Deployment

Deploying the Keeper Agent to your endpoints

Overview

Deploying Endpoint Privilege Manager is very simple. The admin creates a custom deployment package associated to a collection of endpoints, and pushes the Keeper agent to those endpoints. When the agent starts up, it immediately registers itself with the Keeper tenant and starts collecting basic information about the endpoint, including the executables and local user accounts. By default, the Keeper agent goes into a "monitoring" mode, and no action is taken.

Requirements

  • macOS: Sequoia, Sonoma, Tahoe

  • Linux: RedHat 9.4+, Ubuntu 20.04+, Amazon Linux 2, Rocky Linux 9+, Debian 11, 12, SUSE 15sp 2+, AlmaLinux 9.4+

  • Windows: 11, Server 2022 and 2025 (Intel x64 Only)

Encryption

All communications between the Keeper Agent and the Keeper Admin Console are using end-to-end encryption with a zero knowledge architecture, which means that Keeper's servers and employees have no ability to decrypt any information about the endpoint. Only the Keeper Administrator who logs in to the Admin Console can decrypt the endpoint collections and associated metadata.

Deployment Package

From the Endpoint Privilege Manager > Deployments screen, select "New Deployment Package". The Keeper agent can be deployed to any Windows, macOS or Linux endpoint. The executable requires local admin privilege to install the agent. For automatic deployment through your remote management solution or group policy, push out the installer in silent mode using the provided command-line string.

Deployment Collections

When creating a deployment package, the assigned "Collection" name is referenced throughout the privilege manager when applying policies. The collection name typically refers to a group of users sharing a common platform or use case.

Agent Deployment

From the Admin Console UI, copy the installer zip file and download it to your machine. Unzip the file to extract the packages for each specific platform. Copy the deployment token for use in the installer command. A valid deployment token is required to register the Keeper Agent to your tenant.

Always verify the Keeper agent in your sandbox or non-production test environment before installing directly on production systems.

The below documentation covers installation and configuration of the Keeper agent:

Windows installation

1

Download and Unpack

Download the installer via the Keeper Admin Console UI or use the PowerShell commands:

Invoke-WebRequest -Uri "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerWindows.zip" -OutFile "KeeperPrivilegeManagerWindows.zip"
Expand-Archive -Path "KeeperPrivilegeManagerWindows.zip" -DestinationPath "."
Set-Location "windows"
2

Install the Agent

As an Administrator, run the installer with the provided token.

msiexec /i KeeperPrivilegeManager-x-x-x-xxx.msi REGISTRATION_CODE="<token>" /l*v in.txt /quiet

(replace x-x-x-xxx with the version number of the .msi file)

Tips:

  • Ensure that the Keeper Endpoint Privilege Manager service is running.

  • You may need to update your endpoint security product to allow Keeper Privilege Manager services to run.

  • The Keeper Client application will start up automatically on all new login sessions for users on the machine.

Troubleshooting on Windows

To restart the Endpoint Privilege Manager services, we recommend simply rebooting the machine. The service can also be restarted from Services.

The log files are located in:

C:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperLogger\Log>

Uninstall on Windows

To uninstall the Windows agent:

msiexec /x KeeperPrivilegeManager-x-x-x.xxx.msi UNREGISTER_AGENT="true" /l*v out.txt /quiet

To manually register an agent that has already been installed, the below can be invoked:

C:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperRegistration\KeeperRegistration --token="<token>"

Linux Installation

1

Download and Unpack

curl -o KeeperPrivilegeManagerLinux.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerLinux.zip"
unzip KeeperPrivilegeManagerLinux.zip
cd linux
2

Install the Agent

Ubuntu / Debian-based distributions:

sudo KEEPERREGCODE="<token>" dpkg -i keeper-privilege-manager_*.deb

RPM-based distributions (RHEL, Rocky Linux, AlmaLinux, CentOS, Oracle Linux, SUSE Enterprise Server, etc.):

sudo KEEPERREGCODE="<token>" rpm -ivh keeper-privilege-manager-*.rpm

Amazon Linux 2:

sudo KEEPERREGCODE="<token>" yum install -y keeper-privilege-manager-*.rpm

Amazon Linux 2023:

sudo KEEPERREGCODE="<token>" dnf install -y keeper-privilege-manager-*.rpm
3

Optional: Install GNOME Agent UI

For customers using Linux systems running GNOME, the Keeper user interface is available as an extension.

Ensure GNOME Shell is installed on the endpoint:

sudo apt install -y gnome-shell-extension-prefs
or
keepersudo apt install -y gnome-shell-extension-prefs 
(if Keeper is already installed)

Open the GNOME Extensions app (gnome-extensions-app) or Extension Manager from the system menu and toggle all options "ON".

The Keeper EPM icon will then appear in the system tray or top bar, providing access to agent status and controls.

The full UI is available on Linux just like Windows and macOS devices.

Linux sudo usage

After installation, Keeper modifies the PAM module on the device to wrap sudo. Any usage of the sudo command is delegated to keepersudo.

See the Command Line Policy documentation for configuration and usage instructions.

