Bitwarden Enterprise Password Manager Implementation Guide

Step 1: Administrator Training

Example special topics include, but are not limited to:

Demonstrating the configured SSO login flow

Custom fields

Custom roles

Setting up Bitwarden two-step login (if not configured with the SSO IdP)

Internal training / managers

Bitwarden Learning

Personalized training sessions are also available upon request

Step 2: Team Member Training 

A general training session for end users will cover:

How to Import current passwords into Bitwarden

Bitwarden for all devices

Setting up the Bitwarden Browser Extension

Creating your account

Getting to know the Bitwarden vault

How to use the Bitwarden Password Manager

Bitwarden Send

All levels

Bitwarden Learning

Personalized training sessions are also available upon request

Step 3: Service desk training

Optional dedicated training session to set your service desk team up for success

Service desk, customer success leads

Ongoing Education

All users can take advantage of monthly new and updated learning content in the Bitwarden Learning Center

New users brought on after initial onboarding can take advantage of the live Bitwarden Weekly Demo and Q&A or watch a pre-recorded version

All levels

Bitwarden Learning

Bitwarden Live Weekly Demo

Bitwarden Demo for Teams and Enterprises

Step 1: Confirm your ability to self-host

Cloud (recommended): Most businesses and users have all their needs served with a Bitwarden cloud deployment.

The Bitwarden cloud is a good fit for you if:
- You want a turn-key, set-and-forget solution
- You do not have the technical resources and experience to self-host
- You are looking to deploy immediately without any setup time

Self-host (for advanced businesses): Companies that have specific data sovereignty requirements or wish to configure Bitwarden behind a private firewall or reverse proxy may choose to self-host Bitwarden on premises. Server installation, maintenance, updates, backups, and general security are your responsibility.

What does it mean to self-host?
Running Bitwarden on your own servers requires advanced technical knowledge and IT infrastructure. It also means that you are responsible for server maintenance, security, uptime, and updates. Before deciding whether self-hosting is right for you, answer these questions:

- Do you already have anything else self-hosted?
- Do you have dedicated hardware to run the server?
- Is there an IT or DevOps team that will be responsible for the server?
- Are you familiar with Docker, Kubernetes, and/or Helm charts?
- Are you comfortable installing software using Linux terminal or PowerShell?

If any answers are no, then reconsider using the turn-key Bitwarden cloud service instead.

Self-hosting Bitwarden is a good fit for you if:
- You are subject to specific data controls
- You have the technical resources and knowledge to maintain a server
- You are confident in your team’s ability to secure and back up the server data
- You understand your organization’s Recovery Time Objective (RTO) and how to achieve the necessary service availability in your own infrastructure

If you decide to self-host Bitwarden, follow the steps below. If you decide to use the Bitwarden cloud service, skip to Phase 2: Deployment (Cloud).

IT Director

Linux Standard Deployment (self-host)

Windows Standard Deployment (self-host)

Step 2: Prepare for your installation

1. Configure your domain - Set DNS records for a domain name pointing to your dedicated machine (virtual or physical), and open ports 80 and 443 for that machine.

2. Install Docker and Docker Compose (Linux) or Docker Desktop (Windows) - Docker is used to containerize the various processes for Bitwarden. Ensure the machine for your server has at least 4GB of RAM, 25GB of storage, and a minimum of dual-core, 2GHz processor.

3. Retrieve your installation id and key - Visit bitwarden.com/host/ and enter the contact email address of the owner of the Bitwarden self-host server to retrieve this information.

IT Specialist

Organization Owner

Linux Standard Deployment (self-host)

Windows Standard Deployment (self-host)

Step 3: Deploy the Bitwarden server

1. Create Bitwarden local user & directory - Open terminal (Linux) or PowerShell (Windows) and type and enter the series of commands (Bash) in the relevant installation guide on the Bitwarden Help Center.

2. Install Bitwarden on your machine - Download and run the pre-built scripts to install Bitwarden. This step requires the installation id, installation key, and an SSL certificate. Review the relevant guide for more details.

3. Configure your environment - Adjust server settings within the environment file, including configuring the connection to your SMTP mail server so that your Bitwarden installation can send out emails to users, such as invitations.

4. Start your Bitwarden server - Enter the command to start Bitwarden. Bitwarden will automatically download the necessary images from Docker Hub. Review the Docker containers to ensure they’re running correctly. Visit the web app on your domain and verify that it is accessible.

IT Specialist

Organization Owner

Linux Standard Deployment (self-host)

Windows Standard Deployment (self-host)

Step 4: Create your self-hosted organization

Follow the substasks below to create your organization:

1. Start a cloud organization to use for billing purposes (Step 3 below)
2. Retrieve your license file from the Bitwarden cloud web app
3. Create your organization in the web app on your self-hosted server
4. Set up billing and license sync (optional)

After these steps your Bitwarden organization is functional. Thoroughly test features such as integrations like SCIM, and SSO to verify successful setup.

