Bitwarden for MSPs
Learn how to get started with Bitwarden Password Manager as a Managed Service Provider (MSP) and deploy it to your customers in this video guide.
Learn more about becoming a Bitwarden MSP or reseller here, or jump to the following points in the video to learn more about specific topics:
1:36: Overview of Bitwarden Password Manager.
1:46: Bitwarden client apps.
2:15: How Bitwarden integrates with your tech stack.
4:53: Overview of terminology and concepts.
8:34: MSP architecture deep dive.
10:05: Your organization.
16:19: The Provider Portal.
23:13: Client organizations.
25:49: Manage your clients.
26:50: Manage policies.
27:43: Import data.
28:18: Set up SSO and SCIM.
29:00: Q&A.
MSP customer deployment guide
Use the following steps and best practices to deploy Bitwarden to your customers.
Phase 1 - Pre-onboarding
Define technical requirements and onboarding strategy for your customer's Bitwarden organization and environment.
Step | Topic | Action | Resources | Duration (hours) |
---|---|---|---|---|
1 | Environment decision | Determine Cloud or Self-Hosted environment | | 0.5 |
2 | Authentication strategy | Determine if the customer will use Single Sign-On (SSO) | | 0.25 |
3 | Decryption method | If using Login with SSO, select Master Password or trusted devices for decryption | | 0.25 |
4 | Provisioning strategy | Select a provisioning strategy, such as SCIM, Directory Connector, or manual provisioning | | 0.25 |
5 | User identification | Identify users, teams, or departments for rollout groups | | 0.25 |
6 | Training strategy | Identify groups and internal advocates who will attend training. Example: end users, service desk, admins | | 0.5 |
7 | Document collection (sharing) strategy | Determine how collections will be configured. Considerations include: | | 1 |
8 | Policy planning | Select policies to be configured at launch | | 0.5 |
9 | Rollout timeline | Determine invitation and onboarding mechanisms and timing | | 0.5 |
10 | Internal communication | Create internal messaging or memo about Bitwarden rollout. Review Bitwarden templates to get a sense of the communications | | 1 |
11 | Leadership communication | Communicate to internal leaders about Password Management Rollout Strategy | | 0.25 |
Phase 2 - Organization set up
Set up the technical foundation and configure Bitwarden settings for your customer.
Step | Topic | Action | Resources | Duration (hours) |
---|---|---|---|---|
12 | Organization owner | Identify the organization owner. The owner is the super-user that can control all aspects of your organization. Decide if you want the email to be associated with a specific user or a team inbox. Additionally, the best practice is two owner accounts for redundancy | | 0.25 |
13 | Enterprise policies | Configure Enterprise policies: Account recovery administration, Enforce organization data ownership, Activate autofill | | 1 |
14 | Collection management settings | Choose how collections will behave in the organization. These settings allow for a spectrum from full admin control to completely self-serve, where users can create their own collections. These settings can be used to establish a policy of least privilege | | 0.25 |
15 | Co-managed environment | Add administrators or owners to the client organization to co-manage. Best practice is to configure a second owner for redundancy | | 0.5 |
16 | Create collections | Collections are where secure items are located and shared with groups of users | | 0.5 |
17 | Create user groups | Creating user groups allows easy assignment of collections. If you decide to sync groups and users from your Identity Provider or Directory Service, you may need to reconfigure user and group assignments later | | 0.5 |
18 | Collection assignment | Assign groups to collections, making sure to test and demonstrate 'Read Only' and 'Hide Password' options | | 0.5 |
19 | Add items | Add items manually to test collections or import via CSV or JSON from another password management application | | 0.25 |
20 | Login with SSO | If applicable, configure Login with SSO and organization identifier | | 1.5 |
21 | Domain verification | If applicable, verify company and/or other email domains to allow your users to skip entering the Organization identifier during the Enterprise SSO process. Not necessary for non-SSO organizations | | 0.5 |
Phase 3 - Organization roll out
Deploy Bitwarden across your customer's teams and functions.
Step | Topic | Action | Resources | Duration (hours) |
---|---|---|---|---|
22 | Technical cadence meeting | Plan implementation phase 3 with client | | 0.5 |
23 | Add items to collections | Add items manually to production collections or import data from another password management application | | 0.25 |
24 | Enterprise policies | Enterprise Policies can be used to tailor your Bitwarden Organization to fit your security needs | | 0.1 |
25 | Login with SSO | If applicable, configure Bitwarden to authenticate using your SAML 2.0 or OIDC Identity Provider | | 1.5 |
26 | Early users | Add a set of users to the client organization manually and assign them to different groups. With these users, you'll broadly test all pre-configured functionality in the next step, before moving on to advanced functions like Directory Connector. Share the attached onboarding workflow instructions with the users | | 0.5 |
27 | SIEM integration | If applicable, connect Bitwarden to the customer's SIEM tool | | 0.5 |
28 | Bitwarden clients | All Organization members added for the pilot group should download Bitwarden on an assortment of devices, log in, and test access to shared items via collections. They should test the proper implementation of policies | | 0.5 |
29 | Deploy client applications | Configure your application management or MDM tooling to prepare for mass deployment of Bitwarden applications | | 0.5 |
30 | Disable built-in password manager | Make Bitwarden Password Manager the default password manager and turn off built-in browser solutions. Educate users on how to do the same when onboarded | | 0.25 |
31 | Test user onboarding | Configure and test Bitwarden SCIM or Directory Connector integrations to automatically sync users and groups | | 1.5 |
32 | User onboarding | Execute on SCIM or Directory Connector syncing to invite additional users in groups to the organization. Share the attached onboarding workflow instructions with the users | | 1 |
Phase 4 - User training
Train all users and stakeholders on how to use Bitwarden and provide continuing education.
Step | Topic | Action | Resources | Duration (hours) |
---|---|---|---|---|
33 | Admin training | Provide essential day-to-day task training for administrative users with the addition of any special topics requested | | 0.75 |
34 | Service desk training | Advise service desk users on their role/operations | | 0.75 |
35 | Team member training | A general training session for end users will cover: | | 0.75 |
36 | Ongoing education | All users can take advantage of monthly new and updated learning content in the Bitwarden Learning Center | | 0.75 |