Default Jobs
Default Jobs Deployed with Keeper Privilege Manager

Audience: IT admins who need to understand which jobs ship with Keeper Privilege Manager, what each one does, and which executables it invokes.
Jobs are defined in the Jobs/ directory. The tables below group them by purpose and list the main task commands or executables each job uses. For the job JSON format and field reference, see Jobs: Definition & Format. For how jobs are discovered and loaded, see Plugin & Job Registration.
Policy Control Jobs
These jobs handle PolicyEvaluationPending events — they run the configured controls (MFA, justification, approval) and publish allow or deny responses.

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| privilege-elevation-policy-controls | Handles pending evaluations for Privilege Elevation policies. Runs MFA, justification, and approval controls. | Event: PolicyEvaluationPending (PrivilegeElevation, has desktop) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, echo, HTTP error handler |
| privilege-elevation-policy-controls-macos | Same as above for macOS PAM / System Extension flow. | Event: PolicyEvaluationPending (alternate when the standard job's condition is not met) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast |
| file-access-policy-controls | Handles pending evaluations for File Access policies. Runs MFA, justification, approval; can create execution grants. | Event: PolicyEvaluationPending (FileAccess) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, HTTP create-execution-grant |
| file-access-policy-controls-headless | Headless variant — no UI; sends pending, allow, or deny via MQTT. | Event: PolicyEvaluationPending (FileAccess, no desktop) | log-message, publish-mqtt, HTTP create-execution-grant |
| default-policy-controls | Handles pending evaluations for CommandLine and other policy types that are not Privilege Elevation, File Access, or HTTP Access. | Event: PolicyEvaluationPending (not PrivilegeElevation, FileAccess, or HttpAccess; has desktop) | KeeperMfa, KeeperJustification, KeeperApproval, display-message, publish-mqtt, show-toast, check-approval-provider, echo |
| default-policy-controls-headless | Headless variant — forwards pending or deny via MQTT. | Event: PolicyEvaluationPending (alternate when the standard job's condition is not met) | publish-mqtt |

Privilege Elevation Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| LaunchPrivilegeElevation | Launches the requested application with elevation. Optionally runs a redirect check first, then launches the elevated process or a configured substitute. | Event: LaunchPrivilegeElevation | RedirectEvaluator (check-redirect), publish-mqtt, HTTP launch-substitute / launch-elevated / create-execution-grant, display-message, cmd |
| LaunchApprovedRequest | Launches an already-approved elevation request, for example from the keeperAgent UI. | Event: LaunchApprovedRequest | HTTP ephemeral/launch API, cmd, publish-mqtt |
| create-approved-request-from-policy-result | Creates an approved request from a policy result so it can be launched later. | Event (from policy controls flow) | publish-mqtt, HTTP |

File Access Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| GrantFileAccess | Grants temporary file access to a path for a user. | Event or API | KeeperFileAccessPolicyEnforcer (grant) |
| RevertFileAccess | Reverts a file access grant. | Event or API | KeeperFileAccessPolicyEnforcer (revert) |
| ApplyFileAccessPolicies | Applies file access policy rules from the backend. | Event or schedule | KeeperFileAccessPolicyEnforcer |
| FileAccessStartupCleanup | Cleans up expired file access entries at agent startup. | Event: Startup | KeeperFileAccessPolicyEnforcer or HTTP |
| LaunchFileAccess | Launches an application with the appropriate file access context. | Event: LaunchFileAccess | show-toast, HTTP launch-with-file-access |

Inventory Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| inventory-basic | Basic system inventory — machine, OS, and related metadata. | Schedule or event | KeeperInventoryBasic |
| file-inventory | File-level inventory of executables and related assets. | Schedule (typically every 7200 minutes) | File inventory binary |
| user-inventory | User account inventory. | Schedule or event | User inventory executable |

Risk Assessment Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| composite-risk-evaluation | Computes a composite risk score from location, user, application, and machine risk factors. | Event (from policy or other jobs) | CompositeRiskEvaluator, echo |
| user-risk-assessment | User risk score. | Event or schedule | Risk assessment executable |
| machine-risk-assessment | Machine risk score. | Event or schedule | Risk assessment executable |
| location-risk-assessment | Location risk score. | Event or schedule | Risk assessment executable |
| file-risk-assessment | File risk score. | Event or schedule | File risk assessment executable |
| url-risk-assessment | URL risk score. | Event or schedule | URL risk assessment executable |

