existing One-Time Share technology which allows time-limited, secure sharing of a record to anyone, even if they don’t have a Keeper account.

Self-Destructing Records take our feature even further by automatically deleting the record from your vault once the share link is disabled and the recipient’s access is revoked. This reduces your workload to revoke record access and removing it from your vault at a later time.

Key Benefits

Providing the most secure, encrypted method to send sensitive information to users outside of your organization without exposing sensitive information in plain text over email, text message or messaging.
Avoids the accumulation of unnecessary privileges within an organization over time.
Assurance that the details of a shared record remain with the recipient, on a single device.

Create a Self-Destructing Record

To create a Self-Destructing Record, create a new record as you normally would. Enter the record details and click Add Self-Destruct.

From the menu that is now presented, select when you want the share link to expire.

Once you've made your selection, click Save & Share to generate a One-Time Share link.

You have the option to copy the link directly, or send it in an invite or QR code format.

The recipient of a Self-Destructing Record simply clicks on the provided link and is instantly presented with the shared record in their web browser. One-Time Share links are bound to a single device, further strengthening security and preventing unauthorized distribution or viewing on multiple devices. The link will expire at the specified time or once the recipient has viewed the record for five minutes, whichever comes first.

Keeper's Self-Destructing Records allow you to securely share records with file attachments that self-destruct at a specified time.

Create a record as you normally would and click Add Attachments to upload your file, or simply drag and drop the file directly into your vault.

Click Add Self-Destruct, select when you want the share link to expire, then click Save & Share to generate a One-Time Share link.

The recipient of a Self-Destructing Record simply clicks on the provided link and is instantly presented with the shared record in their web browser. They can then click on the file to download it to their local device.

Delete a Self-Destructing Record

You can delete a Self-Destructing Record at any time, thus disabling the share link by clicking Delete Now. Deleted Self-Destructing Records will appear in your vault's “Deleted Items” with the option to "Restore".

Self-Destructing Records With Keeper Commander

Manage self-destructing records programmatically using the Keeper Commander CLI and SDK. Relevant commands:

with --self-destruct switch

For more information see our documentation.

Importing Data

Importing passwords and other secret information into your Keeper vault

Keeper provides several methods of migrating passwords and private data from other products into the vault. Each method is fully documented with screenshots and example data.

Importing from Web Browsers

The Keeper Web Vault and Desktop App provide automatic import of passwords from all popular web browsers including Chrome, Firefox, Edge, Safari and others. Keeper provides a standalone Importer tool that is downloaded and installed from the Web Vault.

Detailed step by step instructions for Web Browser import can be found at this link.

Keeper Desktop Import

You can easily import passwords through the Keeper Desktop native application. From the Desktop App, simply click on Settings > Import > click "Import" to begin the import process.

Download Keeper Desktop

Importing from Flat Files

Importing from other password managers

Developer Tools for Migrating Data

Importing KeeperPAM Resources

Keeper Commander

Storing Two-Factor Codes

Keeper provides encrypted 2FA code storage for websites and applications.

Storing 2FA Codes in Keeper

Keeper has developed a fully-integrated security layer that adds two-factor codes directly in vault records. A Keeper user simply adds the two-factor code into the vault record field and then it will automatically be filled when logging in via the Web Vault or Browser Extension. The Keeper vault is also capable of storing and managing TOTP / 2FA codes for 3rd party applications.

Advantages of Storing Two-Factor Codes in Keeper

Keeper two-factor codes are more secure than using SMS text messages.
Two-factor codes stored in Keeper are protected with strong Zero-Knowledge encryption.
They can be auto-filled quickly while logging in to a site, saving time and reducing friction.
Keeper records are securely backed up so if you lose a device you don’t have to reset all the codes.
Keeper records are shareable. If you have multiple people that need to log in with the same credentials, they won’t need to track down the person who has the only device containing the code.

See the Video Demo below of Two-Factor Codes Integration:

Two-Factor codes can be filled directly with the Keeper Browser Extension.

Alternatively, Two-Factor codes can be filled in any login screen using the Right Click menu.

Setup and Configuration

To add a Two-Factor Code, you can use the Web Vault, Desktop App or mobile apps.

From the Desktop App, click on "Add Two-Factor Code". There are 3 ways to input the code:

Scan (Desktop App Only)
Upload a QR code image (.jpg, .png, etc)
Manual Entry (advanced)

The "Scan" feature on the Keeper Desktop application lets you drag a small scanner window on top of the target QR code. This is useful when setting up applications on the desktop computer.

It's also very easy and straightforward to use the Keeper mobile app on iOS or Android to add a Two-Factor code. Tap on "Add Two-Factor Code" from the record edit screen and use the device camera.

Security Audit

Password security strength reporting in the Admin Console

End-User Security Audit

In each end-user's vault, the Security Audit screen provides information about the password strength and password reuse taking place. The calculation of password strength and reuse is performed continuously from the user's Vault on all platforms including Keeper Desktop, Web Vault, iOS and Android devices.

Keeper's Password 'strength' is a calculated score based on the complexity of the password, with a score rating between 0 and 100 according to the below metrics:

Weak: < 40 Fair: 40-59 Medium: 60-79 Strong: >= 80

Admin Console Report

To preserve Zero Knowledge, the summary of each end-user Security Audit score is encrypted with the Enterprise Public Key, then stored encrypted in the Keeper Cloud.

When the Admin logs into the Admin Console, the Audit Data is decrypted locally on the Admin Console device and made available for administrators in an aggregated format from the Security Audit screen.

