# Deployment Packages, the Agent, & Requests

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FlZuxVSd2evg7N3KZEg2B%2FGetting%20Started%20-%20Deployment%20Packages%2C%20the%20Agent%2C%20%26%20Requests.png?alt=media&#x26;token=62a712e6-72cc-4608-aa43-459a0bd77424" alt=""><figcaption></figcaption></figure>

This section covers **deployment groups**, **installing the agent**, and **managing requests** so you can roll out Keeper EPM in a controlled way and handle elevation and approval flows.

## Deployment Package

A **deployment package**(sometimes described as a **deployment collection**) is the way KEPM defines **what gets installed** on endpoints and **which endpoints receive it**, so you can roll out KEPM in a controlled, repeatable way.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FyPnH6deWzDWmWOoFP5U8%2Fdeployments_email_JDoe_full.png?alt=media&#x26;token=972a6805-a6af-40c9-adfc-207796d8194f" alt=""><figcaption></figcaption></figure>

#### What is Included in the Deployment Package

A deployment package typically includes:

* The **KEPM agent installer** for the target platform (Windows, macOS, or Linux)
* A **Registration Token** (or equivalent onboarding value) that allows endpoints to **register** to your Keeper environment after installation

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FAfUefCV3mjRiJnDoUcVy%2Fimage.png?alt=media&#x26;token=8d14af53-2323-4e4b-8d36-6f5fc146c54c" alt="" width="375"><figcaption></figcaption></figure>

**Deployment Package Definition:** A targeted rollout unit that bundles the KEPM agent installer and onboarding details (such as a registration token) and applies them to a defined set of endpoints so devices can register and sync the appropriate policies and configuration.

Once installed and registered, the agent can begin receiving configuration and policy updates from the Admin Console.

#### What it scopes (the “deployment collection”)

The “collection” aspect is the **targeting layer** that determines **which endpoints** receive the deployment. It’s used to:

* **Scope rollout** to specific machines and/or users
* **Stage deployments** (pilot group first, then broader rollout)
* Ensure endpoints receive the **correct policy/config set** after registration, based on how they’re grouped and targeted

## The Agent

**Deployment** means getting Keeper's Endpoint Privilege Manager agent onto each endpoint and registering it so it receives policies from your Keeper deployment.

#### High-level steps

{% stepper %}
{% step %}
**Obtain Agent Installer**

**Obtain the agent installer** (or package) for your platform (Windows, Linux, or macOS) from your Keeper deployment or account team.
{% endstep %}

{% step %}
**Install Agent**

**Install the agent** on each endpoint using your normal deployment tools (e.g., GPO, MDM, script, or manual install). Install under an account that has local administrator (or root) rights so the service can be installed and started.
{% endstep %}

{% step %}
**Restart the Workstation**
{% endstep %}
{% endstepper %}

## Managing Requests

**Managing requests** means handling the flow when a user asks for something that requires approval, justification, or MFA—and giving approvers a clear way to approve or deny.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FOUNbrHFrtH1XNCl5j4DE%2Fedited_email_full.png?alt=media&#x26;token=08216dff-8845-4bd0-9ee0-76dc28f3ba9c" alt=""><figcaption></figcaption></figure>

#### What Counts as a “request”

* A **privilege elevation** request (e.g., run as administrator) when a policy requires approval.
* Other actions that you’ve configured to require approval, justification, or MFA (e.g., certain file access or commands).

#### How Requests Flow

{% stepper %}
{% step %}
**Action Triggered**

**User** triggers an action (e.g., right‑click “Run as administrator” or open a controlled app).
{% endstep %}

{% step %}
**Policy Evaluation**

**Agent** evaluates policies and sees that approval (or justification, or MFA) is required.
{% endstep %}

{% step %}
**New Request**

**Request is created** and sent to the Keeper backend (or your integrated approval system).
{% endstep %}

{% step %}
**Approval Request**

**Approver** is notified and can approve or deny in the console or in the approval UI (e.g., KeeperApproval).
{% endstep %}

{% step %}
**Response**

**Agent** receives the result and either allows or blocks the action.
{% endstep %}
{% endstepper %}

#### Where You Manage This

* **Approvers:** Define who can approve in the dashboard (see [Create Approvers](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/setup/create-approvers-collections-and-policies)).
* **Policies:** Set which actions require approval, MFA, or justification (see [Policies in Detail](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/setup/policies)).
* **Requests and history:** View and audit requests in the Keeper Admin Console so you can see who asked for what and who approved or denied.

By combining **collections** (who and which machines), **policies** (what requires approval), and **approvers** (who can approve), you get fine-grained control without blocking productivity.