Default Jobs
Default Jobs Deployed with Keeper Privilege Manager

Audience: IT admins. This page lists the default jobs that ship with Keeper Privilege Manager and the task(s) each job runs—including which executables or UI apps (e.g. KeeperMFA, KeeperJustification, KeeperApproval) are invoked.
Jobs are defined in the Jobs/ directory. The tables below group them by purpose and show the main task commands or executables used.
Policy Control Jobs
These jobs handle PolicyEvaluationPending events: they run the controls (MFA, justification, approval) and send allow/deny responses.
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| privilege-elevation-policy-controls | Handles PENDING for Privilege Elevation policies. Runs MFA, justification, and approval controls. | Event: PolicyEvaluationPending (PrivilegeElevation, has desktop) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, echo, HTTP (error handler) |
| privilege-elevation-policy-controls-macos | Same as above for macOS (PAM/System Extension flow). | Event: PolicyEvaluationPending (alternate when privilege-elevation-policy-controls condition not met) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast |
| file-access-policy-controls | Handles PENDING for File Access policies. Runs MFA, justification, approval; can create execution grants. | Event: PolicyEvaluationPending (FileAccess) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, HTTP (create-execution-grant) |
| file-access-policy-controls-headless | Headless variant: no UI; sends PENDING/ALLOW/DENY via MQTT. | Event: PolicyEvaluationPending (FileAccess, no desktop) | log-message, publish-mqtt, HTTP (create-execution-grant) |
| default-policy-controls | Handles PENDING for CommandLine and other non–Privilege Elevation / non–File Access policy types. Runs MFA, justification, approval. | Event: PolicyEvaluationPending (not PrivilegeElevation, FileAccess, or HttpAccess; has desktop) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, echo |
| default-policy-controls-headless | Headless variant: forwards PENDING or DENY via MQTT. | Event: PolicyEvaluationPending (alternate when default-policy-controls condition not met) | publish-mqtt |
Privilege Elevation Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| LaunchPrivilegeElevation | Launches the requested app with elevation. Can run redirect check first; then launches elevated process or substitute (e.g. Keeper.NetworkConnections). | Event: LaunchPrivilegeElevation | RedirectEvaluator (check-redirect), publish-mqtt, HTTP (launch-substitute, launch-elevated, create-execution-grant), display-message, cmd |
| LaunchApprovedRequest | Launches an already-approved elevation request (e.g. from keeperAgent). | Event: LaunchApprovedRequest | HTTP (ephemeral/launch API), cmd, publish-mqtt |
| create-approved-request-from-policy-result | Creates an approved request from a policy result so it can be launched later. | Event (from policy controls flow) | publish-mqtt, HTTP, etc. |
File Access Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| GrantFileAccess | Grants temporary file access to a path for a user. | Event or API | KeeperFileAccessPolicyEnforcer (grant) |
| RevertFileAccess | Reverts (removes) a file access grant. | Event or API | KeeperFileAccessPolicyEnforcer (revert) |
| ApplyFileAccessPolicies | Applies file access policy rules (e.g. apply policies from backend). | Event or schedule | KeeperFileAccessPolicyEnforcer |
| FileAccessStartupCleanup | Cleans up expired file access entries on startup. | Event: Startup | KeeperFileAccessPolicyEnforcer or HTTP |
| LaunchFileAccess | Launches an application with the appropriate file access context. | Event: LaunchFileAccess | show-toast, HTTP (launch with file access) |
Inventory Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| inventory-basic | Basic system inventory (machine, OS, etc.). | Schedule or event | KeeperInventoryBasic |
| file-inventory | File-level inventory (e.g. executables). | Schedule (e.g. every 7200 min) | Inventory job executable (e.g. file inventory binary) |
| user-inventory | User account inventory. | Schedule or event | User inventory executable |
Risk Assessment Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| composite-risk-evaluation | Computes composite risk score from location, user, application, machine risk. | Event (e.g. from policy or other jobs) | CompositeRiskEvaluator, echo |
| user-risk-assessment | User risk score. | Event or schedule | Risk assessment executable (parameterized, e.g. UserRiskAssessment) |
| machine-risk-assessment | Machine risk score. | Event or schedule | Risk assessment executable |
