Fundamentals
To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a "Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – have access to a user’s master password.
The Master Password must adhere to the guidelines enforced by the Keeper Administrator and can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes answering a security question, email verification and two-factor verification.
Keeper MSP utilizes strict and secure data isolation between each Managed Company, at both the logical and encryption layer. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.
MSP Technicians exist at the root level of the MSP’s system and have the ability to “launch” into each MC instance for administrative purposes. Any “local” admins set up in the MC’s do not have this root level access to the MSP’s console or any of the MSP’s data. MC’s are strictly isolated within their own organizational architecture and therefore, cannot view or access another MC’s admin console or vault records.
New MSP and Managed Company accounts are created either in US or EU geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.
KeeperMSP product licensing is structured as a wholesale model which enables an MSP to purchase licenses in bulk from the Keeper checkout page. These licenses become part of the MSP’s central pool for allocation to the MC’s when needed. This centralized purchasing and inventory help minimize “round trip” purchases by the MSP for every MC they manage.
Licenses in an MSP’s pool can be allocated or deallocated and are billed based on the net number of licenses in the pool, on a monthly basis.
Licenses in the MSP’s pool are computed monthly in consideration of relevant volume discounts which is recalculated up or down, based on the actual count in the MSP’s pool.
Adjustments, up or down, can be made at any time during the month. Licenses are pre-paid for the month. No prorated adjustment is given during the monthly billing period if they are not used.
MSPs can purchase and sell four different product offerings. These offerings consist of bundles which combine the most popular configurations for Business and Enterprise-class MC’s. These optimized bundles simplify the MSP’s monthly billing and offer a wide range of security products for the MSP’s customer base.
Each time a license is allocated or deallocated from an MC by an authorized administrator, a log entry is created which can then be reported and exported, via .csv, to a third-party billing system. Although Keeper provides pricing guidance for an MSP for the resale of its software to MC’s, pricing is ultimately determined and set by the MSP, based on their own business practices.
An optional, open-text field is provided when adjusting the licensing levels in order to manually record any pricing notes.
Summary reports which aggregate the net changes during a specified period are also provided.
Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.
Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are available at the MSP level and MC level.
For MSP administrators, additional permissions are provided to control the authorization of different operations:
An MSP technician that has the “Manage Companies” permission enabled can launch into a MC’s Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC’s Keeper Admin Console. There, they can set up the MC’s users, roles, teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor its password security through detailed event logging and reporting capabilities.
An MSP administrator can also be granted permission to adjust the amount of licenses an MC has via its central pool. The central pool must have the license already purchased and available “in inventory” in order for them to be allocated to the MSP.
A separate “License Pool Manager” role exists which allows and MSP administrator to add or remove licenses from the MSP’s license pool. This permission allows the MSP to limit who has the authority to purchase and distribute licenses to a MC, without restricting their right to act as an administrator.
Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.
This functionality can be leveraged by MSP’s to set up passwords for use by their MC client:
A series of records with the URL, username, and an initial password could be setup by the MSP technician as the initial “owner.”
This folder could be shared with a user, or users at the client.
Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.
A common method of setting up folder structure is to create a folder in the vault e.g. "Customers". Within that folder, you can add any number of Shared Folders. Each Shared Folder can be shared among technicians or shared to a team. Example below:
Organizations can enable the Account Transfer feature, which provides a “break glass” recovery mechanism for all records which are stored in a user’s vault if that user was to leave the organization. An admin can be designated to recover that user’s vault so critical access credentials are not lost, thus avoiding a lock out.
We recommend that Account Transfer is configured at the MSP level and also at the MC level. The admin who receives the transferred vault must be local to the MC - vaults cannot be transferred to MSP staff.
Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:
KeeperFill for Apps is a convenient tool for accessing information in your vault and filling into native applications or remote sessions.
Upon downloading the latest version of Keeper Desktop App, you will have full use of KeeperFill for Apps, available on both MacOS and Windows devices. Logging into the Keeper Desktop App will simultaneously log you into KeeperFill for Apps (and vice versa). The Keeper Desktop App can be closed but will remain running and can be accessed through your computer's menu bar (MacOS) or system tray (Windows) via the familiar Keeper icon.
Keeper Commander, the command-line and Python/.Net/PowerShell SDK provides special functionality for MSP technicians.
MSP-specific commands
Keeper Commander allows the MSP technician to switch between MSP and Managed Company context to manage both internal and customer environments. MSP-specific commands include the following:
msp-down: Download the latest MSP data
msp-info: Display the MSP and MC configuration including MC identifiers for switch-to-mc
msp-license: View the current license allocation
msp-license-report: Run a historical license allocation report
switch-to-mc: Switch to managed company context
switch-to-msp: Switch back to MSP context