Older release note content is still available, but anything older than the last 10 updates is placed here.
Backend API Version 15.1.1
Estimated Released Date: December 29, 2020
Bug Fixes
KA-3692: "get_available_bridges" command fails for an MSP logged in as an MC
KA-3687: Keeper DNA push notifications are not appearing on Apple Watch for 2FA
Backend API Version 15.0.32
Estimated Release Date November 20, 2020
Improvements
EM-4399: BreachWatch events now include the record UID to inform Admins what records trigger BreachWatch Events
Bug Fixes
KA-3580: Re-trying an Admin Device Approval for pre-approved devices must reply success and send push
KA-3582: ARAM is missing "Removed User from Team" event
KA-3493: Log Error - users with region issues
Backend API Version 16.0.0
Release ETA March 15, 2021
Improvements
KA-2836: Support for new Record Types feature
Backend API Version 15.1.0
Released on December 21, 2020
Improvements
TRAN-3497: ARAM event added: Enterprise is out of seats
KA-3586: File download for Enterprise users currently looks at file_plan_expiration
KA-3862: Support for Node Isolation
KA-3857: Provide free Family Plan to all linked personal accounts
KA-2517: An audit event is created when a user is removed from a role or team
KA-3909: Support for automatic enterprise invite re-sends on the backend
Bug Fixes
KA3873: Enforcement values missing from get_enterprise_data_for_user_response
KA-3693: API requests to the backend are slow to turn on 2FA
KA-3870: IP blocked events are not being reported in Reporting & Alerts Module
KA-3880: Extending the share expiration of a user, fails to save new expiration date
KA-3869: Shared Records Report returns unwanted data
KA-3894: Admin Console crashes when the last user of a team deleted
TRAN-3498: ARAM event added: Admin approved a device
KA-3654: Keeper removes pending users when SCIM provider patches user to inactive status
KA3610: Improved performance impacts due to API throttling
KA-3592: Allow Admins to provision invited users into Teams
Bug Fixes
KA-3625: MSP Keeper Admin is unable to approve SSO Cloud users from managed companies
KA-3560: SCIM email change issues
KA-3615: Broken Access Control - Change permission of other users in the same sharing record
KA-3614: Broken Access Control - Remove user in the same sharing record
KA-3624: Keeper Push fails for Cloud SSO users with DUO enabled
KA-3585: 2FA code duration preference fails for SSO Cloud users
KA-2558: Team folders are not being pushed to users upon login
KA-3637: Unable to login to Web Vault using Alternate Master Password and 2FA
KA-3235: Changed Email Address event isn't displayed in ARAM
KA-3641: Attempting to save empty shared folder record key
KA-3663: Cloud SSO accounts require two Admin approvals
Backend API Version 15.2.0
Estimated Release Date: January 22, 2021
Bug Fixes
KA-3782: Change SCIM GROUP PATCH implementation to return 204 Status
KA-3588: Support for SSO Connect On-Prem alias checking on email changes
KA-3578: Turning on Stay Logged In did not work the very first time
KA-3756: Stay Logged In setting not honored on particular login flows
KA-3626: Syslog push fails in EU
KA-3638: Adding ARAM event causes throttling
KA-3725: Various issues with record sharing
KA-3718: User is unable to set alternate Master Password
KA-3582: ARAM is missing the event "Removed User from Team"
KA-3607: SSO does not send SessionIndex on SAML logout
KA-3628: Entity ID fails to update when moving configuration
KA-3674: Records fail to appear in shared folder after a team is added
KA-3661: "Offline Master Password" role enforcement fails
KA-3548: Error message appears when login to US SSO Cloud account in EU region
KA-3514: Event is not triggered when delete command is used
KA-3701: MSP Admin is unable to approve SSO Cloud users from Managed Companies
KA-3719: File usage is not properly updated
KA-3726: A server error is generated when deleting a team
KA-3730: "Account Recovery Requested" ARAM event is not triggered
KA-3741: Cloud SSO users that are also admins, require Master Password to export
KA-3746: Errors are generated when deleting a record in a team shared folder
KA-2654: Backend APIs for Admin Console login for customers with over 100k users
KA-2837: Addition of new APIs for upcoming Record Types feature
KA-3316: Create user event not reported in ARAM
KA-3728: Sending hyperlink to invalid domain in some scenarios
Backend API Version 15.0.11
Released September 4, 2020
Bug Fixes
KA-32632: Web app version 15.0.1 is receiving errors upon login
KA-3259: DUO IP-based bypass mode generates 500 error
KA- 3257: 2FA approval method produces error and enumeration
Backend API Version 15.0.23
Released October 6, 2020
Enhancements & Benefits
KA-3423: The server will allow all access currently reserved to restrict and sync down
Bug Fixes
KA-3448: Fix to allow Admin to invite a user to an enterprise when the user exists in a different region
KA-3436: When a user provides the 6-digit code for DUO 2FA, the response displays an error message
KA-3420: When a user creates a Business trial and switches regions, they receive and error message when attempting email verification
Backend API Version 15.0.22
Released October 1, 2020
Enhancements & Benefits
KA-3362: KeeperFill Enforcement Policies - Role policies, implemented via checkboxes to enforce each of the various features and settings of the KeeperFill Browser extension.
Backend API Version 15.0.17
Released September 12, 2020
Bug Fixes
KA-3310: Request to create a user fails due to ECC validator; emails not received
Backend API Version 15.0.14
Released September 6, 2020
Bug Fixes
KA-3270: New JIT Cloud SSO users are prompted for device approval during onboarding
KA-3268: Non-JIT Cloud SSO users receive error message at login
Backend API Version 15.0.29
Released October 21, 2020
Improvements
KA-15.0.29: Server communication improvements made
Backend API Version 14.7.10
Released on September 15, 2019
Features & Benefits
Support for import of extra-large record notes
Backend API Version 15.0.27
Released October 12, 2020
Bug Fixes
KA-3459: ARAM alerts read "unknown event" instead of the event name
Backend API Version 15.0.26
Released October 12, 2020
Bug Fixes
KA-3454: Fix for IP auto-approval broken in production
Backend API Version 16.4.1
Released on April 8, 2022
Bug Fixes
KA-4702: Slow query causing timeouts on login
Backend API Version 15.0.15
Released September 11, 2020
Enhancements & Benefits
KA-3283: Support for deleting invited user via SCIM PUT
Backend API Version 15.0.25
Released October 10, 2020
Benefits & Enhancements
KA-3443: Support for SAML 2.0 IsPassive option in Cloud SSO
Backend API Version 15.0.7
Released on August 13, 2020
Bug Fixes
KA-3094: Improved handling of SSO data for users when moved out of SSO node and back into SSO node (retains data).
