Keeper MSP
KeeperMSP is natural extension of Keeper’s Enterprise Password Management solution which allows an MSP to manage multiple independent tenants (a.k.a. "Managed Companies" or "MC’s") from a central console. To serve the MSP market, Keeper Security created an enterprise-class, purpose-built solution which allows Keeper's password management and security software to be managed and distributed by MSP’s. The enterprise version of Keeper has been architected for scale and has the core features and functionality that MSP’s require, including:
Organizational roles
Robust enforcement policies
Multiple provisioning methods
Full support for 2FA methods
Robust event logging, auditing and reporting capabilities
Keeper vaults can be provisioned by MSPs to every one of their customers - to protect every employee on every device they use. Keeper is the leading password management application in the industry - with unmatched security, cross-platform capabilities and top ratings by industry services, press and end users. This guide supplements the Keeper Enterprise Guide and details the specific functionality for MSP-level administration and license management. Please refer to the Enterprise Guide for a broader overview of Keeper software which covers core functionality at the Managed Company level.
KeeperMSP can support a wide spectrum of deployment models, from full service (“white glove” ) MSP’s who manage everything for their users all the way to pure resellers who do little or no administration for their clients.
MSP Technicians have access to their MC’s Keeper Admin Console and thus have full rights to provision end users, set up MC-specific roles, login enforcements and teams for sharing credentials. These technicians may also choose to set-up a login credentials for users which can be done by sharing records from their private vaults to those of an MC. This allows an MSP to offer a fully integrated set of services that include a set of pre-configured login credentials they can keep updated if needed.
In this model, resellers primarily act as distributors and sell Keeper software to customers who can administer the solution themselves. The MSP can designate an administrator user at the MC to handle all management of the system.
Both the MSP Technician and the MC Administrator can share responsibilities to manage the system. For frequently changing or highly-specific settings (e.g. which employees are in a team folder) the “local” MC administrator could manage. For large scale initial provisioning and configuration, the MSP may be better equipped to facilitate this with Keeper’s Active Directory bridge, SSO or other provisioning methods.
If you want to try KeeperMSP before buying, then a trial is for you! Free trials are available for new customers and include a fixed number of licenses (for all plans offered) to work with. During a trial you can exercise all the core functionality of Keeper, set up your own staff administrators and create Managed Companies. The only limitation is that you can’t change the number of licenses provided during the trial period.
If you elect to purchase the product after a trial then the users, vault data and administrative configurations you have set up will be preserved for live production operation. You can adjust the MSP license counts and managed plans during the checkout process.
To start a trial of KeeperMSP click on the Trial button from the MSP product page her: https://keepersecurity.com/msp-password-manager.html
Once you’ve signed up with an account please follow the Getting Started section below.
If you're not logged in already, follow the links below to access the Keeper Admin Console: https://keepersecurity.com/console (US) https://keepersecurity.eu/console (EU)
(If the link doesn't work, just open KeeperSecurity.com > Login > Admin Console)
Click on the "Admin" tab to set up your Keeper Administrators. Click on "Add Users" and fill out the name and email address.
Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture* and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role.
* More information about Keeper’s Zero-Knowledge Security Architecture can be found here: https://keepersecurity.com/security
Click on the “Roles” tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies and/or purchase licenses from Keeper).
Once roles are defined then you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes a default Keeper Administrator and License Pool Manager role.
Teams
If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.
Automated Provisioning
Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles through several methods including:
Active Directory / LDAP (using the Keeper Bridge)
SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.
Email Provisioning
Command-Line or SDK integration
SCIM
To learn more about provisioning, see the section of the Keeper Enterprise guide called User and Team Provisioning.
To add a new MC, click the "Add Managed Company" button and fill in the information. The new MC will appear in the company listing with the number of licenses you specified.
Each Managed Company has their own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.
The "Active" column indicates how many of the MC's users have been issued, are accepted, and invitation to set up their Keeper vaults.
IMPORTANT: You should set up a local administrator at the MC after you create the company. This will serve as secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.
Keeper provides multiple managed business plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.
Plan | Add-Ons Included |
Keeper Business | 100GB Secure File Storage |
Keeper Business Plus | Advanced Reporting & Alerts Module, BreachWatch, 1TB Secure File Storage |
Keeper Enterprise | Advanced Provisioning, 100GB Secure File Storage |
Keeper Enterprise Plus | Advanced Provisioning, Advanced Reporting & Alerts Module, BreachWatch, 1TB Secure File Storage |
* For more details on all available plans, please visit https://keepersecurity.com/msp
The pool is a central “warehouse” of licenses from which you can distribute to your MC’s. An MSP will maintain an inventory of Keeper licenses by purchasing them directly from Keeper (or via a partner marketplace). Each time you add and allocate licenses to an MC, they are drawn from the pool. Conversely, when you reduce (or de-provision) licenses from an MC, the licenses are added back into your pool.
