Keeper MSP is the most secure cybersecurity and password management platform for preventing password-related data breaches and cyberthreats.
Keeper MSP extends Keeper's Enterprise Password Management by allowing MSPs to manage multiple independent tenants, or "Managed Companies" (MCs), through a central console.
To serve the MSP market, Keeper Security developed an enterprise-class, purpose-built solution. This system enables MSPs to manage and distribute Keeper's password management and security software. The enterprise version is designed for scalability and includes core features and functionalities required by MSPs, such as:
Organizational roles
Robust enforcement policies
Multiple provisioning methods
Full support for 2FA methods
Robust event logging, auditing and reporting capabilities
Keeper vaults can be provisioned by MSPs to every one of their customers - to protect every employee on every device they use. Keeper is the leading password management application in the industry - with unmatched security, cross-platform capabilities and top ratings by industry services, press and end users. This guide supplements the Keeper Enterprise Guide and details the specific functionality for MSP-level administration and license management. Please refer to the Enterprise Guide for a broader overview of Keeper software which covers core functionality at the Managed Company level.
Keeper MSP supports a wide spectrum of deployment models, from full-service ("white glove") MSPs who manage everything for their users, all the way to pure resellers who do little or no administration for their clients.
MSP Technicians have access to their MCs' Keeper Admin Consoles and thus have full rights to provision end users and to set up MC-specific roles, login enforcements and teams for sharing credentials. These technicians may also choose to set up login credentials for users, which can be done by sharing records from their private vaults to those of an MC. This allows an MSP to offer a fully integrated set of services that includes a set of pre-configured login credentials which the MSP can keep updated if needed.
In this model, resellers primarily act as distributors and sell Keeper software to customers who can administer the solution themselves. The MSP can designate an administrator user at the MC to handle all management of the system.
Both the MSP Technician and the MC Administrator can share responsibility for managing the system. Frequently changing or highly specific settings (e.g. which employees are in a team folder) can be managed by the "local" MC administrator. For large-scale initial provisioning and configuration, the MSP may be better equipped to facilitate this with Keeper's Active Directory bridge, SSO or other provisioning methods.
Sign up for a free Keeper MSP trial license
If you want to try Keeper MSP before buying, then a trial is for you! Free trials are available for new customers and include unlimited licenses (for all plans offered) to work with. During a trial you can exercise all the core functionality of Keeper, set up your own staff administrators and create Managed Companies. All Secure Add-On features will be activated during the trial period.
If you elect to purchase the product after a trial then the users, vault data and administrative configurations you have set up will be preserved for live production operation.
To start a trial of Keeper MSP click on the Trial button from the MSP product page here: https://keepersecurity.com/msp-password-manager.html
(1) Click Start Free Trial.
(2) Fill out the form using your Business Email Address, and click Start Free Trial.
(3) Select Account Type and Data Center Location.
On this screen, you'll create your account (or if you're using an existing Keeper personal email address, you can select "Use an Existing Account").
Important: At this step, please ensure that you select your desired Geographic Data Center location.
Signup is available for the USA, EUR, AUS, JP, and CA data center locations.
The GovCloud (FedRAMP Compliant) region is available for Public Sector entities; contact us for GovCloud public sector signup.
(4) Select your Administrator account Master Password.
Ensure you select a strong Master Password that is only used for managing Keeper. If you forget your Master Password, Keeper support cannot perform a password reset due to our Zero-Knowledge architecture. We recommend activating Account Recovery (via a recovery phrase) after logging in and visiting the Settings screen.
(5) After verifying your email address and selecting a Master Password, you will be logged into the Keeper Admin Console. Click on the Admin tab from the left navigation panel to add users and begin your configuration.
Once you’ve signed into the console, please follow the "Getting Started" section on the following page.
Quick start guide for Keeper MSP
Keeper has introduced a new Quick Start Checklist to help all businesses get up and running with the Keeper Admin Console. The steps outlined in this section specifically cover best practices for getting started as a Managed Service Provider (MSP).
Click the Admin tab to set up your Keeper Administrators. Click Add Users and enter the name and email address of the user.
Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role. More information about our encryption model can be found here. Also, see Recommended Security Settings for best practices regarding your configuration.
Click the Roles tab to establish roles, which can carry a robust set of enforcements as well as a variety of administrative permissions (such as the right to Manage Companies).
Once roles are defined, then you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes default "Keeper Administrator" and "MSP Subscription Manager" roles. The MSP Subscription Manager role gives access to the MSP Subscription tab for changing the billing method and allocating secure add-ons for MSP internal use.
Teams
If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.
Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles, including:
Active Directory / LDAP (using the Keeper Bridge)
SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.
Email Provisioning
Command-Line or SDK integration
SCIM
The following advanced provisioning methods require an administrator account local to the MC. This account is used to bind the service to the instance or, in the case of Cloud SSO, to perform device approvals:
Keeper AD Bridge
On premises SSO Connect
Cloud SSO Connect
Be sure to use the localized admin account when registering the service as outlined in the installation documentation.
To learn more about provisioning, see the section of the Keeper Enterprise guide called User and Team Provisioning.
To add a new MC, click the Add Managed Company button and enter their name and select the managing node.
Choose a Base Plan and select any additional Secure Add-Ons you would like to add. Once you select a Base Plan, you will be able to view which Secure Add-Ons it includes.
By default, "Allow unlimited license consumption" will be enabled. To override this, deselect the checkbox and enter the maximum licenses allowed.
Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.
Each Managed Company has its own Keeper tenant. The tenant can then be accessed by an MSP admin ("technician") who has the "Managed Companies" role permission.
Keeper provides multiple MSP base plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.
All plans include the following core features:
Encrypted Vault
Folders and Subfolders
Shared Team Folders
Unlimited Devices
Role-Based Access Controls
Security Audit
Activity Reporting
Team Management
Basic 2FA
100 GB Secure File Storage
Optional Secure Add-On features can be added to any existing base plan. Click here to learn more.
MSP technicians and employees are provided features and functionality as described below.
Keeper Administrators with the "Manage Companies" permission can add, remove, and assign base plans plus secure add-ons to their managed companies. These Keeper Administrators can also launch into the managed companies' administrator consoles with full administrative permissions. This allows the MSP to set up the managed companies and optionally provision users, roles, and teams. User license allocation triggers consumption billing for the base plan and most secure add-on features.
To launch into the MC tenant, click the launch icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper Enterprise tenant.
Within an enterprise and within specific nodes, share admins have additional permissions that allow them to view, edit, share, and administer records and folders. General usage and configuration of Share Admins is documented here: Share Admin.
Share Admin rights and settings apply normally to managed companies. For MSPs, if an administrator has both the 'Share Admin' permission and the 'Manage Companies' permission, they will be a Share Admin within the managed companies they have permissions over.
MSPs and MCs can easily share records with each other without first needing to set up a sharing relationship. Additionally, Share Admins, teams and users are automatically suggested when adding share participants.
In the suggestions list when adding a new sharee to a record or folder, Share Admins will be suggested first, then users within your organization, then Teams and Users from Managed companies. If a user or team suggested is not from your organization, the organization name will also be displayed in the list.
To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a "Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – have access to a user’s master password.
The Master Password must adhere to the guidelines enforced by the Keeper Administrator and can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes providing their recovery phrase, email verification and two-factor verification.
MSP Administrators and Technicians can also authenticate into Keeper using any configured SAML 2.0 Single Sign-On (SSO) provider. If SSO is enabled, the user does not have a master password.
Keeper MSP utilizes strict and secure data isolation between each Managed Company, at both the logical and encryption layer. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, ISO 27017, ISO 27018, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.
MSP Technicians exist at the root node level of the MSP's system and have the ability to "launch" into each MC instance for administrative purposes. Any "local" admins set up in the MCs do not have this root-level access to the MSP's console or to any of the MSP's data. MCs are strictly isolated within their own organizational architecture and therefore cannot view or access another MC's admin console or vault records.
New MSP and Managed Company accounts are created either in US, EU, CA, AU, JP or US_GOV geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.
Keeper’s MSP Consumption Model allows MSPs and their Managed Companies (MC) to allocate Keeper licenses to their users and pay for used licenses at the beginning of the following month. Managed Companies can allocate their own licenses simply by adding users.
Adding and Removing Secure Add-on Features
MSPs can add or remove Secure Add-on features at any time for internal use or for their managed companies. MSPs are provided with a monthly "Daily Average Usage Summary" which shows the number of units used to determine monthly charges. At the end of the month, average daily license counts are used to calculate the monthly charges for most add-on features.
Roles and Enforcement Policies
Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.
Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are available at the MSP level and MC level.
For MSP administrators, an additional permission is provided to control the authorization of different operations:
An MSP technician that has the "Manage Companies" permission enabled can launch into an MC's Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC's Keeper Admin Console. There, they can set up the MC's users, roles and teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor the MC's password security through detailed event logging and reporting capabilities.
A separate “MSP Subscription Manager” role exists by default which allows an MSP Administrator to manage MSP internal subscriptions.
Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.
This functionality can be leveraged by MSPs to set up passwords for use by their MC clients:
A series of records with the URL, username, and an initial password could be set up by the MSP technician as the initial "owner."
This folder could be shared with a user, or users at the client.
Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.
A common method of setting up folder structure is to create a folder in the vault e.g. "Customers". Within that folder, you can add any number of Shared Folders. Each Shared Folder can be shared among technicians or shared to a team. Example below:
Organizations can enable the Account Transfer feature, which provides a "break glass" recovery mechanism for all records stored in a user's vault if that user were to leave the organization. An admin can be designated to recover that user's vault so that critical access credentials are not lost, thus avoiding a lockout.
We recommend that Account Transfer is configured at the MSP level and also at the MC level. The user who receives the transferred vault must be local to the MC - vaults cannot be transferred to MSP staff.
The MSP can configure administrative passthrough to grant MSP administrators the ability to transfer accounts within a managed company. This is accomplished by enabling the "Transfer Account" administrative permission in both the MSP and managed company "Keeper Administrator" roles. Then select "Keeper Administrator" as the "Eligible role" as described in step 3 here.
Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all of which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:
KeeperFill for Apps is a convenient tool for accessing information in your vault and filling into native applications or remote sessions.
Upon downloading the latest version of Keeper Desktop App, you will have full use of KeeperFill for Apps, available on both MacOS and Windows devices. Logging into the Keeper Desktop App will simultaneously log you into KeeperFill for Apps (and vice versa). The Keeper Desktop App can be closed but will remain running and can be accessed through your computer's menu bar (MacOS) or system tray (Windows) via the familiar Keeper icon.
Keeper Commander, the command-line and Python/.Net/PowerShell SDK provides special functionality for MSP technicians. Learn more about Keeper Commander here: https://docs.keeper.io/secrets-manager/commander-cli/overview
MSP-Specific commands
Keeper Commander allows the MSP technician to switch between MSP and Managed Company context to manage both internal and customer environments. MSP-specific commands include the following:
msp-down: Download the latest MSP data
msp-info: Display the MSP and MC configuration including MC identifiers for switch-to-mc
msp-license: View the current license allocation
msp-license-report: Run a historical license allocation report
switch-to-mc: Switch to managed company context
switch-to-msp: Switch back to MSP context
msp-add: Add a managed company
msp-remove: Remove a managed company
msp-convert-node: Convert an enterprise node into a managed company
Looking for help with Commander? Email commander@keepersecurity.com.
Keeper's unique billing platform will track your account’s daily license usage and bill you monthly, in arrears.
Keeper’s MSP Consumption Model allows MSPs and their Managed Companies (MCs) to allocate Keeper licenses to their users and pay only for used licenses at the beginning of the following month. Managed Companies can also allocate their own licenses, simply by adding users.
While other MSP solutions in the market bill upfront before licenses are allocated to users, Keeper’s consumption billing model is designed to scale with your MSP business as you add individual managed companies and their users.
Key benefits for our MSP customers include:
Maximized product usage and profitability through usage-based billing
Flexibility to respond quickly to changing customer needs
Improved MSP client retention through self-serve license allocation and easy upgrade/downgrade processes
Greater budget control and reduced financial risk through in-arrears monthly payments
No long-term commitments on licenses
From the "Managed Companies" section, click Billing Statements to view billing summaries and Managed Company usage details.
Keeper maintains daily license counts for MSP internal and Managed Company licenses. At the end of the month, daily average license counts are used to calculate the monthly charges.
MSPs are billed only for days that licenses were in use the previous month. MSPs can add or remove secure add-on features at any time for internal use or for their Managed Companies.
All billing cycles will be monthly, with bills generated on the first day of the following month. Keeper automatically generates a detailed monthly invoice showing all licenses used by the MSP and each Managed Company. Current and past invoices are available in the console from the “Subscriptions” section. Detailed PDFs can be downloaded to show exact usage by each individual Managed Company.
For companies with automatic billing, the billing method on file is used to charge the customer and a detailed receipt is sent to the MSP. For MSPs that are receiving Keeper through a distributor, monthly invoices will be generated but prices will not be shown on the invoices.
Keeper's Secure Add-Ons provide comprehensive visibility, security and control, all within one unified platform - with zero-trust and zero-knowledge security.
MSPs can add or remove Secure Add-On features at any time for their Managed Companies or for internal use. Billing Statements provide MSPs with a Base Plan Add-On Summary or per Managed Company usage detail. At the end of the month, average daily license counts are used to calculate the monthly charges for most add-on features.
Billing Statements are located under the Managed Companies section. You can filter by billing period, managed company and base plan. Both a daily summary and per managed company view are available.
The Base Plan Add-On Summary provides visibility into overall daily and average Add-On usage.
MSPs can view Secure Add-On usage for individual Managed Companies from the Per Managed Company tab.
The Advanced Reporting & Alerts Module (ARAM) empowers InfoSec administrators to monitor more than 100 different security and activity-related event types via customizable reports, real-time notifications and seamless integration into any third-party SIEM solution. (MSP Keeper Business and Keeper Enterprise plans include two basic ARAM Reports: "Recent Events" and "Security Events".)
BreachWatch continuously scans the dark web and receives alerts on compromised passwords to take immediate action for preventing an account takeover attack.
Compliance Reporting provides on-demand visibility of access permissions for the organization's credentials and secrets, and supports audits for Sarbanes-Oxley (SOX) and other industry regulations that require access-control monitoring and event auditing.
KeeperChat enables secure, ephemeral messaging across employee devices with the world’s most secure messaging solution, protecting communications with end-to-end encryption.
Secure File Storage taps into Keeper’s zero-knowledge encryption to put secure file storage, retrieval and decryption privileges in the hands of approved users only.
Keeper Secrets Manager secures your environment and eliminates secrets sprawl by removing hard-coded credentials from your source code, config files and CI/CD systems.
Keeper Connection Manager provides DevOps and IT teams with effortless access to RDP, SSH and Kubernetes endpoints through a web browser.
Dedicated Service & Support, provided by our Professional Services Team, includes training, ongoing support, product configuration and implementation for complex IT environments.
To add or remove Secure Add-Ons to a Managed Company, select the company and click Edit to make your selections.
Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.
MSPs can add or remove Add-Ons for internal use from the "Subscriptions" section of the console.
Just like base plan licenses, average daily license counts at the end of the month are used to calculate the monthly charges for relevant add-on features. MSPs are provided with a monthly "Daily Average Usage" summary which shows the number of units used to determine monthly charges. The billing unit for each add-on is:
Secure File Storage: per day(s) in use (pro-rated)
ARAM: per user
BreachWatch: per user
Keeper Chat: per user
Compliance Reporting: per user
Keeper Connection Manager (KCM): per KCM user (specified by MC)
Keeper Secrets Manager (KSM): per API call bundle
Dedicated Service & Support: flat monthly rate
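As an added illustration (not Keeper's billing code), the consumption model described above worked through for one Managed Company: daily license counts averaged over the month, the rule that a deleted user stops counting from the day after deletion, Secure File Storage pro-rated per day in use, and the flat support fee. The unit prices, the ManagedCompany structure and the sample users are constructed placeholders.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed placeholder unit prices; these are NOT Keeper's list prices.
BASE_PLAN_PRICE = 3.00                                   # per average daily user
PER_USER_ADDON_PRICE = {"ARAM": 1.00, "BreachWatch": 1.00, "Compliance Reporting": 1.50}
FILE_STORAGE_MONTHLY = 10.00                             # pro-rated per day in use
SUPPORT_FLAT_MONTHLY = 250.00                            # flat monthly rate


@dataclass
class ManagedCompany:
    """Assumed shape of one MC's billing inputs (not Keeper's data model)."""
    name: str
    users: list                                          # (added_on, deleted_on or None)
    per_user_addons: set = field(default_factory=set)    # add-ons billed per user
    file_storage_enabled_on: Optional[date] = None       # first day Secure File Storage was on
    dedicated_support: bool = False


def month_days(year: int, month: int) -> list:
    """Every calendar day of the billing month."""
    last = calendar.monthrange(year, month)[1]
    return [date(year, month, d) for d in range(1, last + 1)]


def counted_on(added: date, deleted: Optional[date], day: date) -> bool:
    """A user counts from creation through the day of deletion; beginning the
    following day the deleted user is no longer part of the daily count."""
    return added <= day and (deleted is None or day <= deleted)


def daily_license_counts(mc: ManagedCompany, year: int, month: int) -> list:
    """The per-day license count Keeper's model keeps for each MC."""
    return [sum(counted_on(a, d, day) for a, d in mc.users) for day in month_days(year, month)]


def average_daily_licenses(mc: ManagedCompany, year: int, month: int) -> float:
    counts = daily_license_counts(mc, year, month)
    return sum(counts) / len(counts)


def monthly_statement(mc: ManagedCompany, year: int, month: int) -> dict:
    """Line items billed in arrears for the month: item -> (units, charge)."""
    days = month_days(year, month)
    avg = average_daily_licenses(mc, year, month)
    statement = {"Base Plan": (avg, round(avg * BASE_PLAN_PRICE, 2))}
    for addon in sorted(mc.per_user_addons):             # per-user add-ons follow the same average
        statement[addon] = (avg, round(avg * PER_USER_ADDON_PRICE[addon], 2))
    if mc.file_storage_enabled_on is not None:           # pro-rated by days in use
        in_use = sum(1 for day in days if day >= mc.file_storage_enabled_on)
        statement["Secure File Storage"] = (in_use, round(FILE_STORAGE_MONTHLY * in_use / len(days), 2))
    if mc.dedicated_support:                             # flat rate regardless of users
        statement["Dedicated Service & Support"] = (1, SUPPORT_FLAT_MONTHLY)
    return statement


def msp_totals(mcs: list, year: int, month: int) -> dict:
    """Total charge per MC, as it would appear on the MSP's monthly invoice."""
    return {mc.name: round(sum(c for _, c in monthly_statement(mc, year, month).values()), 2) for mc in mcs}


# Constructed sample MC for January 2024 (31 days): one user all month, one added
# on the 16th, and one deleted on the 10th (still counted on the 10th itself).
SAMPLE_MC = ManagedCompany(
    name="Example Dental (constructed)",
    users=[(date(2023, 12, 1), None), (date(2024, 1, 16), None), (date(2023, 12, 1), date(2024, 1, 10))],
    per_user_addons={"BreachWatch"},
    file_storage_enabled_on=date(2024, 1, 22),
    dedicated_support=True,
)

if __name__ == "__main__":
    for item, (units, charge) in monthly_statement(SAMPLE_MC, 2024, 1).items():
        print(f"{item:28s} units={units:<8.4f} charge={charge:.2f}")
```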
Keeper MSP Onboarding Process
The following section covers the creation of a managed company to be managed by the MSP as opposed to handing off the instance to the client for future administration and management.
It's best to start a design by looking at your overall customer base across all accounts and extracting as much commonality as possible. We are looking for common requirements across all MCs. The closer all the MCs are to each other, the easier they will be to administer as a whole. Our goal is to create a templated procedure which can be re-used for future MCs.
In the table below, we can use a role named "Vault Transfer Required" across all the MCs. At first look, one might be tempted to create a role named "2FA" to handle each MC's different 2FA requirement. However, this naming is ambiguous as Keeper has over a dozen 2FA options. For long-term platform management, it's best to name roles for the exact setting(s) they enforce. Our goal is consistent role naming and results across all MCs.
Roles are all about platform administration, so they will have a lot of commonality across MCs. On the other hand, due to varying business requirements, Teams and Shared Folders tend to be MC-specific. In the table below we would create one shared folder for each Team present in a given MC. Unlike the table, try to use a common naming convention across all MCs. Resist creating an "AP" team in one MC and an "Accounts Payable" team in another.
From the console interface, create a new managed company, decide on a provisioning method and create any desired roles and teams.
Note: On-Prem SSO Connect and AD Bridge require an administrator account within the managed company to bind the service. When setting up one of the aforementioned services, the administrator's email tells the service which instance to bind to.
Create all desired Roles within the admin console. Roles are stackable, i.e., users can belong to multiple roles and will receive the least permissive outcome of the summed roles. Keeper recommends naming your roles for the function they provide as opposed to a business unit or geographic location. If a role enforces vault transfer, name it "Vault Transfer".
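The following is an added example, not Keeper's code, showing how the "least permissive outcome" of stacked roles can be reasoned about: a user's roles (direct, plus those inherited through team membership) are merged one setting at a time, always keeping the stricter value. The Enforcements fields, the per-setting merge direction, the role names and the sample users, teams and IP ranges are all assumptions constructed for the illustration, not Keeper's actual policy schema.

```python
import ipaddress
from dataclasses import dataclass
from functools import reduce
from typing import Optional


@dataclass(frozen=True)
class Enforcements:
    """One role's enforcement settings (assumed names, not Keeper's schema).
    Each comment states which direction counts as stricter for the merge."""
    master_password_min_length: int = 0                  # higher is stricter
    require_two_factor: bool = False                     # True is stricter
    two_factor_interval_days: Optional[int] = None       # 0 = code at every login; lower is stricter; None = unset
    allow_ip_list: Optional[frozenset] = None            # None = any source IP; a set limits logins to those networks
    restrict_sharing_outside_enterprise: bool = False    # True is stricter


def merge(a: Enforcements, b: Enforcements) -> Enforcements:
    """Combine two roles, keeping the least permissive value of every setting."""
    if a.allow_ip_list is None or b.allow_ip_list is None:
        ips = a.allow_ip_list if b.allow_ip_list is None else b.allow_ip_list
    else:
        ips = a.allow_ip_list & b.allow_ip_list          # the user must satisfy both roles' lists
    intervals = [d for d in (a.two_factor_interval_days, b.two_factor_interval_days) if d is not None]
    return Enforcements(
        master_password_min_length=max(a.master_password_min_length, b.master_password_min_length),
        require_two_factor=a.require_two_factor or b.require_two_factor,
        two_factor_interval_days=min(intervals) if intervals else None,
        allow_ip_list=ips,
        restrict_sharing_outside_enterprise=(a.restrict_sharing_outside_enterprise
                                             or b.restrict_sharing_outside_enterprise),
    )


def roles_for_user(user: str, user_roles: dict, team_members: dict, team_roles: dict) -> set:
    """Direct role memberships plus roles the user inherits through their teams."""
    names = set(user_roles.get(user, ()))
    for team, members in team_members.items():
        if user in members:
            names |= team_roles.get(team, set())
    return names


def effective_enforcements(user: str, roles: dict, user_roles: dict,
                           team_members: dict, team_roles: dict) -> Enforcements:
    """Fold every role the user holds into one effective policy."""
    names = roles_for_user(user, user_roles, team_members, team_roles)
    return reduce(merge, (roles[n] for n in sorted(names)), Enforcements())


def login_allowed(policy: Enforcements, source_ip: str) -> bool:
    """Apply the effective Allow IP List to a login attempt's source address."""
    if policy.allow_ip_list is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in policy.allow_ip_list)


# Constructed sample data: roles named for the setting they enforce, as the guide advises.
ROLES = {
    "Strong Master Password": Enforcements(master_password_min_length=16),
    "2FA Every Login": Enforcements(require_two_factor=True, two_factor_interval_days=0),
    "2FA Every 30 Days": Enforcements(require_two_factor=True, two_factor_interval_days=30),
    "Admin Allow IP List": Enforcements(allow_ip_list=frozenset({"203.0.113.0/24"})),
    "No External Sharing": Enforcements(restrict_sharing_outside_enterprise=True),
}
USER_ROLES = {"tech@example-msp.test": {"2FA Every 30 Days"},
              "alice@example-mc.test": {"Strong Master Password"}}
TEAM_MEMBERS = {"Admins": {"tech@example-msp.test"}, "Accounts Payable": {"alice@example-mc.test"}}
TEAM_ROLES = {"Admins": {"Admin Allow IP List", "2FA Every Login"},
              "Accounts Payable": {"No External Sharing", "2FA Every Login"}}

if __name__ == "__main__":
    for user in USER_ROLES:
        policy = effective_enforcements(user, ROLES, USER_ROLES, TEAM_MEMBERS, TEAM_ROLES)
        print(user, policy, "login from 198.51.100.5 allowed:", login_allowed(policy, "198.51.100.5"))
```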
If configured correctly, the platform can allow members of the top-level MSP default "Keeper Administrator" role to perform vault transfers for a managed company without the need for a unique administrator account within the managed company. The administrative Vault Transfer passthrough can be enabled by:
Enable the "Transfer Account" option within the "Administrative Permissions" for the default top level "Keeper Administrator" role.
Perform the same operation for the default "Keeper Administrator" role within the managed company.
Within the managed company's user account transfer role, select "Keeper Administrator" as the "Eligible Role".
If the client managed company wishes to restrict the vault transfer ability to only certain members of their organization and prevent the MSP from performing the action, create and use a role other than the default "Keeper Administrator" as the "Eligible Role". The MSP passthrough will only work with the default administrator roles provided by Keeper. To set up local transfer rights only:
Create a new role within the managed company.
Enable "Transfer Account" option within the "Administrative Permissions" of the new role.
Use the new role as the "Eligible Role" for the "user" role where account transfer will be enabled.
Any roles with the "Set as Default Role for Node and Sub Nodes" option enabled will be automatically assigned to all new users. Users can also be indirectly added to roles via team memberships, as roles can contain both users and teams.
For small companies, often, only two roles are required. An administrative role for platform administration and a second for the general user base. Keeper recommends enabling the following minimum "role enforcement" policies:
Note - Administrative access can be restricted to the MC's public-facing egress IP addresses by creating an "Allow IP List". This will require an administrator to be on the MC's LAN or VPN to administer the platform.
Generally, two-factor is configured for master password based authentication. Try to encourage your clients to adopt the "Require code at every login" policy setting, especially for mobile devices. "Require code every 30 days" is often used for desktop clients. If using SSO authentication with two-factor enabled at the IdP, it can be off or unconfigured. By default, users can still opt to set up and use two-factor unless all the "available" methods are explicitly disabled within the enforcement policy.
Teams offer the ability to group users for sharing and applying additional sharing options. If using SCIM provisioning you can indirectly add users to roles via team to role assignments.
Add any applicable role mappings as needed.
Keeper offers several options for onboarding users. Multiple methods can be used in parallel.
Manual entry via the admin console
CSV import via the admin console
Due to Keeper's zero-knowledge architecture, additional configuration may be required for account recovery. If SSO is in use, the administrator can perform an end-user password reset via the IdP's user management interface. Master Password-based users do not have this option, so extra steps are required to ensure recovery is possible if needed. The first option for Master Password based users is a self-service solution using a recovery phrase. A recovery phrase is a simple, auto-generated set of 24 words that was configured when setting up their vault. If the user has forgotten their recovery phrase, and a vault transfer policy has been configured by the administrator and accepted by the end user, you can use the vault transfer feature to recover the vault.
Join the Keeper MSP Slack Channel
Keeper MSP customers are encouraged to join the Keeper Slack channel for communication directly with support team, engineers and other MSP users around the world.
Please use the below Google Form to request access:
Keeper MSP - Where to go from here
The Keeper MSP guide covered functionality specific to the MSP environment. Visit our other guides that go into depth on the end-user and administrator experience.
iOS, Android, Web Vault, Desktop App (Mac, Windows, Linux) and KeeperFill Browser Extensions https://docs.keeper.io/user-guides/
Administrator guide for Keeper Business and Keeper Enterprise customers. https://docs.keeper.io/enterprise-guide/
Next-gen privileged access management solution. https://docs.keeper.io/en/keeperpam
100% cloud-based integration with SAML 2.0 Identity Providers for seamless authentication. https://docs.keeper.io/sso-connect-cloud/
Command-line tools and SDK interface. https://docs.keeper.io/secrets-manager/commander-cli/overview
Cloud-based secrets management platform for IT Admins, DevOps & Developers. https://docs.keeper.io/secrets-manager/secrets-manager/overview
Active Directory and LDAP bridge guide for provisioning users, roles, teams. https://docs.keeper.io/keeper-bridge/
Full release notes and version history across Keeper platforms. https://docs.keeper.io/release-notes/
Read about Keeper's security and encryption model. https://docs.keeper.io/enterprise-guide/keeper-encryption-model
Live system status, monitoring and alerts with notification signup. https://statuspage.keeper.io
Deletion or Isolation of Managed Companies
A single user or group of users can be removed from the platform by deleting the users within the managed company's admin panel.
In the Managed Companies screen, click the Launch icon to enter the Admin Console of the MC containing the user to be deleted.
Navigate to the admin panel and click the Edit icon next to the user you wish to delete. From the User Actions menu, select Delete User. Once a user is deleted, beginning the following day that user will not be counted toward the MC's daily license count.
The user's vault will be deleted along with their account. If the user wishes to retain their records and vault data, they must be exported prior to account deletion. Personal vaults and Family Plan vaults are not affected.
Use the following procedure to delete all user vaults, all data and the managed company itself:
Click the Launch icon to open the Administration Console of the MC to be deleted.
Navigate to the admin panel and delete all users. You can select all users at once via the "User Checkbox".
Close the MC's Administration Console and return to the MSP Console.
Delete the MC from the Managed Companies screen.
Use the following procedure to isolate a managed company into a standalone trial instance. Instance structure and vaults are retained. This assumes the client wants to continue using the product as a Keeper customer outside of the MSP context.
At least one user must be assigned to the MC's Keeper Administrator role before the MC is removed from the MSP. Failure to do so will result in permanent Administration Console lockout.
Click the Launch icon for the Administration Console of the MC to be isolated.
Navigate to Admin Panel > Roles and ensure that at least one, and preferably two, active users belong to the Keeper Administrator role. Failure to do so will result in permanent Administration Console lockout. The first user added to the admin role becomes the principal admin and owner of the instance.
Close any open MC Administration Consoles and return to the MSP Console.
In the Managed Companies tab, select the MC and click Remove Company.
Keeper allows for the migration of a managed company to a different Managed Service Provider (MSP).
To complete the migration, the current MSP must first assign at least one user from the managed company to the Keeper Administrator role within the managed company's Keeper Admin Console. After the designated user has been assigned the Keeper Administrator role, the managed company's instance must be removed from the previous MSP's instance.
Once removed, the managed company will automatically be transitioned to an Enterprise Trial account for a period of 14 days. This process ensures a secure and efficient transition while maintaining administrative oversight.
For the new Enterprise trial account, users utilizing SSO must be switched to Master Password users and must be removed from the SSO node, if applicable. Before this step, users need to set a recovery phrase to ensure continued access to their accounts. Users can set a recovery phrase by following the steps listed below:
From the user's vault, navigate to the account dropdown menu and click Settings > Recovery Phrase.
Once the users are removed from the SSO node, they will need to log into their account using the Forgot Master Password workflow by following the steps below:
From the Keeper vault login screen, click Need Help? > Forgot Master Password. Follow the prompts to regain access.
Next, ensure that all shared folders within the enterprise have at least one user’s email address showing in the shared folder’s user tab, and the user has full folder permissions (Can Manage Users & Records).
The administrator of the Enterprise trial instance will need to contact Keeper Support to be verified. The Enterprise trial can then be downgraded. Downgrading an Enterprise trial switches all users to free personal trial accounts for 30 days and removes the users from the Enterprise trial instance. No data will be lost during the downgrade.
The users are now in a state to be onboarded to the new managed company under the new managed service provider. The new managed service provider will need to recreate roles and teams, which cannot be migrated.
Keeper Commander CLI for Managed Service Providers
Keeper Commander is a command-line and SDK interface which can be used to control your Keeper environment and automate many different functions of the platform. Commander provides hundreds of features which apply to both individual enterprise tenants and MSP tenants.
MSP Commands
APIs for MSPs and Distributors to manage accounts
The primary use cases enabled via the API are:
Create Trial Account
Convert To Paid Account
List all MSPs
Get Current Usage
Get Monthly Usage
Cancel Paid Account
Activate Expired Accounts
List MSP Products
Delete Pending/Conflict Accounts
To access the MSP-specific APIs, contact your support representative to request an API key. The key will be shared with you as a secret in a Keeper record.
After access has been granted, Keeper will share a record with you that includes the information needed to use the APIs. Every call to the API methods above requires a JWT. In the example below, 'iat' and 'exp' are 5 minutes apart. The code below generates the token needed for the web request:
The script below generates the JWT and carries the data needed for the 'create-trial-account' POST.
Sign the token with the HS512 algorithm (HS512 is an HMAC signature, not encryption; the payload is only base64url-encoded and is readable by anyone who holds the token).
Use the JSON below as the payload. Note that this token has a 5 minute expiration.
Use secret.key as the secret key to sign the token.
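As an added example (this is not the page's own script and not Keeper's code), the following Python mints an HS512 token whose 'iat' and 'exp' are five minutes apart using only the standard library, and also shows how a receiver should validate such a token, since the pitfalls (trusting the alg header, non-constant-time MAC comparison, ignoring exp) are the same on both sides. The claim names passed in, the secret.key loader and every function name are assumptions; the page does not show the payload, so the example takes the claims as a parameter.

```python
"""Added example: mint and verify the HS512 JWT used to call the Keeper MSP API.

Assumptions (not from the original page): the claim set passed in, the
secret.key layout (raw secret bytes, trailing whitespace ignored) and the
helper names are illustrative. The page states only that the token is
HS512-signed with secret.key and that 'iat' and 'exp' are five minutes apart.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_LIFETIME_SECONDS = 300  # 'iat' and 'exp' five minutes apart


def load_secret(path: str = "secret.key") -> bytes:
    """Read the shared secret from secret.key (assumed layout: raw bytes)."""
    with open(path, "rb") as fh:
        return fh.read().strip()


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def make_msp_jwt(secret: bytes, claims: dict, now: Optional[int] = None) -> str:
    """Return a compact HS512 JWT carrying `claims` plus a 5 minute iat/exp window."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = dict(claims)
    payload["iat"] = now
    payload["exp"] = now + TOKEN_LIFETIME_SECONDS
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(signature)


def verify_msp_jwt(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Validate a token the way a careful receiver would: pin the algorithm,
    compare the MAC in constant time, then enforce the iat/exp window.
    Raises ValueError on any failure and returns the payload on success."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now > payload["exp"] or now < payload["iat"]:
        raise ValueError("token outside its validity window")
    return payload


if __name__ == "__main__":
    # Constructed demo secret; in practice pass load_secret("secret.key").
    demo_secret = b"constructed-demo-secret-do-not-use"
    token = make_msp_jwt(demo_secret, {"sub": "example-msp"})
    print(token)
    print(verify_msp_jwt(demo_secret, token))
```

Because the token lives for only five minutes, generate it immediately before each request rather than caching it, and keep secret.key out of source control and shell history: anyone holding it can mint tokens for your MSP account.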
Certain API endpoints return the status of an MSP. The statuses are:
PENDING
The account was created via the /create-trial-account endpoint and an email has been sent inviting the user to activate the account and begin their trial.
TRIAL
A newly activated MSP automatically starts with a 14 day trial. At the end of the trial, if the /convert-to-paid endpoint has not been called, the MSP is deactivated and its users can no longer log in. Data is deleted after 1 year. An expired trial can be re-activated within the data retention period.
ACTIVE
An active, paid MSP account with an expiration date some time in the future.
REGION_CONFLICT
The account was created via the /create-trial-account endpoint in the US region, but instead of activating it from the email link, the user activated a trial account from the website in another region. The "accountRegion" field in the response shows the region in which the account is registered.
PRODUCT_CONFLICT
The account was created via the /create-trial-account endpoint in the US region, but instead of activating it from the email link, the user activated an Enterprise trial or consumer trial account from the website. The "productType" field in the response shows the Keeper product type.
EXPIRED
If the /cancel-paid-account endpoint is called, the specified MSP is immediately expired and billing for that MSP stops.
Each Keeper line item has a human-readable name that maps to an ID. The IDs are returned by the usage API endpoints.
ID      Line item
720     Keeper MSP
10001   Keeper Business
10002   Keeper Business Plus
10010   Keeper Enterprise
10011   Keeper Enterprise Plus
967     Keeper Connection Manager Add On
968     Keeper Secrets Manager Add On
910     KeeperChat Add On
920     Keeper ARAM Add On
930     Keeper BreachWatch Add On
940     Keeper Compliance Reporting Add On
1011    Keeper 1TB Storage Add On
1012    Keeper 10TB Storage Add On
730     Dedicated Service & Support
973     Remote Browser Isolation
978     Privilege Access Management
If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.
API for MSPs to provision Family Plans
Keeper provides MSP partners with an API endpoint to provision Family Plans. For more information on provisioning Family Plans via the API, visit:
If you need support or have additional questions on the usage of these APIs, please contact support or your sales representative.
Keeper MSP Best Practices and General Recommendations
This document provides best practice information regarding the setup and configuration of your Keeper MSP tenant.
It is very important to maintain at least two users within the root node with full administrative access to the Keeper Administration Console. If an admin gets locked out of the admin interface due to forgotten password, SSO service failure, enforcement policy settings, etc., the second account will be needed to assist in recovery. Due to the zero knowledge encryption model, Keeper's support staff members have no way of correcting a situation in which all MSP root administrators are unable to login.
Certain configurations require an administrative account within the MC tenant. For example, SSO Connect Cloud and Keeper Bridge services require an account with administrative permission within a Managed Company. The account is needed to bind the provisioning method to the MC instance.
It's a good practice to create only as many roles as necessary and to name them for their functionality. For example, suppose you have a team of traveling sales people who require offline access. It's far better to name the role "Enable offline access" than "Traveling sales people". This way, when you have an access issue six months down the road, you can easily tell what each role does as opposed to who it's for.
Stacking of multiple roles against the same user and/or team is a common practice. Please keep in mind you will always get the least permissive / most restrictive outcome of the sum of the rules.
It's a good practice to create a default role to host newly provisioned users. This is especially helpful when using a Just-In-Time advanced provisioning method. This way you know exactly which enforcement settings will be applied when new users are provisioned. Common default settings include master password complexity and 2FA requirements. This way you are ensured that all user vaults are secured at first login.
As your managed company (MC) and user count increases, so does the overhead of managing access control. For this reason it's a good practice to develop a set of standardized roles to use across the entire client base. This way, no matter which MC you are administering, you are ensured that access control is consistent across the enterprise.
Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. This is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. To preserve Keeper's Zero Knowledge infrastructure, the key exchange occurs when the user logs into their vault. Therefore, Account Transfer must be configured before the user's account needs to be transferred.
A successful transfer requires that the users had logged in at least once prior to the transfer action. When a user leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within the user's vault while retaining a secure role-based hierarchy in the organization.
Prior to Vault version 16.8, MSP users could only share records and folders to individuals within the Managed Companies. Vault version 16.8 and newer provides MSPs with the ability to share folders directly from the MSP vault to entire Teams within the managed company.
From the MSP vault, it is recommended to create a Private Folder at the root level, for example "Clients". Within the private folder, add a Shared Folder for every managed company that you wish to share with. Within each Shared Folder, create subfolders that break down and categorize the information.
An example of this structure in the MSP Vault can be seen below:
From the Shared Folder "Edit" screen, click on the "Users" tab to share the folder with MSP users or directly with the Managed Company (if desired). In the "Email or team name" field, you can select a team from your MSP tenant, or from the managed company tenant.
Below is a list of recommended Enforcement Policies. The following is applicable to your MSP technicians and managed company end-users.
Require Use of 2FA - Toggle to enable. Located under “Two-Factor Authentication”
Purging Deleted Records - Toggle to enable both "Days before records can be cleared permanently" and "Days before deleted records automatically purge". We recommend setting this to 365 days. Located under "Vault Features" at the bottom of the page.
Prevent exporting of records from Web Vault and Desktop App - Toggle to enable. Prevents technicians from walking away with passwords if they leave. Located under "Sharing and Uploading".
Transfer Account - Toggle to enable (very important and recommended for every user, regardless of role.) Located under “Transfer Account”
As an MSP, it is critical that the vault transfer policy is enabled. Otherwise, you run the risk of users getting locked out of the platform and losing access to their vault if they forget their master password and account recovery questions.
Below is a list of recommended Reports and Alerts to build within the MSP Admin Console:
(Report) Managed Company Changes:
Event types to select:
Under "MSP," select all. Select the desired time range. Click Save.
(Report) Admin Activity:
Under Users, select all admins.
Event types to select:
Under "Security," Disabled Two Factor, Created User, Invited User, Transferred Vault, Added User to a Role.
Under "Policy Change," Created Node, Deleted Node, Created Team, Deleted Team, Created Report, Deleted Report, Created Alert, Deleted Alert.
Under "General Usage," Emptied Trash Bin, Imported Records, Exported Records.
Under "MSP," Increased Number of Seats, Decreased Number of Seats, Changed Plan, Paused Managed Company, Removed Managed Company, Deleted Managed Company.
Select the desired time range. Click Save.
(Alert) BreachWatch Alerts:
Event types to select:
Under “BreachWatch,” BreachWatch detected high-risk record password, User ignored detected high-risk password.
Under “Attributes” select “Email Addresses” and select all.
Choose desired alert frequency (We suggest every occurrence). If you would like to add other recipients to this alert, select “Recipients” and click Add. Click save.
(Alert) Brute Force Attack Watch:
Event types to select:
Under "Security," Failed Console Login. Under "Login," Failed Login.
Under "Attributes" select "Email Addresses" and select all.
Under "Alert Frequency" set Number of Events to every 5 occurrences. If you would like to add other recipients to this alert, select "Recipients" and click Add. Click Save.
(Alert) Paused Companies:
Event type to select:
Under "MSP," Paused Managed Company.
Under "Attributes" select "Email Addresses" and select all.
Choose the desired alert frequency (we suggest every occurrence). If you would like to add other recipients to this alert, select "Recipients" and click Add. Click Save.
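The alerts above are configured in the Admin Console, but the same thresholds are often replayed in a SIEM that receives Keeper's audit events. The following Python is an added example, not Keeper's code and not a description of how the console evaluates alerts: it runs the three recommended alert rules over a handful of constructed events and shows what "every 5 occurrences" scoped to "Email Addresses" means in practice (a counter per rule and per email, firing on the 5th, 10th, 15th event). The event record layout (a dict with 'audit_event' and 'username') and the function names are assumptions; the event names are the ones the page lists.

```python
"""Added example: replay the recommended MSP alert thresholds over audit events.

Assumptions (not from the original page): each event is a dict with an
'audit_event' name and the acting 'username' (email); counting per email is
how this example interprets selecting all "Email Addresses" under Attributes.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (event types, fire every N occurrences) per alert, taken from the page's recommendations
ALERT_RULES: Dict[str, Tuple[Set[str], int]] = {
    "Brute Force Attack Watch": ({"Failed Console Login", "Failed Login"}, 5),
    "BreachWatch Alerts": (
        {"BreachWatch detected high-risk record password",
         "User ignored detected high-risk password"},
        1,
    ),
    "Paused Companies": ({"Paused Managed Company"}, 1),
}


def evaluate_alerts(events: Iterable[dict]) -> List[str]:
    """Return one alert line for each time a rule's per-email counter hits a multiple of N."""
    counters: Dict[Tuple[str, str], int] = defaultdict(int)
    fired: List[str] = []
    for event in events:
        for alert_name, (event_types, every) in ALERT_RULES.items():
            if event["audit_event"] not in event_types:
                continue
            key = (alert_name, event["username"])  # scope the count to the email address
            counters[key] += 1
            if counters[key] % every == 0:
                fired.append(f"{alert_name}: {event['username']} (count={counters[key]})")
    return fired


# Constructed sample events: 7 failed logins by one technician (fires once, at
# the 5th), 4 by another (below threshold), one BreachWatch hit, one pause.
SAMPLE_EVENTS: List[dict] = (
    [{"audit_event": "Failed Login", "username": "tech@example.com"}] * 7
    + [{"audit_event": "Failed Console Login", "username": "ops@example.com"}] * 4
    + [{"audit_event": "BreachWatch detected high-risk record password",
        "username": "user@client.example"}]
    + [{"audit_event": "Paused Managed Company", "username": "admin@msp.example"}]
)


def run_sample() -> List[str]:
    return evaluate_alerts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Note what the threshold does not do: the four failures by ops@example.com never alert, and the counter is cumulative rather than windowed, so a slow, spread-out attack still surfaces on its 5th failure while a burst of 4 does not. If you want a time window, add a timestamp to the event record and evict old entries before counting.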