Backend API Version 14.12.1
Released April 24 & 27, 2020
Subsequent releases 14.12.2 - 14.12.4 are also included in the following release notes.
Bug Fixes
Fixed: Unable to register new users on current chat clients.
Backend API Version 14.6.0
Released July 2, 2019
Features & Benefits
BreachWatch for Business
Backend API Version 14.7.6
Released on August 6, 2019 @ 7PM PST
Due to issues experienced with Twilio (EU regulations surrounding delivery of messages using local numbers, confusing user experience around the use of Authy services), we made a migration of Keeper SMS 2FA services to Amazon AWS, our infrastructure provider.
The new backend SMS capabilities of Amazon AWS provide the following benefits:
Local delivery of phone numbers via Short Codes
Backend API Version 14.10.0
Released February 14 & 28, 2020
Subsequent release 14.10.1 is also included in the following release notes.
Bug Fixes
Fixed: SSO Connect JIT flag turns off when SSO settings for a node are saved.
Backend API Version 14.7.16
Released November 1, 2019
Bug Fixes
Fixed: The verification link to change a user's email generates an error message
Backend API Version 15.0.10
Released September 3, 2020
Bug Fixes
KA-3255: 2FA is bypassed when alternate Master Password is used
Backend API Version 16.3.0
Released on Jan 6, 2022
Features
KA-4409: Support for Keeper Secrets Manager new record creation
Backend API Version 14.12.6
Released May 15 & July 2, 2020
Subsequent releases 14.12.7 - 14.12.13 are also included in the following release notes.
Bug Fixes
Fixed: Unable to run custom reports in ARAM.
Backend API Version 16.1.0
Released on Aug 9, 2021
This backend release provides support for the following major capabilities:
Keeper Secrets Manager
Provides your DevOps, IT Security and software development teams with a fully cloud-based, Zero-Knowledge platform for managing all of your infrastructure secrets such as API keys, Database passwords, access keys, certificates and any type of confidential data.
GovCloud Support
Keeper is going live with AWS GovCloud in the US data center to support FedRAMP compliant environments. AWS GovCloud is designed to host sensitive data, regulated workloads, and address the most stringent U.S. government security and compliance requirements.
To discuss GovCloud and FedRAMP compliance, please email [email protected].
Backend API Version 15.0.16
Released September 12, 2020
Bug Fixes
KA-3307: Account summary returning null for Family Plan admin
Backend API Version 16.0.2
Release ETA April 12, 2021
Bug Fixes
KA-3939: User is unable to send record share invites (AU accounts)
Backend API Version 16.3.6
Released on Feb 25, 2022
This update fixed Session Resumption on Keeper Commander and Keeper Azure Function for device approvals.
Commander
For Commander users, there is no change required. Persistent login will begin working after the next successful master password login.
Backend API Version 14.5.2
Released on May 6, 2019
Bug Fixes
"Recent Activity" screen has not been displaying the user's custom Device Name setting since the 14.0 release. This is now resolved.
Backend API Version 15.0.19
Released September 18, 2020
Bug Fixes
KA-3350: Alternate Master Password login 500 internal server error
Backend API Version 16.2.12
Release ETA Nov 12, 2021
Bug Fixes and Improvements
KA-4354: "Prevent sharing with file attachments" not working if Record Types activated
Backend API Version 15.0.24
Released October 7, 2020
Bug Fixes
KA-3440: User invite fails when the domain is reserved by multiple enterprises
Backend API Version 16.2.14
Released on Nov 17, 2021
Bug Fixes
KA-4442: Security updates to SSO Cloud. SSO Special thanks to the team at for their findings.
KA-3263: Role enforcement policy created to disable account recovery
KA-3237: ARAM event created for "Enterprise is out of seats"
KA-3263: ARAM event created for Admin approved a device"
KA-3182: Endpoint created that allows a support tool user to verify a user's 2FA code
Bug Fixes
KA-3304: SAML Logout returns 404 with no IdP logout endpoint configured
KA-3294: Logout timer enforcement on Desktop logs user out at max duration instead of max idle
KA-3242: SSO logout doesn't redirect to IdP to perform logout from mobile client
KA-2994: Throttled re-authentication enforcement in vault is persistent on next log in.
Bug Fixes
KA-3434: Deleting an enterprise does not release the kinfo.domain
KA-3438: Biometric login to wrong region generates "DEVICE_ACCOUNT_LOCKED" message
KA-3415: User unable to update an existing push token for a new device using device SNS registration service
KA-3393: Creation of a new user fails to trigger an ARAM event
KA-3388: Cloud SSO loses configuration parameters
KA-3377: Error message fails to appear when a user selects RSA option during 2FA setup and RSA has not yet been configured
KA-3103: Editing a shared folder name or color changes default permissions.
KA-3093: Very slow login when thousands of shared folders are present in the vault.
KA-3099: Improved handling of migration from US to EU data centers
KA-2960: Addition of alias_add event for adding alias username/emails
KA-3097: Improved handling of login to US SSO account from EU vault
KA-3074: Added events for Device Approval
KA-3110: Prevent admin from moving user from on-prem SSO to Cloud SSO
KA-3022: Submitting verification code for pending invited user returning 403 error
Features
Backend support for Keeper SSO Connect Cloud
Fixed: SSO (pre version 14.2.1) is not validating IP and device link for Enterprise.
Fixed: Transferred direct shared records do not show up in both root and transferred folders.
Fixed: Adding a 2FA duration to an enforcement generates server errors.
New APIs for BreachWatch Business client apps (retrieving public key)
Billing support for BreachWatch Business
Bug Fixes
Improved BreachWatch performance to reduce CPU load
User with expired personal license was unable to login and accept Enterprise invite.
