Endpoint Privilege Manager Commands

Commands that control Keeper Endpoint Privilege Manager (KEPM) capabilities

Overview

Endpoint Privilege Manager is an advanced Privileged Elevation and Delegation Management (PEDM) solution that provides secure, just-in-time elevated privileges across your IT environments.

The EPM commands make use of a local SQLite file that is generated in the user's configuration folder, such as ~/.keeper/keeper_db.sqlite. This database is used to cache all of the retrieved information across endpoints.

epm Command

command: epm

Detail: Manage Keeper Endpoint Privilege Manager deployments, agents, policies, collections and approvals.

My Vault> epm -h                                                       
epm command [--options]

Command     Description
----------  ------------------------------------
sync-down   Sync down EPM data from the backend
deployment  Manage EPM deployments 
agent       Manage EPM agents
policy      Manage EPM policies
collection  Manage EPM collections 
scim        Sync EPM user/group collections from AD or AzureAD
approval    Manage EPM requests and approvals

Sub Commands

Sub-Command: sync-down

Detail: Sync down EPM data from the backend

My Vault> epm sync-down -h                                                 
usage: sync-down [-h] [--reload]

Sync down EPM data from the backend

options:
  -h, --help  show this help message and exit
  --reload    Perform full sync

Sub-Command: deployment

Detail: Manage EPM deployments

My Vault> epm deployment -h
epm command [--options]

Command    Description
---------  --------------------------------
list       List EPM deployments
add        Add EPM deployments
edit       Update EPM deployment
delete     Delete EPM deployment
download   Download EPM deployment package

list

My Vault> epm deployment list -h                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List EPM deployments

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

add

My Vault> epm deployment add -h                      
usage: add [-h] [-f] [--spiffe-cert SPIFFE] name

Add EPM deployments

positional arguments:
  name                  Deployment name

options:
  -h, --help            show this help message and exit
  -f, --force           do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate

edit

My Vault> epm deployment edit -h
usage: update [-h] [--disable {on,off}] [--spiffe-cert SPIFFE] [--name NAME] DEPLOYMENT

Update EPM deployment

positional arguments:
  DEPLOYMENT            Deployment name or UID

options:
  -h, --help            show this help message and exit
  --disable {on,off}    do not prompt for confirmation
  --spiffe-cert SPIFFE  File containing SPIFFE server certificate
  --name NAME           Deployment name

delete

My Vault> epm deployment delete -h
usage: delete [-h] [-f] DEPLOYMENT [DEPLOYMENT ...]

Delete EPM deployment

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation

download

My Vault> epm deployment download -h                      
usage: download [-h] [--file FILE] DEPLOYMENT

Download EPM deployment package

positional arguments:
  DEPLOYMENT   Deployment name or UID

options:
  -h, --help   show this help message and exit
  --file FILE  File name

Sub-Command: agent

Detail: Manage EPM agents

My Vault> epm agent -h                         
epm command [--options]

Command     Description
----------  -------------------------
list        List EPM agents
edit        Update EPM agents
delete      Delete EPM agents
collection  List EPM agent resources

list

My Vault> epm agent list -h             
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v]

List EPM agents

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information

edit

My Vault> epm agent edit -h                          
usage: update [-h] [--enable {on,off}] [--deployment DEPLOYMENT] agent [agent ...]

Update EPM agents

positional arguments:
  agent                 Agent UID(s)

options:
  -h, --help            show this help message and exit
  --enable {on,off}     Enables or disables agents
  --deployment DEPLOYMENT
                        Moves agent to deployment

delete

My Vault> epm agent delete -h                             
usage: update [-h] [--force] agent [agent ...]

Delete EPM agents

positional arguments:
  agent       Agent UID(s)

options:
  -h, --help  show this help message and exit
  --force     do not prompt for confirmation

collection

My Vault> epm agent collection -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] agent

List EPM agent resources

positional arguments:
  agent                 Agent UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter

Sub-Command: policy

Detail: Manage EPM policies

My Vault> epm policy -h  
epm command [--options]

Command    Description
---------  ----------------------------
list       List EPM policies
add        Add EPM policy
edit       Edit EPM policy
view       View EPM policy
agents     Show agents for policies
assign     Assign collections to policy
delete     Delete EPM policy

list

My Vault> epm policy list -h               
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT]

List EPM policies

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)

add

My Vault> epm policy add -h      
usage: add [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
           [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL]
           [--policy-type {elevation,file_access,command,least_privilege}] [--policy-name POLICY_NAME]
           [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]

