Overview

Endpoint Privilege Manager is a Privileged Elevation and Delegation Management (PEDM) solution

Keeper Endpoint Privilege Manager (KEPM) is a Privileged Elevation and Delegation Management (PEDM) solution that gives organizations precise control over privilege elevation, file access, application execution, and command-line activity across Windows, macOS, and Linux endpoints.

Keeper Endpoint Privilege Manager enables users to perform the tasks they need—securely and without friction—while security teams enforce policy with expanded audit visibility and governance precision.

Introduction & Solution Overview

Keeper Endpoint Privilege Manager (KEPM) is a modern Privileged Elevation and Delegation Management (PEDM) solution designed to eliminate standing privilege, enforce least privilege access at both the process and machine levels to protect against data breaches and cyber attacks, and provide centralized governance over endpoint activity.

With Keeper Endpoint Privilege Manager, you can:

  • Control when and how users can run as administrator or access sensitive files and commands

  • Require MFA, approval, or justification before allowing sensitive actions

  • Reduce or eliminate standing local administrator privileges

  • Redirect risky actions (such as opening network settings) to controlled substitute experiences

  • Enforce policies consistently across Windows, macOS, and Linux

  • Gain expanded audit visibility and governance precision across all endpoints

Policies are defined in the Keeper Admin Console and enforced locally by the KEPM agent on each endpoint. Every elevation, file access attempt, policy match, and approval workflow is policy-gated and auditable.

KEPM strengthens enterprise governance and enforcement precision through centralized global approvals, expanded audit visibility, risk-aware analytics integration, granular command-level policy controls, and built-in platform resilience. These capabilities modernize endpoint privilege management while preserving operational flexibility across Windows and macOS environments.

The result: stronger security, measurable compliance, and operational continuity without blocking productivity.

This comprehensive documentation will guide you through the setup, deployment, and management of Endpoint Privilege Manager.

Contact your Keeper customer success team to learn more about Endpoint Privilege Manager.

Solution Overview

Endpoint Privilege Manager offers a robust set of features designed to secure your endpoints through privilege management:

  • Agent-Based Deployment across Windows, Linux, and macOS endpoints

  • Least-Privilege Management for all desktops and servers

  • Elimination of Standing Local Admin Rights across all deployments

  • Process-Level Privilege Management for granular access control

  • Just-in-Time (JIT) Access at both process and machine levels

  • Elevation Requests with approvals and escalation workflows

  • Flexible Policy Management based on your organization's risk tolerance

  • Standards-Based Architecture leveraging SPIFFE and MQTT protocols

  • Integration with ITSM solutions including ServiceNow, Jira, Salesforce

Solution Overview Feature List

In more detail, these features include:

  • Central Administration Console: Manage deployments, collections, policies, requests, and audit history from one place.

  • Deployment Groups and Targeting: Roll out in stages and scope controls by users, machines, apps, and platforms.

  • Agent-Based Endpoint Coverage: Enforce controls across Windows, macOS, and Linux endpoints.

  • Least-Privilege Enforcement: Ensure users and workloads run with only the permissions required.

  • Remove Standing Local Admin Rights: Eliminate persistent admin privileges while maintaining productivity.

  • Process-Level Privilege Control: Elevate only approved applications and processes, not entire accounts.

  • Just-in-Time Elevation: Grant time-bound access at the process or machine level when needed.

  • Elevation Requests and Approvals: Support user requests with justification, approvals, and escalation paths.

  • Application, Command, and Data Controls: Restrict risky actions and sensitive access using policy-based rules and temporary grants.

  • Audit and Reporting: Capture detailed activity for investigations, compliance, and operational visibility.

Expanded Audit Visibility & Governance Precision

Governance and visibility are core benefits of KEPM.

Keeper Endpoint Privilege Manager provides:

  • Detailed audit events for privilege elevation, file access, command-line activity, and policy evaluation.

  • Clear visibility into which policies matched and why.

  • Tracking of justification entries, MFA challenges, and approval decisions.

  • Full audit trails for compliance reporting and forensic investigations.

  • Integration-ready event streams for SIEM and security monitoring tools.

Security teams gain precise control at the process, machine, and user levels—ensuring governance policies are enforced with measurable accountability.

A Powerful, Event-Driven System — Extensible Without Compromising Security

KEPM is built on an event-driven architecture. User actions—such as requesting elevation—trigger automated workflows including:

  • MFA Challenges

  • Approval Routing

  • Justification Capture

  • Custom Scripts or API Calls via Jobs

You can extend the system using:

  • Custom Filters

  • Jobs that Execute Scripts or Call APIs

  • Configuration Policies that Push Settings to Endpoints

  • Redirect Policies to Controlled Substitute Applications

All functionality operates under the same policy and audit model. The agent’s control plane remains local and secure, and only trusted components can initiate privileged operations.

Zero-Standing Privilege (ZSP)

Keeper EPM enables organizations to move toward zero-standing privilege:

  • Users are not local administrators by default

  • Elevation is requested when needed

  • Policies determine whether to allow, deny, require MFA, require justification, or require approval

This dramatically reduces attack surface while maintaining operational efficiency.

Keeper Endpoint Privilege Manager's "least privilege" policy removes users from local admin privilege across all managed devices (Windows, macOS, Linux). On Windows devices, the users are removed from the local administrators group. On macOS and Linux, users are removed from sudo.

Privileged commands are executed from a Keeper-managed ephemeral account.

Granular Enforcement & Application Control

KEPM extends least privilege enforcement beyond traditional elevation scenarios. Granular command-level elevation enables precise control over elevated actions, reducing over-privileging risks. Support for Application AllowList and DenyList policies for standard execution strengthens default-deny strategies and allows organizations to govern application behavior across both elevated and non-elevated contexts. Expanded policy targeting options increase flexibility while maintaining centralized administrative control. KEPM provides fine-grained, application-aware enforcement:

Privilege Elevation

  • Target specific applications, command lines, users, groups, or machines.

  • Apply Allow, Deny, MFA, Justification, or Approval actions per policy

  • Elevate processes without elevating the entire user account

File & Data Access

  • Allow, deny, or gate access to files or folders

  • Require justification or approval for sensitive access

Command Line Control

  • Define rules for commands or patterns

  • Apply policies to CLI-triggered activity

Variables and wildcards allow scalable policy targeting without maintaining long rule lists.

Command Line Protection & keepersudo

Keeper Endpoint Privilege Manager protects command-line privilege usage through the Command Line Policy type.

On macOS and Linux, KEPM integrates with the keepersudo command, which replaces or wraps traditional sudo behavior under policy control.

With Command Line policies, you can:

  • Control or restrict specific commands

  • Require justification before execution

  • Enforce MFA for sensitive operations

  • Route high-risk commands for approval

  • Grant temporary elevation for defined commands only

This ensures sudo usage is governed, audited, and aligned with least-privilege principles.

Audit & Visibility

Audit visibility provides comprehensive operational and forensic insight. Administrators can view the complete end-to-end elevation flow, tracking requests from submission through approval and execution. Policy audit entries include enriched contextual information such as elevation account usage, MFA identity, file path, and command-line parameters. Full-session correlation identifiers improve traceability across components, while integrated risk scoring data strengthens compliance reporting and supports advanced behavioral analytics.

Platform Resilience & Reliability

KEPM is built for operational resilience across environments, incorporating built-in resilience mechanisms to ensure continuous endpoint protection.

Multi-Platform Coverage

  • Windows

  • macOS

  • Linux

Service-Based Architecture

Each endpoint runs a local service responsible for:

  • Policy Evaluation

  • Backend Synchronization

  • Logging

  • Workflow Enforcement

Keeper Watchdog Service (Windows)

The optional Keeper Watchdog Service monitors the primary EPM service and automatically restarts it if interrupted or terminated.

EPM Watchdog (Plugins & Jobs)

The optional, configurable KEPM Watchdog monitors plugin and job execution health, providing operational reliability and self-healing behavior.

Health & Status Monitoring

  • Built-in health endpoints

  • Status checks for automation and monitoring systems

  • Configurable plugins and deployment updates without reinstalling agents

Dashboard

The Keeper Admin Console is the central administration console for EPM. The default Dashboard lists all recent events, including events generated by policies in monitoring mode. From the Dashboard, administrators can navigate to the main areas of Privilege Manager and:

  • Activate EPM and manage licensing.

  • Create and manage Policies, enforcing least privilege access across your fleet of devices.

  • Define Collections and assign policy scope, managing the groups of applications, machines, and users to which policies apply.

  • Configure Approvers and approval workflows.

  • Manage Deployment Groups.

  • Monitor Deployments and endpoint status.

  • Process & Review Requests and approval history.

  • Access detailed Audit History and reporting data.

Administrators manage once in the dashboard—policies are enforced everywhere by the agent.

Deployment Groups & Targeting

Deployment Groups allow staged rollout and granular targeting.

You can:

  • Deploy in phases (test → pilot → department → enterprise).

  • Scope policies by:

    • User or Group

    • Machine

    • Application

    • Platform

  • Tune policy modes using:

    • Off

    • Monitor

    • Monitor & Notify

    • Enforce

This ensures safe rollout and governance precision.
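As an added illustration (not Keeper's own code, policy format or API), the model below shows how a matched policy's action (the Allow, Deny, MFA, Justification and Approval actions from the Privilege Elevation list above), wildcard targeting, and the four policy modes listed here combine into an enforcement decision plus an audit record naming which policy matched and why. The field names, the default-deny fallback when nothing matches, and the sample rules are all assumptions constructed for the example.

```python
"""Added illustrative model of policy evaluation (assumption: not Keeper's real policy
format or agent code). A matched policy's action and its policy mode combine into an
enforcement decision and an audit record that says which policy matched and why."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Policy:
    name: str
    command: str    # wildcard pattern for the command line, e.g. "apt install *"
    users: tuple    # wildcard patterns for user names; "*" targets everyone
    action: str     # "allow" | "deny" | "mfa" | "justification" | "approval"
    mode: str       # "off" | "monitor" | "monitor_notify" | "enforce"


def match_policy(policies, user, command):
    """First active policy whose command and user patterns both match; None if nothing
    matches. Policies in mode 'off' are skipped, so a later rule may still apply."""
    for p in policies:
        if p.mode == "off":
            continue
        if fnmatchcase(command, p.command) and any(fnmatchcase(user, u) for u in p.users):
            return p
    return None


def evaluate(policies, user, command):
    """Return (decision, audit). decision is 'allow', 'deny', or the gate the user must
    satisfy first ('mfa', 'justification', 'approval'). Monitor modes record what would
    have happened but never block. No matching policy falls back to default-deny
    (an assumption consistent with a zero-standing-privilege posture)."""
    p = match_policy(policies, user, command)
    audit = {"user": user, "command": command,
             "matched_policy": p.name if p else None,
             "policy_action": p.action if p else "deny (no policy matched)",
             "mode": p.mode if p else "enforce", "notify": False}
    if p is None:
        return "deny", audit
    if p.mode == "enforce":
        return p.action, audit
    audit["notify"] = p.mode == "monitor_notify"   # monitoring records, never blocks
    return "allow", audit


# Constructed sample policy set (not taken from any real deployment).
SAMPLE_POLICIES = (
    Policy("block-interactive-shell", "bash*", ("*",), "deny", "enforce"),
    Policy("web-team-restart-nginx", "systemctl restart nginx", ("web-*",), "allow", "enforce"),
    Policy("package-install-needs-approval", "apt install *", ("*",), "approval", "enforce"),
    Policy("disk-tools-pilot", "fdisk *", ("*",), "mfa", "monitor_notify"),
    Policy("retired-rule", "cat /var/log/auth.log", ("*",), "allow", "off"),
)
```

Running `evaluate(SAMPLE_POLICIES, "alice", "fdisk /dev/sda")` shows the monitor-and-notify case: the audit record carries the MFA action the policy would enforce, the notify flag is set, but the decision is still `allow`.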

Keeper Endpoint Privilege Manager within the KeeperPAM Platform

Keeper Endpoint Privilege Manager is part of the broader KeeperPAM platform. KeeperPAM serves as the unified platform for privileged access management, encompassing multiple complementary services:

  • Password Management: Secure storage and rotation of credentials

  • Secrets Management: Control of application secrets and API keys

  • Zero Trust Network Access: Secure, verified remote connections

  • Connection Management: Streamlined access to remote systems

  • Secure Tunneling: Protected pathways to sensitive resources

KEPM extends Zero Trust principles directly to the endpoint by controlling local privilege and application execution.

While KeeperPAM secures access to infrastructure, sessions, and credentials, KEPM extends KeeperPAM's capabilities by enforcing least privilege and delegation at the endpoint level—creating a unified security and governance model. KEPM governs what privileges users have once they're working on the systems that KeeperPAM secures.

For example, an administrator might use KeeperPAM's connection capabilities to securely access a server, and then Privilege Manager controls their local admin privileges on that server. Similarly, Privilege Manager can manage everyday privilege elevation requests on end-user workstations, removing the need for standing local admin rights while still enabling essential operations through just-in-time elevation.

End-User Experience

KEPM is designed to enable productivity while maintaining security.

Users running the Keeper agent are provided with an interface to see the policies applied to their device, and monitor their approvals and elevation requests. The Keeper agent UI is available on Windows, macOS and Linux devices.

  • Users request elevation when needed

  • Clear dialogs explain required justification or MFA

  • Approved actions proceed seamlessly

  • Redirects offer secure alternatives rather than hard denials

  • Elevation is temporary and policy-controlled

The experience is consistent and predictable across supported Windows, macOS, & Linux platforms.

Windows

When a Windows user attempts to run an application requiring elevation:

  • The EPM dialog displays justification and/or MFA requirements

  • Approval workflows trigger if required

  • Elevation is time-bound and policy-controlled

macOS

On macOS, elevation and file access controls operate under the same policy model:

  • Users see native-style dialogs for justification or MFA.

  • Policies govern GUI apps and command-line tools.

Linux (GNOME)

On Linux, EPM enforces policy through controlled elevation flows:

  • CLI activity is governed via keepersudo.

  • Policy evaluation occurs before privileged execution.

Linux device running GNOME

Command Line Experience

On macOS and Linux endpoints, Keeper protects sudo elevation through the Command Line Policy type. As can be seen in the screenshots below, a new elevation command called keepersudo is used to elevate requests.

Linux Desktop running GNOME

In the below example, the user requests elevation to root, and access is granted by the admin.

Linux SSH session with elevation request

Elevation Approvals

Administrator elevation approvals are performed in the Keeper Admin Console, Commander CLI or any other connected applications.

Privilege Elevation

Command Line (Sudo) Approval

Approval of a Command Line elevation request

Operational Flexibility

Operational flexibility in Keeper EPM comes from dynamic configuration capabilities, streamlined deployment workflows, and real-time administrative visibility. This includes policy modes for safe rollout, configuration policies for plugin and job management, scalable targeting with variables and wildcards, and offline registration options for air-gapped environments, allowing security teams to refine governance and maintain enforcement precision without disrupting productivity.

About this Guide

This guide on Privilege Manager is progressively outlined in:
