If you're not logged in already, follow the links below to access the Keeper Admin Console:
- https://keepersecurity.com/console (US)
- https://keepersecurity.eu/console (EU)
- https://keepersecurity.com.au/console (AU)
- https://keepersecurity.ca/console (CA)
- https://keepersecurity.jp/console (JP)
- https://govcloud.keepersecurity.us/console (GOV)
Click the Admin tab to set up your Keeper Administrators. Click Add Users and enter the name and email address of the user.
Add MSP Technician Users
Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role. More information about our encryption model can be found here. Also, see Recommended Security Settings for best practices regarding your configuration.
Click the Roles tab to establish roles, which can carry a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies).
Once roles are defined, you can assign a role to a user to grant them permissions (click the gear icon). You'll notice that Keeper MSP includes default "Keeper Administrator" and "MSP Subscription Manager" roles. The MSP Subscription Manager role gives access to the MSP Subscription tab for changing the billing method and allocating secure add-ons for MSP internal use.
Create a Role
Set Enforcement Policies
Add Users to Role
Add Administrative Permissions to Role
Apply to Node
Define Administrative Permissions
Customize Permission Level
If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.
Add User to Team
Keeper MSP provides several automated provisioning methods for adding your users, teams and roles, including:
- Active Directory / LDAP (using the Keeper Bridge)
- SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.
- Email Provisioning
- Command-Line or SDK integration
The following advanced provisioning methods require an administrator account local to the MC. This account is used to bind the service to the instance or, in the case of Cloud SSO, to perform device approvals:
- Keeper AD Bridge
- On premises SSO Connect
- Cloud SSO Connect
Be sure to use the localized admin account when registering the service as outlined in the installation documentation.
To add a new MC, click the Add Managed Company button and enter their name and select the managing node.
- Choose a Base Plan and select any additional Secure Add-Ons you would like to add. You will be able to view which Secure Add-Ons are included in each Base Plan once you select it.
- By default, "Allow unlimited license consumption" will be enabled. To override this, deselect the checkbox and enter the maximum licenses allowed.
Keeper Business Plus and Enterprise Plus plans include the following Secure Add-Ons: Advanced Reporting & Alerts Module (ARAM), BreachWatch, and 1TB Secure File Storage.
Add New Managed Company
Company Details and Base Plan Selection
Secure Add-On Selection
Each Managed Company has its own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.
IMPORTANT: You should set up a local administrator at the MC after you create the company. This administrator will serve as a secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.
Keeper provides multiple MSP base plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.
All plans include the following core features:
- Encrypted Vault
- Folders and Subfolders
- Shared Team Folders
- Unlimited Devices
- Role-Based Access Controls
- Security Audit
- Activity Reporting
- Team Management
- Basic 2FA
- 100 GB Secure File Storage
MSP technicians and employees are provided features and functionality as described below.
Keeper Administrators with "Manage Companies" permission can add, remove, and assign base plans plus secure add-ons to their managed companies. These Keeper Administrators can also launch into the managed companies' administrator consoles with full administrative permissions. This allows the MSP to set up the managed companies and optionally provision users, roles, and teams. User license allocation triggers consumption billing for the base plan and most secure add-on features.
To launch into the MC tenant, click the launch icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper Enterprise tenant.
Launch MC Tenant
Within an enterprise and within specific nodes, share admins have additional permissions that allow them to view, edit, share, and administer records and folders. General usage and configuration of Share Admins is documented here: Share Admin.
Share Admin rights and settings apply normally to managed companies. For MSPs, if an administrator has both 'Share Admin' permissions and the 'Manage Companies' permission, they will be Share Admins within the managed companies they have permissions over.
Admin permissions - Manage Companies (MSP) selected
The default Keeper Administrator role has both Share Admin permissions and Manage Companies permissions. Therefore, the default MSP admin account has Share Admin permissions on all MCs.
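An added example (not Keeper's code or API) of the access review this rule calls for: given a role export, list which MSP admins end up as Share Admins inside managed companies. The role names other than "Keeper Administrator" and "MSP Subscription Manager", the users, and the export layout are constructed; node scoping is not modeled, and combining permissions across a user's roles is an assumption.

```python
# Added example: constructed data in a hypothetical export layout (not a Keeper API).
SHARE_ADMIN = "Share Admin"
MANAGE_COMPANIES = "Manage Companies"

# Constructed sample: role name -> administrative permissions it grants.
ROLES = {
    "Keeper Administrator": {SHARE_ADMIN, MANAGE_COMPANIES},
    "MSP Subscription Manager": {"MSP Subscription"},
    "Onboarding Tech": {MANAGE_COMPANIES},   # hypothetical custom role
    "Vault Support": {SHARE_ADMIN},          # hypothetical custom role
}

# Constructed sample: user -> roles assigned in the MSP tenant.
ASSIGNMENTS = {
    "alice@msp.example": ["Keeper Administrator"],
    "bob@msp.example": ["Onboarding Tech", "Vault Support"],
    "carol@msp.example": ["Onboarding Tech"],
    "dave@msp.example": ["MSP Subscription Manager"],
}


def effective_permissions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Union of permissions over every role the user holds (assumption)."""
    perms = set()
    for role in assignments.get(user, []):
        perms |= roles.get(role, set())
    return perms


def mc_share_admins(roles=ROLES, assignments=ASSIGNMENTS):
    """Users holding both permissions, i.e. Share Admins inside their MCs."""
    needed = {SHARE_ADMIN, MANAGE_COMPANIES}
    return sorted(u for u in assignments
                  if needed <= effective_permissions(u, roles, assignments))


def split_role_grants(roles=ROLES, assignments=ASSIGNMENTS):
    """MC Share Admins whose two permissions come from different roles.

    No single role looks over-privileged here, so a per-role review misses it.
    """
    needed = {SHARE_ADMIN, MANAGE_COMPANIES}
    return [u for u in mc_share_admins(roles, assignments)
            if not any(needed <= roles.get(r, set()) for r in assignments[u])]


if __name__ == "__main__":
    print("Share Admin inside MCs:", mc_share_admins())
    print("Granted via role combination:", split_role_grants())
```
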
MSPs and MCs can easily share records between each other without first needing to set up a sharing relationship. Additionally, Share Admins, teams and users are automatically suggested when adding share participants.
In the suggestions list when adding a new sharee to a record or folder, Share Admins will be suggested first, then users within your organization, then Teams and Users from Managed Companies. If a suggested user or team is not from your organization, the organization name will also be displayed in the list.
MSP to MC Sharing