This document provides installation and configuration instructions for RoboForm Enterprise.
RoboForm Enterprise is a fully distributed Single Sign-On system with RoboForm Enterprise software components installed on user workstations or remote access servers, and is configurable through Group Policies in Active Directory.
The workstation component is responsible for the following functionality (unless the system administrator restricts the functionality through Group Policies):
In a corporate environment where users don't have administrative access to their workstations, a system administrator may choose to securely restrict the functionality of RoboForm that is available to individual users through Group Policies in Active Directory. The Policies chapter explains this in greater detail.
RoboForm Enterprise deployment includes the following steps:
There are many different scenarios in which you can deploy RoboForm Enterprise depending on how your organization needs to utilize its features. The first choice is: allow the user to set their own Master Password; set all users to the same Master Password; set users to a random Master Password.
Allowing users to set their own Master Password gives the user slightly more freedom with the software, and ultimately leaves the security of their Passcards up to the password the user chooses. RoboForm Enterprise has Policies to enforce Master Password quality in order to ensure the user selects a strong password. There is also a Policy to enable Master Password Recovery that will allow the administrator to see what users have currently set their Master Passwords to (explained in more detail in the Master Password Recovery chapter).
Setting all users to the same Master Password simplifies the administration of RoboForm Enterprise. RoboForm Enterprise has Policies to force it to cache the Master Password to the user's Windows account via System Protected Storage. Once the user logs into the machine, he/she will be able to access and use any Passcards they need without having to enter or know the Master Password. By disabling their Windows account you are also disabling their RoboForm Enterprise access. This is a popular deployment scenario in high-turnover environments since it simplifies the use of RoboForm Enterprise for the user, as well as simplifying the administration of the product without sacrificing security.
Setting all users to a random Master Password adds another layer of security to the encryption and protection of RoboForm Enterprise. The example Deployment Script shows how to set a random Master Password during the deployment process. Again, the user would not need to know what the random Master Password is if the administrator sets the Policy to force RoboForm Enterprise to cache the Master Password to the user's account. The administrator can also enable Master Password Recovery so that he can see what the Master Password is set to.
Feature management of RoboForm Enterprise is implemented through Group Policies. An ADM File is available containing all of the Group Policy options for RoboForm Enterprise. These policies will allow the administrator to perform the following:
NOTE: Companies that have 64-bit machines may need to download and configure the RoboForm Enterprise WOW64 ADM File as well to ensure that policies are properly configured on these machines.
MyIdentitiesCausesSubmit
MatchingPasscardsCausesSubmit
MyIdentityNumber
This policy specifies the number of MyIdentity buttons on the toolbar.
MyIdentityWidth
This policy controls the width of the MyIdentity button.
MatchingPasscardsButtonWidth
This policy specifies the width of the Matching Passcards button on the toolbar.
SearchBoxWidth
This policy controls the width of the Search box on the toolbar.
ShowLowerToolbarIE
When the Upper RoboForm toolbar cannot be shown in Internet Explorer because it is not installed or not allowed, show the Upper Attached Toolbar, the Lower Toolbar or no toolbar. The preferred location of the RoboForm toolbar is:
OrderByUrlMatch
This policy controls the order of Passcards in the Matching Passcards mini-dialog:
LoginOpensSiteType
This policy controls where the Login toolbar button opens the corresponding website:
TaskbarOpensSiteNewWindow
This policy controls where the Login taskbar icon or editor opens the corresponding web site:
TaskbarIconOpenBrowser
This policy controls the nature of the New Browser window for the Open icon from Taskbar:
NOTE: For RoboForm Pro, the default value is 'Default Browser'. For RoboForm2Go, the default value is 'Internet Explorer'.
UserDefinedWB
This policy specifies the browser that will be used when the User specified browser (TaskbarIconOpenBrowser=3) option is selected.
PopupBlockerUsing
DefaultActionForPasscardIsLogin
AutoSaveEnable
AutoSaveWinDialogsEnable
AutoSaveAltClickEnable
AutoSaveShiftEnterEnable
AutoSaveUseNewAccountFeature
This policy controls the behavior of the AutoSave dialog box, enabling or disabling the option to create a new account.
DisableSaveForms
This policy enables or disables the Save Forms and AutoSave dialog boxes.
AutoFillEnable
ConfirmAutoFillEnable
AutoFillWinDialogsEnable
AutoFillEmptyOnlyPC
AutoFillEmptyOnlyID
AutoFillEngSelValues
True: The Fill English Selection Values option will be selected by default in the AutoFill dialog box (Identities only).
AutoFillSubmitDefaultPC
AutoFillSubmitDefaultID
AutoFillOnlyIfPasswords
AutoFillFromIdentityOrPasscard
This policy controls when the AutoFill dialog appears:
AutoFillThreshold
This policy specifies the minimal number of fields that causes the AutoFill from Identity box to appear.
AutoFillDialogPosition
This policy controls the position of the AutoFill dialog when it appears:
AutoFillDialogStealFocus
This policy controls the behavior of the AutoFill dialog box when it appears.
AutoFillDialogAutoHideOn
This policy controls if the AutoFill dialog automatically hides when its main window does not have focus.
EncryptAlg
This policy specifies the encryption algorithm that RoboForm will use when saving files:
EncryptionKeyScheme
This policy specifies the encryption schema used by RoboForm:
AutoForgetTime
This policy specifies the AutoLogoff time in minutes. RoboForm will forget the Master Password after AutoLogoff minutes of inactivity.
AutoLogoffScreensaverStart
This policy controls the behavior of RoboForm when the screensaver starts.
AutoLogoffStandby
This policy controls the behavior of RoboForm when the user's computer goes into Standby mode.
AutoLogoffOnUserSwitch
This policy controls the behavior of RoboForm when a different user logs in to the computer on which RoboForm is running.
LogoffEmptyClipboard
LogoffClearSearchHistory
ClearGeneratedPasswordsOnLogoff
EncryptNewPasscard
EncryptNewIdentity
EncryptNewSafenote
MasterPasswordMinLength
This policy specifies the minimal length of Master Passwords that RoboForm will enforce.
MasterPasswordMinUpperCaseChars
This policy specifies the minimal number of upper-case letters in Master Password that RoboForm will enforce.
MasterPasswordMinLowerCaseChars
This policy specifies the minimal number of lower-case letters in Master Password that RoboForm will enforce.
MasterPasswordMinDigitChars
This policy specifies the minimal number of digits in Master Password that RoboForm will enforce.
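For the random Master Password deployment scenario described earlier, a generated password still has to pass the four MasterPasswordMin* policies. The following is an added example, not RoboForm code or the vendor's deployment script: it generates a random Master Password that satisfies a given policy and reports which policies a candidate fails. The policy values, the `floor` parameter and the ASCII-only character classes are assumptions.

```python
import secrets
import string

# Policy names are from this page; the values are constructed sample settings.
SAMPLE_POLICY = {
    "MasterPasswordMinLength": 16,
    "MasterPasswordMinUpperCaseChars": 2,
    "MasterPasswordMinLowerCaseChars": 2,
    "MasterPasswordMinDigitChars": 2,
}

# Assumption: character classes are counted over ASCII letters and digits.
_CLASSES = {
    "MasterPasswordMinUpperCaseChars": string.ascii_uppercase,
    "MasterPasswordMinLowerCaseChars": string.ascii_lowercase,
    "MasterPasswordMinDigitChars": string.digits,
}


def policy_violations(password, policy):
    """Return the names of the MasterPasswordMin* policies the password fails."""
    failed = []
    if len(password) < policy.get("MasterPasswordMinLength", 0):
        failed.append("MasterPasswordMinLength")
    for name, alphabet in _CLASSES.items():
        have = sum(1 for ch in password if ch in alphabet)
        if have < policy.get(name, 0):
            failed.append(name)
    return failed


def generate_master_password(policy, floor=20):
    """Generate a random Master Password that satisfies the policy.

    `floor` is a hypothetical local minimum length, applied when the policy
    asks for less. With the password cached in System Protected Storage the
    user never types it, so it can be long.
    """
    required = sum(policy.get(name, 0) for name in _CLASSES)
    length = max(policy.get("MasterPasswordMinLength", 0), required, floor)
    everything = "".join(_CLASSES.values())
    chars = []
    # Satisfy each per-class minimum first, then fill up from all classes.
    for name, alphabet in _CLASSES.items():
        chars += [secrets.choice(alphabet) for _ in range(policy.get(name, 0))]
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so required characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_master_password(SAMPLE_POLICY)
    print(len(candidate), policy_violations(candidate, SAMPLE_POLICY))
```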
DisableChangeMasterPassword
This policy allows or prevents the user from changing his or her Master Password.
ProtectNewObject
This policy controls how RoboForm protects new user files:
DisableProtectCommand
This policy allows or prevents the user from protecting unprotected Passcards, Identities, and Safenotes.
DisableUnprotectCommand
This policy allows or prevents the user from unprotecting Passcards, Identities, and Safenotes that have been previously protected with a Master Password.
StoreMPInSystemProtectedStorage
This policy tells RoboForm to cache the user's Master Password in System Protected Storage (i.e., the Master Password is then tied to the Windows account so the user can access it by just logging in).
PasswordRecoveryStorage
This policy specifies the output folder where encrypted copies of Master Passwords will be saved.
MruMaxNumber
This policy specifies the maximum number of items in the Most Recently Used list.
ShowIconsInMenu
ShowObjectContextMenuByTimer
DisableChangeUserDataFolder
This policy controls user ability to change the location of the User Data folder.
DisableBackupRestore
This policy controls the ability of the user to perform backup and restore of Passcards, Identities, and Safenotes.
NoIdentities
This policy enables or disables the use of Identities.
Note that after this policy is changed, the roboform.dll registration must be updated to apply the new policies to IE's context menu and toolbar items. Other items will be updated after the 'Refresh Folder' command or on the next update of settings.
NoSafenotes
This policy enables or disables the use of Safenotes.
Note that after this policy is changed, the roboform.dll registration must be updated to apply the new policies to IE's context menu and toolbar items. Other items will be updated after the 'Refresh Folder' command or on the next update of settings.
NoPasscards
This policy enables or disables the use of Passcards.
Note that after this policy is changed, the roboform.dll registration must be updated to apply the new policies to IE's context menu and toolbar items. Other items will be updated after the 'Refresh Folder' command or on the next update of settings.
ShowSearchResultsInNewWindow
SaveSearchHistory
SearchHistoryMaxNumber
This policy controls the maximum number of items that RoboForm will save in Search History.
EnableSelectionSearch
DisableShortcuts
RightAltForShortcuts
ShortcutAuxKey
Use these keys for RF keyboard shortcuts:
NoToolbar
NoContextMenu
NoBHO
NoStartMenu
NoTaskbarIcon
NoUninstall
NoConfirmOpenPasscard
CreateNewAsContact
MiniDialogShowDelayTime
This policy specifies the delay time of the Mini Dialog.
AttachToFirefox
This policy tells RoboForm whether or not to attach to Firefox if the adapter is not installed. This policy is ON by default.
RequestChangesConfirmationInEditor
FillingFromPasscardChecksDomain
This policy allows or prevents the use of a Passcard to fill a form located on a domain that is different from the domain specified in the Passcard. This policy (when set to False) is used to protect against phishing attacks and enforce the privacy of passwords (e.g., when the user is not allowed to view the information in the Passcard, he or she may choose to create a custom HTML form that reveals the username and password to them).
OnlyDomains
This policy is obsolete. Use AutoSaveOnlyInDomains instead.
AutoSaveOnlyInDomains
This policy controls the list of domains on which the AutoSave functionality of RoboForm will work. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoAutoSaveInDomains
This policy controls the list of domains on which the AutoSave functionality of RoboForm will not work. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
DisableForceNonOnlyDomains
This policy controls the availability of the forced AutoSave (ALT+Click and SHIFT+Enter) to the users for domains which are not listed in AutoSaveOnlyInDomains or are listed in NoAutoSaveInDomains. This key takes effect when AutoSaveOnlyInDomains and/or NoAutoSaveInDomains are not empty.
SaveFormsOnlyInDomains
This policy forces RoboForm to restrict the SaveForms functionality only to the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoSaveFormsInDomains
This policy forces RoboForm to prevent the user from using the SaveForms functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
AutoFillOnlyInDomains
This policy forces RoboForm to restrict the AutoFill functionality only on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoAutoFillInDomains
This policy forces RoboForm to prevent the user from using the AutoFill functionality on domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
FillFormsFromPasscardsOnlyInDomains
This policy forces RoboForm to restrict the FillForms from Passcards functionality to only domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoFillFormsFromPasscardsInDomains
This policy forces RoboForm to prevent the user from using the FillForms from Passcards functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
FillFormsFromIdentitiesOnlyInDomains
This policy forces RoboForm to restrict the FillForms from Identities functionality to only domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoFillFormsFromIdentitiesInDomains
This policy forces RoboForm to prevent the user from using the FillForms from Identities functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
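A malformed list value or a domain that appears in both lists of a pair is easy to miss in a GPO. The following added example (not part of RoboForm or its Policy Editor) lints the semicolon-separated domain policies above before they are pushed. It flags whitespace and stray semicolons conservatively because this page does not say how RoboForm treats them, and the sample values, including the "1" for DisableForceNonOnlyDomains, are constructed.

```python
import re

# Allow-list / deny-list policy pairs named on this page, keyed by feature.
PAIRS = {
    "AutoSave": ("AutoSaveOnlyInDomains", "NoAutoSaveInDomains"),
    "SaveForms": ("SaveFormsOnlyInDomains", "NoSaveFormsInDomains"),
    "AutoFill": ("AutoFillOnlyInDomains", "NoAutoFillInDomains"),
    "FillForms from Passcards": ("FillFormsFromPasscardsOnlyInDomains",
                                 "NoFillFormsFromPasscardsInDomains"),
    "FillForms from Identities": ("FillFormsFromIdentitiesOnlyInDomains",
                                  "NoFillFormsFromIdentitiesInDomains"),
}

# Bare DNS name: two or more labels of letters, digits and inner hyphens.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOST = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def parse_domain_list(value):
    """Split a semicolon-separated policy value; return (domains, problems)."""
    domains, problems = [], []
    for raw in value.split(";"):
        entry = raw.strip().lower()
        if not entry:
            if value.strip():
                problems.append("empty entry (stray semicolon)")
            continue
        if raw != raw.strip():
            problems.append(f"whitespace around {entry!r}")
        if not _HOST.match(entry):
            problems.append(f"not a bare domain: {entry!r}")
        elif entry in domains:
            problems.append(f"duplicate: {entry!r}")
        else:
            domains.append(entry)
    return domains, problems


def lint_policies(policies):
    """Return a list of findings for the domain-list policies in `policies`."""
    findings = []
    for feature, (allow_name, deny_name) in PAIRS.items():
        allow, allow_problems = parse_domain_list(policies.get(allow_name, ""))
        deny, deny_problems = parse_domain_list(policies.get(deny_name, ""))
        findings += [f"{allow_name}: {p}" for p in allow_problems]
        findings += [f"{deny_name}: {p}" for p in deny_problems]
        for domain in sorted(set(allow) & set(deny)):
            findings.append(
                f"{feature}: {domain!r} is in both {allow_name} and {deny_name}")
    # DisableForceNonOnlyDomains only takes effect when an AutoSave list is set.
    if "DisableForceNonOnlyDomains" in policies and not (
            policies.get("AutoSaveOnlyInDomains", "").strip()
            or policies.get("NoAutoSaveInDomains", "").strip()):
        findings.append(
            "DisableForceNonOnlyDomains is set but both AutoSave lists are empty")
    return findings


SAMPLE = {  # constructed values, not a recommended configuration
    "AutoSaveOnlyInDomains": "roboform.com;roboform.org",
    "NoAutoSaveInDomains": "roboform.org;https://searchcardplace.com/login",
    "AutoFillOnlyInDomains": "roboform.com;;roboform.com",
    "DisableForceNonOnlyDomains": "1",
}

if __name__ == "__main__":
    print("\n".join(lint_policies(SAMPLE)))
```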
FillSubmitWithoutAskingOnURLs
This policy specifies a list of URLs that RoboForm will automatically Fill and Submit from an exact matching Passcard. Separate multiple URLs with \n.
FillWithoutAskingOnURLs
This policy specifies a list of URLs that RoboForm will automatically Fill from an exact matching Passcard. Separate multiple URLs with \n.
NoAutoUpdate
This policy controls the AutoUpdate functionality of RoboForm.
NoEmailingDataFiles
This policy controls the ability of the user to send his or her data files (Passcards, Identities, and Safenotes) via email.
NOTE: the user will still be able to send his data files via email with other programs outside of RoboForm.
DisableAddShortcutToDesktop
This policy controls the availability of the Add Shortcut To Desktop command to the user.
NOTE: the user will still be able to manually add a shortcut to the desktop.
DisableAddShortcutToLinksToolbar
This policy controls the availability of the Add Shortcut To Links Toolbar command to the user.
DisableAddShortcutToQuickLaunch
This policy controls the availability of the Add Shortcut To QuickLaunch command to the user.
ForbiddenIdentityEditorGroups
This policy allows the administrator to restrict user access to different tabs in Identities. The following is the list of all tab names to which access can be restricted (you can list multiple tabs separated by a comma):
Example: to disallow Credit Card and Bank tabs, this policy must be set to: Credit Card,Bank Account.
DisableChangeCustomDomainEquiv
This policy controls the ability of the user to change custom domain equivalences.
The Policy Editor is an administrative utility that provides the following functionality:
To begin using the Policy Editor, make sure you first have RoboForm Enterprise software installed and activated on your administrative or testing machine, then download the latest copy of the RoboForm Policy Editor to the same machine. It is a standalone application that does not need to be installed, so you may want to create a shortcut for it and place it on your desktop for easy access.
If you are running Windows Vista/7/Server 2008, make sure that you launch the Policy Editor as an Administrator by right-clicking on it and selecting the "Run as Administrator" option.
The Policy Editor window features a browsable list of policies and a set of buttons that provide related functionality. The browsable list of policies shows individual policy names and their current values on the computer on which the Policy Editor is running. On the left-hand side of each line there is an icon meant to represent a pin in either horizontal or inserted position. Each pin plays the role of a check box: an inserted pin means that the corresponding policy will be changed when the Apply button is pressed or will be saved to a REG file when the Create Reg button is pressed. If an icon of a horizontal pin is displayed next to a policy, that policy will not be affected. Two buttons, Pin All and Pin None, either check or uncheck all policies respectively. When the Policy Editor starts, all policies are arranged by the functional area to which each policy is related. The Sort by Name button allows the user to toggle sorting between the default method and an alphabetical list of policies.
The Reset Changes button sets the values of all policies back to the values that they had when the Policy Editor was last started.
The Set Default button sets the values of all policies to default values.
The Test Values button allows the operator to test values of all policies for compliance with rules (e.g., a length policy cannot contain letters).
The Create Reg button will create a REG file that will allow you to apply the Policies you have edited manually if Group Policy is unavailable.
When a policy is highlighted in the list, a textual description appears in the Description text area below the list of policies.
RoboForm Enterprise allows system administrators to enable the mechanism that would force RoboForm to store a copy of Master Passwords of individual users in an encrypted form that is recoverable by the system administrator.
To enable this feature, the system administrator will need to enable the PasswordRecoveryStorage policy by specifying a full UNC path to a publicly available directory. This directory will be used to store the encrypted copy of the user's Master Password.
RoboForm Enterprise uses public key cryptography to protect Master Passwords of individual users in storage. The system administrator generates a public/private key pair using the Generate New Key Pair button in the Policy Editor.
The public key from that pair will be used by RoboForm to automatically encrypt the newly created user's Master Password and to save it in a file with extension "ENP" in the directory that is specified in the PasswordRecoveryStorage policy after the Master Password is changed or created for the first time.
That public key must be saved in a file "pub.rfk" and a copy of it has to be saved in the directory that is specified in the PasswordRecoveryStorage policy.
When the system administrator generates the public/private key pair, he or she will be prompted for a password that will be used to generate an AES key to encrypt the file containing the private key, which can later be used to recover user passwords from encrypted storage files. The default name for the file containing the private key is "prv.rfk", but it can be changed to any other name. The file containing the encrypted private key can be stored in any folder and does not have to be in the folder specified in the PasswordRecoveryStorage policy.
When the system administrator needs to recover a user's Master Password, he or she needs to go to the Policy Editor, make sure that the proper file containing the private key is selected in the Private Key File text box and click on the Recover RoboForm Master Password button. After that, an Open RoboForm Master Password backup file dialog box will appear, where the encrypted password (a file with the extension "ENP") corresponding to that user must be selected. After the file is selected, a window will appear with the network login ID of the user and the Master Password in plain text.
NOTE: the use of the Master Password recovery feature provides a useful business continuity mechanism but also poses a threat: the security of access to all system resources for all users ultimately resides in the security of the password with which the administrator protected his or her private key. We recommend that multiple copies of the encrypted file with the private key be stored outside of the network and that additional means of protection, such as locked physical storage, be used to provide additional security.
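Because the PasswordRecoveryStorage folder is publicly available and the private key is protected only by the administrator's password, the folder should hold nothing but pub.rfk and the ENP backups. The following added example (not part of RoboForm or its Policy Editor) audits such a folder for anything else. The sample share it builds, including the file name alice.ENP, is constructed, and it assumes ENP files may sit at any depth.

```python
import tempfile
from pathlib import Path


def audit_recovery_share(folder):
    """Classify every file under a PasswordRecoveryStorage folder.

    Expected content is pub.rfk plus the *.ENP password backups. Any other
    *.rfk file may be a private key; anything else is reported for review,
    because the private key file can be given any name.
    """
    root = Path(folder)
    report = {"has_public_key": False, "enp_files": 0, "findings": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name, suffix = path.name.lower(), path.suffix.lower()
        if name == "pub.rfk" and path.parent == root:
            report["has_public_key"] = True
        elif suffix == ".enp":
            report["enp_files"] += 1
        elif suffix == ".rfk":
            report["findings"].append(
                f"possible private key file in share: {rel}")
        else:
            report["findings"].append(f"unexpected file in share: {rel}")
    if not report["has_public_key"]:
        report["findings"].append(
            "pub.rfk missing from the top level of the share")
    return report


def demo():
    """Build a constructed sample share in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("pub.rfk", "alice.ENP", "prv.rfk"):
            (root / name).write_bytes(b"constructed sample")
        (root / "old").mkdir()
        (root / "old" / "notes.txt").write_bytes(b"constructed sample")
        return audit_recovery_share(root)


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```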
Once you have chosen your deployment scenario and tested all of the Policies you wish to enforce with the Policy Editor, you are ready to begin deploying RoboForm Enterprise. Open the Group Policy Editor on your Active Directory Server and load the RoboForm Enterprise ADM File. Configure all of the policies that you wish to enforce and apply the GPO. It is important to wait for the Policy settings to replicate across the network before trying to distribute RoboForm to the user workstations, since some Policies affect the install process. Once all policies are in place, proceed to the Distributing RoboForm Enterprise chapter.
If you are in an environment without Group Policy, or have machines that are not managed through Group Policy, the Policy Editor can create custom REG files to allow you to manage them as well. Open the Policy Editor, verify that all Policies are configured correctly, and then press the Create REG button. These REG files will need to be run on the machines before RoboForm is installed, since some Policies affect the install process. Once all policies are in place, proceed to the Distributing RoboForm Enterprise chapter.
RoboForm Enterprise can be distributed to your network in various ways. The two most popular methods are by using the RoboForm MSI and distributing the software via Group Policy, or using a custom Deployment Script that allows you to have some greater control over how RoboForm is installed and configured. These scripts take advantage of some of the RoboForm Enterprise installer command line arguments.
Use these command line options of AiRoboForm.exe to automate installation of RoboForm.
Install options good for RoboForm Fixed and RoboForm2Go:
/? or /help - show help message.
/silent - silent install, user intervention allowed only on errors.
/unatt - silent install, no user intervention, errors are logged to _rf.log file. /silent and /close options are set by this option.
/reboot - force reboot if necessary to write over locked files, do not ask user.
/close - force browsers to close if necessary, do not ask user.
/lang=<xx-xxxxx> - set setup language to the specified RFI file.
/temp=<folder> - use the specified
/unpack=<folder> - unpack files to the specified folder.
RoboForm Fixed install options:
/home=<folder> - use the specified folder to store RoboForm data files.
/bin=<folder> - use the specified folder for RoboForm Program Files.
/options=<file> - copy options from the specified RFO file.
/passwd=file-path - where file points to password file to be copied to user dataset as smpenc.rfo
/gator - import data from Gator file when installing
/import - import passwords from IE AutoComplete into Passcards.
/act="<order-id>,<user-name>" - perform RF Pro Online activation upon installation using the specified Order ID and User Name.
You can download one of our example deployment scripts to use in your deployment or to reference as an example. The deployment script comes with a README file that contains detailed information on configuring and using the script. In general, the example deployment script can install RoboForm Enterprise, activate the product, set additional options not controlled through Group Policy, and set a static or random Master Password for the user. You can push this script out through Group Policy, or any other mass-distribution method approved by your company.