Configuration and Maintenance Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| ProcessConfigurationPolicies | Processes configuration policies from the backend — settings updates, job updates, and similar. | Event: Startup or schedule | KeeperConfigurationPolicyProcessor |
| registration | Registers the agent with the Keeper backend. | Event: Startup | KeeperRegistrationHelper |
| log-version-info | Logs version information, for example when an error threshold is reached. | Event (from Logger or manual) | HTTP or script |
| locale-cache-cleanup | Cleans the locale cache. | Schedule or event | Script or executable |
| ephemeral-account-cleanup-if-unused | Removes an ephemeral account if it is no longer in use. | Schedule (typically every 30 seconds) | HTTP ephemeral cleanup endpoint |
| send-audit-event | Sends an audit event to the backend or logger. | Event | publish-mqtt or HTTP |
| monitor-and-notify-notification | Sends a notification when a policy would have matched in Monitor & Notify mode. | Event | show-toast or publish-mqtt |
| keeperagent-silent-expiration-check | Checks approval expiration silently for keeperAgent. | Schedule | HTTP or script |

Notification and UI Launch Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| send-toast | Sends a toast notification to the user. | Event (from menu or policy) | show-toast (built-in) |
| ShowAgent | Launches the keeperAgent UI on the user's desktop. | Event: ShowAgent (from KeeperClient menu) | keeperAgent |
| StartKeeperClient | Starts the KeeperClient system tray application. | Event (Startup or menu) | KeeperClient |

Least Privilege Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| least-privilege-check | Checks and enforces least-privilege rules — for example, removing admin rights from users. | Event or schedule | KeeperLeastPrivilegeEnforcer |
| LaunchLeastPrivilegeEnforcer | Launches KeeperLeastPrivilegeEnforcer, for example for CommandLine approval in headless mode or to create a sudoers entry. | Event: LaunchLeastPrivilegeEnforcer | KeeperLeastPrivilegeEnforcer, publish-mqtt |

Error Handling Jobs

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| policy-evaluation-error-handler | Handles policy evaluation errors such as a missing file path. Sends a deny or error response. | Event (triggered by HTTP from other jobs) | display-message, publish-mqtt |
| policy-evaluation-error-handler-headless | Headless variant — no UI; sends response via MQTT. | Event | publish-mqtt |

PAM Configuration Jobs (Linux / macOS)

| Job | Description | Trigger | Main tasks / executables |
| --- | --- | --- | --- |
| configure_pam_module | Configures the PAM module for Linux or macOS. | Event or manual | PAM configuration script or executable |
| remove_keeper_pam_module | Removes the Keeper PAM module. | Event or manual | PAM removal script or executable |

Task and Executable Reference

| Task / executable | Purpose |
| --- | --- |
| KeeperMfa | MFA UI — the user completes multi-factor authentication when a policy requires it |
| KeeperJustification | Justification UI — the user enters a business reason when a policy requires it |
| KeeperApproval | Approval UI — sends the request to approvers; user or approver sees pending approvals |
| KeeperMessage | Used by display-message and notifications to show messages to the user |
| display-message | Shows a message dialog to the user with a title, body, and severity level |
| show-toast | Shows a toast notification via the OS notification system |
| publish-mqtt | Publishes a message to an MQTT topic — responses, audit events, launch events |
| check-approval-provider | Routes approval to Keeper or an external provider |
| RedirectEvaluator | Checks whether an elevation request should be redirected to a substitute executable |
| keeperAgent | Agent UI — manage requests and view status |
| KeeperClient | System tray application — notifications, menu, and launching elevation requests |
| KeeperRegistrationHelper | Registers the agent with the Keeper backend |
| KeeperFileAccessPolicyEnforcer | Grants and reverts file access; applies file access policies |
| KeeperConfigurationPolicyProcessor | Processes configuration policies — settings updates, job updates |
| CompositeRiskEvaluator | Calculates the composite risk score from multiple risk inputs |
| KeeperInventoryBasic | Collects basic system inventory |
| KeeperLeastPrivilegeEnforcer | Enforces least privilege rules — sudoers management, admin removal |
| HTTP tasks | Call the local API — for example, launch elevated, create execution grant, ephemeral cleanup |