Fast and reliable delivery
Full integration into Keeper's existing AWS infrastructure
We apologize for any disruption of SMS 2FA services over the past several days as we have completed the migration. If you have any questions or experience any issues receiving SMS messages from Keeper, please contact support or switch to a TOTP-based authentication method, such as Google Authenticator or Duo.
Fixed: Issue causing Master Password complexity requirement in French to appear truncated.
Fixed: The "record_add" command does not specify which file ID's are invalid in its response.
Fixed: When moving a record from the root into a shared folder, it is not observing the default folder settings.
Fixed: When added to a team, users do not immediately see shared folders until their next login. to the vault.
KA-3252: RSA SecurID fails with Login_v3
KA-4467: Secrets Manager triggers proper push notifications on record update and client device changes
KA-4541: Enable record types for all Business customers.
Bug Fixes
KL-102: Japanese email invite issues with HTML template.
KL-101: Azure Log Analytics endpoint wrong in the Azure GovCloud region
KL-104: ARAM events not being triggered for Secrets Manager events.
Fixed: Device verification must be forced on.
Fixed: SCIM group provisioning is unsuccessful.
KA-3300: 2FA users who enter a "0" leading their area code during setup, don't receive SMS messages
KA-3267: SCIM PATCH add username exception in production log
KA-3953: User receives an error message in attempt to empty their trash (AU accounts)
Azure Functions
For Azure Functions, you'll need to generate a new config.json file from Commander and then upload the file to Azure.
See the link below for step-by-step instructions to update the Azure function config file:
Resolved SSO login when a user is moved into a subnode within the sub-node of the same tree.
KA-3351: user_account_summary error
KA-4378: If you have an existing MC that is the basic plan and then upgrade it to the Plus plan the BreachWatch and ARAM is not being added to the MC. If you down grade the MC from plus to basic they are getting the getting the add ons added when they should not.
KA-3965: Imported users from CSV are receiving email invites even if "disable invites" selected
KA-4106: No email is sent when account recovery is disabled
KA-4305: Partial email and name searching is not working in Share screens
KA-4405: Team-role mapping of Secrets Manager permissions not working
KA-3292: Allowing Libya and Iraq IP address ranges to access the Keeper service
KA-3439: EU SSO Cloud user who attempts to login from the Desktop App with their email address is routed to Device Approval screen rather than their IdP
KA-3435: In an attempt to switch account after an account logout prompts user to update their password
KA-3485: Fix to change Enterprise storage expiration to license expiration date
KA-3430: Inviting a reserved domain user triggers an incorrect error message
KA-3433: iOS devices do not receive "device_locked" push notifications from admin tool
KA-3436: When providing the 6-digit code from an account that is using DUO, the response displays an error
KA-3460: SAML validation errors are incorrectly being logged
KA-3447: A log error is generated when deleting a role or privilege
KA-3464: Forgot Password flow is generating several error messages
KA-3477: SQL error is generated in "ChangeMasterPasswordCommand"
KA-3480: Command returns an invalid session token type for expired Unlimited account
KA-3281: Enterprise tool search functionality is not working as expected
KA-3489: Login fails for SSO On-Prem users when IP auto-approval is turned off, or if it's ON and new IP / Device
Backend API Version 15.0.12
Released September 5, 2020
Bug Fixes
KA-3265: EU users logging into US are not properly routed to the appropriate region
Backend API Version 14.7.9
Released on August 16, 2019
Bug Fixes
Free Breach Scan emails not sending to existing paid subscribers. Fixed.
Enterprise invite re-sending to users on expired licenses. Fixed.
Backend API Version 15.1.2
Released December 31, 2020
Improvements
KA-3705: Allow sync_down on iOS and Android v15 for expired users
KA-3703: Silence alerts to iOS that contain an empty message
KA-3699: Return success on recognized device on register_device_in_ region
Bug Fixes
KA-3704: Users unable to adjust the logout timer
Backend API Version 16.0.6
Released on May 19, 2021
Bug Fixes and Improvements
KA-4012, KA-3596, KA-4015:
Resolved several Sharing and Emergency Access related API calls to eliminate all possible enumeration attack vectors on Login V3. Also resolved confusing error messages and popups within the application when handling the sharing handshakes between users.
Note that in order to share records between users, a sharing relationship must first exist and be established. In the case of Enterprise accounts, a sharing relationship between users already exists. A share relationship must be established manually for all consumer users and Enterprise-to-consumer accounts, or Enterprise users between different tenants.
KA-4004, KA-4006, KA-4023: Added additional push notifications and auto-syncing to the Admin Console for MSP tenants to trigger instant updates when MC license changes occur, and for Vault Transfer actions.
KA-4052: Resolved issue where linked Family Plans are not getting enough family member licenses added.
Backend API Version 14.9.12
Released February 3, 2020
Subsequent release 14.9.13 is also included in the following release notes.
Bug Fixes
Fixed: Issue preventing MSP admin from logging into Managed Company if assigned a role that enforces 2FA at every log in.
Fixed: Some EU users unable to successfully login after updating their email address.
KA-3508: start_login returns error after biometric login attempts to Cloud SSO accounts
KA-3512: Keeper Push does not work in attempt to enable 2FA in EU SSO Cloud account
KA-3513: A user is unable to login with SSO Cloud after being moved to an SSO node with the precondition that the user has not first logged in with their Master Password
KA-3519: A pending Enterprise user in an attempt to login to the vault receives an invalid account creation email
KA-3520: Recent Activity in account summary is missing iOS sync
KA-3521: The browser extension logout timer uses the timeout value set within the vault
KA-3509: Log Error, NPE in getManagedEnterpriseInfo
Backend API Version 14.2.0
Released December 27, 2018.
Enhancements & Benefits
This release contains minor bug fixes and several new backend features.
Added support for upcoming Advanced Event Reporting & Auditing system
Added additional API throttling monitoring and abuse prevention measures
Translation changes
Known Limitations
None
Bug Fixes
Duplicate shared folders returned in certain situations
Removed deleted record metadata when no record references found
Coming Soon
Version 14.3.0: Major release with over 20 tickets, containing bug fixes, new features and general backend improvements affecting all client applications.
