Policies allow a company to impose RoboForm settings upon their users. Through policies, security standards can be maintained, ensuring all users within a company are utilizing RoboForm in a secure manner.
Policies can be applied to all users within the company or just to particular groups. Read more about managing groups here.
Security & Access
These policies apply to the user’s Master Password as well as additional security measures that can be enabled for users' accounts.
Authentication:
Master Password Complexity: This policy enforces minimal Master Password complexity based on the following criteria.
- Minimum number of characters: The Master Password must be at least this long. This value cannot be less than 8.
- Minimum number of non-numeric characters: The Master Password must contain at least this many non-numeric characters. This value cannot be less than 4.
- Must include at least one uppercase and one lowercase alphabetical character: If checked, this condition will apply.
- Must include a numeric character: If checked, the Master Password must contain at least one number.
Master Password Rotation Time Enforced (days): If checked, users will be required to change (rotate) their RoboForm Master Password after the number of days specified in this policy.
Enforce Master Password history: If selected, users will be prohibited from reusing previous Master Passwords based on the number of changes specified in this policy.
Disable Master Password Change: If checked, users will be unable to change their Master Password.
New user temporary Master Password expiration timeout (days): When a RoboForm account is created, a temporary Master Password is emailed to the user the account was created for. If this policy is enabled, the temporary password will expire after the number of days specified in this policy.
Disable Master Password Restore: This policy will prevent users from using the Master Password restore feature included in the RoboForm mobile app.
Device data deletion after 5 wrong Master Password entries (mobile only): If checked, the RoboForm mobile app will automatically wipe all locally stored RoboForm data if a user fails to enter their Master Password correctly five times consecutively. This will not affect any data stored on the RoboForm server or any other devices.
Passwordless Unlock:
Passwordless Unlock Methods (Desktop and Browser Extensions): Policies that govern what passwordless unlock methods users are allowed to use when signing in from the RoboForm desktop application or web browser extension.
- Disable locally stored passkeys: If checked, users will not be able to sign in using a passkey stored on their device.
- Disable remotely stored passkeys: If checked, users will be unable to sign in using passkeys stored on other devices such as hardware tokens or mobile devices.
Passwordless Unlock Methods (Mobile Apps): Policies that govern what passwordless unlock methods users are allowed to use when signing in from the RoboForm mobile app.
- Disable device biometrics unlock: If checked, users will be unable to set biometric authentication, such as Face ID, Touch ID, or other biometric tools, as a sign in method for the RoboForm mobile app.
- Disable PIN: If checked, users will be unable to set a PIN code as a sign in method for the RoboForm mobile app.
- Disable passkeys: If checked, users will be unable to set a passkey as a sign in method for the RoboForm mobile app.
Auto-lock conditions (Desktop and Browser Extensions): If checked, the following option will be set as the automatic lock condition for each user's RoboForm desktop application and web browser extension.
- On device Lock or after X minutes of inactivity: If checked, RoboForm will automatically lock after the device has been inactive for the set period or when the device locks.
- Never auto-lock RoboForm: If checked, RoboForm will never lock, even if the device is locked or the user's web browser is closed.
Disable manual lock: If checked, users will be unable to manually lock RoboForm. Once the user has signed in, RoboForm will remain unlocked until it is explicitly signed out or reinstalled. This policy will not affect the RoboForm mobile app.
Two-Factor Authentication:
Two-Factor Authentication Controls (Web, Desktop and Browser Extension): If checked, the following option will define when users are prompted to complete a two-factor authentication prompt when signing into RoboForm using the desktop application, web browser extension, or website.
- Only on a new or unenrolled device: If checked, users will only be prompted to complete two-factor authentication when signing in from a new or unenrolled device.
- New device enrollment control: If checked, the following policy will define when a user's device is enrolled. If left unchecked, users will be able to choose what devices to enroll.
- Always enroll new devices: If checked, any device a user signs in from will be enrolled.
- Disable new device enrollment: If checked, users will not be able to enroll any device; they will be required to complete two-factor authentication each time they sign in.
- Device enrollment period (days): If checked, two-factor authentication will enroll the user’s device for the number of days specified in this policy. After the enrollment period is over, a new two-factor authentication prompt will need to be completed. This policy cannot be used if "Device enrollment period (minutes)" is checked.
- Device enrollment period (minutes): If checked, two-factor authentication will enroll the user’s device for the number of minutes specified in this policy. After the enrollment period is over, a new two-factor authentication prompt will need to be completed. This policy cannot be used if "Device enrollment period (days)" is checked.
- On every Unlock and Log In: If checked, users will not be able to enroll any device; they will be required to complete two-factor authentication each time they sign in.
- Disable two-factor authentication (not recommended): If checked, users will never be required to complete two-factor authentication when signing in. Two-factor authentication is an additional layer of security that prevents malicious actors from gaining access to a user's account. We recommend leaving two-factor authentication enabled for your users.
Two-Factor Authentication Controls (Mobile Apps): If checked, the following option will define when users are prompted to complete a two-factor authentication prompt when signing into RoboForm using the mobile app.
- Only on a new or unenrolled device: If checked, users will only be prompted to complete two-factor authentication when signing in from a new or unenrolled device.
- New device enrollment control: If checked, the following policy will define when a user's device is enrolled. If left unchecked, users will be able to choose what devices to enroll.
- Always enroll new devices: If checked, any device a user signs in from will be enrolled.
- Disable new device enrollment: If checked, users will not be able to enroll any device; they will be required to complete two-factor authentication each time they sign in.
- Device enrollment period (days): If checked, two-factor authentication will enroll the user’s device for the number of days specified in this policy. After the enrollment period is over, a new two-factor authentication prompt will need to be completed. This policy cannot be used if "Device enrollment period (minutes)" is checked.
- Device enrollment period (minutes): If checked, two-factor authentication will enroll the user’s device for the number of minutes specified in this policy. After the enrollment period is over, a new two-factor authentication prompt will need to be completed. This policy cannot be used if "Device enrollment period (days)" is checked.
- On every Unlock and Log In: If checked, users will not be able to enroll any device; they will be required to complete two-factor authentication each time they sign in.
- Disable two-factor authentication (not recommended): If checked, users will never be required to complete two-factor authentication when signing in. Two-factor authentication is an additional layer of security that prevents malicious actors from gaining access to a user's account. We recommend leaving two-factor authentication enabled for your users.
Two-Factor Authentication Methods (All Apps): This policy defines what two-factor authentication methods users are allowed to use.
- Disable SMS: If checked, users will not be able to set a text message via SMS as their two-factor authentication method.
- Disable Authenticator App: If checked, users will not be able to set a third-party time-based one-time password (TOTP) authenticator as their two-factor authentication method.
- Disable Passkeys: If checked, users will not be able to use passkeys stored on remote devices, such as phones or hardware security keys, as their two-factor authentication method.
Device & Access Controls:
Allowed IP address ranges: If checked, users will only be able to log in to their account from the IP addresses specified in this policy. Start each address or range on a new line, or delimit each entry with a ‘,’ or ‘;’. To list a range of addresses, use a ‘-’; use a ‘*’ to denote all numbers in that range.
Note: If the user is outside the allowed range of IP addresses then they will be unable to access their RoboForm account.
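A pre-deployment check for the allow list described above, as an added example that is not RoboForm code: it parses a policy field and reports which known addresses no entry covers. The IPv4-only syntax (`a.b.c.*` wildcards, `start-end` ranges between two full addresses) and all sample values are assumptions built from the delimiters this page names.

```python
import ipaddress
import re

# Constructed sample policy field (documentation address ranges, not real data).
POLICY = "203.0.113.*\n198.51.100.10-198.51.100.20; 192.0.2.7, 192.0.2.9"


def compile_entry(entry):
    """Turn one allow-list entry into a predicate over IPv4Address objects."""
    if "-" in entry:
        # Assumed range form: two full addresses joined by '-'.
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry!r}")
        return lambda ip: lo <= int(ip) <= hi
    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {entry!r}")
    for o in octets:
        if o != "*" and not (o.isdigit() and int(o) <= 255):
            raise ValueError(f"bad octet {o!r} in {entry!r}")
    # Assumed wildcard form: '*' stands for every value of that octet.
    return lambda ip: all(o == "*" or int(o) == b for o, b in zip(octets, ip.packed))


def parse_allow_list(text):
    """Split on newline, ',' or ';' (the delimiters the policy accepts)."""
    entries = [e.strip() for e in re.split(r"[,;\r\n]+", text) if e.strip()]
    return [(e, compile_entry(e)) for e in entries]


def locked_out(policy_text, addresses):
    """Return the addresses that no entry covers, i.e. users who could not log in."""
    rules = parse_allow_list(policy_text)
    return [a for a in addresses
            if not any(match(ipaddress.IPv4Address(a)) for _, match in rules)]


if __name__ == "__main__":
    # Constructed addresses: office egress, VPN pool, and two that fall just outside.
    known = ["203.0.113.55", "198.51.100.15", "198.51.100.21", "192.0.2.8"]
    print("would be locked out:", locked_out(POLICY, known))
```

Running it against the administrators' own egress addresses before enabling the policy shows whether the policy would lock them out as well.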
Device type access restriction: If checked, users will be unable to log in to their RoboForm account from the selected web browser/device.
Disable Log Out and Account Switching (Desktop and Browser Extensions): If checked, users will be unable to log out after signing in. This will effectively block the ability for users to switch between RoboForm accounts. To use a different RoboForm account on this device, RoboForm will need to be reinstalled.
Offline Access Control: Policies that control whether users can sign into RoboForm without connecting to the RoboForm server. These policies do not affect company administrators.
- Disable offline access on Desktop and Browser Extensions: If checked, users will be unable to sign into the RoboForm desktop application or web browser extension while offline. An internet connection with the RoboForm server is required to verify credentials and enforce policies before unlocking.
- Disable offline access on Mobile Apps: If checked, users will be unable to sign into the RoboForm mobile app while offline. An internet connection with the RoboForm server is required to verify credentials and enforce policies before unlocking.
RoboForm Data
These policies apply to how users are allowed to save and use RoboForm data.
Data type and storage:
Restrict RoboForm file creation by type: If checked, users will be unable to create data of the selected types.
Disable sync of user created RoboForm data: If checked and set to "Yes", any RoboForm data created by a user will not be synced to our server unless it is added to a RoboForm for Business company owned group. If checked and set to "No", any data a user creates will have an encrypted copy synced to our server.
Force user created data to be saved in company Groups only: If checked, users will be forced to save any RoboForm data they create in a RoboForm for Business group. If the user does not have at least regular permission in any group, they will not be able to create any RoboForm data.
Disable custom RoboForm data directory location (Windows only): If checked, users will be unable to change where RoboForm saves their data. RoboForm defaults to saving data in %appdata%\RoboForm.
Note: This policy is enabled by default.
Export & Import
Enable RoboForm data export: If checked, users will be able to export their personal data to a CSV file. If left unchecked then this feature will be disabled in their local application.
Enable Print: If checked, users will be able to utilize the print list feature to print their data or export it in a PDF format. If left unchecked then this feature will be disabled in their local application.
User side sharing
Disable sharing: If checked, users will be unable to send or share their RoboForm data with other users. If unchecked, administrators can set whether users can only share RoboForm data with other users in their company or with any other RoboForm user.
Emergency Access
Disable Emergency Access feature: If checked, the Emergency Access feature will be disabled. To limit the use of the Emergency Access feature, select one of the radio buttons. Users can be restricted to providing emergency access to the company admin, group manager, or other company members.
Backup & Restore
Disable Backup & Restore feature for user owned data: If checked, users will be unable to use the backup or restore features. Enabling this policy will not affect company administrators or group managers.
User Settings
These policies apply to the user’s settings in their RoboForm installations.
User Settings controls:
Enable RoboForm Desktop application auto-updates: If checked, users' desktop applications will be automatically updated when new versions of RoboForm are available. Auto-update is supported on RoboForm for Windows version 9.6.7 and above, and RoboForm for macOS version 9.6.9 and above. This ensures users get the latest features and security fixes without manual action.
Offer to AutoSave: If checked and set to "Offer to AutoSave", RoboForm will automatically offer to save any submitted web form that contains a username and password combination that RoboForm has not already saved. If checked and set to "No", users will need to manually prompt RoboForm to save new logins.
Offer to AutoFill: If checked and set to "Do not offer to AutoSave", RoboForm will automatically provide matching logins and identities applicable to any currently detected web forms. If checked and set to "No", users will need to manually prompt RoboForm to fill in logins and web forms.
RoboForm to work with applications (Windows only): If checked and set to "Enable", the RoboForm desktop application will automatically attempt to attach to local applications and capture and fill the user's credentials. If set to "Disable", this feature will be disabled entirely.
Launching executables from Application Logins (Windows only): If checked and set to "Enable", RoboForm will launch the corresponding application when an application login is used. If set to "Disable", RoboForm will not launch other applications.
User notifications
Enforce email notifications for new data breaches detected: If checked and set to "Notify for All Breaches (Critical + Non-Critical)", users will receive an email notification any time the data breach monitoring tool detects that their information has been included in a known breach. If set to "Notify for Critical Breaches Only", users will only receive an email when a known breach contains their password, credit card number, bank accounts, PIN codes, or Social Security number. If set to "Disable notifications", users will not receive an email when the data breach monitoring tool detects their information in a known breach.
Company-sponsored personal RoboForm Premium accounts
Enable company-sponsored personal RoboForm accounts: If checked, users will be allowed to create company-sponsored personal family accounts. These accounts remain licensed as long as the company’s RoboForm for Business subscription is active and the sponsoring user is not deleted. Once created, these personal accounts are independent from the company: they are not managed or governed by company policies. If a sponsoring user is deleted, the associated Family licenses are revoked, and the personal accounts revert to a 30-day free trial. When the policy is disabled, no new sponsored accounts can be created. Existing sponsored accounts will lose their company license and switch to a 30-day trial. If the policy is later re-enabled, any previously created accounts still in trial or free status will automatically regain their company-sponsored licenses. Only company admins can manage this policy, and it applies globally (no group-based control). This option is only available for RoboForm for Business companies with 10 or more licenses.
Domains & Websites controls
Domain Equivalences: If checked, RoboForm will consider the domains paired in the following field to be the same domain for the purpose of saving and using logins. Each equivalence should begin on its own line and use an “=” between each URL in the equivalence.
White List Domains: If this policy is checked, users will only be able to use RoboForm on the domains specified in this policy. Start each domain on a new line. Listing a domain will allow access to all of its sub-domains.
Blacklist Domains: If this policy is checked, users are unable to use RoboForm on any of the domains specified in this policy. Start each domain on a new line. Listing a domain will prevent access to all of its sub-domains.
Block AutoSave feature on these URLs: If this policy is checked, users will not be automatically prompted to create a new login when signing into any of the domains specified in this policy. Start each domain on a new line. Listing a domain will prevent access to all of its sub-domains.
Blacklist Applications: If this policy is checked, RoboForm will no longer attempt to attach to any of the applications specified in this policy. Start each application on a new line. The executable that launches the application needs to be listed in order to blacklist it correctly.
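To reason about which hosts a White List or Blacklist entry covers, and which pairs a Domain Equivalences line joins, the following added example (not RoboForm code) models the rules stated above. Matching sub-domains on a label boundary and treating equivalences as exact host pairs are assumptions about the intended behaviour; all domains are constructed samples.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Return the lowercase hostname of a URL or bare domain ('' if none)."""
    url = url.strip()
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def parse_domain_list(text):
    """One domain per line, as the White List / Blacklist fields expect."""
    hosts = (host_of(line) for line in text.splitlines() if line.strip())
    return [h for h in hosts if h]


def on_list(url, domains):
    """True if the URL's host is a listed domain or one of its sub-domains."""
    host = host_of(url)
    # Compare whole DNS labels: 'sso.example.com' matches 'example.com',
    # 'notexample.com' does not.
    return any(host == d or host.endswith("." + d) for d in domains)


def naive_on_list(url, domains):
    """Substring test, shown only for contrast: it over-matches."""
    return any(d in url for d in domains)


def parse_equivalences(text):
    """One equivalence per line, members separated by '='."""
    groups = []
    for line in text.splitlines():
        hosts = {host_of(p) for p in line.split("=") if p.strip()}
        if len(hosts) > 1:
            groups.append(hosts)
    return groups


def equivalent(url_a, url_b, groups):
    """True if both hosts are identical or paired in one equivalence line."""
    a, b = host_of(url_a), host_of(url_b)
    return a == b or any(a in g and b in g for g in groups)


if __name__ == "__main__":
    listed = parse_domain_list("example.com\nIntranet.Example.org\n")
    for u in ("https://sso.example.com/login", "https://notexample.com/",
              "https://example.com.lookalike.test/",
              "https://example.com@lookalike.test/"):
        print(f"{u:40} label-match={on_list(u, listed)} substring={naive_on_list(u, listed)}")
```

The three lookalike URLs pass the substring test but fail the label-boundary test, which is the case to verify when auditing a domain list.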