Policies allow a company to impose RoboForm settings upon their users. Through policies, security standards can be maintained, ensuring all users within a company are utilizing RoboForm in a secure manner.
Policies can be applied to all users within the company or just to particular groups. Read more about managing groups here.
Security & Access
These policies apply to the user’s Master Password as well as additional security measures that can be enabled for users' accounts.
Authentication:
Master Password Complexity: This policy enforces minimal Master Password complexity based on the following criteria.
- Minimum number of characters: The Master Password must be at least this long. This value cannot be less than 8.
- Minimum number of non-numeric characters: The Master Password must contain at least this many non-numeric characters. This value cannot be less than 4.
- Must include at least one uppercase and one lowercase alphabetical character: If checked, this condition will apply.
- Must include a numeric character: If checked, the Master Password must contain at least one number.
Master Password Rotation Time Enforced (days): If checked, users will be required to change (rotate) their RoboForm Master Password after the number of days specified in this policy.
Enforce Master Password history: If selected, users will be prohibited from reusing previous Master Passwords based on the number of changes specified in this policy.
Disable Master Password Change: If checked, users will be unable to change their Master Password.
New user temporary Master Password expiration timeout (days): When a RoboForm account is created a temporary Master Password is emailed to the user the account was created for. If this policy is enabled then the temporary password will expire after the number of days specified in this policy.
Disable Master Password Restore: This policy will prevent users from using the Master Password restore feature included in the RoboForm mobile app.
Enforce Auto-Log Off Time (minutes): If checked, users will be automatically logged off of RoboForm if they are inactive for the number of minutes specified in this policy.
Cache Master Password (Desktop Only): If checked and set to "Force caching of the Master Password", the user's Master Password will be cached locally and they will not need to log in to their account. If set to "Require Master Password authentication every time", this option will be grayed out for your users. This policy will only affect RoboForm desktop platforms, Windows or Mac, and web browser extensions.
- Disable Logoff (Desktop Only): If checked, users will be unable to log out of RoboForm.
Auto-Logout on User Switch or Lock Workstation: If checked and set to "Yes", users will be automatically signed out of RoboForm if their device is locked or the user profile is switched. If checked and set to "No", RoboForm will remain signed in in either of these events.
Disable authentication by PIN (Mobile Only): If checked, users will not be able to set a PIN as a sign-in method for RoboForm. This feature is only applicable to the RoboForm mobile application for Android and iOS.
Disable authentication by Biometrics (Mobile Only): If checked, users will not be able to set biometric authentication as a sign-in method for RoboForm. This feature is only applicable to the RoboForm mobile application for Android and iOS.
Device data deletion after 5 wrong Master Password entries (mobile only): If checked, the RoboForm mobile app will automatically wipe all locally stored RoboForm data if a user fails to enter their Master Password correctly five times consecutively. This will not affect any data stored on the RoboForm server or any other devices.
Two-factor authentication:
Enforce 2-Factor Authentication: If checked, users will be required to enter an OTP when signing into RoboForm from a new device or web browser.
- Disable One-Time Password SMS Delivery: If checked, users will be unable to receive OTPs via text messages to their phone.
- Disable Google Authenticator: If checked, users will be unable to receive OTPs via Google Authenticator.
New device enrollment: If checked and set to "Allow user to enroll new devices", a user's device is enrolled automatically when they provide an OTP, so they will not need to enter an OTP the next time they log in from that device. If checked and set to "Prevent user from enrolling new devices", users will never have their devices enrolled, which means they will need to provide an OTP every time they log in.
Device Enrollment Period (days): If checked, an OTP will enroll the user’s device for the number of days specified in this policy. After the enrollment period is over, a new OTP will need to be entered. This policy cannot be used if "Device Enrollment Period for OTP enforced (minutes)" is checked.
Device Enrollment Period for OTP enforced (minutes): If checked, an OTP will enroll the user’s device for the number of minutes specified in this policy. After the enrollment period is over, a new OTP will need to be entered. This policy cannot be used if "Device Enrollment Period for OTP enforced (days)" is checked.
Device & Access Controls:
Allowed IP address ranges: If checked, users will only be able to log in to their account from the IP addresses specified in this policy. Start each address or range on a new line, or delimit each entry with a ‘,’ or ‘;’. To list a range of addresses, use a ‘-’; use a ‘*’ to denote all numbers in that range.
Note: If the user is outside the allowed range of IP addresses then they will be unable to access their RoboForm account.
Device type access restriction: If checked, users will be unable to log in to their RoboForm account from the selected web browser/device.
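Because an address outside the "Allowed IP address ranges" list loses access entirely, it helps to test a draft list against known office or VPN addresses before saving it. The following is an added example, not RoboForm code: it assumes IPv4 only, that ‘*’ stands for trailing octets, and that a ‘-’ range runs from one full address to another; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of the policy field, using documentation-only address blocks.
SAMPLE_POLICY = "203.0.113.*; 198.51.100.10-198.51.100.20\n192.0.2.7"

def bounds(address):
    """Return the (lowest, highest) integer value of an IPv4 address with optional '*' octets."""
    octets = address.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted IPv4 address: {address!r}")
    # Assumption: '*' may only fill trailing octets, so the entry stays one contiguous block.
    first_star = octets.index("*") if "*" in octets else 4
    if any(o != "*" for o in octets[first_star:]):
        raise ValueError(f"'*' must cover the trailing octets: {address!r}")
    low = ".".join("0" if o == "*" else o for o in octets)
    high = ".".join("255" if o == "*" else o for o in octets)
    return int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))

def parse_allowed_ranges(policy_text):
    """Split the field on newlines, ',' or ';' and return a list of (low, high) pairs."""
    ranges = []
    for entry in re.split(r"[,;\r\n]+", policy_text):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            start, end = entry.split("-", 1)
            low, high = bounds(start)[0], bounds(end)[1]
        else:
            low, high = bounds(entry)
        if low > high:
            raise ValueError(f"range runs backwards: {entry!r}")
        ranges.append((low, high))
    return ranges

def is_allowed(ip, ranges):
    """True if the address falls inside any parsed range."""
    value = int(ipaddress.IPv4Address(ip))
    return any(low <= value <= high for low, high in ranges)

def locked_out(known_ips, policy_text):
    """Addresses from known_ips that the draft policy would refuse (check before saving it)."""
    ranges = parse_allowed_ranges(policy_text)
    return [ip for ip in known_ips if not is_allowed(ip, ranges)]
```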
RoboForm Data
These policies apply to how users are allowed to save and use RoboForm data.
Data type and storage:
Restrict RoboForm file creation by type: If checked, users will be unable to create data of the selected types.
Disable sync of user created RoboForm data: If checked and set to "Yes", any RoboForm data created by a user will not be synced to our server unless it is added to a RoboForm for Business company owned group. If checked and set to "No", any data a user creates will have an encrypted copy synced to our server.
Force user created data to be saved in company Groups only: If checked, users will be forced to save any RoboForm data they create in a RoboForm for Business group. If the user does not have at least regular permission in any group, they will not be able to create any RoboForm data.
Disable custom RoboForm data directory location (Windows only): If checked, users will be unable to change where RoboForm saves their data. RoboForm defaults to saving data in %appdata%\RoboForm.
Note: This policy is enabled by default.
Export & Import
Enable RoboForm data export: If checked, users will be able to export their personal data to a CSV file. If left unchecked then this feature will be disabled in their local application.
Enable Print: If checked, users will be able to utilize the print list feature to print their data or export it in a PDF format. If left unchecked then this feature will be disabled in their local application.
User side sharing
Disable sharing: If checked, users will be unable to send or share their RoboForm data with other users. If unchecked, administrators can set whether users can only share RoboForm data with other users in their company or with any other RoboForm user.
Emergency Access
Disable Emergency Access feature: If checked, the Emergency Access feature will be disabled. To limit the use of the Emergency Access feature, select one of the radio buttons. Users can be restricted to providing emergency access to the company admin, group manager, or other company members.
Backup & Restore
Disable Backup & Restore feature for user owned data: If checked, users will be unable to use the backup or restore features. Enabling this policy will not affect company administrators or group managers.
User Settings
These policies apply to the user’s settings in their RoboForm installations.
User Settings controls:
Enable new version notification (desktop only): If checked, users will receive notifications when new versions of RoboForm are available.
Offer to AutoSave: If checked and set to "Offer to AutoSave", RoboForm will automatically offer to save any submitted web form that contains a username and password combination for that form that RoboForm has not already saved. If checked and set to "No", users will need to manually prompt RoboForm to save new logins.
Offer to AutoFill: If checked and set to "Do not offer to AutoSave" RoboForm will automatically provide matching logins and identities applicable to any currently detected web forms. If checked and set to "No" users will need to manually prompt RoboForm to fill in logins and web forms.
RoboForm to work with applications (Windows only): If checked and set to "Yes", the RoboForm desktop application will automatically attempt to attach to local applications and capture and fill the user's credentials. If set to "No", this feature will be disabled entirely.
Launching executables from Application Logins (Windows only): If checked and set to "Enable", RoboForm will launch the corresponding application when an application login is used. If set to "Disable", RoboForm will not launch other applications.
Domains & Websites controls:
Domain Equivalences: If checked, RoboForm will consider the domains paired in the following field to be the same domain for the purpose of saving and using logins. Each equivalence should begin on its own line and use an “=” between each URL in the equivalence.
White List Domains: If this policy is checked, users will only be able to use RoboForm on the domains specified in this policy. Start each domain on a new line. Listing a domain will allow access to all of its sub-domains.
Blacklist Domains: If this policy is checked, users are unable to use RoboForm on any of the domains specified in this policy. Start each domain on a new line. Listing a domain will prevent access to all of its sub-domains.
Block AutoSave feature on these URLs: If this policy is checked, users will not be automatically prompted to create a new login when signing into any of the domains specified in this policy. Start each domain on a new line. Listing a domain will prevent access to all of its sub-domains.
Blacklist Applications: If this policy is checked, RoboForm will no longer attempt to attach to any of the applications specified in this policy. Start each application on a new line. The executable that launches the application needs to be listed in order to blacklist it correctly.
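To preview which sites a draft White List or Blacklist would cover, including sub-domains, the lists can be evaluated offline. This is an added example, not RoboForm code: the matching on whole domain labels, the blacklist taking precedence when both lists are set, and all names and sample domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample policy fields: one domain per line.
SAMPLE_WHITE = "example.com\nintranet.example.org\n"
SAMPLE_BLACK = "files.example.com\n"

def parse_domain_list(policy_text):
    """One domain per line; blank lines dropped, case and trailing dot normalized."""
    return {line.strip().lower().rstrip(".")
            for line in policy_text.splitlines() if line.strip()}

def host_of(url):
    """Extract the real host, ignoring any userinfo placed before an '@'."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")

def covered(host, domains):
    """True if host is a listed domain or one of its sub-domains.

    Whole labels are compared, so listing example.com never covers notexample.com.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def policy_permits(url, whitelist=None, blacklist=None):
    """Evaluate a URL against the parsed lists (None means the policy is unchecked)."""
    host = host_of(url)
    # Assumption: a blacklist match wins over a whitelist match.
    if blacklist and covered(host, blacklist):
        return False
    if whitelist is not None:
        return covered(host, whitelist)
    return True

def preview(urls, white_text, black_text):
    """Map each URL to the decision the draft lists would produce."""
    white = parse_domain_list(white_text)
    black = parse_domain_list(black_text)
    return {u: policy_permits(u, white, black) for u in urls}
```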