Backend API Version 16.2.15
Released on Dec 8, 2021
Bug Fixes
KA-4388: Changing email address in the vault doesn't update immediately on the Console when clicking Sync
KA-4328: Compliance Report bugs when a record is shared to another Enterprise tenant user.
KA-4393: Compliance Report needs to include consumer accounts when a record is shared externally.
KA-4121: Marking a node as isolated from Commander not working
KA-4425: Previous email verification links are not expiring after generating a new one from changing email address.
KA-4118, KA-4424: Email rate limiting
KA-4471: Some users are not found by SCIM GET query
Improvements
KA-4304: Added additional helpful security information in the "Share" notifications sent through email. The Record UID, Location and device name of the sender is provided.
KA-4389: Provide Team/Group Display Name in SCIM user group queries
Backend API Version 16.1.3
Released on Aug 31, 2021
Bug Fixes
KA-4235: Deleted users get "Unable to connect" after attempting to re-register
KA-4204: Deleting pending invited users causes errors when re-adding the user
Backend API Version 16.3.2
Released on Jan 25, 2022
Features & Improvements
KA-4153: Support for Webauthn and migration from U2F to Webauthn
KA-4507: Support for nested SSO nodes
Backend API Version 14.12.5
Released May 15, 2020
Bug Fixes
Fixed: Domain name not provided in login error message for SSO.
Fixed: Error message received when attempting the "Forgot Password" flow.
Fixed: Internal server error on add users for SCD Provisioning
Backend API Version 14.7.7
Released on Aug 9, 2019
Bug Fixes
IP throttling too aggressive, adjusting to prevent false positive.
Some customers unable to accept Enterprise invitation. Fixed.
SCIM messaging from Centrify returning 404 errors. Fixed.
Backend API Version 15.0.20
Released September 22, 2020
Bug Fixes
KA-3359: Correct SSO accounts transition from pending_enterprise_user to enterprise_user
KA-3358: send_email_verification link is being rejected
KA-3271: Deleting user from v10 admin tool doesn't fully delete user
KA-3233: Error message is received when a new user attempts to accept and create a family account via email invite's deep link.
Backend API Version 15.0.31
Released on November 13, 2020
Improvements
KA-3553: Improved performance for SCIM filter by external ID
KA-2571: Validate a user's domain when an enterprise is created or when an enterprise user is added
KA-3583: Restrict Admins from adding teams with missing encrypted_team_key
Bug Fixes
KA-3448: Admin is able to invite a user to an enterprise when the user exists in a different region
KA-3273: Implemented prefix-based SCIM role mapping
KA-3214: Support signature embedded in the SAML response
KA-3210: Role enforcement created to disallow v2 clients
KA-3133: Without recovery data, removing a user from Cloud SSO node is prevented
Bug Fixes
KA-3343: Azure email formatting causes SSO to throw exception
KA-3332: Database error received during enterprise_delete
KA-3329: In attempt to delete SCIM user, user is locked instead of deleted
Backend API Version 14.9.0
Released November 28, 2019 | December 13, 21 & 23, 2019 | January 2 & 27, 2020
Subsequent releases 14.9.1, 14.9.2, 14.9.3, 14.9.4, 14.9.5. 14.9.6 14.9.7, 14.9.8, 14.9.9, 14.9.10 and 14.9.11 are also included in the following release notes.
Features & Benefits
Enabled IP range based MFA prompt rules (NCINO).
KeeperApp now responds to "/api" prefaced commands.
Support for LogRhythm SIEM provider.
API implementation for node to Managed Company conversion.
Bug Fixes
Fixed: "Bad_request" error message received on login containing ".con" in email field.
Fixed: Error occurs when user links a record from one shared folder to another.
Fixed: Text key visible in error message when a user attempts to add a record to the same shared folder it already resides in.
Backend API Version 14.12.0
Released April 24, 2020
Features & Benefits
Team Roles - This release introduces a major improvement geared toward increasing the efficiency of managing role enforcements. Enterprise Admins now have the ability to manage enforcements more precisely by assigning teams to roles. Furthermore, a user who is a member of a team assigned to a role will assume the enforcement of that given role.
Master Password Re-entry Enforcement - This role enforcement allows Admins to further enhance their security policies by requiring users to re-enter their Master Password in order to unmask or copy a password. Once unmasked, the password will be re-masked after 30 seconds have passed.
Account Transfer Improvement - A transferred account will be replicated in its structure and content and all data will be housed in a dedicated transfer folder that includes deleted records and record history.
Web Vault & Desktop App Import Prevention- This role enforcement allows Admins to restrict users from importing data from the Web Vault and Desktop App.
Bug Fixes
Fixed: Issue requiring an update of Google's phone number parser library to v8.11.3.
Fixed: Users are denied access when moving a record within a shared folder containing restricted team sharing capabilities.
Fixed: Business to MSP conversion fails for nodes that contain account transfer roles.
Backend API Version 14.8.2
Released November 15, 2020
Features & Benefits
Creation of new API to send email verification link.
Bug Fixes
Fixed: Root Admin receives intimate spinner in attempt to log into Managed Companies located in a sub node.
Fixed: Body of Japanese and German welcome emails for Keeper Business accounts are not translated.
Fixed: Records that are deleted from a shared folder are displaying incorrect deletion dates in Deleted Items folder.
Backend API Version 16.0.4
Released May 10, 2021
New Features & Improvements
Windows Hello Role Enforcement PolicyRole policy for admin to prevent their users from enabling Windows Hello Login. This will launch with the next Admin Console.
Bug Fixes
KA-3989 and others: Support for Quick and Full sync methods in the Admin Console
KA-4016, KA-4021, KA-3988, KA-3987: Improved Session timeout handling with Browser Extension and Desktop Apps
KA-3970: AU user receives and error message when attempting to empty their trash
Backend API Version 14.11.0
Released March 30, 2020
Subsequent release 14.11.1 is also included in the following release notes.
Features & Benefits
API implementation allowing Enterprise Admins to disable 2FA for their users so they no longer have to contact support to do so.
Admins able to set a role enforcement preventing users of the browser extension to enable Auto Submit and Prompt to Fill features.
Bug Fixes
Fixed: DUO 2FA experiencing intermittent failures.
