Enterprise Policies
What are Enterprise Policies?
Enterprise polices allow enterprise organizations to enforce security rules for all users, for example mandating use of two-step login.
Enterprise policies can be set by organization Admins or Owners.
warning
We recommend setting enterprise policies prior to inviting users to your organization. Some policies will remove non-compliant users when turned on, and some are not retroactively enforceable.
Setting Enterprise Policies
Policies can be set in your organization by opening the the Manage tab and selecting Policies from the left menu:
Available Policies
Require two-step login
Turning on the Require two-step login policy will require non-Owner/non-Admin users to use any two-step login method to access their vaults. If you're using an SSO or Identity Provider's 2FA functionality, you don't need to enable this policy.
warning
Users in the organization who do not have two-step login turned on will be removed from the organization when you activate this policy.
Users who are removed as a result of this policy will be notified via email, and must be re-invited to the organization.
Existing users will not be able to accept the invitation until two-step login is turned on for their vault.
New users will be automatically setup with email-based two-step login, but can change this at any time.
Master password requirements
Turning on the Master password requirements policy will enforce a configurable set of minimum requirements for users' master password strength. Organizations can enforce:
Minimum master password complexity
Minimum master password length
Types of characters required
Password complexity is calculated on a scale from 0 (Weak) to 4 (Strong). Bitwarden calculates password complexity using the zxcvbn library.
warning
Existing non-compliant users will not have their master passwords changed when this policy is turned on, nor will they be removed from the organization. The next time this group of users changes their master password, this policy will be enforced.
Master password reset
Turning on the Master password reset policy will allow Owners and Admins to use password reset to reset the master password of enrolled users. By default, users will need to self-enroll in password reset, however the Automatic Enrollment option can be used to force automatic enrollment of invited users.
Automatic enrollment
Turning on the automatic enrollment option will automatically enroll new users in password reset when their invitation to the Organization is accepted and prevent them from withdrawing.
note
Users already in the organization will not be retroactively enrolled in password reset, and will be required to self-enroll.
Password generator
Turning on the Password generator policy will enforce a configurable set of minimum requirements for any user-generated passwords. Organizations can enforce:
Password , Passphrase, or User Preference
For Passwords:
Minimum Password Length
Minimum Number (0-9) count
Minimum Special Character (!@#$%^&*) count
Types of characters required
For Passphrases:
Minimum number of words
Whether to capitalize
Whether to include numbers
warning
Existing non-compliant passwords will not be changed when this policy is turned on, nor will the items be removed from the organization. When changing or generating a password after this policy is turn on, configured policy rules will be enforced.
A banner is displayed to users on the password generator screen to indicate that a policy is affecting their generator settings.
Single organization
Turning on the Single organization policy will restrict non-Owner/non-Admin members of your organization from being able to join other organizations, or from creating other organizations.
warning
Users in the organization who are members of multiple organizations will be removed from your organization when you turn on this policy.
Users who are removed as a result of this policy will be notified via email, and must be re-invited to the organization. Users will not be able to be accept the invitation to the organization until they have removed themselves from all other organizations.
Require single sign-on authentication
Turning on the Require single sign-on authentication policy will require non-Owner/non-Admin users to log in with SSO. For more information, see Access Your Vault using SSO.
note
The Single organization policy must be on before activating this policy.
As a result, you must turn off the Require single sign-on authentication policy before you can turn off the Single organization policy.
Remove individual vault
Turning on the Remove individual vault policy will require non-Owner/non-Admin users to save vault Items to an organization by preventing ownership of vault items for organization members.
A banner is displayed to users on the Add Item screen indicating that a policy is affecting their ownership options.
note
Vault items that were created prior to the implementation of this policy or prior to joining the organization will remain in the user's individual vault.
Remove Send
Turning on the Remove Send policy will prevent non-Owner/non-Admin users from creating or editing a Send using Bitwarden Send. Users subject to this policy will still be able to delete existing Sends that have not yet reached their deletion date.
A banner is displayed to users in the Send view and on opening any existing Send to indicate that a policy is restricting them to only deleting Sends.
Send options
Turning on the Send options policy will allow Owners and Admins to specify options for creating and editing Sends. Owners and Admins are exempt from this policy's enforcement. Options include:
| Option | Description |
|---|---|
| Do not allow users to hide their email address | Turning on this option removes the hide email option, meaning that all received Sends will include whom they are sent from. |
Vault timeout
Turning on the Vault timeout policy will implement a maximum vault timeout duration for all members of your organization except Owners. This policy applies the timeout restriction to all client applications (mobile, desktop, browser extension, etc.).
A banner is displayed to users during vault timeout configuration indicating that a policy is affecting their options.
note
The Single organization policy must be enabled before activating this policy.
As a result, you must turn off the Vault timeout policy before you can turn off the Single organization policy.
Remove individual vault export
Turning oon the Remove individual vault export policy will prohibit non-Owner/non-Admin members of your organization from exporting their individual vault data.
In the web vault and CLI, a message is displayed to users indicating that a policy is affecting their options. In other clients, the option will simply be disabled.