Deploying Keeper to End-Users
Methods for deploying the Keeper app to end-user devices.
Overview
This section describes the methods of deploying Keeper to end-users. Keeper can be deployed as a web browser application, browser plugin, mobile app and native desktop application.
End-User Videos
A series of Keeper 101 videos are available to help train your end-users. Below is the Enterprise End-User guide:
Compatibility
Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari, Firefox, Edge, Brave and Opera. Native app installation is available from the Keeper website and every public-facing app store (iTunes, Google Play, Microsoft Store, Mac App Store, etc).
Device
OS Version Supported
Windows
7 / 8 / 10+
Mac OS
Current Version - 2
Linux
Fedora, Red Hat, CentOS, Debian, Ubuntu, Mint
iOS
9+
Android
4.4+
Chrome OS
Current Version - 2
Edge
Current Version - 2
Safari
Current Version - 2
Firefox
Current Version - 2
Opera
Current Version - 2
Brave
Current Version - 2
The latest Keeper downloads can be found at https://keepersecurity.com/download
Keeper Web Vault
The Keeper Web Vault is available for all users across every type of web browser. To access the Keeper Web Vault login, visit the URL according to your tenant region:
US Data Center
US Public Sector / GovCloud
EU Data Center
AU Data Center
CA Data Center
JP Data Center
Desktop Application
Keeper provides customers with a fully native desktop application as an optional component. The desktop app has some unique capabilities compared to the web vault, such as native app autofill and hot keys. See the subsection Desktop Application.
Browser Extension (Keeper Fill)
Keeper's browser extension provides autofill capabilities on every web browser. See the subsection Browser Extension (Keeper Fill).
Mobile App Deployment
Keeper for mobile and tablet devices can be deployed through the public-facing app stores. MDM solutions can also push these applications to end-user devices without any special requirements. When the users register or sign into an account, Enterprise enforcement policies are automatically applied.
SSO Deployments
Keeper supports authentication, provisioning and deployment through your existing SAML 2.0 identity provider such as Azure AD, Okta, Google Workspace, JumpCloud, Ping and many others. See the SSO Connect Cloud setup guide for deployment instructions.
Azure AD Condition Access Policies
When deployed through Azure AD, Keeper fully supports Azure conditional access policies across web, mobile and desktop applications.
Desktop Applications
Methods for deploying Keeper to user desktops
Overview
Keeper offers users two different desktop vaults. The Keeper Web Vault in the web browser, and the native Keeper Desktop application for Windows, Mac and Linux.
Benefits of Keeper Desktop App vs. Web Vault
The Keeper Desktop App has several benefits compared to the Keeper Web Vault such as:
Ability to Autofill and auto-type passwords into native apps using KeeperFill for Apps feature.
Ability to automatically import existing passwords without additional component installation.
Automatically migrate from existing LastPass vaults.
Secure biometric login using Touch ID on compatible MacBook Pro computers.
Secure biometric login using Windows Hello (Windows 10).
Windows Hello for Business, including biometrics and smart card capabilities (Windows 10).
Increased performance.
Offline access using biometrics or master password (if permitted by Keeper Admin)
Keeper Desktop Deployment
Keeper Desktop is a cross-platform native desktop application for Windows, MacOS and Linux. Several installer files are provided at the links below. For additional details on each package, see the Additional Deployment Details section below.
Installer Options
Windows 10 AppInstaller (64 and 32-bit, supports Windows Hello) [Install Link] Command-line deployment:
Microsoft Store Version (64 and 32-bit, supports Windows Hello) [Microsoft Store Link]
Command-line deployment:
Windows 10 MSIX Installer: [MSIX Installer Link] (Note: MSIX does not auto-update) Command-line deployment:
Windows 10 MSI Installer: [MSI Installer Link] (Note: MSI does not auto-update, no support for Windows Hello)
Command-line deployment:
Mac OS .dmg [Install Link (.dmg)]
Mac App Store [Mac App Store Link] (Note: does not support iCloud Keychain import)
Linux Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint: (Please refer to the below Download Page for the latest links) [Download Page Link]
Password Importer Standalone (Windows 10): [Install Link (.exe)]
Password Importer Standalone (Mac OS): [Install Link]
Additional Deployment Details
Microsoft Windows App Installer Distribution
Installer: [Install Link]
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %localappdata%\Packages\KeeperSecurityInc.KeeperPasswordManager_xxx
Auto-Updates: Yes
Windows Hello: Yes
The appinstaller is just a lightweight wrapper around the msixbundle that enables auto-update functionality, which is checked on app launch. Due to including the auto-update feature, the appinstaller requires Windows 10 version 1803.
Users download a small appinstaller file that automatically fetches the msixbundle from https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle. It otherwise behaves the same as the MSIX install.
The appinstaller can be deployed with PowerShell like this:
The contents of the KeeperPasswordManager.appinstaller file is below:
Microsoft Windows .MSIX Distributions
Install Link: [MSIX Installer Link]
Supported Platforms: Windows 10 build 1703 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: Yes
The msixbundle file is an appx bundle containing multiple architectures, currently x86 and x86_64 are supported. The asset requires at least Windows 10 version 1703 to install, and installs to C:\Program Files\WindowsApps with a package identity which enables additional features such as Windows Hello. The installed app is owned by TrustedInstaller.