Updating

To update the Agent that has already been registered:

curl -o KeeperPrivilegeManagerLinux.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerLinux.zip"
unzip KeeperPrivilegeManagerLinux.zip
cd linux
keepersudo dpkg -i keeper-privilege-manager_*.deb

To identify which version is running:

dpkg -l keeper-privilege-manager

Troubleshooting on Linux

Error logs will be located in /var/log/syslog or /var/log/messages depending on the flavor of Linux.

To restart the services: 

systemctl restart keeper-privilege-manager

Uninstall on Linux

Uninstalling the Keeper agent varies based on the platform and the install method used above.

Ubuntu / Debian-based distributions:

keepersudo apt remove -y keeper-privilege-manager

To remove and purge all configuration file:

keepersudo apt purge -y keeper-privilege-manager

RPM-based distributions:

keepersudo rpm -e keeper-privilege-manager

On RHEL / Rocky / Alma / CentOS / Oracle Linux:

keepersudo yum remove -y keeper-privilege-manager

or:

keepersudo dnf remove -y keeper-privilege-manager

To manually register an agent that has already been installed, the below can be invoked:

/opt/keeper/sbin/Plugins/bin/KeeperRegistration/KeeperRegistration --token="<token>"

macOS Installation

1

Download and Unpack

curl -o KeeperPrivilegeManagerMacOS.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerMacOS.zip"
unzip KeeperPrivilegeManagerMacOS.zip
cd macos/
chmod +x install_endpoint_privilege_manager.sh

The script will determine which package to install based off of keeper-privilege-manager version number and OS architecture type. It is safe to run with multiple package versions and architectures.

2

Install the Agent

sudo KEEPERREGCODE="<token>" ./install_endpoint_privilege_manager.sh
3

Full Disk Access

Important: The agent must be provided Full Disk Access permission for File Access and Command Line policies to function.

  • Go to: SettingsPrivacy & SecurityFull Disk Access to the KeeperPrivilegeManager application.

  • After full disk access is granted, you can restart the computer, or just reload the agent process by running:

sudo /Library/Keeper/sbin/Plugins/bin/KeeperPamConfig/KeeperPamConfig

The agent is signed from "Callpod Inc." which is the holding company of Keeper Security. All of Keeper's software on macOS and iOS devices are digitally signed by Callpod Inc. due to Apple's policies.

To manually register an agent that has already been installed, the below can be invoked:

/Library/Keeper/sbin/Plugins/bin/KeeperRegistration/KeeperRegistration --token="<token>"

Restarting the service

If a service restart is required on macOS, the following commands can be used:

launchctl unload /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist

launchctl load /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist

Uninstall on macOS

To uninstall the Keeper agent from macOS, run the attached script:

curl -o uninstall_macos.sh "https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/pedm/uninstall_macos.sh"

chmod +x uninstall_macos.sh

keepersudo ./uninstall_macos.sh

Notes:

  • The Keeper Agent will launch for users upon a new login session. Therefore logout/login may be required.

  • The sudo policy controls are documented on the Command Line Policy page.

  • Installation of packages (.pkg) and images (.dmg) requires that the user explicitly opens the request from the Keeper agent UI.

Discovery of Inventory Data

When the agent is installed and deployed to the endpoints, there are 3 types of discovery that is performed on the endpoint:

  • Basic Inventory: Operating system, version, type

  • Account Inventory: Local users and groups

  • File Inventory: All executables on the system

The Keeper Admin Console will receive the discovered inventory as encrypted telemetry data, containing information about the endpoint including:

  • Computer name and type

  • OS information (Windows, macOS, Linux) and version

  • Local user account information

  • Local group account information

  • Installed applications

When deploying Keeper, we recommend installing the agent on reference machines in order to collect as much standardized inventory data as possible, before deploying to your fleet of devices.

The Deployment page displays the endpoint stats organized by collection.

Deployment Dashboard

The collection can be enabled or disabled from the dashboard. When a collection is disabled, the policy engine will no longer apply to those devices.

Enable or Disable Collections of Endpoints

Individual endpoints can also be disabled, to prevent the agent from applying policies.

Enable or Disable individual endpoints

Automation with Commander

Keeper Commander supports deployment automation through our command-line interface, Service Mode REST API and Python SDK. Learn more about Endpoint Privilege Manager commands.

Agent Management

The pedm agent command provides management over individual agents running on the endpoint.

My Vault> pedm agent -h
pedm command [--options]

Command     Description
----------  -------------------------
list        List PEDM agents
edit        Update PEDM agents
delete      Delete PEDM agents
collection  List PEDM agent resources

Deployment

The pedm deployment command provides management over agent deployments.

My Vault> pedm deployment -h
pedm command [--options]

Command    Description
---------  --------------------------------
list       List PEDM deployments
add        Add PEDM deployments
update     Update PEDM deployment
delete     Delete PEDM deployment
download   Download PEDM deployment package

Reports

The pedm report command provides event logs and event reports.

My Vault> pedm report -h
pedm command [--options]
Command    Description
---------  -----------------------------
column     Run column reports
event      Run audit event reports
summary    Run audit summary reports

Next Steps

Once you have deployed the agent, discovery kicks in and generates collections.

PreviousSetupNextCollections

Last updated

Was this helpful?