Getting Started

Login to the KeeperMSP Administrative Console

If you're not logged in already, follow the links below to access the Keeper Admin Console:

  • https://keepersecurity.com/console (US)

  • https://keepersecurity.eu/console (EU)

  • https://keepersecurity.com.au/console (AU)

(If the link doesn't work, just open KeeperSecurity.com > Login > Admin Console)

Setting Up Your Administrators and Technicians

Click on the "Admin" tab to set up your Keeper Administrators. Click on "Add Users" and fill out the name and email address.

Add MSP Technician Users

Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture*, and therefore Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role.

* More information about Keeper’s Zero-Knowledge Security Architecture can be found here: https://keepersecurity.com/security

Creating Roles

Click on the “Roles” tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies and/or purchase licenses from Keeper).

Once roles are defined, you can assign a role to the user in order to provide them with permissions (click on the gear icon). You'll notice that Keeper MSP includes a default Keeper Administrator and License Pool Manager role.

Roles
Create a Role
Set Enforcement Policies
Add Users to Role
Add Administrative Permissions to Role
Apply to Node
Define Administrative Permissions
Customize Permission Level

Teams

If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current tenant or Managed Company will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.

Add Team
Add User to Team

Automated / Advanced Provisioning

Keeper MSP provides several automated provisioning methods that allow you to add your users, teams and roles, including:

  • Active Directory / LDAP (using the Keeper Bridge)

  • SAML 2.0 Identity Provider such as O365/Azure, G Suite, etc.

  • Email Provisioning

  • Command-Line or SDK integration

  • SCIM

The following advanced provisioning methods require an administrator account local to the MC. This account is used to bind the service to the instance or, in the case of Cloud SSO, to perform device approvals:

  • Keeper AD Bridge

  • On premises SSO Connect

  • Cloud SSO Connect

Be sure to use the localized admin account when registering the service as outlined in the installation documentation.

To learn more about provisioning, see the section of the Keeper Enterprise guide called User and Team Provisioning.

Adding a Managed Company (MC)

To add a new MC, click the "Add Managed Company" button and fill in the information. The new MC will appear in the company listing with the number of licenses you specified.

Add Managed Company
Allocate Licenses
Managed Companies Example

Each Managed Company has its own Keeper tenant. The tenant can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” role permission.

The "Active" column indicates how many of the MC's users have been issued, and have accepted, an invitation to set up their Keeper vaults.

IMPORTANT: You should set up a local administrator at the MC after you create the company. This will serve as a secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.
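The administrator recommendations above (at least two MSP administrators, a local administrator at every MC, and a local admin account for the AD Bridge and SSO Connect services) can be checked across tenants with a short audit. This is an added example, not Keeper code; the inventory layout and the `audit` function are hypothetical, and the sample data is constructed.

```python
# Added example: audit a constructed tenant inventory against this page's
# administrator recommendations. The inventory layout is hypothetical and is
# not a Keeper export format.

# Services the page lists as requiring an administrator account local to the MC.
NEEDS_LOCAL_ADMIN = {"Keeper AD Bridge", "On premises SSO Connect", "Cloud SSO Connect"}

# Constructed sample data.
INVENTORY = {
    "msp": {"name": "Example MSP", "admins": ["alice@msp.example"]},
    "managed_companies": [
        {"name": "Acme", "local_admins": ["it@acme.example"],
         "services": ["Cloud SSO Connect"]},
        {"name": "Globex", "local_admins": [], "services": ["Keeper AD Bridge"]},
        {"name": "Initech", "local_admins": [], "services": []},
    ],
}


def audit(inventory):
    """Return a list of (tenant, finding) tuples; empty when every check passes."""
    findings = []
    msp = inventory["msp"]
    # With zero-knowledge, the vendor cannot restore or elevate an admin, so a
    # single administrator is a single point of failure. Count distinct accounts.
    if len({a.lower() for a in msp["admins"]}) < 2:
        findings.append((msp["name"], "fewer than two administrators"))
    for mc in inventory["managed_companies"]:
        if {a.lower() for a in mc["local_admins"]}:
            continue  # a local admin exists for backup, transfer and binding
        findings.append((mc["name"], "no local administrator"))
        # A provisioning service without a local admin has no account to bind to.
        for svc in mc["services"]:
            if svc in NEEDS_LOCAL_ADMIN:
                findings.append((mc["name"], f"{svc} has no local admin to bind to"))
    return findings


if __name__ == "__main__":
    for tenant, finding in audit(INVENTORY):
        print(f"{tenant}: {finding}")
```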

Available Plans for Managed Companies

Keeper provides multiple managed business plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.

| Plan | Add-Ons Included |
| --- | --- |
| Keeper Business Plus | Advanced Reporting & Alerts Module, BreachWatch, 1TB Secure File Storage |
| Keeper Enterprise Plus | Everything in Keeper Business Plus, with Advanced Provisioning |

MSP Features

MSP technicians and employees are provided features and functionality as described below.

MSP Features

Adding Licensed Plans to Your Pool

The pool is a central “warehouse” of licenses from which you can distribute licenses to your MCs. An MSP will maintain an inventory of Keeper licenses by purchasing them directly from Keeper (or via a partner marketplace). Each time you add and allocate licenses to an MC, they are drawn from the pool. Conversely, when you reduce (or de-provision) licenses from an MC, the licenses are added back into your pool.

License Pool

Allocating Licenses from the Pool to Managed Companies (MC)

Once you have added an inventory of licenses to your pool, you can allocate those licenses to your MCs so they have the licenses they need to support their users. Licenses can be removed from specified MCs and assigned to other MCs.

Manage License Allocation

Administering a Managed Company (MC)

To launch into the MC tenant, click on the “Launch” icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper enterprise tenant.

Launch MC Tenant
MC Tenant