Command-line deployment:
Microsoft Windows .MSI Distributions
Install Link: [MSI Installer Link]
Supported Platforms: Windows 7, Windows 8, Windows 8.1, Windows 10
Supported Architectures: x64, ia32
Install Location: %programfiles%\keeperpasswordmanager
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: No
The MSI installer does not auto-update. This is to satisfy enterprise administrators who require complete control over application updates.
The MSI installer is 32-bit, and it has the best compatibility with older versions of Windows.
The MSI installer does not support Windows Hello.
The MSI can be silently installed from an elevated command prompt (otherwise it will silently fail at the unanswered Windows UAC prompt that never happens because it's a silent install) in this way:
The MSI installer does not allow selecting the installation location to mitigate a security weakness whereby an administrator can install the application in a location, such as C:\ where non-privileged users have access to modify or replace the binary. Instead, the MSI installer always installs to %programfiles%.
The Keeper .MSI installer utilizes Microsoft Msiexec. Standard switches are documented here: https://docs.microsoft.com/en-us/windows/desktop/msi/standard-installer-command-line-options
Windows Store
Install Link: [Microsoft Store Link]
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Auto-Updates: Yes (via Microsoft Store)
Windows Hello: Yes
The Windows Store build is almost identical to the normal msixbundle, but has a different app identity which is assigned by the Microsoft Store. Updates are managed by the Microsoft Store, and the app is also installed to C:\Program Files\WindowsApps and is owned by TrustedInstaller.
The desktop app is able to be installed silently from the Microsoft Store using Microsoft's package manager winget:
Intune
Businesses may push the Microsoft Store app to Intune using an Intune Connector setup to use the Microsoft Store For Business (businessstore.microsoft.com), which is different than the consumer Microsoft Store (apps.microsoft.com), which some companies block. Companies are given the option to publish two different types of apps, an "offline" (which wont update automatically via the store) and an "online" (should update via the store) version. The “online” version will update the app in Company Portal as well, so every time a user installs it from Company Portal, it’s the newest version.
Keeper Desktop for Mac
Minimum Requirements:
Mac OS 10.10+ with Intel or Apple M1 ARM-based processor, 64-bit. 512MB RAM. Keeper Desktop for Mac contains a universal installer which is optimized for both chipsets.
Auto-Updates: Yes
Download Link:
Keeper for Mac (.dmg)
Keeper Desktop for Linux
Minimum Requirements:
Fedora 28 or above Ubuntu LTS releases 16.04 or above Red Hat Enterprise Linux 7.0 or above CentOS version 7.3 and above Debian 8 and above Hardware: 512MB RAM
Auto-Updates: No
Download Links:
Keeper for Linux - Fedora, Red Hat and CentOS
Keeper for Linux - Debian, Ubuntu and Linux Mint
Checksum / Hash
For file verification, Keeper Desktop SHA1 hashes are computed based on the most recent version and can be retrieved at the below URL: https://keepersecurity.com/desktop_electron/SHASUM256.txt
Enterprise Configuration
Keeper supports Enterprise Configuration settings to control the end-user experience.
Configuration Options
DomainName
String
Enterprise SSO Domain to pre-populate on app launch.
Region
String
Region identifier where your Keeper tenant is hosted. Must be one of ("us", "eu", "au", "usg")
HideCreateAccount
Boolean
Hides the Create Account button from the start page
UseDefaultBrowserForSSO
Boolean
Routes the user to their default web browser for SSO authentication instead of using a popup window.
macOS User Defaults
Keeper Desktop can be configured using standard macOS NSUserDefaults objects using the com.keepersecurity.passwordmanager domain. If your MDM solution is able to push macOS user defaults, you can use this method for enforcing configuration settings. Note the capital letter on the key value.
Testing the Config
You can test the configuration on the local machine using the below commands:
For example:
macOS - Information Property List File
Keeper Desktop's mac app bundle has an Information Property List File, Info.plist, which contains key-value pairs that identify and configure a bundle.
Finding the App Bundle ID and App Version
The following keys in Information Property List file contains the values for the App Bundle ID and App Version:
CFBundleIdentifier: App Bundle ID
CFBundleShortVersionString: App Version
To find the values of the above keys, you need to access the Information Property List File, Info.plist, and find the corresponding values.
Location of Info.plist after mounting DMG file:
Alternatively, you can run the defaults read command:
For the Keeper Desktop App, running the following commands would give you the App Bundle ID and Version:
JSON Configuration File
All Windows, macOS and Linux end-user installations can be configured by using a UTF-8 encoded JSON file placed in the user's home folder under ".keeper/desktop.config.json". Note the identifiers are using camel case for JSON defaults with a lowercase on the first letter.
Example File
macOS End Users
Alternatively, for macOS end-users, Keeper Desktop can be configured using the standard macOS NSUserDefaults. Visit the following section for more information.
The desktop.config.json file must be UTF-8 encoded.
From your text editor, in File > Save As...
In the "Save as type" drop-down, select All Files.
In the "Encoding" drop-down, select UTF-8.
Ensure the name of the file is desktop.config.json
Domain Routing Rules
Note that Keeper can automatically route your users to the proper enterprise tenant, SSO provider and data center based on the email domain that they type into the Keeper login form. If you are using SSO, make sure that the "Just In Time Provisioning" option is enabled in the SSO configuration. Also, ensure that your domain is reserved, which means that typing anything @ yourcompany.com will get routed to the proper region.
If the routing of user to the proper region and SSO is not working correctly for you, please open a support ticket.
