Jobs & Applications

Keeper EPM uses jobs to automate policy enforcement, inventory, risk assessment, and maintenance—and applications (UI components) to interact with users and approvers. This section gives you a customer-oriented overview.

Jobs

Jobs are defined tasks that the agent runs. They can be triggered by policy (e.g., when a user requests elevation), on a schedule, or by the dashboard. They give you automation and consistency without scripting on each endpoint.

Job tasks can run in these four execution modes:

• Service — Runs as the service account (default). Trusted context; supports MergeStdoutJsonIntoContext and SkipWhenPluginSettingFalse.

• User — Runs in the logged-on user’s session, non-elevated.

• UserDesktop — Runs on the user’s desktop session, non-elevated; used for MFA/approval and other resumable UI flows.

• UserElevated — Runs elevated in the user context (e.g. on the user’s desktop with elevation).

In job JSON you set executionType on each task (e.g. "executionType": "Service"). Default is Service if omitted.

What Jobs Do (use-case examples)

• Policy control: Evaluate policies, enforce controls (e.g., launch elevation, request approval), and handle redirects (e.g., send the user to a substitute app instead of the risky one).

• Inventory: Collect basic or full inventory (machine, user, or file) and report to the backend.

• Risk assessment: Compute risk scores for users, machines, files, locations, or URLs so policies can allow or restrict based on risk.

• File access: Grant or revert temporary file access, apply file-access policies, and launch apps with the right file access.

• Privilege elevation: Launch an app with elevation, launch an approved request, or create an approved request from a policy result.

• Configuration: Process configuration policies (e.g., push plugin or job settings), register or unregister the agent, and run PAM configuration on Linux/macOS.

• Maintenance: Log version info, clean caches, send audit events, handle policy evaluation errors, and manage ephemeral accounts.

Jobs are configured in the dashboard or via configuration policy; the agent receives the definitions and runs them when the right trigger (policy, schedule, or API) fires.

Job Reference (summary)

For an exhaustive list of jobs, please Reference: Default Jobs

You don’t need to edit job definitions by hand unless you’re doing advanced customization; the dashboard and configuration policies are the recommended way to manage them.

Tasks

Tasks are the steps inside a job (e.g., “call this API,” “run this script,” “wait for approval”). Some jobs use distributed binaries—small programs that run on the endpoint to perform a task. The agent runs these in a controlled way so policy enforcement and automation stay consistent and secure. From a customer perspective, you manage jobs as a whole; the product takes care of running the right tasks and binaries.

UI Applications

These are the user- and approver-facing components that make KEPM usable day to day:

Run-As & Elevation Components

These components are not UI applications; they run processes with the right identity or elevation under policy:

Together, jobs, UI applications, and these run-as/elevation components give you automated enforcement and a clear experience for both users and approvers—without exposing internal implementation details.