Endpoint Privilege Manager 1.3
Overview
Keeper Endpoint Privilege Manager (KEPM) version 1.3 introduces significant new capability across auto-update infrastructure, policy enforcement, and cross-platform reliability. The centerpiece of this release is the KeeperUpdater framework, which lays the foundation for policy-managed agent auto-update — enabling administrators to control update timing, versioning, and rollout behavior through the same policy model used for endpoint privilege enforcement. Alongside this, v1.3 introduces a new AgenticAccess policy type for AI and automation workflows, native elevation support for Windows MSI installer packages, and automatic agent re-registration on hostname change — eliminating a previously disruptive manual recovery step in managed environments.
On Windows, policy evaluation now includes parent process context, enabling more precise policy targeting based on the process hierarchy that initiated an elevation or access request. Azure AD / Microsoft Entra ID environments gain improved admin detection, resolving a long-standing gap in hybrid identity scenarios. On macOS, multi-file trashing is now supported through the KeeperTrash integration, and the System Extension gains high-load resilience with configurable fallback filters to ensure policy evaluation remains stable during intensive system events such as login storms and OS updates.
This release also includes the Rust-based KeeperFilterAgent for ZTNA DNS filtering, a redesigned About dialog, improvements to KeeperClient tray behavior, a broad set of localization fixes, and resolution of numerous customer-reported stability and UI issues across Windows, macOS, and Linux.
New Features (Cross-Platform)
AgenticAccess Policy Type
KPAM-2006: Introduced a new AgenticAccess policy type that enables administrators to define and enforce access controls for agentic and AI-driven workflows. Policies of this type can be applied to automated processes and AI agents operating on managed endpoints, bringing the same privilege gating, approval, and audit capabilities available for human-initiated elevation to non-interactive and AI-driven execution contexts.
Windows MSI Package Elevation
KPAM-1998: Users can now install MSI packages that require elevation through KEPM policy controls on Windows. When a user initiates an MSI installation that would normally require a UAC prompt, KEPM intercepts the request and routes it through configured privilege elevation policies — enabling MFA, justification, or approval workflows before the installer runs, without granting the user standing admin rights.
Automatic Agent Re-Registration on Hostname Change
KPAM-1984: The KEPM agent now automatically detects when the OS hostname has changed since initial registration and re-registers with the Keeper backend using the stored deployment token, without requiring administrator intervention. On startup, the agent compares the current hostname against the registered hostname; if a mismatch is detected, re-registration is initiated automatically and a HostnameChangeReregistered audit event is emitted. If re-registration fails, the agent logs a clear, actionable error and surfaces a health warning. Policy enforcement continues from the local cache during the re-registration window, ensuring no coverage gap for end users.
KeeperUpdater Auto-Update Infrastructure
KPAM-1932: Introduced the KeeperUpdater job, the foundational component of KEPM's policy-managed auto-update framework. KeeperUpdater enables agents to receive, evaluate, and apply updates in a controlled manner governed by administrator-defined update policies. This release delivers the MVP job implementation alongside the supporting plugin shell, registration mechanism, job manifest versioning, plugin-core compatibility enforcement, and version snapshot tracking needed to support phased and pinned update rollouts in future releases.
Rust KeeperFilterAgent — ZTNA DNS Filter Driver
KPAM-1993: Delivered a Rust-based implementation of the KeeperFilterAgent responsible for loading and managing the ZTNA DNS filter driver on Windows. This replaces the prior C++ reference implementation with a Rust equivalent, improving memory safety and long-term maintainability for the network filtering component.
Windows Parent Process ID in Policy Evaluation
KPAM-2005: Policy evaluation on Windows now includes the parent process ID of the requesting process. This enables administrators to author policies that account for process hierarchy — for example, distinguishing whether an elevation was initiated from a terminal, a script host, or a user-facing application — enabling more precise and context-aware access controls.
KeeperClient — Update Policy Support
KPAM-2007: Extended KeeperClient to handle Update policies delivered from the Keeper backend, enabling client-side behavior and configuration to be adjusted through the policy pipeline without requiring agent reinstallation or manual configuration file changes.
KeeperAgent — Open on Tray Icon Left-Click
KPAM-1630: Left-clicking the KEPM system tray icon now opens the KeeperAgent window directly, consistent with standard tray application behavior across Windows, macOS, and Linux. Previously, left-clicking produced no action.
Redesigned About Dialog
KPAM-1437: The agent About dialog has been redesigned to match updated UX specifications, providing a cleaner presentation of version, registration status, and connection information across all supported platforms.
Incompatible File Selection Warning
KPAM-975: When a user selects files that are incompatible with a requested operation — such as files that cannot be processed by the current policy control — the agent now displays a clear, descriptive message explaining why the selection cannot be acted on, rather than failing silently or producing a generic error.
Agent Version Exposed in Endpoints
KPAM-839: The current installed agent version is now included in the agent's local endpoint responses, enabling administrators and integrations to programmatically query the running version of the KEPM agent on a managed endpoint.
macOS Specific New Features
Multi-File Support for KeeperTrash
KPAM-1978: KeeperTrash on macOS now supports moving multiple selected files to the trash in a single operation. Previously, when a user selected multiple files and initiated a trash action through Keeper, only the first file in the selection was processed. Files subject to different policy controls (justification, MFA, approval) are handled appropriately per-file through the policy evaluation pipeline.
Feature Improvements
Azure AD / Microsoft Entra ID Admin Detection
KPAM-2010: KEPM now correctly identifies users with administrative privileges in Azure AD-joined and Microsoft Entra ID environments. This resolves a gap where KEPM failed to recognize Entra-managed admin accounts, causing policy evaluation to treat them as standard users. Policy enforcement now functions correctly in cloud-identity and hybrid-join configurations.
macOS System Extension — High Load Resilience
KPAM-1868: The macOS System Extension now implements configurable fallback filters for high-load scenarios. When the policy evaluation engine receives more requests than it can process — such as during system startup, login, or OS update events — the System Extension falls back to a pre-defined list of safe system paths that are automatically allowed, preventing login hangs and UI freezes while maintaining policy enforcement for non-system processes.
macOS System Extension — Parent Process ID and Activity Correlation
KPAM-1994: The macOS System Extension now includes the parent process ID and activity correlation ID in policy evaluation requests, enabling more accurate process-context tracking and matching the information available on Windows and Linux for audit and policy targeting purposes.
Least Privilege Policy — Admin Cache Correctness
KPAM-1877: Resolved a caching bug in Least Privilege policy enforcement where the stored set of administrative accounts was never refreshed after initial population. This caused accounts removed from admin status to be incorrectly restored when the Least Privilege policy was toggled off, and prevented accurately tracking which accounts held admin rights across policy change cycles. The admin set is now correctly re-evaluated on each policy application.
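The caching defect described in KPAM-1877, modelled as an added example (this is not Keeper's code). It assumes the policy strips admin membership when applied and restores the stored set when toggled off; Endpoint, StaleCachePolicy, RefreshingPolicy, toggle_cycle and the account names are hypothetical.

```python
class Endpoint:
    """Constructed stand-in for a machine's local administrators group."""
    def __init__(self, admins):
        self.admins = set(admins)


class StaleCachePolicy:
    """Pre-fix behaviour: the admin set is stored once and never refreshed."""
    def __init__(self):
        self.saved = None

    def apply(self, ep):
        if self.saved is None:           # populated on first application only
            self.saved = set(ep.admins)
        ep.admins.clear()                # assumed: policy removes standing admin rights

    def remove(self, ep):
        ep.admins |= self.saved          # toggling off restores the stored set


class RefreshingPolicy(StaleCachePolicy):
    """Fixed behaviour: the admin set is re-evaluated on each application."""
    def apply(self, ep):
        self.saved = set(ep.admins)      # snapshot reflects the current state
        ep.admins.clear()


def toggle_cycle(policy):
    """Run two on/off cycles with an intentional demotion in between."""
    ep = Endpoint({"alice", "bob"})      # constructed sample accounts
    policy.apply(ep)
    policy.remove(ep)                    # first cycle: both accounts restored
    ep.admins.discard("bob")             # administrator removes bob's admin rights
    policy.apply(ep)
    policy.remove(ep)                    # second cycle: what gets restored now?
    return ep.admins


if __name__ == "__main__":
    print("stale cache:", sorted(toggle_cycle(StaleCachePolicy())))
    print("refreshed  :", sorted(toggle_cycle(RefreshingPolicy())))
```

With the stale cache, the demoted account regains admin rights after the second toggle, which is why the stored set has to be rebuilt on every policy application.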
Localization — Locale Takes Precedence Over Region
KPAM-1804: Updated the localization resolution logic so that a user's configured locale takes precedence over region when selecting the display language. This corrects cases where users in one region with a locale configured for another language received UI strings in the wrong language.
Plugin Settings Refresh Without Service Restart
KPAM-1853: Added an MQTT ConfigsChanged topic that plugins subscribe to in order to detect and reload updated settings without requiring a service restart. Administrators can now push plugin configuration changes and have them take effect on running agents without interrupting the service lifecycle.
Installation Progress Indicator
KPAM-1839: The "Installation in Progress" KeeperMessage dialog now displays a progress bar, giving users clear visual feedback that an installation is actively running rather than appearing to hang at a static screen.
File Access Executable Skip List — Now Configurable
KPAM-1890: The list of executables excluded from File Access policy enforcement (previously a static compile-time list) has been moved to configuration, allowing administrators to customize which executables are exempt from File Access controls without requiring an agent update.
Full Inventory Scan — No Longer Runs on Service Startup
KPAM-1898: The Full Inventory scan is no longer triggered automatically on every service startup. This eliminates unnecessary resource consumption during agent initialization, particularly on endpoints where the inventory has not changed since the last scheduled scan.