We're excited you have chosen Keeper to protect your business. This guide will provide valuable information on how to quickly onboard your employees and use the powerful features of the Keeper Administration Console.
Within this guide are screenshots of the Admin Console and the Web Vault. When demonstrating features and functionality within the end-user Vault, we focus all examples on the Web Vault, however most features are also available within Keeper's native mobile, tablet and desktop applications.
|Keeper Web Vault||Browser-based end user vault. Users login to the Web Vault to access and manage their passwords and private information.|
|Keeper Admin Console||Administrators and "Delegated Admin" roles with Administrative Permissions can login to the web-based console to manage their organization.|
|Cloud Security Vault||Keeper's backend cloud-based infrastructure hosted with Amazon AWS. Details on Keeper's security architecture included in this document.|
|AD Bridge||Windows application that connects to Active Directory or LDAP and synchronizes users, roles and teams with an existing organizational structure.|
|Native Mobile App||iOS, Android, Windows Phone, Surface applications available for download from their respective app store.|
|Native Desktop App||Windows, Mac & Linux desktop application.|
|Thin Client App||Web Vault application which does not provide offline access.|
The Keeper Admin Console
Customers who purchase Keeper for Business are provided administrative controls in a highly secure zero-knowledge architecture called the Admin Console. The Admin Console is a cloud-based application that provides full configuration and management of your Keeper for Business account including user onboarding, role-based enforcement policies, delegated administration, team creation, two-factor authentication and other advanced account settings.
Admin Console Link
Creating your Keeper Admin Console Account
After purchasing Keeper for Business (or upon launch of your Free Trial) you will receive an email invitation that contains a link to the Keeper Admin Console to complete your account profile. This Keeper account that you create will inherit the Keeper Administrator role. For this reason, we suggest that you chose a strong master password, security question and immediately enable Two-Factor Authentication from the Account Settings screen within the Vault or Admin Console.
When you first login to the Admin Console it will bring you to the "Admin" tab. From here, you can access Nodes, Users, Roles, Teams, Keeper Bridge and License. On-screen guides will highlight the main functional area.
Planning your Keeper Rollout
Keeper is easy to deploy to your users in the organization, and our flexible tools provide many options in your rollout plans. To get started, we recommend that you consider the organizational structure of your Keeper account. The building blocks of Keeper's security model are Nodes, Users, Roles and Teams which are covered in detail throughout this document.
All users who join the organization's Keeper subscription will be responsible for managing their own encrypted vault. Their vault is protected by a self-chosen Master Password which is used to encrypt and decrypt the user's "data key" which is then used to encrypt their data.
We recommend separating your personal, private records from your business records by creating two separate user accounts. When enforcements are applied to the enterprise (such as Account Transfer privileges), users who have personal records mixed with business information risk having their personal information transferred.
When preparing for a rollout, you can consider one of the following options:1. Manual invitation (One-by-one or CSV import)
Organizations with a small number of users can simply add users manually through the Admin Console by clicking on the "Users" tab. Users will then be added to the Root Node. For a more advanced node structure, refer to the advanced section on nodes.2. Keeper Bridge (for AD/LDAP integration)
To provide larger organizations a more seamless onboarding and offboarding process Keeper has the ability to mirror and map the organizational structure in Active Directory / LDAP with the Keeper AD Bridge software. To download and authorize the Keeper Bridge, click on the "AD Bridge / SSO" tab within the Admin Console.3. Keeper SSO Connect
For organizations that currently use a SAML 2.0-compatible SSO identity provider (such as Okta, F5 Access Policy Manager, OneLogin, etc...), Keeper SSO Connect can be deployed as a SAML 2.0 service provider. Users on the SSO Connect platform do not need to manage their own master password, and onboarding is achieved dynamically upon successful SAML authentication. To set up and access the SSO Connect functionality, please contact your Keeper account manager at firstname.lastname@example.org.
