Deploy with macOS

Deploying Keeper EPM on macOS

This page walks you through how to install and set up Keeper Endpoint Privilege Manager (EPM) on macOS devices. It explains what components are installed and why, how to install and register a device, the key differences between macOS versions, and how to confirm that everything is working correctly.

Overview

Keeper EPM runs on macOS using a lightweight background application, known as an agent, that operates on each device. The agent acts as the enforcement layer for your policies by receiving rules from the Keeper Admin Console, monitoring user activity, and applying security controls—such as approvals, MFA, or privilege elevation—when required.

macOS Version Support

System Extension Support

Support for system extensions varies by macOS version. macOS Tahoe (newer versions) provides full support and delivers the best overall experience, while older versions such as Sonoma and Sequoia offer only partial support. When possible, it is recommended to use macOS Tahoe or later to ensure full functionality.

Supported macOS Versions

  • Tahoe (newer) → Full support (best experience)

  • Sonoma / Sequoia (older) → Partial support

What Changes Between macOS Versions?

Feature | Sonoma / Sequoia (older) | Tahoe and later (newer)
Installing applications | Standard users cannot install apps directly and must use KeeperClient | Users can install .pkg files (double-click), .dmg apps (drag-and-drop), or use KeeperClient
File access policies | Some system folders are read-only (e.g., /System/Applications), so policies do not apply there | Broader system-level control with greater policy flexibility
Command line controls (non-elevated) | Not supported | Supported
Command line controls (elevated / sudo) | Supported | Supported

What This Means for You

For the best experience, it is recommended to use macOS Tahoe or later, as it provides full feature support. On older versions such as Sonoma or Sequoia, you should use KeeperClient for application installations, avoid targeting restricted system folders, and expect some limitations in policy enforcement and functionality.

Deployment Packages

How you can deploy Keeper Endpoint Privilege Manager

You have several deployment options depending on your environment. Manual installation is suitable for testing or small rollouts, while scripts provide a flexible way to automate deployment. For larger organizations, MDM tools such as Jamf or Intune are typically the best choice, offering centralized management and consistency across devices. Most customers use MDM-based deployment to achieve scalable and reliable rollouts.

Before You Start (Prerequisite Checklist)

  • A Keeper tenant with EPM enabled

  • A registration token from the Admin Console

  • The macOS installer package

  • Admin access on the device

  • Network access (HTTPS on port 6889 by default)

Deployment Steps

Step 1: Download & Unpack

From the Admin Console, navigate to Endpoint Privilege Manager then click on "Deployments" to view your deployment packages.

Click on the deployment package that you wish to deploy to a macOS workstation. Under "Select Package Files" select "Mac".

Step 2: Install the Agent

The macOS package is distributed as a zip file containing the following files:

File | Description
install_endpoint_privilege_manager.sh | Installation script
keeper-privilege-manager-x.x.x.x.arm64.pkg | Package for Apple Silicon (ARM64)
keeper-privilege-manager-x.x.x.x.x86_64.pkg | Package for Intel (x86_64)
uninstall_endpoint_privilege_manager.sh | Uninstallation script

The install script automatically detects the system architecture, selects the appropriate package, installs it, and registers the agent with the provided deployment token.

To install, run the following from a terminal:

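The following added script is not Keeper's install_endpoint_privilege_manager.sh; it illustrates the same detect, select, install sequence the page describes, with a signature check before the package is installed. Assumptions not taken from the page: the unpacked zip is in the directory passed as the first argument, the identity string printed by pkgutil contains "Callpod Inc." (the page states the agent is signed by Callpod Inc.), and the script is run as root, which installer requires.

```shell
#!/bin/sh
# Added illustration, not Keeper's installer. Run as root on the target Mac.
set -e

# Pick the .pkg matching a CPU architecture from the unpacked deployment zip.
# $1 = directory containing the packages, $2 = "arm64" or "x86_64".
# Prints the path; returns 1 if there is not exactly one matching package.
select_pkg() {
  dir=$1; arch=$2
  case $arch in
    arm64|x86_64) ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
  set -- "$dir"/keeper-privilege-manager-*."$arch".pkg
  if [ $# -ne 1 ] || [ ! -f "$1" ]; then
    echo "no single package for $arch in $dir" >&2
    return 1
  fi
  printf '%s\n' "$1"
}

# Native architecture. A shell running under Rosetta reports x86_64 from
# uname, but hw.optional.arm64 is 1 on Apple Silicon either way (macOS only).
host_arch() {
  if [ "$(sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]; then
    echo arm64
  else
    uname -m
  fi
}

# pkgutil validates the signature chain to Apple's root; we additionally
# require the expected Developer ID so a swapped package in the MDM repo
# is refused. $1 = package path, $2 = expected signer substring.
verify_pkg() {
  pkg=$1; signer=${2:-"Callpod Inc."}
  out=$(pkgutil --check-signature "$pkg") || { echo "signature check failed: $pkg" >&2; return 1; }
  echo "$out" | grep -q "$signer" || { echo "unexpected signer for $pkg" >&2; return 1; }
}

# Detect, select, verify, install. $1 = directory with the unpacked zip.
install_epm() {
  pkg=$(select_pkg "$1" "$(host_arch)")
  verify_pkg "$pkg"
  installer -pkg "$pkg" -target /
}

# The deployment token is deliberately not handled here: pass it to the
# registration step from an MDM script parameter, never from script text.
if [ "${1:-}" = "--install" ]; then
  install_epm "${2:-.}"
fi
```

Usage: `sudo sh install-illustration.sh --install /path/to/unpacked/zip`. The functions are separable, so `select_pkg` and `verify_pkg` can also be dropped into an MDM pre-install check without running the install.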

Step 3: Full Disk Access

Important: The agent must be provided Full Disk Access permission for File Access and Command Line policies to function.

  • Go to System Settings > Privacy & Security > Full Disk Access and enable access for the KeeperPrivilegeManager application.

  • After full disk access is granted, it may take up to two minutes for configurations to be updated.

Note: The agent is signed by "Callpod Inc.", the holding company of Keeper Security. All of Keeper's software on macOS and iOS devices is digitally signed by Callpod Inc. due to Apple's policies.

Step 4: Starting/Restarting the Service

Starting the Service

Keeper runs in the background as a launchd job (macOS's service manager).

Start it with:

Check it’s running:

Restarting the Service

If a service restart is required on macOS, the following commands can be used:

Step 5: Check That It's Healthy

Make sure the agent is working:

You should see a successful response.

This confirms the service is running and responsive (the agent exposes a local health endpoint for monitoring).

Step 6: Register the Device

Now connect the device to your Keeper environment.

This step is what links the Mac to your organization so it can receive policies.

Check registration:

You should see:

  • Registered = true

  • Deployment ID present

Step 7: (Optional) Deploy with MDM

For large environments, use Jamf, Intune, or another MDM.

Typical workflow

  1. Upload the PKG installer

  2. Deploy it to devices

  3. Run a script to:

    • Start the service

    • Register the device

Example:

Step 8: Validate Everything

After deployment, confirm:

1. Service is running

2. Health check works

3. Device is registered

4. Plugins are active (optional)

You should see key components like:

  • KeeperAPI

  • KeeperPolicy

These are core to how policies are evaluated and enforced.

What Happens After Installation

After installation, the agent is placed in /Library/Keeper/ and the background service starts automatically. The device begins collecting system data and synchronizes policies from the Keeper Admin Console.

On some systems, users may see prompts related to system extensions or security permissions. These prompts can typically be pre-approved using MDM tools to ensure a seamless deployment experience.

What the User Experiences

Most of the deployment process is invisible to end users. Installation is typically silent and does not require any interaction.

After setup, users will only see prompts when policies apply, such as for MFA, approval, or privilege elevation. This aligns with Keeper’s goal of allowing users to do their work while ensuring those actions are performed securely.

Default Behavior After Deployment

After deployment, the agent starts in Monitor mode, where policies are evaluated but not actively enforced. This allows you to safely test and validate policy behavior before enabling enforcement.

Uninstall on macOS

To uninstall the Keeper agent from macOS, run the uninstall script (uninstall_endpoint_privilege_manager.sh) that ships in the deployment package alongside the install script.

Notes:

  • The Keeper Agent launches for users at the start of a new login session, so a logout/login may be required.

  • The sudo policy controls are documented on the Command Line Policy page.

Logs (If You Need Them)

To view recent activity, you can use the following command:

Logs are rotated automatically, and retention is managed by the macOS logging system.

For greater detail, access the logs directly at:

Important Notes & Common Adjustments

Permissions & Security Prompts

macOS may require approval for certain security-related components during deployment, including system extensions and Security & Privacy permissions. These prompts can be pre-approved using MDM tools to ensure a smooth and non-interactive user experience.

Protect Your Token

Registration tokens are sensitive credentials and should be handled securely. They should not be hardcoded in scripts and instead should be managed using secure MDM variables or other protected delivery methods. Additionally, tokens should be rotated as needed to reduce the risk of exposure.

Timing Issues

If registration fails, it may be because the service has not fully initialized yet. In these cases, increasing the delay before running the registration command—for example, from sleep 20 to sleep 40—can help ensure the service is ready.
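For the MDM post-install script in Step 7, the service check in Steps 4 and 8, and the timing note above, the added script below (not Keeper's) replaces a fixed sleep with a bounded poll: it finds the agent's launchd job, waits until launchd reports it running, then runs whatever registration command is passed in. Assumptions not taken from the page: the daemon's plist lives in /Library/LaunchDaemons and mentions "Keeper", `launchctl print system/<label>` prints `state = running` for a running job, and the Step 6 registration command is supplied by the caller as arguments.

```shell
#!/bin/sh
# Added example: wait for the launchd job instead of sleeping a fixed time.
# Label discovery and the "state = running" check are assumptions.

# Extract the launchd Label from an XML plist file. $1 = plist path
plist_label() {
  tr -d '\n' < "$1" | sed -n 's/.*<key>Label<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Find the Keeper daemon's label by scanning the LaunchDaemons directory.
# $1 = directory (defaults to /Library/LaunchDaemons)
keeper_daemon_label() {
  for f in "${1:-/Library/LaunchDaemons}"/*.plist; do
    [ -f "$f" ] || continue
    if grep -qi keeper "$f"; then
      plist_label "$f"
      return 0
    fi
  done
  return 1
}

# Is the job loaded and running in the system domain? $1 = label (macOS only)
service_running() {
  launchctl print "system/$1" 2>/dev/null | grep -q 'state = running'
}

# Poll a check command until it succeeds or the deadline passes.
# $1 = timeout seconds, $2 = poll interval seconds, rest = command to run.
wait_for() {
  timeout=$1; interval=$2; shift 2
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if "$@"; then return 0; fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  echo "timed out after ${timeout}s waiting for: $*" >&2
  return 1
}

# MDM post-install entry point: wait_then_register <registration command...>
# Fails loudly rather than racing the agent or hanging forever.
wait_then_register() {
  label=$(keeper_daemon_label) || { echo "no Keeper launchd job found" >&2; return 1; }
  wait_for 120 5 service_running "$label" || return 1
  "$@"
}
```

Keep the registration token out of the script body: read it from the MDM script parameter and pass it to the command you hand to `wait_then_register`, so a failed or slow start produces a timeout error in the MDM log instead of a silent registration failure.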

Path Limitations (Older macOS)

On older macOS versions, certain system directories are restricted and cannot be controlled by policy. For example, paths under /System/* are typically read-only and should not be targeted.

Instead, use supported locations such as /Users and /Applications, where policies can be applied more reliably.

Troubleshooting

Service not running

If the service is not running, verify that the launchd configuration is properly loaded and configured. You should also review system logs to identify any errors or issues preventing the service from starting.

Device not registering

If a device is not registering, first verify that the registration token is correct. Then check that the device has proper network access, and ensure that the Keeper service is running before attempting registration.

Policies not working

If policies are not working as expected, check that the macOS version supports the required features, avoid targeting restricted system paths, and confirm that the device has been successfully registered.

Summary

Deploying Keeper EPM on macOS allows you to:

  • Secure Apple devices with the same policy model as other platforms

  • Control privilege elevation, file access, and commands

  • Scale deployment easily with MDM tools

For the best results, use macOS Tahoe or later.
