
Enterprise Policies

Enterprise policies allow Enterprise organizations to enforce security rules and default settings for all members, such as mandating two-step login.

warning

We recommend setting enterprise policies prior to inviting users to your organization. Some policies will revoke non-compliant users when turned on, and some are not retroactively enforceable.

Set enterprise policies

Organization owners and admins can apply enterprise policies. To update a policy:

  1. Within the Bitwarden web app, open the Admin Console.

  2. Select Settings.

  3. Select Policies.

  4. Select the name of the policy you want to change:

  5. Check or uncheck Turn on.

  6. (Optional) If more options appear, configure them.

  7. Select Save.

Available policies

Require two-step login

Turn on the Require two-step login policy to require members to use any two-step login method to access their vaults. If you are using an SSO or identity provider's 2FA functionality, you don't need to enable this policy. This policy is enforced even for users who have only accepted an invitation to your organization.

warning

Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy. Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.

Master password requirements

Turn on the Master password requirements policy to enforce a configurable set of minimum requirements for users' master password strength. Organizations can enforce:

  • Minimum master password complexity

  • Minimum master password length

  • Types of characters required

Password complexity is calculated on a scale from 0 (weak) to 4 (strong). Bitwarden calculates password complexity using the zxcvbn library.

Use the Require existing members to change their passwords option to require existing, non-compliant organization members, regardless of role, to update their master password during their next login. Users who create a new account from the organization invite will be prompted to create a master password that meets your requirements.

Remove Unlock with PIN

Turn on the Remove Unlock with PIN policy to prohibit members from configuring or using unlock with PIN on web apps, browser extensions, and desktop apps. This policy applies to all organization members when turned on, including admins and owners.

note

Support for enforcing this policy on mobile apps is planned for a future release.

Members who were using unlock with PIN before the policy was turned on have it enforced at their next login. A member with an already logged-in session will still see the option in the UI and be able to unlock with PIN until they log out or turn off unlock with PIN in the client.

Account recovery administration

Turn on the Account recovery administration policy to allow owners and admins to help members regain access to their account. With this policy, owners and admins can send members enrolled in account recovery a link to reset their master password. By default, users must self-enroll in account recovery to be eligible.

To simplify account recovery enrollment, check Require new members to be enrolled automatically when activating the policy. This enrolls new members when their invitation to the organization is accepted and prevents them from withdrawing from account recovery. Current organization members are not retroactively added, so they still need to self-enroll.

The Account recovery administration policy is required for your organization to use SSO with trusted devices.

note

The Single organization policy must be turned on before activating this policy.

Password generator

Turn on the Password generator policy to enforce a configurable set of minimum requirements for any user-generated passwords for all members, regardless of role. Organizations can enforce:

  • Password, passphrase, or user preference

For passwords:

  • Minimum password length

  • Minimum number (0-9) count

  • Minimum special character (!@#$%^&*) count

  • Types of characters required

For passphrases:

  • Minimum number of words

  • Whether to capitalize

  • Whether to include numbers

warning

Existing non-compliant passwords will not be changed when this policy is turned on, nor will the items be removed from the organization. When a password is changed or generated after this policy is turned on, the configured policy rules will be enforced.

A banner is displayed to users on the password generator screen to indicate that a policy is affecting their generator settings.

Single organization

Turn on the Single organization policy to prevent non-owner/non-admin members of your organization from joining or creating other organizations. This policy is enforced even for users who have only accepted an invitation to your organization; it is not enforced for owners and admins.

warning

Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy. Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.

The Single organization policy must be turned on before activating the following policies:

  • Account recovery administration

  • Require single sign-on authentication

  • Default URI match detection

  • Vault timeout

If you are unable to turn off the Single organization policy, verify that all of the above policies are deactivated and then try again.

Require single sign-on authentication

Turn on the Require single sign-on authentication policy to require non-owner/non-admin users to log in with SSO. This policy is not enforced for owners and admins by default; if you're self-hosting, you can extend it to owners and admins using an environment variable. For more information, see Using Login with SSO.

Members of organizations using this policy will not be able to log in with passkeys.

note

The Single organization policy must be turned on before activating this policy.

Enforce organization data ownership

Turn on the Enforce organization data ownership policy to require non-owner/non-admin users to save vault items to an organization by preventing private ownership of vault items for organization members.

