Getting Started
If you're not logged in already, follow the links below to access the Keeper Admin Console: https://keepersecurity.com/console (US) https://keepersecurity.eu/console (EU)
(If the link doesn't work, just open KeeperSecurity.com > Login > Admin Console)
Click on the "Admin" tab to set up your Keeper Administrators. Click on "Add Users" and fill out the name and email address.
Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture* and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role.
* More information about Keeper’s Zero-Knowledge Security Architecture can be found here: https://keepersecurity.com/security
Click on the “Roles” tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies and/or purchase licenses from Keeper).
Once roles are defined then you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes a default Keeper Administrator and License Pool Manager role.
Teams
If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.
Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles through several methods including:
Active Directory / LDAP (using the Keeper Bridge)
SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.
Email Provisioning
Command-Line or SDK integration
SCIM
The following advanced provisioning methods require an administrator account local to the MC. This is used to bind the service to the instance or in the case of Cloud SSO, it is needed to preform device approvals:
Keeper AD Bridge
On premises SSO Connect
Cloud SSO Connect
Be sure to use the localized admin account when registering the service as outlined in the installation documentation.
To learn more about provisioning, see the section of the Keeper Enterprise guide called User and Team Provisioning.
To add a new MC, click the "Add Managed Company" button and fill in the information. The new MC will appear in the company listing with the number of licenses you specified.
Each Managed Company has their own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.
The "Active" column indicates how many of the MC's users have been issued, are accepted, and invitation to set up their Keeper vaults.
IMPORTANT: You should set up a local administrator at the MC after you create the company. This will serve as secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.
Keeper provides multiple managed business plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.
Plan | Add-Ons Included |
Keeper Business Plus | Advanced Reporting & Alerts Module, BreachWatch, 1TB Secure File Storage |
Keeper Enterprise Plus | Everything in Keeper Business Plus, with Advanced Provisioning |
MSP technicians and employees are provided features and functionality as described below.
The pool is a central “warehouse” of licenses from which you can distribute to your MC’s. An MSP will maintain an inventory of Keeper licenses by purchasing them directly from Keeper (or via a partner marketplace). Each time you add and allocate licenses to an MC, they are drawn from the pool. Conversely, when you reduce (or de-provision) licenses from an MC, the licenses are added back into your pool.
Once you have added an inventory of licenses to your pool, you can allocate those licenses to your MC’s so they have the licenses they need to support their users. Licenses can be removed from specified MC’s and assigned to other MC’s.
To launch into the MC tenant, click on the “Launch” icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper enterprise tenant.
