# Jobs & Applications
Keeper EPM uses **jobs** to automate policy enforcement, inventory, risk assessment, and maintenance—and **applications** (UI components) to interact with users and approvers. This section gives you a customer-oriented overview. *** ## Jobs **Jobs** are defined tasks that the agent runs. They can be triggered by policy (e.g., when a user requests elevation), on a schedule, or by the dashboard. They give you **automation and consistency** without scripting on each endpoint. Job tasks can run in these four execution modes: * Service — Runs as the service account (default). Trusted context; supports MergeStdoutJsonIntoContext and SkipWhenPluginSettingFalse. * User — Runs in the logged-on user’s session, non-elevated. * UserDesktop — Runs on the user’s desktop session, non-elevated; used for MFA/approval and other resumable UI flows. * UserElevated — Runs elevated in the user context (e.g. on the user’s desktop with elevation). In job JSON you set executionType on each task (e.g. "executionType": "Service"). Default is Service if omitted. ### What Jobs Do (use-case examples) * **Policy control:** Evaluate policies, enforce controls (e.g., launch elevation, request approval), and handle redirects (e.g., send the user to a substitute app instead of the risky one). * **Inventory:** Collect basic or full inventory (machine, user, or file) and report to the backend. * **Risk assessment:** Compute risk scores for users, machines, files, locations, or URLs so policies can allow or restrict based on risk. * **File access:** Grant or revert temporary file access, apply file-access policies, and launch apps with the right file access. * **Privilege elevation:** Launch an app with elevation, launch an approved request, or create an approved request from a policy result. * **Configuration:** Process configuration policies (e.g., push plugin or job settings), register or unregister the agent, and run PAM configuration on Linux/macOS. * **Maintenance:** Log version info, clean caches, send audit events, handle policy evaluation errors, and manage ephemeral accounts. Jobs are configured in the dashboard or via configuration policy; the agent receives the definitions and runs them when the right trigger (policy, schedule, or API) fires. ### Job Reference (summary) | Category | Examples | | ----------------------- | --------------------------------------------------------------------------------------------------------- | | **Risk & inventory** | Composite Risk Evaluator, User/Machine/File/Location/URL Risk Assessment, Inventory Basic/Full/User | | **Policy enforcement** | Configuration Policy Processor, File Access Policy Enforcer, Redirect Evaluator, Least Privilege Enforcer | | **File access** | Grant/Revert File Access, Apply File Access Policies, Launch File Access | | **Privilege elevation** | Launch Privilege Elevation, Launch Approved Request, Create Approved Request from Policy Result | | **Agent lifecycle** | Registration Helper, Unregistration Helper | | **Configuration & PAM** | Process Configuration Policies, PAM Configuration (Linux/macOS) | | **UI & notifications** | Send toast, Show Agent, Start KeeperClient | For an exhaustive list of jobs, please Reference: [Default Jobs](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/reference/default-jobs) You don’t need to edit job definitions by hand unless you’re doing advanced customization; the dashboard and configuration policies are the recommended way to manage them. ## Tasks **Tasks** are the steps inside a job (e.g., “call this API,” “run this script,” “wait for approval”). Some jobs use **distributed binaries**—small programs that run on the endpoint to perform a task. The agent runs these in a controlled way so policy enforcement and automation stay consistent and secure. From a customer perspective, you manage jobs as a whole; the product takes care of running the right tasks and binaries. ## UI Applications These are the **user- and approver-facing** components that make KEPM usable day to day: | Application | Purpose | | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | **KeeperAgent** | Agent UI: status, basic controls, and entry point for user-facing actions. | | **KeeperApproval** | Approval UI: approvers see pending requests and can approve or deny. | | **KeeperJustification** | Justification UI: prompts the user to enter a reason when policy requires it. | | **KeeperMessage** | Messaging/notifications: shows messages and notifications to the user. | | **KeeperMFA** | MFA UI: guides the user through multi-factor authentication when policy requires it. | | **KeeperClient** | System tray / client: tray icon, notifications, and quick access to elevation or other actions. | | **Keeper.NetworkConnections** | Substitute UI for network settings: when you redirect “open network settings” to this app, users get a controlled experience instead of the OS default. | ## Run-As & Elevation Components These components are **not** UI applications; they run processes with the right identity or elevation under policy: | Component | Purpose | | ---------------------- | --------------------------------------------------------- | | **Keeper.RunAs** | Run processes with the appropriate identity under policy. | | **Keeper.RunElevated** | Run processes with privilege elevation under policy. | Together, jobs, UI applications, and these run-as/elevation components give you **automated enforcement** and a **clear experience** for both users and approvers—without exposing internal implementation details.