Send email to admins for Device Approval Request

You already email admins when there is a pending user to confirm… why do you not email admins when there is a pending device request?

Seems like something that should have been included in the initial release of Trusted Devices.

Hi @Greyson, Welcome to the Bitwarden community! The team is working on ways to make the addition of trusted devices more self service for users. There is also work to identify the right way to incorporate notifications given that the volume of devices could be far larger than the volume of users.

Thank you @go12 … At the recommendation of our Bitwarden account team, we enabled Trusted Devices… and to be honest, I’m disappointed with the way that Bitwarden implemented it. It seems like a real rush-job.

  • Inconsistency between users with Master Passwords and those without… and no way to tell which is which. So it is very confusing to educate users on how to add additional devices when SOME can do so via master password and others can’t.
  • Lack of admin notification emails when there are pending device approvals.
  • Lack of consistency about what qualifies as a “new device”… the web vault, the desktop app and browser plugin are all considered separate devices so must be approved.
  • When new users get added to BW, they are obviously going to join via the web vault - since the email says to just click on a link… so they then authorize the browser… but are stopped by waiting for admin approval to setup their desktop app and/or browser plugin.

Thank you @Greyson. The team is aware of the situations you have outlined and has plans to address them. Your feedback is appreciated.

Agreed – we need an admin notification email for pending device approvals at a minimum here. Seems likely a very simple QoL improvement.

A policy for setting ‘Use this device to approve login requests’ as default would also go a long way.

Hi @mikelelevate and @Greyson - thank you for your input.

The team is looking at introducing a way to automate device approvals via the CLI - would you still prefer the product to notify admins for individual device approvals? This was not initially introduced so that admins would not get overwhelmed by emails, given that devices outnumber users, so we would appreciate your thoughts on whether the CLI automations would solve the need.

Hey Gina,

In my own MSP and across our customer base we would prefer the product to notify admins for individual device approvals. Our customers have a dedicated ‘Bitwarden Champion’ that is in charge of this – they’re not technical so CLI is of no use to them.

Outright automating the approvals via CLI somewhat defeats the security purpose of this feature. However, I have full faith in the security of SSO via M365 and our conditional access policies, so maybe this would work if it was exposed as a setting you could toggle on/off per organization.


Hey @gtran,

Great to hear you’re working on it! I want to also add my support for email notifications as a must have for this feature. Since CLI automations are not possible within my company by the people managing it. And now they have to look into Bitwarden every morning to know if people made Device Approval requests or the user itself needs to message them.

Next to that, I have two suggestions that will improve the UX of this feature:

  • If there are worries about spamming admins, then please make a toggle in the Bitwarden UI that allows the user to disable the email notifications for admins.
  • If it’s expected by you that people create automatic device approvals via the CLI tooling, then maybe it will be a good idea to also allow it as a feature for everyone. E.g. having a toggle within the Bitwarden UI to automatically approve devices.

Is there a way to see the timeline of this feature improvement?

I totally agree! I also have full faith in the security of SSO via M365. A toggle on/off per organization so that we can decide about that ourselves would be great.
The more so as we can’t have the synchronous communication needed to validate requested devices are valid. So we mainly decide by gut feeling anyway…

An update: the team will be starting on enabling an endpoint on the CLI to bulk approve devices as well as within the UI. This is targeted for sometime in May/June. The team will also be looking at building an email to owners and administrators when there are pending device approvals. More to come!


Great update - we’re extremely interested in this feature too!

One tiny request - can we also have an API endpoint so we can hit it from python etc? I’m assuming your CLI tooling uses it anyway 🙂


Added my vote for this. Would love to see device approval request notifications sent to admins. Otherwise, admins need to manually check the admin console frequently to check for any pending requests from users, especially as we start a rollout period with our organization. This would be a big time saver to have this notification feature added.

Hi @Until0842 and welcome to the Bitwarden community! As @gtran shared a couple of messages earlier, more is planned.

Thanks! Looking forward to an update on this topic in the May/June timeframe

Hi, checking in to see if there are any updates on this feature. Thanks!

Hi @gtran,

How are things progressing on this feature?

The lack of automatic device approval (even if just through the bw CLI, or the API) is the number one issue across my org.

We’re not enormous, but about 2k users, and getting a device approval is literally 80% of questions users have about bitwarden.

Help me understand. If an administrator is going to automatically approve devices, why would one not just allow users to self-approve with their master password?

I guess I am just not understanding the value of adding a “rubber stamp” to the middle of a process.

We already enforce SSO, so the device approval becomes exactly a rubber-stamping exercise, but one that a user cannot complete themselves IF they first register on the web app.

For us, it just adds a tonne of friction for no apparent benefit.

Bitwarden themselves kind of put us in this position. When setting up SSO, your options to decrypt your vault are master password or trusted devices.

My tenant is configured with SCIM, so users are provisioned without master passwords. I don’t want to be in the business of setting and disseminating passwords to thousands of users that they’ll only use in this very niche scenario. On top of that, users will inevitably forget it since we only allow sign-in via SSO. Not to mention making users remember a second password for the same app flies in the face of single sign-on principles.

End users can approve devices themselves via the Bitwarden app but you have to get THAT device approved to be allowed to log into it. Admin device approvals is a pointless feature for modern enterprises so our best recourse is just rubber stamping via automation (when the feature is finally available). Not ideal but I’ll take something at this point.


Thanks for that tidbit. That is what I was missing.