> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/endpoint-privilege-manager/overview.md).

# Overview

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fml8iK5RrnBwZQltfz0KC%2FPEDM%20Overview.jpg?alt=media&#x26;token=fbd44161-930b-48b9-be1e-c5e30fde2865" alt=""><figcaption></figcaption></figure>

## Overview

Keeper Endpoint Privilege Manager (KEPM) is a **Privileged Elevation and Delegation Management (PEDM)** solution. It controls privilege elevation, file access, application execution, command-line activity, agentic AI activity, and outbound network access across Windows, macOS, and Linux.

KEPM lets users work without standing admin rights. Security teams still get policy control, audit visibility, and consistent enforcement.

<figure><img src="/files/EiLODx6zPMhluoj0MVMV" alt=""><figcaption></figcaption></figure>

### What KEPM does

KEPM helps you:

* Control elevation, file access, commands, AI agents and DNS access
* Remove standing local admin rights
* Require MFA, approval, or justification for sensitive actions
* Enforce policy across Windows, macOS, and Linux
* Audit every decision and workflow outcome

<figure><img src="/files/hyFaR0pJ5ZOXRj8UBoPu" alt=""><figcaption><p>Endpoint Discovery and Governance</p></figcaption></figure>

Policies are defined in the **Keeper Admin Console** and enforced locally by the endpoint agent. Elevation attempts, file access, commands, AI agent actions, policy matches, and approvals are all auditable.

<figure><img src="/files/BWtnNSdzrJpJi7SRf2xC" alt=""><figcaption></figcaption></figure>

KEPM strengthens governance with centralized approvals, detailed audit trails, granular policy controls, AI agent governance, and built-in resilience.

### Core capabilities

* **Agent-based deployment** across Windows, macOS, and Linux
* **Least-privilege enforcement** for users and workloads
* **Just-in-time elevation** at the process or machine level
* **Approval workflows** with MFA and justification
* **Agentic AI detection and governance**
* **DNS-based zero trust controls**
* **Detailed audit and reporting**
* **Integrations** with ITSM and security workflows

### Governance and audit

KEPM gives security teams clear, usable visibility:

* Audit events for elevation, file access, commands, AI activity, and policy evaluation
* Visibility into which policy matched and why
* Tracking for justifications, MFA, and approvals
* Event streams for SIEM and security monitoring tools

The same policy model also supports workflows such as MFA challenges, approval routing, justification capture, redirects, custom filters, and jobs.

### Zero-standing privilege

KEPM helps organizations move to zero-standing privilege:

* Users are not local administrators by default
* Elevation is requested only when needed
* Policies decide whether to allow, deny, require MFA, require justification, or require approval

The **Least Privilege** policy removes local admin rights on managed devices. On **Windows**, users are removed from the local Administrators group. On **macOS** and **Linux**, users are removed from `sudo`.

Privileged actions run through a Keeper-managed **ephemeral account**.

{% hint style="info" %}
For rollout guidance, see [Policy: Phased Rollout Planning](/keeperpam/endpoint-privilege-manager/setup/policy-phased-rollout-planning.md).
{% endhint %}

### Policy coverage

KEPM provides fine-grained, application-aware enforcement.

#### Privilege elevation

* **Target** specific applications, command lines, users, groups, or machines.
* Apply Allow, Deny, MFA, Justification, or Approval actions per policy
* **Elevate processes** without elevating the entire user account
* Grant time-bound elevation using a configurable **duration**

#### File and data access

* Allow, deny, or gate access to files or folders
* Require justification or approval for sensitive access
* Flag individual files as sensitive to trigger approval on access
* Grant time-bound access using a configurable **duration**

#### Command line control

* Define rules for commands or patterns
* Apply policies to CLI-triggered activity
* Govern `sudo` usage through `keepersudo` on macOS and Linux

#### Agentic AI governance

* **Detect** known AI agents (such as GitHub Copilot, Cursor, and Claude Code) and flag unknown processes that behave like AI agents
* **Monitor** agent activity and assign a risk score to the actions agents take
* **Govern** what agents are allowed to do — gate access to sensitive files, privileged commands, or network destinations
* Require **human-in-the-loop approval** (end-user or administrator) before an agent performs a sensitive operation
* Trigger response actions when an agent's **risk score exceeds a defined threshold**

#### Network access

* Evaluate outbound **DNS resolutions** against allowed and denied hostname patterns
* Allow, deny, or hold a query pending justification, MFA, or approval
* Scope controls per user, machine, application, or AI agent
* Issue time-bounded **DNS access grants** so repeated, approved queries proceed without re-evaluation

**Variables**, **wildcards**, and **collections** let you scale policy targeting without maintaining long rule lists.

{% hint style="info" %}
ZTNA DNS controls are available on Windows endpoints.
{% endhint %}

#### Inventory and risk visibility

The Admin Console also surfaces endpoint inventory to support detection and policy authoring:

* **Agentic AI Inventory** for known and possible AI agents
* **Certificate Inventory** with validity status and CVE risk
* **Product Inventory** with software versions and CVE-based risk scoring

<figure><img src="/files/c26Sycp09ElTsQnYRVfC" alt="" width="563"><figcaption></figcaption></figure>

### Admin experience

#### Dashboard

The **Keeper Admin Console** is the central administration console for EPM. The default Dashboard contains all recent events, including any events in monitoring mode.

<figure><img src="/files/EiLODx6zPMhluoj0MVMV" alt=""><figcaption><p>EPM Dashboard</p></figcaption></figure>

From the dashboard, administrators can:

* Activate EPM and manage licensing.
* Create and manage **Policies** across the fleet.
* Define **Collections** for applications, machines, users, DNS names, command-line arguments, and AI agents.
* Configure **Approvers** and approval workflows.
* Manage **Deployment Groups**.
* Monitor **Deployments** and endpoint status.
* Review **AI agent risk** and endpoint inventory.
* Review **Requests** and approval history.
* Access detailed **Audit History** and reporting data.

