Onboarding

White Glove Provisioning

The following section covers the creation of a managed company to be managed by the MSP as opposed to handing off the instance to the client for future administration and management.

Schema Design

It's best to start a design by looking at your overall customer base across all account and extract as much commonalty as possible. We are looking for common requirements across all MC's. The closer all the MC's are to each other, the easier they will be to administer as a whole. Our goal is to create a templated procedure which can be re-used by future MC's.

In the table below, we can use a role named "Vault Transfer Required" across all the MC's. At first look, one might be tempted to create a role named "2FA" to handle each MC's different 2FA requirement. However, this naming is ambiguous as Keeper has over a dozen 2FA options. For long term platform management, it's best to name roles for the exact setting(s) they enforce. Our goal is consistent role naming and results across all MC's.

Roles are all about platform administration, so they will have a lot of commonality across MC's. On the other hand, due to varying business requirements, Teams and Shared Folders tend to be MC specific. In the table below we would create one shared folder for each Team present in a given MC. Unlike the table, try and use a common naming convention across all MC. Resist creating an "AP" team in one MC and a "Accounts Payable" team in another.

Create a New Managed Company

From the console interface, create a new managed company, decide on a provisioning method and create any desired roles and teams.

Additionally, create any desired MC customizations including corporate logo and or customized email invitations.

Nodes & Provisioning Methodology

Once the "MC" had been created, a provisioning method need to be chosen as this will effect the node structure. If Single Sign-On or Advance Provisioning will be utilized, a node needs to be added to host the provisioning method. For our example, we will use basic master password access and manual provisioning so no additional nodes will be required.

Create Roles

Create all desired Roles within the admin console. Roles are stackable, i.e., users can belong to multiple roles and will receive the lest permissive outcome of the summed roles. Keeper recommends naming your roles for the function they provide as opposed to a business unit or geo location. If a role enforces vault transfer, name it "Vault Transfer"

Any roles with the "Set as Default Role for Node and Sub Nodes "Create Teams" option enabled will be automatically assigned to all new users. Users can also be indirectly added to roles via team memberships as roles can contain to both users and teams.

For small companies, often, only two roles are required. An administrative role for platform administration and a second for the general user base. Keeper recommends enabling the following minimum "role enforcement" policies:

"Keeper Administer" Role (predefined)

Note - Administrative access can be restricted to the MC's public facing egress IP addresses by creating an "Allow IP List" This will require an administrator to be on the MC's LAN or VPN to administer the platform.

"Default" user role

Generally, two-factor is configured for master password based authentication. Try and encourage your clients to adopt "Require code at every login" policy settings, especially for mobile devices. "Require code at every 30 days" is often used for desktop clients. If using SSO authentication with two-factor enabled at the idP, it can be off or un-configured . By default, users can still opt to setup and use two-factor unless all the "available" methods are explicitly disabled within the enforcement policy.

Create Teams

Teams offer the ability to group users for sharing and applying additional sharing options. If using SCIM provisioning you can indirectly add users to roles via team to role assignments.

1. Create all desired Teams.

2. Add any applicable role mappings as needed.

Pre-Deploy Keeper Applications and Extensions

Prior to onboarding users, you may wish to distribute certain Keeper's browser extensions, desktop and mobile apps. Details on centralized software distribution methods are covered here.

Configure Reporting & Alerts for "Plus" MC's

Onboard Users

Keeper offers several options for onboarding users. Multiple methods can be used in parallel.

• Manual entry via the admin console

• CSV import via the admin console

• Active Directory provisioning via Keeper's AD Bridge agent

• Just In Time (JIT) provisioning via Keeper's Cloud SSO Connect or SSO Connect On-Prem.

• SCIM provisioning via an IdP

• SCIM provisioning via API.

• Email provisioning via domain entry

• Advanced automated provisioning via Keeper Commander's API / CLI interface

Account Recovery

Due to Keeper's zero-knowledge architecture, additional configuration may be required for account recovery. If SSO is in use, the administrator can perform an end-user password reset via the IdP's user management interface. Master Password-based users do not have this option so extra steps are required to ensure recover is possible if needed. The first option for Master Password based users is a self-service solution by providing a recovery phrase. A recovery phrase is a simple, auto-generated set of 24 words that was configured when setting up their vault. If the user has forgotten their recovery phrase and vault transfer policy has been configured by the administrator and accepted by the end user, you can use the vault transfer feature to recover the vault.

Configure Logging and Custom Reporting & Alerts