Deploying the Keeper Agent to your endpoints
Deploying Endpoint Privilege Manager is very simple. The admin creates a custom deployment package associated to a collection of endpoints, and pushes the Keeper agent to those endpoints. When the agent starts up, it immediately registers itself with the Keeper tenant and starts collecting basic information about the endpoint, including the executables and local user accounts. By default, the Keeper agent goes into a "monitoring" mode, and no action is taken.
macOS: Sequoia, Sonoma, Tahoe
Linux: RedHat 9.4+, Ubuntu 20.04+, Amazon Linux 2, Rocky Linux 9+, Debian 11, 12, SUSE 15sp 2+, AlmaLinux 9.4+
Windows: 11, Server 2022 and 2025 (Intel x64 Only)
All communications between the Keeper Agent and the Keeper Admin Console are using end-to-end encryption with a zero knowledge architecture, which means that Keeper's servers and employees have no ability to decrypt any information about the endpoint. Only the Keeper Administrator who logs in to the Admin Console can decrypt the endpoint collections and associated metadata.
From the Endpoint Privilege Manager > Deployments screen, select "New Deployment Package". The Keeper agent can be deployed to any Windows, macOS or Linux endpoint. The executable requires local admin privilege to install the agent. For automatic deployment through your remote management solution or group policy, push out the installer in silent mode using the provided command-line string.
When creating a deployment package, the assigned "Collection" name is referenced throughout the privilege manager when applying policies. The collection name typically refers to a group of users sharing a common platform or use case.
From the Admin Console UI, copy the installer zip file and download it to your machine. Unzip the file to extract the packages for each specific platform. Copy the deployment token for use in the installer command. A valid deployment token is required to register the Keeper Agent to your tenant.
Always verify the Keeper agent in your sandbox or non-production test environment before installing directly on production systems.
The below documentation covers installation and configuration of the Keeper agent:
Tips:
Ensure that the Keeper Endpoint Privilege Manager service is running.
You may need to update your endpoint security product to allow Keeper Privilege Manager services to run.
The Keeper Client application will start up automatically on all new login sessions for users on the machine.
To restart the Endpoint Privilege Manager services, we recommend simply rebooting the machine. The service can also be restarted from Services.
The log files are located in:
To uninstall the Windows agent:
To manually register an agent that has already been installed, the below can be invoked:
After installation, Keeper modifies the PAM module on the device to wrap sudo. Any usage of the sudo command is delegated to keepersudo.
See the documentation for configuration and usage instructions.
To update the Agent that has already been registered:
To identify which version is running:
Error logs will be located in /var/log/syslog or /var/log/messages depending on the flavor of Linux.
To restart the services:
Uninstalling the Keeper agent varies based on the platform and the install method used above.
Ubuntu / Debian-based distributions:
To remove and purge all configuration file:
RPM-based distributions:
On RHEL / Rocky / Alma / CentOS / Oracle Linux:
To manually register an agent that has already been installed, the below can be invoked:
To manually register an agent that has already been installed, the below can be invoked:
If a service restart is required on macOS, the following commands can be used:
To uninstall the Keeper agent from macOS, run the attached script:
Notes:
The Keeper Agent will launch for users upon a new login session. Therefore logout/login may be required.
The sudo policy controls are documented on the page.
Installation of packages (.pkg) and images (.dmg) requires that the user explicitly opens the request from the Keeper agent UI.
When the agent is installed and deployed to the endpoints, there are 3 types of discovery that is performed on the endpoint:
Basic Inventory: Operating system, version, type
Account Inventory: Local users and groups
File Inventory: All executables on the system
The Keeper Admin Console will receive the discovered inventory as encrypted telemetry data, containing information about the endpoint including:
Computer name and type
OS information (Windows, macOS, Linux) and version
Local user account information
Local group account information
The Deployment page displays the endpoint stats organized by collection.
The collection can be enabled or disabled from the dashboard. When a collection is disabled, the policy engine will no longer apply to those devices.
Individual endpoints can also be disabled, to prevent the agent from applying policies.
Keeper Commander supports deployment automation through our command-line interface, Service Mode and Python SDK. about Endpoint Privilege Manager commands.
The pedm agent command provides management over individual agents running on the endpoint.
The pedm deployment command provides management over agent deployments.
The pedm report command provides event logs and event reports.
Once you have deployed the agent, discovery kicks in and generates .
