Deployment

Overview

Deploying Endpoint Privilege Manager is very simple. The admin creates a custom deployment package associated to a collection of endpoints, and pushes the Keeper agent to those endpoints. When the agent starts up, it immediately registers itself with the Keeper tenant and starts collecting basic information about the endpoint, including the executables and local user accounts. By default, the Keeper agent goes into a "monitoring" mode, and no action is taken.

Requirements

• macOS: Sequoia, Sonoma

• Linux: RedHat 9.4+, Ubuntu 20.04+, Amazon Linux 2, Rocky Linux 9+, Debian 11, 12, SUSE 15sp 2+, AlmaLinux 9.4+

• Windows: 11, Server 2022 and 2025

Encryption

All communications between the Keeper Agent and the Keeper Admin Console are using end-to-end encryption with a zero knowledge architecture, which means that Keeper's servers and employees have no ability to decrypt any information about the endpoint. Only the Keeper Administrator who logs in to the Admin Console can decrypt the endpoint collections and associated metadata.

Deployment Package

From the Endpoint Privilege Manager > Deployments screen, select "New Deployment Package". The Keeper agent can be deployed to any Windows, macOS or Linux endpoint. The executable requires local admin privilege to install the agent. For automatic deployment through your remote management solution or group policy, push out the installer in silent mode using the provided command-line string.

Deployment Collections

When creating a deployment package, the assigned "Collection" name is referenced throughout the privilege manager when applying policies. The collection name typically refers to a group of users sharing a common platform or use case.

Discovery of Inventory Data

When the agent is installed and deployed to the endpoints, there are 3 types of discovery that is performed on the endpoint:

• Basic Inventory: Operating system, version, type

• Account Inventory: Local users and groups

• File Inventory: All executables on the system

The Keeper Admin Console will receive the discovered inventory as encrypted telemetry data, containing information about the endpoint including:

• Computer name and type

• OS information (Windows, macOS, Linux) and version

• Local user account information

• Local group account information

• Installed applications

The Deployment page displays the endpoint stats organized by collection.

The collection can be enabled or disabled from the dashboard. When a collection is disabled, the policy engine will no longer apply to those devices.

Individual endpoints can also be disabled, to prevent the agent from applying policies.

Commander CLI

Keeper Commander supports Deployment management through our command-line interface and Python SDK.

Agent Management

The pedm agent command provides management over individual agents running on the endpoint.

My Vault> pedm agent -h
pedm command [--options]

Command     Description
----------  -------------------------
list        List PEDM agents
edit        Update PEDM agents
delete      Delete PEDM agents
collection  List PEDM agent resources

Deployment

The pedm deployment command provides management over agent deployments.

My Vault> pedm deployment -h
pedm command [--options]

Command    Description
---------  --------------------------------
list       List PEDM deployments
add        Add PEDM deployments
update     Update PEDM deployment
delete     Delete PEDM deployment
download   Download PEDM deployment package

Reports

The pedm report command provides event logs and event reports.

My Vault> pedm report -h
pedm command [--options]
Command    Description
---------  -----------------------------
column     Run column reports
event      Run audit event reports
summary    Run audit summary reports

Next Steps

Once you have deployed the agent, discovery kicks in and generates collections.