Keeper MSP is the most secure cybersecurity and password management platform for preventing password-related data breaches and cyberthreats.
Keeper MSP is a natural extension of Keeper’s Enterprise Password Management solution which allows an MSP to manage multiple independent tenants (a.k.a. "Managed Companies" or "MCs") from a central console. To serve the MSP market, Keeper Security created an enterprise-class, purpose-built solution which allows Keeper's password management and security software to be managed and distributed by MSPs. The enterprise version of Keeper has been architected for scale and has the core features and functionality that MSPs require, including:
Organizational roles
Robust enforcement policies
Multiple provisioning methods
Full support for 2FA methods
Robust event logging, auditing and reporting capabilities
Keeper vaults can be provisioned by MSPs to every one of their customers - to protect every employee on every device they use. Keeper is the leading password management application in the industry - with unmatched security, cross-platform capabilities and top ratings by industry services, press and end users. This guide supplements the Keeper Enterprise Guide and details the specific functionality for MSP-level administration and license management. Please refer to the Enterprise Guide for a broader overview of Keeper software which covers core functionality at the Managed Company level.
KeeperMSP can support a wide spectrum of deployment models, from full-service (“white glove”) MSPs who manage everything for their users all the way to pure resellers who do little or no administration for their clients.
MSP Technicians have access to their MCs' Keeper Admin Console and thus have full rights to provision end users and set up MC-specific roles, login enforcements and teams for sharing credentials. These technicians may also choose to set up login credentials for users, which can be done by sharing records from their private vaults to those of an MC. This allows an MSP to offer a fully integrated set of services that includes a set of pre-configured login credentials which the MSP can keep updated if needed.
In this model, resellers primarily act as distributors and sell Keeper software to customers who can administer the solution themselves. The MSP can designate an administrator user at the MC to handle all management of the system.
Both the MSP Technician and the MC Administrator can share responsibilities to manage the system. Frequently changing or highly specific settings (e.g. which employees are in a team folder) could be managed by the “local” MC administrator. For large-scale initial provisioning and configuration, the MSP may be better equipped to facilitate this with Keeper’s Active Directory bridge, SSO or other provisioning methods.
Sign up for a free Keeper MSP trial license
If you want to try Keeper MSP before buying, then a trial is for you! Free trials are available for new customers and include unlimited licenses (for all plans offered) to work with. During a trial you can exercise all the core functionality of Keeper, set up your own staff administrators and create Managed Companies. All Secure Add-On features will be activated during the trial period.
If you elect to purchase the product after a trial then the users, vault data and administrative configurations you have set up will be preserved for live production operation.
To start a trial of Keeper MSP click on the Trial button from the MSP product page here: https://keepersecurity.com/msp-password-manager.html
(1) Click the Start Free Trial.
(2) Fill out the form using your Business Email Address, and click Start Free Trial.
(3) Select Account Type and Data Center Location.
On this screen, you'll create your account (or if you're using an existing Keeper personal email address, you can select "Use an Existing Account").
Important: At this step, please ensure that you select your desired Geographic Data Center location.
Signup is available for the USA, EUR, AUS, JP, and CA data center locations.
The GovCloud (FedRAMP Compliant) region is available for Public Sector entities; contact us for GovCloud public sector signup.
(4) Select your Administrator account Master Password.
Ensure you select a strong Master Password that is only used for managing Keeper. If you forget your Master Password, Keeper support cannot perform a password reset due to our Zero-Knowledge architecture. We recommend activating Account Recovery (via a recovery phrase) after logging in and visiting the Settings screen.
(5) After verifying your email address and selecting a Master Password, you will be logged into the Keeper Admin Console. Click on the Admin tab from the left navigation panel to add users and begin your configuration.
Once you’ve signed into the console, please follow the "Getting Started" section on the following page.
Keeper has introduced a new Quick Start Checklist to help all businesses get up and running with the Keeper Admin Console. The steps outlined in this section specifically cover best practices for getting started as a Managed Service Provider (MSP).
If you're not logged in already, follow the links below to access the Keeper Admin Console:
https://keepersecurity.com/console (US)
https://keepersecurity.eu/console (EU)
https://keepersecurity.com.au/console (AU)
https://keepersecurity.ca/console (CA)
https://keepersecurity.jp/console (JP)
https://govcloud.keepersecurity.us/console (GOV)
(Or just open KeeperSecurity.com > Login > Admin Console)
Click the Admin tab to set up your Keeper Administrators. Click Add Users and enter the name and email address of the user.
Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role. More information about our encryption model can be found here. Also, see Recommended Security Settings for best practices regarding your configuration.
Click on Roles tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies).
Once roles are defined, then you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes default "Keeper Administrator" and "MSP Subscription Manager" roles. The MSP Subscription Manager role gives access to the MSP Subscription tab for changing the billing method and allocating secure add-ons for MSP internal use.
Teams
If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.
Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles through several methods including:
Active Directory / LDAP (using the Keeper Bridge)
SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.
Email Provisioning
Command-Line or SDK integration
SCIM
The following advanced provisioning methods require an administrator account local to the MC. This account is used to bind the service to the MC instance or, in the case of Cloud SSO, to perform device approvals:
Keeper AD Bridge
On premises SSO Connect
Cloud SSO Connect
Be sure to use the MC-local admin account when registering the service, as outlined in the installation documentation.
To learn more about provisioning, see the section of the Keeper Enterprise guide called User and Team Provisioning.
To add a new MC, click the Add Managed Company button and enter their name and select the managing node.
Choose a Base Plan and select any additional Secure Add-Ons you would like to add. You will be able to view which Secure Add-Ons are included in each Base Plan once you select it.
By default, "Allow unlimited license consumption" will be enabled. To override this, deselect the checkbox and enter the maximum licenses allowed.
Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.
Each Managed Company has their own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.
IMPORTANT: You should set up a local administrator at the MC after you create the company. This administrator will serve as a secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.
Keeper provides multiple MSP base plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.
All plans include the following core features:
Encrypted Vault
Folders and Subfolders
Shared Team Folders
Unlimited Devices
Role-Based Access Controls
Security Audit
Activity Reporting
Team Management
Basic 2FA
100 GB Secure File Storage
Optional Secure Add-On features can be added to any existing base plan. Click here to learn more.
MSP technicians and employees are provided features and functionality as described below.
Keeper Administrators with "Manage Companies" permission can add, remove, and assign base-plans plus secure add-ons to their managed companies. These Keeper Administrators can also launch to the managed companies administrator consoles with full administrative permissions. This allows the MSP to set up the managed companies and optionally provision users, roles, and teams. User license allocation triggers consumption billing for the base plan and most secure add-on features.
To launch into the MC tenant, click the launch icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper Enterprise tenant.
Within an enterprise and within specific nodes, share admins have additional permissions that allow them to view, edit, share, and administer records and folders. General usage and configuration of Share Admins is documented here: Share Admin.
Share Admin rights and settings apply normally to managed companies. For MSPs, if an administrator has both 'Share Admin' permissions and the 'Manage Companies' permission, they will be a Share Admin within the managed companies they have permissions over.
The default Keeper Administrator role has both Share Admin permissions and Manage companies permissions. Therefore, the default MSP admin account has Share Admin permissions on all MCs.
MSPs and MCs can easily share records between each other without first needing to setup a sharing relationship. Additionally, Share Admins, teams and users are automatically suggested when adding share participants.
In the suggestions list when adding a new sharee to a record or folder, Share Admins will be suggested first, then users within your organization, then Teams and Users from Managed companies. If a user or team suggested is not from your organization, the organization name will also be displayed in the list.
To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a "Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – have access to a user’s master password.
The Master Password must adhere to the guidelines enforced by the Keeper Administrator and can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes providing their recovery phrase, email verification and two-factor verification.
MSP Administrators and Technicians can also authenticate into Keeper using any configured SAML 2.0 Single Sign-On (SSO) provider.
Keeper MSP utilizes strict and secure data isolation between each Managed Company, at both the logical and encryption layer. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, ISO 27017, ISO 27018, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.
MSP Technicians exist at the root node level of the MSP’s system and have the ability to “launch” into each MC instance for administrative purposes. Any “local” admins set up in the MCs do not have this root-level access to the MSP’s console or any of the MSP’s data. MCs are strictly isolated within their own organizational architecture and therefore cannot view or access another MC’s admin console or vault records.
New MSP and Managed Company accounts are created either in US, EU, AU, JP or US_GOV geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.
Keeper’s MSP Consumption Model allows MSPs and their Managed Companies (MC) to allocate Keeper licenses to their users and pay for used licenses at the beginning of the following month. Managed Companies can allocate their own licenses simply by adding users.
An MSP Admin can set an optional limit on the maximum number of licenses a Managed Company can allocate (by default, there is no limit).
Adding and Removing Secure Add-on Features
MSPs can add or remove Secure Add-on features at any time for internal use or for their managed companies. MSPs are provided with a monthly "Daily Average Usage Summary" which shows the number of units used to determine monthly charges. At the end of the month, average daily license counts are used to calculate the monthly charges for most add-on features.
Roles and Enforcement Policies
Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.
Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are available at the MSP level and MC level.
For MSP administrators, an additional permission is provided to control the authorization of different operations:
An MSP technician that has the “Manage Companies” permission enabled can launch into a MC’s Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC’s Keeper Admin Console. There, they can set up the MC’s users, roles, teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor its password security through detailed event logging and reporting capabilities.
A separate “MSP Subscription Manager” role exists by default which allows an MSP Administrator to manage MSP internal subscriptions.
Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.
This functionality can be leveraged by MSPs to set up passwords for use by their MC client:
A series of records with the URL, username, and an initial password could be set up by the MSP technician as the initial “owner.”
This folder could be shared with a user, or users at the client.
Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.
A common method of setting up folder structure is to create a folder in the vault e.g. "Customers". Within that folder, you can add any number of Shared Folders. Each Shared Folder can be shared among technicians or shared to a team. Example below:
Organizations can enable the Account Transfer feature, which provides a “break glass” recovery mechanism for all records which are stored in a user’s vault if that user was to leave the organization. An admin can be designated to recover that user’s vault so critical access credentials are not lost, thus avoiding a lock out.
We recommend that Account Transfer is configured at the MSP level and also at the MC level. The user who receives the transferred vault must be local to the MC - vaults cannot be transferred to MSP staff.
The MSP can configure administrative passthrough to grant MSP administrators the ability to transfer accounts within a managed company. This is accomplished by enabling the “Transfer Account” administrative permission in both the MSP and managed company “Keeper Administrator” roles. Then select the “Keeper Administrator” as the “Eligible role” as described in step 3 here.
The Administrative pass-through mechanism requires use of the “default” Keeper Administrator role in the MC. Any user-created roles will NOT allow the passthrough to occur. User created roles can only be used for vault transfer when initiated by an administrator local to the managed company.
Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all of which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:
KeeperFill for Apps is a convenient tool for accessing information in your vault and filling into native applications or remote sessions.
Upon downloading the latest version of Keeper Desktop App, you will have full use of KeeperFill for Apps, available on both MacOS and Windows devices. Logging into the Keeper Desktop App will simultaneously log you into KeeperFill for Apps (and vice versa). The Keeper Desktop App can be closed but will remain running and can be accessed through your computer's menu bar (MacOS) or system tray (Windows) via the familiar Keeper icon.
Keeper Commander, the command-line and Python/.Net/PowerShell SDK provides special functionality for MSP technicians. Learn more about Keeper Commander here: https://docs.keeper.io/secrets-manager/commander-cli/overview
MSP-Specific commands
Keeper Commander allows the MSP technician to switch between MSP and Managed Company context to manage both internal and customer environments. MSP-specific commands include the following:
msp-down: Download the latest MSP data
msp-info: Display the MSP and MC configuration including MC identifiers for switch-to-mc
msp-license: View the current license allocation
msp-license-report: Run a historical license allocation report
switch-to-mc: Switch to managed company context
switch-to-msp: Switch back to MSP context
msp-add: Add a managed company
msp-remove: Remove a managed company
msp-convert-node: Convert an enterprise node into a managed company
For a full list of MSP Management Commands click here.
Looking for help with Commander? Email commander@keepersecurity.com.
Keeper's unique billing platform will track your account’s daily license usage and bill you monthly, in arrears.
Keeper’s MSP Consumption Model allows MSPs and their Managed Companies (MCs) to allocate Keeper licenses to their users and pay only for used licenses at the beginning of the following month. Managed Companies can also allocate their own licenses, simply by adding users.
While other MSP solutions in the market bill upfront before licenses are allocated to users, Keeper’s consumption billing model is designed to scale with your MSP business as you add individual managed companies and their users.
Key benefits for our MSP customers include:
Maximized product usage and profitability through usage-based billing
Flexibility to respond quickly to changing customer needs
Improved MSP client retention through self-serve license allocation and easy upgrade/downgrade processes
Greater budget control and reduced financial risk through in-arrears monthly payments
No long-term commitments on licenses
This billing method does not apply to MSP Distributors. MSP distributors will continue to be invoiced through Keeper's partner team.
From the "Managed Companies" section, click Billing Statements to view billing summaries and Managed Company usage details.
Keeper maintains daily license counts for MSP internal and Managed Company licenses. At the end of the month, daily average license counts are used to calculate the monthly charges.
MSPs are billed only for days that licenses were in use the previous month. MSPs can add or remove secure add-on features at any time for internal use or for their Managed Companies.
An MSP Admin can set an optional limit on the maximum number of licenses a Managed Company can allocate (by default, there is no limit).
All billing cycles will be monthly, with bills generated on the first day of the following month. Keeper automatically generates a detailed monthly invoice showing all licenses used by the MSP and each Managed Company. Current and past invoices are available in the console from the “Subscriptions” section. Detailed PDFs can be downloaded to show exact usage by each individual Managed Company.
For companies with automatic billing, the billing method on file is used to charge the customer and a detailed receipt is sent to the MSP. For MSPs that are receiving Keeper through a distributor, monthly invoices will be generated but prices will not be shown on the invoices.
Keeper's Secure Add-Ons provide comprehensive visibility, security and control, all within one unified platform - with zero-trust and zero-knowledge security.
MSPs can add or remove Secure Add-On features at any time for their Managed Companies or for internal use. Billing Statements provide MSPs with a Base Plan Add-On Summary or per Managed Company usage detail. At the end of the month, average daily license counts are used to calculate the monthly charges for most add-on features.
Billing Statements are located under the Managed Companies section. You can filter by billing period, managed company and base plan. Both a daily summary and per managed company view are available.
The Base Plan Add-On Summary provides visibility into overall daily and average Add-On usage.
MSPs can view Secure Add-On usage for individual Managed Companies from the Per Managed Company tab.
The Advanced Reporting & Alerts Module (ARAM) empowers InfoSec administrators to monitor more than 100 different security and activity-related event types via customizable reports, real-time notifications and seamless integration into any third-party SIEM solution. (MSP Keeper Business and Keeper Enterprise plans include two basic ARAM Reports: "Recent Events" and "Security Events".)
BreachWatch continuously scans the dark web and receives alerts on compromised passwords to take immediate action for preventing an account takeover attack.
Compliance Reporting provides on-demand visibility of access permissions for the organization's credentials and secrets, and supports audits for Sarbanes-Oxley (SOX) and other industry regulations that require access-control monitoring and event auditing.
KeeperChat enables secure, ephemeral messaging across employee devices with the world’s most secure messaging solution, protecting communications with end-to-end encryption.
Secure File Storage taps into Keeper’s zero-knowledge encryption to put secure file storage, retrieval and decryption privileges in the hands of approved users only.
Keeper Secrets Manager secures your environment and eliminates secrets sprawl by removing hard-coded credentials from your source code, config files and CI/CD systems.
Keeper Connection Manager provides DevOps and IT teams with effortless access to RDP, SSH and Kubernetes endpoints through a web browser.
Dedicated Service & Support provided by our Professional Services Team provides training, ongoing support, product configuration and implementation for complex IT environments.
To add or remove Secure Add-Ons to a Managed Company, select the company and click Edit to make your selections.
Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.
MSPs can add or remove Add-Ons for internal use from the "Subscriptions" section of the console.
Just like base plan licenses, at the end of the month, average daily license counts are used to calculate the monthly charges for relevant add-on features. MSPs are provided with a monthly "Daily Average Usage” summary which shows the number of units used to determine monthly charges.
Secure Add-On | Units Used to Calculate Charges |
---|---|
Secure File Storage | per day(s) in use (pro-rated) |
ARAM | per user |
BreachWatch | per user |
Keeper Chat | per user |
Compliance Reporting | per user |
Keeper Connection Manager (KCM) | per KCM user (specified by MC) |
Keeper Secrets Manager (KSM) | per API call bundle |
Dedicated Service & Support | flat monthly rate |
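As an added worked example (not Keeper's own billing code), the consumption rules above applied to one constructed month of usage for a single Managed Company. Unit prices, the 30-day month and the rounding are illustrative assumptions, not Keeper list prices or internal rules; the `days_over_cap` check is a sanity check for the optional per-MC license limit.

```python
from typing import Dict, List

DAYS_IN_MONTH = 30  # constructed billing month (assumption)

# Illustrative unit prices (assumption; not Keeper list prices).
UNIT_PRICE = {
    "base_plan": 3.00,                      # per average daily licensed user
    "ARAM": 1.00,                           # per average daily user
    "BreachWatch": 0.50,                    # per average daily user
    "Keeper Chat": 0.75,                    # per average daily user
    "Compliance Reporting": 0.75,           # per average daily user
    "Secure File Storage": 10.00,           # per month, pro-rated by days in use
    "KSM": 5.00,                            # per API call bundle
    "Dedicated Service & Support": 100.00,  # flat monthly rate
}
PER_USER_ADDONS = {"ARAM", "BreachWatch", "Keeper Chat", "Compliance Reporting"}

# Constructed usage for one Managed Company: one license count per day,
# plus the add-ons it had enabled during the month.
EXAMPLE_USAGE = {
    "licenses": [10] * 15 + [20] * 15,            # 10 users, then 20 from day 16
    "per_user_addons": {"ARAM": [10] * 15 + [20] * 15},
    "file_storage_days": 12,                      # days the add-on was enabled
    "ksm_bundles": 2,                             # API call bundles consumed
    "dedicated_support": True,
}


def average_daily(counts: List[int], days_in_month: int) -> float:
    """Average daily license count; the list must hold one entry per day."""
    if len(counts) != days_in_month:
        raise ValueError("need exactly one daily count per day of the month")
    return sum(counts) / days_in_month


def line_items(usage: Dict, days_in_month: int = DAYS_IN_MONTH) -> Dict[str, float]:
    """Charges per the rules in the table: average-daily counts for the base plan
    and per-user add-ons, pro-rated days for file storage, bundles for KSM and a
    flat rate for Dedicated Service & Support."""
    items: Dict[str, float] = {}
    items["base_plan"] = round(
        average_daily(usage["licenses"], days_in_month) * UNIT_PRICE["base_plan"], 2)
    for addon, counts in usage["per_user_addons"].items():
        if addon not in PER_USER_ADDONS:
            raise ValueError(f"{addon!r} is not billed per user")
        items[addon] = round(average_daily(counts, days_in_month) * UNIT_PRICE[addon], 2)
    storage_days = usage.get("file_storage_days", 0)
    if storage_days:
        items["Secure File Storage"] = round(
            UNIT_PRICE["Secure File Storage"] * storage_days / days_in_month, 2)
    if usage.get("ksm_bundles"):
        items["KSM"] = round(usage["ksm_bundles"] * UNIT_PRICE["KSM"], 2)
    if usage.get("dedicated_support"):
        items["Dedicated Service & Support"] = UNIT_PRICE["Dedicated Service & Support"]
    return items


def monthly_total(usage: Dict, days_in_month: int = DAYS_IN_MONTH) -> float:
    """Total invoiced in arrears for the month."""
    return round(sum(line_items(usage, days_in_month).values()), 2)


def days_over_cap(counts: List[int], max_licenses: int) -> int:
    """Number of days on which the allocated count exceeded the MC's license
    cap; with the cap enforced in the console this should always be 0."""
    return sum(1 for c in counts if c > max_licenses)


if __name__ == "__main__":
    for name, amount in line_items(EXAMPLE_USAGE).items():
        print(f"{name:30s} {amount:8.2f}")
    print(f"{'TOTAL':30s} {monthly_total(EXAMPLE_USAGE):8.2f}")
    print("days over a cap of 15:", days_over_cap(EXAMPLE_USAGE["licenses"], 15))
```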
This page will guide existing MSPs as they migrate to our upgraded platform with new features and billing improvements.
Thank you for being a valued KeeperMSP customer! We’re launching powerful features and products to further improve your KeeperMSP experience. When Keeper releases our upgraded KeeperMSP product, you can expect new zero-trust Secure Add-ons and an improved billing model.
MSP consumption-based billing is live. Some MSPs have not been fully migrated to consumption billing. If you have any questions, please contact your Keeper sales representative.
These new features and Secure Add-Ons provide comprehensive visibility, security and control, all within one unified platform - with zero-trust and zero-knowledge security:
The Advanced Reporting & Alerts (ARAM) Module empowers InfoSec administrators to monitor more than 100 different security and activity-related event types via customizable reports, real-time notifications and seamless integration into any third-party SIEM solution.
BreachWatch continuously scans the dark web and receives alerts on compromised passwords to take immediate action for preventing an account takeover attack.
Compliance Reporting provides on-demand visibility of access permissions for the organization's credentials and secrets, and supports audits for Sarbanes-Oxley (SOX) and other industry regulations that require access-control monitoring and event auditing.
KeeperChat enables secure, ephemeral messaging across employee devices with the world’s most secure messaging solution, protecting communications with end-to-end encryption.
Secure File Storage taps into Keeper’s zero-knowledge encryption to put secure file storage, retrieval and decryption privileges in the hands of approved users only.
Keeper Secrets Manager secures your environment and eliminates secrets sprawl by removing hard-coded credentials from your source code, config files and CI/CD systems.
Keeper Connection Manager provides DevOps and IT teams with effortless access to RDP, SSH and Kubernetes endpoints through a web browser.
Based on your licensing pool balance, your account will also soon transition from your current license pool billing model to our new consumption-based billing model. Once your current entitlements match or exceed your consumption, the switch will be automatic and seamless.
Upon transitioning your account to our new billing model, you can expect the following key benefits:
It’s cost-effective and designed to scale with your business
You will only be charged for the licenses you use, thereby eliminating the need to estimate the number of users upfront.
No long-term commitments on licenses; a user license can be activated or deactivated at any time
Keeper will track your account’s daily license usage and bill you monthly, in arrears. You may continue to add licenses for any of our products (e.g. Secrets Manager, Compliance Reporting, KeeperChat and Connection Manager) as needed.
Click Add Managed Company and enter their name and select the managing node. Next, choose a base plan and any additional Secure Add-Ons you would like to add. You will be able to view which Secure Add-Ons are included with each base plan once you select it.
By default, "Allow unlimited license consumption" will be enabled. To override this, deselect the checkbox and enter the maximum licenses allowed.
More information regarding base plans can be found here.
To edit an existing Managed Company's details, Base Plan, maximum licenses and Secure Add-Ons, click on the name of the Managed Company, then click Edit.
Since Keeper's new billing model is based on actual daily license usage, the default "License Pool Manager" Role will be replaced with the "MSP Subscription Manager" role. The MSP Subscription Manager’s main function is to manage billing for the MSP. This role has access to the “Subscriptions” tab of the console in order to make changes to the billing method and manage Secure Add-Ons for MSP internal use.
The users in the "License Pool Manager" role already have access to the Subscriptions tab; therefore, they will remain in the role and the role name will automatically change to "MSP Subscription Manager".
Administrative Permissions
The "Allocate Company Licenses" permission has been merged with the "Manage Companies (MSP)" permission.
In order for SEPA to appear as a payment method on the checkout page upon purchase or renewal of KeeperMSP you must fulfill the following criteria:
(1) The selected country in the "Your Information" form must be supported by SEPA
(2) The selected currency in "Order Summary" form must be EUR
Keeper MSP Onboarding Process
The following section covers the creation of a managed company to be managed by the MSP as opposed to handing off the instance to the client for future administration and management.
It's best to start a design by looking at your overall customer base across all accounts and extracting as much commonality as possible. We are looking for common requirements across all MCs. The closer all the MCs are to each other, the easier they will be to administer as a whole. Our goal is to create a templated procedure which can be re-used for future MCs.
In the table below, we can use a role named "Vault Transfer Required" across all the MC's. At first look, one might be tempted to create a role named "2FA" to handle each MC's different 2FA requirement. However, this naming is ambiguous as Keeper has over a dozen 2FA options. For long term platform management, it's best to name roles for the exact setting(s) they enforce. Our goal is consistent role naming and results across all MC's.
Roles are all about platform administration, so they will have a lot of commonality across MCs. On the other hand, due to varying business requirements, Teams and Shared Folders tend to be MC-specific. In the table below we would create one shared folder for each Team present in a given MC. Unlike the table, try to use a common naming convention across all MCs. Resist creating an "AP" team in one MC and an "Accounts Payable" team in another.
MC | Roles | Teams | Shares |
MC1 | Vault Transfer Required, 2FA Required, Master Password Complexity | IT, HR, AP | Share per team |
MC2 | Vault Transfer Required, 2FA Optional, No mobile device access | Accounts Payable, AP | Share per team |
MC3 | Vault Transfer Required, Office access only | N/A | Sales, IT, AP |
From the console interface, create a new managed company, decide on a provisioning method and create any desired roles and teams.
Additionally, create any desired MC customizations, including a corporate logo and/or customized email invitations.
Once the MC has been created, a provisioning method needs to be chosen, as this will affect the node structure. If Single Sign-On or Advanced Provisioning will be used, a node needs to be added to host the provisioning method. For our example, we will use basic master password access and manual provisioning, so no additional nodes are required.
Note: On-Prem SSO Connect and AD Bridge require an administrator account within the managed company to bind the service. When setting up one of these services, the administrator's email address tells the service which instance to bind to.
Create all desired Roles within the admin console. Roles are stackable, i.e., users can belong to multiple roles and will receive the least permissive (most restrictive) outcome of the combined roles. Keeper recommends naming roles for the function they provide as opposed to a business unit or geographic location. If a role enforces vault transfer, name it "Vault Transfer".
If configured correctly, the platform can allow members of the top-level MSP default "Keeper Administrator" role to perform vault transfers for a managed company without the need for a unique administrator account within the managed company. The administrative Vault Transfer passthrough can be enabled by:
Enable the "Transfer Account" option within the "Administrative Permissions" for the default top level "Keeper Administrator" role.
Perform the same operation for the default "Keeper Administrator" role within the managed company.
Within the managed company's user account transfer role, select "Keeper Administrator" as the "Eligible Role".
If the client managed company wishes to restrict the vault transfer ability to only certain members of their organization and prevent the MSP from performing the action, create and use a role other than the default "Keeper Administrator" as the "Eligible Role". The MSP passthrough only works with the default administrator roles provided by Keeper. To set up local transfer rights only:
Create a new role within the managed company.
Enable "Transfer Account" option within the "Administrative Permissions" of the new role.
Use the new role as the "Eligible Role" for the "user" role where account transfer will be enabled.
Details on setting up vault transfer are available here: Account Transfer Policy.
Any role with the "Set as Default Role for Node and Sub Nodes" option enabled will be automatically assigned to all new users. Users can also be added to roles indirectly via team membership, as roles can contain both users and teams.
For small companies, often only two roles are required: an administrative role for platform administration and a second for the general user base. Keeper recommends enabling at least the following "role enforcement" policies, shown first for the administrative role and then for the general user role:
Setting Group | Setting | Value |
Login Settings | Length | Minimum 12 characters |
Login Settings | Expiration | 90 days |
Two-Factor | Require use of two factor | On |
Two-Factor | All Platforms | Require code every login |
Account Settings | Disable Stay Logged in | On |
Account Settings | Logout Timers (all) | 10 Minutes |
Account Settings | Allow IP List | See note below |
Transfer Account | Enable Account Transfer | On |
Note - Administrative access can be restricted to the MC's public-facing egress IP addresses by creating an "Allow IP List". This requires an administrator to be on the MC's LAN or VPN to administer the platform.
Setting Group | Setting | Value |
Login Settings | Length | Minimum 10 characters |
Login Settings | Expiration | 90 days |
Two-Factor | Require use of two factor | See note below |
Two-Factor | All Platforms | See note below |
Sharing & Uploading | Prevent sharing outside Enterprise | On |
Sharing & Uploading | Prevent exporting of records | On |
Account Settings | Prevent users from changing email | On |
Account Settings | Disable Stay Logged in | On |
Account Settings | Logout Timers (all) | 15 to 90 Minutes |
Transfer Account | Enable Account Transfer | On |
Transfer Account | Eligible role | Keeper Administrator |
Generally, two-factor is configured for master password based authentication. Encourage your clients to adopt the "Require code at every login" policy setting, especially for mobile devices; "Require code every 30 days" is often used for desktop clients. If using SSO authentication with two-factor enforced at the IdP, two-factor in Keeper can be off or left unconfigured. By default, users can still opt to set up and use two-factor unless all the "available" methods are explicitly disabled within the enforcement policy.
By default, user invitations are sent upon account creation. If you wish to suppress the invitations until a later date, perform the following steps:
Within the MC, create a new role. For this example, we name the role "Suppress Emails Invitations".
Open the role's "Enforcement Policies" dialog.
Select "Account Settings".
Enable the "Disable email invitations" option and click "done".
Check / enable the "Set as Default Role for Node and Sub Nodes" option. This is to ensure the role will be applied to the user upon first login.
Teams offer the ability to group users for sharing and for applying additional sharing options. If using SCIM provisioning, you can add users to roles indirectly via team-to-role assignments.
Create all desired Teams.
Add any applicable role mappings as needed.
Prior to onboarding users, you may wish to distribute Keeper's browser extensions, desktop and mobile apps. Details on centralized software distribution methods are covered here.
Managed Companies with a "plus" license type have access to Keeper's Advanced Reporting and Alerts module. SIEM log forwarding, alerts and custom reports should be created as needed. Please see: MSP Best Practice Reports and Alerts.
Keeper offers several options for onboarding users. Multiple methods can be used in parallel.
Manual entry via the admin console
CSV import via the admin console
Active Directory provisioning via Keeper's AD Bridge agent
Just In Time (JIT) provisioning via Keeper's Cloud SSO Connect or SSO Connect On-Prem.
SCIM provisioning via an IdP
SCIM provisioning via API.
Email provisioning via domain entry
Advanced automated provisioning via Keeper Commander's API / CLI interface
Due to Keeper's zero-knowledge architecture, additional configuration may be required for account recovery. If SSO is in use, the administrator can reset an end user's password via the IdP's user management interface. Master Password based users do not have this option, so extra steps are required to ensure recovery is possible if needed. The first option for Master Password based users is self-service recovery with a recovery phrase: a simple, auto-generated set of 24 words configured when the user set up their vault. If the user has forgotten their recovery phrase, and vault transfer has been configured by the administrator and accepted by the end user, you can use the following procedure to recover the account: Password Recovery Via Vault Transfer
Keeper's Advanced Reporting and Alerts Module (ARAM) is available to managed companies with a "plus" license type. SIEM and Syslog forwarding configurations are covered here: Reporting & Alerts (SIEM). Best practice and example reports and alerts are covered here: Best Practices.
Reconcile your Keeper and PSA Billing with Gradient MSP
Through a third-party integration with our partners at Gradient MSP, Keeper MSP Admins gain a powerful high-level view of your entire billing process.
With the Keeper-Gradient MSP integration, MSPs can:
Review client usage - no more surprises at month-end
Instantly sync service consumption to your PSA
Identify opportunities to grow your business:
Identify under-performing service offerings
Zero in on opportunities to increase revenue and profit
GradientMSP currently integrates with the most popular PSAs:
Connectwise Manage
Datto Autotask
BMS by Kaseya
Syncro
Pulseway
HALOPSA
Accelo
Tigerpaw
CloudBlue PSA
Log in to Gradient MSP Synthesize. If you don't already have a Gradient MSP account, you can create one by providing your email address or SSO credentials.
Navigate to the Integrations tab.
Select the Keeper Security Integration card, and click Connect.
Select Billing Only and click Continue.
Click Generate API Token and copy the Gradient API Key. Note that each integration is assigned a unique API Key. Save this key in a secure location, for example a record in your own Keeper vault. It will only be displayed once.
Click Open Vendor Portal. This will open a new tab with the Keeper MSP Console.
In the Keeper MSP Console, select the Configurations tab and click Setup under the Gradient MSP integration card.
A modal will open where you will paste in your Gradient Key. Then click Test Connection and Save.
Return to Synthesize and click Next to complete the service and account mapping.
Map your accounts by dragging the card from Synthesize on the left to Keeper Security on the right. When complete, press Next.
Exact matches are auto-mapped. The remaining can be searched by clicking the filter button or typing in the Synthesize search bar.
Map your services by dragging the card from Synthesize on the left to Keeper Security on the right. When complete, click Next.
Services can be searched by clicking the filter button or typing in the Synthesize search bar.
Finish Account and Service Mapping
A modal will pop up, letting you know you have completed all the steps and we are ready to receive data. Click OK to complete setup
Return to Keeper Security, you will see the integration card shows connected, with updated pending to be synced.
Click Sync Mapping
The integration card will update to show Connected once the sync completes.
Please note you will need to sync mappings from Keeper every time you make changes to mappings in Gradient.
Return to Synthesize, Refresh your page, and Reconcile!
Important note for Datto Autotask users: Autotask does not support decimal values. All values written to Autotask will be rounded up.
Log in to Synthesize and navigate to the Integrations tab.
Filter to Connected Integrations
Select the Keeper Security Integration card, and click Configure.
Press Disconnect and Confirm.
Disconnecting this integration will remove the authentication settings and all account and service mapping. You can reconnect this integration, but you will need to remap your account and services.
For more information on the Gradient MSP platform and further instructions on the Synthesize platform, visit Gradient MSP at:
Join the Keeper MSP Slack Channel
Keeper MSP customers are encouraged to join the Keeper Slack channel for communication directly with support team, engineers and other MSP users around the world.
Please contact your Keeper sales rep or support team member for the invite link.
Keeper MSP - Where to go from here
The Keeper MSP guide covered functionality specific to the MSP environment. Visit our other guides that go into depth on the end-user and administrator experience.
iOS, Android, Web Vault, Desktop App (Mac, Windows, Linux) and KeeperFill Browser Extensions https://docs.keeper.io/user-guides/
Administrator guide for Keeper Business and Keeper Enterprise customers. https://docs.keeper.io/enterprise-guide/
100% cloud-based integration with SAML 2.0 Identity Providers for seamless authentication. https://docs.keeper.io/sso-connect-cloud/
Command-line tools and SDK interface. https://docs.keeper.io/secrets-manager/commander-cli/overview
Cloud-based secrets management platform for IT Admins, DevOps & Developers. https://docs.keeper.io/secrets-manager/secrets-manager/overview
Active Directory and LDAP bridge guide for provisioning users, roles, teams. https://docs.keeper.io/keeper-bridge/
Full release notes and version history across Keeper platforms. https://docs.keeper.io/release-notes/
Read about Keeper's security and encryption model. https://docs.keeper.io/enterprise-guide/keeper-encryption-model
Live system status, monitoring and alerts with notification signup. https://statuspage.keeper.io
Deletion or Isolation of Managed Companies
A single user or group of users can be removed from the platform by deleting the users within the managed company's admin panel.
NOTE! The user's vault will be deleted along with their account. If the user wishes to retain their records / vault data, it must be exported prior to account deletion. Personal vaults / Family Plan vaults are not affected.
"Launch" onto the Admin Console of the MC containing the user to be deleted.
Navigate to the admin panel and click the edit icon next to the user you wish to delete. From the "User Actions" menu, select Delete User.
Once a user is deleted, beginning the following day that user will not be counted toward the MC's daily license count.
Use the following procedure to delete all user vaults, data and the managed company:
"Launch" the Administration Console of the MC to be deleted.
Navigate to the admin panel and delete all users. You can select all users at once via the "User Checkbox" as seen below.
Close out of the MC's Administration Console and return to MSP Console.
Delete the MC from within the Managed Companies screen.
Use the following procedure to isolate a managed company into a standalone trial instance. Instance structure and vaults are retained. This assumes the client wants to continue using the product as a "Keeper direct" customer.
NOTE! At least one user must be assigned to the MC's "Keeper Administrator" role prior to MC deletion. Failure to do so will result in permanent Administration Console lockout
"Launch" into the Administration Console of the MC to be isolated.
Navigate to the Admin Panel -> Roles and ensure at least one, preferably two, active users belong to the "Keeper Administrator" role. Failure to do so will result in permanent Administration Console lockout. The first user added to the admin role will become the principal admin / owner of the instance.
Close out any open MC's Administration Consoles and return to MSP Console.
Delete the MC from within the managed company's panel.
Users within an MC can be migrated to another MSP. This involves deleting the Managed Company container while retaining the users' vaults. Once the container is deleted, the users can be invited to a new Managed Company. Contact Keeper Security Support for assistance with container deletion.
Keeper Commander CLI for Managed Service Providers
Keeper Commander is a command-line and SDK interface which can be used to control your Keeper environment and automate many different functions of the platform. Commander provides hundreds of features which apply to both individual enterprise tenants and MSP tenants.
To set up and install Keeper Commander, visit this documentation: https://docs.keeper.io/secrets-manager/commander-cli/overview
Some of Commander's MSP-specific commands are listed below.
MSP Commands
Command | Description |
---|---|
| Display MSP details |
| Refresh local MSP data from server |
| View and manage MSP licenses |
| Creates Managed Company |
| Removes Managed Company |
| Generate MSP Billing Reports |
| Switch context to run commands as a managed company |
| Switch context to run commands as MSP |
| Convert an enterprise node into a managed company |
| Copy role enforcements from MSP to MCs |
| Options for managed MSPs. Edit licenses and view msp and mc details. |
APIs for MSPs and Distributors to manage accounts
Note: These APIs only apply to distributors of MSP accounts. Most MSPs can manage companies via Commander's 'msp' commands.
The primary use cases enabled via the API are:
Create Trial Account
Convert To Paid Account
List all MSPs
Get Current Usage
Get Monthly Usage
Cancel Paid Account
Activate Expired Accounts
List MSP Products
Delete Pending/Conflict Accounts
In order to access the MSP specific APIs, contact your support representative to request an API key. It will be shared with you in a Keeper record and is used to create the JWT that authenticates each request (see below).
convert-to-paid
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Request body: Convert-to-paid
Response: OK
Fetch Monthly Usage
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Parameters: two numeric parameters, pattern ^[0-9]
Response: OK (items details)
Cancel Paid Account
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Request body: Request Body for Cancel Paid Account API
Response: OK
Create Trial Account
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Request body (Create trial account request) fields:
ISO standard country code, e.g. "US"
Country code followed by phone number, e.g. "+1 9191919191"
Success Response fields:
Unique identifier for the given user.
ISO standard country code, e.g. "US"
Zip code for US, postal code for non-US countries.
Unique identifier for each account.
Get All linked MSPs
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Response: OK
Activate Expired Account
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Request body: Request Body for Activate Expired Account API
Response: OK
Get available Keeper MSP products
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Response: OK
Delete Pending/Conflict Account
Authorization: Bearer <JWT>
Header: vendor_name (provided by Keeper)
Request body: Request Body for Delete Pending/Conflict Account API
Response: OK
After access has been requested, Keeper will share a record with you that includes the information needed to use the APIs, including the pre-shared secret (secret.key). Every call to the API methods above must carry a JWT that you generate yourself from that secret, for example for the 'create-trial-account' POST. Sign the token with the HS512 algorithm (HMAC-SHA512; this is a signature, not encryption) using secret.key as the key, and set the 'iat' and 'exp' claims 5 minutes apart so that each token expires 5 minutes after it is issued. A tool such as jwt.io can also be used to generate the token from the pre-shared secret and the JSON payload; treat any tool you paste the secret into with the same care as the secret itself.
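As an added example, not Keeper's own code and not the script the page refers to, the following Python builds the HS512 token from the pre-shared secret using only the standard library, so the exact bytes that get signed are visible: the base64url-encoded header and payload joined by a dot, HMAC-SHA512 over that string, and the base64url signature appended. It also verifies a token the way the receiving side would (algorithm pinned to HS512, constant-time comparison, expiry check) and assembles the request headers. Everything beyond the 'iat' and 'exp' claims, the HS512 algorithm and the Bearer/vendor_name headers is an assumption: the extra 'vendor_name' claim, the request body field names, and the API host are placeholders, and the real secret.key and host come from the record Keeper shares with you.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_msp_api_token(secret: bytes, vendor_name: str, now=None, ttl=300) -> str:
    """HS512-signed JWT whose 'iat' and 'exp' are ttl seconds apart (5 minutes by default).

    Including vendor_name as a claim is an assumption; the page only states that
    the payload carries 'iat' and 'exp' 5 minutes apart and that HS512 is used.
    """
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {"iat": now, "exp": now + ttl, "vendor_name": vendor_name}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(signature)


def verify_msp_api_token(secret: bytes, token: str, now=None) -> dict:
    """Check a token as the receiving side would; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header select 'none' or another key type.
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else int(now)
    if now >= int(payload.get("exp", 0)):
        raise ValueError("token expired")
    return payload


def build_api_request(base_url: str, endpoint: str, secret: bytes,
                      vendor_name: str, body: dict, now=None) -> dict:
    """Assemble (but do not send) the POST for one MSP endpoint: Bearer JWT, vendor header, JSON body."""
    token = make_msp_api_token(secret, vendor_name, now)
    return {
        "method": "POST",
        "url": f"{base_url.rstrip('/')}/{endpoint}",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
            "vendor_name": vendor_name,  # header name as it appears on the page
        },
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    # Demo secret and host only; the real secret.key and API host come from the shared Keeper record.
    demo_secret = b"replace-with-secret.key-from-the-shared-Keeper-record"
    req = build_api_request("https://example.invalid", "create-trial-account", demo_secret,
                            "acme-distributor",
                            {"countryCode": "US", "phone": "+1 9191919191"})  # placeholder field names
    print(req["url"], req["headers"]["Authorization"][:30] + "...")
    print(verify_msp_api_token(demo_secret, req["headers"]["Authorization"].split(" ", 1)[1]))
```

Because the token is only valid for 5 minutes, generate it immediately before each request rather than caching it; a request that fails with an authorization error after a long-running step is most likely a stale token, not a wrong secret.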
Certain API endpoints will return the status of an MSP. The below explains what each status is:
Status | Definition |
---|---|
PENDING | When an account is created via the |
TRIAL | A newly activated MSP automatically starts with a 14 day trial. At the end of the trial, if the |
ACTIVE | An active, paid MSP account with an expiration date some time in the future. |
REGION_CONFLICT | When an account is created via the |
PRODUCT_CONFLICT | When an account is created via the |
EXPIRED | if the |
Each Keeper line item has a human readable name that maps to ID's. These are provided in the usage API endpoints.
productID | Line Item |
---|---|
720 | Keeper MSP |
10001 | Keeper Business |
10002 | Keeper Business Plus |
10010 | Keeper Enterprise |
10011 | Keeper Enterprise Plus |
967 | Keeper Connection Manager Add On |
968 | Keeper Secrets Manager Add On |
910 | KeeperChat Add On |
920 | Keeper ARAM Add On |
930 | Keeper BreachWatch Add On |
940 | Keeper Compliance Reporting Add On |
1011 | Keeper 1TB Storage Add On |
1012 | Keeper 10TB Storage Add On |
730 | Dedicated Service & Support |
If you wish to explore the APIs in another tool like postman or the swagger editor, download the associated YAML definition of the APIs below
The account creation API will automatically send an email to the created/invited account. Example below.
If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.
API for MSPs to provision Family Plans
As an MSP partner, Keeper provides an API endpoint to provision Family Plans. For more information on provisioning Family plans via API, visit:
Provision Family plans via API
If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.
Keeper MSP Best Practices and General Recommendations
It is very important to maintain at least two users within the root node with full administrative access to the Keeper Administration Console. If an admin gets locked out of the admin interface due to forgotten password, SSO service failure, enforcement policy settings, etc., the second account will be needed to assist in recovery. Due to the zero knowledge encryption model, Keeper's support staff members have no way of correcting a situation in which all MSP root administrators are unable to login.
Certain configurations require an administrative account within the MC tenant. For example, SSO Connect Cloud and Keeper Bridge services require an account with administrative permission within a Managed Company. The account is needed to bind the provisioning method to the MC instance.
It's a good practice to only create as many roles as necessary and to name them for their functionality. For example, you have a team of traveling sales people who require offline access. It’s far better to name the role “Enable offline access” than “Traveling sales people”. This way, when you have an access issue six months down the road, you can easily tell what each role does as opposed to who it’s for.
Stacking of multiple roles against the same user and/or team is a common practice. Please keep in mind you will always get the least permissive / most restrictive outcome of the sum of the rules.
It’s a good practice to create a default role to host newly provisioned users. This is especially helpful when using a Just-In-Time advanced provisioning method. This way you know exactly which enforcement settings will be applied when new users are provisioned. Common default settings include master password complexity and 2FA requirements. This way you are assured that all user vaults are secured at first login.
As your managed company (MC) and user count increases, so does the overhead of managing access control. For this reason it's a good practice to develop a set of standardized roles to use across the entire client base. This way, no matter which MC you are administering, access control is consistent across the enterprise.
Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. Account Transfer relies on the sharing of encryption keys with the users who have rights to perform the transfer, and, to preserve Keeper's zero-knowledge model, that key exchange happens when the user logs into their vault. Therefore, Account Transfer must be configured, and the user must have logged in afterwards, before that user's account can be transferred.
A successful transfer requires that the users had logged in at least once prior to the transfer action. When a user leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within the user's vault while retaining a secure role-based hierarchy in the organization.
Details for Account Transfer are available here: https://docs.keeper.io/enterprise-guide/account-transfer-policy
Prior to Vault version 16.8, MSP users could only share records and folders to individuals within the Managed Companies. Vault version 16.8 and newer provides MSPs with the ability to share folders directly from the MSP vault to entire Teams within the managed company.
From the MSP vault, it is recommended to create a Private Folder at the root level, for example "Clients". Within the private folder, add a Shared Folder for every managed company that you wish to share with. Within each Shared Folder, create subfolders that break down and categorize the information.
An example of this structure in the MSP Vault can be seen below:
From the Shared Folder "Edit" screen, click on the "Users" tab to share the folder with MSP users or directly with the Managed Company (if desired). In the "Email or team name" field, you can select a team from your MSP tenant, or from the managed company tenant.
Below is a list of recommended Enforcement Policies. The following is applicable to your MSP technicians and managed company end-users.
Require Use of 2FA - Toggle to enable. Located under “Two-Factor Authentication”
Purging Deleted Records - Toggle to enable both “Days before records can be cleared permanently” and “Days before deleted records automatically purge”. We recommend setting these to 365 days. Located under “Vault Features” at the bottom of the page.
Prevent exporting of records from Web Vault and Desktop App - Toggle to enable. Prevents Techs from walking away with passwords if they were to leave. Located under “Sharing and Uploading”.
Transfer Account - Toggle to enable (very important and recommended for every user, regardless of role.) Located under “Transfer Account”
As an MSP, it is critical that vault transfer is enabled. Otherwise, you run the risk of users getting locked out of the platform and losing access to their vault if they forget their master password and recovery phrase.
For more details regarding role-based enforcement policies, click here.
Below is a list of recommended Reports and Alerts to build within the MSP Admin Console:
(Report) Managed Company Changes:
Event types to select:
Under “MSP,” select all. Select desired time range. Click save.
(Report) Admin Activity:
Under users, select all admins.
Event types to select:
Under “Security,” Disabled Two Factor, Created User, Invited User, Transferred Vault, Added User to a Role.
Under “Policy Change,” Created Node, Deleted Node, Created Team, Deleted Team, Created Report, Deleted Report, Created Alert, Deleted Alert.
Under “General Usage,” Emptied Trash Bin, Imported Records, Exported Records.
Under “MSP,” Increased Number of Seats, Decreased Number of Seats, Changed Plan, Paused Managed Company, Removed Managed Company, Deleted Managed Company.
Select desired time range. Click save.
(Alert) BreachWatch Alerts:
Event types to select:
Under “BreachWatch,” BreachWatch detected high-risk record password, User ignored detected high-risk password.
Under “Attributes” select “Email Addresses” and select all.
Choose desired alert frequency (We suggest every occurrence). If you would like to add other recipients to this alert, select “Recipients” and click Add. Click save.
(Alert) Brute Force Attack Watch:
Event type to select: Under “Security,” Failed Console Login.
Under “Login,” select Failed Login. Under “Attributes” select “Email Addresses” and select all.
Under “Alert Frequency” set to Number of Events > Every 5 occurrences. If you would like to add other recipients to this alert, select “Recipients” and click Add. Click Save.
(Alert) Paused Companies:
Event type to select:
Under “MSP,” Paused Managed Company. Under “Attributes” select “Email Addresses” and select all. Choose desired alert frequency (we suggest every occurrence). If you would like to add other recipients to this alert, select “Recipients” and click Add. Click save.
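As an added example, not from the page and not Keeper's own code, the following Python implements the "Brute Force Attack Watch" condition over events that have been forwarded to a SIEM or log store, so the same check can run outside the console: it counts Failed Login and Failed Console Login events per user and raises an alert when they reach five. It goes slightly beyond the console alert by allowing an optional time window (the console's "every 5 occurrences" has no window; pass window=None to match it exactly). The sample events and their field names (audit_event_type, username, remote_address, created) are constructed assumptions about the export shape, not taken from the page; map them to the fields your SIEM actually receives.

```python
import json
from collections import defaultdict

# Constructed sample of forwarded events, one JSON object per line (JSON Lines).
# Field names and event names are assumptions about the export format.
_T0 = 1700000000
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # alice: six failed vault logins in 150 seconds from one address, then a success
    *[{"audit_event_type": "failed_login", "username": "alice@example.com",
       "remote_address": "203.0.113.7", "created": _T0 + 30 * i} for i in range(6)],
    {"audit_event_type": "login", "username": "alice@example.com",
     "remote_address": "203.0.113.7", "created": _T0 + 200},
    # bob: three failures spread over 12 minutes (below the threshold)
    *[{"audit_event_type": "failed_login", "username": "bob@example.com",
       "remote_address": "198.51.100.9", "created": _T0 + 360 * i} for i in range(3)],
    # carol (an admin): five failed console logins, 30 minutes apart
    *[{"audit_event_type": "failed_console_login", "username": "carol@example.com",
       "remote_address": "192.0.2.44", "created": _T0 + 1800 * i} for i in range(5)],
])

FAILED_LOGIN_EVENTS = {"failed_login", "failed_console_login"}


def parse_events(jsonl: str) -> list:
    """Parse JSON Lines into event dicts, oldest first; malformed lines are skipped, not fatal."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e["created"])


def brute_force_alerts(events: list, threshold: int = 5, window=600) -> list:
    """One alert per username whose failed logins reach `threshold` inside any `window` seconds.

    window=None counts failures over the whole input, which is what the console's
    'every 5 occurrences' setting does; a finite window is stricter and suppresses
    users who merely mistype their password a few times a month.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.get("audit_event_type") in FAILED_LOGIN_EVENTS:
            by_user[e["username"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        best = None
        start = 0
        for end in range(len(evs)):  # sliding window over this user's failures
            if window is not None:
                while evs[end]["created"] - evs[start]["created"] > window:
                    start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best:
            n, s, last = best
            alerts.append({
                "username": user,
                "count": n,
                "first": evs[s]["created"],
                "last": evs[last]["created"],
                "sources": sorted({x.get("remote_address", "?") for x in evs[s:last + 1]}),
            })
    return sorted(alerts, key=lambda a: a["username"])


if __name__ == "__main__":
    for a in brute_force_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['username']}: {a['count']} failed logins in "
              f"{a['last'] - a['first']}s from {', '.join(a['sources'])}")
```

With the 10 minute window only alice fires; with no window carol also fires, because her five failed console logins over two hours still reach the console's count. Keep the source addresses in the alert: a burst from one address against one account looks different from the same count spread across many addresses, and that distinction decides whether the response is a password reset or an IP block.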
These same reports and alerts can be set at the Managed Company level, if desired, as long as the MC is part of a plan that includes ARAM (Business Plus and Enterprise Plus licenses only).
For more information about Keeper event reporting and alerts, see this page.