Deployment
Deploying the Keeper Agent to your endpoints
Overview
Deploying Keeper Privilege Manager is very simple. The admin creates a custom deployment package associated to a collection of endpoints, and pushes the Keeper agent to those endpoints. When the agent starts up, it immediately registers itself with the Keeper tenant and starts collecting basic information about the endpoint, including the executables and local user accounts. By default, the Keeper agent goes into a "monitoring" mode, and no action is taken.
Encryption
All communications between the Keeper Agent and the Keeper Admin Console are using end-to-end encryption with a zero knowledge architecture, which means that Keeper's servers and employees have no ability to decrypt any information about the endpoint. Only the Keeper Administrator who logs in to the Admin Console can decrypt the endpoint collections and associated metadata.
Deployment Package
From the Privilege Manager > Deployments screen, select "New Deployment Package". The Keeper agent can be deployed to any Windows, macOS or Linux endpoint. The executable requires local admin privilege to install the agent. For automatic deployment through your remote management solution or group policy, push out the installer in silent mode using the provided command-line string.
Deployment Collections
When creating a deployment package, the assigned "Collection" name is referenced throughout the privilege manager when applying policies. The collection name typically refers to a group of users sharing a common platform or use case.
Managing Deployments
As the agent is installed and deployed to the endpoints, the Keeper Admin Console will receive the encrypted telemetry information about the endpoint including:
Computer name and type
OS information (Windows, macOS, Linux) and version
Local user account information
Local group account information
Installed applications
The Deployment page displays the endpoint stats organized by collection.
The collection can be enabled or disabled from the dashboard. When a collection is disabled, the policy engine will no longer apply to those devices.
Individual endpoints can also be disabled, to prevent the agent from applying policies.
Device Collections
When agents are deployed and aggregating information about the endpoints, Keeper automatically creates device collections. A collection is a group of resources. Collections are categorized by the following types:
Applications
Machines
Operating Systems
User Groups
Admins can also create their own custom collections within each category. Click on New Collection to create a collection and assign attributes. For example, a custom collection "Developers" can be created which includes all software engineers. Or a custom collection of type "Machines" might be called "Web Servers" where only web servers are added to the collection. Or as another example, a custom collection of type "Applications" might be called "Developer Tools" where applications such as GitHub.exe or Visual Studio Code is included.
Collections can not contain different resource types. For example a User Group collection can not contain a Machine resource.
Policies can be applied to device collections and deployment collections to control privilege on all of the endpoints. Visit the Policies page to learn more.
Commander CLI
Keeper Commander supports Deployment and Collection management through our command-line interface and Python SDK.
Agent Management
The pedm agent command provides management over individual agents running on the endpoint.
Deployment
The pedm deployment command provides management over agent deployments.
Collections
The pedm collection command provides management over collections.
Reports
The pedm report command provides event logs and event reports.
Next Steps
Once you have deployed the agent, it's time to set up policies.
Last updated
Was this helpful?