As an Administrator, run the installer with the provided token.
(replace x-x-x-xxx with the version number of the .msi file)
Ubuntu / Debian-based distributions:
RPM-based distributions (RHEL, Rocky Linux, AlmaLinux, CentOS, Oracle Linux, SUSE Enterprise Server, etc.):
Amazon Linux 2:
Amazon Linux 2023:
For customers using Linux systems running GNOME, the Keeper user interface is available as an extension.
Ensure GNOME Shell is installed on the endpoint:
Open the GNOME Extensions app (gnome-extensions-app) or Extension Manager from the system menu and toggle all options "ON".
The Keeper EPM icon will then appear in the system tray or top bar, providing access to agent status and controls.
The full UI is available on Linux just like Windows and macOS devices.
Important: The agent must be provided Full Disk Access permission for File Access and Command Line policies to function.
Go to: Settings → Privacy & Security → Full Disk Access to the KeeperPrivilegeManager application.
After full disk access is granted, you can restart the computer, or just reload the agent process by running:
sudo apt install -y gnome-shell-extension-prefs
or
keepersudo apt install -y gnome-shell-extension-prefs
(if Keeper is already installed)Invoke-WebRequest -Uri "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerWindows.zip" -OutFile "KeeperPrivilegeManagerWindows.zip"
Expand-Archive -Path "KeeperPrivilegeManagerWindows.zip" -DestinationPath "."
Set-Location "windows"C:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperLogger\Log>msiexec /x KeeperPrivilegeManager-x-x-x.xxx.msi UNREGISTER_AGENT="true" /l*v out.txt /quietC:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperRegistration\KeeperRegistration --token="<token>"curl -o KeeperPrivilegeManagerLinux.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerLinux.zip"
unzip KeeperPrivilegeManagerLinux.zip
cd linuxcurl -o KeeperPrivilegeManagerLinux.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerLinux.zip"
unzip KeeperPrivilegeManagerLinux.zip
cd linux
keepersudo dpkg -i keeper-privilege-manager_*.debdpkg -l keeper-privilege-managersystemctl restart keeper-privilege-managerkeepersudo apt remove -y keeper-privilege-managerkeepersudo apt purge -y keeper-privilege-managerkeepersudo rpm -e keeper-privilege-managerkeepersudo yum remove -y keeper-privilege-manager
or:
keepersudo dnf remove -y keeper-privilege-manager/opt/keeper/sbin/Plugins/bin/KeeperRegistration/KeeperRegistration --token="<token>"curl -o KeeperPrivilegeManagerMacOS.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerMacOS.zip"
unzip KeeperPrivilegeManagerMacOS.zip
cd macos/
chmod +x install_endpoint_privilege_manager.sh/Library/Keeper/sbin/Plugins/bin/KeeperRegistration/KeeperRegistration --token="<token>"launchctl unload /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist
launchctl load /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plistcurl -o uninstall_macos.sh "https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/pedm/uninstall_macos.sh"
chmod +x uninstall_macos.sh
keepersudo ./uninstall_macos.shMy Vault> pedm agent -h
pedm command [--options]
Command Description
---------- -------------------------
list List PEDM agents
edit Update PEDM agents
delete Delete PEDM agents
collection List PEDM agent resourcesMy Vault> pedm deployment -h
pedm command [--options]
Command Description
--------- --------------------------------
list List PEDM deployments
add Add PEDM deployments
update Update PEDM deployment
delete Delete PEDM deployment
download Download PEDM deployment packageMy Vault> pedm report -h
pedm command [--options]
Command Description
--------- -----------------------------
column Run column reports
event Run audit event reports
summary Run audit summary reportsmsiexec /i KeeperPrivilegeManager-x-x-x-xxx.msi REGISTRATION_CODE="<token>" /l*v in.txt /quietsudo KEEPERREGCODE="<token>" dpkg -i keeper-privilege-manager_*.debsudo KEEPERREGCODE="<token>" rpm -ivh keeper-privilege-manager-*.rpmsudo KEEPERREGCODE="<token>" yum install -y keeper-privilege-manager-*.rpmsudo KEEPERREGCODE="<token>" dnf install -y keeper-privilege-manager-*.rpmsudo KEEPERREGCODE="<token>" ./install_endpoint_privilege_manager.shsudo /Library/Keeper/sbin/Plugins/bin/KeeperPamConfig/KeeperPamConfig
