# Endpoint Privilege Manager 1.2

## Overview

Keeper Endpoint Privilege Manager (KEPM) version 1.2 represents a **significant step forward in cross-platform endpoint privilege enforcement**, with the largest concentration of new capability on macOS. The macOS System Extension has been substantially expanded to intercept and enforce privilege elevation, file access, and command-line policies at the kernel level — covering both elevated and non-elevated processes on macOS Tahoe and later. This foundational work enables a new class of policy coverage that was previously unavailable on the platform.

Building on the System Extension, this release adds native `.pkg` and `.dmg` installation workflows, wildcard and DMG-targeted file access policies, app upgrade interception via Sparkle, and non-elevated command-line enforcement. Mac users also gain native notification support through KeeperNotify, a new Swift-based companion app that integrates directly with the macOS Notification Center. Installation and packaging have been overhauled as well, with a reordered install flow, a new App Bundle wrapper for Full Disk Access, and a bundled uninstall script.

On Linux, file access approvals now correctly launch the approved application after permissions are granted, and packaging has been updated to include ARM support, binary signing, and corrected installation script paths. On Windows, KEPM policy evaluation now works correctly in Azure AD-joined environments, and a new token-based elevation technique allows profile-aware applications such as AutoCAD to receive elevated privileges without promoting the user to a permanent admin.

Across all platforms, this release includes security hardening for the macOS System Extension, race-condition-safe file operations for sudoers management, signing certificate filter support in policy evaluation, KeeperClient and CLI feature parity, and gateway password rotation compatibility. Documentation additions cover the Watchdog service, process redirection, custom policy authoring, Windows hardware requirements, and a command-line application reference. Several customer-reported bugs on Windows are also resolved in this release.

## New Features

#### Command-Line Policy Configuration and Enforcement

* **KPAM-1333:** Administrators can now configure and validate command-line policies using both allowlist and restrict rules, with support for approval workflows and elevation controls for sensitive commands.
* **KPAM-944:** KeeperSudo and the allowed command list now function as designed, ensuring command-line policies are evaluated correctly for all sudo-equivalent operations.
* **KPAM-963:** KeeperSudo approval caching is now supported: once a command requiring approval has been approved, subsequent identical invocations within the approval window do not require a new approval request.
* **KPAM-966:** File access requests can now be submitted from headless environments via `keepersudo --file-access`, enabling users to request access to specific files without a graphical interface.
* **KPAM-1571:** Policy evaluation now supports signing certificate filters, allowing administrators to scope policies to applications signed by specific certificates.

#### Gateway Password Rotation Compatibility

* **KPAM-1664:** KEPM now correctly passes `sudo -l -k` (list/reset) arguments through `keepersudo` to the system sudo, ensuring that Keeper Gateway password rotation tooling continues to function correctly in KEPM-managed environments.

#### Encryption Key and State Recovery

* **KPAM-1651:** KEPM now includes a recovery mechanism to reset a machine to a clean state when the encryption key container or storage becomes corrupted, allowing re-registration and resumed operation without re-imaging.

#### Approval History Management

* **KPAM-1626:** KEPM now clears the local approval history cache on install and upgrade to prevent data format conflicts between versions.

#### Refresh Button Animation — KeeperAgent UI

* **KPAM-1621:** The refresh button in KeeperAgent now displays a spinning animation while a policy refresh is in progress, providing clear visual feedback to the user.

#### KeeperClient and CLI Feature Parity

* **KPAM-1123:** All critical functions available in the KEPM graphical client are now equally accessible through the CLI, including file access request submission.
* **KPAM-1338:** Completed a full validation pass to confirm KeeperClient GUI and CLI feature parity across elevation, file access, and command-line workflows.

#### Token-Based Elevation for Profile-Aware Applications

* **KPAM-1593:** Introduced a new elevation technique using CreateProcessWithToken that launches a process elevated with the current user's token — without granting the user permanent admin rights. This enables applications such as AutoCAD that require the current user's profile context to receive the necessary privileges without a full admin grant.

## macOS Specific New Features

#### System Extension — Privilege Elevation and File Access Interception

The macOS System Extension now intercepts and enforces privilege elevation, file access, and command-line policy requests at the kernel level, delivering full policy coverage on macOS Tahoe and above. The following capabilities are available:

* **KPAM-1107:** Deployed the macOS System Extension to intercept elevation requests system-wide, enabling KEPM policy controls to apply to any application or package that requires elevated privileges on macOS.
* **KPAM-1340:** Implemented full System Extension deployment and elevation interception so that privilege escalation attempts are securely controlled, logged, and enforced according to policy without breaking existing workflows.
* **KPAM-1299:** The System Extension now authorizes command execution inline with granular command-line policies, intercepting and approving commands before they run.
* **KPAM-1835:** The System Extension now routes package (.pkg) installs through privilege elevation policy controls, allowing users on macOS Tahoe to double-click a package in Finder and complete the install after satisfying configured controls such as MFA or justification.
* **KPAM-1861:** Replaced internal request queueing in the System Extension with PID-based caching, improving responsiveness and correctness for file access and command-line events.
* **KPAM-1852:** Documented System Extension platform coverage: full elevation and non-elevated command-line enforcement are available on macOS Tahoe and later; elevated command-line and file access policies for /Users and /Applications continue to apply on Sonoma and Sequoia.

#### File Access Policy Enhancements

* **KPAM-1422:** File Access policies with wildcards are now fully enforced by the System Extension, allowing administrators to target applications in user-relative paths such as `{home}/Applications/*`.
* **KPAM-1821:** Wildcard File Access policies now correctly deny access to file types across all locations, including `{rootdir}/*/*.dmg` and `{home}/*/*.dmg` patterns.
* **KPAM-1857:** DMG files can now be targeted directly as File Access policy subjects, enabling administrators to block or control access to disk images regardless of location.
* **KPAM-1858:** File Access policies now apply to custom executables and shell scripts opened from Finder, routing the launch through Terminal under File Access controls.
* **KPAM-1894:** macOS users may now trash files that require elevated permissions when a Privilege Elevation policy applies, completing the operation without triggering the system elevation dialog.

#### Installation and Packaging

* **KPAM-1774:** KEPM now generates the correct installation command for `.pkg` files on macOS, using `/usr/bin/installer` rather than attempting to execute the package directly, resolving silent install failures.
* **KPAM-1783:** KEPM now correctly installs applications from `.dmg` files by mounting the image, copying its contents, and unmounting — replacing the previous behavior that attempted to execute the `.dmg` as a binary.
* **KPAM-1929:** macOS app upgrades delivered through Sparkle (e.g., auto-update workflows) are now intercepted by the System Extension and routed through KEPM controls before the update is applied.
* **KPAM-1463:** Created a macOS App Bundle wrapper for KeeperPrivilegeManager, enabling Full Disk Access to be granted to the agent through System Preferences without requiring it to be embedded in a third-party app bundle.
* **KPAM-1153:** KEPM now detects when Full Disk Access has not been granted and displays a clear message to the user, preventing silent failures in File Access policy enforcement.
* **KPAM-1440:** macOS packaging pipeline issues resolved; fresh installs, upgrades, PAM module installation, and uninstall via `keepersudo` all function correctly.
* **KPAM-1551:** Reordered the macOS manual install flow so that System Extension activation and Full Disk Access prompts occur in a logical sequence with consistent Keeper-branded dialogs, eliminating redundant prompts.
* **KPAM-951:** Added a dedicated uninstall script for macOS, bundled with each distribution package alongside the existing install script.

#### Native Notifications

* **KPAM-1287:** Introduced KeeperNotify, a Swift-based companion app that integrates with the macOS Notification Center to deliver native approval and status notifications, since KeeperClient does not have direct access to the Notification Center APIs.

#### Non-Elevated Command-Line Policy (macOS Tahoe and Later)

* **KPAM-1823:** Non-elevated command-line policies now behave correctly when the AllowCommands list is empty (policy applies to no commands) and treat null and wildcard (`*`) equivalently.
* **KPAM-1828:** The System Extension now passes the full command path as part of the CommandLine field in policy evaluation requests, enabling granular command-line rules (beyond wildcard-only) to match correctly.
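As an added illustration (not Keeper's code), the matching semantics described in the two items above, modelled in Python: a null list and a lone `*` cover every command, an empty list covers none, and other rules are compared against the full executable path that the System Extension now places in CommandLine. The allowlist/restrict mode and the rule syntax (a glob for the executable, optional literal arguments) are assumptions made for the example.

```python
import fnmatch
import shlex
from typing import Optional, Sequence

# Assumed policy shape (constructed for this example): "AllowCommands" is None,
# [] or a list of rules; "mode" is "allowlist" (matches may run) or "restrict"
# (matches are blocked). The rule syntax below is an assumption as well.

def policy_matches_command(allow_commands: Optional[Sequence[str]],
                           command_line: str) -> bool:
    """True when the AllowCommands list covers this command line.

    command_line must start with the full executable path, as the System
    Extension now supplies it in CommandLine; a bare name never matches a path rule.
    """
    # Null and a lone wildcard are equivalent: the policy covers every command.
    if allow_commands is None or "*" in allow_commands:
        return True
    # An empty list means the policy applies to no commands at all.
    if len(allow_commands) == 0:
        return False
    argv = shlex.split(command_line)
    if not argv:
        return False
    for rule in allow_commands:
        rule_argv = shlex.split(rule)
        if not rule_argv:
            continue
        # The executable part is a glob; if the rule lists arguments they must
        # match exactly, so "restart nginx" does not also admit "stop nginx".
        exe_ok = fnmatch.fnmatchcase(argv[0], rule_argv[0])
        args_ok = len(rule_argv) == 1 or rule_argv[1:] == argv[1:]
        if exe_ok and args_ok:
            return True
    return False

def evaluate(policy: dict, command_line: str) -> str:
    """Return "allow" or "deny" for a non-elevated command under one policy."""
    matched = policy_matches_command(policy.get("AllowCommands"), command_line)
    if policy.get("mode", "allowlist") == "restrict":
        return "deny" if matched else "allow"
    return "allow" if matched else "deny"

if __name__ == "__main__":
    demo = {"mode": "allowlist",
            "AllowCommands": ["/usr/bin/systemctl restart nginx", "/bin/ls"]}
    for line in ("/usr/bin/systemctl restart nginx",
                 "/usr/bin/systemctl stop nginx", "ls -la"):
        print(f"{line!r}: {evaluate(demo, line)}")
```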

## Linux Specific New Features

#### File Access and Packaging

* **KPAM-1820:** After a File Access approval on Linux, the approved application now launches automatically — previously, permissions were updated but the application was not started.
* **KPAM-1410:** Linux packaging updated to include an ARM package, binary and package signing from v1.0.4, correct script paths for KeeperPamConfig, and both registration and unregistration scripts.

***

## Feature Improvements

#### KeeperClient Window Behavior

* **KPAM-509:** Applications launched via KeeperClient UI now open in the foreground with focus, KeeperAgent falls behind newly opened windows, the default window position has moved to the lower-right corner, and tray/menu interactions behave consistently across supported operating systems.

#### File Hash ID Optimization

* **KPAM-552:** File hashes in command-line arguments are now referenced by dictionary key rather than inline, preventing argument string length limits from causing KeeperRunAs or KeeperRunElevated launch failures for applications with large hash sets.

#### Race-Condition-Safe File Operations

* **KPAM-1367:** KEPM components that modify sudoers and Unix account files now use atomic, file-locked operations, eliminating race conditions and potential file corruption when multiple processes attempt concurrent modifications.
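One way to implement the atomic, file-locked replacement described above, as an added Python example that is not KEPM's code: concurrent writers serialise on an advisory lock, the new contents go to a temp file in the same directory, optionally pass `visudo -c -f`, and `os.replace()` then swaps the file in so sudo never reads a torn one. The `/etc/sudoers.d/keeper` target, the sidecar lock name and the sample rule are assumptions.

```python
import fcntl
import os
import shutil
import subprocess
import tempfile

def visudo_ok(candidate: str) -> bool:
    """Syntax-check with `visudo -c -f`; True when visudo is absent (demo-friendly, not fail-closed)."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return True
    return subprocess.run([visudo, "-c", "-f", candidate], capture_output=True).returncode == 0

def write_sudoers_atomically(path: str, content: str, validate: bool = True) -> bool:
    """Replace `path` (e.g. an assumed /etc/sudoers.d/keeper fragment) without races:
    serialise writers with flock, write a fsynced temp file in the same directory,
    validate it, set mode 0440, then os.replace() it so readers never see a torn file."""
    directory = os.path.dirname(os.path.abspath(path))
    # Sidecar lock file; its name contains a dot, so sudo ignores it inside sudoers.d.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # released when the lock file is closed
        fd, tmp = tempfile.mkstemp(prefix=".keeper-tmp-", dir=directory)
        try:
            with os.fdopen(fd, "w") as f:
                f.write(content)
                f.flush()
                os.fsync(f.fileno())
            os.chmod(tmp, 0o440)  # sudo refuses sudoers files writable by others
            if validate and not visudo_ok(tmp):
                return False  # finally: discard the rejected candidate
            os.replace(tmp, path)  # atomic rename: old file or new file, never partial
            tmp = None
        finally:
            if tmp is not None:
                os.unlink(tmp)
    return True

def demo() -> dict:
    """Round-trip in a throwaway directory on constructed input; returns checkable facts."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "keeper")
    rule = "alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx\n"  # constructed
    ok = write_sudoers_atomically(target, rule, validate=False)  # no root-owned file needed
    with open(target) as f:
        text = f.read()
    leftovers = [n for n in os.listdir(d) if n.startswith(".keeper-tmp-")]
    return {"ok": ok, "text": text, "mode": os.stat(target).st_mode & 0o777, "leftovers": leftovers}
```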

#### Injector — MQTT Library Replacement

* **KPAM-1596:** Replaced the paho.mqtt.c library in the Injector component with an alternative due to licensing concerns.

#### KeeperClient — Disabled Status Visibility

* **KPAM-1851:** KeeperClient now displays the Disabled agent status on its About screen, giving users and administrators immediate visibility into the agent state.

#### Package Build Script — Alias Fix

* **KPAM-1417:** Restored the missing `keeperagent` and `keepersudo` aliases in the v1.1 package build script to match the alias configuration present in v1.0.4 builds.

#### Example Project — Granular Command-Line Processing

* **KPAM-1237:** A standalone example project is now available that demonstrates granular command-line evaluation logic, serving as a reference implementation for custom policy development.

#### Preview Release Workflow

* **KPAM-1875:** Established a Preview deployment workflow that publishes KEPM packages to a dedicated S3 path under a separate manifest, enabling beta testing of pre-production builds without affecting the production update channel.

## macOS Specific Feature Improvements

#### System Extension Security Hardening

* **KPAM-1372:** Multiple security gaps in the macOS System Extension have been resolved: SSL certificate validation is now enforced for all policy communications, root-only policy enforcement is applied, fail-safe behavior is activated on timeout or communication failure, connection timeout has been reduced, and a policy key parsing issue has been corrected.

#### KeeperClient Startup

* **KPAM-186:** Resolved a race condition that caused KeeperClient to register two system tray icons after installation on macOS and RockyLinux. Only a single instance now launches.

#### Agent Upgrade Without Re-Registration

* **KPAM-1212:** macOS agents can now be upgraded without requiring the registration token to be re-entered, matching the upgrade behavior on other platforms.

#### Packaging — Build Script Compatibility

* **KPAM-1864:** Updated the BuildScriptUniversal OS detection logic to recognize the new macOS version string format introduced in macOS 26.4, preventing build pipeline failures on updated GitHub runner images.

## Customer Reported Bug Fixes

* **KPAM-1725:** Fixed an issue where KEPM policy evaluation failed on Windows machines joined to Azure AD / Microsoft Entra ID. Policy enforcement now functions correctly in Azure-joined environments.
* **KPAM-1884:** Fixed an issue on Windows where process redirection was not registered when a privilege elevation request for NCPA.cpl was approved, leaving the approval without effect.

***

### Resources

* [Endpoint Privilege Manager Documentation](/en/keeperpam/endpoint-privilege-manager/overview.md)
