Endpoint Privilege Manager v1.1
Release ETA: Feb 23, 2026
Overview
Keeper Endpoint Privilege Manager (KEPM) is an agent-based solution that removes standing administrator access from users and replaces it with just-in-time policy-driven elevation so users and machines can run approved applications with elevated privileges.
New Features
Global Approvals
Approvals are now centralized under Admin → Approvals, making them global across all request types. Teams can be designated as approvers or escalated approvers, while Keeper Administrators retain full approval rights. Approval windows are now configurable, supporting customer-requested limits of up to 30 days.
KPAM-72: Role-Based Approver Mapping with Admin Enforcement and Minimum Approval Thresholds
KPAM-674: Enforce Approval Timeouts and Prevent Invalid Post-Expiration or Post-Denial Actions
KPAM-899: Backend Validation for Approval SLAs and Expired/Denied Request State Enforcement
KPAM-1335: Configure and Validate KEPM Approval Workflows for Privilege Elevation and Restricted Actions
KPAM-1343: Approval Workflow with Primary and Escalated Approvers
KPAM-1356: Extensible Policy Control Framework for Pluggable MFA, Justification, and Approval Providers
Improved Visibility & Auditing
It’s easier to see what happened and why (clearer screens, better history/audit information, and more useful visibility for admins and users).
KPAM-99: Add “Copy Request ID” Button to Keeper Client Modal Under OK Action
KPAM-191: Display Item Counts on Open Requests and History Tabs in Endpoint Privilege Manager
KPAM-345: Windows: Audit and Surface Failed ACL Modification Attempts for Administrative Review
KPAM-489: Improve KeeperClient UI Visibility and Launch Behavior Across Operating Systems
KPAM-847: Display MFA Record User for Elevation Requests (Dashboard & ARAM Event)
KPAM-918: Investigate and Validate Audit Events for Application Allows, Launches, and Denials
KPAM-941: Enhance Approval Modal with Additional Context for Improved Decision-Making
KPAM-953: Differentiate Expired vs. Denied Requests in KeeperClient History Tab
KPAM-971: Windows Agent: Display Clear Messaging When Non-Executable Files Are Selected for Elevation
KPAM-1206: Add KeeperClient Shortcut to System Shortcut Menu
KPAM-1244: Create KepmMonitor Tray App for MQTT-Based Notifications and Context-Aware Actions
KPAM-1334: Audit Messaging Configuration and Validation for Privilege and Policy Events
Real‑Time Request Updates
The Request page now updates dynamically via webhook, providing real-time visibility into changes, and the overall event flow has been streamlined to make request progression clearer and easier to follow.
KPAM-192: Add Cancel Button to KeeperControls
KPAM-216: Enhance KeeperMessage to Support Request Creation Actions
KPAM-686: Display Confirmation Pop-Up After “Refresh Policy” Action in KeeperClient
KPAM-1166: Implement Friendly End-User Toast Notifications for Request Activity
KPAM-1290: Display User Notification on Approval Status Change (Sync-Based Update Trigger)
KPAM-1300: Implement Notification Cache to Prevent Duplicate Approval Alerts
KPAM-1344: Display Toast Notification Upon Approval Request Submission
Collections & Wildcards
Wildcards are now immediately available for policy creation, and new tenants automatically receive wildcard-based application entries to accelerate onboarding and simplify baseline configuration.
KPAM-383: Add Wildcard Search Support to “Add Item to Collection” Filter Option
KPAM-1327: Basic Endpoint Inventory Collection and Verification Across Registered Devices
KPAM-1328: File Inventory Collection and Verification Across Registered Endpoints
KPAM-1329: Local User Account Inventory Collection and Verification Across Registered Endpoints
KPAM-1359: Add Wildcard and File Pattern Support to KeeperPolicy Folder Filters
KPAM-1431: Enhance PolicyFilter to Support Path Variables and Wildcards for AllowCommands Matching
Policy Targeting Enhancements
New filtering options—including Policy Type, Status, Control, Collection, Machine, Application, and User—provide more precise policy targeting, while granular command-level elevation enables tighter control over elevated actions, and enhancements to the “Deny Everything” policy introduce protected-path logic to strengthen default-deny enforcement.
