Deployment
Deploying the Keeper Agent to your endpoints

Overview
Deploying Endpoint Privilege Manager is very simple. The admin creates a custom deployment package associated to a collection of endpoints, and pushes the Keeper agent to those endpoints. When the agent starts up, it immediately registers itself with the Keeper tenant and starts collecting basic information about the endpoint, including the executables and local user accounts. By default, the Keeper agent goes into a "monitoring" mode, and no action is taken.
Requirements
macOS: Sequoia, Sonoma
Linux: RedHat 9.4+, Ubuntu 20.04+, Amazon Linux 2, Rocky Linux 9+, Debian 11, 12, SUSE 15sp 2+, AlmaLinux 9.4+
Windows: 11, Server 2022 and 2025
Encryption
All communications between the Keeper Agent and the Keeper Admin Console are using end-to-end encryption with a zero knowledge architecture, which means that Keeper's servers and employees have no ability to decrypt any information about the endpoint. Only the Keeper Administrator who logs in to the Admin Console can decrypt the endpoint collections and associated metadata.
Deployment Package
From the Endpoint Privilege Manager > Deployments screen, select "New Deployment Package". The Keeper agent can be deployed to any Windows, macOS or Linux endpoint. The executable requires local admin privilege to install the agent. For automatic deployment through your remote management solution or group policy, push out the installer in silent mode using the provided command-line string.
Deployment Collections
When creating a deployment package, the assigned "Collection" name is referenced throughout the privilege manager when applying policies. The collection name typically refers to a group of users sharing a common platform or use case.

Discovery of Inventory Data
When the agent is installed and deployed to the endpoints, there are 3 types of discovery that is performed on the endpoint:
Basic Inventory: Operating system, version, type
Account Inventory: Local users and groups
File Inventory: All executables on the system
The Keeper Admin Console will receive the discovered inventory as encrypted telemetry data, containing information about the endpoint including:
Computer name and type
OS information (Windows, macOS, Linux) and version
Local user account information
Local group account information
Installed applications
The Deployment page displays the endpoint stats organized by collection.

The collection can be enabled or disabled from the dashboard. When a collection is disabled, the policy engine will no longer apply to those devices.

Individual endpoints can also be disabled, to prevent the agent from applying policies.

Commander CLI
Keeper Commander supports Deployment management through our command-line interface and Python SDK.
Agent Management
The pedm agent
command provides management over individual agents running on the endpoint.
Deployment
The pedm deployment
command provides management over agent deployments.
Reports
The pedm report
command provides event logs and event reports.
Next Steps
Once you have deployed the agent, discovery kicks in and generates collections.
Last updated
Was this helpful?