A banner is displayed to users on the Add Item screen indicating that a policy is affecting their ownership options.

This policy is enforced even for users who have only accepted an invitation to your organization; it is not enforced for owners and admins.

note

Vault items that were created prior to the implementation of this policy or prior to joining the organization will remain in the user's individual vault.

Remove Send

Turn on the Remove Send policy to prevent members who are not an owner or admin from creating or editing a Send using Bitwarden Send. Members subject to this policy will still be able to delete existing Sends that have not yet reached their deletion date. This policy is not enforced for owners and admins.

A banner is displayed to users in the Send view and on opening any existing Send to indicate that a policy is restricting them to only deleting Sends.

Send options

Turn on the Send options policy to allow owners and admins to specify options for creating and editing Sends. This policy is not enforced for owners and admins. Options include:

Remove card item type

Turn on the Remove card item type policy to prevent members from creating or importing credit cards in organization and individual vaults.

Users who belong to multiple organizations can still use cards in an organization that allows them, even if a different organization has activated this policy.

Existing cards are hidden automatically; the data is not deleted, and the cards reappear if an administrator turns the policy off.

Default URI match detection

Turn on the Default URI match detection policy to set the default URI match detection for your members. This helps you configure autofill to best meet your organization's security and policy needs.

When turning on this policy, select your organization's Default URI match detection from the dropdown menu:

  • Base domain

  • Host

  • Exact

  • Never

note

Users not subject to this policy have two more options when setting their individual account's default match detection: Starts with and Regular expression. These options are not offered for an organization's default because they can match unintended pages and expose credentials.

Once the policy is activated, members cannot view or change their account's Default URI match detection in Settings > Autofill. They can, however, still choose a URI match for individual login items. This policy does not affect organization owners or admins.

note

The Single organization policy must be turned on before activating this policy.

Vault timeout

Turn on the Vault timeout policy to:

  • Implement a maximum vault timeout duration for all members of your organization except owners. This option applies the timeout restriction to all client applications (mobile, desktop, browser extension, and more).

  • Set a vault timeout action for all members of your organization except owners. This option can be set to User Preference, Lock, or Logout when a vault timeout occurs.

    The Logout option can be used, for example, to prompt users to use 2FA each time they access their vaults and to prevent offline use by regularly clearing local data from users' machines.

A banner is displayed to users during vault timeout configuration indicating that a policy is affecting their options. Some vault timeout options, like On browser restart or Never, will not be available to users when this policy is activated. This policy is not enforced for owners and admins.

note

The Single organization policy must be turned on before activating this policy.

Remove individual vault export

Turn on the Remove individual vault export policy to prohibit non-owner/non-admin members of your organization from exporting their individual vault data. This policy is not enforced for owners and admins.

In the web app and CLI, a message is displayed to users indicating that a policy is affecting their options. In other clients, the option is simply disabled.

Remove Free Bitwarden Families sponsorship

Turn on the Remove Free Bitwarden Families sponsorship policy to prevent members of your organization from having the option to redeem a free Families plan through your organization.

Users who have redeemed a sponsored Families organization prior to the policy being activated will continue to have their organization sponsored until the end of the current billing cycle. Their stored payment method will be charged for the organization when the next billing cycle begins.

Activate auto-fill

Turn on the Activate auto-fill policy to automatically turn on the autofill on page load feature on the browser extension for all existing and new members of the organization. If activated, members will not have the ability to disable autofill on page load.

Automatically log in users for allowed applications

Turn on the Automatically log in users for allowed applications policy to allow login forms to be filled and submitted automatically when users open non-SSO apps from your identity provider's dashboard. To enable this setting:

  1. Check the Turn on box and enter your Identity provider host URL(s). Each URL should include the scheme and domain (protocol://domain).

  2. As an administrator on your IdP, add an application or app shortcut to your end-user dashboard whose destination URL carries the added query parameter ?autofill=1 (for example, in Microsoft Azure).

  3. Once the application has been saved, users can select it from the IdP dashboard and Bitwarden will autofill and submit the login form for that application.

note

Automatic login autofills data from the user's currently active account in the Bitwarden browser extension. The credential autofilled is the one the user most recently used for the target application's URL.