# Plugins & Settings

<figure><img src="/files/GPejUW8mfOFkcHsm36fI" alt=""><figcaption></figcaption></figure>

Keeper EPM runs as a **service** with **plugins** that handle policy, communication, logging, and user interaction. **Settings** let you tune behavior without reinstalling. This section explains what matters to you as a customer.

***

### Plugins

**Plugins** are components that extend what the agent can do. They run alongside the main service and are started automatically in normal operation. You don’t install them separately; they’re part of the product.

#### What Each Plugin Does (Summary)

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="212.3333740234375">Plugin</th><th width="321.666748046875">Role</th><th>OS</th></tr></thead><tbody><tr><td><strong>KeeperAPI</strong></td><td>Talks to the Keeper backend: registration, policy sync, and reporting. Required for cloud-managed deployments.</td><td>Linux, macOS, Windows</td></tr><tr><td><strong>KeeperPolicy</strong></td><td>Evaluates policies on the endpoint: decides allow/deny, MFA, approval, justification. Core of policy enforcement.</td><td>Linux, macOS, Windows</td></tr><tr><td><strong>Logger (KeeperLogger)</strong></td><td>Centralized logging: level, retention, and where logs go. Helps with troubleshooting and compliance.</td><td>Linux, macOS, Windows</td></tr><tr><td><strong>KeeperUSession</strong></td><td>User-session handling so the agent can work correctly in multi-user or session scenarios.</td><td>Windows Only</td></tr><tr><td><strong>KeeperClient</strong></td><td>System tray and client UI: notifications, tray icon, and user-facing actions.</td><td>Linux, macOS, Windows</td></tr><tr><td><strong>PAM Module</strong></td><td>Core endpoint component that enforces PAM policies locally and coordinates actions like elevation, approvals, and auditing with the backend.</td><td>Linux &#x26; macOS</td></tr><tr><td><strong>System Extension</strong></td><td>macOS system-level extension that provides the required OS hooks to monitor and enforce PAM controls (e.g., process/file activity) on Mac devices.</td><td>macOS</td></tr></tbody></table>

Other components (e.g., RunAs, RunElevated, approval/justification/MFA UIs) may appear as separate executables or jobs; they work with these plugins to deliver the full experience.

#### Do You Need to “Manage” Plugins?

In typical use, **no**. The product starts and monitors the required plugins. If you change settings (see below), you may need to **restart a plugin or the service** for changes to take effect; the dashboard or your operations runbook will indicate when that’s needed.

## Settings

**Settings** control how the agent and its plugins behave. There are two levels that matter to you:

### Plugin Settings

Each plugin can have its own options, for example:

* **KeeperPolicy:** Broker (messaging) host/port, subscription topics, HTTPS port for local calls, timeouts, rate limits, and whether policies apply to administrators when no policy matches (enforce-for-admins behavior).
* **KeeperAPI:** Backend URL, sync interval, and similar.
* **Logger:** Log level, file path, retention, rotation.

You can change these from the **dashboard** (e.g., via configuration or “Update Settings” policies) so that all agents in a deployment group get the same behavior. After a change, the product may need to restart the plugin or service to apply it; follow the guidance in the console.

### Global Settings

**Global settings** apply to the whole agent: ports (HTTP/HTTPS, MQTT), paths (storage, plugins), logging levels, and similar. They’re typically set in the agent’s configuration file (`appsettings.json`) or pushed via the dashboard. The dashboard is the preferred place to manage them so you don’t have to edit files on each endpoint.

### Reverting or Refreshing Settings

If your deployment supports it, you can **revert** plugin settings to the values from the last configuration push (or from the default config). That’s useful when a change didn’t work as expected or you want to roll back. The exact action (“Revert settings,” “Refresh from dashboard,” etc.) depends on your console; the result is that the agent picks up the intended configuration again.

***

#### **Summary**

**Plugins** are the engine (policy, API, logging, client); **settings** are the knobs you use to tune behavior from the dashboard. You get control without needing to open developer or administrator documentation.


