Our community is getting an upgrade on July 2nd! Learn more in the FAQs →
1Password Group Policies / ADMX
Hi 1Password, I'm struggling to get more information regarding the GPO policy feature introduced last year. The only notice I can find is the changelog stating [Windows only]: Added group policy support using ADMX templates. Where can I find these? There is a page on MDM with some registry options, but I was hoping for a smoother process by using established GPO configurations. Note: I can't add links in the forum: it claims "Your post contains invalid HTML. Remove the following invalid tags before publishing: a, a (data-airgap-id)"
Group Policy Intune ADMX Ingestion Error
Hi 1Password Community, We've been looking at managing 1Password policies through the generated ADMX+ADML files. The files themselves upload to Intune fine, but when the client is attempting to ingest the file(s) we receive the following error: MDM ConfigurationManager: Command failure status. Configuration Source ID: (5B33F6A6-E59D-4384-8CB2-6858C3CCF0CD), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OnePassword82518298-c5ba-4142-b473-7d937e4105c6/Policy/OnePassword82518298-c5ba-4142-b473-7d937e4105c6), Result: (Catastrophic failure). See image 1 Originally, this was thought of as a bug as the feature was still fairly recently implemented. After a couple of months of waiting, I tried generating the files again earlier this week (currently using app version "1Password for Windows 8.11.20 (81120039)") and discovered the same error is still present. The patch notes for January 19th mention that this should have been fixed, but when trying again these past couple of days the error persisted. https://releases.1password.com/windows/stable/#1password-for-windows-8.12.0 See image 2 Doing some research, I came across the following GitHub-repo: https://github.com/Micke-K/IntuneManagement/blob/master/ADMXImport.md, which mentions that QWORD-values are unsupported and will generate a catastrophic failure on the clients - exactly the same as we've been experiencing on our clients. See image 3 Based on this revelation, I started to manually edit the ADMX and ADML-files to remove all entries for "longDecimal", which equals to these two policies: security_authenticatedUnlock_deviceBasedUnlock_askUnlockAfter security.autolock.minutes Once these entries were removed from both files and reuploaded to Intune - it started working without any further errors: ADMX Ingestion: MDM PolicyManager: ADMX Ingestion: EnrollmentId (8BE04C50-54DF-4B0D-AA1C-9A79C476C468), app name (OnePassword975d1c63-2406-4643-8f93-cb4034eb3382), setting type (Policy), unique Id (OnePassword975d1c63-2406-4643-8f93-cb4034eb3382), area (NULL). Policy Creation: MDM PolicyManager: Set policy string, Policy: (ManagedInstall), Area: (OnePassword975d1c63-2406-4643-8f93-cb4034eb3382~Policy~onepassword), EnrollmentID requesting merge: (8BE04C50-54DF-4B0D-AA1C-9A79C476C468), Current User: (Device), String: (<enabled/><data id="ManagedInstall" value="X" />), Enrollment Type: (0x6), Scope: (0x0). See image 4 and 5 As the error appears to be related to the ADMX Ingestion not being able to handle QWORD-values, the root cause of the problem may lie with Microsoft. Would it be possible from 1Passwords side to look into having the two policies be handled through either a DWORD or a String instead of a QWORD?
Help with 1Password SSO Unlock Across Multiple Desktops
Hi, I’m looking for some assistance with 1Password in a small office environment (around 45–50 desktops) that runs Hybrid AD. We’ve enabled Unlock with SSO, and it works fine on a user’s first workstation. However, when the same user signs in on another workstation, 1Password prompts them to transfer their encryption key. The challenge is that our users often move between desktops throughout the day depending on their work schedule. This constant key transfer prompt is disruptive. Is there a way to disable this key transfer requirement or a recommended best practice to allow seamless use of SSO across multiple desktops? Thanks in advance for any guidance!
BloodHound OpenGraph
Exploring a 1Password instance to map user access to vaults SpecterOps BloodHound is a tool for mapping identities and attack paths for Microsoft products, but has added OpenGraph to do the same for other products , with one of the first examples being 1Password. What is our Bloodhound users' experience with this new tool? How does this compare to using the native tools? I have no affiliation with SpecterOps or experience with their products, but am interested in identity and access discovery in an information security context.
Permit/block access to vault by IP?
I have a situation where we want to allow access to a specific vault when they're using a given source IP. When coming from that same IP, we would want to block access to all other vaults. When using other IPs, we would want to grant full access. It doesn't appear to be doable now, but I would like to put in a feature request.Microsoft Entra ID SSO issue
We have recently migrated all our users over to using Microsoft Entra ID SSO. It works fine except every time they close the app or shutdown their computer, it asks them to login using SSO. We have a set of employees who do not always have a connection available. They go from site to site and some basements where they need to go don't have network or wi-fi. When that happens, they are unable to use 1password. Keep in mind that most of the time when they access these places they are escorted by security to go down in the basements and it's wasting their time as well as the security employee. We have it set to ask the Entra password every 7 days. Expected behavior: if I close the app or restart the computer, the token should still be valid. Current behavior: Every time I close the app or restart the computer, I have to login to the microsoft account again.
Central Control for Autofill Exclusions in 1Password Business
It would be very helpful if administrators in 1Password Business could set a policy to disable autofill for specific domains or subdomains. For internal portals like Topdesk we don’t need login items, and autofill only gets in the way. As an admin, I’d like to be able to centrally push this setting to a group, so users don’t have to configure it themselves. This would remove frustration for our team and make management much easier.
