Enterprise Policy for Vault-Timeout

Feature function

  • Bitwarden already has enterprise policies for master password strength, 2fa and password generation
  • As an enterprise I want to prevent users from setting the vault timeout to “never”, potentially compromising our security
  • If Bitwarden lets organizations manage this feature per policy it would help create a safer enterprise landscape :slight_smile:

Excellent request :slight_smile:

We’ll be adding this during Q1 2021 or so.

[Edit: 2021 - we have yet to invent a time machine!]

Q1 means Jan, Feb, March, right?
Did you mean 2021?

Fixed :+1:

2020 doesn’t need any more advertisement :sweat_smile:

Hello, what is the status of this feature? Is it still on the roadmap for 2021? We need to be able to manage these settings at the organization level.

Sorry for the delay folks - it’s on our backlog, no ETA just yet. We initially did aim for this to be underway last quarter.

Enterprise Application Management

Feature function

As a business, it’s important to control some options within an application. Bitwarden offers some good minimal policies but lacks when it comes to managing the applications users are free to use. The example I am thinking of right now is if you are not using SSO or you are using SSO but lack the licensing for conditional access, a user can have almost indefinite access to passwords stored in their “personal” vault.

Ideally, the organization owner/admin should be able to specify some default/unchangeable settings for the browser extension and desktop app such as the default timeout action. Currently, it’s set to lock but locking doesn’t stop a terminated employee from unlocking and doing whatever they want with the passwords.

Related topics + references

Dashlane offers something similar here: Policy settings – Dashlane

  1. Global setting is: “Never” to lock out - which is bad for data-security - I can hardly enforce my users to set the timeout individually, therefore the Vault does not lock!
    → please set globally the timeout for each user at least to 15 minutes.

1.1 Maybe, use this feature-request via Global Policies

  2. If 2FA is enabled, I would prefer to automatically log out all users. This needs to be done globally!

Benefits:

  • Hardening data- and IT-security
  • Centralized admin policy to enhance overview

Current status of Vault timeout is here:
https://bitwarden.com/help/article/vault-timeout/

Many thanks!

This is on our near-term TODO list :slight_smile:

While you are implementing the function, could you set the same vault timeouts as you did for the Vault also in the add-ins for all kinds of browsers? Also, for the Windows version it would be great to set the same timeout values.

In "Bitwarden - Free Password Manager – Microsoft Edge Addons" for Microsoft Edge you still have the option to never time out.

Hi @christinafiona,

The vault timeout policies haven’t been made available just yet. I believe they will be available within the next release or two, though :+1:

That’s good to know. It’s the feature I’ve been waiting for before rolling out Bitwarden to the majority of our company. I don’t trust the majority of our users to update the timeout time, and it’s just too unsecure otherwise. Hoping this is actually going to happen.

Going out with the release at the end of this month :partying_face:

This is live for Cloud services now, available for self-hosted in a few days :+1:
