Site Map | Privacy Policy | Support | Pricing | FAQs | Contact Us
RoboForm Enterprise
  • Home
  • Solutions
    • Overview
    • Features
    • Benefits
    • Managed Console
    • Why We’re Better than SSO
    • Cost of Ownership
    • Pricing
    • Product Comparison
    • How It Works
    • System Requirements
    • Screenshots
    • Free Trial
    •  
  • Support
    • Open a Ticket
    • Customer Support
    • Services
    • Training
    • User Documentation
    • Tutorials
    • Troubleshooting
    • Version History
    • Languages
    •  
  • Resources
    • Overview
    • White Papers
    • Analyst Reports
    • Multi-media
    • Case Studies
    • Datasheets
    • Quick Start Guide
    • FAQs
    • Compliance
    • Downloads
    •  
  • Buy Now
    • Buy Direct
    • Find a Reseller
    •  
  • Company
    • Overview
    • Our Customers
    • Partners
    • News
    • Press Releases
    • Events
    • Management Team
    • Careers
    •  
Search
  • Open a Ticket
  • Customer Support
  • Services
  • Training
  • User Documentation
  • Tutorials
  • Troubleshooting
  • Version History
  • Languages

User Documentation

RoboForm Enterprise Administration Guide — Deployment and Customization Instructions

  • Introduction
  • Deployment Overview
  • Choose the Deployment Scenario
  • Policies
    • RoboForm Toolbar
    • Login Browser
    • AutoSave Dialog
    • AutoFill Dialog
    • Master Password
    • User Data Options
    • Search Box
    • Keyboard Shortcuts
    • GUI Limited by Admin
    • Configuration Options
    • Domains
    • General
  • The Policy Editor
  • Master Password Recovery
  • Deploying RoboForm Enterprise with Group Policy
  • Deploying RoboForm Enterprise without Group Policy
  • Distributing RoboForm Enterprise
    • Installer Command Line Options
    • Example Deployment Script

Introduction

This document provides installation and configuration instructions for RoboForm Enterprise.

RoboForm Enterprise is a fully distributed Single Sign-On system with RoboForm Enterprise software components installed on user workstations or remote access servers, and is configurable through Group Policies in Active Directory.

The workstation component is responsible for the following functionality (unless the system administrator restricts the functionality through Group Policies):

  • capturing usernames and passwords from websites or applications,
  • securely storing captured usernames and passwords on the file system,
  • reading usernames, passwords and other user information from the file system,
  • automatically filling usernames, passwords and other credentials and into applicable websites and applications,
  • allowing users to make changes to their stored information including usernames and passwords.

In a corporate environment where users don't have administrative access to their workstations, a system administrator may chose to securely restrict the functionality of RoboForm that is available to individual users through Group Policies in Active Directory. The Policies chapter explains this in greater detail.

Back to the Top

Deployment Overview

RoboForm Enterprise deployment includes the following steps:

  1. Choose the Deployment Scenario that best fits your company
  2. Download the latest version of RoboForm Enterprise and install it on your administrative or testing computer
  3. Activate RoboForm on that computer to test locally the workstation component and the policy effects
  4. Download the Policy Editor to the same computer
  5. Use the Policy Editor to test the various policies that you will want to enable in your distribution (The following chapters contain detailed customization instructions)
  6. Add the RoboForm Enterprise ADM file into your Active Directory Server's Group Policy Editor
  7. Create/Apply GPO's containing the RoboForm Policies that you have decided to enforce
  8. Once the GPO's containing the RoboForm policies are in place use a mass-deployment method approved by your company to deploy the workstation component to the workstations of individual users

Back to the Top

Choose the Deployment Scenario

There are many different scenarios in which you can deploy RoboForm Enterprise depending on how your organization needs to utilize its features. The first choice is: allow the user to set their own Master Password; set all users to the same Master Password; set users to a random Master Password.

Allowing users to set their own Master Password gives the user slightly more freedom with the software, and ultimately leaves the security of their Passcards up to the password the user chooses. RoboForm Enterprise has Policies to enforce Master Password quality in order to ensure the user selects a strong password. There is also a Policy to enable Master Password Recovery that will allow the administrator to see what the user's have currently set their Master Passwords to (explained in more detail in the Master Password Recovery chapter).