| location-risk-assessment | Location risk score. | Event or schedule | Risk assessment executable |
| file-risk-assessment | File risk score. | Event or schedule | File risk assessment executable |
| url-risk-assessment | URL risk score. | Event or schedule | URL risk assessment executable |
Configuration and Maintenance Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| ProcessConfigurationPolicies | Processes configuration policies (e.g. Update Settings, Update Jobs) from the backend. | Event: Startup or schedule | KeeperConfigurationPolicyProcessor |
| registration (agent_registration) | Registers the agent with the Keeper backend. | Event: Startup | KeeperRegistrationHelper |
| log-version-info | Logs version information (e.g. when error threshold reached). | Event (from Logger or manual) | HTTP or script |
| locale-cache-cleanup | Cleans locale cache. | Schedule or event | Script or executable |
| ephemeral-account-cleanup-if-unused | Removes ephemeral account if no longer in use. | Schedule (e.g. every 30 s) | HTTP (ephemeral cleanup endpoint) |
| send-audit-event | Sends an audit event to the backend or logger. | Event | publish-mqtt or HTTP |
| monitor-and-notify-notification | Sends a notification when a policy would have matched in Monitor & Notify mode. | Event | show-toast or publish-mqtt |
| keeperagent-silent-expiration-check | Checks approval expiration silently (e.g. for keeperAgent). | Schedule | HTTP or script |
Notification and UI Launch Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| send-toast | Sends a toast notification to the user. | Event (e.g. from menu or policy) | show-toast (built-in) |
| ShowAgent | Launches the keeperAgent UI on the user’s desktop. | Event: ShowAgent (e.g. from KeeperClient menu) | keeperAgent |
| StartKeeperClient | Starts the KeeperClient system tray application. | Event (e.g. Startup or menu) | KeeperClient |
Least Privilege Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| least-privilege-check | Checks and enforces least-privilege rules (e.g. remove admin from users). | Event or schedule | KeeperLeastPrivilegeEnforcer |
| LaunchLeastPrivilegeEnforcer | Launches KeeperLeastPrivilegeEnforcer (e.g. for CommandLine approval in headless; creates sudoers entry). | Event: LaunchLeastPrivilegeEnforcer | KeeperLeastPrivilegeEnforcer, publish-mqtt |
Error Handling Jobs
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| policy-evaluation-error-handler | Handles policy evaluation errors (e.g. missing file path); sends deny or error response. | Event (triggered by HTTP from other jobs) | display-message, publish-mqtt |
| policy-evaluation-error-handler-headless | Headless variant: no UI; sends response via MQTT. | Event | publish-mqtt |
PAM Configuration Jobs (Linux/macOS)
| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| configure_pam_module | Configures the PAM module for Linux/macOS. | Event or manual | PAM configuration script/executable |
| remove_keeper_pam_module | Removes the Keeper PAM module. | Event or manual | PAM removal script/executable |
Task / Executable Summary
| Task / Executable | Description |
| --- | --- |
| KeeperMfa | MFA UI: user completes multi-factor authentication when policy requires MFA. |
| KeeperJustification | Justification UI: user enters a business reason when policy requires justification. |
| KeeperApproval | Approval UI: sends request to approvers; user or approver sees pending approvals. |
| KeeperMessage | Used by display-message or notifications (messages to the user). |
| display-message | Shows a message dialog to the user (title, body, level). |
| show-toast | Shows a toast notification (OS notification). |
| publish-mqtt | Publishes a message to an MQTT topic (responses, audit, launch events). |
| check-approval-provider | Routes approval to Keeper vs external provider. |
| RedirectEvaluator | Checks whether elevation should be redirected (e.g. to Keeper.NetworkConnections). |
| keeperAgent | Agent UI: manage requests, view status. |
| KeeperClient | System tray app: notifications, menu, launch elevation. |
| KeeperRegistrationHelper | Registers the agent with the Keeper backend. |
| KeeperFileAccessPolicyEnforcer | Grants/reverts file access; applies file access policies. |
| KeeperConfigurationPolicyProcessor | Processes configuration policies (settings, job updates). |
| CompositeRiskEvaluator | Calculates composite risk score. |
| KeeperInventoryBasic | Basic system inventory. |
| KeeperLeastPrivilegeEnforcer | Enforces least privilege (e.g. sudoers, admin removal). |
| HTTP tasks | Call local API (e.g. launch elevated, create execution grant, ephemeral cleanup). |

