What are RoboForm policies?
RoboForm for Business policies customize RoboForm features and settings according to company-specific needs. RoboForm policies are deployed via the RoboForm online management console. With RoboForm for Business policies, companies can customize the RoboForm for Business accounts assigned to users down to the last detail and make sure they match organizational needs and security regulations.
Who can use RoboForm policies?
RoboForm policies are available only for RoboForm for Business accounts. RoboForm policies cannot be deployed or enforced on consumer-grade accounts. RoboForm policies are also available during the free trial.
Who can set RoboForm policies?
RoboForm policies can be configured and deployed by company admins, to all company-owned accounts or to specific groups, and by group managers, only to the group(s) they are managing. Policies set by a company admin and deployed to the entire company cannot be overwritten by a group manager's policies. Group managers can only set policies not defined on the company level, and only for the members of the group(s) they are managing.
Who is subject to company-assigned RoboForm policies?
RoboForm for Business policies can be assigned to all accounts owned by the company (including joined users). RoboForm policies are enforceable on laptop and desktop computers (Windows and Mac) and also on mobile platforms (iOS, Android, and Windows Phone), both tablets and smartphones. RoboForm policies can be deployed to an entire company, specific groups, or individual users.
Steps for setting and assigning RoboForm policies.
a) Log in to RoboForm for Business with a company admin or group manager account and, on the upper toolbar, click on Company Settings -> RoboForm Policies.
b) In the selector at the top of the RoboForm Policies page, choose which group of users the policies are set for. The policies can be enforced for the entire company or for specific user groups.
c) Select the policies to be enforced and click the "SAVE" button on each screen you select policies from.
1. Master Password Policies
- Master Password Complexity
If checked, this policy will enforce a minimum master password complexity level according to the values provided. If not checked, the minimum master password complexity defaults to a minimum of 8 (eight) characters with the requirement that 4 (four) or fewer are non-numerical characters.
- Cache Master Password (SSA with AD account)
This policy is only enforceable on Windows and Mac OS. If the policy is checked and set to "Yes", the user's master password will be captured by the operating system's protected storage, making RoboForm a single-sign-on solution attached to the user's AD password. If the policy is set to "No", this option will be unchecked and grayed out for end users.
- Enforce on Mobile Platforms
If checked, this policy will extend caching of the master password to the end user's mobile device. This policy can only be deployed in combination with the "Cache Master Password" policy.
- Disable Logoff
This policy can only be deployed in combination with the "Cache Master Password" policy. If checked, this policy will disable users' ability to log out of their RoboForm for Business account.
- Disable Master Password Change
This policy will prevent users from changing their master password. If deployed, this policy will automatically prevent the policy "Master Password Rotation Time Enforced" from being deployed to the same set of users.
- Master Password Rotation Time Enforced
This policy will force users to change their master password after a set number of days. If deployed, this policy will automatically prevent the policy "Disable Master Password Change" from being deployed to the same set of users.
2. User Settings
- Enforce Auto-Log Off Time
This policy will automatically log users out of RoboForm after a set number of minutes of inactivity.
- Disable RoboForm File Creation
If deployed, this policy will prevent end users from creating private (non-shared) RoboForm items on any laptop, desktop, or mobile platform on which they use their company-provided RoboForm for Business accounts. The policy can be deployed selectively for each RoboForm file type:
This policy is not applicable to company admins. Company admins will always be able to create non-shared RoboForm items.
- Disable Sharing
This policy will only be effective if end users are allowed to create/own private RoboForm items. Each RoboForm account has a built-in sharing feature to share RoboForm items with other RoboForm accounts directly from the RoboForm client interface. This policy will disable the end user's ability to share any RoboForm items with other RoboForm users through this built-in sharing feature. This policy will NOT affect a company admin's or group manager's ability to share company credentials via the web interface management console.
If enabled, this policy will automatically save forms filled manually by the user. This policy will only take effect if users are allowed to create private items.
This policy enables RoboForm to offer automated filling for matching RoboForm files.
- Show Passwords as Stars
This policy will not allow users to view shared passwords in plain text by default in the RoboForm interface. Users with an elevated permission level (regular user, group manager, and company admin) can still click on the "show password" command to view and edit shared credentials; this policy only changes the default view to "view as stars", so the password is shown as stars by default.
- Disable Emergency Access feature
This policy will disable the Emergency Access feature, preventing your end users from designating someone to be able to access their RoboForm data. Through the radio buttons, this feature can instead be restricted to certain users in your company.
- Disable RoboForm New Version Update Notifications
This policy will prevent RoboForm from notifying your end users when new versions become available. This setting is only applicable to Windows and Mac.
This policy will deploy all domain equivalences set by the company admin and enforce them on the end users' RoboForm clients. Specify equivalent domains using "=" as a divider. Each new line is a new set of equivalences.
3. Dual Authentication and Device Settings
- Enforce One-Time Password
This policy will enforce RoboForm for Business' default dual authentication method: One-Time Password (OTP). Users will be required to enter an OTP after their master password when they access their account for the first time and when accessing it from any new device. The default delivery method for the OTP is the user's email address; this can be changed (subject to policy) to SMS delivery to the user's cell phone number. Once the OTP authentication procedure is over, the device will be marked as "enrolled" and will not ask for another OTP authentication until the enrollment period expires.
- Disable One-Time Password SMS Delivery Method
This policy will disable end users' ability to change the OTP delivery method from email to SMS. This policy can only be deployed in combination with "Enforce One-Time Password".
- Disable Mobile Platforms
This policy will prevent users from accessing their RoboForm for Business accounts on mobile platforms. Mobile platforms include all devices running iOS, Android, and Windows Phone OS. If deployed on a company level, users will not be allowed to use their accounts on mobile platforms. If deployed only to a sharing group, users will not be able to use credentials shared through this group from their mobile platforms.
- Device Enrollment Period for OTP enforced
This policy will enforce a device enrollment period expiration (in days or minutes), after which users will be prompted to go through the OTP authentication procedure again.
- Allowed IP address ranges
IP allowance will define the IP address, multiple IP addresses, or IP ranges behind which users will be allowed to access the RoboForm files assigned or shared with them via group membership.
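The combination rules stated above (policies that can only be deployed together with another policy, the two master password policies that exclude each other, and company-level settings taking precedence over a group manager's) can be checked before a change is saved in the console. The following is an added example, not RoboForm code: the policy names are the page's labels used as dictionary keys, and the data model and function names are hypothetical.

```python
# Added illustration; the data model and function names are hypothetical,
# not a RoboForm API. Policy names are the labels used on this page.

REQUIRES = {  # policy -> policy it can only be deployed in combination with
    "Enforce on Mobile Platforms": "Cache Master Password",
    "Disable Logoff": "Cache Master Password",
    "Disable One-Time Password SMS Delivery Method": "Enforce One-Time Password",
}
EXCLUSIVE = [  # pairs that cannot be deployed to the same set of users
    ("Disable Master Password Change", "Master Password Rotation Time Enforced"),
]


def effective_policies(company, group):
    """Merge group settings under company settings; company values always win."""
    ignored = sorted(name for name in group if name in company)
    merged = {**group, **company}
    return merged, ignored


def check(policies):
    """Return human-readable violations of the combination rules."""
    enabled = {name for name, value in policies.items() if value}
    problems = []
    for name, needed in REQUIRES.items():
        if name in enabled and needed not in enabled:
            problems.append(f"'{name}' requires '{needed}'")
    for a, b in EXCLUSIVE:
        if a in enabled and b in enabled:
            problems.append(f"'{a}' conflicts with '{b}'")
    return problems


# Constructed sample input.
COMPANY = {"Enforce One-Time Password": True, "Disable Master Password Change": True}
GROUP = {
    "Disable Logoff": True,                        # Cache Master Password is missing
    "Master Password Rotation Time Enforced": 90,  # conflicts with the company policy
    "Enforce One-Time Password": False,            # already defined at company level
}

if __name__ == "__main__":
    merged, ignored = effective_policies(COMPANY, GROUP)
    for name in ignored:
        print(f"group value for '{name}' ignored: set at company level")
    for problem in check(merged):
        print("violation:", problem)
```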
4. Whitelist / Blacklist Domains
- Whitelist Domains
This policy will enforce what domains a user will be allowed to use RoboForm on. Start each new domain from a new line. Allowing a domain will automatically allow all sub-domains as well. This policy will only allow end users to create RoboForm data for the whitelisted domains and only if the users are allowed to create private RoboForm items by the policy "No privately created items by end user" described in Section 2.
- Blacklist Domains
This policy will enforce what domains a user will not be allowed to use RoboForm on. Start each new domain from a new line. Disallowing a domain will automatically disallow all sub-domains as well. This policy will disable the end users' ability to save RoboForm items for the specified domains, and only if users are allowed to create private RoboForm items by the policy "No privately created items by end user" described in Section 2.
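When reviewing a whitelist or blacklist before deployment, it helps to test which hostnames an entry actually covers under the "all sub-domains as well" rule, and to parse the "=" separated equivalence lines from Section 2 the same way. The following is an added example, not RoboForm code: the page does not describe how the client matches domains, so the whole-label matching here is an assumption, and the function names and sample domains are constructed.

```python
# Added illustration of the list formats described on this page. Function
# names and sample domains (reserved example names) are constructed; matching
# on whole DNS labels is an assumption, not documented RoboForm behaviour.

def parse_domain_list(text):
    """One domain per line; blank lines ignored; compared case-insensitively."""
    return {line.strip().lower().rstrip(".")
            for line in text.splitlines() if line.strip()}


def parse_equivalences(text):
    """Each line is one set of equivalent domains separated by '='."""
    sets = []
    for line in text.splitlines():
        members = {d.strip().lower() for d in line.split("=") if d.strip()}
        if len(members) > 1:  # a line with a single domain declares nothing
            sets.append(members)
    return sets


def covered(host, domains):
    """True if host equals a listed domain or is a sub-domain of one.

    Every label-aligned suffix of the host is tested, so 'notexample.com'
    is not treated as a sub-domain of 'example.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def equivalents(host, sets):
    """Return the set of domains declared equivalent to host (exact match)."""
    host = host.lower()
    for members in sets:
        if host in members:
            return members
    return {host}


# Constructed sample lists.
ALLOWED = parse_domain_list("example.com\nintranet.example.org\n")
EQUIV = parse_equivalences("example.com=example.net\nexample.org = example.edu\n")

if __name__ == "__main__":
    for h in ("login.example.com", "notexample.com", "example.org"):
        print(h, "covered" if covered(h, ALLOWED) else "not covered")
```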