Add EPM policy

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-type {elevation,file_access,command,least_privilege}
                        Policy type
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

edit

My Vault> epm policy edit -h                                                                                                                           
usage: edit [-h] [--user-filter USER_FILTER] [--machine-filter MACHINE_FILTER] [--app-filter APP_FILTER] [--date-filter DATE_FILTER]
            [--time-filter TIME_FILTER] [--day-filter DAY_FILTER] [--risk-level RISK_LEVEL] [--policy-name POLICY_NAME]
            [--control {allow,deny,audit,notify,mfa,justify,approval}] [--status {enforce,monitor,monitor_and_notify}] [--enable {on,off}]
            policy

Edit EPM policy

positional arguments:
  policy                Policy UID

options:
  -h, --help            show this help message and exit
  --user-filter USER_FILTER
                        Policy user filter. User collection UID or *
  --machine-filter MACHINE_FILTER
                        Policy machine filter. Machine collection UID
  --app-filter APP_FILTER
                        Policy application filter. Application collection UID
  --date-filter DATE_FILTER
                        Policy date filter. Date range in ISO format. YYYY-MM-DD:YYYY-MM-DD
  --time-filter TIME_FILTER
                        Policy time filter. Time. 24 hours format: HH:MM-HH:MM
  --day-filter DAY_FILTER
                        Policy day filter. Day of Week
  --risk-level RISK_LEVEL
                        Policy risk level
  --policy-name POLICY_NAME
                        Policy name
  --control {allow,deny,audit,notify,mfa,justify,approval}
                        Policy controls
  --status {enforce,monitor,monitor_and_notify}
                        Policy Status
  --enable {on,off}     Enables or disables policy

view

My Vault> epm policy view -h                                     
usage: view [-h] [--format {table,json}] [--output OUTPUT] policy

View EPM policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  --format {table,json}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)

agents

My Vault> epm policy agents -h                                 
usage: agent [-h] policy [policy ...]

Show agents for policies

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit

assign

My Vault> epm policy assign -h                          
usage: assign [-h] [-c COLLECTION] policy [policy ...]

Assign collections to policy

positional arguments:
  policy                Policy UID or name

options:
  -h, --help            show this help message and exit
  -c, --collection COLLECTION
                        Collection UID

delete

My Vault> epm policy delete -h
usage: delete [-h] policy [policy ...]

Delete EPM policy

positional arguments:
  policy      Policy UID or name

options:
  -h, --help  show this help message and exit

Sub-Command: collection

Detail: Manage EPM collections

My Vault> epm collection -h                                   
epm command [--options]

Command     Description
----------  -----------------------------------
list        List EPM collections
view        Show EPM collection details
add         Creates EPM collections
update      Update EPM collection
delete      Delete EPM collections
connect     Link values to EPM collection
disconnect  Unlink values from EPM collections
wipe-out    Wipe out EPM collections

list

My Vault> epm collection list -h                                                                                       
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--type TYPE] [--pattern PATTERN]

List EPM collections

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --type TYPE           collection type filter
  --pattern PATTERN     collection search pattern

view

My Vault> epm collection view -h                                                                                                                       
usage: view [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [-v] [--link LINK] collection [collection ...]

Show EPM collection details

positional arguments:
  collection            Collection UID

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  -v, --verbose         print verbose information
  --link LINK           Show link details

add

My Vault> epm collection add -h                                           
usage: add [-h] [--type TYPE] collection [collection ...]

Creates EPM collections

positional arguments:
  collection   Collection name

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type

update

My Vault> epm collection update -h                               
usage: update [-h] [--type TYPE] --name NAME collection

Update EPM collection

positional arguments:
  collection   Collection

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type (optional)
  --name NAME  Collection name

delete

My Vault> epm collection delete -h                         
usage: delete [-h] [-f] collection [collection ...]

Delete EPM collections

positional arguments:
  collection   Collection or @orphan_resource

options:
  -h, --help   show this help message and exit
  -f, --force  do not prompt for confirmation

disconnect

My Vault> epm collection disconnect -h                 
usage: unlink [-h] [--collection COLLECTION] [-f] links [links ...]

