Deployment Packages, the Agent, & Requests
This section covers deployment groups, installing the agent, and managing requests so you can roll out Keeper EPM in a controlled way and handle elevation and approval flows.
Deployment Package
A deployment package(sometimes described as a deployment collection) is the way KEPM defines what gets installed on endpoints and which endpoints receive it, so you can roll out KEPM in a controlled, repeatable way.
What is Included in the Deployment Package
A deployment package typically includes:
The KEPM agent installer for the target platform (Windows, macOS, or Linux)
A Registration Token (or equivalent onboarding value) that allows endpoints to register to your Keeper environment after installation
Deployment Package Definition: A targeted rollout unit that bundles the KEPM agent installer and onboarding details (such as a registration token) and applies them to a defined set of endpoints so devices can register and sync the appropriate policies and configuration.
Once installed and registered, the agent can begin receiving configuration and policy updates from the Admin Console.
What it scopes (the “deployment collection”)
The “collection” aspect is the targeting layer that determines which endpoints receive the deployment. It’s used to:
Scope rollout to specific machines and/or users
Stage deployments (pilot group first, then broader rollout)
Ensure endpoints receive the correct policy/config set after registration, based on how they’re grouped and targeted
The Agent
Deployment means getting the Keeper Privilege Manager agent onto each endpoint and registering it so it receives policies from your Keeper deployment.
High-level steps
Obtain Agent Installer
Obtain the agent installer (or package) for your platform (Windows, Linux, or macOS) from your Keeper deployment or account team.
Install Agent
Install the agent on each endpoint using your normal deployment tools (e.g., GPO, MDM, script, or manual install). Install under an account that has local administrator (or root) rights so the service can be installed and started.
Restart the Workstation
Managing Requests
Managing requests means handling the flow when a user asks for something that requires approval, justification, or MFA—and giving approvers a clear way to approve or deny.
What Counts as a “request”
A privilege elevation request (e.g., run as administrator) when a policy requires approval.
Other actions that you’ve configured to require approval, justification, or MFA (e.g., certain file access or commands).
How Requests Flow
Action Triggered
User triggers an action (e.g., right‑click “Run as administrator” or open a controlled app).
Policy Evaluation
Agent evaluates policies and sees that approval (or justification, or MFA) is required.
New Request
Request is created and sent to the Keeper backend (or your integrated approval system).
Approval Request
Approver is notified and can approve or deny in the console or in the approval UI (e.g., KeeperApproval).
Response
Agent receives the result and either allows or blocks the action.
Where You Manage This
Approvers: Define who can approve in the dashboard (see Create Approvers).
Policies: Set which actions require approval, MFA, or justification (see Policies in Detail).
Requests and history: View and audit requests in the Keeper Admin Console so you can see who asked for what and who approved or denied.
By combining collections (who and which machines), policies (what requires approval), and approvers (who can approve), you get fine-grained control without blocking productivity.
Last updated
Was this helpful?