Setting all users to the same Master Password simplifies the administration of RoboForm Enterprise. RoboForm Enterprise has Policies to force it to cache the Master Password to the user's Windows account via System Protected Storage. Once the user logs into the machine he/she will be able to access and use any Passcards they need without having to enter, or know what the Master Password is. By disabling their windows account you are also disabling their RoboForm Enterprise access. This is a popular deployment scenario in high turnover environments since it simplifies the use of RoboForm Enterprise for the user, as well as simplifying the administration of the product without sacrificing security.

Setting all users to a random Master Password adds another layer of security to the encryption and protection of RoboForm Enterprise. The example Deployment Script shows how to set a random Master Password during the deployment process. Again the user would not need to know what the random Master Password is, if the administrator sets the Policy to force RoboForm Enterprise to cache the Master Password to the user's account. The administrator can also enable Master Password Recovery so that he can see what the Master Password is set to.

Back to the Top

Policies

Feature management of RoboForm Enterprise is implemented through Group Policies. An ADM File is available containing all of the Group Policy options for RoboForm Enterprise. These policies will allow the administrator to perform the following:

  • selectively restrict certain actions within RoboForm Enterprise,
  • configure the Master Password Recovery Mechanism.

NOTE: Companies that have 64bit machines may need to download and configure the RoboForm Enterprise WOW64 ADM File as well to ensure that policies are properly configured on these machines.

Back to the Top

RoboForm Toolbar

MyIdentitiesCausesSubmit

  • True: the default action for the My Identity button on toolbar is Fill&Submit.
  • False: the default action for the My Identity button on toolbar in Fill Form (no automatic submit).

MatchingPasscardsCausesSubmit

  • True: the default action for the Matching Passcards button on toolbar is Fill&Submit;
  • False: the default action for the Matching Passcards button on toolbar is Fill Form (no automatic submit).

MyIdentityNumber
This policy specifies the number of MyIdentity buttons on toolbar.

MyIdentityWidth
This policy controls the width of the MyIdentity button.

MatchingPasscardsButtonWidth
This policy specifies the width of the Matching Passcards button on toolbar.

SearchBoxWidth
This policy controls the width of the Search box on toolbar.

ShowLowerToolbarIE
When Upper RoboForm toolbar cannot be shown in Internet Explorer because it is not installed or not allowed, show Upper Attached Toolbar, Lower Toolbar or no toolbar. Preferred location of RoboForm toolbar is:

  • 0: Upper Toolbar;
  • 1: Lower Toolbar;
  • 2: No Toolbar.

OrderByUrlMatch
This policy controls the order of Passcards in the Matching Passcards mini-dialog:

  • True: show matching Passcards with the best URL match on top;
  • False: order matching Passcards alphabetically.

Back to the Top

Login Browser

LoginOpensSiteType
This policy controls where the Login toolbar button opens the corresponding website:

  • 0: same window;
  • 3: new window.

TaskbarOpensSiteNewWindow
This policy controls where the Login taskbar icon or editor opens the corresponding web site:

  • 0: same window;
  • 1: new window.

TaskbarIconOpenBrowser
This policy controls the nature of the New Browser window for the Open icon from Taskbar:

  • 0: default browser
  • 1: Internet Explorer
  • 2: Firefox
  • 3: user specified browser

NOTE: For RoboForm Pro, the default value is 'Default Browser'. For RoboForm2Go, the default value is 'Internet Explorer'.

UserDefinedWB
This policy specifies the browser that will be used when the User specified browser (TaskbarIconOpenBrowser=3) option is selected.

PopupBlockerUsing

  • True: RoboForm will open a new browser window by calling the default browser, because low quality popup blocker that is present will not allow RoboForm to open them using other techniques;
  • False: RoboForm will use regular techniques to open a new browser window.

DefaultActionForPasscardIsLogin

  • True: the default action for RoboForm file type is Login;
  • False: the default action for RoboForm file type is Edit.

Back to the Top

AutoSave Dialog

AutoSaveEnable

  • True: AutoSave is turned on for HTML forms;
  • False: AutoSave is turned off for HTML forms.

AutoSaveWinDialogsEnable

  • True: AutoSave is turned on for Basic Authentication and Windows dialogs;
  • False: AutoSave is turned off for Basic Authentication and Windows dialogs.

AutoSaveAltClickEnable

  • True: the Alt+Click combination forces AutoSave;
  • False: the Alt+Click combination does not force AutoSave.

