Plugins & Settings

Keeper EPM runs as a service with plugins that handle policy, communication, logging, and user interaction. Settings let you tune behavior without reinstalling. This section explains what matters to you as a customer.
Plugins
Plugins are components that extend what the agent can do. They run alongside the main service and are started automatically in normal operation. You don’t install them separately; they’re part of the product.
What Each Plugin Does (Summary)
KeeperAPI
Talks to the Keeper backend: registration, policy sync, and reporting. Required for cloud-managed deployments.
Platforms: Linux, macOS, Windows

KeeperPolicy
Evaluates policies on the endpoint: decides allow/deny, MFA, approval, justification. Core of policy enforcement.
Platforms: Linux, macOS, Windows

Logger (KeeperLogger)
Centralized logging: level, retention, and where logs go. Helps with troubleshooting and compliance.
Platforms: Linux, macOS, Windows

KeeperUSession
User-session handling so the agent can work correctly in multi-user or session scenarios.
Platforms: Windows only

KeeperClient
System tray and client UI: notifications, tray icon, and user-facing actions.
Platforms: Linux, macOS, Windows

PAM Module
Core endpoint component that enforces PAM policies locally and coordinates actions like elevation, approvals, and auditing with the backend.
Platforms: Linux, macOS

System Extension
macOS system-level extension that provides the required OS hooks to monitor and enforce PAM controls (e.g., process/file activity) on Mac devices.
Platforms: macOS

Other components (e.g., RunAs, RunElevated, approval/justification/MFA UIs) may appear as separate executables or jobs; they work with these plugins to deliver the full experience.
Do You Need to “Manage” Plugins?
In typical use, no. The product starts and monitors the required plugins. If you change settings (see below), you may need to restart a plugin or the service for changes to take effect; the dashboard or your operations runbook will indicate when that’s needed.
Settings
Settings control how the agent and its plugins behave. There are two levels that matter to you:
Plugin Settings
Each plugin can have its own options, for example:
KeeperPolicy: Broker (messaging) host/port, subscription topics, HTTPS port for local calls, timeouts, rate limits, and whether policies apply to administrators when no policy matches (enforce-for-admins behavior).
KeeperAPI: Backend URL, sync interval, and similar.
Logger: Log level, file path, retention, rotation.
You can change these from the dashboard (e.g., via configuration or “Update Settings” policies) so that all agents in a deployment group get the same behavior. After a change, the product may need to restart the plugin or service to apply it; follow the guidance in the console.
Global Settings
Global settings apply to the whole agent: ports (HTTP/HTTPS, MQTT), paths (storage, plugins), logging levels, and similar. They live in the agent’s configuration file, appsettings.json, and are typically set there or pushed via the dashboard. Again, the dashboard is the preferred place to manage them so you don’t have to edit files on each endpoint.
Reverting or Refreshing Settings
If your deployment supports it, you can revert plugin settings to the values from the last configuration push (or from the default config). That’s useful when a change didn’t work as expected or you want to roll back. The exact action (“Revert settings,” “Refresh from dashboard,” etc.) depends on your console; the result is that the agent picks up the intended configuration again.
Summary
Plugins are the engine (policy, API, logging, client); settings are the knobs you use to tune behavior from the dashboard. You get control without needing to open developer or administrator documentation.