KPAM-740: Differentiate File Selection Behavior for File Access vs. Privilege Elevation Policies on Ubuntu
KPAM-753: Prevent Least Privilege Policy from Removing Domain Admin from Local Administrators Group
KPAM-1167: Folder-Based Application AllowList / DenyList for Standard Execution with OS Default Directories
KPAM-1330: Privilege Elevation Policy Configuration and Validation for Controlled Elevation Workflows
KPAM-1331: Least Privilege Policy Configuration and Enforcement with Controlled Elevation Workflows
KPAM-1332: File Access Policy Configuration and Validation Across Enforcement Modes
KPAM-1342: Application AllowList and DenyList Policy Configuration and Validation for Controlled Execution
KPAM-1376: Implement Full Policy Management API with Unified Storage Integration and MQTT Synchronization
Job Orchestration
Jobs can now be created, updated, and deleted without requiring agent updates, and remote settings changes—such as log level adjustments—are supported for greater operational flexibility.
KPAM-1302: Convert PamConfig from Persistent Plugin to On-Demand Job Execution
KPAM-1348: Enhance Job System for Secure, Validated, and Cross-Platform Script Execution
Deployment & Agent Management
The deployment UI has been streamlined to simplify rollout, and administrators can now delete disabled agents directly from the console.
KPAM-1321: Add "policy_evaluation_requested" KEPM Audit Event for Pending Agent Updates
KPAM-1325: Agent Installation, Registration, and Initial Policy Validation Across Windows, macOS, and Linux
KPAM-1326: Endpoint Registration and Collection/Policy Association Validation
KPAM-1341: Agent User-Facing Messaging Validation for Clarity, Consistency, and Actionability
KPAM-1421: Make Agent Registration Dependent on Main Service Availability
KPAM-1435: Linux Packaging Validation: Install, Service Startup, Policy Enforcement, and Clean Uninstall Verification
KPAM-1463: Create macOS App Bundle Wrapper to Enable Full Disk Access for KeeperPrivilegeManager
Enhanced Logging
Logging and observability have been enhanced with full-session tracking supported by correlation IDs, live log tailing for improved troubleshooting, MFA audit failure detection for stronger security insight, and a foundation that enables future behavioral analytics.
KPAM-440: Log KeeperClient Version to KeeperLogs on Service Startup
KPAM-471: Windows: Create Log Collection Utility to Bundle Debug Logs into ZIP for Support Diagnostics
KPAM-1230: Configurable Agent Log Level via KeeperLogger Configuration File Across Platforms
KPAM-1405: Configurable Log Retention with Safe Defaults and Dynamic Reload Support
Keeper Watchdog Service
A new Watchdog capability automatically restarts Keeper Privilege Manager if it is terminated, helping ensure platform stability during updates and configuration changes.
KPAM-57: Add Watchdog Service to the Core Agent
Localization
The agent and client are now fully localizable, and customers can update translations directly via JSON for greater flexibility and global usability.
KPAM-459: Implement Agent Localization
KPAM-1109: Prepare Strings for Localization
KPAM-1337: Client Localization Validation Across Supported Languages with English Audit Log Consistency
Bugs
KPAM-185: Prevent KeeperClient from Launching Twice
KPAM-225: macOS: Restore Missing Folders and Files in Keeper Directory
KPAM-229: macOS: Reduce Excessive CPU Usage by Agent
KPAM-256: Windows: Prevent Policy from Blocking Domain Admin PowerShell Execution
KPAM-268: Fix Cross-Platform Agent Auto-Registration Failures
KPAM-280: Fix Agent Displaying as “Unknown” and Missing Inventory Data on Windows 11 and macOS
KPAM-288: macOS: Fix Full Inventory Scan Failures in Large AppTranslocation Directories
KPAM-290: macOS: Ensure KeeperInventoryFull Restarts Properly After Initial Run
KPAM-331: macOS Sequoia: Restore Command Line Approval Prompt Trigger
KPAM-444: Windows: Resolve SentinelOne Blocking Agent Installation
