FAQs

Frequently Asked Questions regarding Keeper Privilege Manager

Does Keeper have endpoint access?

No, Keeper is a zero-knowledge platform. All information collected by the Keeper agent is encrypted on the user's device and can only be decrypted by the Keeper administrator in the Admin Console.

Do Keeper's servers know what programs my employees are running?

No, Keeper is a zero-knowledge platform. All information collected by the Keeper agent is encrypted on the user's device and can only be decrypted by the Keeper administrator in the Admin Console.

How does Keeper provide Just-in-Time access when approval is required?

When approval is required, the request is sent to the Keeper admin and handled through the Admin Console or Commander CLI.

How does Keeper provide Just-in-Time access when there is no approval required?

If the policy applied to the device does not require an approval for the specific event, the Keeper agent will allow the elevation without any additional approval steps. If MFA is required, the user will be asked to present their multi-factor token to proceed.

How does Keeper allow users to elevate when they are offline and do not have an internet connection?

Keeper's agent caches the encrypted policy information locally, so policies continue to be enforced while the user has no internet connection. Once the user is back online, the event logs recorded during the offline period are relayed to the Keeper cloud.

Using KeeperPAM, Privilege Manager and Microsoft LAPS Together

KeeperPAM and Privilege Manager can work seamlessly alongside Microsoft LAPS in organizations that have already invested in LAPS deployment. In this complementary arrangement, LAPS can continue managing the rotation of local administrator passwords on domain-joined computers, while KeeperPAM handles credential management for domain accounts, service accounts, and other privileged credentials that fall outside LAPS's scope. This integration preserves your existing LAPS investment while extending privileged access protection across more systems and account types.

Privilege Manager enhances this security ecosystem by implementing least-privilege enforcement on endpoints. While LAPS focuses on securing the credentials of standing admin accounts, Privilege Manager reduces the need to use those accounts in the first place by enabling temporary privilege elevation for specific tasks. Together, these solutions provide comprehensive coverage: LAPS secures local admin passwords, KeeperPAM manages and controls access to those credentials and other privileged accounts, and Privilege Manager ensures users only receive elevated privileges when necessary and authorized.

How can Keeper replace LAPS?

Keeper offers a more comprehensive approach to privileged access management than Microsoft LAPS. While LAPS only manages local administrator passwords on domain-joined computers, Keeper provides a complete solution through two complementary components:

  1. KeeperPAM handles credential management and rotation for both domain and local accounts

  2. Privilege Manager implements least-privilege policies and just-in-time elevation

Organizations can either replace LAPS entirely with Keeper's solution or use them together during transition periods.

How does KeeperPAM manage credentials on the end-user machines?

KeeperPAM, through the Keeper Gateway, can rotate credentials for:

  • Any domain user account within Active Directory

  • Local administrator accounts on individual machines (requires access via WinRM for Windows or SSH for Linux/macOS)

This means KeeperPAM can manage both centralized domain credentials and decentralized local admin credentials across your environment.

What approach does Privilege Manager take for securing admin access?

Privilege Manager focuses on privilege elevation rather than credential management:

  • Removes users from the local admin groups

  • Requires users to request elevation when admin privileges are needed

  • Policies can require that a default admin account approve or perform elevation requests

  • Provides just-in-time access without exposing admin credentials
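The two endpoint preconditions described in this section and the previous one can be audited before a rollout: which principals currently hold standing membership of the local Administrators group (what least-privilege enforcement removes), and whether WinRM is reachable on the machine (what local administrator rotation over WinRM depends on). The script below is an added example, not Keeper agent or Gateway code. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, an elevated session on the endpoint, and an example baseline of principals allowed to remain in the group (the built-in Administrator and Domain Admins) that you would replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Keeper's code): audit standing local admin membership
# and WinRM readiness on a Windows endpoint.
# Assumptions: Windows PowerShell 5.1+ with the LocalAccounts module; run elevated.

function Get-StandingLocalAdmins {
    [CmdletBinding()]
    param([string]$GroupName = 'Administrators')

    # Example baseline (an assumption for this script): the built-in local
    # Administrator (RID 500) and Domain Admins (RID 512) may stay in the group.
    # Local user RIDs start at 1000, so the leading '-' keeps the match exact.
    $allowedRidSuffixes = @('-500', '-512')

    try {
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$GroupName': $($_.Exception.Message)"
        return @()
    }

    foreach ($m in $members) {
        $sid = $m.SID.Value
        $inBaseline = $allowedRidSuffixes | Where-Object { $sid.EndsWith($_) }
        [pscustomobject]@{
            Name         = $m.Name
            ObjectClass  = $m.ObjectClass      # User or Group
            Source       = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD
            SID          = $sid
            # True for principals that hold standing admin rights outside the
            # baseline: the accounts a least-privilege policy would remove.
            StandingRisk = -not [bool]$inBaseline
        }
    }
}

function Test-WinRmReadiness {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # Each configured listener is a container under WSMan:\localhost\Listener
        # whose child items carry Transport, Port, Address and so on.
        $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
            ForEach-Object {
                $props = Get-ChildItem $_.PSPath
                [pscustomobject]@{
                    Transport = ($props | Where-Object Name -eq 'Transport').Value
                    Port      = ($props | Where-Object Name -eq 'Port').Value
                }
            }
    }

    # Test-WSMan performs an identify request against the local WinRM endpoint.
    $reachable = $false
    try {
        $null = Test-WSMan -ComputerName localhost -ErrorAction Stop
        $reachable = $true
    } catch { }

    [pscustomobject]@{
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Listeners     = $listeners
        HttpsListener = [bool]($listeners | Where-Object Transport -eq 'HTTPS')
        LocalWsManOk  = $reachable
    }
}

# Report: who holds standing local admin rights, and is WinRM ready.
$admins = Get-StandingLocalAdmins
$admins | Format-Table Name, ObjectClass, Source, StandingRisk -AutoSize
$risk = @($admins | Where-Object StandingRisk)
Write-Host ("{0} principal(s) hold standing local admin rights outside the baseline." -f $risk.Count)

$winrm = Test-WinRmReadiness
$winrm | Select-Object ServiceStatus, HttpsListener, LocalWsManOk | Format-List
if (-not $winrm.LocalWsManOk) {
    Write-Warning 'WinRM is not answering locally; rotation of the local admin account over WinRM will fail until remoting is enabled (Enable-PSRemoting).'
}
if ($winrm.LocalWsManOk -and -not $winrm.HttpsListener) {
    Write-Warning 'Only an HTTP listener is configured; an HTTPS listener is preferable for remote credential rotation.'
}
```

Run it once per endpoint (or through your existing management tooling) before removing users from the local Administrators group; the StandingRisk column lists the accounts the least-privilege rollout will affect, and the WinRM summary tells you whether the machine is ready to have its local administrator password rotated remotely.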

What are the options for using Keeper solutions with or without Microsoft LAPS?

Option 1: Replace LAPS with KeeperPAM

  • KeeperPAM manages and rotates both domain and local admin passwords

  • Provides more comprehensive credential management than LAPS

  • Enhances security through vaulting, MFA, and detailed access controls

Option 2: Complement LAPS with Keeper Solutions

  • LAPS continues to manage local admin passwords

  • KeeperPAM manages domain admin and service account credentials

  • Privilege Manager implements least-privilege policies and just-in-time elevation

Option 3: Full Keeper Solution (Most Secure)

  • KeeperPAM manages all admin credentials (domain and local)

  • Privilege Manager implements least-privilege policies

  • Users never need direct access to admin credentials

  • Admin credentials are only used in emergency scenarios

The full Keeper solution (Option 3) provides the most comprehensive approach by addressing both credential management through KeeperPAM and privilege management through Privilege Manager. This effectively renders traditional LAPS unnecessary while providing superior security controls and detailed audit trails.
