# Deployment

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FUr7eRkCjY3ox9MdPpdVW%2FPEDM%20Deployment.jpg?alt=media&#x26;token=e871c1e2-5a95-4a12-9d13-7b6c89bc45c0" alt=""><figcaption></figcaption></figure>

## Overview

Deploying Endpoint Privilege Manager is very simple. The admin creates a custom deployment package associated with a collection of endpoints and pushes the Keeper agent to those endpoints. When the agent starts up, it immediately registers itself with the Keeper tenant and begins collecting basic information about the endpoint, including its executables and local user accounts. By default, the Keeper agent runs in a "monitoring" mode, in which no action is taken.

### Requirements

* **macOS**: Sequoia, Sonoma
* **Linux**: Ubuntu 22.04+
* **Windows**: 11, Server 2022 and 2025 (Intel x64 Only)

### Encryption

All communications between the Keeper Agent and the Keeper Admin Console use end-to-end encryption with a zero-knowledge architecture, which means that Keeper's servers and employees have no ability to decrypt any information about the endpoint. Only the Keeper Administrator who logs in to the Admin Console can decrypt the endpoint collections and associated metadata.

### Deployment Package

From the **Endpoint Privilege Manager** > **Deployments** screen, select "**New Deployment Package**". The Keeper agent can be deployed to any Windows, macOS or Linux endpoint. The executable requires local admin privilege to install the agent. For automatic deployment through your remote management solution or group policy, push out the installer in silent mode using the provided command-line string.

### Deployment Collections

When creating a deployment package, the assigned "Collection" name is referenced throughout the privilege manager when applying policies. The collection name typically refers to a group of users sharing a common platform or use case.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fyu1rYA8tjzb9MZWDuA2w%2FScreenshot%202025-10-01%20at%207.32.01%E2%80%AFPM.png?alt=media&#x26;token=741f909f-1097-4a2c-80ab-9fd8f04057ef" alt=""><figcaption></figcaption></figure>

## Agent Deployment <a href="#agent-deployment" id="agent-deployment"></a>

From the Admin Console UI, copy the installer zip file and download it to your machine. Unzip the file to extract the packages for each specific platform. Copy the deployment token for use in the installer command. A valid deployment token is required to register the Keeper Agent to your tenant.

{% hint style="danger" %}
Always verify the Keeper agent in your sandbox or non-production test environment before installing directly on production systems.
{% endhint %}

The below documentation covers installation and configuration of the Keeper agent:

* [Windows](#windows-installation)
* [Linux](#linux-installation)
* [macOS](#macos-installation)

***

### Windows installation <a href="#windows-installation" id="windows-installation"></a>

{% stepper %}
{% step %}
**Download and Unpack**

Download the installer via the Keeper Admin Console UI or use the PowerShell commands:

{% code overflow="wrap" %}

```
Invoke-WebRequest -Uri "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerWindows.zip" -OutFile "KeeperPrivilegeManagerWindows.zip"
Expand-Archive -Path "KeeperPrivilegeManagerWindows.zip" -DestinationPath "."
Set-Location "windows"
```

{% endcode %}
{% endstep %}

{% step %}
**Install the Agent**

As an Administrator, run the installer with the provided token.

{% code overflow="wrap" %}

```
msiexec /i KeeperPrivilegeManager-x-x-x-xxx.msi REGISTRATION_CODE="<token>" /l*v in.txt /quiet
```

{% endcode %}

(replace x-x-x-xxx with the version number of the .msi file)
{% endstep %}
{% endstepper %}

Tips:

* Ensure that the **Keeper Endpoint Privilege Manager** service is running.
* You may need to update your endpoint security product to allow Endpoint Privilege Manager services to run.
* The Keeper Client application will start up automatically on all **new** login sessions for users on the machine.

#### Troubleshooting on Windows

To restart the Endpoint Privilege Manager services, we recommend simply rebooting the machine. The service can also be restarted from Services. A new log file is created daily. Log files are retained for 15 days before automatically being deleted.

The log files are located in:

{% code overflow="wrap" %}

```
C:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperLogger\Log
```

{% endcode %}

#### Uninstall on Windows

To uninstall the Windows agent:

{% code overflow="wrap" %}

```
msiexec /x KeeperPrivilegeManager-x-x-x-xxx.msi UNREGISTER_AGENT="true" /l*v out.txt /quiet
```

{% endcode %}

To manually register or unregister an agent that has already been installed, the below can be invoked:

{% code overflow="wrap" fullWidth="false" %}

```
C:\Program Files\Keeper Security\Endpoint Privilege Manager\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe
```

{% endcode %}

***

### **Linux Installation**

{% stepper %}
{% step %}
**Download and Unpack**

{% code overflow="wrap" lineNumbers="true" %}

```
curl -o KeeperPrivilegeManagerLinux.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerLinux.zip"
unzip KeeperPrivilegeManagerLinux.zip
cd linux
```

{% endcode %}
{% endstep %}

{% step %}
**Install the Agent**

Ubuntu / Debian-based distributions:

```
sudo KEEPERREGCODE="<token>" dpkg -i keeper-privilege-manager_*.deb
```

RPM-based distributions (RHEL, Rocky Linux, AlmaLinux, CentOS, Oracle Linux, SUSE Enterprise Server, etc.):

```
sudo KEEPERREGCODE="<token>" rpm -ivh keeper-privilege-manager-*.rpm
```

Amazon Linux 2:

```
sudo KEEPERREGCODE="<token>" yum install -y keeper-privilege-manager-*.rpm
```

Amazon Linux 2023:

```
sudo KEEPERREGCODE="<token>" dnf install -y keeper-privilege-manager-*.rpm
```

{% endstep %}

{% step %}
**Optional: Install GNOME Agent UI**

For customers using Linux systems running GNOME, the Keeper user interface is available as an extension.

Ensure GNOME Shell is installed on the endpoint:

```
sudo apt install -y gnome-shell-extension-prefs
```

If the Keeper agent is already installed, use `keepersudo` instead:

```
keepersudo apt install -y gnome-shell-extension-prefs
```

Open the GNOME Extensions app (`gnome-extensions-app`) or Extension Manager from the system menu and toggle all options "ON".

The Keeper EPM icon will then appear in the system tray or top bar, providing access to agent status and controls.

<div align="left"><figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FvZAbX3AMUAeZduJiqOj9%2FScreenshot%202025-10-25%20at%202.11.44%E2%80%AFPM.png?alt=media&#x26;token=7d93849e-563e-45df-b520-c4c554744e5b" alt="" width="375"><figcaption></figcaption></figure></div>

The full UI is available on Linux just like Windows and macOS devices.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F1w5WlFzbeCIYAhZfFtGh%2FScreenshot%202025-10-25%20at%202.12.17%E2%80%AFPM.png?alt=media&#x26;token=8b785489-baf0-46f3-9216-3e9993548b07" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

#### Linux sudo usage

After installation, Keeper modifies the PAM module on the device to wrap `sudo`. Any usage of the `sudo` command is delegated to `keepersudo`.

See the [Command Line Policy](https://docs.keeper.io/endpoint-privilege-manager/policies/policy-types/command-line-policy-type.md) documentation for configuration and usage instructions.

#### Updating

To update the Agent that has already been registered:

```
curl -o KeeperPrivilegeManagerLinux.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerLinux.zip"
unzip KeeperPrivilegeManagerLinux.zip
cd linux
keepersudo dpkg -i keeper-privilege-manager_*.deb
```

To identify which version is running:

```
dpkg -l keeper-privilege-manager
```

#### Troubleshooting on Linux

Error logs will be located in `/var/log/syslog` or `/var/log/messages` depending on the flavor of Linux.

To restart the services:

```
systemctl restart keeper-privilege-manager
```
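The Linux install commands, the `dpkg -l` version check and the `systemctl` restart above are usually wrapped into one script for unattended rollout through a configuration management tool. The following POSIX shell wrapper is an added example, not Keeper's own tooling: it refuses to run unless it is root and `KEEPERREGCODE` is set, picks the package command the steps above prescribe for the distribution found in `/etc/os-release`, runs it with the token in the environment, and then verifies that the `keeper-privilege-manager` service is active and reports the installed version. The distro-to-tool mapping, the token sanity check (non-empty, no whitespace; the real token format is not documented here), the use of `rpm -q` for RPM systems and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of Keeper's documentation or tooling): an unattended
# Linux install wrapper around the dpkg / rpm / yum / dnf commands in the docs.
# Assumptions: the agent packages sit in the current directory (where the
# docs' unzip step leaves them), the distro is identified via /etc/os-release,
# the token is only checked for being non-empty and free of whitespace, and
# the distro-to-tool mapping below is this example's own.
set -eu

EPM_SERVICE="keeper-privilege-manager"

# Print "ID|ID_LIKE|VERSION_ID" from an os-release style file.
epm_os_fields() {
  ( . "$1"; printf '%s|%s|%s\n' "${ID:-}" "${ID_LIKE:-}" "${VERSION_ID:-}" )
}

# Choose the package tool the docs use for a given os-release ID / ID_LIKE /
# VERSION_ID: prints dpkg, rpm, yum, dnf, or "unknown".
epm_pkg_tool() {
  id="$1"; like="${2:-}"; ver="${3:-}"
  case " $id $like " in
    *" debian "*|*" ubuntu "*) echo dpkg ;;
    *" amzn "*)
      case "$ver" in
        2)    echo yum ;;   # Amazon Linux 2
        2023) echo dnf ;;   # Amazon Linux 2023
        *)    echo rpm ;;   # other releases: generic rpm -ivh install
      esac ;;
    *" rhel "*|*" fedora "*|*" centos "*|*" suse "*|*" sles "*) echo rpm ;;
    *) echo unknown ;;
  esac
}

# The install command line for a tool (from the docs); fails for unknown tools.
epm_install_cmd() {
  case "$1" in
    dpkg) echo 'dpkg -i keeper-privilege-manager_*.deb' ;;
    rpm)  echo 'rpm -ivh keeper-privilege-manager-*.rpm' ;;
    yum)  echo 'yum install -y keeper-privilege-manager-*.rpm' ;;
    dnf)  echo 'dnf install -y keeper-privilege-manager-*.rpm' ;;
    *)    return 1 ;;
  esac
}

# Sanity check on the deployment token (assumed: non-empty, no whitespace).
epm_token_ok() {
  case "$1" in
    "")             return 1 ;;
    *[[:space:]]*)  return 1 ;;
  esac
  return 0
}

# Report the installed package version (dpkg -l as in the docs; rpm -q is an
# assumption for RPM-based systems).
epm_version() {
  case "$1" in
    dpkg) dpkg -l keeper-privilege-manager ;;
    *)    rpm -q keeper-privilege-manager ;;
  esac
}

epm_install() {
  [ "$(id -u)" -eq 0 ] || { echo "epm_install: run as root" >&2; return 1; }
  epm_token_ok "${KEEPERREGCODE:-}" \
    || { echo "epm_install: export KEEPERREGCODE=<token> first" >&2; return 1; }

  IFS='|' read -r os_id os_like os_ver <<EOF
$(epm_os_fields /etc/os-release)
EOF
  tool=$(epm_pkg_tool "$os_id" "$os_like" "$os_ver")
  cmd=$(epm_install_cmd "$tool") \
    || { echo "epm_install: unsupported distribution '$os_id'" >&2; return 1; }

  # The token travels through the environment, as in the docs' commands.
  KEEPERREGCODE="$KEEPERREGCODE" sh -c "$cmd"

  # Post-install checks: the service must be active and the package queryable.
  systemctl is-active --quiet "$EPM_SERVICE" \
    || { echo "epm_install: $EPM_SERVICE is not active" >&2; return 1; }
  epm_version "$tool"
}

# Only install when invoked as `sh epm_install.sh --install`; sourcing the
# file merely defines the functions.
if [ "${1:-}" = "--install" ]; then
  epm_install
fi
```

Because the package commands expand a glob, they are run through `sh -c`; keep the script in the `linux` directory produced by the unzip step so the glob matches exactly one package.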

#### Uninstall on Linux

Uninstalling the Keeper agent varies based on the platform and the install method used above.

Ubuntu / Debian-based distributions:

```
keepersudo apt remove -y keeper-privilege-manager
```

To remove the package and purge all configuration files:

```
keepersudo apt purge -y keeper-privilege-manager
```

RPM-based distributions:

```
keepersudo rpm -e keeper-privilege-manager
```

On RHEL / Rocky / Alma / CentOS / Oracle Linux:

```
keepersudo yum remove -y keeper-privilege-manager
```

or:

```
keepersudo dnf remove -y keeper-privilege-manager
```

To manually register an agent that has already been installed, the below can be invoked:

{% code overflow="wrap" fullWidth="false" %}

```
/opt/keeper/sbin/Plugins/bin/KeeperRegistration/KeeperRegistration --token="<token>"
```

{% endcode %}

***

### **macOS Installation**

{% stepper %}
{% step %}
**Download and Unpack**

{% code overflow="wrap" lineNumbers="true" fullWidth="false" %}

```
curl -o KeeperPrivilegeManagerMacOS.zip "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerMacOS.zip"
unzip KeeperPrivilegeManagerMacOS.zip
cd macos/
chmod +x install_endpoint_privilege_manager.sh
```

{% endcode %}

The script determines which package to install based on the keeper-privilege-manager version number and the OS architecture. It is safe to run with multiple package versions and architectures present in the directory.
{% endstep %}

{% step %}
**Install the Agent**

```
sudo KEEPERREGCODE="<token>" ./install_endpoint_privilege_manager.sh
```

{% endstep %}

{% step %}
**Full Disk Access**

**Important:** The agent must be provided Full Disk Access permission for File Access and Command Line policies to function.

* Go to **Settings** → **Privacy & Security** → **Full Disk Access** and grant access to the **KeeperPrivilegeManager** application.
* After full disk access is granted, you can restart the computer, or just reload the agent process by running:

```
sudo /Library/Keeper/sbin/Plugins/bin/KeeperPamConfig/KeeperPamConfig
```

{% endstep %}
{% endstepper %}

{% hint style="info" %}
The agent is signed by "Callpod Inc.", which is the holding company of Keeper Security. All of Keeper's software on macOS and iOS devices is digitally signed by Callpod Inc. due to Apple's policies.
{% endhint %}

To manually register an agent that has already been installed, the below can be invoked:

{% code overflow="wrap" fullWidth="false" %}

```
/Library/Keeper/sbin/Plugins/bin/KeeperRegistration/KeeperRegistration --token="<token>"
```

{% endcode %}

#### **Restarting the service**

If a service restart is required on macOS, the following commands can be used:

{% code overflow="wrap" %}

```
launchctl unload /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist

launchctl load /Library/LaunchDaemons/com.keeper.keeper-privilege-manager.plist
```

{% endcode %}
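After the unload/load sequence above (or after granting Full Disk Access), it is worth confirming that the daemon actually came back rather than assuming it did. The following POSIX shell helpers are an added example, not Keeper's own tooling: they parse the `launchctl list` output, in which each loaded job is printed as a `PID  Status  Label` line and the PID column reads `-` when the job is loaded but has no live process, and wrap the documented restart with a short poll until the Keeper label shows a running PID. The function names, the polling budget and the `lister` parameter (which lets a stored listing be substituted for the live `launchctl list`) are this example's own.

```shell
#!/bin/sh
# Added example (not from Keeper's documentation): check the state of the
# Keeper LaunchDaemon by parsing `launchctl list`, and wrap the documented
# unload/load restart with a verification step.
set -eu

EPM_LABEL="com.keeper.keeper-privilege-manager"
EPM_PLIST="/Library/LaunchDaemons/$EPM_LABEL.plist"

# Read `launchctl list` output from stdin and print the state of one label:
# "running <pid>", "loaded" (loaded but no live process), or "absent".
epm_daemon_state() {
  awk -v want="$1" '
    $3 == want {
      if ($1 == "-") print "loaded"; else print "running " $1
      found = 1; exit
    }
    END { if (!found) print "absent" }
  '
}

# Poll until the label reports a running PID or the attempt budget is spent.
# $1 = label, $2 = attempts (one second apart), $3 = command that prints the
# listing (defaults to `launchctl list`; a function can be passed for testing).
epm_wait_running() {
  label="$1"; tries="$2"; lister="${3:-launchctl list}"
  state="absent"
  while [ "$tries" -gt 0 ]; do
    state=$($lister | epm_daemon_state "$label")
    case "$state" in
      running*) echo "$state"; return 0 ;;
    esac
    tries=$((tries - 1))
    if [ "$tries" -gt 0 ]; then sleep 1; fi
  done
  echo "$state"
  return 1
}

# Restart the daemon as the docs describe, then confirm it is running again.
epm_daemon_restart() {
  launchctl unload "$EPM_PLIST"
  launchctl load "$EPM_PLIST"
  epm_wait_running "$EPM_LABEL" 10
}
```

Run `epm_daemon_restart` as root; it exits non-zero, printing `loaded` or `absent`, if the daemon has not come up within ten seconds, which is the signal to look at the system log rather than assume the reload succeeded.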

#### **Uninstall on macOS**

To uninstall the Keeper agent from macOS, run the attached script:

{% code overflow="wrap" fullWidth="false" %}

```
curl -o uninstall_macos.sh "https://raw.githubusercontent.com/Keeper-Security/KeeperPAM/refs/heads/main/pedm/uninstall_macos.sh"

chmod +x uninstall_macos.sh

keepersudo ./uninstall_macos.sh
```

{% endcode %}

Notes:

* The Keeper Agent will launch for users upon a new login session. Therefore logout/login may be required.
* The `sudo` policy controls are documented on the [Command Line Policy](https://docs.keeper.io/endpoint-privilege-manager/policies/policy-types/command-line-policy-type.md) page.
* Installation of packages (.pkg) and images (.dmg) requires that the user explicitly opens the request from the Keeper agent UI.

***

## Discovery of Inventory Data

#### Inventory Collection Schedules

* **Basic (inventory-basic / InventoryBasic):** runs every 7200 minutes (5 days); also runs on AgentRegistered and Startup
* **User (user-inventory / UserInventory):** runs every 7200 minutes (5 days); also runs on AgentRegistered and Startup
* **Application (file-inventory / FileInventory):** runs every 7200 minutes (5 days); also runs on Startup only (no AgentRegistered trigger)

#### **Details**

**Schedule:** All three use the same interval, `intervalMinutes: 7200` (120 hours = 5 days).\
Basic and User additionally run on:\
**AgentRegistered –** when the agent registers with the backend\
**Startup –** when the agent starts\
Application (file inventory) runs on the same 5‑day interval and on Startup only; it has no AgentRegistered trigger.

When the agent is installed and deployed to the endpoints, three types of discovery are performed on the endpoint:

* **Basic Inventory**: Operating system, version, type
* **Account Inventory**: Local users and groups
* **File Inventory**: All executables on the system

The Keeper Admin Console will receive the discovered inventory as encrypted telemetry data, containing information about the endpoint including:

* Computer name and type
* OS information (Windows, macOS, Linux) and version
* Local user account information
* Local group account information
* Installed applications

{% hint style="info" %}
When deploying Keeper, we recommend installing the agent on reference machines in order to collect as much standardized inventory data as possible, before deploying to your fleet of devices.
{% endhint %}

The Deployment page displays the endpoint stats organized by collection.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FWsTCPdSYW6TeEseLXCrY%2FDeployments.png?alt=media&#x26;token=296276e8-ed56-4b8b-b7a0-b3e3d913eee6" alt=""><figcaption><p>Deployment Dashboard</p></figcaption></figure>

The collection can be enabled or disabled from the dashboard. When a collection is disabled, the policy engine will no longer apply to those devices.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FxyLobktuoVLLtVyWAkpm%2FDeployments%20-%20enable%20disable.png?alt=media&#x26;token=d659e3da-7e72-47e9-b4d5-1309523d90f0" alt=""><figcaption><p>Enable or Disable Collections of Endpoints</p></figcaption></figure>

Individual endpoints can also be disabled, to prevent the agent from applying policies.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F2IONbTXWloBmdQp9K1yd%2FSelected%20deployment%20endpoints.png?alt=media&#x26;token=193a06aa-33ba-49a4-9cc7-f93f97b3ebb9" alt=""><figcaption><p>Enable or Disable individual endpoints</p></figcaption></figure>

***

### Automation with Commander

Keeper Commander supports deployment automation through our command-line interface, Service Mode [REST API](https://docs.keeper.io/en/keeperpam/commander-cli/service-mode-rest-api) and Python SDK. [Learn more](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/endpoint-privilege-manager-commands) about Endpoint Privilege Manager commands.

#### Agent Management

The `epm agent` command provides management over individual agents running on the endpoint.

```
My Vault> epm agent -h
pedm command [--options]

Command     Description
----------  -------------------------
list        List EPM agents
edit        Update EPM agents
delete      Delete EPM agents
collection  List EPM agent resources
```

#### Deployment

The `epm deployment` command provides management over agent deployments.

```
My Vault> epm deployment -h
pedm command [--options]

Command    Description
---------  --------------------------------
list       List EPM deployments
add        Add EPM deployments
update     Update EPM deployment
delete     Delete EPM deployment
download   Download EPM deployment package
```

#### Reports

The `epm report` command provides event logs and event reports.

```
My Vault> epm report -h
pedm command [--options]
Command    Description
---------  -----------------------------
column     Run column reports
event      Run audit event reports
summary    Run audit summary reports
```

## Antivirus / EDR Exclusion Requirements

When deploying Keeper Endpoint Privilege Manager alongside third‑party antivirus or EDR solutions, the EPM installation directory should be excluded from real‑time scanning. This prevents performance degradation and avoids interference with policy evaluation, process interception, and privilege‑elevation workflows.

### Required Exclusion Path

```
C:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperUSession
```

### Product‑Specific Instructions

**Microsoft Defender**\
Run in elevated PowerShell:

```
Add-MpPreference -ExclusionPath 'C:\Program Files\Keeper Security\Endpoint Privilege Manager'
```

**CrowdStrike Falcon**\
Falcon Console → Endpoint Security → Configure → Exclusions → Add folder path (include subfolders)\
\
**SentinelOne**\
Management Console → Sentinels → Exclusions → Add Path Exclusion\
Mode: Interoperability – Extended (include subfolders)\
\
**Sophos Central**\
Global Settings → Global Exclusions → Add Exclusion → File or Folder (Windows)\
Apply to real‑time and scheduled scanning\
\
**Symantec/Broadcom SEP**\
SEPM Console → Policies → Exceptions → Add Windows Exception → Folder (include subfolders)\
\
**Trend Micro Apex One**\
Apex Central or local console → Scan Exclusion List → Add directory

### GPO Deployment (Microsoft Defender)

```
Computer Configuration  
  → Administrative Templates  
    → Windows Components  
      → Microsoft Defender Antivirus  
        → Exclusions → Path Exclusions
```

**Add:** *C:\Program Files\Keeper Security\Endpoint Privilege Manager* **with a value of 0.**

### Next Steps

Once you have deployed the agent, discovery kicks in and generates [collections](https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/collections).
