Desktop Applications

Methods for deploying Keeper to user desktops

Overview

Keeper offers users two different desktop vaults. The Keeper Web Vault in the web browser, and the native Keeper Desktop application for Windows, Mac and Linux.

Benefits of Keeper Desktop App vs. Web Vault

The Keeper Desktop App has several benefits compared to the Keeper Web Vault such as:

  • Ability to Autofill and auto-type passwords into native apps using KeeperFill for Apps feature.

  • Ability to automatically import existing passwords without additional component installation.

  • Automatically migrate from existing LastPass vaults.

  • Secure biometric login using Touch ID on compatible MacBook Pro computers.

  • Secure biometric login using Windows Hello (Windows 10).

  • Windows Hello for Business, including biometrics and smart card capabilities (Windows 10).

  • Increased performance.

  • Offline access using biometrics or master password (if permitted by Keeper Admin)

Keeper Desktop Deployment

Keeper Desktop is a cross-platform native desktop application for Windows, MacOS and Linux. Several installer files are provided at the links below. For additional details on each package, see the Additional Deployment Details section below.

Installer Options

  • Windows 10 AppInstaller (64 and 32-bit, supports Windows Hello) [Install Link] Command-line deployment:

    Add-AppxPackage -AppInstallerFile .\KeeperPasswordManager.appinstaller

  • Microsoft Store Version (64 and 32-bit, supports Windows Hello) [Microsoft Store Link]

    Command-line deployment:

    winget install 9N040SRQ0S8C --accept-package-agreements --accept-source-agreements

  • Windows 10 MSIX Installer: [MSIX Installer Link] (Note: MSIX does not auto-update) Command-line deployment:

    Add-AppxPackage -Path .\KeeperPasswordManager.msixbundle

  • Windows 10 MSI Installer: [MSI Installer Link] (Note: MSI does not auto-update, no support for Windows Hello)

    Command-line deployment:

    msiexec.exe /i KeeperSetup32.msi /qn

  • Mac OS .dmg [Install Link (.dmg)]

  • Mac App Store [Mac App Store Link] (Note: does not support iCloud Keychain import)

  • Linux Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint: (Please refer to the below Download Page for the latest links) [Download Page Link]

  • Password Importer Standalone (Windows 10): [Install Link (.exe)]

  • Password Importer Standalone (Mac OS): [Install Link]

Additional Deployment Details

Microsoft Windows App Installer Distribution

  • Installer: [Install Link]

  • Supported Platforms: Windows 10 build 1803 or newer.

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*

  • Data Location: %localappdata%\Packages\KeeperSecurityInc.KeeperPasswordManager_xxx

  • Auto-Updates: Yes

  • Windows Hello: Yes

The appinstaller is just a lightweight wrapper around the msixbundle that enables auto-update functionality, which is checked on app launch. Due to including the auto-update feature, the appinstaller requires Windows 10 version 1803.

Users download a small appinstaller file that automatically fetches the msixbundle from https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle. It otherwise behaves the same as the MSIX install.

The appinstaller can be deployed with PowerShell like this:

Add-AppxPackage -AppInstallerFile .\KeeperPasswordManager.appinstaller

The contents of the KeeperPasswordManager.appinstaller file is below:

<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2" Version="16.6.0.0"
    Uri="https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.appinstaller">
    <MainBundle Name="KeeperSecurityInc.KeeperPasswordManager"
        Publisher="CN=Keeper Security Inc., O=Keeper Security Inc., L=Chicago, S=Illinois, C=US" Version="16.6.0.0"
        Uri="https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle" />
    <UpdateSettings>
        <OnLaunch HoursBetweenUpdateChecks="0" />
    </UpdateSettings>
</AppInstaller>

Microsoft Windows .MSIX Distributions

  • Install Link: [MSIX Installer Link]

  • Supported Platforms: Windows 10 build 1703 or newer.

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*

  • Data Location: %appdata%\Keeper Password Manager\IndexedDB

  • Auto-Updates: No

  • Windows Hello: Yes

The msixbundle file is an appx bundle containing multiple architectures, currently x86 and x86_64 are supported. The asset requires at least Windows 10 version 1703 to install, and installs to C:\Program Files\WindowsApps with a package identity which enables additional features such as Windows Hello. The installed app is owned by TrustedInstaller.

Command-line deployment:

Add-AppxPackage -Path .\KeeperPasswordManager.msixbundle

Microsoft Windows .MSI Distributions

  • Install Link: [MSI Installer Link]

  • Supported Platforms: Windows 7, Windows 8, Windows 8.1, Windows 10

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\keeperpasswordmanager

  • Data Location: %appdata%\Keeper Password Manager\IndexedDB

  • Auto-Updates: No

  • Windows Hello: No

The MSI installer does not auto-update. This is to satisfy enterprise administrators who require complete control over application updates.

The MSI installer is 32-bit, and it has the best compatibility with older versions of Windows.

The MSI installer does not support Windows Hello.

The MSI can be silently installed from an elevated command prompt (otherwise it will silently fail at the unanswered Windows UAC prompt that never happens because it's a silent install) in this way:

msiexec.exe /i KeeperSetup32.msi /qn

The MSI installer does not allow selecting the installation location to mitigate a security weakness whereby an administrator can install the application in a location, such as C:\ where non-privileged users have access to modify or replace the binary. Instead, the MSI installer always installs to %programfiles%.

The Keeper .MSI installer utilizes Microsoft Msiexec. Standard switches are documented here: https://docs.microsoft.com/en-us/windows/desktop/msi/standard-installer-command-line-options

Windows Store

  • Install Link: [Microsoft Store Link]

  • Supported Platforms: Windows 10 build 1803 or newer.