AutoSaveShiftEnterEnable

  • True: the Shift+Enter combination forces AutoSave;
  • False: the Shift+Enter combination does not force AutoSave.

AutoSaveUseNewAccountFeature
This policy controls the behavior of the AutoSave dialog box, enabling or disabling the option to create a new account.

  • True: enable the New Account feature;
  • False: disable the New Account feature.

DisableSaveForms
This policy enables or disables the Save Forms and AutoSave dialog boxes.

  • True: RoboForm does not give the user an option to save new username/password data or new form data; RoboForm also blocks all related functionality;
  • False: RoboForm will give the user an option to save new username/password data or new form data.

Back to the Top

AutoSave Dialog

AutoFillEnable

  • True: RoboForm will show the AutoFill dialog when there are forms to be filled;
  • False: RoboForm will disable the AutoFill dialog.

ConfirmAutoFillEnable

  • True: RoboForm will ask for user confirmation when performing the AutoFill action;
  • False: RoboForm will not ask for user confirmation when performing the AutoFill action.

AutoFillWinDialogsEnable

  • True: RoboForm will show the AutoFill dialog box when matching windows dialog appears;
  • False: RoboForm will not show the AutoFill dialog box when matching windows dialog appears.

AutoFillEmptyOnlyPC

  • True: the Fill Only Empty Fields option will be selected by default in the AutoFill dialog box for Passcards;
  • False: the Fill Only Empty Fields option will not be selected by default in the AutoFill dialog box for Passcards.

AutoFillEmptyOnlyID

  • True: the Fill Only Empty Fields option will be selected by default in the AutoFill dialog box for Identities.
  • False: the Fill Only Empty Fields option will not be selected by default in the AutoFill dialog box for Identities.

AutoFillEngSelValues
True: The Fill English Selection Values option will be selected by default in the AutoFill dialog box (Identities only).

AutoFillSubmitDefaultPC

  • True: Fill&Submit will be the default action in the AutoFill dialog when a Passcard is selected;
  • False: Fill Forms (Fill only, no Auto Submit) will be the default action in the AutoFill dialog when a Passcard is selected.

AutoFillSubmitDefaultID

  • True: Fill&Submit will be the default action in the AutoFill dialog when an Identity is selected;
  • False: Fill Forms (Fill only, no auto submit) will be the default action in the AutoFill dialog when an Identity is selected.

AutoFillOnlyIfPasswords

  • True: RoboForm will show the AutoFill dialog only on pages with password fields;
  • False: RoboForm will show the AutoFill dialog on all HTML pages with forms.

AutoFillFromIdentityOrPasscard
This policy controls when AutoFill dialog appears:

  1. when there is a Passcard only to fill;
  2. when there is an Identity only to fill;
  3. when there is either a Passcard or an Identity to fill.

AutoFillThreshold
This policy specifies the minimal number of fields that causes the AutoFill from Identity box to appear.

AutoFillDialogPosition
This policy controls the position of the AutoFill dialog when it appears:

  • 0: right out;
  • 1: center;
  • 2: right in.

AutoFillDialogStealFocus
This policy controls the behavior of the AutoFill dialog box when it appears.

  • True: the keyboard focus will be set to the AutoFill dialog when it appears;
  • False: the keyboard focus will not be set to the AutoFill dialog when it appears.

AutoFillDialogAutoHideOn
This policy controls if the AutoFill dialog automatically hides when its main window does not have focus.

  • True: the AutoFill dialog will automatically hide itself when its main window does not have focus;
  • False: the AutoFill dialog will NOT automatically hide itself when its main window does not have focus.

Back to the Top

Master Password

EncryptAlg
This policy specifies the encryption algorithm that RoboForm will use when saving files:

  • 1: 1DES;
  • 3: 3DES;
  • 4: AES;
  • 5: Blowfish;
  • 6: RC6.

EncryptionKeyScheme
This policy specifies the encryption schema used by RoboForm:

  • 0: normal (single password);
  • 1: dual password.

AutoForgetTime
This policy specifies the AutoLogoff time in minutes. RoboForm will forget the Master Password after AutoLogoff minutes of inactivity.

AutoLogoffScreensaverStart
This policy controls the behavior of RoboForm when the screensaver starts.

  • True: RoboForm will perform the AutoLogoff and forget the Master Password on Screensaver Start.
  • False: RoboForm will not perform the AutoLogoff on Screensaver Start.

