Resources for getting started with Keeper Business and Enterprise edition
The following links will get you up and running with Keeper.
To schedule a demo or watch an on-demand demonstration of the Keeper platform, visit: https://keepersecurity.com/schedule-demo.html
Contact our sales team: https://keepersecurity.com/contact.html?t=b&r=sales or email sales@keepersecurity.com.
Keeper Security Government Cloud (KSGC) is a FedRAMP Authorized environment that protects your agency against ransomware and cyberthreats with zero-trust cybersecurity.
https://www.keepersecurity.com/industries/public-sector.html
Contact our public sector team at govsales@keepersecurity.com.
If you are an existing customer and need help, contact enterprise support: https://keepersecurity.com/support.html
The resource portal of our website provides several white papers and product data sheets: https://keepersecurity.com/resources.html
The end-user guides are available for our desktop, web and mobile applications: https://docs.keeper.io/user-guides/
If you're a security guru, we recommend taking a look at our encryption model.
Check out the latest release notes and updates across all platforms. https://docs.keeper.io/release-notes/
This quick start guide will help get your small business team up and running with Keeper Business in just minutes
This video will demonstrate all that Keeper has to offer your small business and provide you with step-by-step instructions to get your team up and running in no time.
Short on time? Check out our 3 minute demo here.
When you first log in to the Admin Console, you will land on the Dashboard which will provide an overview of high level data on your user activity and overall security status.
The Dashboard provides oversight of the following:
Top Events and link to Timeline Chart
Security Audit Overall Score
BreachWatch Overall Score
User Status Summary
The Admin tab is where the majority of your setup and user deployment will take place. Here you can access Nodes, Users, Roles, Teams and Two-Factor Authentication Settings.
As a first step, we recommend uploading your company logo to the vault and customizing the email invitation that will invite your employees to create their Keeper Vault. These configurations are highly recommended as they have been shown to help with quick user adoption of Keeper's software.
Click Configuration, then click Edit next to "Company Logo" to upload your image file.
Once uploaded, your company logo will appear in the upper left side of the header when users are logged into their Keeper Web Vault and Desktop App as well as Keeper One-Time Shares.
Click Configuration, then Edit next to Email Invitation, then toggle "Send Custom Email Invitations" on.
The email invitation template supports customization of the following four attributes:
Subject
Message Heading
Message
Download Button Text
The body of the message supports plain text as well as basic markdown syntax.
Once you have finalized your changes, click Save. When you are ready to add your users, they will receive your customized invite similar to the one below.
In Keeper's architecture, Roles allow you to define enforcement policies based on a user's job responsibility as well as provide delegated administrative functions. The number of roles you create is a matter of preference and/or business need.
Nodes are used to organize your users into distinct groupings, similar to organizational units in an Active Directory. You can create nodes based on location, department, division or any other structure. Smaller organizations may choose to administer Keeper as single level, meaning no additional nodes are created. In this scenario, all provisioned users are accessed from the default "Root Node".
We recommend you create a secondary Keeper Administrator as soon as possible. At its simplest configuration, the Keeper Administrator role is applied to the initial administrator who has set up the Keeper account for the organization as well as any other user you grant full admin rights. We strongly recommend you add a second user to the Keeper Administrator role in case one account is lost or no longer accessible.
Admin > Users > + Add Users
Enter the user's full name and email address, then click Add.
Select the new user from the list and click OK to finish.
This will generate an email inviting the users to set up their Keeper account.
Account Transfer will allow a Keeper Administrator to transfer records and data from one user to another, should an employee leave the company. It is an optional, but highly recommended feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The Account Transfer setup must be configured prior to the user's account being transferred.
First you will need to enable the Transfer Account permission for the Keeper Administrator Role.
The Transfer Account permission is NOT enabled by default and must be manually activated by the Admin.
Admin > Roles > Keeper Administrator
Check the box next to "Transfer Account" and click OK
To learn more about Account Transfer, click here.
As a second step, enable Account Transfer for the Keeper Administrator Role. This allows your vault, and the vaults of any delegated admins under the Keeper Administrator role, to be transferred.
Admin > Roles > Keeper Administrator
Click Enforcement Policies
From the Transfer Account tab, toggle "Enable Account Transfer" on then click Done
All users will be notified and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent one time, upon logging into their vault.
Roles allow you to define enforcement policies based on a user's job responsibility as well as provide delegated administrative functions.
You will need at least one role defined for your users, but you can create as many as you would like depending on the structure of your organization. Roles can be created to support a variety of policies depending on what enforcements should be applied to a user based on their position (e.g. Administrators, Executives, Managers, Staff, and Contractors). For smaller organizations, Keeper recommends you create a default, "General Employee" role.
Admin > Roles > + Add Role
Select the Node you want to add the Role to, enter the name of the role and click Add
To learn more about Roles, click here.
Nodes are used to organize your users into distinct groupings, similar to organizational units in an Active Directory. You can create nodes based on location, department, division or any other structure.
Smaller organizations may choose to administer Keeper as single level, meaning no additional nodes are created. In this scenario, all provisioned users are accessed from the default "Root Node" (e.g. ACME Co.).
Admin > + Add Node
Enter the name of the Node, then click Add Node to finish.
At any time, you can change which node you are viewing by navigating to or selecting the Nodes on the far left Node pane. To navigate to the root node or top level, select your business name (e.g. ACME Co.) in the navigation tree.
To learn more about Nodes, click here.
To ensure that a certain role is applied to all imported users, enable the “Set as Default Role for Node and Sub Nodes” setting. This will automatically assign new users that are added to a Node or Sub Node to a specified role.
Admin > Roles
Select the target role, then check the box next to "Set as Default Role for Node and Sub Nodes".
Role-based Access Controls (RBAC) provide your organization the ability to define Enforcement Policies based on a user's job responsibility as well as provide delegated administrative functions.
Enforcement Policies offer a wide range of control features that are organized into the following categories:
Login Settings
Two-Factor Authentication (2FA)
Platform Restriction
Vault Features
Record Types
Sharing & Uploading
KeeperFill
Account Settings
Allow IP List
Keeper Secrets Manager
Transfer Account
Admin > Roles
Select a role, then click Enforcement Policies.
A dialogue box will appear where you can configure the Enforcement Policies that will be applied to the selected role. Click Done when finished.
To learn more about Enforcement Policies, click here.
Business customers can seamlessly deploy Keeper to their users using two different methods. Admins can either manually invite individual users or bulk import users via a CSV file. Advanced deployment options are also available.
Admin > Users > + Add Users
Select the Node you would like to add the user to, enter their Full Name and Email Address then click Add
This will generate an email inviting the user to set up their Keeper account. Instructions to customize the email can be found in the Key Configuration Steps section, above.
Admin > Users > + Add Users
Select the Node you would like to add the users to, then drag and drop your formatted CSV file of users or click Browse Files to upload the file from your local device (the Role field is optional). To learn more about formatting your CSV file, click here.
Review the user details and click Add to complete the import.
This will generate an email inviting the users to set up their Keeper account. Instructions to customize the email can be found in the "Key Configuration Steps" section, above.
Keeper integrates with any SAML 2.0 identity provider for just-in-time provisioning:
Entra ID / Azure AD
Okta
Google Workspace
Microsoft AD FS
Amazon AWS
Auth0
Centrify
Duo SSO
F5
OneLogin
Ping Identity
PingOne
Rippling
RSA SecurID Access
SecureAuth
Shibboleth
Any other SAML 2.0 identity provider
See the User and Team provisioning section to learn more.
Next, we encourage you to create Teams. The purpose of creating teams is to give users the ability to share the records and folders within their vaults with logical groupings of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords) and adds individual users to the team. Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals.
Admin > Teams > + Add Team
Select the Node you want to add the team to then enter the name of the team and click Add Team
You can then set the following team-level restrictions:
Disable record re-shares
Disable record edits
Apply privacy screen
Team-to-role mapping allows organizations to assign users directly to teams that can be assigned custom roles. With team-to-role mapping, a user who is a member of a team that is assigned to a role will assume the enforcements of the given role.
Note that Keeper implements least-privilege policies: when a user is a member of multiple roles or teams, their net policy is the most restrictive (least privileged).
To learn more about teams and team-to-role mapping, click here.
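The following added example (not Keeper's code) models how a net policy can be reasoned about when a user picks up roles both directly and through team-to-role mapping. The role, team and setting names are illustrative, and the merge rules (a restriction applies if any role sets it; for a numeric minimum the highest value wins) are an assumption about what "most restrictive" means, not documented Keeper behavior.

```python
# Constructed sample data. Role, team and setting names are illustrative only.
ROLES = {
    "General Employee": {"require_2fa": False, "restrict_export": False,
                         "min_password_length": 12},
    "Contractors": {"require_2fa": True, "restrict_export": True,
                    "min_password_length": 12},
    "Finance": {"require_2fa": True, "min_password_length": 16},
}
# Team-to-role mapping: members of a team assume the team's roles.
TEAM_ROLES = {"Vendors": ["Contractors"], "Accounting": ["Finance"]}
USERS = {
    "alice": {"roles": ["General Employee"], "teams": []},
    "bob": {"roles": ["General Employee"], "teams": ["Vendors", "Accounting"]},
}


def roles_for(user):
    """All roles a user holds: direct assignments plus roles via teams."""
    entry = USERS[user]
    names = list(entry["roles"])
    for team in entry["teams"]:
        names.extend(TEAM_ROLES.get(team, []))
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def stricter(current, candidate):
    """True if candidate is more restrictive than current (assumed rules)."""
    if isinstance(candidate, bool):      # a restriction switched on wins
        return candidate and not current
    return candidate > current           # a higher minimum wins


def effective_policy(user):
    """Return {setting: (net_value, role_that_imposed_it)} for a user."""
    net = {}
    for role in roles_for(user):
        for setting, value in ROLES[role].items():
            if setting not in net or stricter(net[setting][0], value):
                net[setting] = (value, role)
    return net


if __name__ == "__main__":
    for name in USERS:
        print(name, roles_for(name))
        for setting, (value, source) in sorted(effective_policy(name).items()):
            print(f"  {setting} = {value}  (from {source})")
```

Recording which role imposed each setting makes it easier to explain an unexpected restriction after a user is added to a new team.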
As a final step to further enhance your security practices, we recommend that you require the use of Two-Factor Authentication across your organization. This role enforcement can be enabled within each role's Enforcement Policy settings.
Admin > Roles
Select the target role and click Enforcement Policies.
Toggle "Require the use of Two-Factor Authentication" on.
Set your platform-specific enforcements, enable the desired 2FA methods then click Done
Keeper is a cybersecurity platform for preventing password-related data breaches and cyberthreats.
Keeper Enterprise provides the highest levels of security and at the same time provides a simple user experience - with millions of users worldwide, Keeper is the proven industry leader.
Keeper is SOC 2 Certified, ISO27001 Certified, FedRAMP Authorized and StateRAMP Authorized. Keeper's encryption has been certified by the NIST CMVP and validated to the FIPS 140 standard by accredited third party laboratories.
Below is a 25-minute demonstration of the Keeper Enterprise platform.
For a personalized demo with a Sales Engineer:
Passwords are the single greatest cause of a data breach. 81% of data breaches are due to weak or stolen passwords. Password management solutions provide an affordable and simple way for companies to solve the root cause of most data breaches. By helping businesses generate strong passwords as well as manage and securely share them among teams, they significantly reduce the risk of a data breach.
Keeper's architecture is the most secure in the industry. Built from the ground up with record-level encryption and client-side key generation, the foundation of Keeper Enterprise is built upon a model that ensures only the user is able to decrypt and access their privileged information.
The Keeper platform is built on an access layer and encryption layer. Access and authentication controls who is able to sync the encrypted ciphertext, and client-side encryption controls who is able to physically encrypt/decrypt the data. This foundation is what gives Keeper the ability to apply the most granular level of protection to user data and enables the core features and capabilities of the product.
Users, Roles, Teams, Records and Shared Folders are all protected and managed through the use of client-side generated keys. This complex distribution of keys is completely managed by the software with a simple and easy-to-use user interface.
Keeper Encryption and Security Model Details
Keeper is a cross-platform solution that provides full capabilities from every major platform and device including iOS, Android, Windows, Mac and Linux. Browser plugins are compatible with Chrome, Firefox, Edge, Safari and any other chromium-based browser.
The Keeper Administrator can restrict vault access to specific platforms based on security requirements of the enterprise. End-user vault applications can be used completely independent of one another, or used together. For example, using the Web Vault or Desktop Application does not require the installation of a browser plugin.
The Keeper Vault is available on all devices and computers, with award-winning native applications:
Native Desktop Apps
Windows
Mac
Linux
Browser-Based Apps
Chrome
Edge
Safari
Firefox
Brave
Other Chromium-based Browsers
Native Mobile Apps
iOS
Android
Chrome, Firefox, Edge, IE and Safari Browsers
Key Differentiators
Keeper was named Best Password Manager by PC Mag in 2018, 2019, 2020 and 2021. Some of the reasons that customers select Keeper over the competition are listed below.
Keeper vs. LastPass https://www.keepersecurity.com/vs/lastpass.html
Keeper vs. Dashlane https://www.keepersecurity.com/vs/dashlane.html
Keeper vs. 1Password https://www.keepersecurity.com/vs/1password.html
Keeper vs. Keepass https://www.keepersecurity.com/vs/keepass.html
Keeper vs. Passportal https://www.keepersecurity.com/vs/nable-passportal.html
Keeper vs. Bitwarden https://www.keepersecurity.com/vs/bitwarden.html
SSO and SAML simplify login to many cloud applications; however, they have limitations. Keeper (with Keeper SSO Connect) addresses the two major gaps in your SSO deployment:
Offering privileged access to applications that don’t support SAML protocols.
Enabling non-password use cases, such as management and sharing of digital certificates, SSH keys, API keys, secret notes, lists, files and more.
With Keeper SSO Connect, you can easily add Keeper to the apps that your IdP services. Whether you use AD FS, Entra ID/Azure, Okta, Google Workspace, Centrify, Ping, JumpCloud or any other SAML 2.0 Identity Provider, Keeper will easily integrate. Keeper SSO Connect logs the user directly into their encrypted vault while maintaining full zero knowledge. With SSO integration, there is also no master password to remember. Keeper SSO Connect is available as a customer-hosted or cloud-hosted high availability solution that preserves zero knowledge and allows the end-user to authenticate directly into their vault.
For more information about Keeper SSO Connect, visit our web page: https://keepersecurity.com/keeper-sso-connect.html
Keeper's Zero-Trust Platform seamlessly integrates into any existing identity stack and infrastructure.
Keeper's least-privilege access model, encryption model and role-based access model support the zero trust implementation guidelines of NIST and provide organizations with a substantial leap forward in the journey towards zero trust.
For reference, see the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 document which provides the following operative definition of zero trust and ZTA:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Keeper provides customers with the selection of geographic regions where data resides in-country.
United States
GovCloud US
Ireland
Frankfurt
Australia
Canada
Japan
The ability to provide least privileged access to an employee is critical in the deployment of an Enterprise Password Manager. Keeper gives fine-grained control over what users are capable of accessing and managing within the platform through the use of customizable role policies. By providing a flexible role policy engine, you can lock down restrictions and access based on the risk profile of the employee. For example, you may want your IT Admins to be restricted from accessing their vault outside of the office network. Or you may want administrative assistants the ability to onboard new users, manage teams and run reports. The entire process is fully customizable through a user friendly interface. Role Enforcements Include:
Password Complexity Rules and Biometrics
Multi-Factor Authentication, Token Expiration and Device Restriction
Offline Access Restrictions
Allow IP Listing, Sharing and Data Export Restrictions
Account Transfers (employee offboarding and break-glass scenarios)
Administrative Permissions
Keeper Administrators can create organizational units (called Nodes). A role can be given Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different people in the organization to have management controls over subsets of teams of users, roles and shared folders. Users within different nodes can be provisioned and authenticated with different methods.
Keeper's Zero Knowledge Account Transfer capabilities provide Enterprise customers with the peace of mind that an employee will never walk away with critical data when they leave the organization.
Since 50% of help desk calls are estimated to be password related, there is a significant productivity gain by rolling out a password manager to your organization. When employees don't need to worry about remembering passwords, the cost savings are massive.
Compliance is becoming even more complex with requirements mandating internal control policies and standards. Organizations in heavily regulated industries are audited for password enforcement policies and practices. Keeper's password security platform solves many of the compliance and regulation enforcement requirements that organizations face. Keeper Security is the most certified solution in the industry:
SOC 2 Certified
ISO 27001 and ISO 27017 Certified
FIPS 140-3 Validated
GDPR Compliant
GSA Certified
SAM Certified
Compliant with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”)
ITAR Compliant
FedRAMP Authorized
StateRAMP Authorized
Keeper Security is listed as Authorized on the FedRAMP Marketplace with an authorization date of 8/23/2022.
See: The Federal Risk And Management Program Dashboard (fedramp.gov)
Keeper supports compliance with United States International Traffic in Arms Regulations (ITAR). Companies that are subject to ITAR export regulations must control unintended exports by restricting access to protected data to U.S. Persons, and by restricting physical location of protected data to the U.S.
Keeper’s FedRAMP Moderate environment supports ITAR requirements through the following:
Fully compliant data storage hosted on AWS GovCloud and restricted to the U.S.
Secure data encryption in transit and at rest.
Zero knowledge and zero trust security, in conjunction with granular permissions, allows organizations to ensure that only approved personnel can access sensitive data.
Robust compliance reporting features provide a traceable, electronic audit trail of all actions performed and data entered.
Sequestered Customer Success team comprised of U.S. Persons specifically trained in safe handling of Export Controlled and ITAR-governed data.
No non-U.S. based support on public sector environments.
The Keeper FedRAMP environment has been audited by an independent third-party assessment organization (3PAO) to validate that proper controls are in place to support customer export compliance programs.
For more information about ITAR, please visit https://www.pmddtc.state.gov/.
High level steps for successful rollout of Keeper Enterprise
For the most successful rollout of Keeper Enterprise, follow the steps below.
If you haven't already, create a Keeper Enterprise Trial from our website or by contacting the sales team. Be sure to allocate the necessary number of total users you expect to onboard.
Managed Service Provider (MSP) customers: Please sign up for the Keeper MSP product trial. Keeper MSP is a specialized version of the Keeper Enterprise product. To jump to the Keeper MSP guide, click here.
After creating your trial, log in to the Admin Console and go through the onboarding.
Set up and configure your provisioning and authentication methods as described in the User and Team Provisioning section of this document. You can choose from many different provisioning methods such as:
Manual provisioning through the Keeper Admin Console
Active Directory provisioning with the Keeper Bridge service
Single Sign-On (SAML 2.0) with Just-In-Time (JIT) provisioning
SCIM automated provisioning
Email provisioning
Keeper Commander API / SDK provisioning
Contact us if you require assistance in configuring your environment.
Deploy the web vault, browser extensions and desktop application as described in our deployment guide or direct your users to install Keeper from our Download Page.
The Web Vault is available to Enterprise users at the URLs below:
US Data Center: https://keepersecurity.com/vault
US Public Sector / GovCloud: https://govcloud.keepersecurity.us/vault
EU Data Center: https://keepersecurity.eu/vault
AU Data Center: https://keepersecurity.com.au/vault
CA Data Center: https://keepersecurity.ca/vault
JP Data Center: https://keepersecurity.jp/vault
Upon first login, the user is walked through a simple onboarding experience.
Users are invited to join a training session via Google Meet or the customer's preferred meeting platform. This training invite can be contained within the email invitation body content, or sent separately by the Admin to their users. Contact your Customer Success manager at success@keepersecurity.com to start training your team.
The Keeper Admin can monitor the usage of users via the Risk Management Dashboard, Reporting & Alerts Module and also configure realtime web-hook alerts to Slack or Microsoft Teams. Installing Keeper Commander is also helpful for running automated reports.
We recommend that the Keeper Admin notifies users regarding the timeline in which built-in password manager saving will be disabled by GPO.
After the specified amount of time, the Keeper Admin should disable legacy built-in browser password managers, thus requiring and enforcing the use of Keeper on the browser.
Learn more about how to disable the built-in password manager.
It's critical that all employees use Keeper to manage their passwords and to prevent sharing of information over insecure channels. Update your password policies and employee onboarding processes to ensure that Keeper is utilized. Sharing new employee onboarding records to the user's vault is a great way to encourage them to login and start using the platform. Your customer success manager can also assist you with strategies.
Once the Enterprise Password Manager has been deployed to all of your employees, reach out to your security, compliance and engineering teams to review the privileged access capabilities that Keeper offers.
KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and a cloud-based access control plane in one unified product.
Learn more about the advanced capabilities of KeeperPAM.
Reserve the use of domains for privacy and security
Keeper's Cloud architecture is Zero Knowledge (more information about our security model is here).
For security reasons, Keeper's Enterprise tenants are restricted to inviting and creating end-user accounts within certain email domains. When you sign up for a Keeper Business or Enterprise account, we recommend that you use a business email domain, e.g. mycompany.com.
If you sign up for the Enterprise account using @mycompany.com for your email address, this domain will be reserved to your tenant.
Keeper's architecture requires a domain to be reserved before it can be used by the Enterprise. This serves several purposes:
(1) Ensures that end-users cannot create "rogue" accounts without being explicitly invited or provisioned by the Enterprise Admin.
(2) Reduces administrative burden in locating free or personal accounts associated with a domain
(3) Prevents a malicious actor from creating a Keeper account with a domain reserved by an Enterprise customer.
If you require additional email domains (e.g. us.company1.com and eu.company2.com), please open a support ticket with the Keeper team and we will assist you in reserving the domain.
If you own a set of domains that your users will use for logging in, be sure to contact your Keeper account manager to request domain reservation for all of your domains. We can lock the domains to your preferred region to ensure that users don't sign up in the wrong geographic data center.
Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com which cannot be reserved and allow the general public to create Keeper accounts with those domains, with a verified email.
If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.
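Because a tenant can only invite accounts in its reserved domains, a user-import list can be checked locally before it is uploaded. The sketch below is an added example, not part of Keeper's tooling; the reserved-domain set, the CSV column order (email, full name, role) and the exact-match rule for domains are assumptions.

```python
import csv
import io

# Assumption: domains Keeper has confirmed as reserved to this tenant.
RESERVED_DOMAINS = {"mycompany.com", "us.company1.com"}
# gmail.com and yahoo.com are the page's examples of "personal" domains;
# Keeper maintains the real list, so this set is only a local stand-in.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}

# Constructed sample import file. Assumed column order: email, full name, role.
SAMPLE_CSV = """\
alice@mycompany.com,Alice Example,General Employee
bob@MyCompany.com,Bob Example,
carol@gmail.com,Carol Example,General Employee
dave@mycompany.com.example.net,Dave Example,
erin@eu.mycompany.com,Erin Example,
alice@mycompany.com,Alice Again,
not-an-address,Frank Example,
"""


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in address:
        return None
    return domain.lower().rstrip(".")


def check_import(csv_text, reserved=RESERVED_DOMAINS, personal=PERSONAL_DOMAINS):
    """Classify each row of a user-import CSV before it is uploaded.

    Returns (ok_rows, problems); problems holds (line_no, email, reason).
    Domains are compared by exact match, so a sub-domain or a look-alike
    suffix of a reserved domain is reported rather than silently accepted.
    """
    ok, problems, seen = [], [], set()
    reader = csv.reader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=1):
        if not row or not any(cell.strip() for cell in row):
            continue  # skip blank lines
        email = row[0].strip()
        domain = email_domain(email)
        if domain is None:
            problems.append((line_no, email, "malformed address"))
        elif domain in personal:
            problems.append((line_no, email, "personal domain"))
        elif domain not in reserved:
            problems.append((line_no, email, "domain not reserved to tenant"))
        elif email.lower() in seen:
            problems.append((line_no, email, "duplicate"))
        else:
            seen.add(email.lower())
            ok.append(row)
    return ok, problems


if __name__ == "__main__":
    accepted, rejected = check_import(SAMPLE_CSV)
    print(f"{len(accepted)} rows ready to import")
    for line_no, email, reason in rejected:
        print(f"line {line_no}: {email!r}: {reason}")
```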
Organizations have the option to add a “corporate alias” to their account. For example, in situations where an organization domain change occurs, our team can easily transition your users to the new domain without any interruption in service. Please contact Keeper's support team to add a domain alias to your account.
If you are using Keeper SSO Connect Cloud or Keeper SSO Connect On-Prem, you can enable Just-In-Time Provisioning. If Just-In-Time provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices including Web Vault, Desktop App, Browser Extensions, iOS and Android apps.
If you would like to ensure that new users who access the vault are automatically routed to your SSO based on the email domain, please contact support and we will assist in setting up the routing.
Customers who attempt to login or provision accounts from a different region may or may not automatically get routed to the proper region where their tenant is hosted. If the routing is not occurring, please open a support ticket.
Keeper is the leading cybersecurity platform for preventing password-related data breaches and cyberthreats.
Congratulations on your decision to deploy Keeper to protect your organization. This guide will provide valuable information on how to onboard your users, deploy the application to end-user devices and manage the platform.
Keeper's platform provides the following high level capabilities:
Password & Passkey Management
Privileged Access Management
Secrets Management
Zero-Trust Network Access
Secure Vendor Access
OT Security
Connection Management
Remote Browser Isolation
Admin Console
Control Plane
This Keeper Enterprise guide covers the deployment of the core password management platform to your users. Additional guides and documentation of advanced privileged access capabilities are covered in later sections.
Keeper’s platform:
Provides each employee with a secure, encrypted digital vault in which to store their passwords, passkeys, files and other sensitive data. Employees can access their vault from any device and from all web browsers, automatically generate unique, complex passwords for all their accounts, and automatically fill their login credentials into all of their sites and apps.
Provides IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, two-factor authentication (2FA), role-based access control (RBAC), and other security policies.
Provides DevOps and engineering teams with a fully managed cloud-based, zero-knowledge Secrets Management platform for securing infrastructure secrets such as privileged accounts, API keys, database passwords, access keys, certificates and any type of confidential data.
Provides modern privilege access through connection management, OT security, secure vendor access, zero-trust network access and remote browser isolation with session management, monitoring and recording.
A brief platform demo can be viewed below:
Creating a trial of Keeper Business and MSP
(1) To create your Keeper Business or KeeperMSP Trial version, visit this page: https://keepersecurity.com/password-manager-free-trial-sign-up.html ... or click on "Try it Free" from our homepage at: https://keepersecurity.com
(2) Select Business or MSP version
(3) Fill out the form using your Business email address, and click Start Free Trial.
(4) On the next screen, you'll create your account (or if you're using an existing Keeper personal email address, you can select "Use an Existing Account").
Important: At this step, please ensure that you select your desired Geographic Data Center location.
Signup for the US, EU, AU, CA and JP data center locations is available.
US GovCloud (FedRAMP Compliant) region is available on request.
The choices available are US, EU, AU, CA, JP. Contact us for GovCloud public sector signup.
If you select the wrong data center region, please contact support to delete your trial and start over.
(5) Select your Administrator account Master Password.
Ensure you select a strong Master Password that is only used for managing Keeper. If you forget your Master Password, Keeper support cannot perform a password reset due to our Zero Knowledge architecture. We recommend activating Account Recovery (via a recovery phrase) after logging in and visiting the Settings screen.
(6) After verifying your email address and selecting a Master Password, you will be logged into the Keeper Admin Console. Click on "Admin" to add users and begin your configuration.
(7) Click on "Add Users" to invite other users for your trial, or to set up additional admin accounts. Users who are manually invited will login with a self-selected Master Password.
(8) Proceed through this Enterprise Guide to learn about best practices for deploying Keeper, Single Sign On ("SSO") integration, Role enforcement policies, Teams, Advanced Administration and other important topics.
Deploying KeeperFill to macOS devices using device management platforms
Follow these steps to deploy KeeperFill to all Mac devices in your organization using your preferred device management platform.
To set up KeeperFill on Mac, you create configuration files in MCX Property List (.plist) format. When you deploy the configuration files to the device using your preferred mobile device management (MDM) tool, the settings are applied.
These procedures are a General Guide and assume that you have already deployed the Chrome Browser within your organization.
Use your preferred editor to create the Keeper .plist policy file.
Set up KeeperFill browser extensions.
Push the configuration files to all macOS devices in your organization using your preferred mobile device management (MDM) tool.
You can launch the Keeper Password Manager automatically when you start your computer.
On Windows, to set the Keeper Password Manager app to launch at startup, go to Start > Run and type shell:startup
Your startup folder will be shown. Place a shortcut to Keeper Desktop into this folder. Now Keeper will launch automatically on startup.
On macOS, from Settings, go to General > Login Items
Click the Plus (+), go to Applications, and select Keeper Password Manager
Now Keeper will launch when you start your Mac.
KeeperFill makes it easy to login, save passwords and access your vault on web browsers.
The KeeperFill browser extension can be installed directly by the user or pushed to users by the Keeper administrator.
The latest KeeperFill Browser Extension can be installed by users at the links below, or by visiting the Keeper download page.
Chrome, Brave, Opera and other Chromium-based Browsers: https://chrome.google.com/webstore/detail/keeper%C2%AE-password-manager/bfogiafebfohielmmehodmfbbebbbpei
Firefox: https://addons.mozilla.org/en-US/firefox/addon/keeper-password-manager/
Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/keeper%C2%AE-password-manager-/lfochlioelphaglamdcakfjemolpichk
Safari: https://apps.apple.com/us/app/keeper-for-safari/id6444685332
Chrome, Edge and Firefox deployment guides are linked below:
Deploying Firefox with Extensions (Mozilla)
For environments where devices are managed through platforms such as Microsoft Intune or Jamf.
If your group policy does not support installation of extensions, your SCCM administrator may be able to use the links below to push the extensions directly:
Microsoft Edge and Chrome: chrome.zip
Firefox: firefox.xpi
Direct package install is not recommended for most environments. Using app store management portals such as Google Admin is preferred.
User guides are available for every web browser at the links below:
Methods for deploying the Keeper app to end-user devices.
This section describes the methods of deploying Keeper to end-users. Keeper can be deployed as a web browser application, browser plugin, mobile app and native desktop application.
A series of Keeper 101 videos are available to help train your end-users. Below is the Enterprise End-User guide:
Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari, Firefox, Edge, Brave and Opera. Native app installation is available from the Keeper website and every public-facing app store (iTunes, Google Play, Microsoft Store, Mac App Store, etc).
| Device | OS Version Supported |
| --- | --- |
| Windows | 7 / 8 / 10+ |
| Mac OS | Current Version - 2 |
| Linux | Fedora, Red Hat, CentOS, Debian, Ubuntu, Mint |
| iOS | 9+ |
| Android | 4.4+ |
| Chrome OS | Current Version - 2 |
| Edge | Current Version - 2 |
| Safari | Current Version - 2 |
| Firefox | Current Version - 2 |
| Opera | Current Version - 2 |
| Brave | Current Version - 2 |
The latest Keeper downloads can be found at https://keepersecurity.com/download
Keeper provides customers with a fully native desktop application as an optional component. The desktop app has some unique capabilities compared to the web vault, such as native app autofill and hot keys. See the subsection Desktop Application.
Keeper's browser extension provides autofill capabilities on every web browser. See the subsection Browser Extension (Keeper Fill).
Keeper for mobile and tablet devices can be deployed through the public-facing app stores. MDM solutions can also push these applications to end-user devices without any special requirements. When the users register or sign into an account, Enterprise enforcement policies are automatically applied.
Keeper supports authentication, provisioning and deployment through your existing SAML 2.0 identity provider such as Azure AD, Okta, Google Workspace, JumpCloud, Ping and many others. See the SSO Connect Cloud setup guide for deployment instructions.
When deployed through Azure AD, Keeper fully supports Azure conditional access policies across web, mobile and desktop applications.
Methods for deploying Keeper to user desktops
Keeper offers users two different desktop vaults. The Keeper Web Vault in the web browser, and the native Keeper Desktop application for Windows, Mac and Linux.
The Keeper Desktop App has several benefits compared to the Keeper Web Vault such as:
Ability to Autofill and auto-type passwords into native apps using KeeperFill for Apps feature.
Ability to automatically import existing passwords without additional component installation.
Automatically migrate from existing LastPass vaults.
Secure biometric login using Touch ID on compatible MacBook Pro computers.
Secure biometric login using Windows Hello (Windows 10).
Windows Hello for Business, including biometrics and smart card capabilities (Windows 10).
Increased performance.
Offline access using biometrics or master password (if permitted by Keeper Admin)
Keeper Desktop is a cross-platform native desktop application for Windows, MacOS and Linux. Several installer files are provided at the links below. For additional details on each package, see the Additional Deployment Details section below.
Windows 10 AppInstaller (64 and 32-bit, supports Windows Hello) [Install Link]
Command-line deployment:
Microsoft Store Version (64 and 32-bit, supports Windows Hello) [Microsoft Store Link]
Command-line deployment:
Windows 10 MSIX Installer: [MSIX Installer Link] (Note: MSIX does not auto-update)
Command-line deployment:
Windows 10 MSI Installer: [MSI Installer Link] (Note: MSI does not auto-update, no support for Windows Hello)
Command-line deployment:
Mac OS .dmg [Install Link (.dmg)]
Mac App Store [Mac App Store Link] (Note: does not support iCloud Keychain import)
Linux Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint: (Please refer to the below Download Page for the latest links) [Download Page Link]
Password Importer Standalone (Windows 10): [Install Link (.exe)]
Password Importer Standalone (Mac OS): [Install Link]
Installer: [Install Link]
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %localappdata%\Packages\KeeperSecurityInc.KeeperPasswordManager_xxx
Auto-Updates: Yes
Windows Hello: Yes
The appinstaller is just a lightweight wrapper around the msixbundle that enables auto-update functionality, which is checked on app launch. Due to including the auto-update feature, the appinstaller requires Windows 10 version 1803.
Users download a small appinstaller file that automatically fetches the msixbundle from https://keepersecurity.com/desktop_electron/packages/KeeperPasswordManager.msixbundle. It otherwise behaves the same as the MSIX install.
The appinstaller can be deployed with PowerShell like this:
The contents of the KeeperPasswordManager.appinstaller file are below:
Install Link: [MSIX Installer Link]
Supported Platforms: Windows 10 build 1703 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: Yes
The msixbundle file is an appx bundle containing multiple architectures, currently x86 and x86_64 are supported. The asset requires at least Windows 10 version 1703 to install, and installs to C:\Program Files\WindowsApps with a package identity which enables additional features such as Windows Hello. The installed app is owned by TrustedInstaller.
Command-line deployment:
Install Link: [MSI Installer Link]
Supported Platforms: Windows 7, Windows 8, Windows 8.1, Windows 10
Supported Architectures: x64, ia32
Install Location: %programfiles%\keeperpasswordmanager
Data Location: %appdata%\Keeper Password Manager\IndexedDB
Auto-Updates: No
Windows Hello: No
The MSI installer does not auto-update. This is to satisfy enterprise administrators who require complete control over application updates.
The MSI installer is 32-bit, and it has the best compatibility with older versions of Windows.
The MSI installer does not support Windows Hello.
The MSI can be silently installed from an elevated command prompt. Without elevation the install fails silently, because the Windows UAC prompt is never shown during a silent install. Install it in this way:
The MSI installer does not allow selecting the installation location. This mitigates a security weakness whereby an administrator can install the application in a location, such as C:\, where non-privileged users have access to modify or replace the binary. Instead, the MSI installer always installs to %programfiles%.
The Keeper .MSI installer utilizes Microsoft Msiexec. Standard switches are documented here: https://docs.microsoft.com/en-us/windows/desktop/msi/standard-installer-command-line-options
Install Link: [Microsoft Store Link]
Supported Platforms: Windows 10 build 1803 or newer.
Supported Architectures: x64, ia32
Install Location: %programfiles%\WindowsApps\KeeperPasswordManager_*
Auto-Updates: Yes (via Microsoft Store)
Windows Hello: Yes
The Windows Store build is almost identical to the normal msixbundle, but has a different app identity which is assigned by the Microsoft Store. Updates are managed by the Microsoft Store, and the app is also installed to C:\Program Files\WindowsApps and is owned by TrustedInstaller.
The desktop app is able to be installed silently from the Microsoft Store using Microsoft's package manager winget:
Businesses may push the Microsoft Store app to Intune using an Intune Connector set up to use the Microsoft Store For Business (businessstore.microsoft.com), which is different from the consumer Microsoft Store (apps.microsoft.com), which some companies block. Companies are given the option to publish two different types of apps, an "offline" version (which won't update automatically via the store) and an "online" version (which should update via the store). The “online” version will update the app in Company Portal as well, so every time a user installs it from Company Portal, it’s the newest version.
Minimum Requirements:
Mac OS 10.10+ with Intel or Apple M1 ARM-based processor, 64-bit. 512MB RAM. Keeper Desktop for Mac contains a universal installer which is optimized for both chipsets.
Auto-Updates: Yes
Download Link:
Keeper for Mac (.dmg)
Fedora 28 or above
Ubuntu LTS releases 16.04 or above
Red Hat Enterprise Linux 7.0 or above
CentOS version 7.3 and above
Debian 8 and above
Hardware: 512MB RAM
Auto-Updates: No
Keeper for Linux - Fedora, Red Hat and CentOS
Keeper for Linux - Debian, Ubuntu and Linux Mint
For file verification, Keeper Desktop SHA1 hashes are computed based on the most recent version and can be retrieved at the below URL: https://keepersecurity.com/desktop_electron/SHASUM256.txt
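A check an administrator could run before handing an installer to SCCM or Intune, added here as an example and not part of Keeper's guide. It assumes the checksum file uses the common "<hex digest> <file name>" line layout, which the page does not show, and it picks SHA-1 or SHA-256 from the digest length because the page calls the hashes SHA1 while the file is named SHASUM256.txt; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import sys

# Digest length in hex characters -> hashlib algorithm name.
ALGORITHM_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def parse_manifest(text):
    """Map file name -> lower-case hex digest for every well-formed line.

    Assumed layout (not shown on the page): '<hex digest> <file name>',
    optionally with the '*' binary marker that shasum-style tools emit.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest = parts[0].lower()
        name = os.path.basename(parts[1].strip().lstrip("*"))
        if len(digest) in ALGORITHM_BY_HEX_LENGTH and set(digest) <= HEX_DIGITS:
            entries[name] = digest
    return entries


def file_digest(path, algorithm):
    """Hash the file in 1 MiB chunks so large installers are not loaded whole."""
    hasher = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_installer(path, manifest_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the installer at path."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        # A file that the manifest does not name must not be treated as verified.
        return "unlisted"
    actual = file_digest(path, ALGORITHM_BY_HEX_LENGTH[len(expected)])
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    # Usage: python verify_installer.py <installer file> <saved checksum file>
    if len(sys.argv) == 3:
        with open(sys.argv[2], encoding="utf-8") as manifest:
            result = verify_installer(sys.argv[1], manifest.read())
        print(result)
        sys.exit(0 if result == "ok" else 1)
```

Treat both "mismatch" and "unlisted" as a failed verification and stop the deployment.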
Keeper supports Enterprise Configuration settings to control the end-user experience.
| Setting | Type | Description |
| --- | --- | --- |
| DomainName | String | Enterprise SSO Domain to pre-populate on app launch. |
| Region | String | Region identifier where your Keeper tenant is hosted. Must be one of ("us", "eu", "au", "usg") |
| HideCreateAccount | Boolean | Hides the Create Account button from the start page |
| UseDefaultBrowserForSSO | Boolean | Routes the user to their default web browser for SSO authentication instead of using a popup window. |
Keeper Desktop can be configured using standard macOS NSUserDefaults objects using the com.keepersecurity.passwordmanager domain. If your MDM solution is able to push macOS user defaults, you can use this method for enforcing configuration settings. Note the capital letter on the key value.
Testing the Config
You can test the configuration on the local machine using the below commands:
For example:
Keeper Desktop's Mac app bundle has an Information Property List File, Info.plist, which contains key-value pairs that identify and configure a bundle.
Finding the App Bundle ID and App Version
The following keys in the Information Property List file contain the values for the App Bundle ID and App Version:
CFBundleIdentifier: App Bundle ID
CFBundleShortVersionString: App Version
To find the values of the above keys, you need to access the Information Property List File, Info.plist, and find the corresponding values.
Location of Info.plist after mounting DMG file:
Alternatively, you can run the defaults read command:
For the Keeper Desktop App, running the following commands would give you the App Bundle ID and Version:
All Windows, macOS and Linux end-user installations can be configured by using a UTF-8 encoded JSON file placed in the user's home folder under ".keeper/desktop.config.json". Note the identifiers are using camel case for JSON defaults with a lowercase on the first letter.
Example File
macOS End Users
Alternatively, for macOS end-users, Keeper Desktop can be configured using the standard macOS NSUserDefaults. Visit the following section for more information.
The desktop.config.json file must be UTF-8 encoded.
From your text editor, in File > Save As...
In the "Save as type" drop-down, select All Files.
In the "Encoding" drop-down, select UTF-8.
Ensure the name of the file is desktop.config.json
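A pre-deployment check for desktop.config.json, added here as an example and not Keeper's own tooling. It assumes the JSON keys are the four Enterprise Configuration settings listed above with the first letter lowercased, as the camel-case note describes; the function name and the sample files are constructed.

```python
import json

# Setting names from the Enterprise Configuration list on this page, with the
# first letter lowercased for JSON (assumed exact spelling).
SCHEMA = {
    "domainName": str,
    "region": str,
    "hideCreateAccount": bool,
    "useDefaultBrowserForSSO": bool,
}
ALLOWED_REGIONS = {"us", "eu", "au", "usg"}  # values the page lists for Region
UTF8_BOM = b"\xef\xbb\xbf"


def validate_desktop_config(raw):
    """Return a list of problems found in the raw bytes of desktop.config.json."""
    problems = []
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return ["file is UTF-16 encoded; it must be saved as UTF-8"]
    if raw.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 byte order mark, which some JSON parsers reject")
        raw = raw[len(UTF8_BOM):]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return problems + ["not valid UTF-8: %s at byte %d" % (exc.reason, exc.start)]
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + ["not valid JSON: %s (line %d)" % (exc.msg, exc.lineno)]
    if not isinstance(config, dict):
        return problems + ["top level must be a JSON object"]

    by_lower = {name.lower(): name for name in SCHEMA}
    for key, value in config.items():
        if key not in SCHEMA:
            # Catches the capitalised macOS defaults spelling pasted into JSON.
            hint = by_lower.get(key.lower())
            if hint:
                problems.append("key '%s' should be spelled '%s' in JSON" % (key, hint))
            else:
                problems.append("unknown key '%s'" % key)
            continue
        expected = SCHEMA[key]
        # bool is a subclass of int in Python, so compare exact types.
        if type(value) is not expected:
            kind = "boolean" if expected is bool else "string"
            problems.append("'%s' must be a JSON %s" % (key, kind))
    region = config.get("region")
    if isinstance(region, str) and region not in ALLOWED_REGIONS:
        problems.append("region '%s' is not one of %s" % (region, sorted(ALLOWED_REGIONS)))
    return problems


# Constructed sample files (the domain name is a placeholder).
CONSTRUCTED_GOOD = (
    b'{"domainName": "example-corp", "region": "eu", '
    b'"hideCreateAccount": true, "useDefaultBrowserForSSO": true}'
)
CONSTRUCTED_PLIST_STYLE = b'{"DomainName": "example-corp", "Region": "us"}'
CONSTRUCTED_BAD_VALUES = b'{"region": "US", "hideCreateAccount": "true"}'
CONSTRUCTED_UTF16 = CONSTRUCTED_GOOD.decode("utf-8").encode("utf-16")

if __name__ == "__main__":
    for label, sample in [("good", CONSTRUCTED_GOOD), ("plist-style keys", CONSTRUCTED_PLIST_STYLE),
                          ("bad values", CONSTRUCTED_BAD_VALUES), ("utf-16", CONSTRUCTED_UTF16)]:
        print(label, "->", validate_desktop_config(sample) or "no problems")
```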
Note that Keeper can automatically route your users to the proper enterprise tenant, SSO provider and data center based on the email domain that they type into the Keeper login form. If you are using SSO, make sure that the "Just In Time Provisioning" option is enabled in the SSO configuration. Also, ensure that your domain is reserved, which means that typing anything @ yourcompany.com will get routed to the proper region.
If the routing of user to the proper region and SSO is not working correctly for you, please open a support ticket.
Admin > Roles > Keeper Administrator
and clicknext to Users
Under Admin Permissions, hover over your company name and click
Clickto add individual Users and Roles to the team.
Deploying KeeperFill via JSON Policy
If you do not yet have a JSON policy file that you want to use to deploy the Keeper Browser extension to all PCs in your organization, create your Keeper JSON policy file in your desired location (Ex: /tmp) and name it keeperbe.json
OR create your keeperbe.json file via command-line
2. In your preferred JSON file editor or basic file editor, copy, paste and save the contents, below, into the keeperbe.json file or the policy file in which you currently utilize for your organization.
If you currently have configuration folders setup for the user PCs in your organization, proceed to Step 3: Deploying the Keeper JSON Policy File.
On each PC, in your organization, that you would like to apply this policy on, you’ll need at least one folder to apply this policy.
If it does not already exist, create the directory structure, verbatim, as follows: /etc/opt/chrome/policies/managed and set the proper permissions for that directory.
OR create your directory structure via command-line
The creation of this directory will most likely NOT be in the same directory as where Chrome is installed on the target Linux devices. Ex: My Chrome installed directory is /opt/google/chrome but my managed policy directory, in which my organization manages my Chrome install, is in the /etc/opt/chrome/policies/managed directory.
Use your preferred method (utility or script) to push the keeperbe.json policy file and Chrome Browser to the target Linux devices in your organization.
Push the keeperbe.json file to the /etc/opt/chrome/policies/managed directory on all target Linux devices in your network.
Confirm that the files are in the correct directories on all the target Linux devices.
On a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied.
You may need to select "Reload Policies" to apply this new policy to the target Linux devices.
You may need to close and reopen Google Chrome before the new policies appear.
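The Linux procedure above as one script, added here as an example and not part of Keeper's guide: it writes keeperbe.json and audits the managed-policy directory for the permissions and content that make the policy trustworthy. The extension ID comes from the Chrome Web Store link on this page; the policy keys are Chrome policy names chosen to mirror the Group Policy steps elsewhere on this page, which is an assumption since the file content the page refers to is not shown, and the function names are hypothetical.

```python
import json
import os
import stat
import tempfile

# Extension ID taken from the Chrome Web Store link on this page.
KEEPER_CHROME_ID = "bfogiafebfohielmmehodmfbbebbbpei"
# Chrome Web Store update URL used in force-install entries.
CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
MANAGED_DIR = "/etc/opt/chrome/policies/managed"


def build_policy():
    """Assumed policy content; mirrors the Group Policy settings on this page."""
    return {
        "ExtensionInstallForcelist": [KEEPER_CHROME_ID + ";" + CWS_UPDATE_URL],
        "PasswordManagerEnabled": False,
        "AutofillAddressEnabled": False,
        "AutofillCreditCardEnabled": False,
    }


def write_policy(directory=MANAGED_DIR, name="keeperbe.json"):
    """Write the policy atomically with mode 0644 and return the final path."""
    os.makedirs(directory, mode=0o755, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        json.dump(build_policy(), handle, indent=2)
        handle.write("\n")
    os.chmod(tmp_path, 0o644)
    final_path = os.path.join(directory, name)
    os.replace(tmp_path, final_path)  # readers never see a half-written file
    return final_path


def audit_managed_dir(directory=MANAGED_DIR, expected_uid=0):
    """Return findings for the managed-policy directory and its JSON files."""
    findings = []
    forcelist_files = []
    keeper_forced = False
    names = sorted(n for n in os.listdir(directory) if n.endswith(".json"))
    for path in [directory] + [os.path.join(directory, n) for n in names]:
        info = os.stat(path)
        # A policy that an unprivileged user can rewrite is not an enforced policy.
        if info.st_uid != expected_uid:
            findings.append("%s: owned by uid %d, expected %d" % (path, info.st_uid, expected_uid))
        if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s: writable by group or others" % path)
        if path == directory:
            continue
        try:
            with open(path, encoding="utf-8") as handle:
                policy = json.load(handle)
        except ValueError as exc:  # covers bad UTF-8 and bad JSON
            findings.append("%s: not valid UTF-8 JSON (%s)" % (path, exc))
            continue
        if not isinstance(policy, dict):
            findings.append("%s: top level must be a JSON object" % path)
            continue
        entries = policy.get("ExtensionInstallForcelist")
        if entries is None:
            continue
        forcelist_files.append(path)
        if not isinstance(entries, list):
            findings.append("%s: ExtensionInstallForcelist must be a list" % path)
            continue
        for entry in entries:
            if isinstance(entry, str) and entry.split(";", 1)[0] == KEEPER_CHROME_ID:
                keeper_forced = True
    if len(forcelist_files) > 1:
        findings.append("ExtensionInstallForcelist is set in more than one file (%s); "
                        "keep it in one file so the effective list is unambiguous"
                        % ", ".join(forcelist_files))
    if not keeper_forced:
        findings.append("Keeper extension %s is not force-installed by any policy file"
                        % KEEPER_CHROME_ID)
    return findings


if __name__ == "__main__":
    if os.path.isdir(MANAGED_DIR):
        for finding in audit_managed_dir():
            print(finding)
    else:
        print("%s does not exist on this machine" % MANAGED_DIR)
```

An empty result from the audit only covers the files on disk; chrome://policy on the device remains the check that Chrome actually loaded them.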
Deploying Custom Configuration Profiles using Jamf Pro
This is a general overview of how to deploy Google Chrome's .plist configuration profile, to computers within your organization, using Jamf Pro.
Upload the manually created Google Chrome PLIST file that defines the properties for the preference domain you specify in Jamf Pro.
Log in to Jamf Pro.
Click Computers at the top of the page.
Click Configuration Profiles.
Click New.
Use the General payload to configure basic settings, including the level at which to apply the profile and the distribution method.
Click the Application & Custom Settings payload, and then click Upload.
Click Add.
Enter com.google.Chrome in the Preference Domain field.
To upload the custom PLIST file choose Upload File, enter the preference domain for which you want to set properties. Click Upload PLIST File, and then choose the com.google.Chrome.plist file previously created.
Note: If the PLIST file contains formatting errors, follow the PLIST (.plist) Policy Deployment instructions to remediate the issue.
10. Click the Scope tab, and then configure the scope of the configuration profile.
11. Click Save.
Deploying Custom Configuration Profiles using Microsoft Intune
This is a general overview of how to deploy Google Chrome .plist configuration profile, to computers within your organization, using Microsoft Intune.
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Enter the following properties:
Platform: Select macOS
Profile: Select Preference file.
Select Create.
5. In Basics, enter the following properties:
Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is macOS: Add preference file that configures Google Chrome on devices.
Description: Enter a description for the policy. This setting is optional, but recommended.
6. Select Next.
7. In Configuration settings, configure your settings:
Preference domain name: Enter the bundle ID as com.google.Chrome
Property list file: Select the property list file associated with your app. Be sure to choose the com.google.Chrome.plist file previously created.
The key information in the property list file is shown. If you need to change the key information, open the list file in another editor, and then re-upload the file in Intune.
Note: Be sure your file is formatted correctly. The file should only have key value pairs, and shouldn't be wrapped in <dict>, <plist>, or <xml> tags. If the PLIST file contains formatting errors, follow the PLIST (.plist) Policy Deployment instructions to remediate the issue.
8. Select Next.
9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-IL IT Team or Chicago_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.
10. Select Next.
11. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.
12. Select Next.
13. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
Select Devices > Configuration profiles. All the profiles are listed.
Select the profile you want to assign > Properties > Assignments > Edit:
Select Included groups or Excluded groups, and then choose Select groups to include. When you select your groups, you're choosing an Azure AD group. To select multiple groups, hold down the Ctrl key, and select your groups.
Select Review + Save. This step doesn't assign your profile.
Select Save. When you save, your profile is assigned. Your groups will receive your profile settings when the devices check in with the Intune service.
When you create or update a profile, you can also add scope tags and applicability rules to the profile.
Scope tags are a great way to filter profiles to specific groups, such as US-IL IT Team or Chicago_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.
Deploying KeeperFill to Windows devices using device management platforms
There are many options to deploy the Keeper Browser Extension (KeeperFill) to browsers on Windows machines including Group Policy, SCCM and Intune.
Sample reference guides are linked below:
Deploying KeeperFill to Linux devices using device management platforms
Follow these steps to deploy KeeperFill to all Linux devices in your organization using your preferred deployment tool or script.
To set up KeeperFill on Linux, you create configuration files in JavaScript Object Notation (.json) format.
These procedures are a General Guide and assume that you have already deployed the Chrome Browser within your organization.
Use your preferred editor to create the Keeper JSON policy file.
Set up KeeperFill browser extensions.
Push the configuration files to all Linux PCs in your organization using your preferred deployment tool or script.
Deploying KeeperFill to Chrome via PLIST Policy
If you do not yet have a policy file, create your Keeper plist policy file in your desired location (Ex: /tmp) and name it com.google.Chrome.plist. To do so, select Go on the top menu bar of your macOS desktop and select Terminal to open a Terminal console.
Copy and paste the contents below, into your Terminal, and hit Enter / Return. This will create your plist file within the /tmp directory and display that the file is there.
In your preferred file editor or basic file editor, copy, paste and save the contents, below, into the com.google.Chrome.plist file.
There are multiple tools to deploy your PLIST policy. In the next set of instructions, we will walk through deploying your PLIST policy file via Jamf Pro, AirWatch and Microsoft Intune.
Deploying KeeperFill via Group Policy
This section describes how to utilize your Active Directory Group Policy Management, against Google Chrome templates, to deploy the Keeper Browser extension to all PCs in your organization. Please note this is a general guide.
On your domain controller, navigate to the URL, provided below, and download the correct 32 or 64 bit zip bundle. Extract the Google Chrome bundle to your desired location. Ex: C:\temp
Navigate to the directory in which you extracted the Google Chrome Bundle and copy the chrome.admx file to C:\Windows\PolicyDefinitions from one of the following directories:
64-bit: \GoogleChromeEnterpriseBundle64\Configuration\admx
32-bit: \GoogleChromeEnterpriseBundle\Configuration\admx
Navigate to the directory in which you extracted the Google Chrome Bundle and copy the chrome.adml file to C:\Windows\PolicyDefinitions\en-US from one of the following directories:
64-bit: \GoogleChromeEnterpriseBundle64\Configuration\admx\en-US
32-bit: \GoogleChromeEnterpriseBundle\Configuration\admx\en-US
NOTE: If a different language is desired instead of en-US, please navigate to the directory for the correct language of your choosing. Ex: es-ES
Open Group Policy Manager on your domain controller and expand out your domain -> Group Policy Objects. If you do not yet have a Group Policy that you want to use for Chrome policies, right-click Group Policy Objects and create a new policy.
2. Name the policy something relevant. Ex: “Chrome Policy”
3. Once created, right click the new policy and select Edit.
4. Expand out Chrome Policy -> Computer Configuration -> Policies -> Administrative Templates -> Google Chrome -> Extensions then Right click and Edit the “Configure the list of force-installed apps and extensions”
If this policy will apply to Users instead of Computers, the Chrome policies you will be expanding will be located under User Configuration -> Policies -> Administrative Templates -> Google Chrome
5. Tick the Enable button, and then click the Show button.
6. Add the following text and click OK.
7. Click Apply, and then click OK
8. Disable Chrome's Built-In Password Manager by navigating to Google Chrome -> Password manager and then Right click and Edit the “Enable saving passwords to the password manager”
9. Tick the "Disabled" button, and then click Apply, and then click OK.
10. Following the same process as steps 8 - 9, directly within the Google Chrome Administrative Templates policy definitions, disable Chrome's AutoFill capabilities by editing both "Enable AutoFill for addresses" and "Enable AutoFill for credit cards" and setting them to Disabled.
11. (Optional) If you would like to disable Developer Tools, to further secure against users attempting to unmask a masked password / credential, still within the Google Chrome Administrative Templates policy definitions, disable Developer Tools by editing "Control where developer tools can be used" and setting it to "Enabled", then select the Options value of "Don't allow using the developer tools" and click OK.
12. Exit the Group Policy Management Editor, right-click the OU of your choice which contains your Computers or Users, and select Link an Existing GPO.
13. Select the “Chrome Policy” and click “OK”
If you have more than one OU (Organizational Unit) that you would like to Link this new Group Policy to, repeat steps 12 - 13.
For any PC within that OU, the “Chrome Policy” will automatically install the Keeper Security Browser Extension if Chrome is installed on those PCs, and will disable Chrome's less secure built-in password manager and AutoFill capabilities.
On a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You can also check your extension by navigating to chrome://extensions and ensuring your extensions are being forcefully installed.
You may need to run gpupdate /force, in an elevated command prompt, to apply this new group policy to the PCs.
You may need to close and reopen Google Chrome before the new policies appear.
Deploying KeeperFill via Group Policy
This section describes how to utilize your Active Directory Group Policy Management, against Firefox Policy Templates, to deploy the Keeper Browser extension to all PCs in your organization. Please note this is a general guide.
On your domain controller, download the zip file and extract the Firefox Policy Template file to your desired location. Ex: C:\temp
Navigate to the directory in which you extracted the Firefox Policy Template file and copy the firefox.admx file located within the \policy_templates_v.(version)\windows directory to C:\Windows\PolicyDefinitions
Navigate to the directory in which you extracted the Firefox Policy Template file and copy the firefox.adml file located within the \policy_templates_v.(version)\windows\en-US directory to C:\Windows\PolicyDefinitions\en-US
NOTE: If a different language is desired instead of en-US, please navigate to the directory for the correct language of your choosing. Ex: es-ES
Open Group Policy Manager on your domain controller and expand out your domain -> Group Policy Objects. If you do not yet have a Group Policy that you want to use for Firefox policies, right-click Group Policy Objects and create a new policy.
2. Name the policy something relevant. Ex: “Firefox Policy”
3. Once created, right click the new policy and select Edit.
4. Expand out Firefox Policy -> Computer Configuration -> Policies -> Administrative Templates -> Firefox -> Extensions then Right click and Edit the “Extensions to Install”
5. Tick the Enable button, and then click the Show button.
6. Add the full hyperlink to the Add-on from Mozilla, like below:
7. Click Apply, and then click OK
8. Now proceed to right clicking and Edit the “Prevent extensions from being disabled or removed”
9. Add the URL again from Step 6 above in the value field.
10. Click Apply, and then click OK
11. Disable the Firefox built-in password manager: directly within the Firefox Administrative Templates policy definitions, right-click and edit both "Offer to save logins" and "Offer to save logins (default)", set them to Disabled, click Apply and then OK.
12. Exit the Group Policy Management Editor, Right Click the OU of your choice, and select Link an Existing GPO.
13. Select the “Firefox Policy” and click “OK”
If you have more than one OU (Organizational Unit) that you would like to Link this new Group Policy to, repeat steps 12 - 13.
For any PC within that OU, the “Firefox Policy” will automatically install the Keeper Security Browser Extension if Firefox is installed on those PCs, and will disable Firefox's less secure built-in password manager and AutoFill capabilities.
On a target client device, open Firefox and navigate to about:policies to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You may need to run gpupdate /force, in an elevated command prompt, to apply this new group policy to the PCs.
You may need to close and reopen Firefox before the new policies appear.
Deploying KeeperFill via Group Policy
This section describes how to utilize your Active Directory Group Policy Management, against Microsoft Edge templates, to deploy the Keeper Browser extension to all PCs in your organization. Please note this is a general guide.
On your domain controller, go to the Microsoft Edge Enterprise landing page to download the Microsoft Edge policy templates file (MicrosoftEdgePolicyTemplates.cab), by clicking on "Get Policy Files" and extract the contents to your desired location. Ex: C:\temp
Please select and download the correct files in accordance with your organization's environment and preferences.
2. Browse to the directory in which you saved the downloaded MicrosoftEdgePolicyTemplates.zip file. Extract the contents of the MicrosoftEdgePolicyTemplates.zip file to your desired location. Ex: C:\temp
Navigate to the directory in which you extracted the Microsoft Edge Templates zip file and copy the msedge.admx file located within the \windows\admx directory to C:\Windows\PolicyDefinitions
Navigate to the directory in which you extracted the Microsoft Edge Templates zip file and copy the msedge.adml file located within the \windows\admx\en-US directory to C:\Windows\PolicyDefinitions\en-US
NOTE: If a different language is desired instead of en-US, please navigate to the directory for the correct language of your choosing. Ex: es-ES
Open Group Policy Manager on your domain controller and expand out your domain -> Group Policy Objects. If you do not yet have a Group Policy that you want to use for Edge policies, right-click Group Policy Objects and create a new policy.
2. Name the policy something relevant. Ex: “Edge Policy”
3. Once created, right click the new policy and select Edit.
4. Expand out Edge Policy -> Computer Configuration -> Policies -> Administrative Templates -> Microsoft Edge -> Extensions then Right click and Edit the “Control which extensions are installed silently”
If this Policy will apply to Users instead of Computers, the Edge Policies you will be expanding will be located under User Configuration -> Policies -> Administrative Templates -> Microsoft Edge.
5. Tick the Enable button, and then click the Show button.
6. Add the following text and click OK.
7. Click Apply, and then click OK
8. Disable Edge's Built-In Password Manager by navigating to Microsoft Edge -> Password manager and protection and then Right click and Edit the “Enable saving passwords to the password manager”
9. Tick the "Disabled" button, and then click Apply, and then click OK.
10. Following the same process as steps 8 - 9, directly within Microsoft Edge Administrative Templates Policy definitions, Disable the Edge AutoFill capabilities by editing both "Enable AutoFill for addresses" and "Enable AutoFill for credit cards" and setting them to disabled.
11. (Optional) If you would like to disable Developer Tools, to further secure against users attempting to unmask a masked password / credential, still within the Microsoft Edge Administrative Templates Policy definitions, disable Developer Tools by editing "Control where developer tools can be used" and setting it to "Enabled", then select the Options value of "Don't allow using the developer tools" and click OK.
12. Exit the Group Policy Management Editor, right-click the OU of your choice that contains your Computers or Users, and select Link an Existing GPO.
13. Select the “Edge Policy” and click “OK”
If you have more than one OU (Organizational Unit) that you would like to Link this new Group Policy to, repeat steps 12 - 13.
For any PC or User within that OU, the “Edge Policy” will automatically install the Keeper Security Browser Extension, if Edge is installed on those PCs, and will disable the Edge browser's less secure built-in password manager and AutoFill capabilities.
On a target client device, open Microsoft Edge and navigate to edge://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You can also check your extension by navigating to edge://extensions and ensuring your extensions are being forcefully installed.
You may need to run gpupdate /force, in an elevated command prompt, to apply this new group policy to the PCs.
You may need to close and reopen Microsoft Edge before the new policies appear.
Deploy the Keeper browser extension to Google Chrome using Microsoft Intune
In Azure, open Intune and then select Devices.
Select Configuration profiles.
Select + Create profile.
For Platform, select Windows 10 and later. For Profile type, select Templates. For Template name, select Administrative templates. Select Create.
For Name, enter "Keeper-Chrome". For Description, enter "Keeper Web Extension for Chrome Browser". Select Next.
In Configuration settings, open the Google folder by double-clicking it.
Open the Google Chrome folder by double-clicking it.
Open the Extensions folder by double-clicking it.
Open the Configure the list of force-installed apps and extensions setting by double-clicking it.
For Support on: Microsoft Windows 7 or later, select Enabled. For Extension/App IDs and update URLs to be silently installed, paste "bfogiafebfohielmmehodmfbbebbbpei;https://clients2.google.com/service/update2/crx". Select OK.
Make sure that the State for your setting is Enabled, and then select Next.
Select Next
Select Add Groups
Select the group that you are deploying the Keeper Extension to. Example: KeeperUsers
Make sure that Groups lists all groups you want to deploy to and select Next.
Select Create
The policy is now active. If a plan member hasn't enrolled with Intune, they'll be prompted to do so when they sign in on a managed device. After they enroll, the Keeper web extension is installed automatically.
This page describes how to deploy the Keeper Browser Extension with SCCM
This is a general guide that describes how to use SCCM, with the Google Chrome templates, to deploy the Keeper Browser extension to all desired PCs in your organization.
Create a new Configuration Item. This can be done within the Configuration Manager console, in the Assets and Compliance work space. Give it a suitable name, like Keeper Browser Extension, and click Next.
Select the appropriate platforms to which this Configuration will apply and click Next.
Create a new settings configuration by clicking New.
Configure the new settings, as shown below, and click OK.
Name: ExtensionInstallForcelist
Description: Keeper Browser Extension
Key Name: Software\Policies\Google\Chrome\ExtensionInstallForcelist
Value Name: 1 (This number must be unique. If you plan to add other extensions this way, add them as 1, 2, 3 and so forth.)
Now click on the "Compliance Rules" tab and click on New.
Configure the new compliance rules, as shown below, and click OK.
Name: Keeper Security Extension Compliance Rule
Description: Keeper Browser
Within the "the following values:" field, add the value "bfogiafebfohielmmehodmfbbebbbpei;https://clients2.google.com/service/update2/crx" without the quotes.
Tick ON Remediate noncompliant rules when supported and Report noncompliance if this setting instance is not found
Click OK to create the new compliance rule.
Click Close to finish the new configuration item wizard.
In order to deploy this Configuration item, you need a baseline unless you have an existing baseline you would rather use.
If you have an existing baseline you would rather use, proceed to ?.
Create a new Configuration Baseline in the Configuration Manager console, in the Asset and Compliance work space. Give it a suitable name and click Add > Configuration Item.
Add your newly created Keeper Browser Extension Configuration Item, shown within the Available Configuration Items pane and click OK.
Finish creating the new Configuration Baseline by clicking on OK.
Finally, the Configuration Baseline containing the Keeper Browser Extension Configuration Item needs to be deployed. When deploying a baseline, remember to tick ON Remediate noncompliant rules when supported. Also, consider how often compliance should be evaluated. For example, Group Policy updates every 90 minutes by default. If this is replacing a GPO, consider lowering the policy update interval. Click OK to complete the configuration baseline.
Once the SCCM client has updated its policies, per device, and the Configuration Baseline has run, on a target client device, open Google Chrome and navigate to chrome://policy to see all policies that are applied. If you applied policy settings on the local computer, policies should appear immediately.
You can also check your extension by navigating to chrome://extensions and ensuring your extensions are being forcefully installed.
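A read-only check of the registry values that the Edge Group Policy procedure and the Chrome SCCM procedure above are expected to write, as an added example that is not part of Keeper's documentation. The extension strings and the Chrome key are the ones given on this page; the Edge key path and the value names PasswordManagerEnabled, AutofillAddressEnabled, AutofillCreditCardEnabled and DeveloperToolsAvailability are the browsers' standard policy names and are assumptions here, as are the function names.

```powershell
# Added example: audit the policy values behind edge://policy and chrome://policy.
# Run on a target client after gpupdate /force or the SCCM baseline evaluation.
# HKCU results describe the account running the script, so check user-scoped
# policies from the user's own session.

# Extension strings as given on this page. The Edge key path is the standard
# Microsoft Edge policy location (an assumption; the page does not state it).
$Browsers = @(
    @{ Name = 'Edge';   SubKey = 'SOFTWARE\Policies\Microsoft\Edge'
       ForceList = 'lfochlioelphaglamdcakfjemolpichk;https://edge.microsoft.com/extensionwebstorebase/v1/crx' },
    @{ Name = 'Chrome'; SubKey = 'SOFTWARE\Policies\Google\Chrome'
       ForceList = 'bfogiafebfohielmmehodmfbbebbbpei;https://clients2.google.com/service/update2/crx' }
)

# Hardening values from the Edge procedure (standard policy value names, assumed).
$Expected = [ordered]@{
    PasswordManagerEnabled     = 0   # steps 8-9: built-in password manager off
    AutofillAddressEnabled     = 0   # step 10
    AutofillCreditCardEnabled  = 0   # step 10
    DeveloperToolsAvailability = 2   # optional step 11: developer tools not allowed
}

function New-AuditRow($Browser, $Hive, $Setting, $Actual, $Status) {
    [pscustomobject]@{ Browser = $Browser; Hive = $Hive; Setting = $Setting
                       Actual = $Actual; Status = $Status }
}

function Get-KeeperPolicyAudit {
    foreach ($b in $Browsers) {
        $found = $false
        # Computer Configuration lands in HKLM, User Configuration in HKCU.
        foreach ($hive in 'HKLM:', 'HKCU:') {
            $root = '{0}\{1}' -f $hive, $b.SubKey
            $key  = Get-Item -LiteralPath $root -ErrorAction SilentlyContinue
            if (-not $key) { continue }   # no policies for this browser in this hive
            $found = $true

            # Force-install list: one string value per extension, named 1, 2, 3 ...
            $entries = @()
            $listKey = Get-Item -LiteralPath "$root\ExtensionInstallForcelist" -ErrorAction SilentlyContinue
            if ($listKey) {
                $entries = @($listKey.GetValueNames() |
                    ForEach-Object { "$($listKey.GetValue($_))".Trim() })
            }
            $status = if ($entries -contains $b.ForceList) { 'OK' } else { 'Missing' }
            New-AuditRow $b.Name $hive 'ExtensionInstallForcelist' ($entries -join ', ') $status

            # NotSet is reported separately from Mismatch: the SCCM procedure on
            # this page only writes the force-install list.
            foreach ($name in $Expected.Keys) {
                $actual = $key.GetValue($name)
                $status = if ($null -eq $actual) { 'NotSet' } elseif ($actual -eq $Expected[$name]) { 'OK' } else { 'Mismatch' }
                New-AuditRow $b.Name $hive $name $actual $status
            }
        }
        if (-not $found) { New-AuditRow $b.Name '-' '(policy key)' $null 'NoPolicyKey' }
    }
}

Get-KeeperPolicyAudit | Format-Table -AutoSize
```

A row with Status "Missing" for ExtensionInstallForcelist means the policy key exists but the Keeper entry is not in it, which usually points at a different value string or a GPO that has not yet been linked to the OU.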
Deploy the Keeper browser extension to Microsoft Edge using Microsoft Intune
In Azure, open Intune, and then select Devices.
Select Configuration profiles.
Select + Create profile.
For Platform, select Windows 10 and later. For Profile type, select Templates. For Template name, select Administrative templates. Select Create.
For Name, enter "Keeper-Edge". For Description, enter "Keeper Web Extension for Edge Browser". Select Next.
In Configuration settings, open the Microsoft Edge folder by double-clicking it.
Open the Extensions folder by double-clicking it.
Open the Configure which extensions are installed silently setting by double-clicking it.
For Support on: Microsoft Windows 7 or later, select Enabled. For Extension/App IDs and update URLs to be silently installed, paste "lfochlioelphaglamdcakfjemolpichk;https://edge.microsoft.com/extensionwebstorebase/v1/crx". Select OK.
Make sure that the State for your setting is Enabled, and then select Next.
Select Next.
Select Add groups.
Select the Azure AD Groups that you are deploying the Keeper browser extension to. In this example, the group is called "KeeperUsers". Select Next.
Make sure that Groups lists all groups you want to deploy to and select Next.
Select Create.
The policy is now active. If a plan member hasn't enrolled with Intune, they'll be prompted to do so when they sign in on a managed device. After they enroll, the Keeper web extension is installed on Microsoft Edge automatically.
Keeper AD Bridge supports automatic provisioning of nodes, roles, teams and users across any size Active Directory environment.
The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an Active Directory service. To activate and install the Keeper Bridge, follow the steps below:
Login to the Admin Console.
Create a Node (under the root node) to sync with your Active Directory.
Visit the Provisioning tab and select Add Method and then Active Directory Sync.
Download the Keeper Bridge and proceed with setup.
For detailed Keeper Bridge setup and installation instructions see our Keeper Bridge Guide.
Keeper Bridge supports single and multi-domain, multiple forest domains and other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment. The Keeper AD Bridge Guide documents the full setup process.
The Keeper Bridge does not authenticate users into their vault with their Active Directory password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section which authenticates against Active Directory via AD FS.
Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.
Once the Active Directory Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through Active Directory. Role enforcement policy changes should still be made on the Admin Console.
Persisting KeeperFill settings on virtualized desktops
Some customers virtualize their workforce desktops with tools like VMware or Citrix. For the KeeperFill extension to function properly on such desktops, certain directories may need to be persisted.
This applies to the extensions for Chrome and Edge. For each, three directories within the user's home directory must be persisted, as listed below.
Some directory paths refer to an <Extension-ID>.
Where the ID is referred to, you can opt to persist the entire parent directory, or you can find the ID in the table below.
For Chrome, the ID may be either of the Chrome IDs listed. For Edge, the ID may be either of the Edge IDs listed; or, if you installed on Edge using the Chrome Web store, the ID will be one of the two Chrome IDs.
Edge: lfochlioelphaglamdcakfjemolpichk OR mpfckamfocjknfipmpjdkkebpnieooca
Chrome / Edge: bfogiafebfohielmmehodmfbbebbbpei OR kbedblbpfmeicfpadihimgombbafaeeh
The following three directories should be persisted when using the Edge extension.
Extension Installation:
C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\<Extension-ID>
Indexed DB:
C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\chrome-extension_<Extension-ID>
Storage:
C:\Users\%username%\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\<Extension-ID>
The following three directories should be persisted when using the Chrome extension.
Extension Installation:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Extensions\<Extension-ID>
Indexed DB:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_<Extension-ID>
Storage:
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\<Extension-ID>
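To find out which of the listed IDs is actually installed in a profile before configuring persistence, the directories above can be enumerated as follows. This is an added example, not part of Keeper's documentation; the function name is hypothetical, and it assumes LOCALAPPDATA resolves to C:\Users\%username%\AppData\Local and that the profile in use is "Default".

```powershell
# Added example: build the three directories per extension ID and report which exist.
# IDs and relative paths are the ones listed on this page.
$ExtensionIds = @{
    Edge   = @('lfochlioelphaglamdcakfjemolpichk', 'mpfckamfocjknfipmpjdkkebpnieooca')
    Chrome = @('bfogiafebfohielmmehodmfbbebbbpei', 'kbedblbpfmeicfpadihimgombbafaeeh')
}
$ProfileDir = @{
    Edge   = 'Microsoft\Edge\User Data\Default'
    Chrome = 'Google\Chrome\User Data\Default'
}

function Get-KeeperFillPersistPath {
    param(
        [Parameter(Mandatory)][ValidateSet('Edge', 'Chrome')][string]$Browser,
        # Assumption: LOCALAPPDATA resolves to C:\Users\<username>\AppData\Local.
        [string]$LocalAppData = $env:LOCALAPPDATA
    )
    $ids = @($ExtensionIds[$Browser])
    # Edge installs made from the Chrome Web Store carry one of the Chrome IDs.
    if ($Browser -eq 'Edge') { $ids += $ExtensionIds['Chrome'] }

    $root = Join-Path $LocalAppData ($ProfileDir[$Browser])
    foreach ($id in $ids) {
        $dirs = [ordered]@{
            'Extension Installation' = "Extensions\$id"
            'Indexed DB'             = "IndexedDB\chrome-extension_$id"
            'Storage'                = "Local Extension Settings\$id"
        }
        foreach ($kind in $dirs.Keys) {
            $path = Join-Path $root ($dirs[$kind])
            [pscustomobject]@{
                Browser     = $Browser
                ExtensionId = $id
                Directory   = $kind
                Path        = $path
                # Trailing wildcard so a directory name that continues past the
                # ID also counts as present (an assumption, not from the page).
                Exists      = (Test-Path -Path "$path*")
            }
        }
    }
}

# Rows with Exists = True identify the ID installed in this profile.
'Edge', 'Chrome' | ForEach-Object { Get-KeeperFillPersistPath -Browser $_ } |
    Where-Object Exists |
    Format-Table Browser, ExtensionId, Directory, Path -AutoSize
```

Run it inside a user session on the virtual desktop image; an empty result means none of the listed IDs is present in the Default profile for that user.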
Deploy Keeper to mobile phones
Configuration settings for Chrome Browser Extension
The behavior and settings of the Chrome extension can be customized through the ExtensionSettings policy on Windows, Mac and Linux.
Please see the link below to learn about the various settings that can be applied:
Configuration settings for Edge Browser Extension
The behavior and settings of the Microsoft Edge extension can be customized through the ExtensionSettings policy on Microsoft Windows devices.
Please see the link below to learn about the various settings that can be applied:
Other Policy Driven Deployment Tasks
As a general security practice, we recommend that Enterprise customers limit the ability of end-users to install unapproved 3rd party browser extensions. Browser extensions with elevated permissions could have the ability to access any information within any website or browser-based application. Please refer to your device management software to ensure that Keeper is allowed, and unapproved extensions are blocked or removed.
The Keeper Password Importer tool is typically downloaded by the user during account creation on the Web Vault. If you do not permit the installation of applications on end-user devices, you can preload the app using the binaries located below:
Password Importer (Windows): https://keepersecurity.com/pwd_importer/win32/keeperimport.exe
Password Importer (Mac): https://keepersecurity.com/pwd_importer/Darwin/KeeperImport.zip
Enterprise customers often want to automatically disable the less secure, built-in password saving features of web browsers. There are several methods of managing this, as described in this section.
Google provides .adm and .admx files (.admx is a newer .xml file type) to make it easier to manage the Chrome browser using Group Policy. In G Suite and Chrome Enterprise environments, it is enabled via the Google Cloud platform using one of the below methods:
AD managed Chrome – Google provides adm and admx files that are incorporated into a GPO
Chrome Mac Policies and Quickstart – pushed via MDM tools (JAMF, etc...)
Chrome Linux policies and Quickstart – pushed via MDM tools (Ivanti, etc...)
Chrome G Suite managed – Native management for G Suite subscribers
Chrome Enterprise managed – centralized Cloud based Management for Windows, Mac, or Linux computers – agnostic to directory services
Similar to Chrome, Mozilla provides .adm and .admx files to manage Firefox using Group Policy. Mac-based systems are provided a .pkg file and are managed via JAMF, etc. Linux users are provided a policies.json file.
Edge for Business is now available for Windows and Mac. Group policy is managed through .adm and .admx files on Windows, and .plist on Mac.
The new Edge for Business now supports "Internet Explorer Mode". We recommend using this mode for any IE browser requirements within your organization.
If legacy Internet Explorer is absolutely required by your users, management of password saving features can be disabled under traditional GPO found under:
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
Then disable “Turn on the auto-complete feature for user names and passwords.”
Deployment of mobile apps through Intune
Keeper's mobile applications for iOS and Android are native apps that support all vault capabilities including record management, sharing management and autofill. Deploying the app to end-users is possible either through the public app store download or through mobile device management platforms.
Keeper for iOS can be installed directly from the App Store:
Keeper for Android can be installed from the Google Play application at the link below:
Keeper can be easily deployed to users through Microsoft Intune.
To deploy the iOS app via Intune to your users, follow the steps below:
(1) From Intune, Select app type of "iOS store app"
(2) Search for Keeper
(3) Select the Keeper Password Manager app by Callpod Inc.
(4) Click Create
Notes regarding the iOS app:
The publisher shows as "Callpod Inc." which is the original holding company for Keeper Security. This is normal.
The Appstore URL is: https://apps.apple.com/us/app/keeper-password-manager/id287170072
If you need the Bundle ID, it is D4D2433BGC (Case Sensitive)
To deploy the Android app via Intune to your users, follow the steps below:
(1) Select app type of "Android store app"
(2) Enter the below information, feel free to customize the description.
Name: Keeper Password Manager
Description: Keeper automatically generates strong passwords, stores them in a secure digital vault accessible from any device, and autofills them across all of your sites and apps. Keeper’s powerful encryption protects your passwords and sensitive information from data breaches, ransomware, and other cyberattacks.
Appstore URL:
Minimum operating system: Android 8.0 (Oreo)
Category: Productivity
Show in portal: Yes
Developer: Keeper Security
(3) Create the application
Notes regarding the Android app:
If you need the identifier, it is com.callpod.android_apps.keeper
Keeper's node architecture scales for organizations of all sizes
Keeper's "node" architecture provides customers with a way to organize users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure. A node is typically associated with different provisioning methods and identity providers.
By default, the top-level node, or Root Node is set to the organization name, and all Nodes can be created underneath the Root Node.
Smaller organizations might choose to administer Keeper as a single level. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. Larger organizations benefit from organizing locations or departments into multiple nodes. Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One of the advantages of defining multiple nodes is support for delegated administration. A delegated administrator can be granted some or all of the Administrative permissions, but only on their respective node (or sub nodes), to help reduce the administration load on the primary Keeper Administrators.
When rolling out Keeper alongside an SSO identity provider, we require that those users are located within a node. This way, you can have any number of nodes associated with one or more SSO identity providers.
When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups, within specific organizational units in Active Directory, will be placed in the corresponding Node within the Keeper Admin Console.
Watch the video below to learn about nodes and organizational structure.
At any time, you can change which node you are viewing by navigating to or selecting the nodes on the Node selector. To navigate to the root-node or top level, select the business name (e.g. The Company) in the navigation tree.
When users are in the vault and sharing records, Teams and Users are visible in the auto-suggest field by all users regardless of what node the team or user resides in.
To hide the usernames and teams associated with other parallel (a.k.a. "sibling") nodes from the auto-suggestion dropdown menu when setting up sharing of folders, "node isolation" will need to be enabled. With node isolation enabled, "children" of a node can see each other's associated users/teams as well as those above it (parent nodes).
When a node is isolated, users and teams in the parent node will be visible. Node isolation only limits visibility between parallel nodes.
Note: Any user who is in a role with admin rights having Share Admin permissions will also appear in auto-suggestion drop-downs, if the role has management permissions over the node for the currently logged-in user.
To find a list of nodes and node IDs, use the enterprise-info command:
To enable node isolation for a specific node, use the enterprise-node command:
After node isolation is enabled, a visual indicator will show in the console:
Node Isolation affects the ability for users to share records and folders outside of their node tree. For example, when sharing a record from the vault, the auto-suggestion list is restricted.
Within a Node, a "Role" can be defined that enables administrative permissions.
If nodes are enabled either via Active Directory integration or configured manually from the Admin Console, the placement of the Role within the Node Tree determines where the administration permissions begin. Placement of the role at the top level will allow the Admin permissions to flow down to any of the sub-nodes if the Cascade Node Permissions attribute is checked within the "Administrative Permissions" setting of the role. If the role is placed in a sub-node with the Cascade Node Permissions attribute checked, then the permissions apply to that node and its sub-nodes only. If the Cascade Node Permissions attribute is not checked, then the role permissions are only applied to the specific node to which the role belongs.
Each node and sub-node within the Keeper deployment can provision users with different provisioning methods. For example, Finance and Sales & Marketing can use Single Sign-On, and Engineering can use Active Directory.
A node can contain one or more authentication or provisioning methods. For example, you can provision users with Active Directory and authenticate the users with Single Sign-On (SAML 2.0) integration. Or you can authenticate with SSO and provision with SCIM.
Navigate to the Node in which you would like to provision users. Then click on the "Provisioning" tab and click "Add Method".
The Keeper Admin Console provides administrative controls, user onboarding, reporting and auditing.
Business customers login to the Keeper Admin Console to manage their environment. In the Admin Console, you can invite users, configure provisioning methods (SSO, SCIM, AD, etc..), set role policies, manage teams, run reports and monitor security. The Admin Console scales to organizations of any size.
When you first log in to the Admin Console, you will land on the Dashboard which will provide an overview of high level data on your user activity and overall security status.
The Dashboard provides oversight of the following:
Top Events and link to Timeline Chart
Security Audit Overall Score
BreachWatch Overall Score
User Status Summary
From the Admin screen, you can access Nodes, Users, Roles, Teams, 2FA settings, and User Provisioning.
By default, the top-level node, or Root Node is set to the organization name and all Nodes can be created underneath. Depending on your organization you may or may not need to set up nodes.
Small teams may not need multiple nodes and will be able to administer users, roles and teams from the default root node only.
Larger teams may benefit from organizing by location or department across multiple nodes.
Users and Teams within different nodes can have levels of visibility and sharing capability within the Keeper Vault. If full node isolation is required between users of different node trees, please contact Keeper support to activate this special backend feature.
Permissions for Administrators are also configurable here which toggle whether an Admin can manage nodes, users, teams, roles, SSO, AD Bridge, User Account Transfer and Run Reports.
As you prepare to rollout Keeper to your organization, consider one of the following options when inviting users:
The Risk Management Dashboard provides comprehensive security posture information covering end-user deployment, utilization, cloud configuration, and event monitoring.
Additional Secure Add-On functionality can be accessed through the Admin Console "Subscriptions" and "Secure Add Ons" screen:
Links to end-user guides for mobile and desktop devices.
Once you've deployed Keeper to your users, they can reference our many end-user guides listed below for step-by-step instructions for Keeper's web, desktop and mobile applications.
This video provides a general overview of the Keeper platform for new end-users.
Additional videos for getting started with Keeper are available at the page below:
Enhanced Risk Visibility With Keeper’s Risk Management Dashboard
The Keeper Risk Management Dashboard is a powerful feature of the Keeper Admin Console that provides comprehensive security posture information covering end-user deployment, utilization, cloud configuration, and event monitoring. This critical data helps administrators ensure that risks are remediated and compliance is enforced effectively.