Resources for getting started with Keeper Business and Enterprise edition
The following links will get you up and running with Keeper.
To schedule a demo or watch an on-demand demonstration of the Keeper platform, visit: https://keepersecurity.com/schedule-demo.html
Contact our sales team: https://keepersecurity.com/contact.html?t=b&r=sales or email sales@keepersecurity.com.
Keeper Security Government Cloud (KSGC) is a FedRAMP Authorized environment that protects your agency against ransomware and cyberthreats with zero-trust cybersecurity.
https://www.keepersecurity.com/industries/public-sector.html
Contact our public sector team at govsales@keepersecurity.com.
If you are an existing customer and need help, contact enterprise support: https://keepersecurity.com/support.html
The resource portal of our website provides several white papers and product data sheets: https://keepersecurity.com/resources.html
The end-user guides are available for our desktop, web and mobile applications: https://docs.keeper.io/user-guides/
If you're a security guru, we recommend taking a look at our encryption model.
Check out the latest release notes and updates across all platforms. https://docs.keeper.io/release-notes/
High level steps for successful rollout of Keeper Enterprise
For the most successful rollout of Keeper Enterprise, follow the steps below.
If you haven't already, create a Keeper Enterprise Trial from our website or by contacting the sales team. Be sure to allocate the necessary number of total users you expect to onboard.
Managed Service Provider (MSP) customers: Please sign up for the Keeper MSP product trial. Keeper MSP is a specialized version of the Keeper Enterprise product. To jump to the Keeper MSP guide, click here.
After creating your trial, log in to the Admin Console and go through the onboarding.
Set up and configure your provisioning and authentication methods as described in the User and Team Provisioning section of this document. You can choose from many different provisioning methods such as:
Manual provisioning through the Keeper Admin Console
Active Directory provisioning with the Keeper Bridge service
Single Sign-On (SAML 2.0) with Just-In-Time (JIT) provisioning
SCIM automated provisioning
Email provisioning
Keeper Commander API / SDK provisioning
Contact us if you require assistance in configuring your environment.
Deploy the web vault, browser extensions and desktop application as described in our deployment guide or direct your users to install Keeper from our Download Page.
The Web Vault is available to Enterprise users at the URLs below:
US Data Center: https://keepersecurity.com/vault
US Public Sector / GovCloud: https://govcloud.keepersecurity.us/vault
EU Data Center: https://keepersecurity.eu/vault
AU Data Center: https://keepersecurity.com.au/vault
CA Data Center: https://keepersecurity.ca/vault
JP Data Center: https://keepersecurity.jp/vault
Upon first login, the user is walked through a simple onboarding experience.
Users are invited to join a training session via Google Meet or the customer's preferred meeting platform. This training invite can be contained within the email invitation body content, or sent separately by the Admin to their users. Contact your Customer Success manager at success@keepersecurity.com to start training your team.
The Keeper Admin can monitor the usage of users via the Risk Management Dashboard, Reporting & Alerts Module and also configure realtime web-hook alerts to Slack or Microsoft Teams. Installing Keeper Commander is also helpful for running automated reports.
We recommend that the Keeper Admin notifies users regarding the timeline in which built-in password manager saving will be disabled by GPO.
After the specified amount of time, the Keeper Admin should disable legacy built-in browser password managers, thus requiring and enforcing the use of Keeper on the browser.
Learn more about how to disable the built-in password manager.
It's critical that all employees use Keeper to manage their passwords and to prevent sharing of information over insecure channels. Update your password policies and employee onboarding processes to ensure that Keeper is utilized. Sharing new employee onboarding records to the user's vault is a great way to encourage them to log in and start using the platform. Your customer success manager can also assist you with strategies.
Once the Enterprise Password Manager has been deployed to all of your employees, reach out to your security, compliance and engineering teams to review the privileged access capabilities that Keeper offers.
KeeperPAM consolidates enterprise password management, secrets management, connection management, zero-trust network access, remote browser isolation and a cloud-based access control plane in one unified product.
Learn more about the advanced capabilities of KeeperPAM.
Creating a trial of Keeper Business and MSP
(1) To create your Keeper Business or KeeperMSP Trial version, visit this page: https://keepersecurity.com/password-manager-free-trial-sign-up.html ... or click on "Try it Free" from our homepage at: https://keepersecurity.com
(2) Select Business or MSP version
(3) Fill out the form using your Business email address, and click Start Free Trial.
(4) On the next screen, you'll create your account (or if you're using an existing Keeper personal email address, you can select "Use an Existing Account").
Important: At this step, please ensure that you select your desired Geographic Data Center location.
Signup is available for the US, EU, AU, CA and JP data center locations.
The US GovCloud (FedRAMP Compliant) region is available on request; contact us for GovCloud public sector signup.
If you select the wrong data center region, please contact support to delete your trial and start over.
(5) Select your Administrator account Master Password.
Ensure you select a strong Master Password that is only used for managing Keeper. If you forget your Master Password, Keeper support cannot perform a password reset due to our Zero Knowledge architecture. We recommend activating Account Recovery (via a recovery phrase) after logging in and visiting the Settings screen.
(6) After verifying your email address and selecting a Master Password, you will be logged into the Keeper Admin Console. Click on "Admin" to add users and begin your configuration.
(7) Click on "Add Users" to invite other users for your trial, or to set up additional admin accounts. Users who are manually invited will log in with a self-selected Master Password.
(8) Proceed through this Enterprise Guide to learn about best practices for deploying Keeper, Single Sign On ("SSO") integration, Role enforcement policies, Teams, Advanced Administration and other important topics.
Keeper is the leading cybersecurity platform for preventing password-related data breaches and cyberthreats.
Congratulations on your decision to deploy Keeper to protect your organization. This guide will provide valuable information on how to onboard your users, deploy the application to end-user devices and manage the platform.
Keeper's platform provides the following high level capabilities:
Password & Passkey Management
Privileged Access Management
Secrets Management
Zero-Trust Network Access
Secure Vendor Access
OT Security
Connection Management
Remote Browser Isolation
Admin Console
Control Plane
This Keeper Enterprise guide covers the deployment of the core password management platform to your users. Additional guides and documentation of advanced privileged access capabilities are covered in later sections.
Keeper’s platform:
Provides each employee with a secure, encrypted digital vault in which to store their passwords, passkeys, files and other sensitive data. Employees can access their vault from any device and from all web browsers, automatically generate unique, complex passwords for all their accounts, and automatically fill their login credentials into all of their sites and apps.
Provides IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, two-factor authentication (2FA), role-based access control (RBAC), and other security policies.
Provides DevOps and engineering teams with a fully managed cloud-based, zero-knowledge Secrets Management platform for securing infrastructure secrets such as privileged accounts, API keys, database passwords, access keys, certificates and any type of confidential data.
Provides modern privilege access through connection management, OT security, secure vendor access, zero-trust network access and remote browser isolation with session management, monitoring and recording.
A brief platform demo can be viewed below:
Keeper is a cybersecurity platform for preventing password-related data breaches and cyberthreats.
Keeper Enterprise provides the highest levels of security and at the same time provides a simple user experience - with millions of users worldwide, Keeper is the proven industry leader.
Keeper is SOC 2 Certified, ISO27001 Certified, FedRAMP Authorized and StateRAMP Authorized. Keeper's encryption has been certified by the NIST CMVP and validated to the FIPS 140 standard by accredited third party laboratories.
Below is a 25-minute demonstration of the Keeper Enterprise platform.
For a personalized demo with a Sales Engineer:
Passwords are the single greatest cause of a data breach. 81% of data breaches are due to weak or stolen passwords. Password management solutions provide an affordable and simple way for companies to solve the root cause of most data breaches. By helping businesses generate strong passwords as well as manage and securely share them among teams, they significantly reduce the risk of a data breach.
Keeper's architecture is the most secure in the industry. Built from the ground up with record-level encryption and client-side key generation, the foundation of Keeper Enterprise is built upon a model that ensures only the user is able to decrypt and access their privileged information.
The Keeper platform is built on an access layer and encryption layer. Access and authentication controls who is able to sync the encrypted ciphertext, and client-side encryption controls who is able to physically encrypt/decrypt the data. This foundation is what gives Keeper the ability to apply the most granular level of protection to user data and enables the core features and capabilities of the product.
Users, Roles, Teams, Records and Shared Folders are all protected and managed through the use of client-side generated keys. This complex distribution of keys is completely managed by the software with a simple and easy-to-use user interface.
Keeper Encryption and Security Model Details
Keeper is a cross-platform solution that provides full capabilities from every major platform and device including iOS, Android, Windows, Mac and Linux. Browser plugins are compatible with Chrome, Firefox, Edge, Safari and any other Chromium-based browser.
The Keeper Administrator can restrict vault access to specific platforms based on security requirements of the enterprise. End-user vault applications can be used completely independent of one another, or used together. For example, using the Web Vault or Desktop Application does not require the installation of a browser plugin.
The Keeper Vault is available on all devices and computers, with award-winning native applications:
Native Desktop Apps
Windows
Mac
Linux
Browser-Based Apps
Chrome
Edge
Safari
Firefox
Brave
Other Chromium-based Browsers
Native Mobile Apps
iOS
Android
Chrome, Firefox, Edge, IE and Safari Browsers
Key Differentiators
Keeper was named Best Password Manager by PC Mag in 2018, 2019, 2020 and 2021. Some of the reasons that customers select Keeper over the competition are listed below.
Keeper vs. LastPass https://www.keepersecurity.com/vs/lastpass.html
Keeper vs. Dashlane https://www.keepersecurity.com/vs/dashlane.html
Keeper vs. 1Password https://www.keepersecurity.com/vs/1password.html
Keeper vs. Keepass https://www.keepersecurity.com/vs/keepass.html
Keeper vs. Passportal https://www.keepersecurity.com/vs/nable-passportal.html
Keeper vs. Bitwarden https://www.keepersecurity.com/vs/bitwarden.html
SSO and SAML simplify login to many cloud applications; however, they have their limitations. Keeper (with Keeper SSO Connect) fills the two major gaps in your SSO deployment:
Offering privileged access to applications that don’t support SAML protocols.
Enabling non-password use cases, such as management and sharing of digital certificates, SSH keys, API keys, secret notes, lists, files and more.
With Keeper SSO Connect, you can easily add Keeper to the apps that your IdP services. Whether you use AD FS, Entra ID/Azure, Okta, Google Workspace, Centrify, Ping, JumpCloud or any other SAML 2.0 Identity Provider, Keeper will easily integrate. Keeper SSO Connect logs the user directly into their encrypted vault while maintaining full zero knowledge. With SSO integration, there is also no master password to remember. Keeper SSO Connect is available as a customer-hosted or cloud-hosted high availability solution that preserves zero knowledge and allows the end-user to authenticate directly into their vault.
For more information about Keeper SSO Connect, visit our web page: https://keepersecurity.com/keeper-sso-connect.html
Keeper's Zero-Trust Platform seamlessly integrates into any existing identity stack and infrastructure.
Keeper's least-privilege access model, encryption model and role-based access model support the zero trust implementation guidelines of NIST and provide organizations with a substantial leap forward in the journey towards zero trust.
For reference, see the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 document which provides the following operative definition of zero trust and ZTA:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Keeper provides customers with the selection of geographic regions where data resides in-country.
United States
GovCloud US
Ireland
Frankfurt
Australia
Canada
Japan
The ability to provide least privileged access to an employee is critical in the deployment of an Enterprise Password Manager. Keeper gives fine-grained control over what users are capable of accessing and managing within the platform through the use of customizable role policies. By providing a flexible role policy engine, you can lock down restrictions and access based on the risk profile of the employee. For example, you may want your IT Admins to be restricted from accessing their vault outside of the office network. Or you may want administrative assistants to have the ability to onboard new users, manage teams and run reports. The entire process is fully customizable through a user-friendly interface.
Role Enforcements Include:
Password Complexity Rules and Biometrics
Multi-Factor Authentication, Token Expiration and Device Restriction
Offline Access Restrictions
Allow IP Listing, Sharing and Data Export Restrictions
Account Transfers (employee offboarding and break-glass scenarios)
Administrative Permissions
Keeper Administrators can create organizational units (called Nodes). A role can be given Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different people in the organization to have management controls over subsets of teams of users, roles and shared folders. Users within different nodes can be provisioned and authenticated with different methods.
Keeper's Zero Knowledge Account Transfer capabilities provide Enterprise customers with the peace of mind that an employee will never walk away with critical data when they leave the organization.
Since 50% of help desk calls are estimated to be password related, there is a significant productivity gain by rolling out a password manager to your organization. When employees don't need to worry about remembering passwords, the cost savings are massive.
Compliance is becoming even more complex with requirements mandating internal control policies and standards. Organizations in heavily regulated industries are audited for password enforcement policies and practices. Keeper's password security platform solves many of the compliance and regulation enforcement requirements that organizations face. Keeper Security is the most certified solution in the industry:
SOC 2 Certified
ISO 27001 and ISO 27017 Certified
FIPS 140-3 Validated
GDPR Compliant
GSA Certified
SAM Certified
Compliant with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”)
ITAR Compliant
FedRAMP Authorized
StateRAMP Authorized
Keeper Security is listed as Authorized on the FedRAMP Marketplace with an authorization date of 8/23/2022.
See: The Federal Risk And Management Program Dashboard (fedramp.gov)
Keeper supports compliance with United States International Traffic in Arms Regulations (ITAR). Companies that are subject to ITAR export regulations must control unintended exports by restricting access to protected data to U.S. Persons, and by restricting physical location of protected data to the U.S.
Keeper’s FedRAMP Moderate environment supports ITAR requirements through the following:
Fully compliant data storage hosted on AWS GovCloud and restricted to the U.S.
Secure data encryption in transit and at rest.
Zero knowledge and zero trust security, in conjunction with granular permissions, allows organizations to ensure that only approved personnel can access sensitive data.
Robust compliance reporting features provide a traceable, electronic audit trail of all actions performed and data entered.
Sequestered Customer Success team comprised of U.S. Persons specifically trained in safe handling of Export Controlled and ITAR-governed data.
No non-U.S. based support on public sector environments.
The Keeper FedRAMP environment has been audited by an independent third-party assessment organization (3PAO) to validate that proper controls are in place to support customer export compliance programs.
For more information about ITAR, please visit https://www.pmddtc.state.gov/.
This quick start guide will help get your small business team up and running with Keeper Business in just minutes.
This video will demonstrate all that Keeper has to offer your small business and provide you with step-by-step instructions to get your team up and running in no time.
Short on time? Check out our 3 minute demo here.
When you first log in to the Admin Console, you will land on the Dashboard which will provide an overview of high level data on your user activity and overall security status.
The Dashboard provides oversight of the following:
Top Events and link to Timeline Chart
Security Audit Overall Score
BreachWatch Overall Score
User Status Summary
The Admin tab is where the majority of your setup and user deployment will take place. Here you can access Nodes, Users, Roles, Teams and Two-Factor Authentication Settings.
As a first step, we recommend uploading your company logo to the vault and customizing the email invitation that will invite your employees to create their Keeper Vault. These configurations are highly recommended as they have shown to help with quick user adoption of Keeper's software.
Click Configuration, then click Edit next to "Company Logo" to upload your image file.
Once uploaded, your company logo will appear in the upper left side of the header when users are logged into their Keeper Web Vault and Desktop App as well as Keeper One-Time Shares.
Click Configuration, then Edit next to Email Invitation, then toggle "Send Custom Email Invitations" on.
The email invitation template supports customization of the following four attributes:
Subject
Message Heading
Message
Download Button Text
The body of the message supports plain text as well as basic markdown syntax.
Once you have finalized your changes, click Save. When you are ready to add your users, they will receive your customized invite similar to the one below.
In Keeper's architecture, Roles allow you to define enforcement policies based on a user's job responsibility as well as provide delegated administrative functions. The number of roles you create is a matter of preference and/or business need.
Nodes are used to organize your users into distinct groupings, similar to organizational units in an Active Directory. You can create nodes based on location, department, division or any other structure. Smaller organizations may choose to administer Keeper as single level, meaning no additional nodes are created. In this scenario, all provisioned users are accessed from the default "Root Node".
We recommend you create a secondary Keeper Administrator as soon as possible. At its simplest configuration, the Keeper Administrator role is applied to the initial administrator who has set up the Keeper account for the organization as well as any other user you grant full admin rights. We strongly recommend you add a second user to the Keeper Administrator role in case one account is lost or no longer accessible.
Admin > Users > + Add Users
Enter the user's full name and email address, then click Add
Select the new user from the list and click OK to finish.
This will generate an email inviting the users to set up their Keeper account.
Account Transfer will allow a Keeper Administrator to transfer records and data from one user to another, should an employee leave the company. It is an optional, but highly recommended feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The Account Transfer setup must be configured prior to the user's account being transferred.
First you will need to enable the Transfer Account permission for the Keeper Administrator Role.
The Transfer Account permission is NOT enabled by default and must be manually activated by the Admin.
Admin > Roles > Keeper Administrator
Check the box next to "Transfer Account" and click OK
To learn more about Account Transfer, click here.
As a second step, enable Account Transfer for the Keeper Administrator Role. This will allow your vault, and the vaults of any delegated admins under the Keeper Administrator role, to be transferred.
Admin > Roles > Keeper Administrator
Click Enforcement Policies
From the Transfer Account tab, toggle "Enable Account Transfer" on then click Done
All users will be notified and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent one time, upon logging into their vault.
Roles allow you to define enforcement policies based on a user's job responsibility as well as provide delegated administrative functions.
You will need at least one role defined for your users, but you can create as many as you would like depending on the structure of your organization. Roles can be created to support a variety of policies depending on what enforcements should be applied to a user based on their position (e.g. Administrators, Executives, Managers, Staff, and Contractors). For smaller organizations, Keeper recommends you create a default, "General Employee" role.
Admin > Roles > + Add Role
Select the Node you want to add the Role to, enter the name of the role and click Add
To learn more about Roles, click here.
Nodes are used to organize your users into distinct groupings, similar to organizational units in an Active Directory. You can create nodes based on location, department, division or any other structure.
Smaller organizations may choose to administer Keeper as single level, meaning no additional nodes are created. In this scenario, all provisioned users are accessed from the default "Root Node" (e.g. ACME Co.).
Admin > + Add Node
Enter the name of the Node then click Add Node to finish.
At any time, you can change which node you are viewing by navigating to or selecting the Nodes on the far left Node pane. To navigate to the root node or top level, select your business name (e.g. ACME Co.) in the navigation tree.
To learn more about Nodes, click here.
To ensure that a certain role is applied to all imported users, enable the “Set as Default Role for Node and Sub Nodes” setting. This will automatically assign new users that are added to a Node or Sub Node to a specified role.
Admin > Roles
Select the target role then check the box next to "Set as Default Role for Node and Sub Nodes".
Role-based Access Controls (RBAC) provide your organization the ability to define Enforcement Policies based on a user's job responsibility as well as provide delegated administrative functions.
Enforcement Policies offer a wide range of control features that are organized into the following categories:
Login Settings
Two-Factor Authentication (2FA)
Platform Restriction
Vault Features
Record Types
Sharing & Uploading
KeeperFill
Account Settings
Allow IP List
Keeper Secrets Manager
Transfer Account
Admin > Roles
Select a role then click Enforcement Policies
A dialogue box will appear where you can configure the Enforcement Policies that will be applied to the selected role. Click Done when finished.
To learn more about Enforcement Policies, click here.
Business customers can seamlessly deploy Keeper to their users using two different methods. Admins can either manually invite individual users or bulk import users via a CSV file. Advanced deployment options are also available.
Admin > Users > + Add Users
Select the Node you would like to add the user to, enter their Full Name and Email Address then click Add
This will generate an email inviting the user to set up their Keeper account. Instructions to customize the email can be found in the Key Configuration Steps section, above.
Admin > Users > + Add Users
Select the Node you would like to add the users to then simply drag and drop your formatted CSV file of users or click Browse Files to upload the file from your local device (the Role field is optional). To learn more about formatting your CSV file, click here.
Review the user details and click Add to complete the import.
This will generate an email inviting the users to set up their Keeper account. Instructions to customize the email can be found in the "Key Configuration Steps" section, above.
Keeper integrates with any SAML 2.0 identity provider for just-in-time provisioning:
Entra ID / Azure AD
Okta
Google Workspace
Microsoft AD FS
Amazon AWS
Auth0
Centrify
Duo SSO
F5
OneLogin
Ping Identity
PingOne
Rippling
RSA SecurID Access
SecureAuth
Shibboleth
Any other SAML 2.0 identity provider
See the User and Team provisioning section to learn more.
Next, we encourage you to create Teams. The purpose of creating teams is to give users the ability to share the records and folders within their vaults with logical groupings of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords) and adds individual users to the team. Teams can also be used to easily assign Roles to entire groups of users to ensure the consistency of enforcement policies across a collective group of individuals.
Admin > Teams > + Add Team
Select the Node you want to add the team to then enter the name of the team and click Add Team
You can then set the following team-level restrictions:
Disable record re-shares
Disable record edits
Apply privacy screen
Team-to-role mapping allows organizations to assign users directly to teams that can be assigned custom roles. With team-to-role mapping, a user who is a member of a team that is assigned to a role will assume the enforcements of the given role.
It's important to note that Keeper implements Least-Privileged policies, so when a user is a member of multiple roles or teams, their net policy is the most restrictive, or least privileged.
To learn more about teams and team-to-role mapping, click here.
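The net-policy rule described above, worked through as an added example (not Keeper's code or API): it resolves a user's roles from direct assignment plus team-to-role mapping, then keeps the most restrictive value of each enforcement. The enforcement keys, the sample users and teams, and the assumption that a larger minimum length is the stricter setting are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Directory:
    """Toy model of roles, teams and team-to-role mapping (hypothetical schema)."""
    role_enforcements: dict  # role name -> {enforcement key: bool or int}
    user_roles: dict         # user -> set of role names assigned directly
    team_members: dict       # team name -> set of users
    team_roles: dict         # team name -> set of role names mapped to the team

    def roles_for(self, user):
        """All roles a user holds: direct assignments plus roles inherited from teams."""
        names = set(self.user_roles.get(user, set()))
        for team, members in self.team_members.items():
            if user in members:
                names |= self.team_roles.get(team, set())
        return sorted(names)

    def effective_policy(self, user):
        """Merge every role's enforcements, keeping the most restrictive value.

        Assumptions: a boolean True means the restriction is switched on, so any
        role that sets it wins; an integer is a minimum requirement, so the
        largest value wins; a key missing from a role means "no opinion".
        """
        net = {}
        for role in self.roles_for(user):
            for key, value in self.role_enforcements[role].items():
                if key not in net:
                    net[key] = value
                elif isinstance(value, bool):  # check bool first: bool is an int subclass
                    net[key] = net[key] or value
                else:
                    net[key] = max(net[key], value)
        return net

    def restriction_sources(self, user):
        """For audit: which roles switch on each boolean restriction for this user."""
        sources = {}
        for role in self.roles_for(user):
            for key, value in self.role_enforcements[role].items():
                if value is True:
                    sources.setdefault(key, []).append(role)
        return sources


# Constructed sample data, not taken from any real tenant.
SAMPLE = Directory(
    role_enforcements={
        "General Employee": {"require_2fa": False, "min_master_password_length": 12},
        "Contractor": {
            "require_2fa": True,
            "restrict_sharing": True,
            "min_master_password_length": 16,
        },
    },
    user_roles={"alice@example.com": {"General Employee"},
                "bob@example.com": {"General Employee"}},
    team_members={"Vendors": {"alice@example.com"}},
    team_roles={"Vendors": {"Contractor"}},
)

if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com"):
        print(user, SAMPLE.roles_for(user), SAMPLE.effective_policy(user))
```

Running the same merge before adding a user to a team shows which restrictions the new membership will switch on for them.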
As a final step to further enhance your security practices, we recommend that you require the use of Two-Factor Authentication across your organization. This role enforcement can be enabled within each role's Enforcement Policy settings.
Admin > Roles
Select the target role and click Enforcement Policies
Toggle "Require the use of Two-Factor Authentication" on.
Set your platform-specific enforcements, enable the desired 2FA methods then click Done
Admin > Roles > Keeper Administrator
and click next to Users
Under Admin Permissions, hover over your company name and click
Click to add individual Users and Roles to the team.