AutoLogoffStandby
This policy controls the behavior or RoboForm when user's computer goes into the Standby mode.

  • True: RoboForm will perform the AutoLogoff and forget the Master Password on Standby;
  • False: RoboForm will not perform the AutoLogoff on Standby.

AutoLogoffOnUserSwitch This policy controls the behavior or RoboForm when a different user logs in into the computer on which RoboForm is running.

  • True: RoboForm will perform the AutoLogoff and forget the Master Password on User Switch;
  • False: RoboForm will not perform the AutoLogoff on User Switch.

LogoffEmptyClipboard

  • True: RoboForm will empty clipboard upon logoff;
  • False: RoboForm will not empty clipboard upon logoff.

LogoffClearSearchHistory

  • True: RoboForm will clear search history upon logoff;
  • False: RoboForm will not clear search history upon logoff.

ClearGeneratedPasswordsOnLogoff

  • True: RoboForm will clear the list of generated passwords on logoff;
  • False: RoboForm will not clear the list of generated passwords on logoff.

EncryptNewPasscard

  • True: RoboForm will offer the user to encrypt new Passcard;
  • False: RoboForm will not offer the user to encrypt new Passcard.

EncryptNewIdentity

  • True: RoboForm will offer the user to encrypt new Identity;
  • False: RoboForm will not offer the user to encrypt new Identity.

EncryptNewSafenote

  • True: RoboForm will offer the user to encrypt new Safenote;
  • False: RoboForm will not offer the user to encrypt new Safenote.

MasterPasswordMinLength
This policy specifies the minimal length of Master Passwords that RoboForm will enforce

MasterPasswordMinUpperCaseChars
This policy specifies the minimal number of upper-case letters in Master Password that RoboForm will enforce.

MasterPasswordMinLowerCaseChars
This policy specifies the minimal number of lower-case letters in Master Password that RoboForm will enforce.

MasterPasswordMinDigitChars
This policy specifies the minimal number of letters in Master Password that RoboForm will enforce.

DisableChangeMasterPassword
This policy allows or prevents the user from changing his or her Master Password.

  • True: RoboForm will not allow users to change their Master Password;
  • False: RoboForm will allow users to change their Master Password.

ProtectNewObject
This policy controls how RoboForm protects new user files:

  • 0: user can choose encryption mode when creating new Passcard/Safenote/Identity;
  • 1: always protect; user cannot create an unprotected object;
  • 2: always unprotect; user cannot create a protected object.

DisableProtectCommand
This policy allows or prevents the user from protecting unprotected Passcards, Identities, and Safenotes.

  • True: RoboForm will not allow the user to protect existing unprotected Passcards/Identities/Safenotes; RoboForm will also disable the Protect All command in the Set Master Password dialog.
  • False: RoboForm will allow the user to protect existing unprotected Passcards, Identities, and Safenotes.

DisableUnprotectCommand
This policy allows or prevents the user from unprotecting Passcards, Identities, and Safenotes that have been previously protected with a Master Password.

  • True: RoboForm will not allow the user to unprotect existing protected Passcards, Identities, or Safenotes. RoboForm will also disable the Unprotect All command in the Set Master Password dialog;
  • False: RoboForm will allow the user to unprotect existing protected Passcards, Identities, and Safenotes.

StoreMPInSystemProtectedStorage
This policy tells RoboFrom to cache the user's Master Password in System Protected Storage. (ie: The Master Password is then tied to the windows account so the user can access it by just logging in)

PasswordRecoveryStorage
This policy specifies the output folder where encrypted copies of Master Passwords will be saved.

Back to the Top

User Data Options

MruMaxNumber
This policy specifies the maximum number of items in the Most Recently Used list.

ShowIconsInMenu

  • True: RoboForm will show icons in its menus. Menus will be shown by default;
  • False: RoboForm will not show icons in its menus.

ShowObjectContextMenuByTimer

  • True: RoboForm will show context menu in Passcards/Identities/Safenotes menu after 5 seconds of inactivity;
  • False: RoboForm will not show context menu in Passcards/Identities/Safenotes menu after 5 seconds of inactivity.

DisableChangeUserDataFolder
This policy controls user ability to change the location of the User Data folder.

