
# Vault Release 18.4.0

## New Features

#### **Keeper Privileged Cloud — Just-In-Time Access for the Modern Enterprise**

Keeper Privileged Cloud delivers identity-based, just-in-time (JIT) access across cloud platforms and directory services. By granting temporary elevated access only when needed — and revoking it automatically when the session ends — Keeper Privileged Cloud eliminates standing privilege risk while keeping your workforce productive and your security posture strong.

Access is enforced directly at the identity layer by temporarily modifying role assignments, group memberships, or entitlements within your existing identity provider — whether that's through SSO, federated applications, or role-based access controls. No manual cleanup, no forgotten permissions, and a full audit trail every step of the way.

#### **Key Benefits**

* Eliminates standing access risk with automatic, time-bound privilege grants
* Identity-native enforcement through your existing SSO, group, and RBAC policies
* Full auditability with complete logs of every access grant and revocation event

#### When to Use Privileged Cloud

Privileged Cloud is the right fit when:

* Access is granted through an identity provider, directory group, or cloud role
* Users sign in through SSO or a federated login flow
* You want temporary entitlements instead of shared privileged accounts
* Access must be approved, time-bound, and fully auditable

#### Prerequisites

Privileged Cloud extends KeeperPAM's [Just-In-Time Access (JIT)](https://docs.keeper.io/keeperpam/privileged-access-manager/just-in-time-access-jit) framework. Before configuring, confirm the following are in place:

* A [Keeper Secrets Manager application](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/applications) is configured and operational
* A [KeeperPAM Gateway](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways) is deployed and can reach the identity provider APIs
* [Workflow](https://docs.keeper.io/keeperpam/privileged-access-manager/just-in-time-access-jit/workflow) is enabled for approval and time-bound access
* A [PAM Configuration](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-configuration) exists for a supported identity platform
* The target user exists in both Keeper and the identity source
* The target group, role, or entitlement already exists in the identity platform
* The target cloud account, tenant, or application already trusts that identity platform
* The Gateway has outbound network access, DNS resolution, and HTTPS connectivity to the required endpoints

{% hint style="info" %}
If you use federated access, confirm the trust relationship between the target platform and the external identity provider is working before enabling Privileged Cloud.
{% endhint %}

#### Identity Modes

Privileged Cloud supports two identity modes. When a request is submitted, KeeperPAM applies the elevation through one of the following paths:

**Direct identity mode** — KeeperPAM communicates directly with the identity system defined in the PAM Configuration. Use this when the target platform manages its own identities and roles.

**Federated identity mode** — KeeperPAM routes the request through a separate identity provider configuration. Use this when the target platform relies on an external IdP for authentication or entitlement mapping. To enable, turn on Federated Identity in the PAM Configuration and select the separate PAM Configuration that points to the external IdP. KeeperPAM applies the temporary identity change in the federated directory, then lets the target platform evaluate that change through its normal SSO or federation path.

For a full list of supported platforms, see [Supported Identity Platforms](https://docs.keeper.io/keeperpam/privileged-access-manager/just-in-time-access-jit/keeper-privileged-cloud#supported-identity-platforms).

{% hint style="info" %}
Visit the [Keeper Privileged Cloud](https://docs.keeper.io/keeperpam/privileged-access-manager/just-in-time-access-jit/keeper-privileged-cloud#workflow-settings) docs to learn more.
{% endhint %}

## Improvements

* **VAUL-9031:** Add zero-state screen for CNAPP Cloud Security
* **VAUL-9034:** Enhance Manage Access and Enable JIT from Remediate Action modal
* **VAUL-9072:** Add new CNAPP Remediation Action — Remove Standing Privilege
* **VAUL-7557:** Audit dependencies
* **VAUL-9035:** Update wording on CNAPP modals for "Enable JIT" and "Manage Access"
* **VAUL-9047:** Update record/folder selected state in dark mode
* **VAUL-9081:** Fix CNAPP fields showing on both "General" and "Features" tabs
* **VAUL-9089:** Resolve vault SBOM vulnerabilities
* **KDE-2119:** Allow folder names to span 2 lines of text
* **KDE-2137:** Resolve desktop SBOM vulnerabilities

## Bug Fixes

* **VAUL-8831:** Permission error message when clicking Share button on non-KD account
* **VAUL-8869:** Sharee with "Can Manage Records" in classic SF missing disabled fields for KD account
* **VAUL-8870:** Sharee with "Can Manage Users" in classic SF missing disabled fields for KD account
* **VAUL-8893:** Error message when clicking Share in record options menu on non-KD account
* **VAUL-9007:** CNAPP issue stays in "Requires Attention" when rotation fails without resolution submission
* **VAUL-9025:** Cloud Security titles, tags, and severity not translated
* **VAUL-9033:** Japanese translation misses
* **VAUL-9053:** Team Name and View Team link on same line; missing space beneath My Folders label
* **VAUL-9060:** PAM rotating SSH Admin with private key failing
* **VAUL-9062:** Add missing restricted-to-share message in KD GRE
* **VAUL-9076:** Fix zero state for Cloud Security
* **KDE-2088:** LastPass Shared Folders fail to import via Automated Import
* **KDE-2123:** Linux Fedora checksum errors when updating to 18.2.1
* **KDE-2134:** Microsoft Defender ASR blocking bootstrap executable from Microsoft Store install path

## Web Vault Update Instructions

* To ensure you're using the latest Web Vault, reload the vault login page (or press Shift+Ctrl/Cmd+R to force a refresh)

## Desktop Update Instructions

* If you installed Keeper Desktop directly from the Keeper website, download the latest version from:\
  <https://www.keepersecurity.com/download.html?t=d>
* If you installed Keeper Desktop from the Mac App Store or Microsoft Store, visit the store to perform the update.