To manually add a user, first select the node where the user will be placed (by default, users will be added to the Root Node). Click the “+” button and a “Add User” window will appear. Add the name of the user in the “Name” Field, the email address in the “Email Address” field, and select the “Add User” button. The email address will represent the user's Keeper user ID.
Users can also be imported via CSV file using the following format: Email, Address, Name, Role.
When users are added, they will receive an email invitation that contains an activation code and link to the Keeper Web Vault where they can complete their account registration. Any Keeper native app or web app can be used for account signup.
When a user accepts the invitation to Keeper, they choose their own Master Password, Security Question & Answer and optional Two-Factor Authentication method. If Two-Factor Authentication enforcements are turned on for their assigned role, the user will be forced to choose a method.
Searching for a User
In the Search Field, click on "Show Filter." Ensure the Users radio button is selected in the Filter and type the name of the user to be searched. Additional filter selections can be made on "Active," "Invited," "Locked" and "Disabled."
Editing/Making Changes to a User
Once the user has been added, the Administrator can edit or make changes to a user's profile. Select the user that you want to modify by clicking on the user. On the popup, you will see the fields that can be edited, such as Name, Roles, or Team.
Users can be in one of 4 states: Invited, Active, Locked, Blocked.
|INVITED||User has been invited to join Keeper but has not completed their account setup yet. User can be re-sent the invitation by clicking on the "Resend Invite" button.|
|ACTIVE||User has created their Keeper account and joined the organization.|
|LOCKED||User has been suspended (either manually by clicking on the Lock Account button or automatically via AD Bridge). To manually lock a user account, click on the "Lock" button.|
|BLOCKED||If Account Transfer enforcement policy is applied to the role which the user belongs, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent, their account will be blocked. Clicking the "Extend Transfer Acceptance Consent" icon will extend the time limit for another 7 days.|
Additional user actions that can be performed from the "Users" screen. Icons only show if an action is relevant to that user's account.
|Edit a user||Allow the change of a user's name.|
|Transfer Account||If Account Transfer is active on the user's role and the currently logged-in administrator has the Administrative Permission to perform a transfer, this action will move all records and shared folders from the user's account to a destination user account. Account must first be locked before you can perform a transfer. After transfer is completed, the user account is deleted. More information on the Transfer Account action is detailed throughout this document.|
|Delete User||Click the Trash Can Icon to delete a user account.
Note: this action cannot be undone. All of this user's owned vault records will be immediately deleted, and they will be removed from all Roles, Nodes and Teams.
|Lock Account||To suspend an account to prevent the user from accessing their Vault, you can just lock the account by clicking on the Lock Icon. This retains the user's owned records but blocks their access to their Keeper Vault. Any records and Shared Folders created by that user will still be accessible to other shared users and teams.|
|Expire Master Password||To expire a user's master password outside of the enforcement policy periodicity click on the master password expiration icon. This functionality allows the administrator to specifically target a user to rotate their master password if a potential compromise is suspected.|
|Extending Transfer Acceptance Consent||If Account Transfer enforcement policy is applied to the role which the user belongs, they have 7 days to accept the consent request that is presented to them from within their vault. If a user has not accepted the consent, their account will be blocked. Clicking the "Extend Transfer Acceptance Consent" icon will extend the time limit for another 7 days.|
Transferring a User's Account
IMPORTANT: Account Transfer is an optional feature that should be configured by the Keeper Administrator during the initial deployment phase of the Keeper rollout. The reason for this is because Account Transfer relies on the sharing of encryption keys between users that have rights to perform the transfer. The exchange of keys occurs when the user logs into their vault to retain Keeper's Zero Knowledge infrastructure. Therefore, the Account Transfer setup must be configured prior to the user's account being transferred. A successful transfer requires that the users had logged in at least once prior to the transfer action.
