Evaluating 1P Business for public school use

Hi,

I work for a public school and we'd like to move a few staff to using a password manager that has the following capabilities/features:

  1. Works with Windows and macOS and has the ability to restrict users from downloading/installing the browser extension or desktop app on a non-approved device (we don't want it to be installed on mobile devices or devices that we don't manage using Intune and Jamf). I can't seem to find anything related to device approval in the support pages although a deauth is mentioned for lost devices.
  2. We have long periods of shutdown at the end of the year (at least a month) when the device may be turned off. We'd like the client to have the ability to cache the vault locally and not expire/expunge the contents of that vault automatically (or at the very least can be set to a timeout of more than a month). It's not clear to me if 1P expunges local vaults or not.
  3. We work with different consultants, partners, and other schools/orgs. We often have to share passwords with them. We'd like the ability to share a password with them whether they are 1P users or not. I know 1P can do this via guest sharing for individual items BUT we also often have different sets/collections of passwords to share with each partner so we'd like to create different "sets" that may contain/share the same items/passwords. To me, it sounds like I have to choose between being able to share individual items to guests OR sharing vaults to 1P users.
  4. If a password is shared with multiple partners, we'd prefer that when we update the password, the shared ones will get updated as well. It seems from this post that a copy has to be re-shared for the updated password to become available to others. It would be awesome to be able to create and share Vault-A, Vault-B and Vault-C where Vault A contains password1 and password2, Vault B contains password2 and password3 and Vault C contains password3 and password4.

Are these doable with 1P for Business?



Comments

  • Ben AWS Team

    Team Member

    Hi @M_Anon

    I'd be happy to help answer these questions. I would also suggest getting in touch with our sales team using this form (or calling the phone number indicated) to start the conversation from that end:

    Contact our sales team

    As to the technical questions:

    Works with Windows and macOS and has the ability to restrict users from downloading/installing the browser extension or desktop app on a non-approved device (we don't want it to be installed on mobile devices or devices that we don't manage using Intune and Jamf). I can't seem to find anything related to device approval in the support pages although a deauth is mentioned for lost devices.

    We do support Mac and Windows, along with Linux, iOS, and Android. 1Password Business has a setting which allows you to restrict access to "modern apps" to help prevent folks from getting out of date with the software. Additionally, individual vaults can be customized to disallow access from specific apps:

    For example, you might have a Financial vault that you don't ever want anyone to access from iOS or Android (if that were the case it would also be prudent to disable 1Password for Web). It is not currently possible to more broadly restrict everyone from using a particular platform, though, and everyone would always be able to access their Private/Personal vault from any of the compatible clients. The modern app rule would apply though, if enabled.

    We have long periods of shutdown at the end of the year (at least a month) when the device may be turned off. We'd like the client to have the ability to cache the vault locally and not expire/expunge the contents of that vault automatically (or at the very least can be set to a timeout of more than a month). It's not clear to me if 1P expunges local vaults or not.

    This is the de facto way that 1Password works. As it stands there is no expiration on the local cache: it is kept indefinitely.

    We work with different consultants, partners, and other schools/orgs. We often have to share passwords with them. We'd like the ability to share a password with them whether they are 1P users or not. I know 1P can do this via guest sharing for individual items BUT we also often have different sets/collections of passwords to share with each partner so we'd like to create different "sets" that may contain/share the same items/passwords. To me, it sounds like I have to choose between being able to share individual items to guests OR sharing vaults to 1P users.

    There are two options for sharing items with 1Password: sharing a vault, or sharing a copy of an individual item. If you're going to be sharing more than a couple of items with someone, I'd recommend going the vault route.

    For the former, the person must have an account within your membership. If they only need very limited access, a guest account may be appropriate. Guests do not have their own Private/Personal vault within your membership, and they can only be granted access to one vault. For the latter option, the end user does not have to have a 1Password account (inside your membership or otherwise).

    Items can only exist in a single vault. You can create copies of an item into another vault, but the copies will not be linked in any way to the original. If, for example, you update the password on the original item, the copies would not change. This is also true of the individual item sharing mechanism: updating the original item does not update the shared copy.

    To best achieve what you're looking for I would suggest considering breaking items into more vaults than it sounds like you're currently considering, and then granting the appropriate people access to those vaults. With this, you likely wouldn't make extensive use of guests or item sharing. That way you only have to maintain a single copy of an item across your organization.

    If a password is shared with multiple partners, we'd prefer that when we update the password, the shared ones will get updated as well. It seems from this post that a copy has to be re-shared for the updated password to become available to others. It would be awesome to be able to create and share Vault-A, Vault-B and Vault-C where Vault A contains password1 and password2, Vault B contains password2 and password3 and Vault C contains password3 and password4.

    I got a little ahead of myself with the above answer, and I think I largely covered this there. In this case I'd suggest 4 vaults, each with their respective item. Then you can individually grant access as you've described and multiple copies aren't necessary. The one downside to this approach is that it does make the use of guests less practical, but that may be a worthwhile tradeoff.

    Also worth noting you can build groups, and the groups can have access to vaults. So if you do end up with a lot of separate vaults that have overlap, you can dole out access to all of them in one shot through the use of a group. This can help prevent having as many individual one-off permissions:

    Use custom groups in 1Password Business

    I hope that's helpful! If we can be of further assistance, please don't hesitate to contact us.

    Ben
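
The vault layout suggested in the reply above, worked through as an added example (not part of the original thread and not 1Password code): items are grouped by the exact set of partners that need them, so every item lives in one vault and a password change is made once. It generalizes the thread's Vault-A/B/C case to any overlap; the partner labels and `shared-...` vault names are hypothetical.

```python
from collections import defaultdict

# Constructed input: the overlapping sets described in the question.
THREAD_SETS = {
    "A": {"password1", "password2"},
    "B": {"password2", "password3"},
    "C": {"password3", "password4"},
}

def plan_vaults(partner_sets):
    """Partition items so each item is stored in exactly one vault.

    partner_sets maps a partner (or custom group) to the items it needs.
    Items with an identical audience share a vault.
    Returns {vault_name: {"items": [...], "audience": [...]}}.
    """
    audience_of = defaultdict(set)
    for partner, items in partner_sets.items():
        for item in items:
            audience_of[item].add(partner)

    by_audience = defaultdict(list)
    for item, audience in audience_of.items():
        by_audience[frozenset(audience)].append(item)

    plan = {}
    for audience, items in by_audience.items():
        name = "shared-" + "+".join(sorted(audience))  # hypothetical naming
        plan[name] = {"items": sorted(items), "audience": sorted(audience)}
    return plan

def access_for(plan, partner):
    """Vaults that must be granted to a partner's group."""
    return sorted(v for v, spec in plan.items() if partner in spec["audience"])

def visible_items(plan, partner):
    """Items the partner ends up seeing; should equal its requested set."""
    return sorted(i for v in access_for(plan, partner) for i in plan[v]["items"])

def guest_eligible(plan, partner):
    """Per the reply, a guest can be granted only one vault."""
    return len(access_for(plan, partner)) == 1

if __name__ == "__main__":
    plan = plan_vaults(THREAD_SETS)
    for partner in sorted(THREAD_SETS):
        print(partner, access_for(plan, partner), guest_eligible(plan, partner))
```

For the thread's three sets this yields four vaults, and no partner can be a guest because each needs two vaults, which is the tradeoff the reply mentions.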