Fixed: Push server is not re-registering after a fail to connect to database and is removed from database table too quickly preventing users to successfully login.
Fixed: Error received when converting nodes to Managed Company if user data is present.
Backend API Version 16.0.8
Released on Jun 25, 2021
Bug Fixes
KA-4097: Australia data center unable to perform Vault Transfer
KA-4077: Support RFC7159 "Accept: application/json" and "Accept: application/scim+json"
KA-4078: Support for Account Recovery of expired free users.
KA-4055: Support for Account Recovery of SSO users with clients implementing Login V3
KA-4103: Vault login not properly redirecting the user to the proper datacenter upon clicking on the device approval link.
Improvements
KA-3800: Implemented Role Enforcement policies for Record Type creation
KA-4074: Improved Session Invalidation upon the following events:
Changed 2FA
Backend API Version 14.7.11
Released on September 21, 2019
Features & Benefits
Text Message 2FA codes now include the platform requesting the code (Web Vault, Desktop App, iOS, Android, Console, etc...)
Updated template content for default Enterprise invitation
Support for Yubikey 5Ci Hardware Security Key
Bug Fixes
Fixed: Account recovery flow when customer attempts recovery in wrong geographic data center
Fixed: Admin is unable to delete a user having many record revisions
Fixed: Cannot create a family plan if once was admin of a family plan
Subsequent releases 14.7.12, 14.7.13, 14.7.14 and 14.7.15 resolved the following bugs:
Fixed: Issue decrypting old device session tokens
Fixed: Custom email templates reverting to default template in certain sub-nodes
Fixed: Personal license validation link produces 404 error
Security Updates
Prevent external SIEM host connectivity test misuse by enumerating ports on the local network
Backend API Version 15.0.9
ETA for release: Sept 8, 2020
The Backend API version 15.0.9 release is focused on Login V3 and SSO Cloud APIs.
KA-4469: Record Type link changes doesn't sync to affected users
KA-4737: Record Type does not support record larger than 32kb
Backend API Version 16.2.8
Released on Oct 18, 2021
Bug Fixes
KA-4220: GovCloud Email device approval link broken
Backend API Version 14.4.0
Released on March 14, 2019
Enhancements & Benefits
Ability to login to Keeper when offline and SSO is unavailable, on the Web Vault and Desktop App. In this use case, the Keeper Admin enables the feature from the admin console role enforcement policy. This feature is disabled by default. It will only appear as an option within an SSO-enabled node.
Backend API Version 16.3.4
Released on Feb 23, 2022
Bug Fixes
KA-4391: Shared folder 'Can Manage Users' should restrict editing default permissions for an Admin outside of their node
Backend API Version 16.5.1
Released on May 2, 2022
Features
Added new policy for requiring Self Destruct (REQUIRE_SELF_DESTRUCT)
Backend API Version 16.6.x
Released Sept 2, 2022
Bug Fixes
KA-4892: Share Admin implementation for Managed Companies
Backend API Version 16.8.x
Released on Nov 23, 2022
Features
KA-4917: Add support for new SIEM providers: Datadog, Logz.io, Elastic
Backend API Version 16.4
Released on April 4, 2022
Bug Fixes
KA-4647: SMS delivery issues
Backend API Version 16.2.0
Released on Sep 16, 2021
Features
Support for the new Compliance Reports feature which goes into Beta
Learn more:
Backend API Version 14.7.8
Released on Aug 16, 2019
Features & Benefits
Enterprise end-user invitations are now sent once every 48 hours to maximize user adoption. Previously sent email invitation codes are invalidated by the most recent code.
KA-3534: Log Error - NPE in SharedFolderUpdateCommand
KA-3491: A server error is generated while editing MSP user's name and email
KA-3493: User with region issues generates log error
KA-3407: Android users are prompted twice for code during 2FA setup
KA-3540: Cloud SSO IdP-initiated login URL is not displayed as expected
KA-3549: Cloud SSO does not return an error to the user if a bad IdP metadata XML file is uploaded
KA-3394: BreachWatch and Security Audits reports are not updating as expected
KA-3555: Log Error - ArrayIndexOutOfBounds in CreateAccountController
KA-3556: Log Error - NPE in ManagedNodePrivilegeRemoveCommand
KA-3554: Network error calling kinfo when user already exists locally
KA-3568: KeeperApp should prevent active SSO connections from being deleted
KA-3571: Errors are generated when a user attempts to approve existing devices via Keeper Push
KA-3573: Requests are not removed from Approval Queue once approved by Admin
KA-3301: Master Password re-entry fails for biometrics
KA-3284: get_user account_information fails to return pending devices
KA-3264: Prevent account enumeration via 2FA throttle
Fixed: An issue blocking clients that don't send in a user agent.
Fixed: An issue causing BreachWatch API to reject IE submissions.
Fixed: Crash occurs during login to various Managed Company accounts.
Fixed: User receives an SSO error message after they are moved out of an SSO for the purpose of recovering their Master Password.
Fixed: SSO new user/device access check initiates for SSO Connect >14.1.3.
Fixed: When enabling account transfer permissions and enforcement, the MSP loses the ability to launch into the Managed Company.
Fixed: Unable to move Managed Company to sub nodes without errors.
Fixed: Issue preventing imported records from inheriting the default folder settings.
Fixed: MSP receives "missing_keys" error when attempting to assign a user to a role with administrative permission.
Fixed: Error message displaying key values is received in Enterprise Console when a user attempts to add SCIM provisioning method to the Bridge.
Fixed: Support for enterprise client tool version.
Fixed: Managed Companies are duplicated when filtered by node.
Fixed: Some users in SSO nodes are unable to login as expected.
Fixed: "Added Shared Folder" events only appear under the "Added Folder" event type in ARAM.
Fixed: Adding a user to a shared folder does not send record meta data.
Fixed: Translation keys visible in some Enterprise customer email invitations.
