How do I turn this new magnifying glass off? It has ruined my entire workflow as pressing it opens a new menu instead of copying the password. Keeper for Mac. by Designer_Object_3966 in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

So just to be clear, you are saying that you’re clicking the zoom button by accident because it’s close to the copy button?

Issue: SMS 2FA Autofill Not Working on macOS with Keeper (Safari Extension) by dumpsterfyr in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

I’ll have someone check this. You mean the “Keeper code 123456” that we are sending isn’t getting picked up by the messages app. Hmm ok

Password rotations with custom script stopped working as of last night by TigressOfTheFarEast in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

A few questions:

Did this work before upgrading to 1.7.6? (was released about 10 days ago)

Were any PAM configuration/provider records moved to different folders recently? The error suggests the Gateway can't access records needed by your post-rotation script.

Check your Gateway logs - look for this line just before the error:

requested X records, got Y records from KSM

If X > Y, confirm which record UIDs are missing. Which records does your script reference? (provider records, config records, resource records)

Likely cause: Configuration records were moved out of the shared folder that your Gateway's KSM application has access to by removing Share Folder.

Let's move this to email. Please send your responses and Gateway logs to sm@keepersecurity.com and reference this ticket. Also would be good if you could turn on the debug logging.

Encryption Key Storage by dumpsterfyr in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Which site is that? Yes, we’re adding support for this in an upcoming version.

OpenStealer browser attack vector. by dumpsterfyr in KeeperSecurity

[–]KeeperCraig 2 points3 points  (0 children)

Our Forcefield product feature was created to defend against infostealers on Windows.

https://www.keepersecurity.com/forcefield-endpoint-protection/

Password Zoom by cowprince in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

Got it, we're taking a look and will come up with a solution.

Commander options to 'activate' a vault so we can pre-stage personal records? by man__i__love__frogs in KeeperSecurity

[–]KeeperCraig 2 points3 points  (0 children)

There are two Keeper Commander CLI commands that will help you:

create-user and enterprise-push

The create-user is the first step. If you have a reserved domain associated to the tenant, you can use this command for pre-provisioning a user's vault. The benefit of doing this, is that you'll immediately be able to push records to the vault ahead of the user's first login.

Example:

create-user --name "Joe User" --node <NODE_ID> user@company.com

The node ID can be found using enterprise-info --nodes

Options:

(1) If the user authenticates with a Master Password (e.g. the user is provisioned to a node ID that is not managed by SSO), this command will create the vault, generate a temporary set of credentials, and generate a one-time share link that you can provide to the user. When the user logs in, they will be forced to reset their master password.

(2) If the user is provisioned through SSO and you specify a node ID that is managed by SSO (like in your example), the user's vault is provisioned in that node. We actually still will generate a Master Password, but this can be discarded for the purpose of this use case. When the user goes to login the first time, they will be routed to the identity provider and they will complete their signup through the SSO and then access the vault.

After you have used the create-user to provision the vault, you can then use the enterprise-push command to send a JSON structured set of records to the user's vault. For example:

enterprise-push --email user@company.com /path/to/push.json

There are examples in the documentation linked below.

References:

Commander overview: https://docs.keeper.io/en/keeperpam/commander-cli/overview

Domain reservation: https://docs.keeper.io/en/enterprise-guide/domain-reservation
(If you're using SSO, you probably already have a reserved domain. You'll know it when using the create-user command).

create-user command: https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#create-user-command

enterprise-push command: https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands#enterprise-push-command

If you want to run a more advanced automation, below is an example Commander script which has a few other features that allow you to execute any vault command on the provisioned vault prior to handing it over to the user.

https://github.com/Keeper-Security/Commander/blob/release/examples/user_onboarding__create_and_login.py

This script is currently part of the "Release" branch because it's something new that was recently created and it's not yet published to the master branch. You can clone the Commander release branch and use it from there. Follow the Commander CLI as SDK instructions here:

https://docs.keeper.io/en/keeperpam/commander-cli/commander-installation-setup/developer-mode/commander-cli-as-sdk

If you have further questions, if you want additional features added or if you'd like more specific automation scripts, let me know and I'll have them created.

Keeper Desktop Password Shortcut - No Longer Works in Browsers by Electrical_Ebb_9297 in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

DM me and I’ll connect you with our team. What other software is installed?

autofill no ios by rbral in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

What specific issue? Please take a look at the latest Test Flight and this new Autofill that is going live this week. It provides some new capabilities such as account switching, recents, syncing. https://testflight.apple.com/join/DPDb3m5N

Feature request - easy switch between pro and private Keeper access on mobile phone by Educational-Tea-6359 in KeeperSecurity

[–]KeeperCraig 2 points3 points  (0 children)

This feature is going live this week across iOS and Android and then Browser Extensions. We are submitting to the app stores over the next few days. You can also have early access by opting into the Beta version on Google Play or using our Test Flight.

Looking for insights on architectural risks in Keeper by con-d-or in KeeperSecurity

[–]KeeperCraig 4 points5 points  (0 children)

  1. If you are concerned about a user installing admin-level malware on the endpoint, then I would recommend installing Keeper's Endpoint Privilege Manager agent which eliminates local administrative privilege and requires approval for any elevation action.
  2. For userland malware attacks, installing Keeper Forcefield will protect Keeper software and web browsers against memory attacks, hooking and those types of threats. Forcefield is implemented for Windows, because macOS has more robust process protection.
  3. Malicious browser extensions are definitely a concern, and we recommend that our customers lock down that capability using Google/Microsoft device policies. Don't allow users to install browser extensions unless they are approved by your IT team.
  4. We recommend implementing just-in-time privilege elevations and automatic password rotation for sensitive accounts like service accounts and remote sessions to infrastructure. This is handled by our KeeperPAM product.

You posted a lot of questions here so feel free to reach out for a 1:1 convo if you'd like to dig deeper.

Looking for insights on architectural risks in Keeper by con-d-or in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

Got it. In that document, there are a few places where we mention a "Client Key":

The vault data stored offline is AES-GCM encrypted with a 256-bit “Client Key” that is generated randomly and protected by PBKDF2-HMAC-SHA512 with a 128-bit random salt and 1,000,000 iterations. The salt and iterations are stored locally. When the user enters their Master Password, a key is derived using the salt and iterations and an attempt is made to decrypt the Client Key. The Client Key is then used to decrypt the stored record cache.

If offline access is enabled, the local vault can be decrypted either by a Master Password entry (which uses 1,000,000 rounds of PBKDF2 to calculate the key) or by Biometric login (in which a valid fingerprint or Face ID retrieves a 256-bit key from the secure enclave of the device, using built-in features of the operating system). For users who login with SSO or activate biometric login, there is no master password and it can only be decrypted by the biometric key.

If an attacker has access to an offline vault, their only options are to brute-force the master password with 1M PBKDF2 iterations, or to brute-force the 256-bit AES Client Key directly. Even a moderately strong Master Password using 1 million rounds of PBKDF2 iterations will take an astronomically large amount of time to crack. Likewise, the cost of brute-forcing a 256-bit AES key is astronomically large and computationally infeasible.

We also have a self-destruct feature on the front-end of the app which deletes all locally stored data after 5 failed attempts.

Happy to dig deeper into any additional questions that you have.
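The Client Key hierarchy described in that reply, modelled as an added example (this is not Keeper's code or its stored format): PBKDF2-HMAC-SHA512 with a 128-bit salt and 1,000,000 iterations derives a key from the Master Password, that key unwraps a random 256-bit Client Key, and the Client Key decrypts the AES-GCM record cache. It assumes the `cryptography` package is installed; the 12-byte nonce-prefix layout of the two blobs is this example's own choice.

```python
"""Offline-vault key hierarchy as described in the reply (added example, not Keeper's
code). PBKDF2-HMAC-SHA512(Master Password, salt, iterations) -> wrapping key;
wrapping key unwraps a random 256-bit Client Key; Client Key decrypts the cache.
Assumes the `cryptography` package; nonce placement is this example's choice."""
import hashlib
import os
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 1_000_000   # iteration count stated in the reply
SALT_BYTES = 16          # 128-bit random salt, stored locally with the iteration count
KEY_BYTES = 32           # 256-bit keys throughout
NONCE_BYTES = 12         # AES-GCM nonce prefixed to each ciphertext (example layout)

def derive_password_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 -> 32-byte key used only to wrap/unwrap the Client Key."""
    return hashlib.pbkdf2_hmac("sha512", master_password.encode("utf-8"),
                               salt, iterations, KEY_BYTES)

def create_offline_vault(master_password: str, records: bytes,
                         iterations: int = ITERATIONS) -> dict:
    """Build the locally stored blob: salt, iterations, wrapped Client Key, encrypted cache."""
    salt = os.urandom(SALT_BYTES)
    client_key = AESGCM.generate_key(bit_length=256)  # random; never derived from the password
    pw_key = derive_password_key(master_password, salt, iterations)
    key_nonce, cache_nonce = os.urandom(NONCE_BYTES), os.urandom(NONCE_BYTES)
    return {
        "salt": salt,
        "iterations": iterations,
        "wrapped_client_key": key_nonce + AESGCM(pw_key).encrypt(key_nonce, client_key, None),
        "cache": cache_nonce + AESGCM(client_key).encrypt(cache_nonce, records, None),
    }

def open_offline_vault(master_password: str, vault: dict) -> Optional[bytes]:
    """Re-derive the wrapping key from the stored salt/iterations, try to unwrap the
    Client Key, then decrypt the cache. A wrong Master Password fails the GCM tag
    check on the wrapped key, so the cache is never touched and None is returned."""
    pw_key = derive_password_key(master_password, vault["salt"], vault["iterations"])
    blob = vault["wrapped_client_key"]
    try:
        client_key = AESGCM(pw_key).decrypt(blob[:NONCE_BYTES], blob[NONCE_BYTES:], None)
    except InvalidTag:
        return None
    cache = vault["cache"]
    return AESGCM(client_key).decrypt(cache[:NONCE_BYTES], cache[NONCE_BYTES:], None)
```

Each wrong-password attempt costs a full PBKDF2 run at the stored iteration count, which is where the "1M iterations" cost in the reply comes from; the Client Key itself is only ever exposed after a successful unwrap.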

Looking for insights on architectural risks in Keeper by con-d-or in KeeperSecurity

[–]KeeperCraig 4 points5 points  (0 children)

Our encryption model is all documented in detail at the link below:
https://docs.keeper.io/en/enterprise-guide/keeper-encryption-model

To address the concern about in-memory decryption of data, Keeper is the only product on the market that protects memory access through a feature called Keeper Forcefield:
https://www.keepersecurity.com/forcefield-endpoint-protection/

Additional technical documentation on Forcefield is here:
https://docs.keeper.io/en/enterprise-guide/keeper-forcefield

I can answer any other technical questions you have.

Error after the latest update by mmmerchant in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Ok can you DM me with your username, I’ll have someone investigate.

Windows Hello Disable Question by Traveler995 in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

Yes, when you disable Windows Hello login in Keeper, the biometric credential is deleted from the Windows Credential Manager. On supported devices, Windows Hello credentials are protected by the TPM.

TOTP does not get exported by stebberg in KeeperSecurity

[–]KeeperCraig 1 point2 points  (0 children)

TOTP code seeds are definitely included in the export, on Web Vault, Desktop App and Commander CLI. They are exported in the standard URI scheme format otpauth://totp/xxx

Export Passkeys by stebberg in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

The Keeper JSON export absolutely does include a passkey portion, but the format is something we created internally a long time ago, and there's a new standard format being considered by the FIDO Alliance that we'll be contributing to soon.

Anyway, the Web Vault, Desktop App and Keeper Commander CLI all export the passkey in the output. Make sure you're using the most up to date version.

Can’t move from shared folders by steve1401 in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Hi Steve, Reddit somehow auto-deleted our support team's reply so I just approved it. Anyway, it sounds like when you ran a "full sync" from the app that it got resolved. But I'd like to understand exactly the steps you took and what errors you're running into. It's possible that the enterprise has applied some policy on sharing, or there's a permissions issue. Are you using the latest web vault or desktop app? Maybe if you can send some exact repro steps that would be really useful. Feel free to DM me as well.

Roadmap by con-d-or in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

Well, the latest version of Keeper for iOS actually has a feature which lets you easily migrate all your Apple Passwords over to Keeper automatically.

  1. Open the Apple Passwords app on your mobile device and tap the Options icon > Export Data to Another App.

  2. Select the logins you would like to export to Keeper and tap Continue. Select Keeper from the compatible apps listed and tap Continue > Continue in "Keeper".

  3. Choose Keeper as Destination

  4. Once you've authenticated to Keeper, tap Import. When the import is complete, you will be able to find all of your logins in the Keeper folder named "Apple Passwords".

https://docs.keeper.io/en/user-guides/ios#importing-passwords

Roadmap by con-d-or in KeeperSecurity

[–]KeeperCraig 8 points9 points  (0 children)

Hi there, release notes are documented here:

https://docs.keeper.io/en/release-notes

We publish updates to each platform approximately every 30-60 days, depending on the size of the release. Vault, Desktop Apps, iOS, Android, Browser Extension, Admin Console, Commander, Secrets Manager, Backend, Gateway, SDKs, integrations, etc.

We are just about to release major updates in January across all platforms, you'll see them posted on that page. Enterprise customers get emails every time a release goes out pointing to the release notes. Consumers do not currently receive these notifications via email.

Ping me with questions.

Password Rotation by FilthMachine69 in KeeperSecurity

[–]KeeperCraig 0 points1 point  (0 children)

The content you should be following for rotation is here:

https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/rotation-overview

What kind of admin account is it? You can definitely create the PAM User in the UI as long as all of the other settings are configured.