User Guide

Welcome to Keeper

We're excited you have chosen Keeper to protect your business. This guide will provide valuable information on how to quickly onboard your employees and use the powerful features of the Keeper Enterprise platform.


Resources

To help the decision making process in adopting Keeper Enterprise, several resources are provided for your executive and IT management team.


Why Choose Keeper Enterprise?

Keeper Enterprise provides the highest levels of security while at the same time providing a simple user experience - with over 14 million users worldwide, Keeper is the proven industry leader.

Passwords are the single greatest cause of a data breach. 81% of data breaches are due to weak or stolen passwords. Password management solutions provide an affordable and simple way for companies to solve the root cause of most data breaches. By helping businesses to generate strong passwords, manage them and securely share them among teams, they reduce the risk of data breach significantly.

Zero-Knowledge Security Architecture

Keeper's architecture is the most secure in the industry. Built from the ground up with record-level encryption and client-side key generation, the foundation of Keeper Enterprise is built upon a model that provides least privileged access. This foundation is what gives Keeper the ability to apply the most granular level of protection to user data and enables the core features and capabilities of the product. Users, Roles, Teams, Records and Shared Folders are all protected and managed through the use of client-side generated keys.

To learn more, visit Keeper Security Architecture

Fills Critical Gaps in Single Sign-On

SSO and SAML simplify login to many cloud applications; however, they have their limitations. Keeper (with Keeper SSO Connect) fills the two major gaps in your SSO deployment:

  • Offering privileged access to applications that don’t support SAML protocols.
  • Enabling non-password use cases, such as management and sharing of digital certificates, SSH keys, API keys, secret notes, lists, files and more.

With Keeper SSO Connect, you can easily add Keeper to the apps that your IdP services. Whether you use AWS, Okta, Centrify, Ping, Jumpcloud or any other SAML 2.0 Identity Provider, Keeper will easily integrate. Keeper SSO Connect logs the user directly into their encrypted vault while maintaining true zero knowledge.

Keeper SSO Connect is essentially an on-prem hosted high availability solution that the customer hosts and manages. This architecture preserves zero knowledge and allows the end-user to authenticate directly into their vault.

Role-Based Access Controls

The ability to provide "least privilege access" to an employee is critical in the deployment of an Enterprise Password Manager. Keeper gives fine-grained control over what users are capable of accessing and managing within the platform through the use of customizable role policies. By providing a flexible role policy engine, you can lock down restrictions and access based on the risk profile of the employee. For example, you may want your IT Admins to be restricted from accessing their vault outside of the office network. Or you may want to give administrative assistants the ability to onboard new users, manage teams and run reports. The entire process is fully customizable through a user-friendly interface.

Role Enforcements Include:

  • Password Complexity Rules and Biometrics
  • Multi-Factor Authentication, Token Expiration and Device Restriction
  • IP Whitelisting, Sharing and Data Export Restrictions
  • Account Transfers (Employee offboarding and break-glass scenarios)
  • Administrative Permissions

Delegated Administration

Keeper Administrators can create organizational units (called "Nodes"). A role can be given administrative permissions over the node (or sub-nodes) in which the role exists. This delegated administration allows different people in the organization to have management control over subsets of users, teams, roles and shared folders.

Eliminate the Risk of Critical Data Loss

Keeper's Zero Knowledge "Account Transfer" capabilities provide Enterprise customers with the peace of mind that an employee will never walk away with critical data when they leave the organization.

Access from Any Platform or Device

Keeper is a cross-platform solution that provides full capabilities from every major platform and device including iOS, Android, Windows, Mac and Linux. Browser plugins are compatible with Chrome, Firefox, Edge, Safari and Internet Explorer.

Increase Productivity Gains

There's a significant productivity gain by rolling out a password manager since 50% of help desk calls are estimated to be password related. When employees don't need to worry about remembering passwords, the cost savings are massive.

Meet Compliance Needs

Compliance is becoming even more complex with requirements mandating internal control policies and standards. An enterprise password management product solves many of the pain points in enforcing complex passwords and safeguarding of data that is protected by these passwords.

Keeper is SOC 2 Compliant, GDPR Compliant, GSA Certified, SAM Certified and TRUSTe Certified.


Implementation Overview

For the most successful rollout of Keeper Enterprise, we recommend following the below steps:

  1. Inform your POC users, stakeholders, DevOps and IT Admin teams that you'll be adopting Keeper as your password management solution. Let users know that Keeper is secure, easy to use and will help everyone in the long run by protecting, generating and storing strong passwords and confidential information in their vault.
  2. Create a Keeper Enterprise Trial from our website or by contacting the sales team. Be sure to allocate the necessary number of total users you expect to onboard.
  3. Create your Keeper Admin account and log in to the Keeper Admin Console by following the instructions sent via email from the trial registration form.
  4. Schedule a demo/training session with our Business Support team by contacting your sales representative or emailing business.support@keepersecurity.com.
  5. Onboard your users using one of the methods described in the "User Provisioning & Onboarding" section below.

End-user documentation is available in our Keeper Enterprise End-User Guide.


Getting Started with Keeper Admin Console

Admin Tab

When you first log in to the Admin Console, it will bring you to the "Admin" tab. From here, you can access Nodes, Users, Roles, Teams, Two Factor Authentication, Provisioning and License. On-screen guides will highlight the main functional areas.

Nodes

Nodes are a way to organize your users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure that makes sense. By default, the top-level node, or "Root Node", is set to the organization name, and all Nodes can be created underneath.

  • Smaller businesses may benefit from administering Keeper at a single level: all provisioned users, roles and teams are accessed from the root node by default.
  • Larger organizations may benefit from organizing by locations or departments. Nodes are not visible or configurable by default; to activate the Node configuration, select "Advanced Configuration" and then enable "Show Node Structure".

For more information, refer to Nodes & Organizational Structure

Users

Keeper is easy to deploy to your users in the organization, and our flexible tools provide many options in your rollout plans. To get started, we recommend that you consider the organizational structure of your Keeper account. The building blocks of Keeper's security model are Nodes, Users, Roles and Teams which are covered in detail throughout this guide.

All users who join the organization's Keeper subscription will be responsible for managing their own encrypted vault. Whether users are manually created or provisioned, their vault is protected by a Master Password which is used to encrypt and decrypt the user's "data key" which is then used to encrypt their data.
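
The key hierarchy this paragraph describes, as an added illustration (not Keeper's code, and not Keeper's actual algorithms or parameters): the Master Password derives a key-encryption key on the client with PBKDF2, that key wraps a random data key, and only the data key encrypts records. Because the Python standard library has no AES, the block uses a clearly labelled stand-in authenticated cipher built from HMAC-SHA256; the iteration count, salt size and record contents are assumptions. It also shows why the indirection matters: changing the Master Password re-wraps the data key without touching any record ciphertext, and the stored material on its own never yields plaintext.

```python
"""
Illustrative model of a vault key hierarchy: Master Password -> key-encryption
key (KEK) -> wrapped data key -> encrypted records. Added example, not Keeper
code. PBKDF2-HMAC-SHA256 comes from the standard library; the authenticated
cipher is a stand-in (HMAC-SHA256 in counter mode as keystream, plus an HMAC
tag, encrypt-then-MAC) because the standard library has no AES.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption for illustration, not Keeper's value


def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Client-side derivation of the key-encryption key from the Master Password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for the keystream and for the tag (domain separation).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class StoredVault:
    """What the service holds: nothing here decrypts without the Master Password."""
    salt: bytes
    wrapped_data_key: bytes
    records: dict = field(default_factory=dict)  # record id -> ciphertext under data key


def create_vault(master_password: str) -> StoredVault:
    data_key = os.urandom(32)  # generated client-side, never leaves the client in the clear
    salt = os.urandom(16)
    return StoredVault(salt, seal(derive_kek(master_password, salt), data_key))


def unlock(vault: StoredVault, master_password: str) -> bytes:
    """Return the data key; raises ValueError on a wrong Master Password."""
    return unseal(derive_kek(master_password, vault.salt), vault.wrapped_data_key)


def add_record(vault: StoredVault, data_key: bytes, record_id: str, plaintext: bytes):
    vault.records[record_id] = seal(data_key, plaintext)


def read_record(vault: StoredVault, data_key: bytes, record_id: str) -> bytes:
    return unseal(data_key, vault.records[record_id])


def change_master_password(vault: StoredVault, old_password: str, new_password: str):
    """Only the wrapped data key is rewritten; record ciphertexts are untouched."""
    data_key = unlock(vault, old_password)
    vault.salt = os.urandom(16)
    vault.wrapped_data_key = seal(derive_kek(new_password, vault.salt), data_key)


def demo() -> bytes:
    vault = create_vault("correct horse battery staple")
    data_key = unlock(vault, "correct horse battery staple")
    add_record(vault, data_key, "gh", b"github.com / alice / example-password")  # constructed sample
    before = vault.records["gh"]
    change_master_password(vault, "correct horse battery staple", "a different passphrase")
    assert vault.records["gh"] == before  # no re-encryption of records was needed
    return read_record(vault, unlock(vault, "a different passphrase"), "gh")


if __name__ == "__main__":
    print(demo())
```

Run it directly to see a record survive a Master Password change. Whoever holds a StoredVault (salt, wrapped key, ciphertexts) can store, lock or copy it but cannot read it without the Master Password; that property, not the particular cipher, is what the zero-knowledge description above rests on.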

We recommend separating your personal, private records from your business records by creating two separate user accounts. When enforcements are applied to the enterprise (such as Account Transfer privileges), users who have personal records mixed with business information risk having their personal information transferred.

When preparing for a rollout, you can consider one of the following options when adding users:

For more information, refer to Users

Roles

Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions.

For more information, refer to Roles

Account Transfer Setup

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. This is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer.

For more information, refer to Account Transfer

Teams

The purpose of creating Teams is to have logical groupings of individuals so that folders within the Keeper Vault can be shared with a group of individuals at once. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords), and adds the individual users to the team.

For more information, refer to Teams

Deploying Keeper to End-Users

Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari, Firefox, Edge and IE. Native app installation is available from the Keeper website and every public-facing app store (iTunes, Google Play, Microsoft Store, etc).

For more information, refer to Deploying Keeper to End-Users


Nodes and Organizational Structure

Nodes are a way to organize your users into distinct groupings, similar to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure that makes sense. By default, the top-level node, or "Root Node", is set to the organization name, and all Nodes can be created underneath.

Nodes are not visible or configurable by default. To activate the Node configuration, select "Advanced Configuration" and then enable "Show Node Structure". If you do not require organizational units, leave this feature turned off.

Smaller organizations might choose to administer Keeper at a single level, meaning no additional nodes are created by the Keeper Administrator. In this scenario, all provisioned users, roles and teams are accessed from the default Root Node. The advantage of this configuration is that no additional navigation is required to find objects: they are listed under the default root level and easily accessed by navigating to the appropriate tab (Users, Roles, Teams).

Larger organizations may find benefit in organizing locations or departments into organizational containers called "Nodes". Users can then be provisioned under their respective node and have roles configured to match the specific needs of the business. One advantage of defining nodes is support for delegated administrators. A delegated administrator can be granted some or all of the administrative permissions, but only on their respective node (or sub-nodes), to reduce the administration load on the primary Keeper Administrators.

When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups within specific organizational units in Active Directory will be placed in the corresponding Node in the Keeper Admin Console.

Adding Nodes Manually

To manually create Nodes and Sub Nodes, select the “+” button. The “Add Node” window will appear. Type the name of the Node in the “Name” field and select the node where you want the new node to be added in the tree structure.

At any time, you can change which node you are viewing by navigating to or selecting the nodes in the far-left Node pane. To navigate to the root node or top level, select the business name (e.g. The Company) in the navigation tree or in the breadcrumb along the top.

Hiding Nodes

If the use of nodes is not required by your organization, the Keeper Administrator can disable viewing nodes by selecting "Advanced Configuration" and then disabling "Show Node Structure".

Note Regarding Nodes and Users/Teams Visibility

Teams are only visible to users in the tree path above and below the node that the team is contained in (not adjacent nodes). To make a team that everyone can see and share to, we recommend setting up your teams in the Root Node, or in a node at a higher level above the sub-nodes, which will be visible to everyone. The visibility of users and teams is important in regards to Shared Folders.

Nodes and Administrative Permissions

If nodes are enabled, either via Active Directory integration or configured from the Admin Console, the placement of the role is important with regards to where the administrative permissions begin.

Placement of the role at the top level, “AD Root”, will allow the permissions to flow down to any of the sub-nodes if the “Cascade Node Permissions” attribute is checked. If the role is placed in a sub-node with the “Cascade Node Permissions” attribute checked, then the permissions apply to that node and its two sub-nodes but not any others. If the “Cascade Node Permissions” attribute is not checked, then the role's permissions apply only to the specific node to which it belongs.
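
The team-visibility rule and the "Cascade Node Permissions" rule described above, modelled as an added example (not Keeper code; node and role names are constructed sample data, and the node structure is assumed to be a tree with unique names):

```python
"""
Added example, not Keeper code. Two rules over a node tree:
  * a team is visible to users whose node lies on the same tree path as the
    team's node (ancestors or descendants), never to sibling branches;
  * a role's administrative permissions cover its own node and, only when
    "Cascade Node Permissions" is checked, every sub-node beneath it.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: "Node | None" = field(default=None, repr=False, compare=False)
    children: list = field(default_factory=list, repr=False, compare=False)

    def add_child(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child

    def ancestors_and_self(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def is_under(self, other: "Node") -> bool:
        """True if `other` is this node or one of its ancestors."""
        return any(n is other for n in self.ancestors_and_self())

    def subtree(self):
        """Depth-first walk, this node first, children in creation order."""
        yield self
        for child in self.children:
            yield from child.subtree()


def team_visible_to(team_node: Node, user_node: Node) -> bool:
    """Visible only along one tree path: team above the user, or user above the team."""
    return user_node.is_under(team_node) or team_node.is_under(user_node)


@dataclass
class AdminRole:
    name: str
    node: Node       # the node the role is placed in
    cascade: bool    # the "Cascade Node Permissions" attribute


def role_can_administer(role: AdminRole, target: Node) -> bool:
    if target is role.node:
        return True
    return role.cascade and target.is_under(role.node)


def administered_nodes(role: AdminRole) -> list:
    """Names of every node the role's administrative permissions reach."""
    return [n.name for n in role.node.subtree() if role_can_administer(role, n)]


def build_sample() -> dict:
    """Constructed sample tree: root, two departments, two regions under one of them."""
    root = Node("The Company")
    engineering = root.add_child("Engineering")
    root.add_child("Sales")
    engineering.add_child("Engineering/EU")
    engineering.add_child("Engineering/US")
    return {n.name: n for n in root.subtree()}


if __name__ == "__main__":
    nodes = build_sample()
    print("root team visible to EU user:", team_visible_to(nodes["The Company"], nodes["Engineering/EU"]))
    print("US team visible to EU user:  ", team_visible_to(nodes["Engineering/US"], nodes["Engineering/EU"]))
    eng_admins = AdminRole("Engineering admins", nodes["Engineering"], cascade=True)
    print("Engineering admins administer:", administered_nodes(eng_admins))
```

A team created in the root node is visible to everyone because every node is under the root, which is the recommendation in the text; a team created in one region is invisible to the sibling region. The same ancestor test drives delegated administration: with cascade off, a role reaches exactly its own node.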


Users

User provisioning is simple and easy with Keeper Enterprise. There are many options to choose from based on your needs, the location of your user directory and the complexity of your organization's structure.

Customized Email Invitations

Before you invite users to your Keeper account, you may want to customize the Vault logo and email invitation message that they receive.

  • To customize the email language, subject and logo, select "Advanced Configuration" then "Edit" under "Email Invitations".
  • You can also customize the logo which appears on the upper left corner of the screen when users are logged into their vault. Select "Advanced Configuration" then "Edit" under "Add Company Logo".

Manual User Creation

For organizations who do not require any advanced directory integration or SSO, manual user creation can be performed at any time from within the Keeper Admin Console.

  1. Log in to the Admin Console
  2. Select (+) Add User
  3. Type in the Name and Email of the user

Bulk User Import

You can optionally import all of your user accounts via a flat file (.csv).

  1. Log in to the Admin Console
  2. Select (+) Add User
  3. Drag and drop a CSV file with 3 columns: Name, Email and Role.
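
An added pre-import check for that three-column file (not Keeper's import code). It assumes a header row of Name, Email, Role and a known set of role names, both assumptions of this example, and runs over a constructed sample CSV so that invalid or duplicate emails, blank names and unknown roles are caught before the file is uploaded:

```python
"""
Added example, not Keeper code: validate a Name,Email,Role CSV before bulk
import. Header row and the set of existing roles are assumptions.
"""
import csv
import io
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # conservative shape check
EXPECTED_HEADER = ["Name", "Email", "Role"]


def validate_user_csv(text: str, known_roles: set) -> tuple:
    """Return (rows_ready_to_import, error_messages)."""
    rows, errors, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(text))
    header = [h.strip() for h in (reader.fieldnames or [])]
    if header != EXPECTED_HEADER:
        return rows, [f"header must be {EXPECTED_HEADER}, got {header}"]
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get("Name") or "").strip()
        email = (row.get("Email") or "").strip().lower()  # users are identified by email
        role = (row.get("Role") or "").strip()
        problems = []
        if not name:
            problems.append("missing Name")
        if not EMAIL_RE.match(email):
            problems.append(f"invalid Email {email!r}")
        elif email in seen:
            problems.append(f"duplicate Email {email!r}")
        else:
            seen.add(email)
        if role and role not in known_roles:
            problems.append(f"unknown Role {role!r}")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            rows.append({"name": name, "email": email, "role": role or None})
    return rows, errors


# Constructed sample input: two good rows and three rows with problems.
SAMPLE_CSV = """Name,Email,Role
Alice Smith,alice@example.com,Keeper Administrator
Bob Jones,bob@example.com,
Carol White,carol-at-example.com,Employee
Dan Brown,ALICE@example.com,Employee
,erin@example.com,Contractor
"""
KNOWN_ROLES = {"Keeper Administrator", "Employee"}  # constructed sample

if __name__ == "__main__":
    ready, problems = validate_user_csv(SAMPLE_CSV, KNOWN_ROLES)
    for r in ready:
        print("import:", r)
    for p in problems:
        print("reject:", p)
```

Emails are lower-cased before the duplicate check because the same mailbox written in different case would otherwise slip through as two users. An empty Role column is accepted and left as None, matching a row that should simply receive the node's default role.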

Syncing Active Directory or LDAP

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an Active Directory or LDAP service. To activate and install the Keeper Bridge, follow the below steps:

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration
  2. Create a Node to sync with your Active Directory
  3. Visit the "Provisioning" tab to download the Bridge and proceed with setup.

Keeper Bridge supports single and multi-domain, multiple forest domains and other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment.

  • The Keeper Bridge does not authenticate users into their vault with their Active Directory password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section.
  • Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.
  • Once the Active Directory Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through Active Directory. Role enforcement policy changes should still be made on the Admin Console.
  • For detailed installation instructions see the Keeper Bridge Guide.

Single Sign-On (SAML 2.0) Authentication

Keeper can dynamically (just-in-time) provision and authenticate users through any SAML 2.0 compatible identity provider through the use of our proprietary Keeper SSO Connect component.

Keeper SSO Connect is a SAML 2.0 application which leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision users to the platform. Keeper SSO Connect works with popular SSO IdP platforms such as G Suite, Microsoft AD FS / Azure, AWS, F5 BIG-IP APM, Okta, Centrify, OneLogin, Ping Identity and CAS.

Keeper SSO Connect is installed on the customer's on-prem or cloud infrastructure in order to preserve Keeper's Zero-Knowledge architecture. Your SSO Identity Provider authenticates users by communicating directly with the Keeper SSO Connect instances that you operate in a high availability configuration.

Here's how Keeper SSO Connect works:

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration.
  2. Create a Node to configure for your SSO provider beneath the root node.
  3. Visit the "Provisioning" tab to download the Bridge and proceed with setup.

The Keeper SSO Connect service application can be installed on a private on-premise or cloud-based server. Windows, Mac OS and Linux operating systems are fully supported. On Microsoft Windows environments, the Keeper SSO Connect application runs as a standard Windows service. This ensures the service won't exit when anyone logs off the PC and will automatically start up upon reboot. It can also be configured for High Availability (HA). In order to ensure the service is always active, Keeper SSO Connect can be installed on multiple servers that sit behind a load balancer.

When installing and configuring SSO on a node within your Keeper account, you will be asked to select an "Enterprise Domain". This is a unique string that your end-users type in to log in to Keeper when accessing their account on a device. We recommend informing your users of the Enterprise Domain name so that they are able to access their Keeper vault on any device and platform. The Enterprise Domain is not needed when logging in to Keeper directly from the Identity Provider portal.

For detailed setup instructions, FAQs and workflow questions please see the Keeper SSO Connect Guide. Our implementation engineers are also available by emailing business.support@keepersecurity.com. Most implementation issues can be addressed quickly via a screen sharing session or email.

Combining AD and SSO Authentication

Enterprise customers may want the benefit of automated provisioning and deprovisioning of users, roles and teams through Active Directory integration while also leveraging the ability for their users to Single Sign-On (SSO) to their vaults through authentication to an Identity Provider (IdP) like Active Directory Federation Services (AD FS), Okta, G Suite, Azure, etc.

While the specific instructions on installation and configuration can be found in the Keeper Bridge Guide and in the Keeper SSO Connect Guide for specific identity providers, the high-level instructions below provide some best practices for leveraging both integrations simultaneously.

  1. Log in to the Admin Console and turn on "Show Node Structure" from Advanced Configuration.
  2. Create a Node to configure for your Bridge and SSO provider beneath the root node. Both Bridge and SSO will be activated in this node via the "Provisioning" tab.
  3. Create a new Role for the node created in step 2. This will become the default role that all auto-provisioned users will receive.
  4. Set the role enforcement policies:
     • Set the desired enforcement settings, such as 2FA, Sharing, etc.
     • Optional but recommended: set up Account Transfer for break-glass vault access.
     • Optional: enable “Don’t Send Email Invitations” if dynamic provisioning will be configured for SSO or if users will be notified of their vault access at a later time.
     • After the Role enforcement settings are configured, check “Add role to new users created in the Node and Sub nodes”.
  5. Install and set up Keeper SSO Connect. Following our Keeper SSO Connect Guide, configure your identity provider with Keeper to automatically authenticate users into their Vault. Users will be provisioned into the default role for the node as set up in step 4.
  6. Install and configure the Keeper AD Bridge, following the instructions in the Keeper Bridge Guide. When the Bridge is deployed, your users, roles and teams that match the LDAP query syntax will be added/invited to your Keeper subscription.
     • If you opt to enforce the “Don’t Send Email Invitations” role enforcement setting, users will not receive a notification upon their first Keeper vault access.
     • We recommend sending a separate email to your end-users to communicate the onboarding process. The email should guide users to either log in directly to their IdP and select the Keeper icon, or sign in directly to Keeper using the "Enterprise Domain" that was configured in your Keeper SSO Connect installation. You may also provide your end-users with a Keeper Enterprise User Guide.
     • We recommend testing with a small user subset to validate configuration and workflow before rolling out to a larger group of users.
     • Install and configure SSO Connect before the AD Bridge. Choosing to implement SSO at a later time will cause more user friction by requiring existing users to change their login method from "master password" to SSO-based authentication. We recommend having SSO set up at the initial onboarding.
     • After successful testing, onboard the remaining users and send users instructions to create their accounts.
     • Users in an SSO-enabled node will not be able to change their master password. This enforcement is by design, to ensure users who authenticated via SSO cannot bypass IdP authentication for access to their vault.

Email Auto-Provisioning

To facilitate the rapid onboarding of Keeper to a large number of end-users, such as a university, Keeper supports email auto-provisioning. For example, anyone with an email address in the domain "acme.com" can be automatically provisioned to a particular node and role within the "Acme Corp" Keeper Enterprise account upon creating their vault.

  1. Log in to the Keeper Admin Console and go to the "Provisioning" tab
  2. Select (+) Add Method
  3. Select "Email Auto-Provisioning"
  4. After confirmation from the Keeper business support team that your domain has been provisioned, you can begin inviting your users. You can send users a signup link that is either pre-populated with their email address or a generic link to the site. For example:

https://keepersecurity.com/vault/#new/email/xxxxx@mycompany.com (replace xxxxx with the email address)

OR

https://keepersecurity.com/vault/#new/

Alternatively, users can simply go to our app store or download page: https://keepersecurity.com/download

Azure AD Sync (SCIM)

Keeper supports provisioning users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams for receiving Shared Folders. The Keeper/Azure provisioning integration supports the following features:

  • Creates users in Keeper
  • Updates user attributes (display name in Keeper)
  • Deletes users (locks users in Keeper)
  • Creates teams in Keeper (from Azure groups)
  • Adds or removes users in groups (teams in Keeper)

When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state; new users will receive an email invitation prompting them to create a Keeper account.

Requirements

To set up Keeper user provisioning with Azure AD, you need access to the Keeper Admin Console and an Azure account.

Configuration Steps

  1. Go to your Azure Admin account and add “Keeper Password Manager” to the list of your applications. Open the app and go to the “Provisioning/API integration” screen. Select the “Automatic” option.

  2. Open the Keeper Admin Console and navigate to the node which should be synchronized with your Azure AD.

  3. Click “Add Method”. Choose the “SCIM” option and click “Next”. Click “Create Provisioning Token”.

  4. Copy the values for URL and Token and paste them into the “Tenant URL” and “Secret Token” fields in the Azure AD Keeper app. Click “Save” to finish provisioning setup on the Keeper side.

  5. Go back to the Azure AD Keeper app and click “Test Connection”. If successful, save the credentials. Change “Provisioning Status” to “On” and save the provisioning settings again.

  6. Go to the “Users and Groups” section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app. Wait for about 5 minutes and click the “Sync” button in the Admin Console. Verify that users appear under the “Users” tab.

The SCIM protocol is used for provisioning of users and teams, not for authentication. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Guide.

Provisioning API / SDK

Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Keeper Commander SDK is open source Python code that is available for download from Keeper's GitHub repository. The Commander SDK can assist in the following use cases:

  • Command line access to your Keeper vault
  • Importing passwords, folders and shared folders
  • Provisioning users and teams
  • Sharing records and folders with users and teams
  • Performing targeted password rotation

Since Keeper Commander is an open source SDK written in Python, it can be customized to meet your needs and integrated into your back-end systems.

Configuring SCIM with Okta

Features

The Keeper/Okta provisioning integration supports the following features:

  • Creates users in Keeper
  • Updates user attributes
  • Activates or deactivates users (unlocks or locks them in Keeper)
  • Creates teams in Keeper (from Okta groups)

When provisioning users, the Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state; new users will receive an email invitation prompting them to create a Keeper account.

Requirements

To set up Keeper user provisioning with Okta, you need access to the Keeper Admin Console and an Okta account.

Configuration Steps

  1. Go to your Okta Admin account and add “Keeper Password Manager” to the list of your applications. Open the app and go to the “Provisioning/API integration” screen.

  2. Open the Keeper Admin Console and navigate to the node which should be synchronized with your Okta account.

  3. Select “Add Method”. Choose the “SCIM” option and select “Next”. Select “Create Provisioning Token”.

  4. Copy the values for URL and Token and paste them into their corresponding fields in the Okta Keeper app. Select “Save” to finish provisioning setup on the Keeper side.

  Note: the username and email for each user must always be the same during user assignment.

  5. In the Okta app select “Test API Credentials”. If successful, save the credentials. Assign the app to some users and, after a short period, select the “Sync” button in the Admin Console. Verify that users appear under the “Users” tab.

  6. In the Okta "Sign On" tab, set the 'Application username format' to 'Email'. Click "Save".

Known Issues/Troubleshooting and Tips

  • If you test the API credentials before saving the provisioning method in the Admin Console, the test will fail.
  • A Keeper user is identified by email, so when assigning the Okta user to the Keeper app, make sure the Username contains a valid email address.
  • Keeper can use First and Last names that come from an Okta user record, but does not show those in the user interface of the Keeper Admin Console.
  • When synchronizing group memberships from Okta, Keeper creates team memberships which are not immediately visible. For the provisioned users to become actual team members, the user must register with Keeper, accept the invitation and be approved to the group by a Keeper administrator or auto-approved by an existing Keeper team member logged into their Web Vault.
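
An added, in-memory model of the SCIM mapping described in the Azure AD and Okta sections above (not Keeper, Azure AD or Okta code): users are keyed by email, deactivating or deleting a user in the identity provider locks rather than deletes the Keeper account, groups become teams, and a synchronized membership only takes effect once the user has registered and been approved. The SCIM resources are constructed samples in the standard SCIM 2.0 shape; the attributes Keeper's SCIM endpoint actually accepts are not on this page, and using the email address as a group member's "value" is an assumption of this example.

```python
"""
Added example, not Keeper/Azure/Okta code: how SCIM User and Group resources
map onto the users and teams of the single node an identity provider syncs to.
"""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class KeeperNode:
    """Users and teams of the one node the identity provider is mapped to."""

    def __init__(self, name: str):
        self.name = name
        self.users = {}   # email -> {"status", "display_name", "registered"}
        self.teams = {}   # team name -> {"members": set, "approved": set}

    def apply_scim_user(self, resource: dict) -> dict:
        """Create or update a Keeper user from a SCIM User resource."""
        email = (resource.get("userName") or "").strip().lower()
        if not EMAIL_RE.match(email):  # the Okta note: userName must be a valid email
            raise ValueError(f"SCIM userName must be an email address, got {email!r}")
        user = self.users.setdefault(
            email, {"status": "INVITED", "display_name": "", "registered": False})
        if resource.get("displayName"):
            user["display_name"] = resource["displayName"]
        if resource.get("active", True) is False:
            user["status"] = "LOCKED"          # IdP deactivation/deletion locks, never deletes
        elif user["status"] == "LOCKED":
            user["status"] = "ACTIVE" if user["registered"] else "INVITED"
        return user

    def apply_scim_group(self, resource: dict) -> dict:
        """Mirror a SCIM Group as a team; membership stays pending until approved."""
        team = self.teams.setdefault(resource["displayName"],
                                     {"members": set(), "approved": set()})
        members = {m["value"].strip().lower() for m in resource.get("members", [])}
        unknown = members - set(self.users)
        if unknown:
            raise ValueError(f"group members not provisioned as users: {sorted(unknown)}")
        team["approved"] &= members          # members removed in the IdP lose approval
        team["members"] = members
        return team

    def register(self, email: str):
        """The invited user creates their Keeper account."""
        user = self.users[email]
        user["registered"] = True
        if user["status"] == "INVITED":
            user["status"] = "ACTIVE"

    def approve(self, team_name: str, email: str):
        """Approval by an administrator or by an existing team member."""
        team = self.teams[team_name]
        if email not in team["members"]:
            raise ValueError(f"{email} is not a synchronized member of {team_name}")
        team["approved"].add(email)

    def effective_members(self, team_name: str) -> list:
        """Members who can actually receive the team's shared folders."""
        team = self.teams[team_name]
        return sorted(e for e in team["approved"] if self.users[e]["status"] == "ACTIVE")

    def pending_members(self, team_name: str) -> list:
        team = self.teams[team_name]
        return sorted(team["members"] - team["approved"])


def demo() -> KeeperNode:
    """Constructed sequence of SCIM events against one node."""
    node = KeeperNode("Azure AD")
    node.apply_scim_user({"userName": "alice@example.com", "displayName": "Alice Smith", "active": True})
    node.apply_scim_user({"userName": "Bob@Example.com", "displayName": "Bob Jones", "active": True})
    node.apply_scim_group({"displayName": "Engineering",
                           "members": [{"value": "alice@example.com"}, {"value": "bob@example.com"}]})
    node.register("alice@example.com")
    node.approve("Engineering", "alice@example.com")
    node.apply_scim_user({"userName": "bob@example.com", "active": False})  # deactivated in the IdP
    return node


if __name__ == "__main__":
    n = demo()
    print({e: u["status"] for e, u in n.users.items()})
    print("effective:", n.effective_members("Engineering"), "pending:", n.pending_members("Engineering"))
```

After the sample sequence Alice is an effective member of Engineering while Bob, locked by the identity provider before he ever registered, remains pending; re-activating him in the IdP returns the account to Invited, not Active, because the registration step still has not happened. Lower-casing the userName before it becomes the key is what keeps "Bob@Example.com" and "bob@example.com" from becoming two Keeper users.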

      User Status

      Users can be in one of 5 states: Invited, Active, Disabled, Locked, Blocked.

      Status Description
      INVITED User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by selecting the "Resend Invite" button.
      ACTIVE User has created their Keeper account and joined the organization.
      DISABLED User has been disabled in the enterprise Active Directory.
      LOCKED User has been suspended (either manually by selecting the Lock Account button or automatically via AD Bridge). To manually lock a user account, select the "Lock" button.
      BLOCKED If Account Transfer enforcement policy is applied to the role which the user belongs, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent, their account will be blocked. Selecting the "Extend Transfer Acceptance Consent" icon will extend the time limit for another 7 days.

      User Actions

      Additional user actions that can be performed from the "Edit User" pop-up. Icons only show if an action is relevant to that user's account.

      Edit a user Allow the change of a user's name.
      Transfer Account If Account Transfer is active on the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. Account must first be locked before you can perform a transfer. After transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this guide.
      Delete User Select the Trash Can Icon to delete a user account.

      Note: this action cannot be undone. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams.
      Lock Account To suspend an account to prevent the user from accessing their Vault, you can just lock the account by selecting the Lock Icon. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.
      Expire Master Password To expire a user's master password outside of the enforcement policy periodicity select the master password expiration icon. This functionality allows the administrator to specifically target a user to rotate their master password if a potential compromise is suspected.
      Extending Transfer Acceptance Consent If Account Transfer enforcement policy is applied to the role which the user belongs, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent, their account will be blocked. Selecting the "Extend Transfer Acceptance Consent" icon will extend the time limit for another 7 days.
      Resend Invite Resend the email invitation so the user can complete their account registration.

      In the Search Field, select "Filter." Type the name of the user to be searched. Additional filter selections can be made on "Active", "Invited", "Disabled", "Locked" and "Blocked".

      Editing a User

      Once the user has been added, the Administrator can edit or make changes to a user's profile. Select the user that you want to modify by selecting the pencil icon on the row for that user. On the popup, you will see the fields that can be edited, such as Name, Roles, or Team.


Roles

Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the "Keeper Administrator" role underneath the "Root Node". Other users can be assigned this role as well.

The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role “Keeper Administrator” is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console.

Note: The "Keeper Administrator" role requires at least two users in this role. We strongly recommend adding a secondary admin to this role in case one account is lost or no longer accessible. The creation of other roles is not required, but highly encouraged.

Adding Roles

You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge section in this guide.

To add roles manually, select the "Roles" tab. Once on the Roles tab, navigate to the node that the role will belong to. Select the “+” button. An “Add Role” window will appear. Verify or select the appropriate Node in the organization tree (or set to Root Node). Add the name of the role you are creating in the “Role Name” field and select save. After the role has been created, you can configure the role enforcement settings, select the users to assign the role and set administrative permissions.

Role Enforcement Settings

Select the role that you want to configure enforcement settings for. The role dialog box will appear on the right. Now select the “Enforcement Settings” button. The “Enforcement Setting” dialog box will appear. The settings are structured into eight areas: Login Settings, Two-Factor Authentication, Platform Restriction, Sharing & Uploading, Account Settings, Transfer Account, Email Invites, and Advanced Settings.

Login Settings

Master Password Complexity

On this screen you have the ability to configure the Master Password Complexity settings for users that are assigned the selected role. Settings include: password length, special characters, how many uppercase letters, and how many digits will be required.

Master Password Expiration

Turning on this policy will require users to change the master password at the selected time interval. When this option is turned on, the “Master password expires every” option appears. To configure how many days a master password may be kept before it must be changed, select the setting and choose a value from 10 to 150 days.

If a user's Master password needs to be expired immediately, this can be done from the "Users" tab. Select the user(s) that you wish to expire the master password for and select "Expire Master Password" option on the top right of all the users. This will instantly expire a user's password and require a password reset.

Biometrics

iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support fingerprint login. By default, all fingerprint logins are allowed.

Two Factor Authentication

Turning on this policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.

More information on DUO Security and RSA SecurID can be found in the Two Factor Authentication section.

Platform Restriction

An admin can restrict the use of certain platforms (Web Vault, Extensions, Mobile and Desktop devices). By default all platforms are allowed.

Sharing & Uploading

Prevent record sharing outside of Keeper Enterprise

Turning on this policy will ensure records are not shared with users outside of your organization.

Prevent record sharing with anyone

Enabling this option will prevent your users from sharing records with anyone.

Prevent exporting of records from Web App and Desktop App

This will prevent your users from exporting their data from their Keeper Web and Desktop Apps.

Prevent user from uploading files

When this is enabled, your users will not be able to upload any files (e.g. photos, documents, attachments) to their Keeper vault.

Note: By default, all Sharing & Uploading restrictions are not enabled.

Account Settings

Restrict offline access

Toggling this on will prevent users from accessing their Keeper vault without an internet connection.

Prevent users from changing their email

Turning this on prevents users from changing their email address.

Restrictions Based on IP Addresses

Users within the specified role can be restricted from using Keeper outside of a specified IP address range. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login.

Logout Timer

Time limits can be set before a platform logs out the user. A time limit of 1, 2, 5, 10 or 30 minutes can be set for each platform.

Transfer Account

Enable Account Transfer

Select the role which can perform the account transfer

Note: Accounts can only be transferred after the user accepts the transfer account agreement upon Vault login.

For more in-depth information, refer to Account Transfer - Employee Offboarding

Email Invites

Don't send email invitations.

Advanced Settings

PBKDF2 Minimum Iterations

Increasing the PBKDF2 iteration count improves the level of security. However, certain desktop web browsers cannot handle a high iteration count, and users on those browsers will be unable to log in.

Role Enforcement Conflicts

If a user is a member of multiple roles with differing enforcements, all enforcements must be satisfied for all the roles the user is a member of. For example: Role A does not allow sharing. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A does not allow it.
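The conflict rule above, written out as an added example (not Keeper's own policy engine): every role's enforcements must hold at once, so the effective policy is the most restrictive combination. It goes beyond the text's sharing example to the other setting types this guide describes, treating boolean restrictions as ORed, minimums (password length, PBKDF2 iterations) as the maximum, the platform allow-list as the intersection and the logout timer as the shortest value; the role contents are illustrative.

```python
"""Effective-enforcement resolution for a user who belongs to several roles.

Added example, not Keeper's own code. Models the guide's rule that all
enforcements of all of a user's roles must be satisfied ("most restrictive
wins"). Setting names follow the enforcement areas described in the guide;
the role definitions at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ALL_PLATFORMS = frozenset({"web", "extension", "mobile", "desktop"})


@dataclass(frozen=True)
class Enforcements:
    # Sharing & Uploading restrictions (all off by default, per the guide)
    prevent_sharing_outside_enterprise: bool = False
    prevent_sharing_with_anyone: bool = False
    prevent_export: bool = False
    # Login / Advanced minimums (None = this role sets no requirement)
    min_password_length: Optional[int] = None
    min_pbkdf2_iterations: Optional[int] = None
    # Platform Restriction (all platforms allowed by default)
    allowed_platforms: FrozenSet[str] = ALL_PLATFORMS
    # Account Settings: logout timer in minutes (None = no timer set)
    logout_minutes: Optional[int] = None


def _max_opt(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Larger of two optional minimums; a missing value imposes nothing."""
    return b if a is None else a if b is None else max(a, b)


def _min_opt(a: Optional[int], b: Optional[int]) -> Optional[int]:
    """Shorter of two optional timers; a missing value imposes nothing."""
    return b if a is None else a if b is None else min(a, b)


def combine(a: Enforcements, b: Enforcements) -> Enforcements:
    """Return the single policy that satisfies both a and b simultaneously."""
    return Enforcements(
        prevent_sharing_outside_enterprise=(
            a.prevent_sharing_outside_enterprise or b.prevent_sharing_outside_enterprise),
        prevent_sharing_with_anyone=(
            a.prevent_sharing_with_anyone or b.prevent_sharing_with_anyone),
        prevent_export=a.prevent_export or b.prevent_export,
        min_password_length=_max_opt(a.min_password_length, b.min_password_length),
        min_pbkdf2_iterations=_max_opt(a.min_pbkdf2_iterations, b.min_pbkdf2_iterations),
        allowed_platforms=a.allowed_platforms & b.allowed_platforms,
        logout_minutes=_min_opt(a.logout_minutes, b.logout_minutes),
    )


def effective_enforcements(roles: List[Enforcements]) -> Enforcements:
    """Fold all of a user's role policies into one effective policy."""
    result = Enforcements()  # no roles at all: the unrestricted defaults
    for role in roles:
        result = combine(result, role)
    return result


def can_share(policy: Enforcements, recipient_in_enterprise: bool) -> bool:
    """Sharing decision a vault client reaches under the resolved policy."""
    if policy.prevent_sharing_with_anyone:
        return False
    if policy.prevent_sharing_outside_enterprise and not recipient_in_enterprise:
        return False
    return True


# The guide's example: Role A forbids all sharing, Role B only external sharing.
ROLE_A = Enforcements(prevent_sharing_with_anyone=True, min_password_length=12)
ROLE_B = Enforcements(prevent_sharing_outside_enterprise=True,
                      allowed_platforms=frozenset({"web", "desktop"}),
                      logout_minutes=30, min_pbkdf2_iterations=100000)

if __name__ == "__main__":
    policy = effective_enforcements([ROLE_A, ROLE_B])
    print("share with a colleague:", can_share(policy, True))  # False: Role A wins
    print("allowed platforms:", sorted(policy.allowed_platforms))
```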

Delegated Admin via "Administrative Permissions"

A role can be given Administrative permissions over the node (or sub-nodes) for which a role exists. This delegated administration allows different roles to have different permissions inside of the Admin Console.

An example of a role that can be created would be a “Delegated Admin" role. In this role the administrator can set up one or more Administrative Permissions that allow a user in the role to log in to the Keeper Admin Console and perform administrative functions. For example, the delegated admin can be given permission to create teams, add users, create or edit roles, run reports and perform account transfers. These permissions can be limited to a single node, or they can cascade down the tree structure to all the sub-nodes. In order to have the role applied to multiple nodes, simply select the + button after “Administrative Permissions” (see below) and add the node the role will manage. Each node a role manages has its own set of permissions, and those permissions can cascade down from that node. For example: suppose the role was created in the top-level root node and three other nodes were created under that top-level node. The Administrative Permission can be added at the top node, the privileges added, and “cascade node permissions” selected. This would then give those permissions on all four nodes to members of that role.

  1. To give Administrative Permissions to a Role, select the “+” button on the Role screen.
  2. Select a node. Select Save.
  3. Select the gear next to the node you added.


When "Cascade Node Permissions" is selected, the permissions will be applied to all sub-nodes of the parent node. It is important to note that Administrative Permissions cannot be added to a Role if one or more of its users are still in the "INVITED" status.



Manage Users The ability to add, remove, or edit users.
Manage Nodes The ability to add, remove, or edit nodes.
Manage Licenses The ability to manage and upgrade the organization's license capacity.
Manage Roles The ability to add, remove, or edit roles.
Manage Teams The ability to add, remove, or edit teams.
Manage Bridge The ability to add, remove, or configure the Enterprise Bridge settings.
Run Reports The ability to run and configure reports on usages within the admin console.
View Tree The ability to see the node structure.
Transfer Account The ability to transfer a user's vault.

Note: Only administrators who are a member of this role are able to check that box. If needed, you can add yourself to the role or another administrator within the role can set this permission. Once this box is selected, only members of this role can add members to this role.


Administrative Permission versus Role Enforcements

Both Administrative permissions and enforcements are configurable from within a role. "Enforcements" are rules or policies that apply to the end user's Vault experience and security. "Administrative Permissions" grant rights to perform certain actions within the admin console (also known as "delegated administration").

We recommend that only specific roles are given Administrative Permission, and the permission level should be based on the least amount of privilege required by that role.

For example, the default Keeper Administrator may have created a role called “Users” specifically to hold the policies that should apply to all users onboarded to the Keeper platform. If one of those users is intended to perform some administrative functions, it would not make sense to give the “Users” role the additional entitlements for that one user, since they would apply to every user in the role, which is not congruent with a least privilege security model. So instead of editing the “Users” role to add administrative permissions, it makes the most sense to create a new role called “Delegated Admin”, grant the administrative permissions to it, and make the user a member of that role.

Account Transfer - Employee offboarding

Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason is that Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. To preserve Keeper's zero-knowledge architecture, the exchange of keys occurs on the client, when the user logs into their vault. Therefore, the Account Transfer setup must be configured before a user's account can be transferred. A successful transfer requires that the user has logged in at least once after the setup and before the transfer action.

When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within user's vault while retaining a secure role-based hierarchy in the organization.

When to Enable Account Transfer

By default the Account Transfer permission is off. The Keeper Business administrator can optionally turn on the permission, which permits the contents of a user's vault to be transferred to another user. One important note is that this permission needs to be enabled before it is needed. For example, if “User A” has in their vault a password that gains access to a business-essential application or account that no one else in the organization can access, and “User A”, for any number of reasons, is no longer able to authenticate to their vault, the business may find itself in a tough situation to recover access. However, if the Account Transfer permission had been enabled in the default “Keeper Administrator” role (and any other role that should have the transfer capability) and the enforcement applied to the role that “User A” is a member of, the Keeper Administrator would have the ability to transfer the full contents of “User A's” vault to another user.

Why is the initial setup required?

When the decision is made to enable the Account Transfer feature on a particular role, all the users that are members of that role are subject to the possibility of having the entire contents of their vault transferred and their account deleted at will by the Keeper Administrator. After the enforcement setting is enabled, the users within the managed role will receive a pop-up message inside their vault informing them that the business has chosen to enable the capability of transferring their vault if needed. Each user will need to Accept that consent notification. Upon acceptance, Keeper performs the necessary encryption key exchange between users and roles to facilitate the data transfer in the future, if needed. Without this encryption key exchange, the administrator in the Admin Console would be unable to decrypt and transfer the data. The reason for this process flow is to maintain zero knowledge, and also to ensure that only specified users can be transferred or can perform the transfer. Once the vault has been transferred to another user, the transferred user's vault is deleted.

Will the administrator have full access to a user's vault?

No. While the Account Transfer feature does give the administrator the ability to migrate the entire contents to another user, it does not give the admin the capability to access the vault whenever they feel like it. The vault being transferred has to be locked first and after the contents are transferred the account gets deleted. The end user will receive notification when their account is locked by the admin and when it's transferred and deleted.

How to Enable Account Transfer Functionality

"Account Transfer" functionality must be enabled, and the user must log in to their vault (and accept the account sharing consent), before an administrator can perform a transfer. Below are the steps that must be performed.

  1. Enable the Transfer Account in the Administrative Permissions of the role that will have the ability to initiate the account transfer.

    Note: If the "Transfer Account" checkbox cannot be checked, it is because the user must be logged into an account that is a member of the role, like the default Keeper Administrator, that has the “Transfer Account” permission enabled.

    Simply add yourself to the role by selecting the plus button. After you are added to the role, you will be able to select the "Transfer Account" permission on that role. A role (e.g. the Keeper Administrator role) must have the permission enabled before any other role can be granted transfer account permission.

  2. Turn on the “Enable Transfer Account” option under the Sharing & Uploading section of the Enforcement Settings of the desired role.
  3. Select the administrative role that will have the ability to initiate a transfer (multiple roles may have the ability but only one role can be selected per enforcement).

    Note: Both new users as well as existing users will be notified and are required to acknowledge the organization's ability to transfer records from their vault. Users only have to agree to this consent one time, upon logging into the vault.

Performing an Account Transfer

  1. Lock the account of the user by selecting the lock icon inside the user's configuration panel under "User Actions" (the configured admin will only have the ability to transfer records from a locked user).

  2. The administrator selects the transfer icon inside the user's configuration panel under "User Actions". A window will open with a list of users. Select the user that will receive the transfer of records and select OK.

  3. The user's records are transferred and their account is permanently deleted.

Teams

The purpose of creating teams is to have logical groupings of individuals so that folders within the Keeper Vault can be shared with a collective group of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords), and adds the individual users to the team.

Adding a Team

Navigate to the "Teams" tab and select the “+” icon. The “Add Team” window will appear and you can add the name of the team that you are creating. Just like Roles, teams get added to the specific node that is selected.


Deploying Keeper to End-Users

Keeper works on every smartphone, tablet and computer. Keeper supports popular browsers including Chrome, Safari, Firefox, Edge and IE. Native app installation is available from the Keeper website and every public-facing app store (iTunes, Google Play, Microsoft Store, etc).

Keeper Web Vault

Many enterprise customers utilize the Keeper Web Vault, which is a fully featured web-based application. To access the Keeper Web Vault login, visit https://keepersecurity.com/vault

Desktop App Deployment

Benefits of Desktop App vs. Web Vault

The Desktop App has a few more capabilities than the Keeper Web Vault such as:

  • Ability to Autofill native apps using KeeperFill for Apps functionality
  • Ability to automatically import existing passwords without additional component installation
  • Offline access
  • Increased performance

Microsoft Windows .MSI file download vs .EXE file download:

  • .MSI is for multi-user or shared physical environments. This allows each user on a shared computer to have their own vault.
  • .EXE is for single user environments - one install per computer. Only one vault may be used per physical environment.
  • .EXE auto-updates, where .MSI does not.

.EXE installs to:

  • User preferences are stored in C:\Users\{username}\AppData\Roaming\Keeper Password Manager\
  • The application binary is installed to C:\Users\{username}\AppData\Local\keeperpasswordmanager\

.MSI installs to:

  • C:\Program Files\keeperpasswordmanager\

Microsoft Windows
32-bit EXE | 64-bit EXE | 32-bit MSI

Mac OS
Keeper for Mac

Linux
Keeper for Linux

Note: Keeper supports Fedora, Red Hat, CentOS, Debian, Ubuntu and Linux Mint.



Microsoft Store for Business - Offline Deployment

https://businessstore.microsoft.com/


Keeper Microsoft Store applications can be downloaded from the Microsoft Store for Business for offline deployment. A Microsoft account is required to log in. If the email address used is for an Azure domain the account must be authorized to access the store or be the primary admin on the Azure account.

Once logged in to the Microsoft Store for Business, settings need to be changed in order to display offline downloads for an application. Select Manage from the top bar…

Then select Settings from the left pane…

Enable showing offline files under Shopping Experience. This will then show a drop down option for each application in the store when the application is enabled for offline deployment.

Search for Keeper in the store. Select the Keeper Security application desired. A drop down menu will display titled License Type. The default selection will say Online. Change the drop down to the Offline option and select the Manage button.

The app will display with options to download…

Select the highest minimum version supported by the platforms where the deployment is intended. Select the Architecture and Language. The Download button next to Language will download a metadata file. This may be helpful for some deployment methodologies.

Once the Minimum Version and language have been selected scroll down to the Package details section.

Download the package and the license file. Scroll past the License file section and download any Framework packages available for the application. For the Keeper Edge Extension no Frameworks are required. For the Keeper Password Manager several Frameworks files are required. The application package does not include dependencies and cannot be deployed alone if Frameworks are required.

Once the metadata, package, framework and license files are downloaded they can be deployed through System Center Configuration Manager (SCCM). This MSDN blog post provides an example of how to create the application for deployment…

https://blogs.msdn.microsoft.com/teju_shyamsundar/2016/05/30/deploy-an-application-from-windows-store-for-business-via-system-center-configuration-manager/

Mobile App Deployment

Keeper for mobile and tablet devices can be deployed through the public-facing app stores. MDM solutions can also push these applications to end-user devices without any special requirements. When the users register or sign into an account, Enterprise enforcement policies are automatically applied.


Folders

Personal Folder

A personal folder is only visible by the user who created the folder. A personal folder can be made up of subfolders and records. A personal folder can also contain other shared folders and shared records.

Shared Folder

A shared folder can be shared to an individual Keeper user or to a Keeper Team. Shared Folder permissions can be applied to Users, Teams and Records.

When a user is provisioned to a Team through any of the previously described onboarding methods (Active Directory Bridge, SSO, Azure AD, SCIM, API, etc...) the user will instantly receive the shared folders for that team, and the records associated with those shared folders. When the user is removed from a team, they are revoked access from any shared folders and those folders are immediately removed from their vault.

Any user within the Keeper Vault can create a personal folder or shared folder (unless restricted by the Keeper Administrator).

Subfolders

Both personal folders and shared folders can be nested and can contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent.

  • If the parent folder is a shared folder and you move a personal folder into it - the personal folder will now inherit the permissions set from the shared folder, including the users that have permission to view and edit that folder and its records.
  • In the screen below, the Region 1 folder is not shared but 1 of its 2 subfolders is shared (Monthly Sales Projections) and has the shared folder icon. The records it contains are also shared and are displayed with the "shared record icon" to the right of the record name. Region 2 is a shared folder so all the records contained within its subfolders are also shared and have the "shared record icon". The permissions on the Region 2 shared folder also apply to its subfolders and records. Only the parent shared folder will receive the shared folder icon.

User and Team Permissions

There are 2 permissions available from the Shared Folder screen when adding users and teams, "Can Manage Records" and "Can Manage Users".

Can Manage Records

When this setting is checked, the user is able to add and remove records from the shared folder.

Can Manage Users

When this setting is checked, the user is able to add and remove other users & teams from the Shared Folder.

Record Permissions

Permissions on records within the Shared Folder can be individually controlled with "Can Edit" and "Can Share" permission. Records with "Can Edit" permission are editable by anyone in the shared folder. Records with "Can Share" permission are re-shareable by anyone in the shared folder.

Default Folder Settings

When creating a Shared Folder, we recommend setting the Default Folder Settings to ensure that records added to the folder by team members retain a desired set of permissions. By default, the permissions are least privileged access. Select "Default Folder Settings" and configure the 4 options:

Permission Description
"Can Manage Users" Users or teams added to the shared folder can add and remove other users and teams from the folder.
"Can Manage Records" Users or teams added to the shared folder can add and remove records from the folder.
"Can Edit Record" Users or teams added to the shared folder can edit the record contents.
"Can Share Record" Users or teams added to the shared folder can share the individual records in a different shared folder or with another individual.

Changing the default folder settings applies to only new users and records added moving forward. Therefore we recommend always setting default folder permissions when creating a new shared folder.

Managing Folders and Subfolders

A Folder and a Shared Folder are objects that are created independently of records. Keeper's implementation of Subfolders (Nested Folders) is powerful and flexible, providing Enterprise customers with the most secure encryption model while providing ease-of-use functionality like Drag & Drop.

  • A Folder can be made up of personal records, shared records or other subfolders.
  • Subfolders can be either shared or personal.
  • You can create an unlimited number of folders and shared folders.
  • A Shared Folder can be made up of an unlimited number of subfolders; each subfolder beneath a shared folder retains the permissions of the parent.
  • There is no limit to the folder tree depth.
  • A folder is a container of records and record references (shortcuts).
  • A Shared Folder is a container of records, with flexible user and team sharing capability.

Creating a Folder

To create a new Folder or Subfolder, select "Create New" then "Folder" or "Shared Folder". You can select the parent folder or select "My Vault" to add the folder at the root level.

To provision a Shared Folder to a Team, select the folder from the vault then select "Edit". From the "Users" screen select the Team and then assign the team level permissions.

To provision a Shared Folder to an individual user, select the folder from the vault then select "Edit". From the "Users" screen type in the user's email address or select from the drop-down of previously shared users then assign the user permissions.

Moving Records

A record can exist outside of a folder, inside a folder or inside a Shared Folder. A record can also be linked into multiple folders or Shared Folders. A linked record is also referred to as a "Shortcut" or a "reference". In either case, modifying a linked record will change it everywhere that it is referenced.

There are two ways to Move a record into a folder:

  • Drag & Drop the record from the left pane and select "Move" when prompted
  • Right-click a record from the left pane and select "Move to..."

Creating Record Shortcuts

To add a record to multiple folders (i.e. create a Shortcut), follow one of these methods:

  • Select the Folder and then select "Edit". In the "Add Records" search box, search for the records to add and select "Add". This method will always add a Shortcut (reference) to the folder.
  • Drag & Drop the record from the left pane and select "Create Shortcut" when prompted
  • Right-click a record from the left pane and select "Create Shortcut..."

Teams in Shared Folders

Teams are created by the Keeper Administrator, or any user who has been provided administrative permissions to the Keeper Admin Console for a specific node or organizational unit. There is no limit to the number of teams that can be created.

A team is made up of users within a node or sub-node. Teams can be provisioned in any of the below methods:

  • Manual creation in the Keeper Admin Console
  • Automatically provisioned through the Active Directory / LDAP Bridge software
  • Automatically provisioned through SCIM
  • Automatically provisioned through the Keeper Commander SDK

At the encryption layer, teams have a public and private key pair. In order to add a user to a team, you must first be a member of the team because you need to encrypt the Team Key with the recipient's public key. When the recipient logs into their vault, the Team Key is retrieved by decrypting it with the user's private key. This encryption process is automatically handled by the above provisioning methods.

Inside the Admin Console there are several team security options:

  • Individual users within the team can optionally hide shared folders from their own vault. This may be useful for Administrators who want to manage their teams but not see any of the shared folders in their own vault. To disable viewing shared folders, select "hide shared folders" in the team edit screen (hovering over the user name).

Creating Vault Records

A Keeper record can be any password, file or secret information that is stored in your encrypted vault. When a new user is onboarded to the Keeper platform, they are walked through a step-by-step guide to import existing passwords from their web browser, another password manager or a file upload. The user is also walked through the process of creating records manually from their desktop computer.

Automatic Browser Import

Keeper's Import Tool will seamlessly import passwords that are stored in Chrome, Firefox, Edge and IE web browsers on your computer. From the Web Vault or Desktop App, select "More" > "Import" then select "Start Import".

Import from Password Managers

Keeper supports drag-and-drop import of files from other password managers or text files. From the Web Vault or Keeper Desktop app, select "More" > "Import" and then select the file format. Select the "?" next to "Import Instructions" for a step-by-step guide to generating the proper file from the original password manager.

Bulk Import from .CSV File

File Format: Folder,Title,Login,Password,Website Address,Notes,Shared Folder,Custom Fields

  • To specify subfolders, use backslash "\" between folder names
  • To make a shared folder specify the name or path to it in the 7th field

Example 1: Create a regular folder at the root level with 2 custom fields

  • My Business Stuff,Twitter,marketing@company.com,123456,https://twitter.com,These are some notes,API Key,5555,Date Created, 2018-04-02

Example 2: Create a shared subfolder inside another folder with edit and re-share permission

  • Personal,Twitter,craig@gmail.com,123456,https://twitter.com,,Social Media#edit#reshare

In the preview screen, select the column header above each line to map the columns to the Keeper field.
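A parser for the bulk-import layout described above, as an added example (not Keeper's own import code and not part of the Commander SDK). It assumes the documented column order (Folder, Title, Login, Password, Website Address, Notes, Shared Folder, then Custom Fields as name/value pairs), that backslash separates subfolders, and that the "#edit" and "#reshare" suffixes on the Shared Folder field set the record permissions; the sample rows inside it are constructed, with an empty seventh column where no shared folder is wanted.

```python
"""Parser for the Keeper bulk-import CSV layout described in this guide.

Added example, not Keeper's own code. Assumes the documented column order
(Folder, Title, Login, Password, Website Address, Notes, Shared Folder,
Custom Fields as name/value pairs); sample rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Folder, Title, Login, Password, Website Address, Notes, Shared Folder
FIXED_COLUMNS = 7


@dataclass
class ImportRecord:
    folder_path: List[str]          # subfolders split on backslash; [] = vault root
    title: str
    login: str
    password: str
    url: str
    notes: str
    shared_folder: Optional[str]    # name (or path) of the shared folder, if any
    can_edit: bool = False          # "#edit" flag on the Shared Folder column
    can_share: bool = False         # "#reshare" flag on the Shared Folder column
    custom_fields: Dict[str, str] = field(default_factory=dict)


def split_path(raw: str) -> List[str]:
    """'A\\B\\C' -> ['A', 'B', 'C']; blank segments and surrounding spaces dropped."""
    return [part.strip() for part in raw.split("\\") if part.strip()]


def parse_shared_folder(raw: str) -> Tuple[Optional[str], bool, bool]:
    """'Social Media#edit#reshare' -> ('Social Media', True, True)."""
    if not raw.strip():
        return None, False, False
    name, *flags = raw.split("#")
    flag_set = {f.strip().lower() for f in flags}
    unknown = flag_set - {"edit", "reshare"}
    if unknown:
        raise ValueError(f"unknown shared-folder flag(s): {sorted(unknown)}")
    return name.strip(), "edit" in flag_set, "reshare" in flag_set


def parse_row(row: List[str]) -> ImportRecord:
    """Turn one CSV row into an ImportRecord; Title is the only required value."""
    if len(row) < 2 or not row[1].strip():
        raise ValueError("Title (2nd column) is required for every record")
    # Pad short rows so trailing optional columns may be omitted entirely.
    row = list(row) + [""] * (FIXED_COLUMNS - len(row))
    fixed, custom = row[:FIXED_COLUMNS], row[FIXED_COLUMNS:]
    if len(custom) % 2:
        raise ValueError("custom fields must come in name,value pairs")
    shared, can_edit, can_share = parse_shared_folder(fixed[6])
    return ImportRecord(
        folder_path=split_path(fixed[0]),
        title=fixed[1].strip(),
        login=fixed[2].strip(),
        password=fixed[3],          # never stripped: passwords may contain spaces
        url=fixed[4].strip(),
        notes=fixed[5],
        shared_folder=shared,
        can_edit=can_edit,
        can_share=can_share,
        custom_fields={custom[i].strip(): custom[i + 1].strip()
                       for i in range(0, len(custom), 2)},
    )


def parse_import_csv(text: str) -> List[ImportRecord]:
    """Parse a whole CSV body; each row may carry a different number of columns."""
    reader = csv.reader(io.StringIO(text))
    return [parse_row(row) for row in reader if any(cell.strip() for cell in row)]


# Constructed sample rows modelled on the guide's two examples (placeholder
# values, not real credentials). Row 1: regular root-level folder, empty
# Shared Folder column, two custom fields. Row 2: shared subfolder inside
# "Personal" with edit and re-share permission. Row 3: nested personal path.
SAMPLE_CSV = (
    "My Business Stuff,Twitter,marketing@company.com,123456,https://twitter.com,"
    "These are some notes,,API Key,5555,Date Created, 2018-04-02\n"
    "Personal,Twitter,craig@gmail.com,123456,https://twitter.com,,Social Media#edit#reshare\n"
    "Engineering\\Prod\\AWS,Console,ops@company.com,p4ss word,https://console.aws.amazon.com\n"
)

if __name__ == "__main__":
    for rec in parse_import_csv(SAMPLE_CSV):
        where = "\\".join(rec.folder_path) or "<root>"
        print(f"{rec.title:8} folder={where!r} shared={rec.shared_folder!r} "
              f"edit={rec.can_edit} reshare={rec.can_share} custom={rec.custom_fields}")
```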

Manual Record Creation

From any Keeper Vault application, select "Create New" > "Record" to add a record. When creating a record, a user may select the "Dice" icon to generate a strong password - with the ability to change the number of characters and if symbols, numbers, and capital letters are included. The "Title" is the only required field when saving a record.

Import from Commander SDK

The Keeper Commander SDK provides command-line or scripted capabilities to import records and folders into your Keeper Vault. Supported import formats are JSON, CSV, and Keepass.

  • JSON import files can contain records, folders, subfolders, shared folders, default folder permissions and user/team permissions.
  • CSV import files contain records, folders, subfolders, shared folders and default shared folder permissions.
  • Keepass files will transfer records, file attachments, folders and subfolders.

Most features available in the Keeper Admin Console are available through Commander's interactive shell and SDK interface. For more information, go to Keeper's GitHub repository.

Browser Extension

The Keeper Browser Extension for Chrome, Firefox, Safari, Edge and Internet Explorer browsers can be used to dynamically add records to your vault and Autofill passwords.

Download and install the Keeper Browser Extension from https://keepersecurity.com/download.html

Features of Browser Extension:

  • Create New records
    From any website login screen, select "Create New Record" and then fill in the appropriate fields. Select the check mark to save the record and autofill the login and password.

  • Prompt to Login
    If you're logged out of Keeper, you'll be reminded to sign in to Keeper when visiting a website login screen.
  • Prompt to Fill
    When visiting a website login screen, Keeper will ask you to automatically login with your saved password.
  • Auto Submit
    After autofilling your login, Keeper will automatically submit the website form and login to the website.

  • Prompt to Save
    When manually logging into a website with a new password, Keeper will ask you to save your password to your vault.
  • Prompt to Change
    On "Change password" web pages, Keeper will automatically generate a new password and fill old and new password fields.

Keeper Record Fields

A Keeper record is made up of the following fields:

  • Title
  • Login / Username
  • Password
  • Website Address
    The Website Address is required to Autofill forms in websites. For security reasons, the website address (e.g. google.com) must match the website that you are visiting.
  • Custom Fields
    Designating Custom Fields takes away the pain of having to manually copy and paste your information into websites. For example, a login page like the one shown from the Bank of Melbourne requires a “Card/Access Number” field, a “Security Number” and a “Password.” Matching the Custom Field name to the website's field title allows Keeper to auto-fill these fields with their values.

    Custom Fields may also allow the user to use the same record for multiple websites. For example, if a user has the same login and password for Amazon.com and eBay.com, the user may add the second website address as a Custom Field Value, and that single record will then recognize two different website logins, so the user does not have to create a record for each website where that username and password are used.
  • File Attachments
    File attachments can be any type of file, photo, video or other documents. An unlimited number of files can be attached to any Keeper vault record. File storage is an add-on subscription. If file storage is disabled, please contact your Keeper administrator or email sales@keepersecurity.com.
  • Notes

Individual Record Sharing

Keeper records can be shared on an individual basis with other Keeper users. Keeper sharing technology uses RSA encryption to exchange the individual record keys. Therefore, in order to share or transfer a record to another user, the recipient must first have a Keeper account. Attempting to share with a user who does not have a Keeper account will invite them to the platform. For more detailed information, visit Keeper's Security Architecture.

To share a Keeper record with another user, select "Options" > "Share" and then type in the email address of the recipient (or select from previously shared users). Edit and re-share permission can be applied to any shared records.

Role enforcement policies can be applied from the Keeper Admin Console to control the ability for records to be shared.

Only the owner of a record is able to delete a record. A non-owner may see a "Delete" button but this will only remove the record from the non-owner's vault. When the owner of a record deletes it from their vault, it will delete it from everyone's vault and across the system.

Transfer Ownership

Record ownership can be transferred to another Keeper user. To perform a transfer, select "Options" > "Share" and then type in or select the email address of the recipient. Select the "Make Owner" checkbox and select "Send". Note that after transferring record ownership, the record will no longer be accessible from your vault.

Version History

Every record created by a user is automatically backed up through the Keeper Cloud Security Vault architecture. Every record change is also backed up and a record version is created upon each change event. Each record is identified by a record UID and each record can have an unlimited number of version identifiers.

Version History is a critical capability to ensure that a password or record change is never lost by accident. Version History also ensures that a deleted record can be recovered.

When a record is deleted by the record owner, the record is moved to the "Deleted Records" trash bin. Records will remain in this location until the record owner explicitly empties the trash bin.

Users can view the Version History of any Keeper record by accessing the Keeper Web Vault or Keeper Desktop. Select the record, then select "Options" and "Record History".

Data Export

Keeper Web Vault and Keeper Desktop applications also include an "Export" capability which can be enabled by the Keeper Administrator. Exporting records from your vault can serve as a backup mechanism; however, the export does not retain any information about sharing relationships, folder structure or file attachments. If Export is allowed by the Keeper Administrator, we recommend that the customer stores the exported files in a secure location on an encrypted file system. The security and encryption model of Keeper purposely does not permit a Keeper Administrator to export user vaults. A user must be authorized on a Keeper record via the Team or User sharing capability in order to access and export vault information.


Two-Factor Authentication

Keeper supports popular methods of Two-Factor Authentication ("2FA") including Text Message, TOTP applications such as Google and Microsoft Authenticator, Duo Security, RSA SecurID and Keeper DNA (using Apple Watch and Android Wear devices).

Each user is able to individually configure their Two-Factor Authentication settings from their vault "Settings" screen. Certain 2FA methods such as Duo Security and RSA SecurID require the Keeper administrator to log in to the Admin Console and perform up-front configuration.

To access the Two-Factor Authentication configuration, visit the "2FA" tab of the Keeper Admin Console for the selected Node. 2FA methods and token retention behavior can also be enforced from the Role Enforcement policy screen. Role enforcement policies can enforce the use of 2FA channels on the specific node. Therefore, different nodes can be provisioned with different 2FA methods.

Text Message

Keeper supports Text Message (SMS) delivery of two-factor authentication codes. To select the Text Message method, visit the "Settings" or "DNA" screens within the Web App or Mobile App.

Google Authenticator (TOTP)

Download the Google Authenticator or any TOTP-compatible application on your mobile device and add a new entry by scanning the barcode Keeper provides.

Smart Watch

Keeper DNA uses the connected devices you own to create your unique profile which serves as a second factor to verify your identity and log you in. Keeper supports Apple Watch and Android Wear devices. To enable Keeper DNA 2FA method, visit the "DNA" screen on your iPhone or Android app.

RSA SecurID

To enable RSA SecurID, additional customer integration points are necessary. Please contact your Keeper account manager to initiate this integration at business.support@keepersecurity.com.

DUO Security

To activate Duo Security, follow the below steps:

  1. Make an account and log in to Duo.com. Select “Applications” on the left side menu list.
  2. Select "Protect An Application" to bring up a list of applications. Then select "Keeper Security" from the list.
  3. Copy the provided credentials from Duo's website (including the Secret Key, which needs to be selected to view).
  4. Return to Keeper's Admin Console and select the 2FA tab. Select the gear icon under Duo and paste in the information copied from Duo's site. Slide the switch to enable and select "Save".

Once activated, each individual user can enroll in Duo by logging into their Keeper app, going to Keeper's "Settings" or "DNA" screen, selecting "One-Time Passcodes" (or Two-Factor Authentication) and then selecting Duo Security. The user is then walked through a process to activate their device.

Security Keys (FIDO U2F)

Users can protect their Keeper vault with FIDO Universal 2nd Factor (U2F) compatible hardware security keys, including YubiKey, which provides secure and easy two-factor authentication (2FA). Security Keys are configured on the Keeper Web Vault or Keeper Desktop App.

To activate 2FA using Security keys, follow the steps below:

  1. Select "More" > "Settings" and then the "Security" tab.
  2. Set up and activate a standard 2FA method. This will be used as a backup method when your Security Key is not supported or not available. Google Auth or TOTP should be used as the fallback method instead of SMS; otherwise you will get an SMS code every time you log in with the security key. Keeper recommends using a TOTP (Google Auth or equivalent) generator for two-factor authentication to eliminate the possibility of SIM takeover attacks.
  3. Select "Setup" under the "Security Keys" section.
  4. Follow the on-screen prompts, give your Security Key a name and select "Register".
  5. If your Security Key has a button or gold disc (e.g. Yubico), press the button to register.

Keeper also supports FIDO U2F for both Chrome and Firefox.

How to enable FIDO U2F in Firefox Quantum:

  • Type about:config into the Firefox address bar.
  • Search for “u2f”.
  • Double click on security.webauth.u2f to enable U2F support.

Keeper SSO Connect

Keeper SSO Connect is a SAML 2.0 compatible Service Provider (SP) application that allows Keeper Business customers to seamlessly log in to their Keeper Vault using their existing identity provider (IdP). This application complies with Keeper's zero-knowledge security architecture while giving business customers the ability to provide seamless SSO login to their Keeper Vault.

Keeper SSO Connect is a software application that is installed on the enterprise customer's on-premise, private or cloud servers. Users' account master passwords are generated dynamically by Keeper SSO Connect and encrypted/stored locally on the installed computer.

For more in-depth information, refer to our Keeper SSO Connect Guide.

System Architecture

End-User Experience

System Requirements

  • Mac OS 10.7+
  • Windows 7+
  • Linux OS with Java 8

Installation & Setup

The steps for setting up Keeper SSO Connect are below:

  1. Enable SSO Connect on a node from the Keeper Admin Console
  2. Install Keeper SSO Connect on your server (supports Windows, Mac, Unix/Linux)
  3. Configure Keeper as a service provider on your existing Identity Provider

Keeper integrates out-of-the-box with several top Identity Providers. Please see the guides below for step-by-step integration with popular IdPs:

For more in-depth instructions on installation and setup, refer to our Keeper SSO Connect Guide.


Keeper Guides


Training and Support

Keeper Security provides our Enterprise customers with training, onboarding and individual end-user support through email, phone and live chat. We utilize web video tools for training and personalized support. To contact your business support team, please email business.support@keepersecurity.com.

Appendix

Whitelisting Keeper Security Applications

Please ensure that outbound TCP port 443 to keepersecurity.com is whitelisted on your firewall. EU customers should also whitelist keepersecurity.eu.

Whitelisting Keeper Security Emails

To ensure that emails from Keeper Security are reliably delivered to users, we recommend adding the following to your email server's filter whitelist:

Domain: keepersecurity.com
Email: support@keepersecurity.com, noreply@keepersecurity.com, business.support@keepersecurity.com

IP Senders: