Endpoint Privilege Manager Architecture Best Practices

This section gives a high-level view of how Keeper EPM is built and best practices for running it.
Architecture
Trust and Control
Keeper EPM is designed so that you stay in control:
Dashboard: You define policies, approvers, collections, and deployment groups in the Keeper Admin Console. No need to log into each endpoint to change policy.
Agent: A local service on each endpoint enforces your policies. It talks to the backend for registration and policy sync, and runs plugins for policy evaluation, logging, and user interaction.
Local-first enforcement: Policy decisions are made on the endpoint using the latest policy data. So even if the network is briefly unavailable, the agent can still enforce what it last received.
Visibility
Health and status: The agent exposes health and status endpoints so you (or your monitoring tools) can verify it’s running and responding.
Audit and logs: Actions, policy matches, approvals, and denials are audited and logged. You can send this data to the Keeper backend and to your own SIEM or audit tools.
Plugins: Core capabilities (policy, API, logging, client) are split into plugins so that updates and troubleshooting can be focused.
Security
No standing privilege for users: By design, users don’t need to be local admins. Elevation is granted per request, under policy.
Controlled elevation: When elevation is allowed, it can be time-limited and tied to MFA, justification, or approval.
Secure communication: Agents communicate with the backend over secure channels; registration uses tokens you control.
You don’t need to know implementation details—just that the system is built for control, visibility, and security at scale.
Best Practices Overview
Start with Monitor. Use Monitor or Monitor & Notify for new policies so you can see what would be blocked or allowed before you enforce.
Use collections. Group users and machines in collections so one policy applies to many endpoints without maintaining long lists.
Use variables and wildcards. Keep policies simple and cross-platform with variables like {userprofile} and patterns like *.exe where supported.
Pilot with deployment groups. Roll out to a small deployment group first, validate behavior, then expand.
Tune logging. Use a higher log level (e.g., Information or Debug) when troubleshooting; use Warning or Error in production to reduce noise and storage.
Secure registration tokens. Treat registration tokens as secrets; store and transmit them securely.
Review approvals and denials. Periodically review approval requests and denial events so you can adjust policies and catch misuse.
Align with compliance. Use MFA, justification, and approval where your compliance framework requires evidence of control.
Keep agents updated. Deploy agent updates through your normal patch process so you get fixes and new features.
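To make the Monitor-before-enforce, collections, and variable/wildcard practices above concrete, here is an added illustrative evaluator (not Keeper EPM's own code; the product's real policy schema, evaluation engine and no-match default are not described on this page and are assumed here). It shows a Monitor-mode policy recording what it would deny while still allowing the action, the same policy blocking once switched to Enforce, and a policy being skipped for an endpoint outside its collection.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical policy model for illustration only; Keeper EPM's actual
# policy schema and evaluation engine are not described on this page.
MODES = ("Monitor", "Monitor & Notify", "Enforce")


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: str                 # may use variables ({userprofile}) and wildcards (*.exe)
    action: str                  # "allow" or "deny"
    mode: str                    # one of MODES
    collections: FrozenSet[str]  # user/machine collections this policy applies to


def expand(pattern: str, variables: Dict[str, str]) -> str:
    """Substitute {name} variables; unknown variables are left untouched."""
    for name, value in variables.items():
        pattern = pattern.replace("{" + name + "}", value)
    return pattern


def _norm(path: str) -> str:
    # Normalize separators and case so one pattern works across platforms.
    return path.replace("\\", "/").lower()


def matches(policy: Policy, path: str, variables: Dict[str, str]) -> bool:
    return fnmatch.fnmatchcase(_norm(path), _norm(expand(policy.pattern, variables)))


def evaluate(policies: List[Policy], path: str, variables: Dict[str, str],
             endpoint_collections: FrozenSet[str], default: str = "deny") -> Tuple[str, dict]:
    """Local-first evaluation against the last-synced policy list.
    First matching policy whose collections overlap the endpoint's wins.
    Monitor modes only record what *would* happen; Enforce applies the action.
    `default` covers the no-match case (assumed, not the product's stated default)."""
    for p in policies:
        if p.mode not in MODES:
            raise ValueError(f"unknown mode {p.mode!r} in policy {p.name}")
        if not (p.collections & endpoint_collections):
            continue  # policy is scoped to other collections; skip it
        if matches(p, path, variables):
            effective = p.action if p.mode == "Enforce" else "allow"
            return effective, {"policy": p.name, "path": path, "mode": p.mode, "would": p.action,
                               "effective": effective, "notify": p.mode == "Monitor & Notify"}
    return default, {"policy": None, "path": path, "mode": None, "would": default,
                     "effective": default, "notify": False}
```

Feeding the audit records into your SIEM during the Monitor phase is what lets you compare "would" against "effective" before flipping a policy to Enforce.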
You’re in control. This guide is your single place for customer-facing documentation—no internal or developer links, just what you need to run Keeper EPM with confidence.