KA-3971: Enterprise transactions are being duplicated
KA-3976: Quick syncs are not correctly sending license information for purchased add-ons
KA-3987: Logging into the vault then using using the BE, fails to reset the idle timeout
KA-3988: Logging out after the session token is expired generates an error
KA-3994: Managed Company data is incorrect on full syncs
KA-3995: Attempt to pause a Managed Company fails
KA-4005: Unable to delete a user in the AU data center Admin Console
KA-4003: Throttling error contains "XXX" in the response message
KA-4014: Okta SCIM error - invited user is not deleted on PATCH message
Fixed: MSPs unable to pause Managed Companies as expected.
Fixed: Issue causing the new push servers to incorrectly handle the DNA push token.
Fixed: "auth_failed" appearing in Admin Console due to invalid session token detection when outbound IPs are load balanced.
Fixed: Spaces in 2FA backup code result in "server_failure".
Change master password
User locked by Enterprise Admin
User locked by Keeper Support
Device locked by Enterprise Admin
Enterprise user deleted
User deleted via SCIM
Enterprise deleted
MSP managed company deleted
MSP managed company removed
KA-4080: In case of downstream SMS 2FA provider failure, Keeper can offer support for email delivery of 2FA codes.
Fixed: User is member of a Team and can receive shares in Shared Folder, but not add the Team to a Shared Folder.
Fixed: Shared folders in Account Transfer do not retain permissions.
Resolved: Prevent user from linking a personal license to existing business license from a different data center region.
Fixed: Removing a favorite from a record does not sync with other platforms.
Fixed: SCIM provisioning failing with 400 error
Fixed: Free Data Breach Scan in EU region generating confusing error message
Fixed: Hyperlink to signup from SSO-provisioned user inside email template generated 404 error
Translation fixes regarding certain new role enforcement policies
Record "delete" events not logged when deleted from root user folder
SCIM triggers email to admin if the max number of licenses has been exceeded
KA-3798: New "Share Report" API for Vault and Commander SDK
KA-3627: Adding an alias for an SSO user fails
KA-3027: Issue causing transferred records to have two owners
KA- 2672: "Removed record permission" event fails to be triggered
KA-3827: Transferring an account can create a "read only" owned record
KA-3767: Unable to logout from SSO Cloud if there is no IdP session id
KA-3842: Commander times out after 30 days
KA-3027: Transferring a record, the new owner deletes the transfer record, went to the original owner's trash can.
KA-3827: Transferring an account can create a read-only owned record.
KA-4992: Various security updates from CodeQL findings
KA-5094: Null pointer exception during update_secret calls
KA-5118: Consolidated event reports are throwing errors in Keeper Commander and UI
KA-3802: Error processing large number of SSO Cloud Admin Approvals
KA-3801: Adding users via customer-specific provisioning method generates Server 500 error
KA-3808: Some records do not return user information in "Last modified" record history information.
KA-3824: New records are not visible to all team members of a shared folder
KA-3790: Denying a Keeper Push via 2FA method caused approval
KA-4752: Errors during onboarding new users on Cloud SSO while migration taking place from SSO On-Prem to SSO Cloud
KA-4760: Azure SIEM export verification issues in GovCloud region
KA-4219: GovCloud Change Email Address function broken
KA-4255: GovCloud Change Master Password email notifications not being sent
KA-4364: Account Transfer of Read Only direct record shares to transferee get elevated permissions (edit/share) for transfer recipient
Features and Improvements
KA-4264: API to convert non-type records to Record Types
KA-4298, KA-4300: Vault Transfer support for Record Types records (in Admin Console)
KA-4316: Better handling of connection timeouts when setting up the Keeper Automator
KA-4350: Added support for Devo (SIEM provider)
KA-4411: Share link invites change the Web Vault interface to the wrong language if the users are set to different languages.
KA-4462: File upload issues with multiple devices open
KA-4144: Custom record type changes not generating instant push notifications
KA-4143: Sending a share invite to a user who is hosted in a different data center is sending the wrong email content
KA-4157: Bugcrowd ticket for rate limiting enterprise invite email
KA-4506: WebAuthn hardware key setup from the Admin Console not functional
KA-4229: Improved Commander "keep-alive" function while using the application to prevent user from being logged out suddenly.
KA-4604: Unable to verify RSA ID
Improvements
KA-4365: Added location information to any email which contains IP address
KA-4144: Added "Login Method" to the ARAM SIEM events so that the Admin knows which method of login was used (SSO, master password, biometrics, alternate SSO master password)
KA-4093: Backend support for new "Stay Logged In" role policy that will allow a Default=ON
KA-4137: Support for Enable Self Destruct role policy
KA-3938: Prevent extra syncing to users when a shared record is simply autofilled
Added support for Keeper Automator 2.0
Bug Fixes
Security updates based on NCC Group pen test
KA-4885: Event record_add not generated if a record is added directly to a shared folder
KA-4912: Incorrect message when deleting a shared-folder-folder
KA-4935: Stay Logged In (persistent login) showing OFF in situations when it's ON
KA-4984: SSO login and logout generates 502 error for some customers
Features
KA-2593: Share Admin feature
KA-4188: Add the owner's email to the ARAM record removal event
KA-4844: MSP to MC Team Sharing
KA-4619: Support for multi-pagination syncing
KA-4832: Support the ability for Keeper Secrets Manager to delete a record
KA-5017: Support for MSP Distributors
KA-5019: Creation of bulk user upload API for Admin Console CSV import
Bug Fixes
KA-5120: Keeper DNA login broken on the Web Vault
KA-4956, KA-5085: Errors from record linking and record history
KA-5096: Email not being triggered when an enterprise runs out of licenses
KA-4275: Remove from All Shares API / Button in the vault throws error
KA-5078: Improved query performance
KA-4726: SSO Connect bug from NCC Group pen test in October 2022
KA-4561: SCIM totalResults is incorrect in some cases
KA-4555: Allow SCIM "filter" param to search users by email
KA-4609: Wrong email template sent when user changes email
KA-4444: Missing ARAM event when user added to a default role
KA-4390: Accepting Enterprise Invite needs to send a Push to console
KA-4657: SCIM fails on user PATCH with emails as an Array
Several other bug fixes
Features
KA-4666: Support for Keeper One Time Share
KA-4676: Support for new role policy to change Stay Logged In default to ON
Updated the formatting, layout and branding of general email templates sent from the backend API in accordance with Keeper's new corporate branding.
Bug Fixes
Duo 2FA setup was not fully activated in some end-user scenarios after first setup. Fixed.
