| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
privilege-elevation-policy-controls | Handles pending evaluations for Privilege Elevation policies. Runs MFA, justification, and approval controls. | Event: PolicyEvaluationPending (PrivilegeElevation, has desktop) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, echo, HTTP error handler |
privilege-elevation-policy-controls-macos | Same as above for macOS PAM / System Extension flow. | Event: PolicyEvaluationPending (alternate when the standard job's condition is not met) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast |
file-access-policy-controls | Handles pending evaluations for File Access policies. Runs MFA, justification, approval; can create execution grants. | Event: PolicyEvaluationPending (FileAccess) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, HTTP create-execution-grant |
file-access-policy-controls-headless | Headless variant — no UI; sends pending, allow, or deny via MQTT. | Event: PolicyEvaluationPending (FileAccess, no desktop) | log-message, publish-mqtt, HTTP create-execution-grant |
default-policy-controls | Handles pending evaluations for CommandLine and other policy types that are not Privilege Elevation, File Access, or HTTP Access. | Event: PolicyEvaluationPending (not PrivilegeElevation, FileAccess, or HttpAccess; has desktop) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, echo |
default-policy-controls-headless | Headless variant — forwards pending or deny via MQTT. | Event: PolicyEvaluationPending (alternate when the standard job's condition is not met) | publish-mqtt |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
LaunchPrivilegeElevation | Launches the requested application with elevation. Optionally runs a redirect check first, then launches the elevated process or a configured substitute. | Event: LaunchPrivilegeElevation | RedirectEvaluator (check-redirect), publish-mqtt, HTTP launch-substitute / launch-elevated / create-execution-grant, display-message, cmd |
LaunchApprovedRequest | Launches an already-approved elevation request, for example from the keeperAgent UI. | Event: LaunchApprovedRequest | HTTP ephemeral/launch API, cmd, publish-mqtt |
create-approved-request-from-policy-result | Creates an approved request from a policy result so it can be launched later. | Event (from policy controls flow) | publish-mqtt, HTTP |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
GrantFileAccess | Grants temporary file access to a path for a user. | Event or API | KeeperFileAccessPolicyEnforcer (grant) |
RevertFileAccess | Reverts a file access grant. | Event or API | KeeperFileAccessPolicyEnforcer (revert) |
ApplyFileAccessPolicies | Applies file access policy rules from the backend. | Event or schedule | KeeperFileAccessPolicyEnforcer |
FileAccessStartupCleanup | Cleans up expired file access entries at agent startup. | Event: Startup | KeeperFileAccessPolicyEnforcer or HTTP |
LaunchFileAccess | Launches an application with the appropriate file access context. | Event: LaunchFileAccess | show-toast, HTTP launch-with-file-access |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
inventory-basic | Basic system inventory — machine, OS, and related metadata. | Schedule or event | KeeperInventoryBasic |
file-inventory | File-level inventory of executables and related assets. | Schedule (typically every 7200 minutes) | File inventory binary |
user-inventory | User account inventory. | Schedule or event | User inventory executable |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
composite-risk-evaluation | Computes a composite risk score from location, user, application, and machine risk factors. | Event (from policy or other jobs) | CompositeRiskEvaluator, echo |
user-risk-assessment | User risk score. | Event or schedule | Risk assessment executable |
machine-risk-assessment | Machine risk score. | Event or schedule | Risk assessment executable |
location-risk-assessment | Location risk score. | Event or schedule | Risk assessment executable |
file-risk-assessment | File risk score. | Event or schedule | File risk assessment executable |
url-risk-assessment | URL risk score. | Event or schedule | URL risk assessment executable |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
ProcessConfigurationPolicies | Processes configuration policies from the backend — settings updates, job updates, and similar. | Event: Startup or schedule | KeeperConfigurationPolicyProcessor |
registration | Registers the agent with the Keeper backend. | Event: Startup | KeeperRegistrationHelper |
log-version-info | Logs version information, for example when an error threshold is reached. | Event (from Logger or manual) | HTTP or script |
locale-cache-cleanup | Cleans the locale cache. | Schedule or event | Script or executable |
ephemeral-account-cleanup-if-unused | Removes an ephemeral account if it is no longer in use. | Schedule (typically every 30 seconds) | HTTP ephemeral cleanup endpoint |
send-audit-event | Sends an audit event to the backend or logger. | Event | publish-mqtt or HTTP |
monitor-and-notify-notification | Sends a notification when a policy would have matched in Monitor & Notify mode. | Event | show-toast or publish-mqtt |
keeperagent-silent-expiration-check | Checks approval expiration silently for keeperAgent. | Schedule | HTTP or script |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
send-toast | Sends a toast notification to the user. | Event (from menu or policy) | show-toast (built-in) |
ShowAgent | Launches the keeperAgent UI on the user's desktop. | Event: ShowAgent (from KeeperClient menu) | keeperAgent |
StartKeeperClient | Starts the KeeperClient system tray application. | Event (Startup or menu) | KeeperClient |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
least-privilege-check | Checks and enforces least-privilege rules — for example, removing admin rights from users. | Event or schedule | KeeperLeastPrivilegeEnforcer |
LaunchLeastPrivilegeEnforcer | Launches KeeperLeastPrivilegeEnforcer, for example for CommandLine approval in headless mode or to create a sudoers entry. | Event: LaunchLeastPrivilegeEnforcer | KeeperLeastPrivilegeEnforcer, publish-mqtt |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
policy-evaluation-error-handler | Handles policy evaluation errors such as a missing file path. Sends a deny or error response. | Event (triggered by HTTP from other jobs) | display-message, publish-mqtt |
policy-evaluation-error-handler-headless | Headless variant — no UI; sends response via MQTT. | Event | publish-mqtt |
| Job ID | Description | Trigger | Main Tasks / Executables |
|---|---|---|---|
configure_pam_module | Configures the PAM module for Linux or macOS. | Event or manual | PAM configuration script or executable |
remove_keeper_pam_module | Removes the Keeper PAM module. | Event or manual | PAM removal script or executable |
| Task or Executable | Purpose |
|---|---|
KeeperMfa | MFA UI — the user completes multi-factor authentication when a policy requires it |
KeeperJustification | Justification UI — the user enters a business reason when a policy requires it |
KeeperApproval | Approval UI — sends the request to approvers; user or approver sees pending approvals |
KeeperMessage | Used by display-message and notifications to show messages to the user |
display-message | Shows a message dialog to the user with a title, body, and severity level |
show-toast | Shows a toast notification via the OS notification system |
publish-mqtt | Publishes a message to an MQTT topic — responses, audit events, launch events |
check-approval-provider | Routes approval to Keeper or an external provider |
RedirectEvaluator | Checks whether an elevation request should be redirected to a substitute executable |
keeperAgent | Agent UI — manage requests and view status |
KeeperClient | System tray application — notifications, menu, and launching elevation requests |
KeeperRegistrationHelper | Registers the agent with the Keeper backend |
KeeperFileAccessPolicyEnforcer | Grants and reverts file access; applies file access policies |
KeeperConfigurationPolicyProcessor | Processes configuration policies — settings updates, job updates |
CompositeRiskEvaluator | Calculates the composite risk score from multiple risk inputs |
KeeperInventoryBasic | Collects basic system inventory |
KeeperLeastPrivilegeEnforcer | Enforces least privilege rules — sudoers management, admin removal |
| HTTP tasks | Call the local API — for example, launch elevated, create execution grant, ephemeral cleanup |