Enterprise Policies
Enterprise policies allow enterprise organizations to enforce security rules and default settings for all members, such as mandating the use of two-step login.
warning
We recommend setting enterprise policies prior to inviting users to your organization. Some policies will revoke non-compliant users when turned on, and some are not retroactively enforceable.
Set enterprise policies
Organization owners and admins can apply enterprise policies. To update a policy:
Within the Bitwarden web app, open the Admin Console.
Select Settings.
Select Policies.
Select the name of the policy you want to change:
Check or uncheck Turn on.
(Optional) If more options appear, configure them.
Select Save.
Available policies
Require two-step login
Turn on the Require two-step login policy to require members to use any two-step login method to access their vaults. If you are using an SSO or identity provider's 2FA functionality, you don't need to enable this policy. This policy is enforced even for users who have only
warning
Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy. Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.
Master password requirements
Turn on the Master password requirements policy to enforce a configurable set of minimum requirements for users' master password strength. Organizations can enforce:
Minimum master password complexity
Minimum master password length
Types of characters required
Password complexity is calculated on a scale from 0 (weak) to 4 (strong). Bitwarden calculates password complexity using the
Use the Require existing members to change their passwords option to require existing, non-compliant organization members, regardless of role, to update their master password during their next login. Users who create a new account from the organization invite will be prompted to create a master password that meets your requirements.
Remove Unlock with PIN
Turn on the Remove Unlock with PIN policy to prohibit members from configuring or using
note
Support for enforcing this policy on mobile apps is planned for a future release.
Members who were using unlock with PIN before the policy was activated will have it enforced at their next login. If they have an already logged-in session, they will still see the option in the UI and be able to unlock with PIN until they log out or turn off the unlock with PIN option in the client.
Account recovery administration
Turn on the Account recovery administration policy to allow owners and admins to help members regain access to their account. With this policy, owners and admins can send members enrolled in
To simplify account recovery enrollment, check Require new members to be enrolled automatically when activating the policy. This enrolls new members when their
The Account recovery administration policy is required for your organization to use
note
The
Password generator
Turn on the Password generator policy to enforce a configurable set of minimum requirements for any user-generated passwords for all members, regardless of role. Organizations can enforce:
Password, passphrase, or user preference
For passwords:
Minimum password length
Minimum number (0-9) count
Minimum special character (!@#$%^&*) count
Types of characters required
For passphrases:
Minimum number of words
Whether to capitalize
Whether to include numbers
warning
Existing non-compliant passwords will not be changed when this policy is turned on, nor will the items be removed from the organization. When a password is changed or generated after this policy is turned on, the configured policy rules will be enforced.
A banner is displayed to users on the password generator screen to indicate that a policy is affecting their generator settings.
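As an added check that is not part of the Bitwarden documentation or client code, the JavaScript below tests a generated password or passphrase against the minimums listed above; the policy field names and the hyphen word separator are assumptions made for the example:

```javascript
// Added illustration, not Bitwarden's own code: checking a generated password
// or passphrase against the minimums a Password generator policy can enforce.
// The policy field names and the hyphen word separator are assumptions.
const SPECIALS = "!@#$%^&*"; // the special-character set the policy counts
const count = (s, pred) => [...s].filter(pred).length;

function passwordViolations(pw, p) {
  const v = [];
  const digits = count(pw, c => c >= "0" && c <= "9");
  const specials = count(pw, c => SPECIALS.includes(c));
  const upper = count(pw, c => c !== c.toLowerCase() && c === c.toUpperCase());
  const lower = count(pw, c => c !== c.toUpperCase() && c === c.toLowerCase());
  if (pw.length < (p.minLength ?? 0)) v.push("too short");
  if (digits < (p.minNumbers ?? 0)) v.push("too few numbers");
  if (specials < (p.minSpecial ?? 0)) v.push("too few special characters");
  const present = { uppercase: upper, lowercase: lower, number: digits, special: specials };
  for (const t of p.requiredTypes ?? []) if (!present[t]) v.push(`missing ${t}`);
  return v;
}

function passphraseViolations(pp, p) {
  const v = [];
  const words = pp.split("-"); // assumption: words are hyphen separated
  if (words.length < (p.minWords ?? 0)) v.push("too few words");
  if (p.capitalize && !words.every(w => /^[A-Z]/.test(w))) v.push("words not capitalized");
  if (p.includeNumber && !/[0-9]/.test(pp)) v.push("no number included");
  return v;
}

// kind is what the member's generator produced: "password" or "passphrase".
// The policy may mandate one kind or leave it as "user preference".
function violations(value, kind, policy) {
  if (policy.type !== "user preference" && policy.type !== kind) {
    return [`policy requires ${policy.type}`];
  }
  return kind === "passphrase" ? passphraseViolations(value, policy)
                               : passwordViolations(value, policy);
}

// Constructed policy: minimums an organization might configure.
const POLICY = { type: "user preference", minLength: 14, minNumbers: 1,
  minSpecial: 1, requiredTypes: ["uppercase"], minWords: 4,
  capitalize: true, includeNumber: true };
console.log(violations("password1", "password", POLICY));
console.log(violations("correct-horse-battery", "passphrase", POLICY));
```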
Single organization
Turn on the Single organization policy to restrict non-owner/non-admin members of your organization from being able to join other organizations or from creating other organizations. This policy is enforced even for users who have only
warning
Organization members who are not owners or admins and do not comply with this policy will have access revoked when you activate this policy. Users who have access revoked as a result of this policy will be notified via email, and must take steps to become compliant before their access can be restored.
The Single organization policy must be turned on before activating the following policies:
If you are unable to turn off the Single organization policy, verify that all of the above policies are deactivated, that you don't have a
Require single sign-on authentication
Turn on the Require single sign-on authentication policy to require non-owner/non-admin users to log in with SSO. If you're self-hosting, you can enforce this policy for owners and admins using
Members of organizations using this policy will not be able to
note
The
Enforce organization data ownership
Turn on the Enforce organization data ownership policy to prevent private ownership of vault items. This adds
note
This policy only affects members who are not organization owners or admins. Organization owners and admins can continue using My vault.
Once turned on, all new saved items are placed in that member’s My items by default. When on the Add Item screen, a banner informs users that a policy affects item ownership options.
After a
warning
At this time, Bitwarden recommends only organizations that have not started onboarding members to turn on the
If your organization activated the policy before version
Remove Send
Turn on the Remove Send policy to prevent members who are not an owner or admin from creating or editing a Send using
A banner is displayed to users in the Send view and on opening any existing Send to indicate that a policy is restricting them to only deleting Sends.
Send options
Turn on the Send options policy to allow owners and admins to specify options for creating and editing Sends. This policy is not enforced for owners and admins. Options include:
| Option | Description |
|---|---|
| Do not allow users to hide their email address | Turning on this option removes the |
Remove card item type
Turn on the Remove card item type policy to prevent members from creating or importing credit cards in organization and individual vaults.
Users who are members of multiple organizations will still be able to use cards only in an organization that allows it, even if a different organization has activated this policy.
Existing cards will be automatically hidden; however, the data will not be deleted, and cards will reappear should administrators disable the policy.
Default URI match detection
Turn on the Default URI match detection policy to set the
When turning on this policy, select your organization's Default URI match detection from the dropdown menu:
Base domain
Host
Exact
Never
note
Users not subject to this policy have two more options when setting their individual account's default match detection: Starts with and Regular expression. These options are not offered for an organization's default because they can match unintended pages and expose credentials.
Once the policy is activated, members cannot view or change their account's Default URI match detection in Settings → Autofill. They can, however, still choose a URI match for individual login items. This policy does not affect organization owners or admins.
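To show the difference between the four organization-level options and the two user-only options, here is an added JavaScript illustration that is not Bitwarden's own client code; its "Base domain" logic is a simplification that assumes a tiny constructed suffix table rather than the full Public Suffix List:

```javascript
// Added illustration, not Bitwarden's own client code: how each URI match
// detection option decides whether a saved login applies to the page being
// visited, and why "Starts with" and "Regular expression" can over-match.
// Assumption: "Base domain" is approximated with a tiny hard-coded table of
// two-label public suffixes instead of the full Public Suffix List.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]); // constructed, incomplete
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const keep = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function uriMatches(mode, savedUri, pageUrl) {
  switch (mode) {
    case "Never": // the item is never offered for autofill by URI
      return false;
    case "Exact": // whole URL string must be identical
      return savedUri === pageUrl;
    case "Host": // hostname plus port must be identical
      return new URL(savedUri).host === new URL(pageUrl).host;
    case "Base domain": // registrable domain must be identical
      return baseDomain(new URL(savedUri).hostname) ===
             baseDomain(new URL(pageUrl).hostname);
    case "Starts with": // plain prefix test on the full URL string
      return pageUrl.startsWith(savedUri);
    case "Regular expression": // saved URI is used as a regex over the URL
      return new RegExp(savedUri).test(pageUrl);
    default:
      throw new Error(`unknown match detection mode: ${mode}`);
  }
}

// The four modes an organization can set as its default, plus the two that only
// individual accounts may choose.
const ORG_DEFAULT_MODES = ["Base domain", "Host", "Exact", "Never"];
const USER_ONLY_MODES = ["Starts with", "Regular expression"];

function evaluateAll(savedUri, pageUrl) {
  const result = {};
  for (const mode of [...ORG_DEFAULT_MODES, ...USER_ONLY_MODES]) {
    result[mode] = uriMatches(mode, savedUri, pageUrl);
  }
  return result;
}

// Constructed sample: a login saved for one host, checked against a page on
// that host and against an unrelated host whose name begins with the same text.
const SAVED_URI = "https://login.example.com";
const SAME_SITE = "https://login.example.com/session/new";
const UNRELATED = "https://login.example.com.other.test/";
console.log(evaluateAll(SAVED_URI, SAME_SITE), evaluateAll(SAVED_URI, UNRELATED));
```

The second result shows the unrelated host matching under both user-only modes while all four organization-level modes reject it.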
note
The
Session timeout
Turn on the Session timeout policy to set limits and control members'
From the Maximum allowed timeout dropdown menu, set a limit to how long sessions can remain active:
Immediately: When the user stops interacting with Bitwarden
Custom: After the amount of time entered in Hours and Minutes
On system lock: When the device is locked or the screensaver activates (browser extension and desktop app only)
On app restart: When the Bitwarden app is closed and reopened
Never: No maximum session duration is set.
From the Session timeout action dropdown menu, choose what happens after a session ends. You can specify Lock or Log out, or select User preference to let members choose in their account settings.
note
New timeout options were added in
When this policy is turned on and users edit their account's Vault timeout settings, the Timeout options will not exceed the maximum you picked for the organization and some, like On browser restart and Never, will not be available. This policy does not affect organization owners.
note
The
Remove export
Turn on the Remove export policy to prohibit non-owner and non-admin members of your organization from
In the web app and CLI, a message is displayed to users indicating that a policy is affecting their options. In other clients, the option will simply be disabled.
Remove Free Bitwarden Families sponsorship
Turn on the Remove Free Bitwarden Families sponsorship policy to prevent members of your organization from having the option to
Users who have redeemed a sponsored Families organization prior to the policy being activated will continue to have their organization sponsored until the end of the current billing cycle. Their stored payment method will be charged for the organization when the next billing cycle begins.
Activate auto-fill
Turn on the Activate auto-fill policy to automatically turn on the
Automatic login with SSO
Turn on the Automatic login with SSO policy to allow login forms to be filled and submitted automatically when accessing non-SSO apps from your identity provider. To enable this setting:
Check the Turn on box and enter your Identity provider host URL(s). The URL should include protocol://domain.
Automatically log in users for allowed applications
As an administrator on your IdP, add an application or app shortcut to your end-user dashboard containing the destination URL with the added parameter ?autofill=1.
Once the application has been saved, users may select the application from the IdP dashboard and Bitwarden will autofill and log in to the application.
note
Automatic login with SSO will autofill data based on the user's currently active account in the Bitwarden browser extension. The data autofilled will be the credential that user most recently used for the target application's URL.