Keeper eliminates standing access rights and enables Just-in-Time (JIT) access across all Windows, Linux and macOS endpoints.
Administrators simply deploy a lightweight agent that remove standing admin rights while enabling temporary, policy-based privilege elevation only when necessary. The system enforces customisable security policies through just-in-time access, with optional approval workflows and MFA enforcement.
All privileged actions are executed through ephemeral accounts that automatically revoke elevated access once tasks are complete. It works across Windows, macOS and Linux environments while providing visibility through a centralised dashboard that logs all elevation activities for auditing and compliance.
A Keeper agent is installed on every managed endpoint. This agent intercepts and evaluates privilege elevation requests based on defined organisational policies.
Administrators define elevation policies using the Keeper Admin Console. These policies determine what actions users can perform, what applications can be run with elevated privileges and whether approvals or MFA are required.
Users are not granted permanent local admin rights. Instead, Keeper Endpoint Privilege Manager temporarily elevates privileges for specific actions using ephemeral, Keeper-controlled accounts.
The Keeper Admin Console provides real-time visibility into all elevation activity, requests and policy applications across environments. Admins can review, approve or deny requests and view audit logs for compliance.
Users follow a simple elevation flow for applications or processes that require elevated permissions through the Keeper agent.
If an application or process requires elevation, the Keeper agent checks the relevant policy.
If approval is required, the request is routed to an admin via the Admin Console or Command Line Interface (CLI).
If no approval is needed, the elevation proceeds automatically. MFA enforcement is optional as an additional step.
Consistent management is enforced across operating systems, with platform-specific implementations tailored for Windows, macOS and Linux.
Information about end-user devices, applications and access requests is fully encrypted on the user's device and can only be decrypted by authorised administrators within the Keeper Admin Console. Keeper never has access to or visibility into customer data, end-user activity or application details - ensuring complete privacy and control always remain with our customers.
Temporary, system-generated privileged accounts are created and managed to perform specific elevated tasks, then automatically removed to ensure zero standing privilege and minimise security risk.
Restricts users and systems to only the minimum access rights necessary to perform their authorised tasks.
Utilises industry protocols and specifications to ensure systems can easily work together across different platforms and technologies.
Provides users with temporary elevated privileges only when needed for specific authorised tasks, automatically revoking these rights once the task is completed or after a predetermined time period.
Allows administrators to create customised, context-aware rules for privilege elevation that adapt to different user roles, applications and security requirements across the organisation.
Selectively grants elevated privileges to specific applications rather than to users, allowing necessary programs to perform administrative functions while maintaining overall system security.
Eliminates standing admin rights and enables just-in-time elevation only for approved applications to reduce attack surfaces and improve security.
Provides comprehensive audit trails of privilege usage and ensures adherence to regulatory requirements through documented administrative access control.
Reduces help desk workload by automating approvals for routine administrative tasks.
Allows users to complete necessary tasks without IT delays through automated privilege elevation for approved applications.
Enables organisations to efficiently enforce least-privilege policies and manage privileged access across thousands of Windows, macOS and Linux endpoints from a centralised platform.
Gives insight into elevation activity, approvals and endpoint policy enforcement with detailed logging and integration into SIEM tools for faster incident response.
Keeper Endpoint Privilege Manager is a Privilege Elevation and Delegation Management (PEDM) solution that enforces least-privilege access policies across endpoints in Windows, macOS and Linux environments. It eliminates standing local admin rights and provides Just-in-Time (JIT) elevation for both users and processes.
When approval is required, the user's access request is routed to a Keeper administrator and managed through the Admin Console or the Commander CLI. If no approval is needed based on the applied policy, the Keeper agent automatically allows the privilege elevation. In cases where MFA is enforced, the user is prompted to complete MFA before proceeding. This flexible approach supports both interactive and policy-driven JIT access across devices.
Through agent-based deployment on Windows, macOS and Linux, Endpoint Privilege Manager eliminates standing local admin rights and introduces process-level controls via just-in-time access. Users operate without persistent admin privileges, with privileged commands executed through Keeper-managed ephemeral accounts and roles, ensuring a true Zero Standing Privilege (ZSP) environment.
The Keeper platform supports a standards-based architecture, leveraging protocols like SPIFFE and MQTT to ensure secure, scalable integration. Policy enforcement is flexible and tailored to an organisation's risk tolerance, with granular controls available at both the machine and process levels.
The centralised dashboard offers a clear view of all recent events, including those in monitoring mode, and serves as the entry point for key workflows:
Keeper Endpoint Privilege Manager extends KeeperPAM's zero-trust approach by controlling the elevation of privileges directly on endpoints, complementing the secure connection capabilities of the broader PAM solution. While the rest of the KeeperPAM platform secures how users connect to systems, Endpoint Privilege Manager governs what administrative rights they can exercise once connected.
Admins running the Keeper agent see a desktop interface that displays all applied privilege policies and tracks their elevation requests. When a user attempts an action that requires elevated access, a prompt appears based on the organisation's policies.
Endpoint Privilege Manager can work seamlessly alongside LAPS in organisations that have already invested in LAPS deployment. In this complementary arrangement, LAPS can continue managing the rotation of local administrator passwords on domain-joined computers, while KeeperPAM handles credential management for domain accounts, service accounts and other privileged credentials that fall outside LAPS's scope. This integration preserves your existing LAPS investment while extending privileged access protection across more systems and account types.
Endpoint Privilege Manager enhances this security ecosystem by implementing least-privilege enforcement on endpoints. While LAPS focuses on securing the credentials of standing admin accounts, Endpoint Privilege Manager reduces the need to use those accounts in the first place by enabling temporary privilege elevation for specific tasks. Together, these solutions provide comprehensive coverage: LAPS secures local admin passwords, KeeperPAM manages and controls access to those credentials and other privileged accounts, and Endpoint Privilege Manager ensures users receive elevated privileges only when necessary and authorised.
Technical documentation for Keeper Endpoint Privilege Manager can be found here.
You must accept cookies to use Live Chat.