  • Supported Architectures: x64, ia32

  • Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*

  • Auto-Updates: Yes (via Microsoft Store)

  • Windows Hello: Yes

The Windows Store build is almost identical to the normal msixbundle, but has a different app identity which is assigned by the Microsoft Store. Updates are managed by the Microsoft Store, and the app is also installed to C:\Program Files\WindowsApps and is owned by TrustedInstaller.

The desktop app is able to be installed silently from the Microsoft Store using Microsoft's package manager winget:

winget install 9N040SRQ0S8C --accept-package-agreements

Intune

Businesses may push the Microsoft Store app to Intune using an Intune Connector setup to use the Microsoft Store For Business (businessstore.microsoft.com), which is different than the consumer Microsoft Store (apps.microsoft.com), which some companies block. Companies are given the option to publish two different types of apps, an "offline" (which wont update automatically via the store) and an "online" (should update via the store) version. The “online” version will update the app in Company Portal as well, so every time a user installs it from Company Portal, it’s the newest version.

Keeper Desktop for Mac

Minimum Requirements:

Mac OS 10.10+ with Intel or Apple M1 ARM-based processor, 64-bit. 512MB RAM. Keeper Desktop for Mac contains a universal installer which is optimized for both chipsets.

Auto-Updates: Yes

Download Link:

Keeper Desktop for Linux

Minimum Requirements:

Fedora 28 or above Ubuntu LTS releases 16.04 or above Red Hat Enterprise Linux 7.0 or above CentOS version 7.3 and above Debian 8 and above Hardware: 512MB RAM

Auto-Updates: No

Checksum / Hash

For file verification, Keeper Desktop SHA1 hashes are computed based on the most recent version and can be retrieved at the below URL: https://keepersecurity.com/desktop_electron/SHASUM256.txt

Enterprise Configuration

Enterprise configuration settings are available in Keeper Desktop version 16.7.0 and newer.

Keeper supports Enterprise Configuration settings to control the end-user experience.

Configuration Options

KeyTypeDescription

DomainName

String

Enterprise SSO Domain to pre-populate on app launch.

Region

String

Region identifier where your Keeper tenant is hosted. Must be one of ("us", "eu", "au", "usg")

HideCreateAccount

Boolean

Hides the Create Account button from the start page

UseDefaultBrowserForSSO

Boolean

Routes the user to their default web browser for SSO authentication instead of using a popup window.

macOS User Defaults

Keeper Desktop can be configured using standard macOS NSUserDefaults objects using the com.keepersecurity.passwordmanager domain. If your MDM solution is able to push macOS user defaults, you can use this method for enforcing configuration settings. Note the capital letter on the key value.

Testing the Config

You can test the configuration on the local machine using the below commands:

defaults write com.keepersecurity.passwordmanager <key> <value>

For example:

defaults write com.keepersecurity.passwordmanager \
    DomainName mycompany.co.uk

defaults write com.keepersecurity.passwordmanager \
    Region eu
    
defaults write com.keepersecurity.passwordmanager \
    HideCreateAccount -bool true
    
defaults write com.keepersecurity.passwordmanager \
    UseDefaultBrowserForSSO -bool true

macOS - Information Property List File

Keeper Desktop's mac app bundle has an Information Property List File, Info.plist, which contains key-value pairs that identify and configure a bundle.

Finding the App Bundle ID and App Version

The following keys in Information Property List file contains the values for the App Bundle ID and App Version:

CFBundleIdentifier: App Bundle ID

CFBundleShortVersionString: App Version

To find the values of the above keys, you need to access the Information Property List File, Info.plist, and find the corresponding values.

Location of Info.plist after mounting DMG file:

<app_name>.app/Contents/Info.plist file

Alternatively, you can run the defaults read command:

defaults read /Applications/<app_name>.app/Contents/Info.plist <key>

For the Keeper Desktop App, running the following commands would give you the App Bundle ID and Version:

defaults read /Applications/Keeper\ Password\ Manager.app/Contents/Info.plist CFBundleIdentifier
com.keepersecurity.passwordmanager

defaults read /Applications/Keeper\ Password\ Manager.app/Contents/Info.plist CFBundleShortVersionString
16.8.9

JSON Configuration File

All Windows, macOS and Linux end-user installations can be configured by using a UTF-8 encoded JSON file placed in the user's home folder under ".keeper/desktop.config.json". Note the identifiers are using camel case for JSON defaults with a lowercase on the first letter.

Example File

{ "domainName": "MyCompany.com", "region": "us", "hideCreateAccount" : true, "useDefaultBrowserForSSO" : true }

macOS End Users

Alternatively, for macOS end-users, Keeper Desktop can be configured using the standard macOS NSUserDefaults. Visit the following section for more information.

The desktop.config.json file must be UTF-8 encoded.

From your text editor, in File > Save As...

  • In the "Save as type" drop-down, select All Files.

  • In the "Encoding" drop-down, select UTF-8.

  • Ensure the name of the file is desktop.config.json

Domain Routing Rules

Note that Keeper can automatically route your users to the proper enterprise tenant, SSO provider and data center based on the email domain that they type into the Keeper login form. If you are using SSO, make sure that the "Just In Time Provisioning" option is enabled in the SSO configuration. Also, ensure that your domain is reserved, which means that typing anything @ yourcompany.com will get routed to the proper region.

If the routing of user to the proper region and SSO is not working correctly for you, please open a support ticket.

Last updated