# Default Jobs
**Audience:** IT admins. This page lists the **default jobs** that ship with Keeper Privilege Manager and the **task(s)** each job runs—including which executables or UI apps (e.g. KeeperMFA, KeeperJustification, KeeperApproval) are invoked. Jobs are defined in the `Jobs/` directory. The tables below group them by purpose and show the main task commands or executables used. *** ### Policy Control Jobs These jobs handle **PolicyEvaluationPending** events: they run the controls (MFA, justification, approval) and send allow/deny responses. | Job ID | Description | Trigger | Main task(s) / executables | | --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **privilege-elevation-policy-controls** | Handles PENDING for **Privilege Elevation** policies. Runs MFA, justification, and approval controls. | Event: PolicyEvaluationPending (PrivilegeElevation, has desktop) | **KeeperMfa**, **KeeperJustification**, **KeeperApproval**, display-message, publish-mqtt, show-toast, check-approval-provider, echo, HTTP (error handler) | | **privilege-elevation-policy-controls-macos** | Same as above for **macOS** (PAM/System Extension flow). | Event: PolicyEvaluationPending (alternate when privilege-elevation-policy-controls condition not met) | **KeeperMfa**, **KeeperJustification**, **KeeperApproval**, display-message, publish-mqtt, show-toast | | **file-access-policy-controls** | Handles PENDING for **File Access** policies. Runs MFA, justification, approval; can create execution grants. | Event: PolicyEvaluationPending (FileAccess) | **KeeperMfa**, **KeeperJustification**, **KeeperApproval**, display-message, publish-mqtt, show-toast, check-approval-provider, HTTP (create-execution-grant) | | **file-access-policy-controls-headless** | Headless variant: no UI; sends PENDING/ALLOW/DENY via MQTT. | Event: PolicyEvaluationPending (FileAccess, no desktop) | log-message, publish-mqtt, HTTP (create-execution-grant) | | **default-policy-controls** | Handles PENDING for **CommandLine** and other non–Privilege Elevation / non–File Access policy types. Runs MFA, justification, approval. | Event: PolicyEvaluationPending (not PrivilegeElevation, FileAccess, or HttpAccess; has desktop) | **KeeperMfa**, **KeeperJustification**, **KeeperApproval**, display-message, publish-mqtt, show-toast, check-approval-provider, echo | | **default-policy-controls-headless** | Headless variant: forwards PENDING or DENY via MQTT. | Event: PolicyEvaluationPending (alternate when default-policy-controls condition not met) | publish-mqtt | *** ### Privilege Elevation Jobs | Job ID | Description | Trigger | Main task(s) / executables | | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | | **LaunchPrivilegeElevation** | Launches the requested app with elevation. Can run redirect check first; then launches elevated process or substitute (e.g. Keeper.NetworkConnections). | Event: LaunchPrivilegeElevation | **RedirectEvaluator** (check-redirect), publish-mqtt, HTTP (launch-substitute, launch-elevated, create-execution-grant), display-message, cmd | | **LaunchApprovedRequest** | Launches an already-approved elevation request (e.g. from keeperAgent). | Event: LaunchApprovedRequest | HTTP (ephemeral/launch API), cmd, publish-mqtt | | **create-approved-request-from-policy-result** | Creates an approved request from a policy result so it can be launched later. | Event (from policy controls flow) | publish-mqtt, HTTP, etc. | *** ### File Access Jobs | Job ID | Description | Trigger | Main task(s) / executables | | ---------------------------- | -------------------------------------------------------------------- | ----------------------- | ------------------------------------------- | | **GrantFileAccess** | Grants temporary file access to a path for a user. | Event or API | **KeeperFileAccessPolicyEnforcer** (grant) | | **RevertFileAccess** | Reverts (removes) a file access grant. | Event or API | **KeeperFileAccessPolicyEnforcer** (revert) | | **ApplyFileAccessPolicies** | Applies file access policy rules (e.g. apply policies from backend). | Event or schedule | **KeeperFileAccessPolicyEnforcer** | | **FileAccessStartupCleanup** | Cleans up expired file access entries on startup. | Event: Startup | **KeeperFileAccessPolicyEnforcer** or HTTP | | **LaunchFileAccess** | Launches an application with the appropriate file access context. | Event: LaunchFileAccess | show-toast, HTTP (launch with file access) | *** ### Inventory Jobs | Job ID | Description | Trigger | Main task(s) / executables | | ------------------- | ------------------------------------------- | ------------------------------ | ----------------------------------------------------- | | **inventory-basic** | Basic system inventory (machine, OS, etc.). | Schedule or event | **KeeperInventoryBasic** | | **file-inventory** | File-level inventory (e.g. executables). | Schedule (e.g. every 7200 min) | Inventory job executable (e.g. file inventory binary) | | **user-inventory** | User account inventory. | Schedule or event | User inventory executable | *** ### Risk Assessment Jobs | Job ID | Description | Trigger | Main task(s) / executables | | ----------------------------- | ----------------------------------------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------- | | **composite-risk-evaluation** | Computes composite risk score from location, user, application, machine risk. | Event (e.g. from policy or other jobs) | **CompositeRiskEvaluator**, echo | | **user-risk-assessment** | User risk score. | Event or schedule | Risk assessment executable (parameterized, e.g. UserRiskAssessment) | | **machine-risk-assessment** | Machine risk score. | Event or schedule | Risk assessment executable | | **location-risk-assessment** | Location risk score. | Event or schedule | Risk assessment executable | | **file-risk-assessment** | File risk score. | Event or schedule | File risk assessment executable | | **url-risk-assessment** | URL risk score. | Event or schedule | URL risk assessment executable | *** ### Configuration and Maintenance Jobs | Job ID | Description | Trigger | Main task(s) / executables | | --------------------------------------- | -------------------------------------------------------------------------------------- | ----------------------------- | -------------------------------------- | | **ProcessConfigurationPolicies** | Processes configuration policies (e.g. Update Settings, Update Jobs) from the backend. | Event: Startup or schedule | **KeeperConfigurationPolicyProcessor** | | **registration** (agent\_registration) | Registers the agent with the Keeper backend. | Event: Startup | **KeeperRegistrationHelper** | | **log-version-info** | Logs version information (e.g. when error threshold reached). | Event (from Logger or manual) | HTTP or script | | **locale-cache-cleanup** | Cleans locale cache. | Schedule or event | Script or executable | | **ephemeral-account-cleanup-if-unused** | Removes ephemeral account if no longer in use. | Schedule (e.g. every 30 s) | HTTP (ephemeral cleanup endpoint) | | **send-audit-event** | Sends an audit event to the backend or logger. | Event | publish-mqtt or HTTP | | **monitor-and-notify-notification** | Sends a notification when a policy would have matched in Monitor & Notify mode. | Event | show-toast or publish-mqtt | | **keeperagent-silent-expiration-check** | Checks approval expiration silently (e.g. for keeperAgent). | Schedule | HTTP or script | *** ### Notification and UI Launch Jobs | Job ID | Description | Trigger | Main task(s) / executables | | --------------------- | ------------------------------------------------------ | ---------------------------------------------- | -------------------------- | | **send-toast** | Sends a toast notification to the user. | Event (e.g. from menu or policy) | **show-toast** (built-in) | | **ShowAgent** | Launches the **keeperAgent** UI on the user’s desktop. | Event: ShowAgent (e.g. from KeeperClient menu) | **keeperAgent** | | **StartKeeperClient** | Starts the **KeeperClient** system tray application. | Event (e.g. Startup or menu) | **KeeperClient** | *** ### Least Privilege Jobs | Job ID | Description | Trigger | Main task(s) / executables | | -------------------------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ---------------------------------------------- | | **least-privilege-check** | Checks and enforces least-privilege rules (e.g. remove admin from users). | Event or schedule | **KeeperLeastPrivilegeEnforcer** | | **LaunchLeastPrivilegeEnforcer** | Launches **KeeperLeastPrivilegeEnforcer** (e.g. for CommandLine approval in headless; creates sudoers entry). | Event: LaunchLeastPrivilegeEnforcer | **KeeperLeastPrivilegeEnforcer**, publish-mqtt | *** ### Error Handling Jobs | Job ID | Description | Trigger | Main task(s) / executables | | -------------------------------------------- | ---------------------------------------------------------------------------------------- | ----------------------------------------- | --------------------------------- | | **policy-evaluation-error-handler** | Handles policy evaluation errors (e.g. missing file path); sends deny or error response. | Event (triggered by HTTP from other jobs) | **display-message**, publish-mqtt | | **policy-evaluation-error-handler-headless** | Headless variant: no UI; sends response via MQTT. | Event | publish-mqtt | *** ### PAM Configuration Jobs (Linux/macOS) | Job ID | Description | Trigger | Main task(s) / executables | | ------------------------------- | ------------------------------------------ | --------------- | ----------------------------------- | | **configure\_pam\_module** | Configures the PAM module for Linux/macOS. | Event or manual | PAM configuration script/executable | | **remove\_keeper\_pam\_module** | Removes the Keeper PAM module. | Event or manual | PAM removal script/executable | *** ### Task / Executable Summary | Task or executable | Purpose | | -------------------------------------- | ----------------------------------------------------------------------------------- | | **KeeperMfa** | MFA UI: user completes multi-factor authentication when policy requires MFA. | | **KeeperJustification** | Justification UI: user enters a business reason when policy requires justification. | | **KeeperApproval** | Approval UI: sends request to approvers; user or approver sees pending approvals. | | **KeeperMessage** | Used by display-message or notifications (messages to the user). | | **display-message** | Shows a message dialog to the user (title, body, level). | | **show-toast** | Shows a toast notification (OS notification). | | **publish-mqtt** | Publishes a message to an MQTT topic (responses, audit, launch events). | | **check-approval-provider** | Routes approval to Keeper vs external provider. | | **RedirectEvaluator** | Checks whether elevation should be redirected (e.g. to Keeper.NetworkConnections). | | **keeperAgent** | Agent UI: manage requests, view status. | | **KeeperClient** | System tray app: notifications, menu, launch elevation. | | **KeeperRegistrationHelper** | Registers the agent with the Keeper backend. | | **KeeperFileAccessPolicyEnforcer** | Grants/reverts file access; applies file access policies. | | **KeeperConfigurationPolicyProcessor** | Processes configuration policies (settings, job updates). | | **CompositeRiskEvaluator** | Calculates composite risk score. | | **KeeperInventoryBasic** | Basic system inventory. | | **KeeperLeastPrivilegeEnforcer** | Enforces least privilege (e.g. sudoers, admin removal). | | **HTTP tasks** | Call local API (e.g. launch elevated, create execution grant, ephemeral cleanup). |