Organization Owner

License setup and retrieval

Step 5: Create a maintenance and backup plan

Develop a plan and assign ongoing tasks for updating the server and setting up a system for creating backups. Prepare an off-site backup of your server data, and test disaster recovery protocols.

IT Specialist

Update your instance

Backup your hosted data

Once these steps have been completed, move to Step 3: Configure Enterprise Policies in the section below.

Step 1: Identify Organization Owner

Create a free user account on using the email intended for Organization ownership and administration. The Owner is the super-user that can control all aspects of your organization. Decide if you want the email to be associated with a specific user or a team inbox.

Note: If you’re being assisted by a Bitwarden representative, skip this step

Organization Owner

Step 2: Create Organization

Create a free Organization on Bitwarden Cloud at . This will be used for billing purposes even if self-hosted.

Note: If you’re being assisted by a Bitwarden representative, skip this step

Organization Owner

Organizations

Step 3: Configure Enterprise Policies

Best practice is to enable and configure all policies before user onboarding begins.

Note: Any Policies should be enabled prior to user invitation as not all policies are retroactive.

Organization Owners + Admins

Enterprise policies

Step 4: Select collection management settings

Choose how collections will behave in the organization. These settings allow for a spectrum of full admin control to completely self-serve where users can create their own collections. These settings can be used to establish a policy of least privilege.

Owner

Collection Management

Resource: Collections Management Settings

Step 5: Review and set up integrations

Visit the Integrations page in the Admin Console, set up desired integrations, such as Login with SSO.

Organization Owners + Admins

Resource: Choose the Right SSO Login Strategy

Step 6: Add additional administrators

Add Administrators to the Organization as needed. We also recommend configuring a second Owner for redundancy.

Organization Owners + Admins

User Management

Step 7: Create Collections for Administrators and users to share

Collections are where secure items are located that are shared with Groups of users. 

Organization Owners + Admins

Collections

Step 8: Create Groups for managing users

Creating Groups allows easy assignment of Collections. Please note: If you decide to sync Groups and users from your Identity Provider or Directory Service, you may need to reconfigure user and Group assignments later.

Organization Owners + Admins

Groups

Step 9: Assign Collections to Groups to begin sharing passwords

Assign Groups to Collections, making sure to test and demonstrate 'Read Only' and 'Hide Password' options.

Organization Owners + Admins

Member Roles and Permissions

Step 10: Add items to test Collections

Add items manually or import via CSV or JSON from another password management application.

Organization Owners + Admins

Import Data to Your Vault

Integration Engineer (Optional)

Assistance in further structuring the organization's policies, collections and groups.

Organization Owners + Admins

Collections

Groups

Step 1: Determine timeline for rollout to initial wave

Senior leadership / Security teams

Onboarding workflows

Step 2: Create internal messaging / memo about Bitwarden rollout

Check out Bitwarden tutorial videos on YouTube and the Bitwarden 101 video series in the  Learning Center.

Internal training / managers

Bitwarden on YouTube

Step 3: Leverage the Customer Activation Kit

Utilize the Customer Activation Kit to access ready-to-use marketing materials such as brand assets, one-pagers, and explainer videos. These resources can enhance your internal communications and support end-user activation.

Internal training / managers

Customer Activation Kit

Step 4: Communicate to internal leaders about Password Management policies

Internal leaders / Security teams

Step 5: Download and login to Bitwarden Client Applications

Download and implement Bitwarden client applications to confirm proper configuration for secure data sharing, and intended Enterprise Policies are working, and the onboarding function is successful.

Note: Some organizations will already have a policy in place to configure clients through device management software.

Note: Self-hosted users will need to set the client's environment:

All users

Install and Sync All of Your Devices

Step 6: Configure Directory Connector or SCIM to invite users

Begin the Directory Connector or SCIM integration provisioning to start inviting users to the organization 

Provide the script to bypass the user acceptance step that can be input within the CLI (optional).

Review secure offboarding procedure

Organization Owners + Admins

About SCIM

About Directory Connector

Step 7: User Account Migration 

Instruct users how to migrate from their current password manager to Bitwarden.

All Users 

Import Data to Your Vault

Step 8: Ask your users to disable their browser's built-in password manager

Built-in password managers for browsers are more vulnerable to security threats and can interfere with the Bitwarden experience.

All users

Disable a browser's built-in password manager

For larger customers, Bitwarden offers ongoing meetings with Customer Success Engagement Managers and Bitwarden executives

Assistance in any further deployment practices 

Q&A Sessions

Check In Meetings

Organization Owners + Admins + Internal leaders / Security teams

Collections

Groups

Ongoing: Billing support requests

Contact Support for expedited billing support assistance

Organization Owners

Bitwarden Help Center

Ongoing: Technical support requests

Contact Support for expedited technical support assistance

All users

Bitwarden Help Center

For larger customers, Bitwarden offers ongoing meetings with a Customer Success Engagement Manager and Bitwarden executives

Regular meetings with Customer Success Engagement Manager 

Periodic meetings with Bitwarden executives and product team 

Review feedback and feature requests from first two months of deployment

Organization owners, admins, project managers, service desk teams, and end users of larger enterprise customers