The Security Audit screen provides summary and user-level security score information that includes:

Overall Security Score
Record Password Strength
Unique Record Passwords
Use of Two-Factor Authentication

For more information on how these scores are calculated, visit the following:

The Security Audit screen contains a table that displays the record password strength, unique record password count, and 2FA status for all users across the enterprise.

The table is sorted by default on the users’ overall Security Audit score, showing users with the lowest Security Audit score first. You can reverse this sort order or sort instead on the user's name, password strength, reused passwords, or two-factor method.

Additionally, you can filter the table on the following fields:

Record Password Strength: Strong, Medium, Fair, or Weak
Unique Record Password: Re-used or Unique
2FA: Text Message, Authenticator App (TOTP), Smartwatch (KeeperDNA), Security Keys, RSA SecurID, Duo Security, or No 2FA

Refreshing Security Audit Scores

Administrators can refresh the security scores on the UI without having to log out of the Console and log back in. The ability to refresh scores is useful when the admin is expecting users to log into their Vaults to have their latest security scores sync with the Console. When the user has logged into their Vault, the admin needs to simply click the Refresh Scores button to sync the latest scores to the Console.

Resetting Security Audit Scores

Administrators can reset security scores from the UI if the scores have gotten out-of-sync with user Vaults. The administrator can either reset scores for the entire enterprise using the Reset Scores button on the Security Audit screen or for specific users. Please note that only Root Admins can reset the Security Audit score.

The Reset Scores button on the Security Audit screen will reset scores for the entire enterprise. Once the scores are reset, users will need to log in to their Vaults for the scores to sync to the Admin Console due to the constraints of Keeper’s Zero Knowledge architecture.

Alternatively, the administrator can navigate to the User Details modal and select Reset Security Score under User Actions to reset individual users' Security Audit scores. As is the case with performing an enterprise-wise score reset, once the scores are reset, the user will need to log in to their Vault for the scores to sync to the Admin Console due to the constraints of Keeper’s Zero Knowledge architecture.

BreachWatch

In addition to Security Score, Keeper also provides a Dark Web scan summary of end-user passwords through the BreachWatch secure add-on.

BreachWatch alerts can be configured in the Advanced Reporting & Alerts module to alert users and Administrators when a password has been found on the dark web.

Commander CLI

The Keeper Commander CLI provides direct access to the audit data and event data, with other advanced capabilities. For more information, see the reference guide and .

BreachWatch (Dark Web)

Zero Knowledge dark web breach scanning for Keeper Enterprise

Overview

BreachWatch provides organizations oversight of the vulnerabilities of user's passwords through active monitoring of dark web breach data. Users and administrators are notified if any of their passwords in a record have been used in publicly known breach that could leave your organization vulnerable to a credential stuffing attack or an account takeover.

Watch the video below to learn more about dark web monitoring with BreachWatch

End-User Experience

BreachWatch will prompt the user on their client device to Resolve the breached password by either changing the password or ignoring it. If a password alert is ignored, then that record will be skipped on future scans until the password is reset. The user may also do nothing (deferring a response) and leave the risky password unchanged and thus still "at risk".

Admin Console Experience

BreachWatch provides Admins a dashboard overview and a summary table in the Admin Console detailing how users have dealt with their BreachWatch notifications.

If users have "At Risk" or "Ignored" passwords, the Keeper Administrator can reach out to the user in order to take action. If a record does not contain a password, it will not be shown in the count. The report includes both "owned" and "shared" records.

Reporting & Alerts

If the Advanced Reporting & Alerts module is activated on the Enterprise license, then BreachWatch specific events can be sent from the devices/clients and used to report activity with a variety of filters, and/or generate an alert.

Activate BreachWatch Event Reporting

IMPORTANT: To activate event-level reporting of BreachWatch data to the Advanced Reporting & Alerts Module you must enable the event role enforcement policy under the specific role > Enforcement Policies > Vault Features screen.

By default, Keeper does not send BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The Keeper Admin must explicitly enable this feature. After it's enabled, the event data will begin to flow through to the Advanced Reporting engine and connected SIEM systems such as Splunk.

Note that this is not retroactive. Events will only flow through Advanced Reporting & Alerts after this feature is activated.

BreachWatch Reports

After BreachWatch events are flowing into the reporting module, visit the "Reporting & Alerts" screen to generate a report.

Click on Add Custom Report then select the BreachWatch events.

Alerts can also be created with custom event tracking.

Webhooks can receive alerts, so that you can perform any custom logic such as Slack channel alerts, Microsoft Teams, etc.

To enable webhook alerts:

Click on the event name.
Click the Recipients tab.
Add or click on an existing Recipient.
Click the Add Webhook button.
Configure the URL, HTTP Body, and an optional token.
Click Save.

Events can also be streamed to 3rd party SIEM solutions.

Deployment & Reporting Enablement

The BreachWatch capability can be deployed selectively to your organization via Role Enforcements. The Pause BreachWatch on client devices toggle controls whether devices send events for reporting purposes, and whether to pause the service so it will not appear on the user's devices at all. Note that enabling events to the reporting module will send record event metadata (User Email, Record UID, IP Address and Device Type) from Keeper’s backend to any connected SIEM product.
If you do not want to deploy BreachWatch to your entire organization at once, you can control the deployment using the Pause BreachWatch on client devices toggle. Users in this node will not have BreachWatch enabled on their client devices.

Security

BreachWatch is a Zero Knowledge architecture that uses a number of layered techniques to protect our customer’s information. For detailed technical information regarding the security and encryption model of BreachWatch, please visit the BreachWatch section on the by clicking .

CLI Commands

BreachWatch can be managed and used through the . See the below related commands:

Event Descriptions

Details on what triggers each event

A list of all available events captured by the Keeper Advanced Reporting and Alert Module are provided in the chart below. The Event Code is utilized in the user interface and within the Keeper Commander CLI command parameters. The "Message" field is utilized for the Alerting module.

Within each event, there may be additional attributes such as Record UID, Shared Folder UID, Team UID, Username, etc. These attributes will appear within the event description and they are also provided to the 3rd party SIEM provider in the format as specified by the destination.

AWS S3 Bucket

Integrating Keeper SIEM push to an Amazon S3 bucket endpoint

Overview

Keeper supports event streaming into an Amazon S3 bucket. Setup instructions are below.

S3 Bucket Configuration

(1) In AWS, create an S3 bucket and of course ensure that all permissions are locked down.

(2) Create a user account without console access and assign a basic role policy which can only put files within the bucket. Example below.

(3) Generate Access Key and Secret Key, provide those to the Admin Console user interface along with the Bucket Name. You can select different time intervals for the file uploads. You can also select the file format which includes:

JSON
Syslog
CSV

For the Bucket Name, provide a full ARN that includes the region. For example: arn:aws:s3:us-west-2::my-keeper-events

Files will be posted only when events occur during the interval. In the example below, the json files are posted every hour when there is activity in the system.

If you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.

Log File Examples

Syslog File

JSON File

CSV File

Microsoft Sentinel

Legacy Azure Sentinel

Integrating Keeper SIEM event pushes to Azure Sentinel and Log Analytics

Microsoft has deprecated this logging API. Please see the Microsoft Sentinel integration page.

Overview

Keeper supports event streaming into Azure Sentinel / Log Analytics environments. This document describes the legacy method of streaming logs, which is being deprecated in 2025. Use the Azure Monitor or Microsoft Sentinel with Azure Marketplace method instead.

To proceed with this method... in Azure, go to Log Analytics workspaces > Select Workspace > Classic "Agents Management". From here you can retrieve a Workspace ID and Key. Provide these two fields to Keeper to start streaming logs to your selected workspace.

Keeper will immediately start sending event data to the designated Azure Log Analytics workspace, under a custom table named Keeper_CL.

To view the logs, open the Log Analytics Workspace > Logs > select the Keeper_CL table.

Troubleshooting

If you need to troubleshoot the event log APIs, the below Python script will simulate the Keeper backend system sending event logs to your Azure environment. Replace the Workspace ID and Workspace Key before testing it.

import base64
import datetime
import hmac
import hashlib
import requests
import json

# Configuration
workspace_id = 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx'
workspace_key = 'xxxxxx'
log_type = 'Keeper'

# Sample body
body = [
{
  "audit_event": "role_created",
  "remote_address": "11.22.33.44",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "timestamp": "2025-01-12T00:03:44.743Z",
  "role_id": "28162100560074"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.55",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-13T00:03:44.743Z",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "RESEND_ENTERPRISE_INVITE_IN_X_DAYS",
  "value": "7"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.66",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-14T00:03:44.776Z",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "SEND_BREACH_WATCH_EVENTS",
  "value": "ON"
},
{
  "audit_event": "role_enforcement_changed",
  "remote_address": "11.22.33.77",
  "category": "policy",
  "client_version": "EMConsole.17.0.0",
  "timestamp": "2025-01-15T00:03:44.835Z",
  "username": "[email protected]",
  "enterprise_id": 6557,
  "role_id": "28162100560074",
  "enforcement": "GENERATED_PASSWORD_COMPLEXITY",
  "value": "[{\"domains\":[\"_default_\"],\"length\":20,\"lower-use\":false,\"lower-min\":5}]"
},
{
  "audit_event": "audit_alert_sent",
  "category": "usage",
  "client_version": "Keeper Service.1.2.0",
  "username": "ALERT",
  "enterprise_id": 6557,
  "timestamp": "2025-01-16T01:31:11.123Z",
  "origin": "admin_permission_added",
  "name": "XXX123",
  "recipient": "[email protected],+19165551212",
  "username_new": true,
  "client_version_new": true
}]

body_json = json.dumps(body)
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body_json)

signature_string = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123date}\n{resource}"
decoded_key = base64.b64decode(workspace_key)
signature = base64.b64encode(hmac.new(decoded_key, signature_string.encode('utf-8'), hashlib.sha256).digest()).decode('utf-8')

headers = {
    'Content-Type': content_type,
    'Authorization': f'SharedKey {workspace_id}:{signature}',
    'Log-Type': log_type,
    'x-ms-date': rfc1123date
}

uri = f'https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01'

response = requests.post(uri, data=body_json, headers=headers)
print(f"Response code: {response.status_code}")
print(f"Response message: {response.text}")

Crowdstrike NG SIEM

Integrating Keeper SIEM push to Crowdstrike NG SIEM

Overview

Keeper supports event streaming into Crowdstrike NG SIEM. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Add the Data Connector

From the Crowdstrike dashboard, visit the Data onboarding > Data Connectors screen.
Select "+ Add connection" and search for Keeper
Click "Configure", assign a name, and then "Create connection".

Create the API Key

From the Data Connector screen, in the Keeper row click the overflow menu and then "Generate API Key".
Save the API Key and API URL for the next step.

Activate the Integration

From the Keeper Admin Console, go to Reporting & Alerts > External Logging
Select Crowdstrike Falcon Next-Gen
Provide the API Key and API URL from Step 2.
Click Test and then Save.

Setup Complete!

When SIEM logs are sent from Keeper to Crowdstrike, the data will begin to populate in the "Third Party" source within a few minutes.

Datadog

Integrating Keeper SIEM push to Datadog

Overview

Keeper supports event streaming into Datadog deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

The Datadog integration requires two fields:

URL (For example: datadoghq.com or datadoghq.eu)
API Key

To retrieve an API Key, please follow the below instructions

In the Datadog interface, go to Organization Settings > API Keys
Create a new API key

Ensure that your API Key matches up with the destination server where your Datadog environment is hosted.

Devo

Integrating Keeper SIEM push to Devo

Overview

Keeper supports event streaming into Devo deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Devo uses a standard "Syslog" push capability over TCP.

Ports TCP Ports 514 and 6514 (TLS)

Fields Exported "audit_event", "username", "client_version", "remote_address", "channel", "result_code", "email", "to_username", "client_version_new","username_new", "file_format", "record_uid", "folder_uid", "folder_type", "shared_folder_uid", "attachment_id", "team_uid", "role_id"

Payload Format Pipe-delimited, e.g. "audit_event=login|[email protected]|..."

Important: Ensure that the endpoint is using a valid signed SSL certificate. Keeper's systems will refuse to connect to an invalid or self-signed endpoint. Also, ensure that your Devo server allows traffic from Keeper servers. See page.

Elastic

Integrating Keeper SIEM push to Elastic

Overview

Keeper supports event streaming into Elastic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Elastic integration uses a TCP push to the destination endpoint. The fields required are:

Host (e.g. mycompany.gcp.cloud.us.io:9243)
Search Index (e.g. keeper)
API Key

Please refer to the Elastic documentation for generating an API key:

Important: Ensure that the endpoint is using a valid signed SSL certificate that has a domain matching the subject name in the certificate. The certificate must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also, ensure that your Elastic server allows traffic from Keeper servers. See page.

Troubleshooting

If Keeper is unable to connect to your Elastic instance, please check the following:

In the host field, do not type http or https
Make sure to include the port
If you are using a "Space", add the space name to the end of the Host field after the port. For example: example-elastic01.us-east.found.io:9243/s/spacename
Make sure any firewall in front of Elastic is configured per

Exabeam (LogRhythm)

Integrating Keeper SIEM push to Exabeam

Overview

Keeper supports event streaming into Exabeam (formerly LogRhythm) deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Exabeam uses a standard "Syslog" push capability over TCP.

Ports TCP Ports 514 and 6514 (TLS)

Payload Format Pipe-delimited, e.g. "audit_event=login|[email protected]|..."

Important: Ensure that the endpoint is using a valid signed SSL certificate that has a domain matching the subject name in the certificate. The certificate must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also, ensure that your Exabeam server allows traffic from Keeper servers. See page.

Google Security Operations (Chronicle)

Integrating Keeper SIEM push to Google Security Operations (formerly Chronicle)

Overview

Keeper supports event streaming into Google Security Operations, formerly known as Google Chronicle. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Create an API Key

Go to the Google Cloud console and select the project associated to your Google Security Operations (Chronicle) environment.
Select APIs & Services > Credentials and create a new Credential > API Key.
After creating the API key, edit the key and apply restrictions.
Ensure that the API key is restricted to "Chronicle API" capabilities only.
Save this API key for step 3 below.

Create a Feed

From your Google Security Operations tenant:

Go to Settings > Feeds > Add Feed
Select Source Type of "Webhook" and then select Log Type of "Keeper Enterprise Security"
Select Next and then Submit.
When prompted, generate the Secret Key and save it for the step 3.
Also, copy the Feed Endpoint and save this for step 3.

Activate Integration

From the Keeper Admin Console, go to Reporting & Alerts > External Logging
Select Google Security Operations
Provide API Key from step 1, Feed Endpoint and Feed Secret Key from Step 2.
Click Test and then Save.

Setup Complete!

When SIEM logs are sent from Keeper to Google, the data will begin to populate within 15 minutes.

Logz.io

Integrating Keeper SIEM push to Logz.io

Overview

Keeper supports event streaming into Logz.io deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Logz.io uses their HTTPS listener method.

The connection to Logz.io requires two fields:

Host (e.g. mycompany.logz.io)
Token

Please refer to your Logz.io documentation for generating a security token.

Important: Ensure that the endpoint is using a valid signed SSL certificate that has a domain matching the subject name in the certificate. The certificate must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also, ensure that your Logz.io server allows traffic from Keeper servers. See Firewall Configuration page.

QRadar

Integrating Keeper SIEM event pushes to IBM QRadar

Overview

Keeper supports event streaming into IBM QRadar deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

QRadar uses a standard "Syslog" push capability over TCP.

Ports TCP Ports 514 and 6514 (TLS)

Example Payload

<165>1 2022-10-13T21:05:51.996Z yourLogSourceID keeper - - - {"record_uid":"XXX","audit_event":"fast_fill","remote_address":"12.34.56.78","category":"usage","client_version":"Browser Extensions.16.4.7","username":"[email protected]","enterprise_id":123456}

Important: Ensure that the endpoint is using a valid signed SSL certificate that has a domain matching the subject name in the certificate. The certificate must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also, ensure that your QRadar server allows traffic from Keeper servers. See Firewall Configuration page.

ServiceNow ITSM

Secure ingestion of security and incidents alerts into ServiceNow SIR

Overview

The Keeper Security ITSM application provides a secure and streamlined integration between Keeper Security Alerts and ServiceNow’s Security Incident Response (SIR) module. It enables enterprise customers to centrally manage and respond to Keeper-generated security alerts by automating their intake, transformation, and creation as Security Incident tickets within ServiceNow.

This integration helps security teams maintain visibility, improve response times, and ensure that Keeper Security alerts are managed consistently within existing ServiceNow SIR workflows.

ServiceNow Store Listing:

Features

Receive Keeper Security alerts and incidents through a protected webhook endpoint, ensuring that only authorized sources can submit data to the platform.
Protect the webhook endpoint with OAuth 2.0, enabling secure, token-based access for external systems.
Allows administrators to generate and manage bearer tokens directly within the application for seamless integration with Keeper Security alert module.
Guided Setup to configure authentication, validate data ingestion, and ensure smooth end-to-end operation without manual coding.
Store incoming alerts in a custom import set table and automatically transform them into Security Incident Response (SIR) records using predefined mapping rules.
Provides custom priority mapping for Keeper Security alert types enabling SIR administrators to work on incidents on priority basis.

Setup and Configuration

Full Setup and Configuration is documented below:

Sumo Logic

Integrating Keeper SIEM push to Sumo Logic

Overview

Keeper supports event streaming into Sumo Logic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

The Sumo Logic integration requires a single sync URL.

Configure an HTTP Logs and Metrics Source

To configure an HTTP Logs and Metrics Source:

In Sumo Logic, select Manage Data > Collection > Collection.
In the Collectors page, click Add Source next to a Hosted** **Collector.
Select HTTP Logs & Metrics.
Enter a Name to display for the Source in the Sumo web application. Description is optional.
(Optional) For Source Host and Source Category, enter any string to tag the output collected from the source. (Category metadata is stored in a searchable field called _sourceCategory.)
SIEM Processing. This option is present if Cloud SIEM Enterprise (CSE) is enabled. Click the checkbox to to send the logs collected by the source to CSE.
Fields. Click the +Add Field link to define the fields you want to associate, each field needs a name (key) and value.
- A green circle with a check mark is shown when the field exists in the Fields table schema.
- An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
When the URL associated with the source is displayed, copy the URL so you can use it to upload data.
When you are finished configuring the Source, click Save.
Processing Rules. Configure any desired filters, such as allowlist, denylist, hash, or mask, as described in Create a Processing Rule. Processing rules are applied to log data, but not to metric data.

Enforcement Policies

Role Enforcement Policies

Overview

Keeper role enforcement policies provide fine-grained control over the security and functionality of your Keeper environment.

Policy Sections:

Login Settings
Two-Factor Authentication
Platform Restriction
Vault Features
Record Passwords
Record Types
Creating and Sharing
Import and Export
KeeperFill
Account Settings
Allow IP List
Privileged Access Manager
Transfer Account

Master Password Complexity

Master Password Complexity policy enforces a password complexity for users that are assigned the selected role. This policy only applies to users who login with a master password.

Settings include:

Password length
Number of digits
Number of uppercase letters
Number of lowercase letters
Number of special characters

Important Note about Master Password Complexity and Default Role

When users are initially creating their vault, Keeper looks at all of the Default Roles within the Keeper Enterprise console in order to enforce master complexity rules. Keeper decides the Master Password complexity rules based on the largest value of each Default Role.

Once the account is created, Keeper will use the role assigned to the user to ensure Master Password complexity requirements are enforced on an ongoing basis.

When creating the Keeper Vault, the user will be required to adhere to the complexity requirements.

Master Password Expiration

The Master Password Expiration policy will require users to change the Master Password at the selected time interval (in days). When this policy is turned on, the Master Password will expire and the user will be forced to choose a new Master Password upon their next login. To configure the number of days that the Master Password must be changed, select this setting and make a selection between 10 to 150 days.

This feature does not affect users who login with SSO Connect Cloud.

If a user's Master Password needs to be expired immediately, this can be done from the Users tab. Select the user(s) that you wish to expire the master password for and select the Expire Master Password for all users. This will instantly expire a user's Master Password and require a password reset.

SSO Master Password

This option, which we also refer to as "Alternate Master Password", provides SSO-activated users a way to alternatively login by using their own Master Password instead. This may be useful if the SSO connection is down or the user is offline. This can also be used by SSO-enabled users to log into Keeper Commander CLI.

Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Web Vault, Browser Extension and Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator in the role policy and then configured by the user. Offline access can also be achieved with a Master Password for SSO-enabled users when this feature is activated.

Once this policy is activated, each user can follow the below steps to activate their Alternate Master Password:

Login to the Web Vault using SSO
Visit the Settings screen and then click "Setup" or "Edit" to set the Master Password.
Once set, the user can login to Keeper Web Vault by visiting the "Enterprise SSO Login" > "Master Password" screen.

The Master Password login feature for SSO users is only available on the Web Vault, Desktop App, Browser Extension and Commander CLI.

Device Biometrics

Keeper natively supports Windows Hello, Touch ID, Face ID and Android biometrics. Customers who normally login to their Keeper Vault using a Master Password or Enterprise SSO Login can also login to their devices using a biometric. Offline access can also be achieved with a biometric for both Master Password and SSO-enabled users unless the "Restrict offline access" enforcement is applied in the Account Settings policy screen.

Keeper does not store or process biometric data of users. Keeper integrates with the existing biometrics capabilities of the operating system.

Starting in July 2025, Keeper supports biometric login with a passkey, allowing users to authenticate using a device-bound passkey that replaces all traditional login methods - including master password, SSO, and two-factor authentication (2FA). When enabled, the passkey login acts as a complete replacement for both the first factor (e.g., master password or SSO) and the second factor (e.g., TOTP, SMS, Duo), offering a faster and more secure experience.