  • True: RoboForm will not allow the user to change the location of the User Data folder and disable most commands in Profiles menu;
  • False: RoboForm will allow the user to change the location of the User Data folder and will allow all commands in the Profiles menu.

DisableBackupRestore
This policy controls the ability of the user to perform backup and restore of Passcards, Identities, and Safenotes.

  • True: RoboForm will not allow the user to perform backup and restore operations;
  • False: RoboForm will allow the user to perform backup and restore operations.

NoIdentities
This policy enables or disables the use of Identities.

  • True: RoboForm hides from the user all controls related to Identities: buttons, menu items, context menu items; RoboForm also blocks all functionality related to Identities;
  • False: RoboForm allows the use of Identities.

Note that after change of this policy roboform.dll registration must be updated to apply new policies to IE's context menu and toolbar items. Other items will be updated after 'Refresh Folder' command or on next update of settings.

NoSafenotes
This policy enables or disables the use of Safenotes.

  • True: RoboForm hides from the user all controls related to Safenotes: buttons, menu items, context menu items; RoboForm also blocks all functionality related to Safenotes;
  • False: the use of Safenotes is allowed.

Note that after change of this policy roboform.dll registration must be updated to apply new policies to IE's context menu and toolbar items. Other items will be updated after 'Refresh Folder' command or on next update of settings.

NoPasscards
This policy enables or disables the use of Passcards.

  • True: all controls related to Passcards are hidden from the user: buttons, menu items, context menu items; all functionality related to Passcards is blocked;
  • False: the use of Passcards is allowed.

Note that after change of this policy roboform.dll registration must be updated to apply new policies to IE's context menu and toolbar items. Other items will be updated after 'Refresh Folder' command or on next update of settings.

Back to the Top

Search Box

ShowSearchResultsInNewWindow

  • True: RoboForm will show search results in new window;
  • False: RoboForm will show search results in the same window;

SaveSearchHistory

  • True: RoboForm will save Search History;
  • False: RoboForm will not save Search History.

SearchHistoryMaxNumber
This policy controls the maximum number of items that RoboForm will save in Search History.

EnableSelectionSearch

  • True: RoboForm will put the text selection of the current browser into the Search box when the user clicks on it;
  • False: RoboForm will not put the text selection of the current browser in the Search box when the user clicks on it.

Back to the Top

Keyboard Shortcuts

DisableShortcuts

  • True: RoboForm will disable keyboard shortcuts;
  • False: RoboForm will enable keyboard shortcuts.

RightAltForShortcuts

  • True: RoboForm will enable the use of right ALT button for keyboard shortcuts;
  • False: RoboForm will disable the use of right ALT button for keyboard shortcuts.

ShortcutAuxKey
Use these keys for RF keyboard shortcuts:

  • 1: Ctrl;
  • 2: Shift;
  • 4: Alt.

Back to the Top

Graphical User Interface (GUI) Limited by Admin

NoToolbar

  • True: do not register toolbar and its classes with IE;
  • False: register toolbar.

NoContextMenu

  • True: do not register context menu and its classes with IE.
  • False: register RoboForm context menu.

NoBHO

  • True: do not register RoboForm Browser Helper Object (BHO) with IE. NOTE: WE DO NOT RECOMMEND SELECTING THIS OPTION;
  • False: register RoboForm Browser Helper Object (BHO) with IE.

NoStartMenu

  • True: do not register AI RoboForm Start Menu items;
  • False: register Start Menu items.

NoTaskbarIcon

  • True: do not register/start RoboForm Taskbar Icon;
  • False: register RoboForm taskbar icon to start when Windows starts.

Back to the Top

Configuration Options

NoUninstall

  • True: disable RoboForm uninstaller to be shown in Add/Remove Programs.
  • False: add RoboForm uninstaller to Add/Remove Programs.

NoConfirmOpenPasscard

  • True: RoboForm will suppress Open/Save confirmation dialog showing when user clicks on a link to RoboForm file on a web page;
  • False: RoboForm allow the Open/Save confirmation dialog showing when user clicks on a link to RoboForm file on a web page.

CreateNewAsContact

  • True: RoboForm will offer to create New Identity as Contact;
  • False: RoboForm will not offer to create New Identity as Contact.

MiniDialogShowDelayTime
This policy specifies the delay time of the Mini Dialog.

AttachToFirefox
This policy tells RoboForm to attach or not to Firefox if adapter is not installed. This policy is ON by default.