Launch on Start Up
You can launch the Keeper Password Manager automatically when you start your computer.
Windows
To set Keeper Password Manager app to launch at start up, go to Start > Run and type shell:startup
Your startup folder will be shown. Place a shortcut Keeper Desktop into this folder. Now Keeper will launch automatically on startup.
Mac
From Settings, go to General > Login Items
Click the Plus (+), go to Applications, and select Keeper Password Manager
Now Keeper will launch when you start your mac.
Browser Extension (KeeperFill)
KeeperFill makes it easy to login, save passwords and access your vault on web browsers.
Overview
The KeeperFill browser extension can be installed directly by the user or pushed to users by the Keeper administrator.
Direct Install from App Stores
The latest KeeperFill Browser Extension can be installed by users at the links below, or by visiting the Keeper download page. Chrome, Brave, Opera and other Chromium-based Browsers: https://chrome.google.com/webstore/detail/keeper%C2%AE-password-manager/bfogiafebfohielmmehodmfbbebbbpei Firefox: https://addons.mozilla.org/en-US/firefox/addon/keeper-password-manager/ Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/keeper%C2%AE-password-manager-/lfochlioelphaglamdcakfjemolpichk
Safari: https://apps.apple.com/us/app/keeper-for-safari/id6444685332
Admin Deployment
Chrome, Edge and Firefox deployment guides are linked below:
Deploying Firefox with Extensions (Mozilla)
Deployment with MDM Platforms
For environments where devices are managed through platforms such as Microsoft Intune or Jamf.
Offline / Direct Downloads
If your group policy does not support installation of extensions, your SCCM administrator may be able to use the below links to push the extensions or directly:
Microsoft Edge and Chrome: chrome.zip
Firefox: firefox.xpi
Direct package install is not recommended for most environments. Using app store management portals such as Google Admin are preferred.
End-User Guides
User guides are available for every web browser at the links below:
Mac
Deploying KeeperFill to macOS devices using device management platforms
MDM Deployment for macOS
Follow these steps to deploy KeeperFill to all Mac devices in your organization using your preferred device management platform.
To set up KeeperFill on Mac, you create configuration files in MCX Property List (.plist) format. When you deploy the configuration files to the device using your preferred mobile device management (MDM) tool, the settings are applied.
These procedures are a General Guide and assume that you have already deployed the Chrome Browser within your organization.
Overview of steps
Use your preferred editor to create the Keeper .plist policy file.
Set up KeeperFill browser extensions.
Push the configuration files to all macOS devices in your organization using your preferred mobile device management (MDM) tool.
PLIST (.plist) Policy Deployment
Deploying KeeperFill to Chrome via PLIST Policy
Deploying Keeper Chrome Browser Extension via PLIST Policy
Create a Keeper plist policy configuration file
If you currently do not have a Policy file created, please proceed to creating your Keeper plist policy file to your desired location, Ex: /tmp and name it com.google.Chrome.plist by selecting GO on the top Menu Bar of you MacOS Desktop and select Terminal to open a Terminal Console.
Copy and paste the contents below, into your Terminal, and hit Enter / Return. This will create your plist file within the /tmp directory and display that the file is there.
In your preferred file editor or basic file editor, copy, paste and save the contents, below, into the com.google.Chrome.plist file.
Deploying your PLIST Policy
There are multiple tools to deploy your PLIST policy. In the next set on instructions, we will walk through deploying your PLIST policy file via Jamf Pro, AirWatch and Microsoft Intune.
Jamf Pro Policy Deployment - Chrome
Deploying Custom Configuration Profiles using Jamf Pro
Deploying Google Chrome PLIST (.plist) Policy using Jamf Pro
This is a general overview of how to deploy Google Chrome's .plist configuration profile, to computers within your organization, using Jamf Pro.
Upload Created PLIST File
Upload the manually created Google Chrome PLIST file that defines the properties for the preference domain you specify in Jamf Pro.
Log in to Jamf Pro.
Click Computers at the top of the page.
Click Configuration Profiles.
Click New.
Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.
Click the Application & Custom Settings payload, and then click Upload.
Click Add.
Enter com.google.Chrome in the Preference Domain field.
To upload the custom PLIST file choose Upload File, enter the preference domain for which you want to set properties. Click Upload PLIST File, and then choose the com.google.Chrome.plist file previously created.
Note: If the PLIST file contains formatting errors, follow the PLIST (.plist) Policy Deployment instructions to remediate the issue.
10. Click the Scope tab, and then configure the scope of the configuration profile. 11. Click Save.
Microsoft Intune Policy Deployment - Chrome
Deploying Custom Configuration Profiles using Microsoft Intune
Deploying Google Chrome PLIST (.plist) Policy using Microsoft Intune
This is a general overview of how to deploy Google Chrome .plist configuration profile, to computers within your organization, using Microsoft Intune.
Create the Google Chrome profile
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
Platform: Select macOS
Profile: Select Preference file.
Select Create.
5. In Basics, enter the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Add preference file that configures Google Chrome on devices.
Description: Enter a description for the policy. This setting is optional, but recommended.
6. Select Next.
7. In Configuration settings, configure your settings:
Preference domain name: Enter the bundle ID as
com.google.ChromeProperty list file: Select the property list file associated with your app. Be sure to choose the com.google.Chrome.plist file previously created.
The key information in the property list file is shown. If you need to change the key information, open the list file in another editor, and then re-upload the file in Intune.