Biometric login with a passkey is available on Browser Extension 17.2+, and Web Vault 17.5+.

Separately, Keeper supports the use of device biometrics (e.g., Touch ID, Windows Hello) to replace just the first factor, such as the master password or SSO login, while still requiring 2FA. Both features can be configured independently by administrators through this section.

What is a Passkey and Why It Replaces First and Second Factors:

A passkey is a FIDO2 credential stored securely on the user's device, protected by a local biometric or PIN. Unlike traditional passwords, a passkey is phishing-resistant, device-bound, and cryptographically tied to the service. Because using a passkey requires both possession of the device (something you have) and biometric or PIN verification (something you are or know), it satisfies both authentication factors in a single action. This eliminates the need for separate 2FA mechanisms, while significantly improving security and user experience.

Clarification on Passkey Support – Platform Attachment Only:

Keeper’s biometric login with a passkey exclusively supports platform authenticator attachment. This means the passkey is created and stored locally on the user's device (e.g., laptop, phone, tablet) and is not portable across devices. The user must use the same device on which the passkey was registered to authenticate. We do not support cross-platform (roaming) authenticators such as security keys (e.g., YubiKey or external FIDO tokens). This design ensures that passkeys are tightly bound to a trusted device with built-in biometric protection, simplifying the login flow and improving security.

Two Factor Authentication (2FA)

Turning on the Two-Factor Authentication policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

If 2FA is enforced, the user will be prompted to set up 2FA upon account creation or login
If 2FA is enforced, it cannot be disabled by the user, but they can "Edit" and re-configure their 2FA
In addition to enforcing 2FA, the Admin can also specify how often users are prompted to re-authenticate with a new code.
Admin can disable a user's 2FA temporarily from the User detail screen in the Admin Console

Note that 2FA is always enforced on the Keeper servers once it has been configured for a user, no matter how often the user is prompted for a code. When a user has authenticated with a 2FA code, a token is generated on the device which is used for subsequent communication to the backend system.

On the user's device, the Admin can decide how often the user is prompted. For example, you can specify that users on Web Vault and Desktop app are prompted every login, but users on mobile devices are prompted once every 30 days. In any case, logging into a new device will always prompt the user.

In addition to specifying the 2FA prompting frequency, the Admin can specify which 2FA methods are available to users within the role. Different roles can be enforced with different methods.

Keeper supports the following 2FA methods:

FIDO2 WebAuthn Security Keys (supports PIN verification)
TOTP (Google Authenticator, Microsoft Authenticator or any time-based TOTP generator)
Smartwatch (Apple Watch or Android Wear)
RSA SecurID
Duo Security
Text Message (SMS)

Note: If "Biometric Login with a Passkey" is enabled, and the user creates a passkey on their device, they will not be separately prompted for 2FA on that specific device.

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

2FA and Device Approval

Keeper's advanced authentication system provides a built-in device verification that provides a second factor via email confirmation when attempting to login on an unrecognized device. If a user has configured 2FA, it can also be used as a method of device approval instead of email (for example, if email access is not possible).

Device Approval with a 2FA code is only possible with accounts that login with a Master Password. Users who login with SSO on a new device are required to use Keeper Push, Admin Approval or Keeper Automator approval methods.

Platform Restriction

An Admin can restrict the use of specific platforms to access Keeper including the Web Vault, Browser Extensions, Mobile app, Desktop app, Commander SDK and KeeperChat.

Vault Features

An Admin can prevent users in a role from using standard features in the Vault. Each individual policy is described below.

Disable in-app onboarding

Turning this on will prevent the "Quick Start" module from appearing in users' vaults when they login in for the first time.

The in-app onboarding flow will adapt to the policies set by the Keeper Administrator:

If importing is not allowed, this option will be hidden
If Browser Extension is not allowed, this option will be hidden
If account recovery is disabled, this option will be hidden
If Quick Start is completely disabled, this flow will not appear

Mask custom fields

This will force all custom field names and values to be masked. The user will need to unmask by clicking the eye icon in the record. Here's an example of what this will look like:

Mask notes

This will mask the notes section of a record. The user must click the eye icon unmask the details. Here's an example of what this will look like:

Mask passwords

Passwords are always masked, by default, across all Keeper platforms. On iOS and Android devices, users have the choice of turning password masking On or Off. If this setting is enabled, the users will always have masking enabled, and to view a password will require the user to click on the eye icon.

Pause BreachWatch on Client Devices

When enabled, BreachWatch events will not be sent from the devices to the Keeper Admin Console. The only reason to use this feature might be when using test data or in the initial setup of the Enterprise console. Pausing BreachWatch events will therefore not generate events in the Admin Console or connected reporting systems.

Send BreachWatch Events to Reporting Systems and External SIEM

By default, Keeper sends BreachWatch event data from the user's device to connected SIEM and Advanced Reporting & Alerts reporting tools. The event data flows through to the Advanced Reporting engine and connected SIEM systems such as Splunk.

Require Re-authentication (Master Password or biometrics)

This enforcement policy allows you to require users to re-authenticate using either their Master Password or biometric login prior to completing the following actions:

Autofilling passwords
Revealing and copying a password or masked field
Editing, sharing and deleting a record or folder.

Additionally, "Delay re-authentication after minutes of inactivity" allows you to specify how many minutes should pass after inactivity before the user is asked to re-authenticate.

Note: This feature does not apply to SSO users.

Retention of Deleted Records

By default, a deleted record will move into the Owner's trash bin ("Deleted Items"). Keeper provides two enforcement policies to control the handling of deleted items.

Day(s) before records can be cleared permanently
Day(s) before deleted records automatically purge

To prevent the possibility of a user either accidentally or maliciously permanently deleting the records in their vault, you can specify the number of days that a record must sit in the trash bin before being permanently deleted.

Admins can also configure automatic deletion of records that the user has placed into the trash bin.

Record Passwords

Keeper's password and passphrase generator can be enforced as a general policy, or for specific website domains.

Password Generator

The password generator on end-user vaults will adhere to the minimum character length, minimum number of lowercase/uppercase/numbers/symbols and allowed list of symbols as defined here. The symbols used in the password generator will be limited to the selection from the list. By default, all symbols will be used.

Passphrase Generator

The passphrase generator on end-user vaults is enabled by default, but can be disabled by the admin. Passphrases will adhere to the minimum number of words and can be configured to include capital letters and a number. The separators between words will be selected from the list of allowed symbols. By default, a set of symbols is utilized.

Domain-Specific Password, Passphrase and Symbol Policies

Domain-specific policies allow admins to enforce a password complexity privacy rule for a specific domain name, or domain pattern match.

Wildcards (*) can be used to create minimum password complexity rules for more than a single domain.

For example:

*.amazon.com
*.google.com
*.gov
example.com
*.example.com

One can also create a global domain rule using the wildcard character (*) by itself. Keep in mind that overlapping rules will be evaluated to produce the most restrictive outcome. If a wildcard is used by itself, the policy will be enforced for any record which contains any value for the domain name.

Apply Privacy Screen Setting (Prevent Viewing Passwords)

Keeper's Privacy Screen feature can be applied at the team level, role policy level (based on specific record domains), and at the record type (template) level.

At the role policy level, the Privacy Screen enforcement policy is used in conjunction with the Generated Password Complexity policy to control the viewing (unmasking) of passwords based on a specified domain. With this policy in place, passwords are not visible from the user interface serving as a deterrent from casual observation. This feature is commonly used to limit viewing of passwords for the non-technically savvy users.

Inside the vault, any record with a matching URL will be locked, and the user will not be able to unmask the password field. If the user has edit rights to the record, they will only be able to update the password field using the password generator.

It is important to note that password masking is only visual in nature and the password is still stored in the user's vault and accessible via API communication and browser inspection. If the admin would like to enforce that users cannot inspect the web pages, we recommend using group policies to prevent users from opening the browser development tools.

This feature can be enabled within the Generated Password Complexity settings by checking the “Apply Privacy Screen” box once a domain has been added.

The Privacy Screen only applies to records that are shared to the user (for role-level Privacy Screen) or team (for team-level Privacy Screen). Users will still be able to view and update passwords for records they own.

Likewise, in the Browser Extension, the Privacy Screen is activated.

Watch the video below to learn more about the Privacy Screen feature.

Record Types

If record types are enabled for your account, specific record types that are not wanted can be enabled or disabled. Both default and custom record types can be enabled or disabled based on the role permissions. Custom record types show up below default types, but the desired order can be controlled within each users vault settings.

Turning off certain record types will affect what shows up in the dropdowns in user vaults:

Note that the left menu item for "Record Types" will not be visible if this capability is not enabled for your enterprise.

If all record types except one are disabled in the console, when creating a record in the vault, the popup to select a record type will not appear. The workflow will continue as if record types has not been enabled for users in that role.

Even if record types are disabled for a portion of users in an organization, this will not limit sharing and editing capabilities. For example, an Admin will be able to share a custom SSH Key record with non-admins and all data in the record will be present.

If records are shared with another organization that does not have record types enabled, the data will be there, but not visible until that organization has record types enabled.

Creating and sharing enforcements offer admins a wide range of granular, flexible restrictions that can be applied to users when both creating and sharing records.

Creating

“Creating” enforcements handle a user’s ability to create records, folders, shared folders and more.

Creating can be customized to:

Create records, including the ability to restrict the creation of records and folders inside shared folders only and duplication of records.
Create folders, including the ability to restrict the creation of folders inside shared folders only.
Create shared folders
Create items in the identity and payments tab, including the payment and address records using the KeeperFill Browser Extension.
Upload files
Create two-factor (TOTP) codes in records (Note: client support beginning in August, 2025)

“Sharing” enforcements handle a user’s ability to share and receive items including one-time share links, file attachments and more.

Sharing can be customized to:

Share and receive items
Share to others by adding records inside shared folders only, preventing a user from adding other users to records and shared folders.
Only receive shared items, preventing a user from adding other users to records and shared folders.
Cannot share or receive items, preventing a user from adding other users to records and shared folders and from receiving items from others. If this enforcement is enabled, then the ability to generate One-Time Share links, share records with file attachments and share to users outside of the enterprise will be disabled by default.

Admins can also individually restrict a users ability to:

Generate One-Time Share links
Create self-destructing records
Create one-time share links with editable fields and file upload capabilities
Share records with file attachments
Can share outside of isolated nodes
Share to users outside of the enterprise
Can receive items from users outside of the enterprise

Import and Export

"Import" and Export" enforcements offers admins more targeted control over their users’ ability to import and export from their vaults.

Importing and exporting can be customized to:

Import into vault, including the ability to restrict importing shared folders from LastPass.
Export from vault

KeeperFill

The KeeperFill policies govern the behavior of the browser extension that allows Keeper users to autofill usernames, passwords, and other credentials on websites and applications.

To learn more about KeeperFill, read our guides.

