Add an option to disable update

Basically my idea is to add an option to disable auto update from the Bitwarden desktop app. My reason is that I created a portableapps.com format for Bitwarden desktop (I know that Bitwarden-Portable-x.xx.x.exe exists but I wanted BW in PA.c format, so I created it) and if someone uses the auto-update it will request admin rights and install it like an official app for the computer, which I don’t want to happen. So is it possible to add a setting like: Update>Allow auto update (Prompt) or Never update? Thanks for reading and for your work on Bitwarden.

2 Likes

I would appreciate this, too. On all my Windows machines I install the Bitwarden desktop app through the chocolatey package manager and all chocolatey packages are updated daily via task scheduler, so there is no need for an additional update check in this case.

1 Like

Perhaps a better option would be a way to manage these updates such as through Windows Group Policy.

This would allow for more fine-grained administrative tasks.

Hello, I have found another workaround that is better than using Chocolatey or another solution to update the Windows 10 app (in my humble opinion):

Bitwarden client is available in the Microsoft Store, which is already sandboxed and does not require admin rights to install.

If you are using Office 365, you can publish the app using Microsoft Store for Business and it will be available for users to install under your organization’s Private Store (which is a tab available in the Windows Store app).

Some enterprises also restrict which apps in the store can be installed by their users, so this might even be a better solution (it certainly requires less maintenance).

As far as I can tell, the Windows Store App is identical to the desktop app, except it doesn’t require any special permissions to update.

Hope this helps,

1 Like

I also have Bitwarden installed through a package manager, except I use Homebrew on a Mac rather than Chocolatey on Windows. Moreover I’m hoping to switch to a Linux distro soon, which will have its own package manager.

Bitwarden sending update notifications is merely an annoyance. When using a package manager, updates happen through the package manager so it doesn’t make sense for Bitwarden to handle them (installing applications outside the package manager is anathema).

I would like to disable auto update for security reasons.

Recently, the supply chain of Passwordstate was hacked. Hackers pushed a new version that uploaded all saved data unencrypted to their servers. I would like to manually update in order to prevent such a scenario.

https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/

1 Like

I read about this attack and because of that, all of a sudden this “strange” feature request has turned into a good idea.

Disabling updates is a bad idea, but being able to choose a delay would be a good compromise.

The reasoning is if Bitwarden found a 0-day and did a massive push to all apps the auto-update is a lifesaver. Though as we’ve seen it can also be abused which is less likely in comparison to them finding a bug in the code and needing to push to all clients.

Overall, the auto-updates are a good thing. We don’t need Nana for some reason turning it off and being left running a bad version. I wouldn’t let a 1% problem keep the 99% from being more secure.

2 Likes

It’s a dilemma, I think. The feature that could be a lifesaver can also be greatly misused when hacked. But I agree that zero days should be asap fixable.

Most important thing is that the update server is hardened and that the desktops verify the integrity of the updates via signatures. And of course that the private key is encrypted, only temporarily decrypted for signing purposes, etc…

3 Likes
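
Added example, not part of the thread and not Bitwarden's updater code: a client-side check that combines the signature verification and the update delay suggested in the posts above. The manifest fields, helper names and the Ed25519 key pair are assumptions constructed for the illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key pair. In a real deployment the private key stays with
// the vendor's signing system and only the public key ships in the client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Vendor side (hypothetical helper): sign a manifest that pins the artifact.
function signManifest(manifest, key) {
  const body = Buffer.from(JSON.stringify(manifest));
  return { body, sig: crypto.sign(null, body, key) };
}

// Client side (hypothetical helper): decide what to do with an offered update.
// delayDays is the user-chosen hold-back period for non-critical releases.
function evaluateUpdate(offer, artifact, pubKey, delayDays, now) {
  // 1. The manifest must carry a valid signature from the pinned key.
  if (!crypto.verify(null, offer.body, pubKey, offer.sig)) {
    return 'reject: bad signature';
  }
  const m = JSON.parse(offer.body.toString());
  // 2. The downloaded bytes must match the hash inside the signed manifest.
  const digest = crypto.createHash('sha512').update(artifact).digest('hex');
  if (digest !== m.sha512) return 'reject: artifact hash mismatch';
  // 3. Non-critical releases wait out the delay; critical ones go through.
  const ageDays = (now - Date.parse(m.released)) / 86400000;
  if (!m.critical && ageDays < delayDays) return 'defer';
  return 'install';
}

// Constructed sample release (not real Bitwarden data).
const artifact = Buffer.from('constructed installer bytes');
const offer = signManifest({
  version: '0.0.0-example',
  sha512: crypto.createHash('sha512').update(artifact).digest('hex'),
  released: '2021-05-01T00:00:00Z',
  critical: false,
}, privateKey);

console.log(evaluateUpdate(offer, artifact, publicKey, 7,
  Date.parse('2021-05-03T00:00:00Z')));
```

The delay only helps if a tampered release is noticed and withdrawn within the hold-back window, and the `critical` bypass is covered by the same signature, so it is only as trustworthy as the signing key.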

for christs sake please stop releasing updates so often which create a popup on the desktop which requests me to install the update and restart bitwarden!

rolling releases and fast releasing may be convenient for the developers as we users are being used as testers but they annoy the sh*t out of me! it is such a bad habit of today’s world!

of course, fixes and stuff are delivered faster as well this way, but the majority of releases/updates exist due to new features, minor changes or fixes of previously introduced new features or minor changes (I HOPE!).

bitwarden is a freaking tool i want to use and not having to constantly restart, acknowledge UAC prompts and clicking finish in the setup wizard. most of the time i just open the gui, get my password and that’s it! i don’t care for new features every day.

reserve the update popup for critical patches, like security bugfixes or data corrupting stuff! PLEASE!

or make a stable branch, a testing branch and a nightly builds branch or whatever, just don’t annoy the crap out of regular users who don’t want their pliers to change color every second day!

THANK YOU!

Hi everyone,
Because of a graphics card failure I have a MacBook Pro which is stuck on Mac OS 10.12 (Sierra).
I have found that the Safari extension doesn’t work with this old version of the OS so I have tried to install an older version of Bitwarden. Sadly the auto update prevents me from doing this.
I would like to request that it should be possible to turn the auto update feature off.

Thanks, Steve

Currently there is no way to turn off auto updates. Updates will be automatically installed on your PC after it has been deployed by the company for offering users maximum security and convenience. If there was a switch to turn off updates, most users won’t even bother to update which is not a good choice.

Thank you for your response. I appreciate that updates and security are paramount in an application which is storing sensitive information, so you make a fair point.
If, however, auto updates were ‘on’ by default then those users you cite, who would not update, would be unlikely to turn updates off, but at least those that needed to for sound operational reasons, such as myself, would have the option.

I understand you are in a pretty bad situation, I am not a Mac user so I really cannot do anything. Will Apple fix the graphics card? It may be expensive but it seems like the only option. Or maybe you can switch to Linux?

You can disable auto-update via an electron environmental variable:

Sorry, I was not aware of this.

Thank you, it could be worse! I think Apple reluctantly fixed this problem for a while but not any more. I think I will move that machine to Linux, at some point, but it’s OK for now.

I am also interested in this, but for Windows.

one way of blocking auto updates would be to just block the bitwarden servers for your clients on the corporate firewall. gonna do this, as there is absolutely no progress or acceptance here from the devs.
more like ignorance and not thinking outside their own box.

  1. supply chain attack of the update servers
  2. users not being admins
  3. unnecessary updates security-wise or data consistency-wise
  4. disruption of workflow
  5. popups during powerpoint presentations
  6. controlled and validated rollout of software versions through corporate IT

If Bitwarden wants to play with the big kids, they have to implement some care for Enterprise demands.
And I certainly want Bitwarden to play with the big kids.

If there are critical updates (like 0-days), make a mailing list which warns admins, make a banner in the app which warns users, block access to your servers from unpatched versions, whatever…

especially users/corps which use the on-prem license shouldn’t be forced to update their clients. in our case, bitwarden isn’t even publicly accessible. nonetheless, the server is frequently being updated, of course.

@azzurro - that is a much better response than the previous one. Thank you for your contribution and for conveying it in a constructive and civil manner. I think this should make a favourable impression on the Bitwarden folks, and I agree with your assessment (other than ‘play with the big kids’ remark).