  • True: RoboForm will attach itself to Firefox if adapter is not installed;
  • False: RoboForm will not attach itself to Firefox if adapter is not installed.

RequestChangesConfirmationInEditor

  • True: RoboForm will force users to confirm that the changes they made to Passcard, Identity, or SafeNote in RoboForm Editor are actually desired;
  • False: RoboForm will not force users to confirm that the changes they made to Passcard, Identity, or SafeNote in RoboForm Editor are actually desired.

FillingFromPasscardChecksDomain
This policy allows or prevents from using a Passcard to fill a form located on a domain that is different from the Domain that is specified in the Passcard. This policy (when set to False) is used to protect against phishing attacks and enforce the privacy of passwords (e.g., when the user is not allowed to view the information in the passcard, he or she may choose to create a custom HTML form that reveals the username and password to them).

  • True: the user is allowed to use a Passcard to fill a form on a domain that is different from the Domain on the Passcard;
  • False: the user is not allowed to use a Passcard to fill a form on a domain that is different from the Domain on the Passcard.

Back to the Top

Domains

OnlyDomains
This policy is obsolete. Use AutoSaveOnlyInDomains instead.

AutoSaveOnlyInDomains
This policy controls the list of domains on which the AutoSave functionality of RoboForm will work. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

NoAutoSaveInDomains
This policy controls the list of domains on which the AutoSave functionality of RoboForm will not work. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

DisableForceNonOnlyDomains
This policy controls the availability of the forced AutoSave (ALT+Click and SHIFT+Enter) to the users for domains which are not listed in AutoSaveOnlyInDomains or listed in NoAutoSaveInDomains. This key takes effect when AutoSaveOnlyInDomains and/or NoAutoSaveOnlyInDomains are not empty.

  • True: RoboForm will not allow the users to use the forced AutoSave on domains which are not listed in AutoSaveOnlyInDomains or listed in NoAutoSaveInDomains.
  • False: RoboForm will allow the users to use the forced AutoSave on domains which are not listed in AutoSaveOnlyInDomains or listed in NoAutoSaveInDomains.

SaveFormsOnlyInDomains
This policy forces RoboForm to restrict the SaveForms functionality only to the domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

NoSaveFormsInDomains
This policy forces RoboForm to prevent the user from using the SaveForms functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

AutoFillOnlyInDomains
This policy forces RoboForm to restrict the AutoFill functionality only on the domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

NoAutoFillInDomains
This policy forces RoboForm to prevent the user from using the AutoFill functionality on domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

FillFormsFromPasscardsOnlyInDomains
This policy forces RoboForm to restrict the FillForms from Passcards functionality to only domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

NoFillFormsFromPasscardsInDomains
This policy forces RoboForm to present the user from using the FillForms from Passcards functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

FillFormsFromIdentitiesOnlyInDomains
This policy forces RoboForm to restrict the FillForms from Identities functionality to only domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

NoFillFormsFromIdentitiesInDomains
This policy forces RoboForm to present the user from using the FillForms from Identities functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.

Example: roboform.com;roboform.org;searchcardplace.com

FillSubmitWithoutAskingOnURLs
This policy specifies a list of URLs that RoboForm will automatically Fill and Submit from an exact matching passcard. Seperate multiple URLs with \n

FillWithoutAskingOnURLs
This policy specifies a list of URLs that RoboForm will automatically Fill from an exact matching passcard. Seperate multiple URLs with \n

Back to the Top

General

NoAutoUpdate
This policy controls the AutoUpdate functionality of RoboForm.

  • True: RoboForm will not check for a new version on www.siber.com/roboform/version.txt;
  • False: RoboForm will check for a new version on www.siber.com/roboform/version.txt.

NoEmailingDataFiles
This policy controls the ability of the user to send his or her data files (Passcards, Identities, and Safenotes) via email.

  • True: RoboForm will not allow the user to send his or her data files by email;
  • False: RoboForm will allow the user to send his or her data files by email.

NOTE: the user will still be able to send his data files via email with other programs outside of RoboForm.

DisableAddShortcutToDesktop
This policy controls the availability of the Add Shortcut To Desktop command to the user.

  • True: RoboForm will not present the Add Shortcut To Desktop command to the user;
  • False: RoboForm will present the Add Shortcut to Desktop command to the user.

NOTE: the user will still be able to manually add a shortcut to the desktop.

DisableAddShortcutToLinksToolbar
This policy controls the availability of the Add Shortcut To Links Toolbar command to the user.

  • True: RoboForm will not present the Add Shortcut To Links Toolbar command to the user;
  • False: RoboForm will present the Add Shortcut To Links Toolbar command to the user.

DisableAddShortcutToQuickLaunch
This policy controls the availability of the Add Shortcut To QuickLaunch command to the user.

  • True: RoboForm will not present the Add Shortcut To QuickLaunch command to the user;
  • False: RoboForm will present the Add Shortcut To QuickLaunch command to the user.

ForbiddenIdentityEditorGroups
This policy allows the administrator to restrict user access to different tabs in Identities. The following is the list of all tab names to which access can be restricted (you can list multiple tabs separated by a comma):

  • Summary,
  • Person,
  • Business,
  • Address,
  • Credit Card,
  • Bank Account,
  • Authentication,
  • Custom.

Example: to disallow Credit Card and Bank tabs, this policy must be set to: Credit Card,Bank Account.

DisableChangeCustomDomainEquiv
This policy controls the ability of the user to change custom domains equivalences.

Back to the Top

The Policy Editor

The Policy Editor is an administrative utility that provides the following functionality:

  • allows for testing of policy options before Group Policy or GPO's are in place
  • configuration of the cryptographic keys used to recover Master Passwords of individual users;
  • recovery of Master Passwords of individual users that have been previously saved (requires several configuration steps)
  • Creation of custom REG files that allows the administrator to apply Policy options to machines not managed by Group Policy through Active Directory

To begin using the Policy Editor make sure you first have RoboForm Enterprise software installed and activated on your administrative or testing machine then download the latest copy of the RoboForm Policy Editor to the same machine. It is a standalone application that does not need to be installed so you may want to create a shortcut for it and place it on your desktop for easy access.

If you are running Windows Vista/7/Server 2008 make sure that you launch the Policy Editor as an Administrator by Right Clicking on it and selecting the "Run as Administrator" option.

The Policy Editor window features a browsable list of policies and a set of buttons that provide related functionality. The browsable list of policies shows individual policy names and their current values on the computer on which the Policy Editor is running. On the left-hand-side of each line there is an icon meant to represent a pin in either horizontal or inserted position. Each pin plays the role of a check box: an inserted pin means that corresponding policy will be changed when the Apply button is pressed or will be saved to a REG file when the Create Reg buttons is pressed. If an icon of a horizontal pin is displayed next to a policy, that policy will not be affected. Two buttons, Pin All and Pin None, either check or uncheck all policies respectively. When the Policy Editor starts, all policies are arranged by the functional area to which each policy is related. The Sort by Name button allows the user toggle sorting between the default method or an alphabetical list of policies.

The Reset Changes button sets the values of all policies back to the values that they had when the Policy Editor was last started.

The Set Default button sets the values of all policies to default values.

The Test Values button allows the operator to test values of all policies for compliance with rules (e.g., length policy can not contain letters).

The Create Reg button will create a REG file that will allow you to apply the Policies you have editied manually if Group Policy is unavailable.

When a policy is highlighted in the list, a textual description appears in the Description text area below the list of policies.

Back to the Top

User's Master Password Recovery by Admin

RoboForm Enterprise allows system administrators to enable the mechanism that would force RoboForm to store a copy of Master Passwords of individual users in an encrypted form that is recoverable by the system administrator.

To enable this feature, the system administrator will need to enable the PasswordRecoveryStorage policy by specifying a full UNC path to a publicly available directory. This directory will be used to store the encrypted copy of the users Master Password.

RoboForm Enterprise uses public key cryptography to protect Master Passwords of individual users in storage. System administrator will generate a public/private key pair using the Generate New Key Pair button in Policy Editor.

The public key from that pair will be used by RoboForm to automatically encrypt the newly created user's Master Password and to save it in a file with extension "ENP" in the directory that is specified in the PasswordRecoveryStorage policy after the Master Password is changed or created for the first time.

That public key must be saved in a file "pub.rfk" and a copy of it has to be saved in the directory that is specified in the PasswordRecoveryStorage policy.

