Released on July 23, 2025
Keeper Connection Manager 2.20.0 includes several important updates. Please read through the full release notes prior to upgrading. The updates include:
Required Action: Download the latest version of the kcm-setup.run script:
kcm-setup.runIf you have not modified your own docker-compose.yml since installing KCM, you can apply these changes automatically by:
Downloading the latest copy of kcm-setup.run from Keeper Security.
Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.
Running sudo ./kcm-setup.run reconfigure to regenerate docker-compose.yml.
docker-compose.ymlIf you have modified your own docker-compose.yml, these changes require some manual editing of docker-compose.yml to point the “guacd” container at the new profile:
Downloading the latest copy of kcm-setup.run from Keeper Security.
Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.
Editing /etc/kcm-setup/docker-compose.yml, adding an additional "apparmor:..." option to the security_opt
Running sudo ./kcm-setup.run apply to apply these latest changes from docker-compose.yml.
Only if necessary, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:
The profile should then be copied beneath /etc/apparmor.d so that it is automatically loaded on boot:
The new profile can then be loaded either by rebooting or by manually running apparmor_parser:
Important notice regarding Ubuntu Docker Installations
Do not use the docker.io package provided by Ubuntu. Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.
Instead, use the official Docker packages provided by Docker themselves:
As long as Docker isn’t already installed, kcm-setup.run will install the official Docker packages automatically. This can be an easy method to both install KCM and the proper version of Docker.
With CentOS 7 having reached end-of-life in June 2024, and with RHEL 7 having reached end-of-maintenance at the same time, KCM will no longer provide EL7 builds. This means that the previous release (KCM 2.19.3) will be the last release with an EL7 build and KCM 2.20.0 will be the first release without EL7 support.
Users that are maintaining RPM-based installations of KCM but are still using RHEL 7, CentOS 7, or another EL7-derivative should upgrade to EL8 when possible so that they can upgrade to KCM 2.20.0. Support for EL9 and EL10 will be coming in future releases.
KCM-404: Add support for ignoring self-signed HTTPS certificates
Remote Browser Isolation (RBI) is strict in its enforcement of SSL/TLS certificate validation. If it is known that the domain of the initial URL of a connection has a self-signed or otherwise invalid certificate, and administrators wish to allow access to that server through RBI despite the invalid certificate, certificate validation can now be bypassed for the initial URL.
NOTE: This validation bypass affects only the domain of the initial URL. This means that bypassing SSL/TLS validation will not have any effect if:
There is no initial URL (the administrator leaves this connection parameter blank).
The domain with an invalid certificate does not identically match the domain of the initial URL (as may be the case if redirects are involved).
KCM-405: Allow connection clipboard limits to be configured
The clipboard within KCM has historically been limited to a maximum of 256 KB. If users will possibly need to copy larger amounts of data through a connection, this limit can now be overridden by the administrator on a per-connection basis.
KCM-433: Support certificate authentication for SSH
For SSH servers that require certificate authentication, KCM now accepts a public key parameter in addition to the private key parameter that would otherwise be sufficient. The public key that was signed by your CA should be provided with this new parameter.
KCM-390: RBI connections may fail when loading YouTube Shorts KCM-396: Allowed URL Patterns list truncated without warning KCM-410: Autofill for KCM fails with a sufficiently large "autofill-rules.yml" KCM-413: RBI freezes when attempting to input Japanese KCM-417: RBI autofill of TOTP may cause memory error KCM-419: RBI autofill cannot be used with Cloudflare login + reCAPTCHA KCM-425: Touch interaction does not work in RBI on iPad KCM-431: RBI autofill interferes with manual interaction KCM-435: RBI cannot be used to log into Google services
KCM-399: Binary column data may disrupt terminal output of MySQL connection KCM-437: KCM terminal emulator can become garbled when "vim" is used
KCM-380: KSM integration cannot be used on a RHEL system with FIPS mode enabled KCM-386: guacamole-db-mysql image appears to be broken on aarch64 KCM-392: Guacamole webapp warns "expected language resource does not exist" for Polish KCM-400: Mysterious "0:00" timestamps appear in the middle of keystroke logs KCM-403: Session recording playback heatmap broken for short videos KCM-411: File upload progress bar completes before file is fully uploaded KCM-426: KSM static token mapping does not work with a per user config KCM-427: Recording playback sometimes freezes KCM-439: __guac_wol_send_packet() uses incorrect structure for IPv6 address
KCM-453: Update third-party dependencies of KCM
curl -O https://keepersecurity.com/kcm/kcm-setup.runsecurity_opt:
- "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
- "apparmor:guacd-apparmor-profile"sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profilesudo cp guacd-apparmor-profile /etc/apparmor.d/sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile