KeeperMSP Administration Guide

Introduction

KeeperMSP is a natural extension of Keeper’s Enterprise Password Management solution which allows an MSP to manage multiple independent tenants (a.k.a. "Managed Companies" or "MCs") from a central console.

To serve the MSP market, Keeper Security created an enterprise-class, purpose-built solution which allows Keeper's password management and security software to be managed and distributed by MSPs. The enterprise version of Keeper has been architected for scale and has the core features and functionality that MSPs require, including: organizational roles, robust enforcement policies, multiple provisioning methods, full support for 2FA methods and robust event logging, auditing and reporting capabilities. Keeper password management and security vaults can be provisioned by MSPs to every one of their customers - to protect every employee on every device they use. Keeper is the leading password management application in the industry - with unmatched security, cross-platform capabilities and top ratings by industry services, press and end users.

This guide supplements the Keeper Enterprise Guide and details the specific functionality for MSP-level administration and license management. Please refer to the Enterprise Guide for a broader overview of Keeper software which covers core functionality at the Managed Company level.

MSPs and Managed Customers (MCs)

KeeperMSP can support a wide spectrum of deployment models, from full service (“white glove”) MSPs who manage everything for their users all the way to pure resellers who do little or no administration for their clients.

Full Service Model

MSP Technicians have access to their MCs’ Keeper Admin Consoles and thus have full rights to provision end users, set up MC-specific roles, login enforcements and teams for sharing credentials. These technicians may also choose to set up login credentials for users, which can be done by sharing records from their private vaults to those of an MC. This allows an MSP to offer a fully integrated set of services that includes a set of pre-configured login credentials they can keep updated if needed.

Reseller Model

In this model, resellers primarily act as distributors and sell Keeper software to customers who can administer the solution themselves. The MSP can designate an administrator user at the MC to handle all management of the system.

Hybrid Model

Both the MSP Technician and the MC Administrator can share responsibilities to manage the system. For frequently changing or highly specific settings (e.g. which employees are in a team folder), the “local” MC administrator could take responsibility. For large-scale initial provisioning and configuration, the MSP may be better equipped to facilitate this with Keeper’s Active Directory bridge, SSO or other provisioning methods.

Free Trial

If you want to try KeeperMSP before buying, then a trial is for you! Free trials are available for new customers and include a fixed number of licenses (for all plans offered) to work with. During a trial you can exercise all the core functionality of Keeper, set up your own staff administrators and create Managed Companies. The only limitation is that you can’t change the number of licenses provided during the trial period.

If you elect to purchase the product after a trial then the users, vault data and administrative configurations you have set up will be preserved for live production operation. You can adjust the MSP license counts and managed plans during the checkout process.

To start a trial of KeeperMSP, click on the Trial button from the MSP product page at: https://keepersecurity.com/msp-password-manager.html. Once you’ve signed up with an account, please follow the Getting Started section below.

Getting Started

Log in to the KeeperMSP Administrative Console

The KeeperMSP Admin Console can be accessed from here: https://keepersecurity.com/console

Setting Up Your Administrators and Technicians

Click on the "Admin" tab to set up your Keeper Administrators. Click on "Add Users" and fill out the name and email address.

Important: We recommend creating at least two administrators in case the primary admin loses access to their Keeper account. Keeper is built using a Zero-Knowledge Security Architecture and therefore, Keeper Security cannot restore an administrator’s account. Additionally, Keeper cannot elevate a user to an Administrative role.

* More information about Keeper’s Zero-Knowledge Security Architecture can be found here: https://keepersecurity.com/security

Creating Roles

Click on the “Roles” tab to establish roles which can have a robust set of enforcements as well as a variety of administrative permissions (such as rights to Manage Companies and/or purchase licenses from Keeper). Once roles are defined then you can assign a role to the user in order to provide them with permissions (click on the gear icon).

Teams

If you have a group of technicians that need to share passwords, you can set them up in a team. Then, the team can be added to a shared folder within the user's vault. Only those users local to the current enterprise (Managed Company) will be visible in the search bar when adding a user to a shared folder. You can also share records and folders with users in teams.

Adding a Managed Company (MC)

To add a new MC, click the "Add Managed Company" button and fill in the information. The new MC will appear in the company listing with the number of licenses you specified.

The Admin console for that company can then be accessed by an MSP admin (“technician”) who has the “Managed Companies” permission. The Active count indicates how many of the MC's users have been issued, and have accepted, an invitation to set up their Keeper vaults.

IMPORTANT: You should set up a local administrator at the MC after you create the company. This administrator will serve as a secondary, backup and/or emergency contact. If a user at the MC leaves the organization, their vault can then be securely transferred to another administrator.

Choose a Plan

Keeper provides multiple managed business plans to best suit a variety of Managed Customer types. "Business" plans are intended for smaller businesses who do not need advanced provisioning capabilities. "Enterprise" plans include advanced provisioning capabilities including Active Directory, Single Sign On (SSO), Azure AD and SCIM.

Plan                      Add-Ons Included
------------------------  -----------------------------------------------------------------------------------------
Keeper Business           100GB Secure File Storage
Keeper Business Plus      Advanced Reporting & Alerts Module, BreachWatch, 1TB Secure File Storage
Keeper Enterprise         Advanced Provisioning, 100GB Secure File Storage
Keeper Enterprise Plus    Advanced Provisioning, Advanced Reporting & Alerts Module, BreachWatch, 1TB Secure File Storage

* For more details on all available plans, please visit https://keepersecurity.com/msp

Adding Licensed Plans to Your Pool

The pool is a central “warehouse” of licenses from which you can distribute to your MCs. An MSP maintains an inventory of Keeper licenses by purchasing them directly from Keeper (or via a partner marketplace). Each time you add and allocate licenses to an MC, they are drawn from the pool. Conversely, when you reduce (or de-provision) licenses from an MC, the licenses are added back into your pool.

Allocating Licenses from the Pool to Managed Companies (MC)

Once you have added an inventory of licenses to your pool, you can allocate those licenses to your MCs so they have the licenses they need to support their users. Licenses can be removed from specified MCs and assigned to other MCs.

Administering a Managed Company (MC)

To administer an MC, click on the “Launch” icon next to the Managed Company name. This will open a new browser tab with the Admin console for that MC. Please refer to the Keeper Enterprise Guide for details on managing a Keeper enterprise environment.

Fundamentals

Keeper Vaults and Master Passwords

To access the Keeper Vault, each Keeper user (e.g. an MSP Administrator, Technician or user at a Managed Company) must choose a “Master Password.” This unique Master Password is only used for Keeper and not any other service. Keeper’s zero-knowledge security architecture ensures that no one – not even the administrator, MSP or Keeper employees – has access to a user’s Master Password.

The Master Password must adhere to the guidelines enforced by the Keeper Administrator, which can be applied to users via role enforcement policies. In the case of a lost Master Password, users can recover their account through a zero-knowledge recovery process which includes answering a security question, email verification and two-factor verification.

Isolation of Managed Companies

Keeper MSP utilizes strict and secure data isolation between each Managed Company, at both the logical and encryption layer. This is critical for MC independence, privacy and security. It also preserves compliance with security and privacy standards covering SOC 2 Type I and II controls, ISO 27001, FINRA and HIPAA. Since Keeper uses a zero-knowledge security architecture, each MC’s data is completely separated and encrypted with a key derivation architecture that is specific to each MC. Therefore, no inadvertent sharing of MC-related data such as emails, admins, teams, roles or vault data is possible.

MSP Technicians exist at the root level of the MSP’s system and have the ability to “launch” into each MC instance for administrative purposes. Any “local” admins set up in the MCs do not have this root-level access to the MSP’s console or any of the MSP’s data. MCs are strictly isolated within their own organizational architecture and therefore cannot view or access another MC’s admin console or vault records.

Managed Customers are fully isolated from each other

Geographic SaaS Platform (US and EU)

New MSP and Managed Company accounts are created either in US or EU geographic regions. Once the region has been selected and established for an MSP or Managed Company, the region cannot be changed without re-creating the environment.

Key Supplemental Functionality for MSPs

License Pool

KeeperMSP product licensing is structured as a wholesale model which enables an MSP to purchase licenses in bulk from the Keeper checkout page or from a partner page, e.g. the ConnectWise Marketplace. These licenses become part of the MSP’s central pool for allocation to the MCs when needed. This centralized purchasing and inventory helps minimize “round trip” purchases by the MSP for every MC they manage.

  • Licenses in an MSP’s pool can be allocated or deallocated and are billed based on the net number of licenses in the pool, on a monthly basis.

  • Volume discounts on licenses in the MSP’s pool are computed monthly and are recalculated up or down based on the actual count in the MSP’s pool.

  • Adjustments, up or down, can be made at any time during the month. Licenses are pre-paid for the month. No prorated adjustment is given during the monthly billing period if they are not used.

  • MSPs can purchase and sell four different product offerings. These offerings consist of bundles which combine the most popular configurations for Business and Enterprise-class MCs. These optimized bundles simplify the MSP’s monthly billing and offer a wide range of security products for the MSP’s customer base.

Logging License Transactions for Billing Purposes

Each time a license is allocated to or deallocated from an MC by an authorized administrator, a log entry is created which can then be reported and exported, via .csv, to a third-party billing system. Although Keeper provides pricing guidance for an MSP for the resale of its software to MCs, pricing is ultimately determined and set by the MSP, based on their own business practices.

  • An optional, open-text field is provided when adjusting the licensing levels in order to manually record any pricing notes.

  • Summary reports which aggregate the net changes during a specified period are also provided.

Roles and Enforcement Policies

Administrators can create Roles and set a plethora of enforcement policies for users in each Role. A robust variety of enforcements are possible, including those limiting platforms, requiring strong passwords, and more. Roles with elevated permissions are also assignable for administrative staff, and allow a variety of actions like managing teams, roles, running reports and more.

Roles are set up in a hierarchical “tree” structure with visibility and inheritance of permissions limited to “nodes” below the current node, but not sideways to sibling nodes. Nodes are not available at the MSP level - they are available at the MC level.

Administrative Permissions

For MSP administrators, additional permissions are provided to control the authorization of different operations:

An MSP technician that has the “Manage Companies” permission enabled can launch into an MC’s Admin Console with a single click. This provides the MSP technician with administrative rights to set up and manage the MC’s Keeper Admin Console. There, they can set up the MC’s users, roles and teams, establish enforcement policies, provision Keeper Vaults to designated users and monitor the MC’s password security through detailed event logging and reporting capabilities.

An MSP administrator can also be granted permission to adjust the number of licenses an MC has via the central pool. The central pool must have the licenses already purchased and available “in inventory” in order for them to be allocated to the MC.

A separate “License Purchaser” role exists which allows an MSP administrator to add or remove licenses from the MSP’s license pool. This permission allows the MSP to limit who has the authority to purchase and distribute licenses to an MC, without restricting their right to act as an administrator.


Teams and Shared Folders

Teams can be created to allow groups of users to share login credentials which are stored as a collection of records in a folder.

This functionality can be leveraged by MSPs to set up passwords for use by their MC client:

  1. A series of records with the URL, username, and an initial password could be set up by the MSP technician as the initial “owner.”

  2. This folder could be shared with a user, or users at the client.

  3. Once done, the MSP could relinquish ownership and visibility of that folder so that it is effectively transferred to the MC user and now completely private.

Account Transfer

Organizations can enable the Account Transfer feature, which provides a “break glass” recovery mechanism for all records stored in a user’s vault if that user were to leave the organization. An admin can be designated to recover that user’s vault so critical access credentials are not lost, thus avoiding a lockout.

The admin who receives the transferred vault must be local to the MC; vaults cannot be transferred to MSP staff.

Advanced Reporting and Alerts

Keeper's Advanced Reporting and Alerts Module ("ARAM") provides filtered views and real-time alerts for over 90 different event types, all of which are driven by user-level and administrative-level activity. These event types have been expanded to include MSP-specific operations:

Support for ConnectWise

Control Helper Tool

Keeper provides quick access to your Keeper Vault when running a ConnectWise Control remote desktop session. To set up and then access your Keeper vault from this tool, take these steps:

  1. Establish an account with Keeper and store credentials in your secure vault.

  2. Install the Keeper Control tool from the ConnectWise Marketplace at https://marketplace.connectwise.com/

  3. Launch ConnectWise Control

  4. Establish a remote support session

  5. Click on the “+” button to access the Helper functionality; a Keeper tile should appear after the tool has been successfully installed

  6. Click on the Keeper tile and log in to your Keeper vault

After logging in, a search window will appear that can search your Keeper vault for passwords, which can then be filled into the login fields of a remote session.

Once you come across a site or application in your remote session that you need to log in to, search in the Keeper helper field for the name of the site to view available vault records. Then click on the record you need.

Keeper will then show your record content and fill in the credentials in the remote session.