The Keeper Admin Console is a web-based application for Business, Enterprise and MSP administrators to manage their Keeper deployments.
Early access Preview (pre-release) Keeper Admin Console
In order to access the Keeper Admin Console preview, please use the below links:
US: https://keepersecurity.com/console/preview
EU: https://keepersecurity.eu/console/preview
AU: https://keepersecurity.com.au/console/preview
JP: https://keepersecurity.jp/console/preview
CA: https://keepersecurity.ca/console/preview
GovCloud: Preview not available
If you encounter any issues with the preview, please email feedback@keepersecurity.com.
Released on July 5, 2023
EM-5804: Implemented RESTRICT_IMPORT_SHARED_FOLDERS enforcement to restrict importing LastPass shared folders from the desktop application.
EM-5701: The "Last login" data was empty in the user status report on the Admin Console when there are more than 1,000 users.
EM-5770: There were times when logging into the Admin Console did not approve pending team users. The user had to click on “Full Sync” in order for the users to be approved.
EM-5685: Pagination selector on user list goes off the screen
EM-5610: In the Compliance Reports section, the Admin is able to click the "save" filters button multiple times and have a filter created for each click
EM-5838: In GovCloud region, activating Secrets Manager rotation policy generates white screen.
Various language and UI fixes
Released October 8, 2024.
The Security Audit tab of the Admin Console has been updated with a fresh new design that makes it easy to identify areas that need your attention.
The Overall Security Score calculation logic is unchanged and features prominently at the top of the Security Audit tab. The security areas that factor into the score (strong record passwords, unique record passwords, and 2FA status) are shown as separate cards below the Overall Security Scores. If a card is at a 100% score (all records have strong passwords, no reused passwords exist, or 2FA is enabled for all users), the card will be in a collapsed state. Otherwise, the card will be expanded to include additional details.
The user details table now has four Record Password strength categories that match the Vault: Weak, Fair, Medium, and Strong. The table is sorted by default on the users’ overall Security Audit score, showing users with the lowest Security Audit score first. You can reverse this sort order or sort instead on the user's name, password strength, reused passwords, or two-factor method.
Additionally, you can filter the table on the following fields:
Record Password Strength: Strong, Medium, Fair, or Weak
Unique Record Password: Reused or Unique
2FA: Text Message, Authenticator App (TOTP), Smartwatch (KeeperDNA), Security Keys, RSA SecurID, Duo Security, or No 2FA
This release provides administrators an easy way to refresh security scores on the UI without having to log out of the Console and log back in. The ability to refresh scores is useful when the admin is expecting users to log into their Vaults to have their latest security scores sync with the Console. When the user has logged into their Vault, the admin needs to simply click the Refresh Scores button to sync the latest scores to the Console.
Administrators can now easily reset security scores from the UI if the scores have gotten out-of-sync with user Vaults. The administrator can either reset scores for the entire enterprise using the Reset Scores button on the Security Audit screen or for specific users. Please note that only Root Admins can reset the Security Audit score.
The Reset Scores button on the Security Audit screen will reset scores for the entire enterprise. Once the scores are reset, users will need to log in to their Vaults for the scores to sync to the Admin Console due to the constraints of Keeper’s Zero Knowledge architecture.
Alternatively, the administrator can navigate to the User Details modal and select Reset Security Score under User Actions to reset individual users' Security Audit scores. As is the case with performing an enterprise-wide score reset, once the scores are reset, the user will need to log in to their Vault for the scores to sync to the Admin Console due to the constraints of Keeper’s Zero Knowledge architecture.
EM-6734: Fixed an issue that would cause the browser to crash for large Security Audit datasets
The Security Audit screen does not load security data for some users due to the browser not detecting the updated Admin Console version. Please follow the browser-specific steps below to clear site data to resolve this issue.
Released on Mar 21, 2024
This release provides several bug fixes and UI improvements to business and enterprise customers.
New Console Onboarding experience that enables Keeper Administrators to get up and running quickly and easily
Refreshed UI for the following areas:
Nodes
Users tab, table, drawers
Roles tab, table, drawers
Teams tab, table, drawers
2FA tab, table, drawers
Provisioning tab, table, drawers
Various Console usability improvements, including:
Additional Identity Providers available in Single Sign-On settings
New edit button directly on Cloud SSO page
Edit provisioning settings by clicking anywhere in the row
Email is now displayed in user list dialogs
New copy button next to email in user dialog
Added status for Transfer Policy acceptance in user detail dialog
Added status for 2FA in user detail dialog
Role name is now shown in upper left corner when editing role policies
Users are now sorted alphanumerically in role listing
Implemented a prefix based mapping for SCIM groups to roles
Added ability to duplicate roles
Improved consistency of inactivity logout timer settings
Added enforcement policy to prevent role duplication
Added enforcement policy to require PIN for security keys
Gradient MSP PSA Billing integration is now available to distributors
KA-5666: Fixed an issue with calculating KSM usage by tier
EM-5756: Fixed an issue that caused objects with long names to be excluded from search results
EM-5802: Fixed an issue with displaying ARAM alerts for expired/inactive licenses
EM-5843: Fixed an issue that caused deleted roles to continue to be displayed within user details pages
EM-5588: Fixed an issue that caused unlinked data to remain in the database after deleting role enforcements
EM-5944: Fixed an issue where CSV downloads were susceptible to code injection in older versions of Excel that have Dynamic Data Exchange enabled
EM-5257: Fixed an issue that prevented notifications from appearing in the console when 2FA is disabled for a user
EM-6131: Added more detail to the error message displayed when attempting to add a user with an email address that has already been used
EM-5782: Fixed an issue that caused admins to be prompted for approvals in incorrect nodes
EM-6092: Added page number to screens with multiple page results
EM-6045: Fixed an issue that caused incorrect navigation when adding a recipient to an existing alert
EM-6074: Admins can now update settings for active SIEM integrations
EM-6185: Improved hardening against MITM attacks
EM-6234: Updated the behavior of dependent enforcement settings to actually change related settings along with disabling the dependent UI elements
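For EM-5944 above: a common mitigation for CSV formula injection is to mark cells that begin with a formula trigger character as text before export. The sketch below is an added example, not Keeper's code or its actual fix; the function names and sample rows are constructed for illustration.

```javascript
// Added example (not Keeper's code): neutralise formula triggers in CSV export.
// Function names and the sample rows are constructed for illustration.

// Leading characters that make spreadsheet applications evaluate a cell
// as a formula (the same route DDE-based injection relies on).
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

function neutralizeCell(value) {
  if (value === null || value === undefined) return "";
  // Real numbers cannot carry a formula, so -5 stays -5; only strings are escaped.
  if (typeof value === "number") return String(value);
  const text = String(value);
  // A leading single quote tells the spreadsheet to treat the cell as plain text.
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]) ? "'" + text : text;
}

function quoteCsvField(text) {
  // RFC 4180 quoting: wrap fields containing comma, quote, CR or LF and
  // double any embedded quotes, so a crafted value cannot start a new cell.
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

function toSafeCsv(rows) {
  return rows
    .map((row) => row.map((cell) => quoteCsvField(neutralizeCell(cell))).join(","))
    .join("\r\n");
}

// Constructed sample: user-controlled fields (name, team) reach an admin report.
const sampleRows = [
  ["Name", "Email", "Team", "Failed logins"],
  ["Alice Example", "alice@example.com", "Ops", 0],
  ["=1+1", "bob@example.com", "@SUM(A1:A2)", -5],
  ['Carol "CJ" Example', "carol@example.com", "-2+3", 2],
];

console.log(toSafeCsv(sampleRows));
```

Escaping has to happen at export time on every user-influenced field, because the values are harmless in the web UI and only become active when the file is opened in a spreadsheet.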
Released on Sep 12, 2023
KA-4724: Support for Cloud SSO SAML Parameter ForceAuthn in the SSO cloud configuration screen. When ForceAuthn="true" is set in the SAML request, the Service Provider (Keeper) is telling the IdP that, even though the user is already authenticated, it needs to force a new authenticated session.
EM-4577: Support for Unverified Certificates in the setup of Splunk, Syslog, QRadar and LogRhythm.
EM-5071: Add role enforcement policy "Prevent Keeper Family License Invites" which restricts the users from creating a free family license.
EM-5850: Support for Brazilian Portuguese
EM-5278: Add node path for each user in the exported Security Audit Report
EM-5926: Add 12-hour and 24-hour 2FA time durations
EM-5242: Allow the creation of MSP and Enterprise free trial signups on a mobile device. Previously this was limited to desktop browsers.
EM-5236: Login screens with new feature promotion content
KA-4144: Record type changes were not syncing to the console without clicking the sync button
EM-4750: SSO user asked for Master Password when clicking into Admin Console sometimes.
Released on May 2, 2023
EM-5703: Implementation of Recovery Phrase. We have upgraded our account recovery process with a new and more secure 24-word “recovery phrase” feature. Read more on the .
With this update the existing setting to disable Account Recovery now applies to legacy security answers in addition to the Recovery Phrase method.
Note the following:
Users who currently have a security answer will be prompted to replace their security question/answer with an auto-generated 24-word recovery phrase.
If you have this policy disabled already, users will not be prompted.
If you change the policy to restrict recovery phrase, the effect is immediate on all users.
If you
EM-5758: The SSO Master Password policy language and functionality have been updated slightly. Previously, users who created an SSO Master Password were able to use this login method even after the Admin enforced the policy. Now, users are unable to log in or create master passwords if this policy is enforced. The language on the user interface has been updated to reflect this information.
Released on Nov 23, 2024.
Keeper's Risk Management Dashboard feature is a powerful new feature of the Keeper Admin Console that provides comprehensive security posture information covering end-user deployment, utilization, cloud configuration, and event monitoring. This critical data helps administrators ensure that risks are remediated and compliance is enforced effectively. Documentation on this new feature can be found .
EM-6779: Fixed an issue that caused some users attempting to log in to the Admin Console from the Keeper Security landing page to get stuck in a login loop
EM-6782: Fixed an issue that prevented users from de-selecting allowed password separators for a domain under the Record Passwords role policy
EM-6790: Fixed an issue for MSPs that prevented the user from updating the Secure Add-Ons selection when changing Base Plans
EM-6624: Fixed an issue that impacted adding administrative permissions on a new role
EM-6754: Fixed an issue that displayed a white screen when users navigated to the Teams tab
EM-6778: Fixed erroneous links on the Connection Manager tab
EM-6765: Fixed an issue that prevented users from editing the Retention of Deleted Records policy under Vault Features
EM-6765: Instated limits on the length of user name permitted on a new user invite
EM-6806: Fixed Bugcrowd report regarding the validate_master_password endpoint
EM-6826: The button to copy a record UID deep link now intelligently pastes the value elsewhere in the Admin Console, depending on the target text field. If the target text field expects just the UID (not the entire deep link), only the UID value will be pasted
EM-6758: Fixed an issue that caused the Omni Search text box to pop out inappropriately
EM-6859: Enhancement to only show available roles for the selected node
EM-6868: Fixed an issue that caused the Active Directory or LDAP Sync provisioning method to incorrectly show text to ‘Download SSO Connect On-Prem’
EM-6866: Updated SIEM partner names and logos to be up-to-date on the External Logging tab under Reporting & Alerts
EM-6834: Added support for region selection for AWS S3 SIEM configuration
EM-6772: Updated SSO IDP names to be up-to-date
EM-6785: Changed the Send BreachWatch events to external SIEM solutions role policy under Vault Features to be on by default
EM-6648: Tool tip for Offline Mode role policy updated to state that maximum allowed offline time is 30 days
EM-6901: Fixed an issue that caused some user browsers to cache an outdated version of the Admin Console
EM-6899: Added a visual indicator that is displayed when a Reset Scores request is being processed on the Security Audit tab
EM-6902: Fixed an issue that caused stability issues for users with multiple Admin Console browser tabs open
EM-6692: Fixed an issue that caused the Test Connection link to malfunction on the External Logging section under Reporting & Alerts tab
EM-6897: Replaced ‘null’ and ‘unknown’ values for ARAM event location with ‘Internal’
EM-6907: Fixed an issue that incorrectly showed the text ‘Icon Approved’ instead of the actual approval icon when a device was approved from an email
EM-6870: An explicit error message is now displayed if a non-root Admin tries to configure External Logging
EM-6910: Fixed an issue that showed an error message on the login screen if the user approved a Duo 2FA request on their phone
KA-6310: Updated BouncyCastle encryption library to recently certified new cryptographic module
Released on March 31, 2022
EM-5178: Automated SSO Migration from On-Prem to Cloud
More information about the migration tool can be found here:
https://docs.keeper.io/sso-connect-guide/sso-migration-to-cloud
The Admin Console allows the creation of SSO Connect and SSO Connect Cloud on the same node on the provisioning screen and will display the status of migration to cloud.
Please request a support engineer for assistance with migration before you start the process.
EM-5159: Redirect method for SSO login
With this change, users who log in to the Admin Console with SSO will log in with a URL redirect (similar to the Web Vault) instead of a popup window. This change prevents timing-related issues with login.
EM-5007: Changing a user's name is not showing in search results
EM-5086: Admin Console throws errors when approving SCIM users and teams.
EM-5222: Show the authentication method used in ARAM login events.
EM-4895: Users imported through CSV not being assigned to specified role
Published on May 24, 2022
EM-4860: Role Enforcement: Set Stay Logged In default setting to "On" for new users in this role
EM-4881: Role Enforcement: Enable "Self Destruct" for users in this role
EM-5291: Mask prices on enterprise receipts when enterprise licenses are sold through a distributor or reseller
EM-5321: SSO migration status shows "complete" immediately after configuration
EM-5092: ARAM timeline events with low numbers are displayed incorrectly
EM-4933: Missing descriptive text on "forgot password" screen
EM-4852: User able to create a role with a blank name
EM-5287: Persist hover controls on role detail screen
EM-5268: Display issue with node selector
EM-5328: Console screen freezes when trying to unlock a locked account
EM-5342: MSP Console screen goes blank when selecting license allocation history
EM-5343: Incorrect expiration date on subscription banner
Released on May 4, 2022
Released on Oct 20, 2022
Share Admin
Keeper's Share Admin feature is a role-based permission that gives administrators elevated access rights over your organization's shared folders and shared records. Share Admins have full user and record privileges for any shared record that they have access to. See: https://docs.keeper.io/enterprise-guide/share-admin
EM-5569, EM-5581, EM-5557, EM-5587, EM-5590, EM-5608, EM-5602: Multiple layout or visual issues
EM-5605: Remove "include myself in team" when MSP is logged into MC console and creating a team.
Released on Jan 15, 2024
This release provides two major features to business and enterprise customers: Granular Sharing Enforcements and Security Key as the Only 2FA Method.
KA-5689: Keeper's Granular Sharing Enforcements enable administrators to apply detailed restrictions for record creation and sharing to user roles. Administrators can configure these enforcements in the “Creating and Sharing” section within role enforcement policies.
KA-5628: Keeper Administrators can now enforce the use of a hardware-based security key as the only two-factor method via a role enforcement policy setting. Additionally, administrators can now require a PIN to be entered in conjunction with the key, for FIDO2 user verification. Click here for more information on FIDO2 Security Keys.
Enforcing the use of a FIDO2 hardware security key has several implications for users which admins need to be aware of. The below items are updated as of January 15, 2024.
Support for enforcing a FIDO2 Security Key can vary based on the device operating system and device firmware capabilities.
Keeper on iOS requires using NFC keys.
The activation of security keys as the only factor requires the use of the Web Vault or Desktop App. Enrollment of security keys as the only factor on iOS/Android will be rolled out in a later release.
Some components of the mobile application do not support NFC hardware keys natively, such as iOS app extensions (during Autofill functions). Keeper's iOS team has a workaround for this issue in development, and this update will be published at the end of January 2024 with Keeper iOS Version 16.10.10. The solution is to extend the login session between iOS main app and iOS autofill extension to reduce the need for re-authentication.
The PIN requirement is supported based on the capabilities of the device. As of this writing, mobile OS support for PIN enforcements is limited. We do not recommend enforcing the PIN if users are accessing Keeper on their mobile device.
Released to production on Oct 18, 2021
Keeper is currently FedRAMP in-process and public sector entities can now establish their Keeper tenant in the GovCloud environment. Contact the public sector sales team at govsales@keepersecurity.com for more information.
Record Types Admin Controls allow administrators to customize the use of record types for their enterprise. Keeper administrators with permission to manage record types can create new custom record type templates and restrict the use of any record types by role and/or node.
Compliance Reports provide on-demand visibility of the access permissions associated with your enterprise records. These reports simplify the compliance auditing process for Sarbanes Oxley (SOX) and other regulations requiring access control monitoring. The user-defined reports can be exported and fed into automated compliance systems or sent directly to external auditors. This is a secure add-on feature to your Keeper license package.
Security Model for Compliance Reports
To support Compliance Reports, certain non-secret fields of the Keeper vault records are encrypted with the Elliptic Curve Enterprise Public Key. Keeper Administrators are able to decrypt the Enterprise Private Key when they log in to the Admin Console. Since the reports contain some non-credential encrypted record data, an administrator must have permission to run and view these reports. The encrypted record data is included in the report and can also be used as report filters. The encrypted record data includes:
Record Title
Record Type
URL
Zero-knowledge remains preserved because the encrypted data is decrypted on the Keeper Administrator Console using the Enterprise Private Key, restricted to administrators that have Compliance Reporting permission.
The Advanced Reporting & Alerts Module now contains several new event types to cover Compliance Reporting and Record Types.
EM-4867: Renew button is not active on expired accounts