Note: Be sure your file is formatted correctly. The file should only have key value pairs, and shouldn't be wrapped in <dict>, <plist>, or <xml> tags. If the PLIST file contains formatting errors, follow the PLIST (.plist) Policy Deployment instructions to remediate the issue.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-IL IT Team or Chicago_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.
10. Select Next.
11. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.
12. Select Next.
13. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
Assign the Google Chrome profile
Select Devices > Configuration profiles. All the profiles are listed.
Select the profile you want to assign > Properties > Assignments > Edit:
Select Included groups or Excluded groups, and then choose Select groups to include. When you select your groups, you're choosing an Azure AD group. To select multiple groups, hold down the Ctrl key, and select your groups.
Select Review + Save. This step doesn't assign your profile.
Select Save. When you save, your profile is assigned. Your groups will receive your profile settings when the devices check in with the Intune service.
Use scope tags or applicability rules
When you create or update a profile, you can also add scope tags and applicability rules to the profile.
Scope tags are a great way to filter profiles to specific groups, such as US-IL IT Team or Chicago_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.
Linux
Deploying KeeperFill to Linux devices using device management platforms
Set up KeeperFill on Linux
Follow these steps to deploy KeeperFill to all Linux devices in your organization using your preferred deployment tool or script.
To set up KeeperFill on Linux, you create configuration files in JavaScript Object Notation (.json) format.
These procedures are a General Guide and assume that you have already deployed the Chrome Browser within your organization.
Overview of steps
Use your preferred editor to create the Keeper JSON policy file.
Set up KeeperFill browser extensions.
Push the configuration files to all Linux PCs in your organization using your preferred deployment tool or script.
JSON Policy Deployment - Chrome
Deploying KeeperFill via JSON Policy
Deploying Keeper Chrome Browser Extension via JSON Policies
Step 1: Create a Keeper JSON policy configuration file
If you currently do not have JSON Policy files created in which you want to utilize to deploy the Keeper Browser extension to all PCs in your organization, please proceed to creating your Keeper JSON policy file to your desired location, Ex: /tmp, and name it keeperbe.json
OR create your keeperbe.json file via command-line
2. In your preferred JSON file editor or basic file editor, copy, paste and save the contents, below, into the keeperbe.json file or the policy file in which you currently utilize for your organization.
Step 2: Setup configuration folders
If you currently have configuration folders setup for the user PCs in your organization, proceed to Step 3: Deploying the Keeper JSON Policy File.
On each PC, in your organization, that you would like to apply this policy on, you’ll need at least one folder to apply this policy.
If it does not already exist, create the directory structure, verbatim, as follows;
/etc/opt/chrome/policies/managedand set the proper permissions for that directory.
OR create your directory structure via command-line
The creation of this directory will most likely NOT be in the same directory as where Chrome is installed on the target Linux devices. Ex: My Chrome installed directory is /opt/google/chrome but my managed policy directory, in which my organization manages my Chrome install, is in the /etc/opt/chrome/policies/managed directory.
Step 3: Deploying the Keeper JSON Policy File
Use your preferred method (utility or script) to push the keeperbe.json policy file and Chrome Browser to the target Linux devices in your organization.
Push the keeperbe.json file to the
/etc/opt/chrome/policies/manageddirectory on all target Linux devices in your network.Confirm that the files are in the correct directories on all the target Linux devices.
Step 4: Check Your Chrome Policies
On a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied.
You may need to select "Reload Policies" to apply this new policy to the target Linux devices.
You may need to close and reopen Google Chrome before the new policies appear.
Windows
Deploying KeeperFill to Windows devices using device management platforms
There are many options to deploy the Keeper Browser Extension (KeeperFill) to browsers on Windows machines including Group Policy, SCCM and Intune.
Sample reference guides are linked below:
Group Policy Deployment - Chrome
Deploying KeeperFill via Group Policy
Deploying Keeper Chrome Browser Extension via Group Policy Management
This section describes how to utilize your Active Directory Group Policy Management, against Google Chrome templates, to deploy the Keeper Browser extension to all PCs in your organization. Please note this is a general guide.
Step 1: Adding Chrome Policy Templates
On your domain controller, navigate to the URL, provided below, and download the correct 32 or 64 bit zip bundle. Extract the Google Chrome bundle to your desired location. Ex: C:\temp
Navigate to the directory in which you extracted the Google Chrome Bundle and copy the chrome.admx file located within the 64-bit
\GoogleChromeEnterpriseBundle64\Configuration\admxdirectory toC:\Windows\PolicyDefinitionsOR 32-bit\GoogleChromeEnterpriseBundle\Configuration\admxdirectory toC:\Windows\PolicyDefinitionsNavigate to the directory in which you extracted the Google Chrome Bundle and copy the chrome.adml file located within the 64-bit
\GoogleChromeEnterpriseBundle64\Configuration\admx\en-USdirectory toC:\Windows\PolicyDefinitions\en-USOR 32-bit\GoogleChromeEnterpriseBundle\Configuration\admx\en-USdirectory toC:\Windows\PolicyDefinitions\en-US
NOTE: If a different language is desired instead of en-US, please navigate to the directory for the correct language of your choosing. Ex: es-ES
Step 3: Create or Configure your Chrome Policy
Open Group Policy Manager on your domain controller and expand out your domain -> Group Policy Objects. If you currently do not have a Group Policy created in which you want to utilize for Chrome Policies, proceed to right clicking on Group Policy Objects and create a New Policy.
2. Name the policy something relevant. Ex: “Chrome Policy”
3. Once created, right click the new policy and select Edit.
4. Expand out Chrome Policy -> Computer Configuration -> Policies -> Administrative Templates -> Google Chrome -> Extensions then Right click and Edit the “Configure the list of force-installed apps and extensions”
If this Policy will apply to Users instead of Computers, the Edge Policies you will be expanding will be located under User Configuration -> Policies -> Administrative Templates -> Google Chrome
5. Tick the Enable button, and then click the Show button.
6. Add the following text and click OK.
7. Click Apply, and then click OK
8. Disable Chrome's Built-In Password Manager by navigating to Google Chrome -> Password manager and then Right click and Edit the “Enable saving passwords to the password manager”
9. Tick the "Disabled" button, and then click Apply, and then click OK.
10. Following the same process as steps 8 - 9, direct within Google Chrome Administrative Templates Policy definitions, Disable Chrome's AutoFill capabilities by editing both "Enable AutoFill for addresses" and "Enable AutoFill for credit cards" and setting them to disabled.
11. (Optional) If you would like to disable Developer Tools, to further secure against users attempting to unmask a masked password / credential, still within the Google Chrome Administrative Templates Policy definitions, disable Developer Tools by editing "Control where developer tools can be used" end setting it to "Enabled" and select the Options value of "Don't allow using the developer tools" and click OK.
12. Exit the Group Policy Management Editor, Right Click the OU of your choice, in which contains your Computers or Users, and select Link an Existing GPO.
13. Select the “Chrome Policy” and click “OK”
If you have more than one OU (Organizational Unit) that you would like to Link this new Group Policy to, repeat steps 12 - 13.
For any PC within that OU, the “Chrome Policy” will automatically install the Keeper Security Browser Extension, if Chrome is installed on those PCs as well as disable Chrome's, less secure, built-in password manager and AutoFill capabilities.
Step 4: Check Your Chrome Policies
On a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You can also check your extension by navigating to chrome://extensions and ensuring your extensions are being forcefully installed.
You may need to run gpupdate /force, in an elevated command prompt, to apply this new group policy to the PCs.
You may need to close and reopen Google Chrome before the new policies appear.
Group Policy Deployment - Firefox
Deploying KeeperFill via Group Policy
Deploying Keeper Firefox Browser Extension via Group Policy Management
This section describes how to utilize your Active Directory Group Policy Management, against Firefox Policy Templates, to deploy the Keeper Browser extension to all PCs in your organization. Please note this is a general guide.
Step 1: Adding Firefox Policy Templates
On your domain controller, download the zip file and extract the Firefox Policy Template file to your desired location. Ex: C:\temp
Step 2: Adding Firefox .admx and .adml files to Group Policy
Navigate to the directory in which you extracted the Firefox Policy Template file and copy the firefox.admx file located within the
\policy_templates_v.(version)\windowsdirectory toC:\Windows\PolicyDefinitionsNavigate to the directory in which you extracted the Firefox Policy Template file and copy the firefox.adml file located within the
\policy_templates_v.(version)\windows\en-USdirectory toC:\Windows\PolicyDefinitions\en-US
NOTE: If a different language is desired instead of en-US, please navigate to the directory for the correct language of your choosing. Ex: es-ES
Step 3: Create or Configure your Firefox Policy
Open Group Policy Manager on your domain controller and expand out your domain -> Group Policy Objects. If you currently do not have a Group Policy created in which you want to utilize for Firefox Policies, proceed to right clicking on Group Policy Objects and create a New Policy.
2. Name the policy something relevant. Ex: "Firefox Policy”
3. Once created, right click the new policy and select Edit.
4. Expand out Firefox Policy -> Computer Configuration -> Policies -> Administrative Templates -> Firefox -> Extensions then Right click and Edit the “Extensions to Install”
5. Tick the Enable button, and then click the Show button.
6. Add the full hyperlink to the Add-on from Mozilla, like below:
7. Click Apply, and then click OK
8. Now proceed to right clicking and Edit the “Prevent extensions from being disabled or removed”
9. Add the URL again from Step 6 above in the value field.
10. Click Apply, and then click OK
11. Disable the Firefox Built-In Password Manager by navigating direct within Firefox Administrative Templates Policy definitions and then Right click and edit both the Offer to save logins and Offer to save logins (default) and set to Disabled, Click Apply and then OK.
12. Exit the Group Policy Management Editor, Right Click the OU of your choice, and select Link an Existing GPO.
13. Select the “Firefox Policy” and click “OK”
If you have more than one OU (Organizational Unit) that you would like to Link this new Group Policy to, repeat steps 12 - 13.
For any PC within that OU, the “Firefox Policy” will automatically install the Keeper Security Browser Extension, if Firefox is installed on those PCs as well as disable Firefox's, less secure, built-in password manager and AutoFill capabilities.
Step 4: Check Your Firefox Policies
On a target client device, open Firefox and navigate to about:policies to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You may need to run gpupdate /force, in an elevated command prompt, to apply this new group policy to the PCs.
You may need to close and reopen Firefox before the new policies appear.
Group Policy Deployment - Edge
Deploying KeeperFill via Group Policy
Deploying Keeper Edge Browser Extension via Group Policy Management
This section describes how to utilize your Active Directory Group Policy Management, against Microsoft Edge templates, to deploy the Keeper Browser extension to all PCs in your organization. Please note this is a general guide.