Administrators manage once in the dashboard. Policies are enforced everywhere by the agent.

#### Deployment groups and targeting

Deployment Groups allow staged rollout and granular targeting.

<figure><img src="/files/WVJ9AkhUalAFSDVzCDI0" alt=""><figcaption><p>Deployment Groups and Targeting</p></figcaption></figure>

You can:

* Deploy in phases (test → pilot → department → enterprise).
* Scope policies by:
  * User or Group
  * Machine
  * Application
  * AI Agent
  * DNS Name
  * Platform
* Tune policy modes using:
  * Off
  * Monitor
  * Monitor & Notify
  * Enforce

This ensures safe rollout and governance precision. Agentic AI policies default to Monitor mode so teams can observe agent behavior before enabling enforcement.

<figure><img src="/files/yjrMMOCQALYyEP3lGaK8" alt=""><figcaption><p>Policies</p></figcaption></figure>

#### KEPM within KeeperPAM

Keeper Endpoint Privilege Manager is part of the broader **KeeperPAM** platform. KeeperPAM combines:

* **Password Management**: Secure storage and rotation of credentials
* **Secrets Management**: Control of application secrets and API keys
* **Zero Trust Network Access**: Secure, verified remote connections
* **Connection Management**: Streamlined access to remote systems
* **Secure Tunneling**: Protected pathways to sensitive resources

KEPM extends Zero Trust principles directly to the endpoint by controlling local privilege, application execution, agentic AI activity, and outbound DNS resolution.

While KeeperPAM secures access to infrastructure, sessions, and credentials, KEPM governs what users and AI agents can do on the endpoint after access is granted.

### End-User Experience

KEPM is designed to enable productivity while maintaining security.

Users running the Keeper agent can see applied policies, approvals, and elevation requests. The UI is available on Windows, macOS, and Linux.

* Users request elevation **when needed**
* Clear dialogs explain **required justification or MFA**
* **Approved actions** proceed seamlessly
* Users may be asked to **approve or deny an AI agent's action** when a policy requires human-in-the-loop review
* Redirects offer **secure alternatives** rather than hard denials
* **Elevation is temporary and policy-controlled**

The experience is consistent across supported platforms.

#### Windows

When a Windows user runs an application that requires elevation:

* The EPM dialog displays justification and/or MFA requirements
* Approval workflows trigger if required
* Elevation is time-bound and policy-controlled

<figure><img src="/files/iOBlEcpSFM9chbPoTQoe" alt="Windows OS Elevation"><figcaption><p>Windows OS Elevation</p></figcaption></figure>

#### macOS

On macOS, elevation and file access controls use the same policy model:

* Users see native-style dialogs for justification or MFA.
* Policies govern GUI apps and command-line tools.

<figure><img src="/files/TlgFhPMtdSBm9Ze33W0i" alt="macOS Elevation"><figcaption><p>macOS Elevation</p></figcaption></figure>

#### Linux and command line

On Linux, EPM enforces policy through controlled elevation flows:

* CLI activity is governed via keepersudo.
* Policy evaluation occurs before privileged execution.

<figure><img src="/files/ia1iF3RxMeFRCmUJ2D95" alt="Linux Device Running GNOME"><figcaption><p>Linux Device Running GNOME</p></figcaption></figure>

On macOS and Linux, Keeper protects `sudo` through the **Command Line** policy type. Users elevate through `keepersudo`.

<figure><img src="/files/JhOhS59DnaluS3OYWlqx" alt="Linux Desktop Running GNOME"><figcaption><p>Linux Desktop Running GNOME</p></figcaption></figure>

In the example below, the user requests elevation to root and an admin approves it.

<figure><img src="/files/ENJsEqoUMoRiXuS6JJ3N" alt="Linux SSH session with elevation request"><figcaption><p>Linux SSH Session with Elevation Request</p></figcaption></figure>

#### Elevation approvals

Administrators can approve requests in the **Keeper Admin Console**, **Commander CLI**, or connected applications.

<figure><img src="/files/YlFPPrrAqZVFv91tXS1T" alt="Approval of a Command Line Elevation Request"><figcaption><p>Approval of a Command Line Elevation Request</p></figcaption></figure>

<figure><img src="/files/D5R9BGXFeo8RU5DthJRU" alt=""><figcaption></figcaption></figure>

#### Operational Flexibility

KEPM supports phased rollout, dynamic configuration, plugin and job management, agent updates with version pinning, scalable targeting with variables and wildcards, and offline registration for air-gapped environments.

#### Integrations

Keeper Endpoint Privilege Manager integrates with popular enterprise tools for approval automation, reporting and alerting. Examples include:

* [ServiceNow](/keeperpam/secrets-manager/integrations/servicenow-workflow.md) - Workflow requests approvals and ITSM ticket generation
* [Jira](/keeperpam/secrets-manager/integrations/jira-workflow.md) - Workflow requests, approvals and ITSM ticket generation
* [Slack App](/keeperpam/secrets-manager/integrations/slack-app.md) - Approve or deny elevation requests from your Slack App
* [Teams](/keeperpam/secrets-manager/integrations/teams-app.md) - Approve or deny elevation requests from your Teams app

#### Automation

Keeper Commander CLI supports full automation of any operation of the endpoint privilege manager workflows, approvals, deployments, discovery, reporting and policy management.

* [Keeper Commander CLI - EPM Commands](/keeperpam/commander-cli/command-reference/endpoint-privilege-manager-commands.md)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/overview.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
