# Getting Started

<figure><img src="/files/wLA5xBBLb08gOwPT4tCc" alt=""><figcaption></figcaption></figure>

Keeper Endpoint Privileged Manager (EPM) helps you control privilege elevation, file access, and command execution across your endpoints. This section walks you through licensing, activation, permissions, deployment overview, and how requests are managed at a high level.

## Setup Steps

Keeper Endpoint Privileged Manager (EPM) helps you control privilege elevation, file access, and command execution across your endpoints. This section walks you through licensing, activation, permissions, deployment overview, and how requests are managed at a high level.

Follow the below steps to start using Endpoint Privilege Manager.

{% stepper %}
{% step %}
**Keeper Enterprise license**

Keeper EPM is part of **Keeper Enterprise**. You need:

* An active **Keeper Enterprise** subscription that includes Endpoint Privileged Manager (EPM).
* Enough **endpoint seats** for the agents you plan to deploy.

Activation and seat allocation are done in the **Keeper Admin Console**. If you’re not sure about your license or EPM entitlement, contact Keeper or your account team.

If you are not a Keeper customer or do not have the required license, you can [start a free trial](https://www.keepersecurity.com/password-manager-free-trial-sign-up.html) from our website. The free trial includes KeeperPAM full capabilities.
{% endstep %}

{% step %}
**Activate Endpoint Privileged Manager**

1. **Log in** to the Keeper Admin Console (dashboard).
2. **Turn on** Endpoint Privileged Manager for your organization. The exact menu may be named “Endpoint Privileged Manager,” “Privilege Manager,” or similar depending on your console version.
3. **Get a registration token** for your agents. You’ll use this when registering each endpoint. The token format is:\
   `hostname:deployment-uid:private-key`\
   Store it securely; you’ll need it for every new agent.

After activation, you can define approvers, collections, policies, and deployment groups, then deploy agents to your endpoints.

<figure><img src="/files/8YQm2lx9JPGLZOrshcFW" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Enable Permissions**

With Endpoint Privilege Manager, an admin role is required with permissions covering end-user privilege.

* Login to the Keeper Admin Console for your region.
* Under **Admin** > **Roles**, create a new role or modify an existing role
* In the Role settings select the "**Administrative Permissions**" tab and select "**Add Managing Node**".
* Activate the "**Manage Privileged Access**" permission.
* Assign yourself or your test admin account to this role.

<figure><img src="/files/WU17wWmOFtqVRo6ZOiAt" alt=""><figcaption><p>Activating the Privilege Manager permissions in the Admin Console</p></figcaption></figure>

{% hint style="warning" %}
**⚠️ Directory Integration Required**

EPM policies targeting user and group collections depend on AD or Entra ID sync to function correctly. The `epm scim` command requires an Active Directory integration in the Keeper Admin Console before use. If this integration is not configured, collections will be incomplete and policy enforcement will not apply as expected. \
\
Visit this [Commander CLI: Endpoint Privilege Manager Commands](/en/keeperpam/commander-cli/command-reference/endpoint-privilege-manager-commands.md) for more information.&#x20;
{% endhint %}
{% endstep %}

{% step %}
**Check the Installation**

Confirm the product is installed in the expected location:

* **Windows:** e.g. `C:\Program Files\KeeperPrivilegeManager`
* **Linux / macOS:** e.g. `/opt/keeper/`

You should see the main executable, configuration file (`appsettings.json`), and folders such as `Plugins/`, `Jobs/`, and `KeeperStorage/`.
{% endstep %}

{% step %}
**Verify and Start the Service**

* **Windows (PowerShell):**\
  Check: `Get-Service | Where-Object {$`*`.Name -match 'keeper' -or $`*`.DisplayName -match 'keeper'} | Select-Object Name, DisplayName, Status`\
  Start: `Get-Service | Where-Object {$`*`.Name -match 'keeper' -or $`*`.DisplayName -match 'keeper'} | Where-Object {$_.Status -ne 'Running'} | Start-Service`
* **Linux (KeeperSudo):**\
  Check: `sudo systemctl status keeper-privilege-manager`\
  Start: `sudo systemctl start keeper-privilege-manager`\
  Optional: `sudo systemctl enable keeper-privilege-manager` for auto-start.
* **macOS:**\
  Use the provided launchd configuration to load and start the Keeper service.
  {% endstep %}
  {% endstepper %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/setup.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.