MSP Playlist & Deployment
Use the following steps and best practices to deploy Bitwarden to your customers.
Demo
Learn more about becoming a Bitwarden MSP or reseller here.
1:36: Overview of Bitwarden Password Manager.
1:46: Bitwarden client apps.
2:15: How Bitwarden integrates with your tech stack.
4:53: Overview of terminology and concepts.
8:34: MSP architecture deep dive.
10:05: Your organisation.
16:19: The Provider Portal.
23:13: Client organisations.
25:49: Manage your clients.
26:50: Manage policies.
27:43: Import data.
28:18: Set up SSO and SCIM.
29:00: Q&A.
Define technical requirements and onboarding strategy for your customer's Bitwarden organisation and environment.
| Step | Topic | Action | Resources | Duration (hours) |
|---|---|---|---|---|
| 1 | Environment decision | Determine Cloud or self-hosted environment | | 0.5 |
| 2 | Authentication strategy | Determine whether the customer will use Single Sign-On (SSO) | | 0.25 |
| 3 | Decryption method | If using Login with SSO, select Master Password or trusted devices for decryption | | 0.25 |
| 4 | Provisioning strategy | Select a provisioning strategy such as SCIM, directory connector, or manual provisioning. | | 0.25 |
| 5 | User identification | Identify users, teams, or departments for rollout groups | | 0.25 |
| 6 | Training strategy | Identify groups and internal advocates who will attend training. Example: end users, service desk, admins | | 0.5 |
| 7 | Document collection (sharing) strategy | Determine how collections will be configured. Considerations include: Will users be allowed to create collections? Will collections be configured by department, project, or function? Will data be imported from another application, which often defines structure? Do Admin and Owner users get access to all shared items, or only the Managers of delegated Collections? | | 1 |
| 8 | Policy planning | Select policies to be configured at launch | | 0.5 |
| 9 | Rollout timeline | Determine invitation and onboarding mechanisms and timing | | 0.5 |
| 10 | Internal communication | Create internal messaging or a memo about Bitwarden rollout. Review Bitwarden templates to get a sense of the communications | | 1 |
| 11 | Leadership communication | Communicate with internal leaders about the password management roll-out strategy | | 0.25 |
Set up the technical foundation and configure Bitwarden settings for your customer.
| Step | Topic | Action | Resources | Duration (hours) |
|---|---|---|---|---|
| 12 | Organisation owner | Identify the organisation owner. The owner is the super-user who can control all aspects of your organisation. Decide whether you want the email to be associated with a specific user or a team inbox. Additionally, best practice is to have two owner accounts for redundancy. | | 0.25 |
| 13 | Enterprise policies | Configure Enterprise policies. Any policies should be enabled before inviting users. Be sure to check out the following policies: Account recovery administration; Enforce organisation data ownership; Activate autofill. | | 1 |
| 14 | Collection management settings | Choose how collections will behave in the organisation. These settings allow for a spectrum from full admin control to complete self-service, where users can create their own collections. These settings can be used to establish a policy of least privilege. | | 0.25 |
| 15 | Co-managed environment | Add administrators or owners to the client organisation to co-manage. Best practice is to configure a second owner for redundancy. | | 0.5 |
| 16 | Create collections | Collections are where secure items are located and shared with groups of users. | | 0.5 |
| 17 | Create user groups | Creating user groups allows easy assignment of collections. If you decide to sync groups and users from your Identity Provider or Directory Service, you may need to reconfigure user and group assignments later. | | 0.5 |
| 18 | Collection assignment | Assign groups to collections, making sure to test and demonstrate the 'Read Only' and 'Hide Password' options. | | 0.5 |
| 19 | Add items | Add items manually to test collections or import via CSV or JSON from another password management application. | | 0.25 |
| 20 | Log in with SSO | If applicable, configure Log in with SSO and the organisation identifier. Configure to work with SAML 2.0 or OpenID Connect. | | 1.5 |
| 21 | Domain verification | If applicable, verify company and/or other email domains to allow your users to skip entering the organisation identifier during the Enterprise SSO process. Not necessary for non-SSO organisations. | | 0.5 |
Deploy Bitwarden across your customer's teams and functions.
| Step | Topic | Action | Resources | Duration (hours) |
|---|---|---|---|---|
| 22 | Technical cadence meeting | Plan implementation phase 3 with client | | 0.5 |
| 23 | Add items to collections | Add items manually to production collections or import data from another password management application | | 0.25 |
| 24 | Enterprise policies | Enterprise policies can be used to tailor your Bitwarden organisation to fit your security needs. Enable and configure the desired policies before user onboarding begins | | 0.1 |
| 25 | Centralise organisation ownership | To take full advantage of reporting such as Access Intelligence, consider enabling the Centralise organisation ownership policy. This ensures all items saved to Bitwarden are owned by the organisation. | | 0.1 |
| 26 | Log in with SSO | If applicable, configure Bitwarden to authenticate using your SAML 2.0 or OIDC identity provider | | 1.5 |
| 27 | Early users | Add a set of users to the client organisation manually and assign them to different groups. With these users, you’ll broadly test all preconfigured functionality in the next step, before moving on to advanced functions like Directory Connector. Share the attached onboarding workflow instructions with the users | | 0.5 |
| 28 | SIEM integration | If applicable, connect Bitwarden to the customer's SIEM tool | | 0.5 |
| 29 | Bitwarden clients | All organisation members added for the pilot group should download Bitwarden on a range of devices, log in, and test access to shared items via collections. They should test the proper implementation of policies. | | 0.5 |
| 30 | Deploy client applications | Configure your application management or MDM tooling to prepare for mass deployment of Bitwarden applications | | 0.5 |
| 31 | Disable built-in password manager | Make Bitwarden Password Manager the default password manager and turn off built-in browser solutions. Educate users on how to do the same when onboarded | | 0.25 |
| 32 | Test user onboarding | Configure and test Bitwarden SCIM or Directory Connector integrations to automatically sync users and groups | | 1.5 |
| 33 | User onboarding | Run SCIM or Directory Connector syncing to invite additional users in groups to the organisation. Share the attached onboarding workflow instructions with the users | | 1 |
Train all users and stakeholders on how to use Bitwarden and provide continuing education.
| Step | Topic | Action | Resources | Duration (hours) |
|---|---|---|---|---|
| 33 | Admin training | Provide essential day-to-day task training for administrative users, with the addition of any special topics requested. Example special topics include, but are not limited to: Demonstrating the configured SSO login flow; User onboarding and offboarding; Custom roles. | | 0.75 |
| 34 | Service desk training | Advise service desk users on their role/operations. Review which tasks can be done with the custom role and which require admin intervention | | 0.75 |
| 35 | Team member training | A general training session for end users will cover: Bitwarden for all devices; Setting up the Bitwarden Browser Extension; Creating your account; Getting to know the Bitwarden vault; How to use the Bitwarden Password Manager; Bitwarden Send. | | 0.75 |
| 36 | Ongoing education | All users can benefit from monthly new and updated learning content in the Bitwarden Learning Centre | | 0.75 |