Translations missing in invitations and transfer record dialogs in Admin Console.
Preventing user from changing email address to the same email.
IP Allowlisting with overlapping ranges caused errors. Fixed.
KA-3128: Do not redirect users to incomplete SSO Cloud configuration
KA-3134: Support for Region Redirect on SSO Domain login
KA-3088: Resolve missing Sign On URL in Cloud SSO metadata file for Azure
KA-3147: Throttling configuration for SSO Domain name
KA-3161: Duo Push web socket message not received by vault during account recovery
KA-3163: Changing Keeper SAML SP endpoint from kepr.co to keepersecurity.com
KA-2516: Master Password regex causing loop on iOS devices
KA-3175: Improved throttling on email verification codes
KA-4769: An email in 2 regions may get wrong region link from email invites.
Release 16.5.5 on May 14, 2022
KA-4770: Error creating SSO Connect instance
Release 16.5.6 on May 21, 2022
KA-4773: Improved SAML certificate checking
Release 16.5.7 on May 22, 2022
KA-4776: Emptying trash breaks version 3 record file attachments
KA-4109: Issues with password recovery for SSO users that have only have an SSO Master Password
Release 16.5.8 on May 24, 2022
KA-4778: Login issues with account_summary API are generating long delays
KA-4779: SCD Provisioning errors
Release 16.5.9 on June 8, 2022
KA-4570: Added keeper_fill_auto_suggest policy which controls the Browser Extension "suggestion" feature.
KA-4750: One time share link denied if record is deleted
KA-2620: After a vault transfer, the records were not immediately syncing to the recipient until logout/login.
KA-4788: Fixed email invites during Cloud SSO migration.
KA-4799: Forcing Stay Logged In to ON caused new vault users to error out.
Release 16.5.10 on June 16, 2022
KA-4749: If User A transfers record ownership to User B, then User B deletes the record - it does not appear in the trash.
Release 16.5.12 on July 17, 2022
KA-4863: Scenario where SSO login window closes before the browser extension can process data.
KA-4864: Handling for SSO login browsers where Javascript is not supported, such as with Devolutions integration.
KA-4283: Record Type attachment records or links are not properly restored via revisions or recovery from trash can.
Release 16.5.17 on Aug 12, 2022
KA-4894: Automator communication improved when the device has network failure issues.
Release 16.5.18 on Aug 26, 2022
KA-4933: Support for Domain Aliases. For customers who are changing their email domain for all their employees, they can open a support ticket and we can add a Domain Alias. This prevents any issues when changing emails from the identity provider.
For users who are part of an SSO-enabled node where the Admin has enabled Master Password login, the user will be able to login to the Web Vault and set a Master Password. Note that the Master Password complexity is enforced based on the rules of the role enforcement policy.
Master Password Setup for SSO-enabled Account
When offline mode is permitted by the Keeper Administrator, users can login to the Web Vault in a fully offline situation, or in a network that has no SSO access. Note that in order to make use of this feature, the user must login to the Web Vault on that particular user account at least one time.
If an account is available for offline login, an indicator graphic shows on the login screen:
Keeper Commander can now be utilized on SSO-enabled accounts through the use of the Master Password.
Security Update: We have added new security updates to prevent enumeration attacks against SSO Customer Enterprise Domain names.
We have added several new event types in the Advanced Reporting & Alert module to track the following events:
Alert Created
Alert Deleted
Alert Paused
Alert Resumed
Team Created
Team Deleted
Role Created
Role Deleted
Node Created
Node Deleted
Bug Fixes
Fixed issue where "Just-In-Time (JIT)" provisioning setting was being ignored
Known Issues
Offline mode will not work in Internet Explorer and the mobile version of Safari, due to the limitations of those platforms.
Master Password login for SSO Users
Backend API Version 14.7.0
Released on July 25, 2019
This is a major feature, bug fix, security and performance improvement release.
Features & Benefits
Admins with Team Management permission will soon be able to add other members to a team, even if the admin is not part of the team. NOTE: Front-end implementation of the feature must still be completed on the Admin Console.
Users will receive an email notification when a record has transferred ownership to them.
Vault Transfers performed by the approved administrator will also transfer deleted records. The deleted records will be in the "deleted" section of the destination vault.
Ability to assign free Personal Licenses to Business Licenses (not available for all Business customers).
Created API to provide a list of team members, in order to display the information in the Vault. NOTE: The vault update has not gone live yet.
Created process to periodically ask the customer to review and update their security questions.
Created Backend APIs to support the feature on the Keeper Security Website and BreachWatch services.
Roles can now be provisioned through SCIM (supported by Okta and other identity providers). The Role ID must be provided by the SCIM message.
Notes:
- When a new user is created, default roles will be assigned regardless of what provided in "roles" field.
- Roles with administrative permissions will cause the operation to fail with status 406 ("not acceptable") and "detail": "A role with Administrative Permissions may not be assigned by SCIM."
- To identify the Role ID, this information is will eventually be displayed in the Admin Console, but it can be also seen via Keeper Commander command "enterprise-info":
"Last Modified" in record history will be replaced with the date in which the backup of was created (not last modification date)
Shared records to users outside of the organization will be removed automatically when a "Vault Transfer" of the user account is performed by the admin.
Bug Fixes & Performance Improvements
Stop sending share invites between Enterprise users, as this is not needed.
Repaired the "Change Email Address" flow from certain clients, in which the verification email was not being sent properly.
Emergency Access not honoring the desired wait time in certain cases.
Backend API Version 16.8.12
Released on Feb 27, 2023
Security Updates
KA-5165: A change was made to prevent users outside of the SSO-enabled node to login with the designated SSO provider. If you have users experiencing issues logging in, ensure that the user has been provisioned to an SSO-enabled node. From the Admin Console, edit the user profile and select the proper node from the node tree drop-down.
Bug Fixes
KA-5219: Sharing enforcement policy not working on Team-Role mapped users
KA-5204: Account Transfer failing for users with all "general" record types
KA-5248: Unable to delete a pending enterprise invited user from the console
Backend API Version 14.5.0
Released on April 23, 2019
New Features & Benefits
Node Isolation Option for MSP Customers
The Keeper Backend now as the ability to enforce Node Isolation for business customers. When "Node Isolation" is activated, users and teams that show within Share screens on the vault are limited to parent and child nodes. This feature is built for MSP customers who configure each node in the Keeper Admin Console as a separate end-customer account.
