KDitty98
Thanks for answering those questions! Your users don't necessarily need access to the original linked device; they can add other devices, such as a mobile phone where they're using 1Password. However, they do need to have access to any existing linked device in order to add their 1Password account to a new device. From our SSO best practices guide:
"Because the device key is unique to each linked app or browser, a critical part of migrating to Unlock with SSO is to make sure your team members link additional apps and browsers. Without access to at least one linked app or browser, they can’t sign in to new apps and browsers and will need an administrator to recover their account."
The requirement to transfer the encryption key from an existing device is fundamental to 1Password's end-to-end encryption that ensures that no one, not your identity provider or 1Password itself, can ever access your organization's information.
For example, someone might start off at our HQ, set up 1Password there, and then head to another office where they’re assigned a different workstation.
Are you using a VDI (Virtual Desktop Infrastructure) environment for these employees? If you are, then have you looked into creating a roaming profile that will persist the user's 1Password data as they move from a physical device in one location to a physical device in another location?
If you persist 1Password data for your users for their user profile, then they wouldn't need to set up 1Password again when they sign in on a new device using their roaming profile: Use 1Password in a virtual desktop environment
-Dave