Methods for deploying Keeper to user desktops
Keeper offers users two different desktop vaults: the Keeper Web Vault in the web browser, and the native Keeper Desktop application for Windows, Mac and Linux.
The Keeper Desktop App has several benefits compared to the Keeper Web Vault, such as:
Ability to Autofill and auto-type passwords into native apps using the KeeperFill for Apps feature.
Ability to automatically import existing passwords without additional component installation.
Automatically migrate from existing LastPass vaults.
Secure biometric login using Touch ID on compatible MacBook Pro computers.
Secure biometric login using Windows Hello (Windows 10).
Windows Hello for Business, including biometrics and smart card capabilities (Windows 10).
Increased performance.
Offline access using biometrics or master password (if permitted by Keeper Admin)
Keeper Desktop is a cross-platform native desktop application for Windows, macOS and Linux. Several installer files are provided at the links below. For additional details on each package, see the Additional Deployment Details section below.
Windows 10 AppInstaller (64 and 32-bit, supports Windows Hello) [Install Link]
Command-line deployment:
Microsoft Store Version (64 and 32-bit, supports Windows Hello) [Microsoft Store Link]
Command-line deployment:
Windows 10 MSIX Installer: [MSIX Installer Link] (Note: MSIX does not auto-update)
Command-line deployment:
Windows 10 MSI Installer: [MSI Installer Link] (Note: MSI does not auto-update, no support for Windows Hello)
Command-line deployment:
Mac OS .dmg [Install Link (.dmg)]
Mac App Store [Mac App Store Link] (Note: does not support iCloud Keychain import)
Linux Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint: (Please refer to the below Download Page for the latest links) [Download Page Link]
Password Importer Standalone (Windows 10): [Install Link (.exe)]
Password Importer Standalone (Mac OS): [Install Link]
Installer: [Install Link]
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %localappdata%\Packages\KeeperSecurityInc.KeeperPasswordManager_xxx
Auto-Updates: Yes
Windows Hello: Yes
The appinstaller is just a lightweight wrapper around the msixbundle that enables auto-update functionality, which is checked on app launch. Due to including the auto-update feature, the appinstaller requires Windows 10 version 1803.
Users download a small appinstaller file that automatically fetches the msixbundle from https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle. It otherwise behaves the same as the MSIX install.
The appinstaller can be deployed with PowerShell like this:
The contents of the KeeperPasswordManager.appinstaller file are below:
Install Link: [MSIX Installer Link]
Supported Platforms: Windows 10 build 1703 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: Yes
The msixbundle file is an appx bundle containing multiple architectures, currently x86 and x86_64 are supported. The asset requires at least Windows 10 version 1703 to install, and installs to C:\Program Files\WindowsApps with a package identity which enables additional features such as Windows Hello. The installed app is owned by TrustedInstaller.
Command-line deployment:
Install Link: [MSI Installer Link]
Supported Platforms: Windows 7, Windows 8, Windows 8.1, Windows 10
Supported Architectures: x64, ia32
Install Location: %programfiles%\keeperpasswordmanager
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: No
The MSI installer does not auto-update. This is to satisfy enterprise administrators who require complete control over application updates.
The MSI installer is 32-bit, and it has the best compatibility with older versions of Windows.
The MSI installer does not support Windows Hello.
The MSI can be silently installed from an elevated command prompt. Without elevation the install fails silently, because the Windows UAC prompt is never shown during a silent install. Install it in this way:
The MSI installer does not allow selecting the installation location. This mitigates a security weakness whereby an administrator can install the application in a location, such as C:\, where non-privileged users have access to modify or replace the binary. Instead, the MSI installer always installs to %programfiles%.
The Keeper .MSI installer utilizes Microsoft Msiexec. Standard switches are documented here: https://docs.microsoft.com/en-us/windows/desktop/msi/standard-installer-command-line-options
Install Link: [Microsoft Store Link]
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Auto-Updates: Yes (via Microsoft Store)
Windows Hello: Yes
The Windows Store build is almost identical to the normal msixbundle, but has a different app identity which is assigned by the Microsoft Store. Updates are managed by the Microsoft Store, and the app is also installed to C:\Program Files\WindowsApps and is owned by TrustedInstaller.
The desktop app can be installed silently from the Microsoft Store using Microsoft's package manager winget:
Businesses may push the Microsoft Store app to Intune using an Intune Connector set up to use the Microsoft Store For Business (businessstore.microsoft.com), which is different from the consumer Microsoft Store (apps.microsoft.com), which some companies block. Companies are given the option to publish two different types of apps: an "offline" version (which won't update automatically via the store) and an "online" version (which should update via the store). The "online" version will update the app in Company Portal as well, so every time a user installs it from Company Portal, it's the newest version.
Minimum Requirements:
Mac OS 10.10+ with Intel or Apple M1 ARM-based processor, 64-bit. 512MB RAM. Keeper Desktop for Mac contains a universal installer which is optimized for both chipsets.
Auto-Updates: Yes
Download Link:
Keeper for Mac (.dmg)
Fedora 28 or above
Ubuntu LTS releases 16.04 or above
Red Hat Enterprise Linux 7.0 or above
CentOS version 7.3 and above
Debian 8 and above
Hardware: 512MB RAM
Auto-Updates: No
Keeper for Linux - Fedora, Red Hat and CentOS
Keeper for Linux - Debian, Ubuntu and Linux Mint
For file verification, Keeper Desktop SHA1 hashes are computed based on the most recent version and can be retrieved at the below URL: https://keepersecurity.com/desktop_electron/SHASUM256.txt
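One way to script the file verification described above before an installer is pushed to endpoints. This is an added example, not Keeper's own tooling: it assumes the checksum file uses the common `<hex digest>  <file name>` line format, and it picks the hash algorithm from the digest length so it works for SHA-1 or SHA-256 entries.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Hex digest length -> algorithm, so SHA-1 and SHA-256 manifests both work.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
# Assumed line format: "<hex digest>  <file name>" ("*" marks binary mode).
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")


def parse_manifest(text):
    """Return {file name: lowercase hex digest} for well-formed lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and len(m.group(1)) in ALGO_BY_HEX_LEN:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def file_digest(path, algo):
    """Hash the file in 1 MiB chunks so large installers are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, manifest_text):
    """Return (ok, reason); a file missing from the manifest fails closed."""
    expected = parse_manifest(manifest_text).get(Path(path).name)
    if expected is None:
        return False, "not listed in manifest"
    algo = ALGO_BY_HEX_LEN[len(expected)]
    if hmac.compare_digest(file_digest(path, algo), expected):
        return True, algo + " match"
    return False, algo + " mismatch"


if __name__ == "__main__":
    import sys
    # Usage: python verify.py <installer> <saved copy of the checksum file>
    ok, reason = verify_installer(sys.argv[1], Path(sys.argv[2]).read_text())
    print(reason)
    sys.exit(0 if ok else 1)
```

A digest published on the same site as the download detects corruption and mirror tampering only; the installer's code signature remains the check on who built it.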
Enterprise configuration settings are available in Keeper Desktop version 16.7.0 and newer.
Keeper supports Enterprise Configuration settings to control the end-user experience.
DomainName
String
Enterprise SSO Domain to pre-populate on app launch.
Region
String
Region identifier where your Keeper tenant is hosted. Must be one of ("us", "eu", "au", "usg")
HideCreateAccount
Boolean
Hides the Create Account button from the start page
UseDefaultBrowserForSSO
Boolean
Routes the user to their default web browser for SSO authentication instead of using a popup window.
Keeper Desktop can be configured using standard macOS NSUserDefaults objects using the com.keepersecurity.passwordmanager domain. If your MDM solution is able to push macOS user defaults, you can use this method for enforcing configuration settings. Note the capital first letter in the key names.
Testing the Config
You can test the configuration on the local machine using the below commands:
For example:
Keeper Desktop's Mac app bundle has an Information Property List File, Info.plist, which contains key-value pairs that identify and configure a bundle.
Finding the App Bundle ID and App Version
The following keys in the Information Property List file contain the values for the App Bundle ID and App Version:
CFBundleIdentifier: App Bundle ID
CFBundleShortVersionString: App Version
To find the values of the above keys, you need to access the Information Property List File, Info.plist, and find the corresponding values.
Location of Info.plist after mounting the DMG file:
Alternatively, you can run the defaults read command:
For the Keeper Desktop App, running the following commands would give you the App Bundle ID and Version:
All Windows, macOS and Linux end-user installations can be configured by using a UTF-8 encoded JSON file placed in the user's home folder under ".keeper/desktop.config.json". Note that the JSON identifiers use camel case with a lowercase first letter.
Example File
macOS End Users
Alternatively, for macOS end-users, Keeper Desktop can be configured using the standard macOS NSUserDefaults. Visit the following section for more information.
The desktop.config.json file must be UTF-8 encoded.
From your text editor, in File > Save As...
In the "Save as type" drop-down, select All Files.
In the "Encoding" drop-down, select UTF-8.
Ensure the name of the file is desktop.config.json
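A pre-deployment check for desktop.config.json, covering the UTF-8 requirement and the settings table above. This is an added example, not part of Keeper's documentation or tooling: the key spellings are derived from the page's rule (camel case, lowercase first letter), and the sample values such as example.com are constructed.

```python
import json

# Key spellings derived from the page's rule (camel case, lowercase first
# letter); they are an assumption, not copied from a Keeper sample file.
SCHEMA = {
    "domainName": str,
    "region": str,
    "hideCreateAccount": bool,
    "useDefaultBrowserForSSO": bool,
}
# Region identifiers exactly as listed on the page.
REGIONS = {"us", "eu", "au", "usg"}


def validate_config(raw: bytes):
    """Return a list of problems found in the raw bytes of the config file."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        # Typical cause: the editor saved the file as UTF-16 or ANSI.
        return [f"not UTF-8: {e.reason} at byte {e.start}"]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg} (line {e.lineno})"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = []
    by_lower = {k.lower(): k for k in SCHEMA}
    for key, value in data.items():
        if key not in SCHEMA:
            # Catches the capitalised NSUserDefaults spelling used in JSON.
            hint = by_lower.get(key.lower())
            problems.append(f"unknown key {key!r}" + (f", expected {hint!r}" if hint else ""))
        elif type(value) is not SCHEMA[key]:
            problems.append(f"{key} must be {SCHEMA[key].__name__}")
    region = data.get("region")
    if isinstance(region, str) and region not in REGIONS:
        problems.append(f"region {region!r} not in {sorted(REGIONS)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: capitalised key, unknown region, string for a boolean.
    sample = b'{"DomainName": "example.com", "region": "apac", "hideCreateAccount": "true"}'
    for problem in validate_config(sample):
        print(problem)
```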
Note that Keeper can automatically route your users to the proper enterprise tenant, SSO provider and data center based on the email domain that they type into the Keeper login form. If you are using SSO, make sure that the "Just In Time Provisioning" option is enabled in the SSO configuration. Also, ensure that your domain is reserved, which means that typing anything @ yourcompany.com will get routed to the proper region.
If the routing of users to the proper region and SSO is not working correctly for you, please open a support ticket.
You can launch the Keeper Password Manager automatically when you start your computer.
To set the Keeper Password Manager app to launch at startup, go to Start > Run and type shell:startup
Your startup folder will be shown. Place a shortcut to Keeper Desktop in this folder. Now Keeper will launch automatically on startup.
From Settings, go to General > Login Items
Click the Plus (+), go to Applications, and select Keeper Password Manager
Now Keeper will launch when you start your Mac.