Once you have added an inventory of licenses to your pool, you can allocate those licenses to your MC’s so they have the licenses they need to support their users. Licenses can be removed from specified MC’s and assigned to other MC’s.
To launch into the MC tenant, click on the “Launch” icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper enterprise tenant.
To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a "Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – have access to a user’s master password.
The Master Password must adhere to the guidelines enforced by the Keeper Administrator and can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes answering a security question, email verification and two-factor verification.
Keeper MSP utilizes strict and secure data isolation between each Managed Company, at both the logical and encryption layer. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.
MSP Technicians exist at the root level of the MSP’s system and have the ability to “launch” into each MC instance for administrative purposes. Any “local” admins set up in the MC’s do not have this root level access to the MSP’s console or any of the MSP’s data. MC’s are strictly isolated within their own organizational architecture and therefore, cannot view or access another MC’s admin console or vault records.
New MSP and Managed Company accounts are created either in US or EU geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.
KeeperMSP product licensing is structured as a wholesale model which enables an MSP to purchase licenses in bulk from the Keeper checkout page. These licenses become part of the MSP’s central pool for allocation to the MC’s when needed. This centralized purchasing and inventory help minimize “round trip” purchases by the MSP for every MC they manage.
Licenses in an MSP’s pool can be allocated or deallocated and are billed based on the net number of licenses in the pool, on a monthly basis.
Licenses in the MSP’s pool are computed monthly in consideration of relevant volume discounts which is recalculated up or down, based on the actual count in the MSP’s pool.
Adjustments, up or down, can be made at any time during the month. Licenses are pre-paid for the month. No prorated adjustment is given during the monthly billing period if they are not used.
MSPs can purchase and sell four different product offerings. These offerings consist of bundles which combine the most popular configurations for Business and Enterprise-class MC’s. These optimized bundles simplify the MSP’s monthly billing and offer a wide range of security products for the MSP’s customer base.
Each time a license is allocated or deallocated from an MC by an authorized administrator, a log entry is created which can then be reported and exported, via .csv, to a third-party billing system. Although Keeper provides pricing guidance for an MSP for the resale of its software to MC’s, pricing is ultimately determined and set by the MSP, based on their own business practices.
An optional, open-text field is provided when adjusting the licensing levels in order to manually record any pricing notes.
Summary reports which aggregate the net changes during a specified period are also provided.
Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.
Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are available at the MSP level and MC level.
For MSP administrators, additional permissions are provided to control the authorization of different operations:
An MSP technician that has the “Manage Companies” permission enabled can launch into a MC’s Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC’s Keeper Admin Console. There, they can set up the MC’s users, roles, teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor its password security through detailed event logging and reporting capabilities.
An MSP administrator can also be granted permission to adjust the amount of licenses an MC has via its central pool. The central pool must have the license already purchased and available “in inventory” in order for them to be allocated to the MSP.
A separate “License Pool Manager” role exists which allows and MSP administrator to add or remove licenses from the MSP’s license pool. This permission allows the MSP to limit who has the authority to purchase and distribute licenses to a MC, without restricting their right to act as an administrator.
Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.
This functionality can be leveraged by MSP’s to set up passwords for use by their MC client:
A series of records with the URL, username, and an initial password could be setup by the MSP technician as the initial “owner.”
This folder could be shared with a user, or users at the client.
Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.
A common method of setting up folder structure is to create a folder in the vault e.g. "Customers". Within that folder, you can add any number of Shared Folders. Each Shared Folder can be shared among technicians or shared to a team. Example below:
Organizations can enable the Account Transfer feature, which provides a “break glass” recovery mechanism for all records which are stored in a user’s vault if that user was to leave the organization. An admin can be designated to recover that user’s vault so critical access credentials are not lost, thus avoiding a lock out.
We recommend that Account Transfer is configured at the MSP level and also at the MC level. The admin who receives the transferred vault must be local to the MC - vaults cannot be transferred to MSP staff.
Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:
KeeperFill for Apps is a convenient tool for accessing information in your vault and filling into native applications or remote sessions.
Upon downloading the latest version of Keeper Desktop App, you will have full use of KeeperFill for Apps, available on both MacOS and Windows devices. Logging into the Keeper Desktop App will simultaneously log you into KeeperFill for Apps (and vice versa). The Keeper Desktop App can be closed but will remain running and can be accessed through your computer's menu bar (MacOS) or system tray (Windows) via the familiar Keeper icon.
Keeper Commander, the command-line and Python/.Net/PowerShell SDK provides special functionality for MSP technicians.
MSP-specific commands
Keeper Commander allows the MSP technician to switch between MSP and Managed Company context to manage both internal and customer environments. MSP-specific commands include the following:
msp-down: Download the latest MSP data
msp-info: Display the MSP and MC configuration including MC identifiers for switch-to-mc
msp-license: View the current license allocation
msp-license-report: Run a historical license allocation report
switch-to-mc: Switch to managed company context
switch-to-msp: Switch back to MSP context