Step 1: Adding Edge Policy Templates
On your domain controller, go to the Microsoft Edge Enterprise landing page to download the Microsoft Edge policy templates file (MicrosoftEdgePolicyTemplates.cab), by clicking on "Get Policy Files" and extract the contents to your desired location. Ex: C:\temp
Please select and download the correct files in accordance to your organizations environment and preferences.
2. Browse to the directory in which you saved the downloaded MicrosoftEdgePolicyTemplates.zip file. Extract the contents of the MicrosoftEdgePolicyTemplates.zip file to your desired location. Ex: C:\temp
Step 2: Adding Edge .admx and .adml files to Group Policy
Navigate to the directory in which you extracted the Microsoft Edge Templates zip file and copy the msedge.admx file located within the
\windows\admxdirectory toC:\Windows\PolicyDefinitionsNavigate to the directory in which you extracted the Microsoft Edge Templates zip file and copy the msedge.adml file located within the
\windows\admx\en-USdirectory toC:\Windows\PolicyDefinitions\en-US
NOTE: If a different language is desired instead of en-US, please navigate to the directory for the correct language of your choosing. Ex: es-ES
Step 3: Create or Configure your Edge Policy
Open Group Policy Manager on your domain controller and expand out your domain -> Group Policy Objects. If you currently do not have a Group Policy created in which you want to utilize for Edge Policies, proceed to right clicking on Group Policy Objects and create a New Policy.
2. Name the policy something relevant. Ex: “Edge Policy”
3. Once created, right click the new policy and select Edit.
4. Expand out Edge Policy -> Computer Configuration -> Policies -> Administrative Templates -> Microsoft Edge -> Extensions then Right click and Edit the “Control which extensions are installed silently”
If this Policy will apply to Users instead of Computers, the Edge Policies you will be expanding will be located under User Configuration -> Policies -> Administrative Templates -> Microsoft Edge.
5. Tick the Enable button, and then click the Show button.
6. Add the following text and click OK.
7. Click Apply, and then click OK
8. Disable Edge's Built-In Password Manager by navigating to Microsoft Edge -> Password manager and protection and then Right click and Edit the “Enable saving passwords to the password manager”
9. Tick the "Disabled" button, and then click Apply, and then click OK.
10. Following the same process as steps 8 - 9, directly within Microsoft Edge Administrative Templates Policy definitions, Disable the Edge AutoFill capabilities by editing both "Enable AutoFill for addresses" and "Enable AutoFill for credit cards" and setting them to disabled.
11. (Optional) If you would like to disable Developer Tools, to further secure against users attempting to unmask a masked password / credential, still within the Microsoft Edge Administrative Templates Policy definitions, disable Developer Tools by editing "Control where developer tools can be used" end setting it to "Enabled" and select the Options value of "Don't allow using the developer tools" and click OK.
12. Exit the Group Policy Management Editor, Right Click the OU of your choice, in which contains your Computers or Users and select Link an Existing GPO.
13. Select the “Edge Policy” and click “OK”
If you have more than one OU (Organizational Unit) that you would like to Link this new Group Policy to, repeat steps 12 - 13.
For any PC or User within that OU, the “Edge Policy” will automatically install the Keeper Security Browser Extension, if Edge is installed on those PCs, as well as disable the Edge browser, less secure, built-in password manager and AutoFill capabilities.
Step 4: Check Your Edge Policies
On a target client device, open Microsoft Edge and navigate to edge://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You can also check your extension by navigating to edge://extensions and ensuring your extensions are being forcefully installed.
You may need to run gpupdate /force, in an elevated command prompt, to apply this new group policy to the PCs.
You may need to close and reopen Microsoft Edge before the new policies appear.
SCCM Deployment - Chrome
This page describes how to deploy the Keeper Browser Extension with SCCM
Deploying Keeper Chrome Browser Extension via SCCM
This is a general guide in which describes how to utilize SCCM, against Google Chrome templates, to deploy the Keeper Browser extension to all desired PCs in your organization.
Step 1: Configuration Item
Create a new Configuration Item. This can be done within the Configuration Manager console, in the Assets and Compliance work space. Give it a suitable name, like Keeper Browser Extension, and click Next.
Step 2: Platform Selection
Select the appropriate platforms in which this Configuration will apply to and click Next.
Step 3: Create New Settings Configuration
Create a new settings configuration by clicking New.
Configure the new settings, as shown below, and click OK.
Name: ExtensionInstallForcelist
Description: Keeper Browser Extension
Key Name: Software\Policies\Google\Chrome\ExtensionInstallForcelist
Value Name: 1 This number is unique. Are you planning on adding other extensions this way, these should be added as 1, 2, 3 and so forth
Step 4: Create New Compliance Rule
Now click on the "Compliance Rules" tab and click on New.
Configure the new compliance rules, as shown below, and click OK.
Name: Keeper Security Extension Compliance Rule
Description: Keeper Browser
Within the "the following values:" field, add the value "bfogiafebfohielmmehodmfbbebbbpei;https://clients2.google.com/service/update2/crx" without the quotes.
Tick ON Remediate noncompliant rules when supported and Report noncompliance if this setting instance is not found
Click OK to create the new compliance rule.
Click Close to finish the new configuration item wizard.