KeeperFill Browser Extension

Admins can individually enable the various features and settings of the KeeperFill Browser extension.

Supported Enforcement Settings:

Enforce or Disable "Hover Locks"
Enforce or Disable "Autofill Suggestions"
Enforce or Disable "Autofill"
Enforce or Disable "Auto Submit"
Enforce or Disable "Match on Subdomain"
Enforce "Prompt to Fill"
Enforce "Prompt to Save"
Enforce "Prompt to Change"
Enforce "Prompt to Disable"
Enforce the "HTTP Fill Warning" popup

Disable KeeperFill on Specified Websites

Admins can disable KeeperFill on specific websites. This feature supports wildcard characters for matching domain names or URLs. One use case might be to disable KeeperFill for internal applications that have a lot of form fields.

Account Settings

Restrict offline access

Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce the restriction so they can not login offline.

More information about Offline Access is documented here.

Prevent users from changing their email

Turning this on prevents users from changing their email address. Note, SSO-enabled users cannot change their email.

Enable Self-Destruct

Turning this policy on will allow users in this role 5 incorrect password attempts before all locally-stored Keeper data is erased.

Prevent Keeper Family License Invites

Turning this policy on will prevent users from inviting their personal email to a Keeper Family License for personal use. More information about the free Family License for Personal Use is available at this page.

Disable Stay Logged In

Activating this enforcement policy will disable the "Stay Logged In" feature for users in the role. This feature allows users to remain logged in to the Web Vault, Desktop App and Browser Extension in between browser or computer restarts, until the inactivity timer expires. When the enforcement policy is active, users will always be logged out when the application closes, regardless of the inactivity timer.

Default User Setting for Stay Logged In

Set the default "Stay Logged In" setting "on" or "off" for new users in this role. This setting applies only to new users, it is not retroactive.

Logout Timer

The Admin can set the inactivity logout timer for the Web, Mobile and Desktop Apps. A different duration can be set for each, in minutes. This sets the maximum and default time to automatically log out a user from Keeper when they are inactive. If a Keeper user's current timer is set greater than this value, it will be reduced to this default time setting.

Account Recovery

A 24-word auto-generated recovery phrase is a break-glass method of recovering a Keeper Vault if the user forgets their master password. Account recovery can also be used to login to an account if the SSO identity provider is unavailable.

Keeper has implemented recovery phrases using the same BIP39-word list used to protect crypto wallets. The word list in BIP39 is a set of 2,048 words used to generate an encryption key with 256 bits of entropy. Each word in the BIP39 list is carefully selected to improve visibility and make the recovery process less error-prone. More information about account recovery is found at the Keeper blog post.

This policy allows the Admin to disable account recovery for users. This policy to disable account recovery is recommended when customers login with Keeper SSO Connect Cloud with a SAML 2.0 identity provider.

If account recovery is disabled, we recommend that customer enable the Vault Transfer policy to ensure that an Admin can assist a user who is unable to recover their vault (in the case of lost Master Password).

Keeper Invitation

Disable email invitations

If this policy is activated, users in the role will not receive email invitations when their account is provisioned. A use case for this might be if the Admin would like to send their own email invitation instead of the system invite. An additional use case for this would be if the Admin is testing the invite process.

Automatically resend email invitations

The Keeper invitation sent to new users when creating their vault can be re-sent automatically if the user does not create their account in the specified timeframe. The default setting is to only send the email invitation one time. You can increase the frequency depending on the amount of email reminders that you would like users to receive.

By default, Keeper invitations are only valid for 7 days. We recommend automatically resending invitations to ensure the highest levels of adoption.

Allow IP List

Users within the specified role can be restricted to use Keeper outside a set of IP address ranges. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login. To add an IP Range, click on Add Range.

Make sure you test IP Allow on a role that is not associated with your account. Adding an invalid IP range could lock you out, or all of your users. If you run into this situation, please contact Enterprise Support.

Keeper Secrets Manager

If Keeper Secrets Manager is activated on a role, the features will become available on the Web Vault, Desktop App and Commander CLI.

To learn more about Keeper Secrets Manager, see:

Secrets Manager

Keeper Password Rotation

Keeper Password Rotation allows Keeper customers to securely rotate credentials in any cloud-based or on-prem environment. If Password Rotation is activated on a role, the Password Rotation functionality will appear on the Web Vault, Desktop App and Commander CLI.

Learn more about

Privileged Access Manager

If you are a KeeperPAM customer, you'll have the ability to manage role permissions for all privileged access capabilities through the Privileged Access Manager tab, which also includes Keeper Secrets Manager permissions.

Can create applications and manage secrets
Can create, deploy and manage Keeper Gateways
Can configure rotation settings
Can rotate credentials
Can configure connection settings
Can launch connections
Can view session recordings
Can configure tunnel settings
Can start tunnels
Can configure remote browsing
Can launch remote browsing
Can view RBI session recordings
Can run discovery

Transfer Account

To enable account transfer toggle on the switch and select the eligible role which can perform the account transfer from the dropdown menu.

Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login. It is critical that the Transfer Account policy is configured prior to the time it will need to be used.

For detailed Account Transfer configuration information click here.

Managing Policies in Keeper Commander CLI

Keeper Commander, our command-line CLI and Python-based SDK supports the ability to modify roles and enforcement policies.

For more information, visit: Enterprise Role Commands

Here's an example restricting the "Engineering" role to restrict the export of records.

enterprise-role Engineering --enforcement "RESTRICT_EXPORT:True"

Video Overview

Watch the video below to learn more about Enforcement Policies.