In the example below, if Node Isolation is activated on the West Coast node then:
Users in "Developers" are able to see other users and teams up in Developers, West Coast, Regions, Engineering and Craig Lurey LLC.
Users in "Developers" are NOT able to see the users and teams in "East Coast" or "Sales", since those nodes are in parallel tree paths.
On the Vault, the screens affected by this change are the "Shared Folder" and "Record Share" screens:
To activate Node Isolation please contact us
Other Improvements
Migrating from Google Cloud messaging (GCM) to Firebase Cloud Messaging (FCM) for Android platforms.
During Vault Transfer / Account Transfer, team permissions are also transferred now.
Optimization for syncing a large number of folders and records, when team permissions and individual user permissions overlap the same records. Duplicates are removed from the sync down response which decreases the overall encrypted package size.
Bug Fixes
Fixed "record key already encrypted with datakey" error which occurs randomly
German translation improvement (backend errors and success messages)
Coming Soon
The next Backend API 14.6.0 release will support BreachWatch for Business.
Backend API Version 15.0.21
Released September 29, 2020
Enhancements & Benefits
KA-3387: Logic changed for session persistence
KA-5255: Transfer Records sends one email per record
KA-5274: Compliance reports generating 500 error for some environments.
KA-5297: When a shared folder is shared via a team, the sync response does not include team data that is needed to decrypt the shared folder. This is occurring in both partial and full syncs.
KA-5257: IP whitelist ranges are limited in the total number of ranges. The number of ranges needs to be increased.
KA-3381: Biometric count and date enforcement removed
KA-3207: Various Enterprise customer invite fixes
Backend API Version 14.8.1
Released November 1, 2019
Bug Fixes
Fixed: Various visual updates to email verification messages.
Fixed: Japanese record sharing popups are not translated.
Fixed: Issue causing push notification of email change to not be received by client.
Created an optimized "import" backend API for record import
KA-5090: Added role enforcement policy MAXIMUM_RECORD_SIZE to restrict overall Keeper record size. To enforce this policy, please use the Keeper Commander CLI or open a support ticket. When enforced, if the user attempts to create a record with a size greater than the allowed amount, the user will receive the following error message:
KA-4853: Email alias API for Admins. In a future update, the Enterprise Console will allow the Keeper Admin to create an email alias for a user within the organization. This can also be accomplished with Keeper Commander using the enterprise-user --add-alias feature
KA-5091: Added policy to prevent sharing to a user outside of an isolated node. The enforcement policy code is RESTRICT_SHARING_OUTSIDE_OF_ISOLATED_NODES and this can be set from Keeper Commander's command.
Records deleted from Shared Folders are difficult for participants to locate, if there are many people who manage a shared folder. They are forced to look in everyone's "Deleted" trash bin, which is not practical. We have implemented new backend features to view and restore deleted shared records.
New ARAM events associated with this feature are below.
New Event
Description
The front-end support for viewing deleted shared records are planned in an upcoming Web Vault and Desktop App release.
Bug Fixes
KA-4755: IdP-initiated account creation fails when the Vault Transfer policy expiration time has expired.
KA-4888: Missing ARAM event when changing the name of a Managed Company
KA-4786: Records moved out of a shared folder are still showing the "Share" icon in the UI
Improvements
KA-4937: Added throttling on SAML requests via SSO Cloud to prevent spamming. By default, the throttling logic is > 10 requests within 10 seconds. If 10 seconds passes since last request, the count resets. When throttled, response will be a 403 with a message indicating throttling.
KA-4919: Added additional throttling on Keeper Secrets Manager APIs including add_file, create_secret, delete_secret, update_secret, get_secret.
KA-5175: New and improved "welcome" emails when signing up with a trial or purchase
My Vault> enterprise-info --roles
Enterprise name: Craig Lurey LLC
Role ID Name Cascade? New User? Node
-------------- -------------------- ---------- ----------- ---------------------------------------------------------
47377784242422 Administrator Craig Lurey LLC\Finance
47377784242415 Administrator Craig Lurey LLC\Legal
47377784242418 Administrator Craig Lurey LLC\Contractors
47377784242533 Agent Manager Craig Lurey LLC\Agents
KA-4945: Created a new API to View and Restore deleted shared records for all participants.
KA-4428: Enforcement to restrict sharing when a file is attached did not take into account editing the record after initial creation.
KA-4809: Removed ARAM event that was not implemented
KA-5027: User and team searches in sharing auto-suggest UI had bad matches for some search strings
KA-5038: Compliance report is not displaying correctly for Share Admin who gained access to a record from a team.
KA-5117: Duplicate email being sent on account creation
KA-5114: Invited users showing in user criteria filter in Compliance Reports
KA-5112: Transfer Account feature can sometimes cause a transferred record to set the wrong permissions on the record, and sometimes create duplicate records.
KA-5093: If you log in with the an admin assigned to the Keeper Admin role and attempt to move yourself to any other node you are presented with an error that states “you may not move yourself into an SSO-enabled node. Please contact keeper for assistance.
KA-5023: If an SSO Cloud user is deleted from Enterprise console, logging into Android via IDP no longer properly onboards the user (an error dialog appears, user is unable to progress).
KA-4543: Error on Android devices when onboarding through SSO Cloud
KA-5193: Team member is able to incorrectly delete a Shared Folder without proper levels of permission.
KA-5187: on Keeper Secrets Manager: record can be created with read-only app permissions.
KA-5145: At the request of customers, we have removed MSP Share Admins from the Managed Company's sharing autosuggest list.
shared_folder_restored
User ${username} restored shared folder UID ${shared_folder_uid}
shared_folder_record_restored
User ${username} restored record UID ${record_uid} in shared folder UID ${shared_folder_uid}
shared_folder_folder_restored
User ${username} restored shared folder folder UID ${folder_uid}
shared_folder_folder_record_restored
User ${username} restored record UID ${record_uid} in shared folder folder UID ${folder_uid}
