# Jobs & Applications

Keeper EPM uses **jobs** to automate policy enforcement, inventory, risk assessment, and maintenance—and **applications** (UI components) to interact with users and approvers. This section gives you a customer-oriented overview. *** ## Jobs **Jobs** are defined tasks that the agent runs. They can be triggered by policy (e.g., when a user requests elevation), on a schedule, or by the dashboard. They give you **automation and consistency** without scripting on each endpoint. Job tasks can run in these four execution modes: * Service — Runs as the service account (default). Trusted context; supports MergeStdoutJsonIntoContext and SkipWhenPluginSettingFalse. * User — Runs in the logged-on user’s session, non-elevated. * UserDesktop — Runs on the user’s desktop session, non-elevated; used for MFA/approval and other resumable UI flows. * UserElevated — Runs elevated in the user context (e.g. on the user’s desktop with elevation). In job JSON you set executionType on each task (e.g. "executionType": "Service"). Default is Service if omitted. ### What Jobs Do (use-case examples) * **Policy control:** Evaluate policies, enforce controls (e.g., launch elevation, request approval), and handle redirects (e.g., send the user to a substitute app instead of the risky one). * **Inventory:** Collect basic or full inventory (machine, user, or file) and report to the backend. * **Risk assessment:** Compute risk scores for users, machines, files, locations, or URLs so policies can allow or restrict based on risk. * **File access:** Grant or revert temporary file access, apply file-access policies, and launch apps with the right file access. * **Privilege elevation:** Launch an app with elevation, launch an approved request, or create an approved request from a policy result. * **Configuration:** Process configuration policies (e.g., push plugin or job settings), register or unregister the agent, and run PAM configuration on Linux/macOS. * **Maintenance:** Log version info, clean caches, send audit events, handle policy evaluation errors, and manage ephemeral accounts. Jobs are configured in the dashboard or via configuration policy; the agent receives the definitions and runs them when the right trigger (policy, schedule, or API) fires. ### Job Reference (summary)

Category	Examples
Risk & inventory	Composite Risk Evaluator, User/Machine/File/Location/URL Risk Assessment, Inventory Basic/Full/User
Policy enforcement	Configuration Policy Processor, File Access Policy Enforcer, Redirect Evaluator, Least Privilege Enforcer
File access	Grant/Revert File Access, Apply File Access Policies, Launch File Access
Privilege elevation	Launch Privilege Elevation, Launch Approved Request, Create Approved Request from Policy Result
Agent lifecycle	Registration Helper, Unregistration Helper
Configuration & PAM	Process Configuration Policies, PAM Configuration (Linux/macOS)
UI & notifications	Send toast, Show Agent, Start KeeperClient

For an exhaustive list of jobs, please Reference: [Default Jobs](/keeperpam/endpoint-privilege-manager/reference/default-jobs.md) You don’t need to edit job definitions by hand unless you’re doing advanced customization; the dashboard and configuration policies are the recommended way to manage them. ## Tasks **Tasks** are the steps inside a job (e.g., “call this API,” “run this script,” “wait for approval”). Some jobs use **distributed binaries**—small programs that run on the endpoint to perform a task. The agent runs these in a controlled way so policy enforcement and automation stay consistent and secure. From a customer perspective, you manage jobs as a whole; the product takes care of running the right tasks and binaries. ## UI Applications These are the **user- and approver-facing** components that make KEPM usable day to day:

Application	Purpose
KeeperAgent	Agent UI: status, basic controls, and entry point for user-facing actions.
KeeperApproval	Approval UI: approvers see pending requests and can approve or deny.
KeeperJustification	Justification UI: prompts the user to enter a reason when policy requires it.
KeeperMessage	Messaging/notifications: shows messages and notifications to the user.
KeeperMFA	MFA UI: guides the user through multi-factor authentication when policy requires it.
KeeperClient	System tray / client: tray icon, notifications, and quick access to elevation or other actions.
Keeper.NetworkConnections	Substitute UI for network settings: when you redirect “open network settings” to this app, users get a controlled experience instead of the OS default.

## Run-As & Elevation Components These components are **not** UI applications; they run processes with the right identity or elevation under policy:

Component	Purpose
Keeper.RunAs	Run processes with the appropriate identity under policy.
Keeper.RunElevated	Run processes with privilege elevation under policy.

Together, jobs, UI applications, and these run-as/elevation components give you **automated enforcement** and a **clear experience** for both users and approvers—without exposing internal implementation details. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/setup/jobs-and-applications.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.