# Integrations

**Audience:** Developers and DevOps engineers who need to run a custom executable on KEPM-managed endpoints.

Keeper Endpoint Privilege Manager is not only a policy enforcement platform — it is also an extensible agent that your tools can run on top of. If your team needs to deploy a custom executable on managed endpoints (for example, a secrets scanner, a compliance reporter, or a maintenance utility), the KEPM agent can run it on a schedule, monitor its output, and route its logs through the same pipeline that operators already watch.

This section covers how to build that integration end to end: from authoring the job or plugin JSON that tells the agent what to run, to connecting to the local MQTT broker to publish structured logs, to deploying and registering your binary via the local HTTPS API.

## Integration Patterns

KEPM supports two ways to integrate a custom executable. Understanding the distinction up front will save you time.

### Jobs

**Jobs** are the right choice for most custom tools. A job is a JSON document that defines *when* something runs — on a schedule, at agent startup, or on a specific event — and *what* runs: a task that points at your binary. The agent starts the process, tracks its exit code, captures its output, and grants it access to MQTT for structured logging. Job tasks do not require a long-running process and do not require plugin registration. If you are building a scanner, reporter, or any tool that runs and exits, start here.

### Plugins

**Managed plugins** are the right choice when you need a long-running process that is part of the agent's lifecycle — started with the agent, monitored, restarted on failure, and subscribed to MQTT topics as a first-class component. This is a deeper integration pattern typically used for bridges, daemons, or other persistent services.

***

## Integration Guides

The [**Custom Job Integration Guide**](/keeperpam/endpoint-privilege-manager/integrations/custom-job-guide.md) explains how to build, deploy, and configure a job task binary end to end, including binary layout, job JSON, execution context, code signing, MQTT logging, and the pre-launch checklist.

The [**Custom Plugin Integration Guide**](/keeperpam/endpoint-privilege-manager/integrations/custom-plugin-guide.md) covers how to register a managed plugin, including plugin JSON fields, lifecycle settings, MQTT subscription, and how plugins differ from job tasks.

The [**HTTP Reference Guide**](/keeperpam/endpoint-privilege-manager/integrations/http-reference-guide.md) documents the local HTTPS API endpoints your integration will call, including creating and deploying jobs via `/api/Jobs`, reading runtime settings via `/api/PluginSettings`, and understanding the Admin vs. Plugin authorization tiers.

***

### Before You Start

You will need a few things from the team that manages the KEPM deployment before you can develop or test your integration:

* The **agent version** running on target endpoints — validation rules and available features vary by release.
* The **`KeeperApiBaseUrl`** for the local HTTPS API (typically `https://127.0.0.1:6889`, but confirm with your administrator).
* Confirmation of whether **Last Known Good** (`ConfigurationLkg`) is enabled, which affects how you deploy job JSON files to endpoints.
* If your binary needs to publish to MQTT: whether **`AlternativeSignatures`** needs to be updated to trust your code-signing certificate, and whether `AllowedNonAdminExecutables` applies to your use case.
* The **deployment method** your organization uses for pushing job definitions to endpoints: the local HTTPS API, `JobUpdate` policy via the Keeper console, or another supported path.

For most custom tool integrations, the [Custom Job Integration Guide](/keeperpam/endpoint-privilege-manager/integrations/custom-job-guide.md) is the right starting point. Read the [HTTP Reference](/keeperpam/endpoint-privilege-manager/integrations/http-reference-guide.md) alongside it when you are ready to script deployment or call Plugin Settings from your binary at runtime.