When an employee leaves the organization, an administrator with the proper Administrative Permissions can transfer a user's vault to another user within the organization. This account transfer functionality is an important and powerful way to take ownership of the content within user's vault while retaining a secure role-based hierarchy in the organization.
Setting up Account Transfer is described in detail in the "Account Transfer Functionality" section below. Account Transfer is configured with very specific paths based on the user's role. For example, an Engineer could only be transferred by the Engineering Manager, and the Engineering Manager's account can be transferred only by the CEO.
To perform an account transfer, first LOCK the user account which you will be transferring (this is to ensure that you don't transfer the account by accident). Then click on the Transfer button: Only active users which you currently have the rights to perform the transfer on will appear in the dialog. Select the user who will receive all of the records and click OK to perform the transfer. The user being transferred will be immediately deleted and their vault records are now owned by the new user, including any shared records & folders.
Roles provide the organization the ability to define enforcements based on a user's job responsibility as well as provide delegated administrative functions. By default the account registered to the Keeper for Business company profile is assigned the "Keeper Administrator" role underneath the "Root Node". Other users can be assigned this role as well.
The number of roles a business creates is a matter of preference and/or business need. At its simplest configuration the default role “Keeper Administrator” is applied to the initial administrator who set up the Keeper account for the organization as well as any other user who you wish to grant full admin rights. Roles can be assigned enforcement policies, and they can be assigned administrative permissions for access to the admin console. The creation of other roles is not required, but highly encouraged.
You can add roles manually through the Admin Console or via Active Directory through the Keeper Bridge. To learn more about how to add users through Active Directory, please refer to our Keeper AD Bridge section in this guide.
To add roles manually, click on the "Roles" tab. Once on roles tab you can navigate to the specific node in which the role is to be part of. Click on the “+” button. An “Add Role” window will appear. Verify or select the appropriate Node in the organization tree (or set to Root Node). Add the name of the role you are creating in the “Role Name” field and click on save. After the role has been created, you can configure the role enforcement settings, select the users to assign the role and set administrative permissions.
Role Enforcement Settings
Click on the role that you want to configure enforcement settings for. The role dialog box will appear on the right. Now click on the “Enforcement Settings” button. The “Enforcement Setting” dialog box will appear. The settings are structured into seven different areas: Login Settings, Two-Factor Authentication, Platform Restrictions, Sharing & Uploading, Account Settings, Email Invites, and Advanced Settings.
On this screen you have the ability to configure the Master Password Complexity settings for users that are assigned the selected role. Settings include: password length, special characters, how many uppercase letters, and how many digits will be required.
Master Password Expiration
Turning on this policy will require users to change the master password at the selected time interval. When this option is turned on the “Master password expires every” option appears. To configure the number of days that the master password must be changed click the setting and choose one of the selections from 10 to 150 days.
iOS, Mac OS (Mac Store), Windows 10 (Microsoft Store) and Android platforms support fingerprint login. By default, all fingerprint logins are allowed.
Two Factor Authentication
Turning on this policy will require users to select and set up a 2FA method when setting up their Keeper profile. Existing users will be forced to enable 2FA if this enforcement is applied.
More information on DUO Security and RSA SecurID can be found here.
An admin can restrict the use of certain platforms (Web Vault, Extensions, Mobile and Desktop devices). By default all platforms are allowed.
Restrict offline access
Turning this on will prevent users from accessing their Keeper vault without internet access. Toggle this on to enforce.
Restrict email change
Turning this on prevents users from changing their email address.
You can select how often your users backup their data to Keeper's Cloud Security Vault. Simply click the drop down menu to select how frequently you would like this to happen.
Restrictions Based on IP Address
Users within the specified role can be restricted from using Keeper outside of a specified IP address range. The IP address must be your external (public) address as seen by the Keeper infrastructure at the time of user login.
Time limits can be set before a platform logs out the user. Time limits from 1, 2, 5, 10, and 30 minutes can be set on specific platforms.