Step 5: Configuration Baseline
In order to deploy this Configuration item, you need a baseline unless you have an existing baseline you would rather use.
If you have an existing baseline you would rather use, proceed to ?.
Create a new Configuration Baseline in the Configuration Manager console, in the Asset and Compliance work space. Give it a suitable name and click Add > Configuration Item.
Add your newly created Keeper Browser Extension Configuration Item, shown within the Available Configuration Items pane and click OK.
Finish creating the new Configuration Baseline by clicking on OK.
Step 6: Deployment
Finally!!!! The Configuration Baseline containing the Keeper Browser Extension Configuration Item needs to be deployed. When deploying a baseline, remember to tick ON the Remediate noncompliant rules when supported. Also, consider how often the compliance should be evaluated. For ex: Group policies updates, by default, every 90 minutes. If this is replacing a GPO, consider to lower the policies update interval. Click OK to complete the configuration baseline.
Step 7: End user experience
Once the SCCM client has updated its policies, per device, and the Configuration Baseline has run, on a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You can also check your extension by navigating to chrome://extensions and ensuring your extensions are being forcefully installed.
Intune - Chrome
Deploy the Keeper browser extension to Google Chrome using Microsoft Intune
(1) Go to the Intune Portal
(2) In the portal, navigate to Devices > Configuration.
(3) Select Manage Devices > Configuration
(4) On the Policies tab, click Create > New Policy.
(5) Under Platform, select Windows 10 and later.
(6) Under Profile Type, choose Settings Catalog, then click Create.
(7) On the next screen, enter a Name for the configuration profile and an optional Description, then click Next.
(8) In the Configuration Settings tab, select + Add settings.
(9) Search for Google, then select Configure the list of force-installed apps and extensions.
(10) Enable Configure the list of force-installed apps and extensions, then paste the following on separate lines:
Line 1 : bfogiafebfohielmmehodmfbbebbbpei
Line 2 : https://clients2.google.com/service/update2/crx
(11) In the Scope Tags section, click + Select scope tags and enter any applicable tags.
(12) In the Assignments section, add groups then click Next.
(13) Review the configuration settings, then click Create to finalize.
(14) Navigate back to “Devices | Configuration” > Hit Refresh
(15) Your newly Created Policy Name will then be listed
The policy is now active. If a plan member has not yet enrolled with Intune, they will be prompted to do so upon signing in to a managed device. Once enrolled, the Keeper browser extension will be installed automatically.
Intune - Edge
Deploy the Keeper browser extension to Microsoft Edge using Microsoft Intune
(1) Go to the Intune Portal
(2) In the portal, navigate to Devices > Configuration.
(3) Select Manage Devices > Configuration
(4) On the Policies tab, click Create > New Policy.
(5) Under Platform, select Windows 10 and later.
(6) Under Profile Type, choose Settings Catalog, then click Create.
(7) On the next screen, enter a Name for the configuration profile and an optional Description, then click Next.
(8) In the Configuration Settings tab, select + Add settings.
(9) Search for Edge, then select Configure the list of force-installed apps and extensions.
(10) Enable Configure the list of force-installed apps and extensions, then paste the following on separate lines:
Line 1 : lfochlioelphaglamdcakfjemolpichk
Line 2 : https://edge.microsoft.com/extensionwebstorebase/v1/crx
(11) In the Scope Tags section, click + Select scope tags and enter any applicable tags.
(12) In the Assignments section, add groups then click Next.
(13) Review the configuration settings, then click Create to finalize.
(14) Navigate back to “Devices | Configuration” > Hit Refresh
(15) Your newly Created Policy Name will then be listed
The policy is now active. If a plan member has not yet enrolled with Intune, they will be prompted to do so upon signing in to a managed device. Once enrolled, the Keeper browser extension will be installed automatically.
Edge Settings Policy
Configuration settings for Edge Browser Extension
The behavior and settings of the Microsoft Edge extension can be customized through the ExtensionSettings policy on Microsoft Windows devices.
Please see the below link to learn about the various settings can be applied:
Chrome Settings Policy
Configuration settings for Chrome Browser Extension
The behavior and settings of the Chrome extension can be customized through the ExtensionSettings policy on Windows, Mac and Linux.
Please see the below link to learn about the various settings can be applied:
Virtual Machine Persistence
Persisting KeeperFill settings on virtualized desktops
Overview
Some customers virtualize their workforce desktops with tools like VMware or Citrix. For the KeeperFill extension to function properly on such desktops, certain directories may need to be persisted.
This applies to the extensions for Chrome and Edge. For each, three directories within the user's home directory must be persisted, as listed below.
Extension ID
Some directory paths refer to an <Extension-ID>. Where the ID is referred to, you can opt to persist the entire parent directory, or you can find the ID in the table below.
For Chrome, the ID may be either of the Chrome IDs listed. For Edge, the ID may be either of the Edge IDs listed; or, if you installed on Edge using the Chrome Web store, the ID will be one of the two Chrome IDs.
Edge
lfochlioelphaglamdcakfjemolpichk OR mpfckamfocjknfipmpjdkkebpnieooca
Chrome / Edge
bfogiafebfohielmmehodmfbbebbbpei OR kbedblbpfmeicfpadihimgombbafaeeh
Edge Locations
The following three directories should be persisted when using the Edge extension.
Extension Installation:
C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\<Extension-ID>
Indexed DB:
C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\chrome-extension_<Extension-ID>
Storage:
C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\<Extension-ID>
Chrome Locations
The following three directories should be persisted when using the Chrome extension.
Extension Installation:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Extensions\<Extension-ID>
Indexed DB:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_<Extension-ID>
Storage:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension-ID>
Mobile Apps
Deployment of mobile apps through Intune
Overview
Keeper's mobile applications for iOS and Android are native apps that support all vault capabilities including record management, sharing management and autofill. Deploying the app to end-users is possible either through the public app store download or through mobile device management platforms.
App Store Deployment
iOS
Keeper for iOS can be installed directly from the App Store:
Android
Keeper for Android can be installed from the Google Play application at the link below:
Microsoft Intune Deployment
Keeper can be easily deployed to users through Microsoft Intune.
iOS
To deploy the iOS app via Intune to your users, follow the steps below:
(1) From Intune, Select app type of "iOS store app"
(2) Search for Keeper
(3) Select the Keeper Password Manager app by Callpod Inc.
(4) Click Create
Notes regarding the iOS app:
The publisher shows as "Callpod Inc." which is the original holding company for Keeper Security. This is normal.
The Appstore URL is: https://apps.apple.com/us/app/keeper-password-manager/id287170072
If you need the Bundle ID, it is
D4D2433BGC(Case Sensitive)
Android
To deploy the Android app via Intune to your users, follow the steps below:
(1) Select app type of "Android store app"
(2) Enter the below information, feel free to customize the description.
Name
Keeper Password Manager
Description
Keeper automatically generates strong passwords, stores them in a secure digital vault accessible from any device, and autofills them across all of your sites and apps. Keeper’s powerful encryption protects your passwords and sensitive information from data breaches, ransomware, and other cyberattacks.
Minimum operating system
Android 8.0 (Oreo)
Category
Productivity
Show in portal
Yes
Developer
Keeper Security
(3) Create the application
Notes regarding the Android app:
If you need the identifier, it is
com.callpod.android_apps.keeper
IBM MaaS360
Deploy Keeper to mobile phones
Optional Deployment Tasks
Other Policy Driven Deployment Tasks
Prevent Installation of Untrusted Extensions
As a general security practice, we recommend that Enterprise customers limit the ability of end-users to install unapproved 3rd party browser extensions. Browser extensions with elevated permissions could have the ability to access any information within any website or browser-based application. Please refer to your device management software to ensure that Keeper is allowed, and unapproved extensions are blocked or removed.
Preloading Password Importer Tool
The Keeper Password Importer tool is typically downloaded by the user during account creation on the Web Vault. If you do not permit the installation of applications on end-user devices, you can preload the app using the binaries located below:
Password Importer (Windows): https://keepersecurity.com/pwd_importer/win32/keeperimport.exe
Password Importer (Mac): https://keepersecurity.com/pwd_importer/Darwin/KeeperImport.zip
Disabling Built-In Browser Password Managers
Often times, Enterprise customers would like to automatically disable the less secure, built-in password saving features of web browsers. There are several methods of managing this as described in this section.
Chrome for Enterprise
Google provides .adm and .admx files (.admx is a newer .xml file type) to make it easier to manage the Chrome browser using Group Policy. In G Suite and Chrome Enterprise environments, it is enabled via the Google Cloud platform using one of the below methods:
AD managed Chrome – Google provides adm and admx files that are incorporated into a GPO
Chrome Mac Policies and Quickstart – pushed via MDM tools (JAMF, etc...)
Chrome Linux policies and Quickstart – pushed via MDM tools (Ivanti, etc...)
Chrome G Suite managed – Native management for G Suite subscribers
Chrome Enterprise managed – centralized Cloud based Management for Windows, Mac, or Linux computers – agnostic to directory services
Mozilla Firefox for Enterprise
Similar to Chrome, Mozilla provides .adm and .admx files to manage Firefox using Group Policy. Mac-based systems are provided a .pkg file and are managed via JAMF, etc. Linux users are provided a policies.json file.
Microsoft Edge for Business
Edge for Business is now available for Windows and Mac. Group policy is managed through .adm and .admx files on Windows, and .plist on Mac.
Internet Explorer Mode for Edge
The new Edge for Business now supports "Internet Explorer Mode". We recommend using this mode for any IE browser requirements within your organization.
Legacy Internet Explorer
If legacy Internet Explorer is absolutely required by your users, management of password saving features can be disabled under traditional GPO found under:
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Then disable “Turn on the auto-complete feature for user names and passwords.”
IE11 Trusted Sites
Policy Requirements for IE11 Trusted Sites
IE11 - Trusted Sites Policy
Customers who login to Keeper with SSO, or customers who are on corporate networks that deploy group policies for Internet Explorer, ensure that the following entries exist in your Trusted Sites settings under Tools > Internet Options > Security.
US / Global Customers (USA East/West):
keepersecurity.com *.keepersecurity.com
EU Data Center Customers (Ireland, London, Frankfurt):
keepersecurity.eu *.keepersecurity.eu AU Data Center Customers (Sydney): keepersecurity.com.au *.keepersecurity.com.au
CA Data Center Customers (Canada): keepersecurity.ca *.keepersecurity.ca
JP Data Center Customers (Tokyo): keepersecurity.jp *.keepersecurity.jp GovCloud Data Center (US): keepersecurity.us *.keepersecurity.us
Enterprise customers must push group policies to end-users with these Trusted Sites in order to fully function with SSO and other critical features.