What are RoboForm policies?
RoboForm for Business policies are designed to customize RoboForm features and settings according to company-specific needs. RoboForm policies are deployed via the RoboForm online management console. With RoboForm for Business policies, companies can customize the RoboForm for Business accounts assigned to users down to the last detail and make sure they match organizational needs and security regulations.
Who can use RoboForm policies?
RoboForm policies are available only for RoboForm for Business accounts. RoboForm policies cannot be deployed or enforced on consumer-grade accounts. RoboForm policies are also available during the free trial.
Who can set RoboForm policies?
RoboForm policies can be configured and deployed by company admins, to all company-owned accounts or to specific groups, and by group managers, only to the group(s) they manage. Policies set by a company admin and deployed to the entire company cannot be overwritten by a group manager's policies. Group managers can only set policies that are not defined at the company level, and only for the members of the group(s) they manage.
Who is subject to company-assigned RoboForm policies?
RoboForm for Business policies can be assigned to all accounts owned by the company (including joined users). RoboForm policies are enforceable on laptop and desktop computers (Windows and Mac) and on mobile platforms (iOS, Android, and Windows Phone), both tablets and smartphones. RoboForm policies can be deployed to the entire company, to specific groups, or to individual users.
Steps for setting and assigning RoboForm policies.
a) Log in to RoboForm for Business with a company admin or group manager account and, on the upper toolbar, click Company Settings -> RoboForm Policies.
b) In the selector at the top of the RoboForm Policies page, choose the group of users the policies are being set for. Policies can be enforced for the entire company or for specific user groups.
c) From the list below, select the policies to be enforced for the chosen group, and click the "SAVE" button on each screen where policies are selected.
1. Master Password Policies
- Master Password Complexity
If checked, this policy will enforce a minimum master password complexity level according to the values provided. If not checked, the master password complexity minimum defaults to a total minimum of 8 (eight) characters with the requirement that 4 (four) or fewer are non-numerical characters.
- Cache Master Password (SSA with AD account)
This policy is only enforceable on Windows and Mac OS. If the policy is checked and set to "Yes", the user's master password will be captured by the OS system protected storage, making RoboForm a single-sign-on solution attached to the user's AD password. If the policy is set to "No", this option will be unchecked and grayed out for end users.
- Disable Logoff
This policy can only be deployed in combination with the "Cache Master Password" policy. If checked, this policy will disable users' ability to log out of their RoboForm for Business account.
- Disable Master Password Change
This policy will prevent users from changing their initially created master password. If deployed, this policy will automatically prevent the policy "Master Password Rotation Time Enforced" from being deployed to the same set of users.
- Master Password Rotation Time Enforced
This policy will force users to change their master password every set number of days. If deployed, this policy will automatically prevent the policy "Disable Master Password Change" from being deployed to the same set of users.
2. User Settings
- Enforce Auto-Log Off Time
This policy will automatically log users out of RoboForm after a set number of minutes of inactivity.
- No Privately Created Items by End User
This policy will prevent end users from creating private RoboForm items specified below. If deployed, this policy will prevent end users from creating private (non-shared) RoboForm items on any laptop, desktop, or mobile platform on which they use their company-provided RoboForm for Business accounts. The policy can be deployed selectively for each RoboForm file type:
This policy is not applicable to company admins. Company admins will always be able to create non-shared RoboForm items.
If enabled, this policy will automatically save forms filled in manually by the user. This policy will only take effect if users are allowed to create private items.
This policy enables RoboForm to offer automated filling for matching RoboForm files.
- Show Passwords as Stars
This policy will not allow users to view shared passwords in plain text by default in the RoboForm interface. Users with an elevated permission level (regular user, group manager, and company admin) can still click the "show password" command and view and edit the shared credential; this policy only changes the default view to "view as stars", so the password is shown as stars by default.
This policy will only be effective if end users are allowed to create/own private RoboForm items. Each RoboForm account has a built-in sharing feature to share RoboForm items with other RoboForm accounts directly from the RoboForm client interface. This policy will disable end users' ability to share any RoboForm items with other RoboForm users through this built-in sharing feature. This policy will NOT affect a company admin's or group manager's ability to share company credentials via the web-based management console.
This policy will deploy all domain equivalences set by the company admin and enforce them on end users' RoboForm clients. Specify equivalent domains using "=" as a divider. Each new line is a new set of equivalences.
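A pre-deployment check for the equivalence list format described above (sets separated by new lines, domains within a set separated by "="), as an added example that is not RoboForm code. The function names, the rule that every entry must be a bare host name, and the sample input are assumptions made for illustration; each equivalence set widens where a saved credential can be offered, so malformed or overlapping sets are worth catching before the policy is saved.

```python
import re

# One host name label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_bare_domain(value):
    """True for a plain host name such as 'example.com' (no scheme, path, port or wildcard)."""
    labels = value.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def lint_equivalences(text):
    """Parse 'a=b=c' lines into sets; return (sets, findings) with findings as (line, message)."""
    sets, findings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        domains = [d.strip().lower() for d in line.split("=")]
        bad = [d for d in domains if not is_bare_domain(d)]
        if bad:
            findings.append((lineno, "not a bare domain: " + ", ".join(bad)))
            continue
        unique = sorted(set(domains))
        if len(unique) < 2:
            findings.append((lineno, "set needs at least two distinct domains"))
            continue
        for d in unique:
            if d in seen:
                # The same domain in two sets makes the intended grouping ambiguous.
                findings.append((lineno, f"{d} already listed on line {seen[d]}"))
            else:
                seen[d] = lineno
        sets.append(unique)
    return sets, findings

# Constructed sample input (not taken from a real deployment)
SAMPLE = """\
example.com=example.net=example.org
portal.example.test = sso.example.test
https://intranet.example.test/login=intranet.example.test
example.net=example.io
lonely.example
"""

if __name__ == "__main__":
    parsed, problems = lint_equivalences(SAMPLE)
    print(parsed)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```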
3. Dual Authentication and Device Settings
- Enforce One-Time Password
This policy will enforce the RoboForm for Business default dual authentication method: One-Time Password (OTP). Users will be required to enter an OTP after their master password when they access their account for the first time and when accessing it from any new device. The default delivery method for the OTP is the user's email address; optionally (subject to policy) this can be changed to SMS delivery to the user's cell phone number. Once the OTP authentication procedure is complete, the device will be marked as "enrolled" and will not be asked for another OTP authentication until the enrollment period expires.
- Disable One-Time Password SMS Delivery Method
This policy will disable end users' ability to change the OTP delivery method from email to SMS. The policy can only be deployed in combination with "Enforce One-Time Password".
- Disable Mobile Platforms
This policy will prevent users from accessing their RoboForm for Business accounts on mobile platforms. Mobile platforms include all iOS, Android, and Windows Phone OS devices, both tablets and smartphones. If deployed at the company level, users will not be allowed to use their accounts on mobile platforms. If deployed only to a sharing group, users will not be able to use credentials shared through this group from their mobile platforms.
- Device Enrollment Period for OTP enforced
This policy will enforce a device enrollment period expiration (in days), after which users will be prompted to go through the OTP authentication procedure again.
- Allowed IP address ranges
IP allowance will define the IP address, multiple IP addresses, or IP ranges behind which users will be allowed to access the RoboForm files assigned or shared with them via group membership.
4. Whitelist / Blacklist Domains
- Whitelist Domains
This policy will enforce what domains a user will be allowed to use RoboForm on. Start each new domain on a new line. Allowing a domain will automatically allow all sub-domains as well. This policy will allow end users to create RoboForm items only for whitelisted domains, and only if users are allowed to create private RoboForm items by the policy "No Privately Created Items by End User" described in Section 2.
- Blacklist Domains
This policy will enforce what domains a user will be allowed to use RoboForm on. Start each new domain on a new line. Disallowing a domain will automatically disallow all sub-domains as well. This policy will disable end users' ability to save RoboForm items for the specified domains, and only if users are allowed to create private RoboForm items by the policy "No Privately Created Items by End User" described in Section 2.
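A way to preview which host names a whitelist or blacklist covers before deploying it, as an added example that is not RoboForm code. It assumes "all sub-domains" means matching on whole DNS labels (so `notexample.com` is not covered by `example.com`); the function names and the sample lists and hosts are constructed, and because the page does not say how a host covered by both lists is treated, the example only flags those hosts for review.

```python
def parse_domain_list(text):
    """One domain per line, as the policy fields expect; blank lines are ignored."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines() if ln.strip()}

def covering_entry(host, domains):
    """Return the list entry covering host (the host itself or a parent domain), else None."""
    labels = host.lower().rstrip(".").split(".")
    # Compare whole labels only: a.b.example.com, then b.example.com, then example.com.
    # The bare top-level label is never tried, so an entry "com" cannot cover everything.
    for i in range(max(len(labels) - 1, 1)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def audit(hosts, whitelist_text, blacklist_text):
    """Map each host to the whitelist and blacklist entries that cover it."""
    allow = parse_domain_list(whitelist_text)
    deny = parse_domain_list(blacklist_text)
    return {h: {"whitelist": covering_entry(h, allow),
                "blacklist": covering_entry(h, deny)} for h in hosts}

def on_both_lists(report):
    """Hosts covered by both lists; the page does not say which list wins, so review these."""
    return sorted(h for h, r in report.items() if r["whitelist"] and r["blacklist"])

# Constructed sample policy text and host names
WHITELIST = "example.com\nPartner.example.net\n"
BLACKLIST = "files.example.com\n"
HOSTS = ["login.example.com", "cdn.files.example.com", "notexample.com",
         "partner.example.net", "example.net"]

if __name__ == "__main__":
    report = audit(HOSTS, WHITELIST, BLACKLIST)
    for host, result in report.items():
        print(host, result)
    print("covered by both lists:", on_both_lists(report))
```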