PBKDF2 Minimum Iterations
The number of rounds performed during the client-side encryption login process. A higher value will increase your security but also increase your login time. Note that users may be required to install Keeper Desktop software locally on their computer in order to support higher iteration levels on Edge, Safari and Internet Explorer web browsers.
Role Enforcement Conflicts
If a user is a member of multiple roles with differing enforcements, all enforcements must be satisfied for all the roles she is a member of. For example: Role A does not allow sharing. Role B does not allow sharing outside of the Keeper Account. The user will be unable to share to anyone because Role A does not allow it.
Adding Users to a Role
Selecting the “+” button next to the User section within the Role settings will bring up a “Select User to Add to Role Name” window. This will allow you to search for users, in any node, and add them to the selected role.
Note: Only active users can be added to a role with any administrative privilege. If a user is still in the “invited” state, he or she must activate their account profile from the invitation email.
The purpose of creating teams is to have logical groupings of individuals for the ability to share folders within the Keeper Vault to collective group of individuals. The administrator simply creates the team, sets any Team Restrictions (edit/viewing/sharing of passwords), and adds the individual users to the team.
The administrator who creates the team is automatically added to the team in order to have the permissions to manage the team users and set the global settings on the team. Removing the admin from the group will orphan the group if there are no other users with the Administrative Permission to manage teams.
In summary: Nodes are organization containers, Roles define enforcement policies and grant admin permissions to users who are their members, and Teams are grouping of users for the purpose of seamlessly sharing records within the Keeper Vault.
Adding a Team
Navigate to the "Teams" tab and click on the “+” icon.
The “Add Team” window will appear and you can add the team name that you are creating. Just like Roles, the teams will get added to the specific node that is selected.
Once the team is created, select the team name on the left, and in the right panel it will display editable options. The Team name, "disable record re-shares", "disable record edits", "disable viewing passwords", Node and Users can be configured. To delete a team, click on the trashcan icon.
Team Restrictions (Disable record edits, etc) are explained in detail below in the section titled "Team-Level Shared Folder Restrictions."
Hide Shared Folder
Clicking the "Hide Shared Folders" checkbox will hide Shared Folders which have been shared to this team for a particular user within the team. The purpose of this is to allow an admin to be a member of a team so that she can share the team encryption keys, but not have to receive the records associated with the team. This is not for security, since she could always click off the Hide Shared Folders, but rather for convenience so she doesn't get a lot of unwanted records in her vault.
There are 2 permissions available from the Shared Folder screen when adding users and teams, "Can Manage Records" and "Can Manage Users".
Can Manage Records
When this setting is checked, the user is able to add and remove records from the shared folder.
Can Manage Users
When this setting is checked, the user is able to add and remove other users & teams from the Shared Folder.
Default Folder Settings
Any user with "manage" privileges can set default permissions to a shared folder under the "Default Folder Settings" screen. When a new user or record is added to the shared folder, the permissions selected will apply to all new entries. This feature is useful when large amounts of records or users are added that use the same permissions. Note: The owner or user with "manage" privileges can override the default settings.
Individual Record Sharing and Ownership
In addition to sharing an entire folder, users can easily share a vault record directly to another user. To share an individual record, click on the "Share" button and then select "Share with User".
Transfer Record Ownership
In addition to sharing a record either as a stand alone entity or as part of a shared folder, a record can be transferred to a user making them the owner. Once ownership is transferred to another user, it will no longer be accessible from your vault.
To transfer ownership follow the following steps:
1. Highlight the record to be transferred.
4. Either select a user from recommendations or type in a user's email address. Check “Make Owner” and then click Send.
5. After clicking send confirm the transfer of the record to finalize the transfer by clicking “OK.”
Ownership and Deleting Records
Only the owner of a record is able to delete a record. A non-owner may see a "Delete" button but this will only remove the record from the non-owner's vault.
When the owner of a record deletes it from their vault, it will delete it from everyone's vault and across the system.
