1) What are RoboForm policies?
RoboForm for Business policies are designed to customize RoboForm features and settings according to company specific needs. RoboForm policies are deployed via the RoboForm online management console. With RoboForm for Business Policies, companies are empowered to customize their RoboForm for Business accounts assigned to users, ensuring all organizational needs and security regulations are met.
2) Who can use RoboForm policies?
RoboForm policies are available only for RoboForm for Business accounts. RoboForm policies cannot be deployed or enforced on consumer grade accounts. RoboForm policies are also available during free trial.
3) Who can set RoboForm policies?
RoboForm Policies can be configured and deployed by:
- Company admins to all company owned accounts or specific groups
- Group managers only to the group(s) they are managing.
Policies set by a company admin and deployed to the entire company cannot be overwritten by a group manager's policies. Group managers can only set policies not defined on the company level, and only to the members of the group(s) they are managing.
4) Who is subject to company assigned RoboForm Policies?
RoboForm for Business policies can be assigned to all accounts owned by the company (including joined users). RoboForm policies are enforceable on laptop and desktop computers (Windows and Mac) and also on mobile platforms (iOS, Android, and Windows Phone) both tablets and smartphones. RoboForm policies can be deployed to an entire company, specific groups, or individual users.
5) Steps for setting and assigning RoboForm policies.
- Log In to RoboForm for Business with the company admin or group manager account. On the upper toolbar, click "Company Settings" -> "RoboForm Policies."
- In the selector ( top of the RoboForm Policies page), choose which group of users the policies should be imposed upon. The policies can be enforced for the entire company or for the specific user groups.
- Select the policies to be enforced and click the "SAVE" button on each screen you select policies from.
Master Password Policies
- Master Password Complexity
If checked, this policy will enforce a minimal Master Password complexity level according to the values provided. If unchecked, the minimum Master Password complexity defaults to a minimum of eight characters with the requirement that four or less are non-numerical characters.
- Cache Master Password (SSA with AD account)
This policy is only enforceable on Windows and Mac OS. If the policy is checked and set to "Yes", user's Master Password will be captured by the OS system protected storage thus making RoboForm a single-sign-on solution attached to user's AD password. If the policy is set to "No", this option will be unchecked and grayed out for end users.
- Enforce on Mobile Platforms
If checked, this policy will extend caching the Master Password to the end user's mobile device. This policy can only be deployed in combination with the "Cache Master Password" policy.
- Disable Logoff
This policy can only be deployed in combination with the "Cache Master Password" policy. If checked, this policy will disable the user's ability to Log Out of their RoboForm for Business account.
- Disable Master Password Change
This policy will prevent users from changing their Master Password. If deployed, this policy will automatically prevent the policy "Master Password Rotation Time Enforced" from being deployed to the same set of users.
- Master Password Rotation Time Enforced
This policy will force users to change their Master Password on any set number of days. If deployed, this policy will automatically prevent policy "Disable Master Password Change" to be deployed to the same set of users.
Enforce Auto-Log Off Time
This policy will automatically log users out of RoboForm after a set number of minutes of inactivity.
Disable RoboForm File Creation
If deployed, this policy will prevent end users from creating private (non-shared) RoboForm items on any laptop, desktop, or mobile platform on which they use their company provided, RoboForm for Business accounts. Policy can be deployed selectively for each RoboForm file type:
This policy is not applicable to company admins. Company admins will always be able to create non-shared RoboForm items.
Disable Sync of Local / User Created RoboForm Data
If checked and set to yes, any RoboForm data created by a user will not be synced to our server unless it is added to a RoboForm for Business company owned group. If checked and set to no, any data a user creates sill have an encrypted copy synced to our server.
- Force user created RoboForm data to be saved in company groups only
If checked, users will be forced to save any RoboForm data they create and a RoboForm for Business group. If the user does not have at least regular permission in any group then they will not able to create any RoboForm data.
- Disable Sharing
This policy will only be effective if the end users are allowed to create/own private RoboForm items. Each RoboForm account has a built-in sharing feature to share RoboForm items with other RoboForm accounts directly from the RoboForm client interface. This policy will disable the end user’s ability to share any RoboForm items with other RoboForm users through this built-in sharing feature. This policy will NOT affect a company admin or group manager’s ability to share company credentials via web interfaced management console.
If enabled, this policy will automatically save forms filled manually by the user. This policy will only take effect if users are allowed to create private items.
This policy enables RoboForm to offer automated filling for matching RoboForm files.
Show Passwords as stars
This policy will not allow users to view shared passwords in plain text by default in RoboForm interface. Users with elevated permission level (regular user, group manager, and company admin) can still click on "show password" command to view and edit shared credentials, this policy will only change the default view to "view as stars" so the password is shown as stars by default.
- Disable Emergency Access feature
This policy will disable the Emergency Access feature preventing your end users from designating someone from being able to access their RoboForm data. Through the radio buttons, this feature can instead be restricted to certain users in your company.
- Disable RoboForm New Version Update Notifications
This policy will prevent RoboForm from notifying your end users when new versions become available. This setting is only applicable to Windows and Mac.
This policy will deploy all domain equivalences set by the company admin and enforce them on the end user's RoboForm client. Specify equivalent domains using "=" as a divider. Each new line is a new set of equivalences.
Dual Authentication and Device Settings
- Enforce One-Time Password
This policy will enforce RoboForm for Business' default dual authentication method: One-Time Password (OTP). Users will be required to enter a OTP after their Master Password when they access their account for the first time and when accessing it from any new device. The default delivery method for OTP is the user's email address; this can be changed (subject to policy) to SMS delivery to the user's cell phone number. Once the OTP authentication procedure is completed, the device will be marked as "enrolled" and will not ask for another OTP authentication until the enrollment period expires.
- Disable One-Time Password SMS Delivery Method
This policy will disable the end user's ability to change the OTP delivery method from email to SMS. This policy can only be deployed in combination with "Enforce One-Time Password".
- Disable Mobile Platforms
This policy will prevent users from accessing their RoboForm for Business accounts on mobile platforms. Mobile platforms include all devices running iOS, Android, and Windows Phone OS. If deployed on a company level, users will not be allowed to use their accounts on mobile platforms. If deployed only to a sharing group, users will not be able to use credentials shared through this group from their mobile platforms.
- Device Enrollment Period for OTP enforced (days)
This policy will enforce device enrollment period expiration (in days) after which users will be prompted to go over OTP authentication procedure again.
- Device Enrollment Period for OTP enforced (minutes)
This policy will enforce device enrollment period expiration (in minutes) after which users will be prompted to go over OTP authentication procedure again.
- Allowed IP address ranges.
IP allowance will define the IP address, multiple IP addresses, or IP ranges behind which users will be allowed to access the RoboForm files assigned or shared with them via group membership.
Whitelist / Blacklist Domains
- Whitelist Domains
This policy will enforce what domains a user will be allowed to use RoboForm on. Start each new domain from a new line. Allowing a domain will automatically allow all sub-domains as well. This policy will only allow end users to create RoboForm data for the white listed domains and only if the users are allowed to create private RoboForm items by the policy. See "No privately created items by end user" described in Section 2.
- Blacklist Domains
This policy will enforce what domains a user will not be allowed to use RoboForm on. Start each new domain from a new line. Disallowing a domain will automatically disallow all sub-domains as well. This policy will disable the end user's ability to save RoboForm items for the specified domains, and only if users are allowed to create private RoboForm items by the policy. See "No privately created items by end user" described in Section 2.