KPAM-447: macOS: Fix Agent Auto-Registration Failure
KPAM-448: macOS Sequoia: Ensure KeeperClient Auto-Starts After Installation
KPAM-457: macOS Sequoia: Fix KeeperInventoryUser Execution Failure
KPAM-480: macOS Sequoia/Sonoma: Fix Endpoints Registering as “Unknown” Hostname
KPAM-499: macOS Sequoia: Fix KeeperInventoryFull Execution Failure
KPAM-534: Stop Repeated Disabled ARAM “Agent Auth Failed” Events
KPAM-548: Suppress ACL Rule Warnings on AD-Joined Windows Server
KPAM-600: Windows Server 2022: Fix Submit Button Hover State Issue
KPAM-612: Prevent Agent Request Spoofing
KPAM-614: Validate and Sanitize File Paths in Client and Control Components
KPAM-669: macOS Sequoia: Fix User Exclusion Not Applying in Enforced Least Privilege
KPAM-730: Add Approver and Escalated Approver Tags to Users in Elevation Policies
KPAM-779: Windows Server 2022: Fix “Denied Application” Error After Approval
KPAM-801: Windows: Add User Confirmation Toast for Elevation Request Submission
KPAM-834: Ensure Ephemeral User Is Removed on Agent Uninstall (All Platforms)
KPAM-844: Ensure Privilege Elevation Policy Changes Propagate to Agents
KPAM-894: Windows Server 2022/2025: Correct Event Type When File Access and Elevation Policies Overlap
KPAM-898: Fix Privilege Elevation Access Validity Timing Mismatch
KPAM-914: Ubuntu: Allow Admins to Uninstall Agent When SudoWrapper Is Active
KPAM-920: Windows: Prevent Admin Prompts for Allowed Apps via KeeperClient
KPAM-922: Ubuntu 22.04: Fix Missing Escalation for Expired Command Line Requests
KPAM-939: Windows: Fix Incorrect Access-Denied Prompt in Mixed Admin/Standard Sessions
KPAM-949: Windows: Fix App Launch Context with Multiple Logged-In Users
KPAM-956: Add Help Menu and Version Display to KeeperAgent
KPAM-990: Standardize Privilege Elevation Cancel Flow Messaging
KPAM-995: Standardize Deny Messaging in KeeperClient UI
KPAM-1111: Fix Applications Launching Under Wrong User Context
KPAM-1117: Improve Mouse-Over UI State Consistency
KPAM-1118: Windows: Restore Network Settings Editing When Elevating ncpa.cpl
KPAM-1125: Fix Audit Showing Approved While Request Remains Pending
KPAM-1126: Add Support for Protected Files Management
KPAM-1132: Fix Button Hover and Focus UI States
KPAM-1145: Correct Audit Logging for Out-of-Collection Apps in File Access Monitor Mode
KPAM-1149: Windows 25: Fix “No Associated Policy” Message for Out-of-Collection Apps
KPAM-1162: Windows: Correct Audit Event Type for File Access Launches
KPAM-1163: Windows: Fix Audit and Denial Messaging Inconsistencies with Least Privilege
KPAM-1195: Windows Server 2022: Fix Incorrect Policy Denials for Uncovered Apps
KPAM-1196: Windows: Prevent Duplicate Approval Requests for Same Application
KPAM-1210: Windows: Remove KeeperUserSession Folders on Agent Uninstall
KPAM-1214: Prevent Duplicate Requests from Repeated Filtered App Clicks
KPAM-1229: Add CreateProcess Fail-Safe Handling
KPAM-1231: Fix Thread Description Handling
KPAM-1234: Resolve CreateProcess Hanging Issues
KPAM-1236: Add User Feedback for Agent Registration Failures
KPAM-1240: Console: Fix Garbled Unicode in Approval Requests
KPAM-1250: Fix Agent Registration Failures
KPAM-1255: GovCloud: Allow Non-Admin Approvers in Policies
KPAM-1296: Windows: Fix KeeperUSession Crash When Closing UWP Apps
KPAM-1297: Rewrite KeeperWatch Injector Component
KPAM-1298: Refactor Injector Process Polling Logic
KPAM-1305: Fix KeeperInventoryUser Job Execution
KPAM-1306: Fix InventoryUser Group Handling
KPAM-1308: Fix InventoryBasic Shared Storage Path Mismatch
KPAM-1311: Fix Approval Window Dragging Jitter
KPAM-1312: Fix UI Element Shift on Screen Launch
KPAM-1313: Injector: Correct CreateProcess Handle Management
KPAM-1314: Add Application Icon to Toast Notifications
KPAM-1315: Windows: Fix Blue Background Rendering for Transparent Toast Icons
KPAM-1316: Investigate and Resolve KeeperUSession Performance Lag
Last updated
Was this helpful?