Unlink values from EPM collections

positional arguments:
  links                 UIDs to unlink

options:
  -h, --help            show this help message and exit
  --collection, -c COLLECTION
                        Parent collection UID or name
  -f, --force           do not prompt for confirmation

wipe-out

My Vault> epm collection wipe-out -h                                            
usage: wipe-out [-h] [--type TYPE]

Wipe out EPM collections

options:
  -h, --help   show this help message and exit
  --type TYPE  collection type

Sub-Command: approval

Detail: Manage EPM requests and approvals

My Vault> epm approval -h                                                    
epm command [--options]

Command    Description
---------  -----------------------------
list       List EPM approval requests
action     Modify EPM approval requests

list

Get the current list of outstanding approvals

My Vault> epm approval list -h 
usage: list [-h] [--format {table,csv,json,pdf}] [--output OUTPUT] [--type {approved,denied,pending}]

List EPM approval requests

options:
  -h, --help            show this help message and exit
  --format {table,csv,json,pdf}
                        format of output
  --output OUTPUT       path to resulting output file (ignored for "table" format)
  --type {approved,denied,pending,expired}
                        approval type filter

action

Perform an action on a request, such as approving, removing or denying the request.

My Vault> epm approval action -h 
usage: action [-h] [--approve APPROVE] [--deny DENY] [--remove REMOVE]

Modify EPM approval requests

options:
  -h, --help         show this help message and exit
  --approve APPROVE  Request UIDs for approval
  --deny DENY        Request UIDs for denial
  --remove REMOVE    Request UIDs for removal. UID, @approved, @denied, @pending

Sub-Command: scim

Detail: Sync EPM user/group collections from AD or AzureAD

My Vault> epm scim -h                                                                                                                                                                                                     
usage: scim [-h] {record,azure,ad} ...

Sync EPM user/group collections from AD or AzureAD

options:
  -h, --help         show this help message and exit

Directory Type:
  {record,azure,ad}  Authentication method
    record           Connection parameters from Keeper record
    azure            Connect via Azure AD
    ad               Connect via Active Directory

Azure AD connection parameters

My Vault> epm scim azure -h                                                                                                                                                                                               
usage: scim azure [-h] --tenant-id TENANT_ID --client-id CLIENT_ID --client-secret CLIENT_SECRET [--azure-cloud {US,GOV,CN,EU}]

options:
  -h, --help            show this help message and exit
  --tenant-id TENANT_ID
  --client-id CLIENT_ID
  --client-secret CLIENT_SECRET
  --azure-cloud {US,GOV,CN,EU}
                        Azure cloud (AzureCloud, AzureChinaCloud, etc.)

Azure Client ID -> Login

Azure Client Secret -> Password

"Azure Tenant ID" -> Custom field

How to register an app in Microsoft Entra ID - Microsoft identity platformMicrosoftLearn

Microsoft Graph permissions: User.Read.All, Group.Read.All, Directory.Read.All

Create Client Application Secret

Active Directory connection parameters

My Vault> epm scim ad -h                                                                                                                                                                                                  
usage: scim ad [-h] [--ad-url AD_URL] [--ad-user AD_USER] [--ad-password AD_PASSWORD] [--group GROUPS] [--netbios-domain]

options:
  -h, --help            show this help message and exit
  --ad-url AD_URL       AD LDAP URL (e.g., ldap(s)://<host>)
  --ad-user AD_USER     AD bind user (DOMAIN\username or DN)
  --ad-password AD_PASSWORD
                        AD password
  --group GROUPS        AD group name or DN (repeatable)
  --netbios-domain      Use NetBIOS domain names (e.g., TEST) instead of DNS names (e.g., test.local)

AD User -> Login

AD User Password -> Password

AD URL -> Website Address

NetBIOS Domain -> Custom field (TRUE use NetBIOS domain name)

PreviousKeeperPAM Commands NextConnection Commands

Last updated 18 days ago

Was this helpful?

hashtagOverview

hashtagepm Command

hashtagSub-Command: sync-down

hashtagSub-Command: deployment

hashtaglist

hashtagadd

hashtagedit

hashtagdelete

hashtagdownload

hashtagSub-Command: agent

hashtaglist

hashtagedit

hashtagdelete

hashtagcollection

hashtagSub-Command: policy

hashtaglist

hashtagadd

hashtagedit

hashtagview

hashtagagents

hashtagassign

hashtagdelete

hashtagSub-Command: collection

hashtaglist

hashtagview

hashtagadd

hashtagupdate

hashtagdelete

hashtagdisconnect

hashtagwipe-out

hashtagSub-Command: approval

hashtaglist

hashtagaction

hashtagSub-Command: scim

hashtagAzure AD connection parameters

hashtagActive Directory connection parameters

Overview

epm Command

Sub-Command: sync-down

Sub-Command: deployment

list

add

edit

delete

download

Sub-Command: agent

list

edit

delete

collection

Sub-Command: policy

list

add

edit

view

agents

assign

delete

Sub-Command: collection

list

view

add

update

delete

disconnect

wipe-out

Sub-Command: approval

list

action

Sub-Command: scim

Azure AD connection parameters

Active Directory connection parameters