Feature request: force some security settings on Business accounts
We are currently deploying 1Password across our company, and I'd find it useful for owners to be able to force some settings for all employees, such as auto-lock settings, ssh-agent settings, the use of Windows Hello, etc. I understand that "Policies" don't currently govern the local settings of 1Password apps, but in the context of a business use, I think it would make sense to do so! Currently, the only solution is to write down a list of "best-practice / required settings", and hope that everyone will follow it (this is both fragile, and inconvenient for all employees to go through all settings).
(I also understand that a given 1Password app can connect to multiple accounts, incl. personal ones in addition to the business one; and that some settings would apply across the entire application. If we consider this is not ok, one could imagine that the client would make it possible for users to opt-out the automatic application of company settings, and this would only be flagged as such in the admin UI; at least this would cover the majority of use cases.)
I found similar requests that have been closed previously:
- https://1password.community/discussion/96220/feature-request-1password-for-teams-security-enforcement ==> " definitely an interesting idea. We are looking for ways to improve the business memberships." :-)
- https://1password.community/discussion/124018/feature-request-control-global-auto-lock-and-clipboard-options-as-admin
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Would MDM better fit your needs? About mobile device management Thank you for the examples. I'll get this before the team on your behalf.
0 -
Thanks @ag_tommy. IIUC, MDM is for iOS and Mac. In our case, the most important uses will be to secure the use of 1Password (1) under Windows (pro devices, but with no "group") and (2) for users' personal smartphones (BYOD...) connected to the 1Password Business account. We cannot control any setting on those personal smartphones, but to me, it still makes sense to have this level of control for the 1Password app (Windows, Android, iOS) from the 1Password admin dashboard since this is about the use of 1Password connected to the business account.
1 -
I would like to add +1 here; that is one of the longest parts of the initial setting for some of our employees at branch locations, where they have multiple computers they switch to.
Having more settings that we could either default or force them to would make the initial setup much easier.0 -
Thanks folks I've mentioned your request to the products team for further review.
ref: PB-40261059
1 -
In the changelog for 8.10.44 for Windows, I can see:
You’ll now see a message in Settings > Security if your app’s auto-lock settings are managed by an account administrator. #31297
This is quite intriguing and suggests some ways for administrators to manage such settings for all their business users. But I couldn't see where such config would happen in the admin panel, nothing about auto-lock it in Policies / App Usage for instance. So: what is this about, exactly :-) ?
0 -
Thanks for sharing the number in your original message; that was very helpful. I appreciate it. I talked with the team, and the feature is still in beta. That explains why I cannot see it in my testing account, as I keep it as close to everyday use as much as possible. When it exits beta, it should look something like this.
0 -
Excellent news, looking forward to getting this feature!
It would be great if other settings related to Auto-lock could also be enforced by administrators, such as, for Windows:
Similarly, being able to enforce e.g. "Require password = Every ..." on windows / smartphone would be great.
And ideally (do I ask too much...?), administrator should be able to specify different settings for various 1Password clients (Windows vs smartphones), and possibly also based on the user groups...
0 -
Another point : settings configured by Administrator could be interpret as minimum constraints, still letting users set up something more secure for their own application. E.g. if the admin says "Lock after 4 hours", some users could still decide to do "Lock after 5 minutes" but not "Lock after 12 hours".
0 -
Very good points. I am also the one in the group who would always pick the shorter period of time. :D So I'd be right there with you in your example.
Off-hand I'm not aware of any other changes just yet!? I suspect more may follow.
1 -
Something else which occurred to me, related to this feature : since a single 1Password client application can connect to multiple accounts, with different policies enforced by their respective administrators, there will need to be a way to combine such account policies; indeed there is a single "auto-lock" timeout for a given instance of the client app, even when connected to multiple accounts. Of course, the proposal of interpreting the admin policies as "minimum requirements" is compatible with that.
0 -
Ah! I see this is now available in beta (https://blog.1password.com/four-new-administrator-controls-1password-business/ ). Already applied!
0