When system administrator generates the public/private key pair, he or she will be prompted for a password that will be used to generate an AES key to encrypt the file containing private key that can be later used to recover user passwords from encrypted storage files. The default name for the file containing the private key is "prv.rfk", but it can be changed to any other name. The file containing the encrypted private key can be stored in any folder and does not have to be in the folder specified in the PasswordRecoveryStorage policy.

When system administrator needs to recover user's Master Password, he or she needs to go to the Policy Editor, make sure that the proper file containing the private key is selected in the Private Key File text box and click on the Recover RoboForm Master Password button. After that an Open RoboForm Master Password backup file dialog box will appear where an encrypted password (file with the extension "ENP") corresponding to that user must be selected. After the file is selected, a window will appear with the network login ID of the user and the Master Password in plain text.

NOTE: the use of the Master Password recovery feature provides a useful business continuity mechanism but also poses a threat related to the fact that the security of access to all system resources for all users ultimately resides in the security of the password with which the administrator protected his or her private key. We recommend that the multiple copies of the encrypted file with the private be stored outside of the network and additional means of protection like a locked physical storage be used to provide additional security.

Back to the Top

Deploying RoboForm Enterprise with Group Policy

Once you have chosen your deployment scenario and tested all of the Policies you wish to enforce with the Policy Editor you are ready to begin deploying RoboForm Enterprise. Open the Group Policy Editor on your Active Directory Server and load the RoboForm Enterprise ADM File. Configure all of the policies that you wish to enforce and apply the GPO. It is important to wait for the Policy settings to replicate across the network before trying to distribute RoboForm to the user workstations since some Policies effect the install process. Once all policies are in place proceed to the Distributing RoboForm Enterprise chapter.

Back to the Top

Deploying RoboForm Enterprise without Group Policy

If you are in an environment without Group Policy, or have machines that are not managed through Group Policy, the Policy Editor can create custom REG files to allow you to manage them as well. Open the Policy Editor and verify that all Policies are configured correctly and then press the Create REG button. These REG files will need to be run on the machines before RoboForm is installed since some Policies effect the install Process. Once all policies are in place proceed to the Distributing RoboForm Enterprise chapter.

Back to the Top

Distributing RoboForm Enterprise

RoboForm Enterprise can be distributed to your network in various ways. The two most popular methods are by using the RoboForm MSI and distributing the software via Group Policy, or using a custom Deployment Script that allows you to have some greater control over how RoboForm is installed and configured. These scripts take advantage of some of the RoboForm Enterprise installer command line arguments.

Back to the Top

Installer Command Line Options

Use these command line options of AiRoboForm.exe to automate installation of RoboForm.

Install options good for RoboForm Fixed and RoboForm2Go:

/? or /help - show help message.

/silent - silent install, user intervention allowed only on errors.

/unatt - silent install, no user intervention, errors are logged to _rf.log file. /silent and /close options are set by this option.

/reboot - force reboot if necessary to write over locked files, do not ask user.

/close - force browsers to close if necessary, do not ask user.

/lang=<xx-xxxxx> - set setup language to the specified RFI file.

/temp=<folder> - use the specified for temp files instead of %temp%.

/unpack=<folder> - unpack files to the specified folder.

RoboForm Fixed install options:

/home=<folder> - use the specified folder to store RoboForm data files.

/bin=<folder> - use the specified folder for RoboForm Program Files.

/options=<file> - copy options from the specified RFO file.

/passwd=file-path - where file points to password file to be copied to user dataset as smpenc.rfo

/gator - import data from Gator file when installing

/import - import passwords from IE AutoComplete into Passcards.

/act="<order-id>,<user-name>" - perform RF Pro Online activation upon installation using the specified Order ID and User Name.

Back to the Top

Example Deployment Script

You can download one of our example deployment scripts to use in your deployment or to reference as an example. The deployment script comes with a README file that contains detailed information on configuring and using the script. In general, the example deployment script can install RoboForm Enterprise, activate the product, set additional options not controlled through Group Policy, and set a static or random Master Password for the user. You can push this script out through Group Policy, or any other mass-distribution method approved by your company.

Back to the Top

  • But_dl_wp
  • But_free_trial
  • But_pricing
  • But_demo
  • But_reseller
  • But_contact
Mfg "RoboForm Enterprise provided 90% of the value that the Enterprise Single Sign-on solutions promised, with only 10% of the effort at a fraction of the cost."

Curt Rynties, M Financial Group
Copyright © 1999 - 2012 Siber Systems, Inc. All rights reserved.