Vault Backup and Recovery
A user's encrypted vault is synchronized via the Keeper Cloud Security Vault to ensure the contents of their vault are always accessible from any client (web app, desktop app, mobile app), in essence being backed up all the time. To add an additional layer of protection, backups can be performed on a routine basis to empower the end user to perform a restore from a snapshot in time.
As part of a role enforcement policy, the interval to which prompted backups are required for the end user can be configured by the Keeper Administrator in the admin console.
We recommend setting a the automatic backup time to no less than 10 days, because users will be interrupted in their workflow to create the backup on the web-based applications.
The steps to perform a backup are as follows:
1. The user will log into their vault and will be prompted for a backup.
2. The user fills out the fields: Title/Description, Security Question, and Answer.
4. The the user will receive success notification on screen.
The steps to perform a restore:
1. Within the Web App, click on the backup icon.
2. On the Cloud Backup & Restore window click on the “Restore Now” button.
3. On the Cloud Data Restore window, click the “Send Verification” button to send the verification code to the email address used for backup.
4. In the email that was sent copy the verification code.
5. Paste the code received in the email into the Cloud Data Restore window and click proceed.
6. Select the backup snapshot you wish to restore.
7. Answer the question that was selected/created in the backup process and click “Restore Now."
Important Restore Considerations
The backup and restore functionality of Keeper is a full vault restore - all records are replaced by the records contained in the backup file for the records owned by the user performing the restore. This will have consequences on the workflow in the organization due to the fact that outgoing shares (both direct shares and records in Shared Folders) will be removed by the restore action. Shared records will need to be re-shared by the user who performed the restore to the designated users and Shared Folders.
Nodes and Organizational Structure
Nodes are a way to organize your users into distinct groupings, similarly to organizational units in Active Directory. The administrator can create nodes based on location, department, division or any other structure that makes sense. By default, the top-level node, or "Root Node" is set to the organization name, and all Nodes can be created underneath.
Nodes are not visible or configurable by default. To activate the Node configuration, click on "Advanced Configuration" and then enable "Show Node Structure". If you do not require organizational units leave this feature turned off.
Smaller organizations might choose to administer keeper as single level, meaning no additional nodes are created by the Keeper Administrator. In this scenario, all provisioned users, roles, and teams are accessed from the default Root Node. The advantage to this configuration is there is no additional navigation required to find objects as they are listed under the default root level and easily accessed by navigating to the appropriate tab (user, role, teams).
Larger organizations may find benefit in organizing locations or departments into organizational containers called "Nodes". Users can then be provisioned under their perspective node and have roles configured to match the specific needs of the business. One of the advantages in defining nodes is help support the concept of delegated admins. A delegated administrator can be granted some or all of the Administrative permissions but only on their perspective node (or sub nodes) to help reduce administration from the primary Keeper Administrators.
When the Keeper Bridge is installed for Active Directory synchronization, AD Organizational Units are identified as Nodes. Users and security groups within specific organizational units in Active Directory will be placed in the corresponding Node in the Keeper Admin Console.
Adding Nodes Manually
To manually create Nodes and Sub Nodes, click the “+” button. The “Add Node” window will appear. Type the name of the Node in the “Node Name” field and select the node where you want the new node to be added in the tree structure.
Nodes and Administrative Permissions
If nodes are enabled either via Active Directory integration or configured from the Admin Console, the placement of the role is important with regards to where the administration permissions begin.
Placement of the role at the top level, “AD Root” will allow the permissions to flow down to any of the sub-nodes if the “Cascade Node Permissions” attribute is checked. If the role is placed in the “Sacramento” node, with the “Cascade Node Permissions” attribute checked then the permissions apply to that node and its two sub-nodes but not to the “East Coast” node. If the “Cascade Node Permissions” attribute was not checked in the above examples then the role permissions is only applied the the specific node to which it belongs.