Your Keeper account and stored data will reside in the EU (Dublin) data center.
We're excited you have chosen Keeper to protect your business.
This guide will provide valuable information on how to quickly
onboard your employees and use the powerful features of the
Keeper Enterprise platform.
To help with the decision-making process of adopting Keeper
Enterprise, several resources are provided for your executive
and IT management teams.
Keeper Enterprise provides the highest levels of security while at
the same time providing a simple user experience. With over 14 million
users worldwide, Keeper is the proven industry leader.
Passwords are the single greatest cause of a data breach. 81% of data
breaches are due to weak or stolen passwords. Password management solutions
provide an affordable and simple way for companies to solve the root cause
of most data breaches. By helping businesses to generate strong passwords,
manage them and securely share them among teams, they reduce the risk of data
Keeper's architecture is the most secure in the industry. Built from the
ground up with record-level encryption and client-side key generation,
the foundation of Keeper Enterprise is built upon a model that provides
least privileged access. This foundation is what gives Keeper the ability
to apply the most granular level of protection to user data and enables
the core features and capabilities of the product. Users, Roles, Teams,
Records and Shared Folders are all protected and managed through the
use of client-side generated keys.
To learn more, visit Keeper Security Architecture
SSO and SAML simplify login to many cloud applications; however, they
have their limitations. Keeper (with Keeper SSO Connect) fills the
two major gaps in your SSO deployment:
With Keeper SSO Connect, you can easily add Keeper to the apps that your IdP services.
Whether you use AWS, Okta, Centrify, Ping, Jumpcloud or any other SAML 2.0 Identity Provider,
Keeper will easily integrate. Keeper SSO Connect logs the user directly into their encrypted
vault while maintaining true zero knowledge.
Keeper SSO Connect is essentially an on-prem hosted high availability solution that the customer
hosts and manages. This architecture preserves zero knowledge and allows the end-user to authenticate
directly into their vault.
The ability to provide "least privilege access" to an employee is critical in the deployment
of an Enterprise Password Manager. Keeper gives fine-grained control over what users are
capable of accessing and managing within the platform through the use of customizable role
policies. By providing a flexible role policy engine, you can lock down restrictions and
access based on the risk profile of the employee. For example, you may want your IT Admins
to be restricted from accessing their vault outside of the office network. Or you may want
to give administrative assistants the ability to onboard new users, manage teams and run reports.
The entire process is fully customizable through a user-friendly interface.
Role Enforcements Include:
Keeper Administrators can create organizational units (called "Nodes"). A role
can be given Administrative permissions over the node (or sub-nodes) for which
a role exists. This delegated administration allows different people in the
organization to have management controls over subsets of teams of users, roles
and shared folders.
Keeper's Zero Knowledge "Account Transfer" capabilities provide Enterprise
customers with the peace of mind that an employee will never walk away with
critical data when they leave the organization.
Keeper is a cross-platform solution that provides full capabilities from
every major platform and device including iOS, Android, Windows, Mac and
Linux. Browser plugins are compatible with Chrome, Firefox, Edge, Safari
and Internet Explorer.
There's a significant productivity gain by rolling out a password manager
since 50% of help desk calls are estimated to be password related.
When employees don't need to worry about remembering passwords,
the cost savings are massive.
Compliance is becoming even more complex with requirements mandating
internal control policies and standards. An enterprise password
management product solves many of the pain points in enforcing
complex passwords and safeguarding of data that is protected by
Keeper is SOC 2 Compliant, GDPR Compliant, GSA Certified, SAM Certified and TRUSTe Certified.
For the most successful rollout of Keeper Enterprise, we recommend following the below steps:
End-user documentation is available in our Keeper Enterprise End-User Guide.
When you first login to the Admin Console, it will bring you to the "Admin" tab. From here, you can access Nodes, Users, Roles, Teams,
Two Factor Authentication, Provisioning and License. On-screen guides will highlight the main functional area.
Nodes are a way to organize your users into distinct groupings, similarly to organizational units in Active Directory. The administrator can create nodes based on location,
department, division or any other structure that makes sense. By default, the top-level node, or "Root Node" is set to the organization name, and all Nodes can be created underneath.
For more information, refer to Nodes & Organizational Structure
Keeper is easy to deploy to your users in the organization, and our flexible tools provide many options in your rollout plans.
To get started, we recommend that you consider the organizational structure of your Keeper account. The building blocks of Keeper's security model are Nodes, Users, Roles and Teams which are covered in detail
throughout this guide.
All users who join the organization's Keeper subscription will be responsible for managing their own encrypted vault. Whether users are manually created or provisioned, their vault is protected by a Master Password which is used to encrypt and
decrypt the user's "data key" which is then used to encrypt their data.
We recommend separating your personal, private records from your business records by creating two separate user accounts. When enforcements are applied to the enterprise (such as Account Transfer privileges),
users who have personal records mixed with business information risk having their personal information transferred.
When preparing for a rollout, you can consider one of the following options when adding users:
For more information, refer to Users
Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions.
For more information, refer to Roles
Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer.
For more information, refer to Account Transfer
The purpose of creating Teams is to form logical groupings of individuals so that folders in the Keeper Vault can be shared with a whole group at once. The administrator
simply creates the team, sets any Team Restrictions (editing, viewing or sharing of passwords), and adds the individual users to the team.
For more information, refer to Teams
Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari,
Firefox, Edge and IE. Native app installation is available from the Keeper website and every public-facing
app store (iTunes, Google Play, Microsoft Store, etc).
For more information, refer to Deploying Keeper to End-Users
Nodes are a way to organize your users into distinct groupings, similarly to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other
structure that makes sense. By default, the top-level node, or "Root Node" is set to the organization name, and all Nodes can be created underneath.
Nodes are not visible or configurable by default. To activate the Node configuration, select "Advanced Configuration" and then enable "Show Node Structure". If you do not require organizational units leave
this feature turned off.
Smaller organizations might choose to administer Keeper as a single level, meaning no additional nodes are created by the Keeper Administrator. In this scenario, all provisioned users, roles, and teams are
accessed from the default Root Node. The advantage of this configuration is that no additional navigation is required to find objects, as they are listed under the default root level and easily accessed by
navigating to the appropriate tab (Users, Roles, Teams).
Larger organizations may find benefit in organizing locations or departments into organizational containers called "Nodes". Users can then be provisioned under their respective node and have roles configured
to match the specific needs of the business. One of the advantages of defining nodes is that it supports the concept of delegated admins. A delegated administrator can be granted some or all of the Administrative
permissions, but only on their respective node (or sub-nodes), which reduces the administrative load on the primary Keeper Administrators.
When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups within specific organizational units in Active Directory
will be placed in the corresponding Node in the Keeper Admin Console.
To manually create Nodes and Sub Nodes, select the “+” button. The “Add Node” window will appear. Type the name of the Node in the “Name” field and select the node where you want the new node to be added in
the tree structure.
At any time, you can change which node you are viewing by navigating to or selecting the nodes in the far-left Node pane. To navigate to the root node or top level, select the business name (e.g. The Company)
in the navigation tree or in the breadcrumb along the top.
If the use of nodes is not required by your organization, the Keeper Administrator can disable viewing nodes by selecting "Advanced Configuration" and then disabling "Show Node Structure".
Teams are only visible to users in the tree path above and below the node that the team is contained in (not adjacent nodes). To make a team that everyone can see and share to, we recommend setting up your teams in
the Root Node or in a node at a higher level above the sub-nodes, which will be visible to everyone. The visibility of users and teams is important with regard to Shared Folders.
If nodes are enabled, either via Active Directory integration or configured from the Admin Console, the placement of the role is important with regard to where the administration permissions begin.
Placement of the role at the top level, “AD Root”, will allow the permissions to flow down to any of the sub-nodes if the “Cascade Node Permissions” attribute is checked. If the role is placed in a sub-node with the
“Cascade Node Permissions” attribute checked, then the permissions apply to that node and its two sub-nodes but not any others. If the “Cascade Node Permissions” attribute is not checked, then the role permissions are only
applied to the specific node to which the role belongs.
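The two tree rules above (team visibility along the path above and below a node, and "Cascade Node Permissions" flowing down to sub-nodes) are easy to get wrong when reasoning about a real hierarchy. The following is an added example, not Keeper's code: it models a constructed node tree (the node names are invented) and implements both rules so you can check which nodes a role's administrative permissions cover and which users can see a given team.

```python
# Added example (not Keeper's code): a model of node placement rules.
# The hierarchy below is constructed for illustration; child -> parent,
# with the root ("The Company") having no parent.
from typing import Dict, List, Optional, Set

PARENT: Dict[str, Optional[str]] = {
    "The Company": None,
    "EMEA": "The Company",
    "Dublin": "EMEA",
    "Berlin": "EMEA",
    "APAC": "The Company",
    "Tokyo": "APAC",
}


def ancestors(node: str) -> List[str]:
    """Path from `node` up to the root, starting with `node` itself."""
    path: List[str] = []
    cur: Optional[str] = node
    while cur is not None:
        path.append(cur)
        cur = PARENT[cur]
    return path


def descendants(node: str) -> Set[str]:
    """Every node below `node` in the tree (excluding `node`)."""
    return {n for n in PARENT if n != node and node in ancestors(n)}


def admin_scope(role_node: str, cascade: bool) -> Set[str]:
    """Nodes covered by a role's administrative permissions.

    With "Cascade Node Permissions" checked the permissions flow down to
    every sub-node; unchecked, they apply only to the node the role is in.
    """
    scope = {role_node}
    if cascade:
        scope |= descendants(role_node)
    return scope


def team_visible_to(team_node: str, user_node: str) -> bool:
    """A team is visible to users whose node lies on the tree path above or
    below the team's node; users in adjacent branches cannot see it."""
    return team_node in ancestors(user_node) or user_node in ancestors(team_node)


if __name__ == "__main__":
    # A role placed in EMEA with cascade manages EMEA, Dublin and Berlin only.
    print(sorted(admin_scope("EMEA", cascade=True)))
    # A team created in EMEA is visible from Dublin but not from Tokyo,
    # while a team in the root node is visible from everywhere.
    print(team_visible_to("EMEA", "Dublin"), team_visible_to("EMEA", "Tokyo"))
    print(all(team_visible_to("The Company", n) for n in PARENT))
```

Placing a team in the Root Node makes `team_visible_to` true for every node, which is the recommendation given above for teams that everyone should be able to share to.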
User provisioning is simple and easy with Keeper Enterprise. There are many options to choose
from based on your needs, the location of your user directory and the complexity of your organization's structure.
Before you invite users to your Keeper account, you may want to
customize the Vault logo and email invitation message that they receive.
For organizations who do not require any advanced directory integration or SSO,
manual user creation can be performed at any time from within the Keeper Admin Console.
You can optionally import all of your user accounts via a flat file (.csv).
The Keeper Bridge is an enterprise-class service application that supports the
ability to automatically sync Nodes, Users, Roles and Teams to your Keeper
Enterprise account from an Active Directory or LDAP service. To activate
and install the Keeper Bridge, follow the below steps:
Keeper Bridge supports single and multi-domain, multiple forest domains and
other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment.
For detailed installation instructions see the Keeper Bridge Guide.
Keeper can dynamically (Just-in-time) provision and authenticate users through any SAML 2.0
compatible identity provider through the use of our proprietary Keeper SSO Connect component.
Keeper SSO Connect is a SAML 2.0 application which leverages Keeper’s zero-knowledge
security architecture to securely and seamlessly authenticate users into their Keeper
Vault and dynamically provision users to the platform. Keeper SSO Connect works with
popular SSO IdP platforms such as G Suite, Microsoft AD FS / Azure, AWS, F5 BIG-IP APM,
Okta, Centrify, OneLogin, Ping Identity and CAS.
Keeper SSO Connect is installed on the customer's on-prem or cloud infrastructure in
order to preserve Keeper's Zero-Knowledge architecture. Your SSO Identity Provider will
communicate and authenticate users by communicating directly with the Keeper SSO Connect
instances that you operate in a high availability configuration.
Here's how Keeper SSO Connect works:
The Keeper SSO Connect service application can be installed on a private on-premise or cloud-based server. Windows,
Mac OS and Linux operating systems are fully supported. On Microsoft Windows environments, the Keeper SSO
Connect application runs as a standard Windows service. This ensures the service won't exit when anyone
logs off the PC and will automatically start up upon reboot. It can also be configured for High Availability (HA).
In order to ensure the service is always active, Keeper SSO connect can be installed on multiple servers that
sit behind a load balancer.
When installing and configuring SSO on a node within your Keeper account, you will be asked to select
an "Enterprise Domain". This is a unique string that will be typed in by your end-users to login to
Keeper when accessing their account on a device. We recommend informing your users of the
Enterprise Domain name so that they are able to access their Keeper vault on any device
and platform. The Enterprise Domain is not needed when logging in to Keeper directly
from the Identity Provider portal.
For detailed setup instructions, FAQs and workflow questions please see the Keeper SSO Connect Guide. Our implementation
engineers are also available by emailing email@example.com. Most implementation issues can be
addressed quickly via a screen sharing session or email.
Enterprise customers may want the benefit of automated provisioning and deprovisioning of users, roles, and teams
through Active Directory integration while also leveraging the ability for their users to Single
Sign-On (SSO) to their vaults through authentication to an Identity Provider (IdP) like Active
Directory Federation Services (AD FS), Okta, G Suite, Azure, etc.
While the specific instructions on installation and configuration can be found in the Keeper Bridge Guide and in the
Keeper SSO Connect Guide for specific identity providers, the below high level instructions will provide some best practices to leverage both integrations simultaneously.
To facilitate the rapid onboarding of Keeper to a large number of end-users such as a university, Keeper
supports email auto-provisioning. For example, anyone with the email address having a domain of
"acme.com" can be automatically provisioned to a particular node and role within the "Acme Corp"
Keeper Enterprise account upon creating their vault.
https://firstname.lastname@example.org (Replace xxxxx with the email address)
Alternatively users can simply go to our app store or download page: https://keepersecurity.com/download
Keeper supports the ability to provision users and teams from Microsoft Azure AD
or other identity platforms using the SCIM protocol. For customers that utilize
Azure AD, users can be provisioned to the platform and automatically added to
Teams for receiving Shared Folders. Keeper/Azure provisioning integration supports the following features:
When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state; new users will receive an email invitation prompting them to create a Keeper account.
To set up Keeper user provisioning with Azure AD, you need access to the Keeper Admin Console and an Azure account.
1. Go to your Azure Admin account and add “Keeper Password Manager” to the list of your applications. Open the app and go to the “Provisioning/API integration” screen. Select the “Automatic” option.
2. Open the Keeper Admin Console and navigate to a node which should be synchronized with your Azure AD.
3. Click “Add Method”. Choose “SCIM” option and click “Next”. Click “Create Provisioning Token”.
4. Copy the values for URL and Token and paste them into “Tenant URL” and “Secret Token” fields in the Azure AD Keeper app. Click “Save” to finish provisioning setup on the Keeper side.
5. Go back to the Azure AD Keeper app and click “Test Connection”. If successful, save the credentials. Change “Provisioning Status” to “On” and save the provisioning settings again.
6. Go to the “Users and Groups” section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app. Wait for about 5 minutes and click the “Sync” button in the Admin Console. Verify that users appear under the “Users” tab.
The SCIM protocol is used for provisioning of users and teams, not for authentication.
To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow
the setup instructions in the Keeper SSO Connect Guide.
Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The
Keeper Commander SDK is open source Python code that is available for download from Keeper's
Github Repository. The Commander SDK can assist in the following use cases:
Since Keeper Commander is an open source SDK and written in Python, it can be
customized to meet your needs and integrated into your back-end systems.
Keeper/Okta provisioning integration supports the following features:
When provisioning users, the Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state; new users will receive an email invitation prompting
them to create a Keeper account.
To set up Keeper user provisioning with Okta, you need access to the Keeper Admin Console and an Okta account.
1. Go to your Okta Admin account and add “Keeper Password Manager” to the list of your applications. Open the app and go to the “Provisioning/API integration” screen.
2. Open the Keeper Admin Console and navigate to a node which should be synchronized with your Okta account.
3. Select “Add Method”. Choose “SCIM” option and select “Next”. Select “Create Provisioning Token”.
4. Copy the values for URL and Token and paste them into their corresponding fields in the Okta Keeper app. Select “Save” to finish provisioning setup on the Keeper side.
Note: Make sure that a user's username and email are always the same during user assignment.
5. In the Okta app select “Test API Credentials”. If successful, save the credentials. Assign the app to some users and after a short period, select the “Sync” button in the Admin Console. Verify that
users appear under the “Users” tab.
6. In the Okta "Sign On" tab, set the 'Application username format' to 'Email'. Click "Save".
Known Issues/Troubleshooting and Tips
Users can be in one of 5 states: Invited, Active, Disabled, Locked, Blocked.
Additional user actions can be performed from the "Edit User" pop-up. Icons only show if an action is relevant to that user's account.
In the Search Field, select "Filter." Type the name of the user to be searched. Additional filter selections can be made on "Active," "Invited,"
"Disabled," "Locked" and "Blocked".
Once the user has been added, the Administrator can edit or make changes to a user's profile. Select the user that you want to modify by selecting
the pencil icon on the row for that user. On the popup, you will see the fields that can be edited, such as Name, Roles, or Team.
Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account
registered to the Keeper for Business company profile is assigned the "Keeper Administrator" role underneath the "Root Node". Other users can be assigned this role as well.
The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role “Keeper Administrator” is applied to the initial
administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they
can be assigned administrative permissions for access to the admin console.
Note: The "Keeper Administrator" role requires at least two users in this role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. The creation of other roles is
not required, but highly encouraged.
You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory,
please refer to our Keeper AD Bridge section in this guide.
To add roles manually, select the "Roles" tab. Once on the Roles tab, navigate to the specific node that the role is to be part of. Select the “+” button.
An “Add Role” window will appear. Verify or select the appropriate Node in the organization tree (or set it to the Root Node). Add the name of the role you are creating in the
“Role Name” field and select Save. After the role has been created, you can configure the role enforcement settings, select the users to assign the role to, and set administrative permissions.
Select the role that you want to configure enforcement settings for. The role dialog box will appear on the right. Now select the “Enforcement Settings” button. The
“Enforcement Setting” dialog box will appear. The settings are structured into eight different areas: Login Settings, Two-Factor Authentication, Platform Restriction,
Sharing & Uploading, Account Settings, Transfer Account, Email Invites, and Advanced Settings.
On this screen you have the ability to configure the Master Password Complexity settings for users that are assigned the selected role. Settings include: password length,
special characters, how many uppercase letters, and how many digits will be required.
Turning on this policy will require users to change the master password at the selected time interval. When this option is turned on the “Master password expires every”
option appears. To configure the number of days that the master password must be changed select the setting and choose one of the selections from 10 to 150 days.
If a user's Master password needs to be expired immediately, this can be done from the "Users" tab. Select the user(s) that you wish to expire the master password for and select "Expire Master Password" option on
the top right of all the users. This will instantly expire a user's password and require a password reset.
iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support fingerprint login. By default, all fingerprint logins are allowed.
Turning on this policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.
More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.
An admin can restrict the use of certain platforms (Web Vault, Extensions, Mobile and Desktop devices). By default all platforms are allowed.
Prevent record sharing outside of Keeper Enterprise
Turning on this policy will ensure records are not shared with users outside of your organization.
Prevent record sharing with anyone
Enabling this option will prevent your users from sharing records with anyone.
Prevent exporting of records from Web App and Desktop App
This will prevent your users from exporting their data from their Keeper Web and Desktop Apps.
Prevent user from uploading files
When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.
Note: By default, all Sharing & Uploading restrictions are not enabled.
Restrict offline access
Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce.
Prevent users from changing their email
Turning this on prevents users from changing their email address.
Restrictions Based on IP Addresses
Users within the specified role can be restricted from using Keeper outside of a specified IP address range. The IP address must be your external (public) address as
seen by the Keeper infrastructure at the time of user login.
Time limits can be set before a platform logs out the user. Time limits from 1, 2, 5, 10, and 30 minutes can be set on specific platforms.
Select the role which can perform the account transfer
Note: Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.
For more in-depth information, refer to Account Transfer - Employee Offboarding
Don't send email invitations.
Increasing PBKDF2 iterations improves the level of security. However, certain desktop web browsers cannot handle this level of key-derivation work, and users on those browsers will be unable to log in.
If a user is a member of multiple roles with differing enforcements, all enforcements must be satisfied for all the roles the user is a member of.
For example: Role A does not allow sharing. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A does not allow it.
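The "all enforcements must be satisfied" rule means the effective policy for a user in several roles is always the most restrictive combination: numeric minimums take the largest value, "prevent" switches combine with OR, allowed platforms intersect, and every role's IP restriction must hold. The following is an added example, not Keeper's code or settings model: it builds that combined policy from a few constructed role enforcements (the role names, field names and sample IP ranges are assumptions for illustration) and reproduces the Role A / Role B sharing case from the paragraph above.

```python
# Added example (not Keeper's code): resolving the effective enforcement for a
# user who belongs to several roles. Field names model the enforcement areas
# described in this guide; they are not Keeper's internal setting names.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ALL_PLATFORMS: FrozenSet[str] = frozenset({"web_vault", "extension", "mobile", "desktop"})


@dataclass(frozen=True)
class Enforcement:
    name: str
    min_password_length: int = 0
    min_special: int = 0
    min_upper: int = 0
    min_digits: int = 0
    require_2fa: bool = False
    prevent_share_outside: bool = False
    prevent_share_any: bool = False
    prevent_export: bool = False
    prevent_upload: bool = False
    restrict_offline: bool = False
    allowed_platforms: FrozenSet[str] = ALL_PLATFORMS
    # One tuple of CIDR ranges per restricting role; empty means no IP restriction.
    ip_rule_sets: Tuple[Tuple[str, ...], ...] = ()
    logout_timer_minutes: Optional[int] = None  # None = platform default


def effective_enforcement(roles: List[Enforcement]) -> Enforcement:
    """Combine role enforcements so that every role's rule is satisfied."""
    if not roles:
        return Enforcement(name="none")
    timers = [r.logout_timer_minutes for r in roles if r.logout_timer_minutes is not None]
    return Enforcement(
        name="+".join(r.name for r in roles),
        min_password_length=max(r.min_password_length for r in roles),
        min_special=max(r.min_special for r in roles),
        min_upper=max(r.min_upper for r in roles),
        min_digits=max(r.min_digits for r in roles),
        require_2fa=any(r.require_2fa for r in roles),
        prevent_share_outside=any(r.prevent_share_outside for r in roles),
        prevent_share_any=any(r.prevent_share_any for r in roles),
        prevent_export=any(r.prevent_export for r in roles),
        prevent_upload=any(r.prevent_upload for r in roles),
        restrict_offline=any(r.restrict_offline for r in roles),
        allowed_platforms=frozenset.intersection(*[r.allowed_platforms for r in roles]),
        ip_rule_sets=tuple(rs for r in roles for rs in r.ip_rule_sets),
        logout_timer_minutes=min(timers) if timers else None,
    )


def can_share(eff: Enforcement, recipient_in_org: bool) -> bool:
    """Sharing is blocked if any role blocks it for this recipient."""
    if eff.prevent_share_any:
        return False
    if eff.prevent_share_outside and not recipient_in_org:
        return False
    return True


def login_allowed(eff: Enforcement, platform: str, public_ip: str) -> bool:
    """The platform must be allowed and the login's public IP must fall inside
    at least one range of every role that restricts IP addresses."""
    if platform not in eff.allowed_platforms:
        return False
    ip = ip_address(public_ip)
    return all(any(ip in ip_network(cidr) for cidr in ruleset) for ruleset in eff.ip_rule_sets)


def master_password_ok(eff: Enforcement, password: str) -> bool:
    """Check a candidate master password against the combined complexity rules."""
    return (
        len(password) >= eff.min_password_length
        and sum(not c.isalnum() for c in password) >= eff.min_special
        and sum(c.isupper() for c in password) >= eff.min_upper
        and sum(c.isdigit() for c in password) >= eff.min_digits
    )


if __name__ == "__main__":
    role_a = Enforcement("Role A", prevent_share_any=True, min_password_length=12)
    role_b = Enforcement("Role B", prevent_share_outside=True, min_digits=2,
                         allowed_platforms=frozenset({"web_vault", "desktop"}),
                         ip_rule_sets=(("203.0.113.0/24",),), logout_timer_minutes=10)
    eff = effective_enforcement([role_a, role_b])
    # Role A wins for sharing: even in-organization sharing is blocked.
    print(can_share(eff, recipient_in_org=True))
    print(login_allowed(eff, "desktop", "203.0.113.7"), login_allowed(eff, "mobile", "203.0.113.7"))
```

The sample IP range is from the documentation-reserved block 203.0.113.0/24; in practice the range must be the organization's external (public) address as seen by Keeper at login time, as the IP restriction section above states.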
A role can be given Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different roles to have different permissions inside of the Admin Console.
An example of a role that can be created would be a “Delegated Admin" role. In this role the administrator can set up one or more Administrative Permissions that allow a user in the role to log in to the Keeper Admin Console
and perform administrative functions. For example, the delegated admin can be given permission to create teams, add users, create or edit roles, run reports and perform account transfers. These permissions can be limited to a
single node, or they can cascade or traverse down the tree structure to all the sub-nodes. In order to have the role applied to multiple nodes, simply select the + button after “Administrative Permissions” (see below) and add
the node the role will manage. Each node a role manages has its own set of permissions, and those permissions can cascade down from that node. For example: if the role was created in the top root-level node and there were
three other nodes created, each under the top-level node, the Administrative Permission can be added at the top node, the privileges added, and “cascade node permissions” selected. This would then give those permissions on
all 4 nodes to members of that role.
When "Cascade Node Permissions" is selected, the permissions will be applied to all sub-nodes of the parent node. It is important to note that Administrative Permissions cannot be added to a Role if one or more of its
users are still in the "INVITED" status.
The ability to transfer a user's vault.
Note: Only administrators who are a member of this role are able to check that box. If needed, you can add yourself to the role or another administrator
within the role can set this permission. Once this box is selected, only members of this role can add members to this role.
Both Administrative permissions and enforcements are configurable from within a role. "Enforcements" are rules or policies that apply to the end user's Vault experience and security. "Administrative Permissions" grant rights
to perform certain actions within the admin console (also known as "delegated administration").
We recommend that only specific roles are given Administrative Permission, and the permission level should be based on the least amount of privilege required by that role.
For example, the default Keeper Administrator may have created a role called “Users” specifically to handle the policies that are desired for all the users that have been onboarded to the Keeper platform. If one of those
users is intended to be able to perform some of the administrative functions, it wouldn't make sense to configure the “Users” role with the additional entitlements for that one user, as they would be applied to all the users,
which is not congruent with a least-privilege security model. So instead of editing the “Users” role to add additional administrative permissions, it would make the most sense to create a new role called “Delegated Admin”,
grant it the administrative permissions, and make the user a member of that role.
Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer
relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure.
Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.
When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is
an important and powerful way to take ownership of the content within user's vault while retaining a secure role-based hierarchy in the organization.
By default the Account Transfer permission is off. The Keeper Business administrator can optionally turn on the permission which permits the ability to take the contents of a user's vault and transfer it to another user.
One important note is that this permission needs to be enabled before it is needed. For example, if “User A” has a password in their vault that gains access to a business-essential application or account that
no one else in the organization has access to, and “User A”, for any number of reasons, is no longer able to authenticate to their vault, the business may find itself in a tough situation to recover access. However,
if the Account Transfer permission had been enabled in the default “Keeper Administrator” role (and any other role that is desired to have the transfer capability) and applied to the role that “User A” is a
member of, the Keeper Administrator would have the ability to transfer the full contents of “User A's” vault to another user.
When the decision is made to enable the Account Transfer feature on a particular role, all the users that are a member of that role will be subjected to the possibility of having the entire contents of their vault
transferred and their account deleted at will by the Keeper Administrator. After the enforcement setting is enabled, the users within the managed role will receive a pop up message inside of their vault informing
them that the business has chosen to enable the capability of transferring their vault if needed. Each user will need to Accept that consent notification. Upon acceptance, Keeper performs the necessary encryption
key exchange between users and roles to facilitate the data transfer in the future, if needed. Without this encryption key exchange, the user within the Admin Console would be unable to decrypt and transfer the data.
The reason for this process flow is to maintain zero knowledge, and to also ensure that only specified users are able to be transferred or perform the transfer. Once the vault has been transferred to another user,
the transferred user's vault is deleted.
No. While the Account Transfer feature does give the administrator the ability to migrate the entire contents to another user, it does not give the admin the capability to access the vault whenever they feel like it.
The vault being transferred has to be locked first, and after the contents are transferred the account is deleted. The end user will receive a notification when their account is locked by the admin and when it is transferred.
"Account Transfer" functionality must be enabled and the user must login to their vault (and accept the account sharing consent) prior to performing a transfer by an administrator. Below are the steps that must be performed.
The purpose of creating teams is to have logical groupings of individuals so that folders within the Keeper Vault can be shared with a collective group of individuals. The administrator
simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords), and adds the individual users to the team.
Navigate to the "Teams" tab and select the “+” icon. The “Add Team” window will appear, where you can enter the name of the team you are creating. Just like Roles, teams are added to the specific node that is selected.
Once the team is created, select the team name on the left, and the right panel will display the editable options. The Team name, "disable record re-shares", "disable record edits", "disable viewing passwords",
Node and Users can be configured. To delete a team, select the trashcan icon.
Team Restrictions (Disable record edits, etc) are explained in detail below in the section Team-Level Restrictions.
Teams can be configured with several restrictions that will override any folder-level permission settings.
1. Disable viewing passwords
With this restriction in place, passwords are usable for logging in from the browser extension but are "masked" visually on the user interface. Note that password masking is visual in nature only: the password is still stored
in the user's vault and remains accessible to that user via API communication and browser inspection, so this restriction should not be relied on as a security control.
2. Disable record re-shares
With this restriction in place, passwords shared to this team cannot be re-shared by team members. Shared Folder permissions take precedence.
3. Disable record edits
With this restriction in place, passwords are usable and viewable but cannot be edited. Shared Folder permissions take precedence.
4. Hide Shared Folders
Selecting the "Hide Shared Folders" checkbox will hide Shared Folders which have been shared to this team for a particular user within the team. The purpose of this is to allow an admin to be a member of
a team so that they can share the team encryption keys, but not have to receive the records associated with the team. This is not for security, since they could always turn off the Hide Shared Folders, but
rather for convenience so they don't get a lot of unwanted records in their vault.
Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari,
Firefox, Edge and IE. Native app installation is available from the Keeper website and every public-facing
app store (iTunes, Google Play, Microsoft Store, etc).
Many enterprise customers utilize the Keeper Web Vault, which is a fully featured web-based application.
To access the Keeper Web Vault login, visit https://keepersecurity.com/vault
Benefits of Desktop App vs. Web Vault
The Desktop App has a few more capabilities than the Keeper Web Vault such as:
Microsoft Windows .MSI file download vs .EXE file download:
.EXE installs to:
.MSI installs to:
Keeper for Mac
Keeper for Linux
Note: Keeper supports Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint.
Microsoft Store for Business - Offline Deployment
Keeper Microsoft Store applications can be downloaded from the Microsoft Store for Business for offline deployment. A Microsoft account is required to log in.
If the email address used is for an Azure domain the account must be authorized to access the store or be the primary admin on the Azure account.
Once logged in to the Microsoft Store for Business, settings need to be changed in order to display offline downloads for an application. Select Manage from the top bar…
Then select Settings from the left pane…
Enable showing offline files under Shopping Experience. This will then show a drop down option for each application in the store when the application is enabled for offline deployment.
Search for Keeper in the store. Select the Keeper Security application desired. A drop down menu will display titled License Type. The default selection will say Online.
Change the drop down to the Offline option and select the Manage button.
The app will display with options to download…
Select the highest minimum version supported by the platforms where the deployment is intended. Select the Architecture and Language. The Download button next to Language will
download a metadata file. This may be helpful for some deployment methodologies.
Once the Minimum Version and language have been selected scroll down to the Package details section.
Download the package and the license file. Scroll past the License file section and download any Framework packages available for the application. For the Keeper Edge Extension no Frameworks
are required. For the Keeper Password Manager several Frameworks files are required. The application package does not include dependencies and cannot be deployed alone if Frameworks are required.
Once the metadata, package, framework and license files are downloaded, they can be deployed through SCCM. This MSDN blog post provides an example of how to create the application for deployment…
Keeper for mobile and tablet devices can be deployed through the public-facing app stores.
MDM solutions can also push these applications to end-user devices without any special
requirements. When the users register or sign into an account, Enterprise enforcement
policies are automatically applied.
A personal folder is only visible by the user who created the folder. A personal folder can be made
up of subfolders and records. A personal folder can also contain other shared folders and shared records.
A shared folder can be shared to an individual Keeper user or to a Keeper Team. Shared Folder
permissions can be applied to Users, Teams and Records.
When a user is provisioned to a Team through any of the previously described onboarding methods
(Active Directory Bridge, SSO, Azure AD, SCIM, API, etc...) the user will instantly receive the
shared folders for that team, and the records associated with those shared folders. When
the user is removed from a team, their access to any shared folders is revoked and those
folders are immediately removed from their vault.
Any user within the Keeper Vault can create a personal folder or shared folder (unless restricted by the Keeper Administrator).
Both personal folders and shared folders can be nested and can contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent.
There are 2 permissions available from the Shared Folder screen when adding users and teams, "Can Manage Records" and "Can Manage Users".
When "Can Manage Records" is checked, the user is able to add and remove records from the shared folder.
When "Can Manage Users" is checked, the user is able to add and remove other users & teams from the Shared Folder.
Permissions on records within the Shared Folder can be individually controlled with "Can Edit" and
"Can Share" permission. Records with "Can Edit" permission are editable by anyone in the shared folder.
Records with "Can Share" permission are re-shareable by anyone in the shared folder.
When creating a Shared Folder, we recommend setting the Default Folder Settings to ensure that
records added to the folder by team members retain a desired set of permissions. By default,
the permissions are least privileged access. Select on the "Default Folder Settings" and
configure the 4 options:
Changing the default folder settings applies only to users and records added from that point forward.
Therefore we recommend always setting default folder permissions when creating a new shared folder.
A Folder and a Shared Folder are objects that are created independently of records. Keeper's implementation
of Subfolders (Nested Folders) is powerful and flexible, providing Enterprise customers with the most
secure encryption model while providing ease-of-use functionality like Drag & Drop.
To create a new Folder or Subfolder, select "Create New" then "Folder" or "Shared Folder". You can select
the parent folder or select "My Vault" to add the folder at the root level.
To provision a Shared Folder to a Team, select the folder from the vault then select "Edit". From the "Users"
screen select the Team and then assign the team level permissions.
To provision a Shared Folder to an individual user, select the folder from the vault then select "Edit".
From the "Users" screen type in the user's email address or select from the drop-down of previously shared
users then assign the user permissions.
A record can exist outside of a folder, inside a folder or inside a Shared Folder. A record can also be linked
into multiple folders or Shared Folders. A linked record is also referred to as a "Shortcut" or a "reference".
In either case, modifying a linked record will change it everywhere that it is referenced.
There are two ways to Move a record into a folder:
To add a record to multiple folders (e.g. create a Shortcut), follow one of these methods:
Teams are created by the Keeper Administrator, or any user who has been provided administrative permissions
to the Keeper Admin Console for a specific node or organizational unit. There is no limit to the number
of teams that can be created.
A team is made up of users within a node or sub-node. Teams can be provisioned in any of the below methods:
At the encryption layer, teams have a public and private key pair. In order to add a user to a team, you must
first be a member of the team because you need to encrypt the Team Key with the recipient's public key. When
the recipient logs into their vault, the Team Key is retrieved by decrypting it with the user's private key.
This encryption process is automatically handled by the above provisioning methods.
Inside the Admin Console there are several team security options:
A Keeper record can be any password, file or secret information that is stored in your
encrypted vault. When a new user is onboarded to the Keeper platform, they are walked
through a step-by-step guide to import existing passwords from their web browser, another
password manager or a file upload. The user is also walked through the process of creating
records manually from their desktop computer.
Keeper's Import Tool will seamlessly import passwords that are stored in Chrome,
Firefox, Edge and IE web browsers on your computer. From the Web Vault or Desktop
App, select "More" > "Import" then select "Start Import".
Keeper supports drag-and-drop import of files from other password managers or text files. From the Web Vault
or Keeper Desktop app, select "More" > "Import" and then select the file format. Select the "?"
next to "Import Instructions" for a step-by-step guide to generating the proper file from the
original password manager.
File Format: Folder,Title,Login,Password,Website Address,Notes,Shared Folder,Custom Fields
Example 1: Create a regular folder at the root level with 2 custom fields
Example 2: Create a shared subfolder inside another folder with edit and re-share permission
In the preview screen, select the column header above each line to map the columns to the Keeper field.
From any Keeper Vault application, select "Create New" > "Record" to add a record. When creating a record, a user may select the "Dice" icon to generate a strong password - with the ability to change the number of characters and if symbols, numbers, and capital letters are included. The "Title" is the only required field when saving a record.
The Keeper Commander SDK provides command-line or scripted capabilities to import records and folders into your Keeper Vault. Supported import formats are JSON, CSV, and KeePass.
Most features available in the Keeper Admin Console are available through Commander's interactive shell and SDK interface.
For more information, go to Keeper's Github Repository.
The Keeper Browser Extension for Chrome, Firefox, Safari, Edge and Internet Explorer browsers can be used to dynamically add records to your vault and Autofill passwords.
Download and install the Keeper Browser Extension from https://keepersecurity.com/download.html
Features of Browser Extension:
A Keeper record is made up of the following fields:
Keeper records can be shared on an individual basis to other Keeper users. Keeper sharing technology uses secure RSA encryption to exchange the individual record keys. Therefore, in order to share or transfer a record to
another user, the recipient must first have a Keeper account. Attempting to share to a user without a Keeper account will invite them to the platform. For more detailed information, visit
Keeper's Security Architecture.
To share a Keeper record with another user, select "Options" > "Share" and then type in the email address of the recipient (or select from previously shared users). Edit and re-share permission can be applied to any
Role enforcement policies can be applied from the Keeper Admin Console to control the ability for records to be shared.
Only the owner of a record is able to delete a record. A non-owner may see a "Delete" button but this will only remove the record from the non-owner's vault. When the owner of a record deletes it from their vault, it will
delete it from everyone's vault and across the system.
Record ownership can be transferred to another Keeper user. To perform a transfer, select "Options" > "Share" and then type in or select the email address of the recipient. Select the "Make Owner" checkbox and
select "Send". Note that after transferring record ownership, the record will no longer be accessible from your vault.
Every record created by a user is automatically backed up through the Keeper Cloud Security Vault architecture. Every record change is also backed up and a record version is created upon each change event. Each record is
identified by a record UID and each record can have an unlimited number of version identifiers.
Version History is a critical capability to ensure that a password or record change is never lost by accident. Version History also ensures that a deleted record can be recovered.
When a record is deleted by the record owner, the record is moved to the "Deleted Records" trash bin. Records will remain in this location until the record owner explicitly empties the trash bin.
Users can view the Version History of any Keeper record by accessing the Keeper Web Vault or Keeper Desktop. Select the record, then select "Options" and "Record History".
Keeper Web Vault and Keeper Desktop applications also include an "Export" capability which can be
enabled by the Keeper Administrator. Exporting records from your vault can serve as a backup mechanism,
however this does not retain any information about sharing relationships, folder structure or file
attachments. If Export is allowed by the Keeper Administrator, we recommend that the customer stores
the exported files in a secure location on an encrypted file system. The security and encryption model
of Keeper purposely does not permit a Keeper Administrator to export user vaults. A user must be
authorized on a Keeper record via the Team or User sharing capability in order to access and export
Keeper supports popular methods of Two-Factor Authentication ("2FA") including Text Message, TOTP applications such as Google and
Microsoft Authenticator, Duo Security, RSA SecurID and Keeper DNA (using Apple Watch and Android Wear devices).
Each user is able to individually configure their Two-Factor Authentication settings from their vault "Settings"
screen. Certain 2FA methods such as Duo Security and RSA SecurID require the Keeper administrator to login to the
Admin Console and perform up-front configuration.
To access the Two-Factor Authentication configuration, visit the "2FA" tab of the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced
from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.
Keeper supports Text Message (SMS) delivery of two-factor authentication codes. To select Text Message method,
visit the "Settings" or "DNA" screens within the Web App or Mobile App.
Download the Google Authenticator or any TOTP-compatible application on your mobile device and add a new
entry by scanning the barcode Keeper provides.
Keeper DNA uses the connected devices you own to create your unique profile which serves as a second factor
to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable Keeper
DNA 2FA method, visit the "DNA" screen on your iPhone or Android app.
To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper
account manager to initiate this integration at email@example.com.
To activate Duo Security, follow the below steps:
Once activated, each individual user can enroll in Duo by logging into their Keeper app,
going to Keeper's "Settings" or "DNA" screen, selecting "One-Time Passcodes"
(or Two-Factor Authentication) and then selecting Duo Security. The user is walked through
a process to activate their device.
Users can protect their Keeper vault with FIDO Universal 2nd Factor (U2F) compatible hardware
security keys, including YubiKey, which provides secure and easy two-factor authentication (2FA).
Security Keys are configured on the Keeper Web Vault or Keeper Desktop App.
To activate 2FA using Security keys, follow the steps below:
Keeper also supports FIDO U2F for both Chrome and Firefox.
How to enable FIDO U2F in Firefox Quantum:
Keeper SSO Connect is a SAML 2.0 compatible Service Provider (SP) application that allows Keeper Business customers to seamlessly login to their Keeper Vault using their existing identity provider (IdP). This application
complies with Keeper's zero-knowledge security architecture while giving business customers the ability of providing seamless SSO login to their Keeper Vault.
Keeper SSO Connect is a software application that is installed on the enterprise customer's on-premises, private or cloud servers. Users' account master passwords are generated dynamically by Keeper SSO Connect and
encrypted and stored locally on the computer where it is installed.
For more in-depth information, refer to our Keeper SSO Connect Guide
The steps for setting up Keeper SSO Connect are below:
Keeper integrates out-of-the-box with several top Identity Providers. Please see the guides below for step-by-step integration with popular IdP providers:
For more in-depth instructions on installation and setup, refer to our Keeper SSO Connect Guide
Keeper Security provides our Enterprise customers with training, onboarding and individual end-user support through email, phone and live chat. We utilize web video tools for training and personalized support.
To contact your business support team, please email firstname.lastname@example.org.
Please ensure that outbound TCP port 443 to keepersecurity.com is whitelisted on your firewall. EU customers should also whitelist keepersecurity.eu.
Whitelisting Keeper Security Emails
To ensure that emails from Keeper Security are delivered to users with high success, we recommend whitelisting your email server filters using the below information:
Email: email@example.com, firstname.lastname@example.org, email@example.com