This document provides installation and configuration instructions for RoboForm Enterprise.
RoboForm Enterprise is a fully distributed system with RoboForm software components installed on user workstations and a central configuration utility called a Policy Editor.
The workstation component is responsible for the following functionality (unless the system administrator restricts that functionality with the Policy Editor):
In a corporate environment where users don't have administrative access to their workstations, a system administrator may choose to securely restrict the functionality of RoboForm that is available to individual users with the Policy Editor.
Feature management of RoboForm is implemented through the Windows registry. Certain keys may be added to HKEY_LOCAL_MACHINE that would prevent RoboForm from performing corresponding actions.
Windows configuration best practices prescribe granting individual non-administrative users READ-ONLY access to that part of the registry on their workstations. Only system administrators should be able to have WRITE access to it.
The security of the feature management of RoboForm relies on the acceptance of the best practices described in the paragraph above. Currently, there is no secure mechanism to enforce RoboForm functionality restrictions on a workstation where a non-administrative workstation user has WRITE access to HKEY_LOCAL_MACHINE.
The Policy Editor is a utility that provides a user interface to administrators to configure a local installation of RoboForm (edit local registry) or to generate REG files that can be later deployed and executed on workstations of individual users. In order for the generated REG files to make necessary modifications, they have to be executed with administrative permissions (e.g., by a login script or scheduled in Active Directory to be run with proper credentials).
NOTE: REG files are files with the extension "REG" that are typically used to make updates to the Windows registry. Windows natively understands these files, and they can be "executed" automatically, making modifications to the registry.
WARNING: Please exercise extreme caution when making manual modifications to REG files generated by the Policy Editor! This file type can become infected and should be carefully scanned if someone sends you a file with this extension. Changing the registry improperly may result in damage to the functionality of any or all applications and/or data.
RoboForm checks the following location in the registry for its settings: 'HKEY_LOCAL_MACHINE\SOFTWARE\Siber Systems\RoboForm\Policies'. We recommend that only administrators have WRITE access to at least that portion of the registry and individual non-administrative users be granted READ-ONLY access to it.
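One way to check the recommendation above, and the read-only assumption that the feature management relies on, is to audit the ACL of the policy key. The PowerShell below is an added example, not part of the RoboForm documentation or tooling; the function names, the trusted-SID list and the two SDDL sample ACLs are constructed assumptions.

```powershell
# Added example: report principals other than SYSTEM/Administrators that can
# modify the RoboForm policy key named on this page.
$PolicyKey = 'HKLM:\SOFTWARE\Siber Systems\RoboForm\Policies'

# Rights that allow changing, deleting or re-permissioning the key, plus the raw
# GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000) bits that inherit-only ACEs can carry.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask   = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

# SIDs expected to hold write access (assumption: adjust to your environment).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER (placeholder ACE for whoever creates a subkey)
)

function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.RegistrySecurity] $Acl
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow')                  { continue }
        if (([int]$rule.RegistryRights -band $WriteMask) -eq 0)   { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }

        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        $name = $rule.IdentityReference.Value
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{ Identity = $name; Rights = $rule.RegistryRights; Inherited = $rule.IsInherited }
    }
}

# Hypothetical helper: build an in-memory registry ACL from an SDDL string.
function ConvertTo-RegistryAcl([string] $Sddl) {
    $acl = New-Object System.Security.AccessControl.RegistrySecurity
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    $acl
}

# Constructed sample ACLs: a weak one and one matching the recommendation.
$samples = [ordered]@{
    'weak: Authenticated Users can write' = 'D:(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KW;;;AU)'
    'recommended: users read-only'        = 'D:(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)'
}
foreach ($label in $samples.Keys) {
    $found = @(Get-UnexpectedWriter -Acl (ConvertTo-RegistryAcl $samples[$label]))
    Write-Output ("{0} -> {1} unexpected writer(s)" -f $label, $found.Count)
    $found | Format-Table -AutoSize
}

# Live check on a workstation where the policy key exists.
if (Test-Path -Path $PolicyKey) {
    Get-UnexpectedWriter -Acl (Get-Acl -Path $PolicyKey) | Format-Table -AutoSize
}
```

Any row returned for the live key identifies a principal that could alter or remove the deployed restrictions.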
Please follow these steps to install Policy Editor:
You may want to create a shortcut to the Policy Editor and place it on your desktop for future easy access.
You can now start using the Policy Editor to customize the RoboForm Enterprise installation to desired specifications. In the following chapters you will find detailed customization instructions.
RoboForm Enterprise deployment includes the following steps:
NOTE: An updated set of policies may be deployed to workstations before or after RoboForm is installed and while it is running.
Use these command line options of AiRoboForm.exe to automate installation of RoboForm.
Install options good for RoboForm Fixed and RoboForm2Go:
/? or /help - show help message.
/silent - silent install, user intervention allowed only on errors.
/unatt - silent install, no user intervention, errors are logged to _rf.log file. /silent and /close options are set by this option.
/reboot - force reboot if necessary to write over locked files, do not ask user.
/close - force browsers to close if necessary, do not ask user.
/lang=<xx-xxxxx> - set setup language to the specified RFI file.
/temp=<folder> - use the specified
/unpack=<folder> - unpack files to the specified folder.
RoboForm Fixed install options:
/home=<folder> - use the specified folder to store RoboForm data files.
/bin=<folder> - use the specified folder for RoboForm Program Files.
/options=<file> - copy options from the specified RFO file.
/import - import passwords from IE AutoComplete into Passcards.
/act="<order-id>,<user-name>" - perform RF Pro Online activation upon installation using the specified Order ID and User Name.
The Policy Editor is an administrative utility that optionally provides the following functionality:
This chapter provides detailed instructions on how to customize individual features of RoboForm installed on user workstations with the Policy Editor installed on an administrative computer.
The Policy Editor window features a browsable list of policies and a set of buttons that provide related functionality.
The browsable list of policies shows individual policy names and their current values on the computer on which the Policy Editor is running. On the left-hand side of each line there is an icon meant to represent a pin in either a horizontal or an inserted position. Each pin plays the role of a checkbox: an inserted pin means that the corresponding policy will be changed when the Apply button is pressed or will be saved to a REG file when the Create Reg button is pressed. If an icon of a horizontal pin is displayed next to a policy, that policy will not be affected.
Two buttons, Pin All and Pin None, either check or uncheck all policies respectively.
Options (Policies) are listed in the order they appear in the Policy Editor. The Sort by Name button allows the user to re-arrange the list of policies. When the Policy Editor starts, all policies are arranged by the functional area to which each policy is related. When the Sort by Name button is pressed, all policies in the list are re-arranged by name, and the button stays in a pressed state. When pressed once more, all policies are re-arranged in the original order, and the button returns to its original state.
The Reset Changes button sets the values of all policies back to the values that they had when the Policy Editor was last started.
The Set Default button sets the values of all policies to default values.
The Test Values button allows the operator to test the values of all policies for compliance with rules (e.g., a length policy cannot contain letters).
The Create Reg button initiates the process of saving the REG file for further deployment to user workstations.
When a policy is highlighted in the list, a textual description appears in the Description text area below the list of policies.
Each policy described below is headed by the Policy Name, followed by an explanation.
AutoFillThreshold
This policy specifies the minimal number of fields that causes the AutoFill from Identity box to appear.
AutoFillFromIdentityOrPasscard
This policy controls when AutoFill dialog appears:
AutoFillOnlyIfPasswords
AutoFillSubmitDefaultPC
AutoFillSubmitDefaultID
AutoFillEmptyOnlyPC
AutoFillEmptyOnlyID
AutoFillEngSelValues
True: The Fill English Selection Values option will be selected by default in the AutoFill dialog box (Identities only).
AutoFillDialogPosition
This policy controls the position of the AutoFill dialog when it appears:
AutoFillDialogStealFocus
This policy controls the behavior of the AutoFill dialog box when it appears.
AutoFillDialogAutoHideOn
This policy controls if the AutoFill dialog automatically hides when its main window does not have focus.
AutoFillEnable
ConfirmAutoFillEnable
AutoFillWinDialogsEnable
AutoSaveEnable
AutoSaveWinDialogsEnable
AutoSaveAltClickEnable
AutoSaveShiftEnterEnable
AutoSaveUseNewAccountFeature
This policy controls the behavior of the AutoSave dialog box, enabling or disabling the option to create a new account.
DisableSaveForms
This policy enables or disables the Save Forms and AutoSave dialog boxes.
OnlyDomains
This policy is obsolete. Use AutoSaveOnlyInDomains instead.
AutoSaveOnlyInDomains
This policy controls the list of domains on which the AutoSave functionality of RoboForm will work. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoAutoSaveInDomains
This policy controls the list of domains on which the AutoSave functionality of RoboForm will not work. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
DisableForceNonOnlyDomains
This policy controls the availability of the forced AutoSave (ALT+Click and SHIFT+Enter) to the users for domains which are not listed in AutoSaveOnlyInDomains or listed in NoAutoSaveInDomains. This key takes effect when AutoSaveOnlyInDomains and/or NoAutoSaveInDomains are not empty.
SaveFormsOnlyInDomains
This policy forces RoboForm to restrict the SaveForms functionality only to the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoSaveFormsInDomains
This policy forces RoboForm to prevent the user from using the SaveForms functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
AutoFillOnlyInDomains
This policy forces RoboForm to restrict the AutoFill functionality only on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoAutoFillInDomains
This policy forces RoboForm to prevent the user from using the AutoFill functionality on domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
FillFormsFromPasscardsOnlyInDomains
This policy forces RoboForm to restrict the FillForms from Passcards functionality to only domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoFillFormsFromPasscardsInDomains
This policy forces RoboForm to prevent the user from using the FillForms from Passcards functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
FillFormsFromIdentitiesOnlyInDomains
This policy forces RoboForm to restrict the FillForms from Identities functionality to only domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoFillFormsFromIdentitiesInDomains
This policy forces RoboForm to prevent the user from using the FillForms from Identities functionality on the domains listed in this policy. Multiple domains must be separated with a semicolon.
Example: roboform.com;roboform.org;searchcardplace.com
NoToolbar
NoContextMenu
NoBHO
NoStartMenu
NoTaskbarIcon
DisableShortcuts
RightAltForShortcuts
ShortcutAuxKey
Use these keys for RF keyboard shortcuts:
DefaultActionForPasscardIsLogin
LoginOpensSiteType
This policy controls where the Login toolbar button opens the corresponding website:
PopupBlockerUsing
TaskbarOpensSiteNewWindow
This policy controls where the Login taskbar icon or editor opens the corresponding web site:
TaskbarIconOpenBrowser
This policy controls the nature of the New Browser window for the Open icon from Taskbar:
NOTE: For RoboForm Pro, the default value is 'Default Browser'. For RoboForm2Go, the default value is 'Internet Explorer'.
UserDefinedWB
This policy specifies the browser that will be used when the User specified browser (TaskbarIconOpenBrowser=3) option is selected.
AutoForgetTime
This policy specifies the AutoLogoff time in minutes. RoboForm will forget the Master Password after AutoLogoff minutes of inactivity.
AutoLogoffScreensaverStart
This policy controls the behavior of RoboForm when the screensaver starts.
AutoLogoffStandby
This policy controls the behavior of RoboForm when the user's computer goes into Standby mode.
AutoLogoffOnUserSwitch
This policy controls the behavior of RoboForm when a different user logs in to the computer on which RoboForm is running.
ClearGeneratedPasswordsOnLogoff
MasterPasswordMinLength
This policy specifies the minimal length of Master Passwords that RoboForm will enforce.
MasterPasswordMinUpperCaseChars
This policy specifies the minimal number of upper-case letters in Master Password that RoboForm will enforce.
MasterPasswordMinLowerCaseChars
This policy specifies the minimal number of lower-case letters in Master Password that RoboForm will enforce.
MasterPasswordMinDigitChars
This policy specifies the minimal number of digits in Master Password that RoboForm will enforce.
DisableChangeMasterPassword
This policy allows or prevents the user from changing his or her Master Password.
PasswordRecoveryStorage
This policy specifies the output folder where encrypted copies of Master Passwords will be saved.
ProtectNewObject
This policy controls how RoboForm protects new user files:
DisableProtectCommand
This policy allows or prevents the user from protecting unprotected Passcards, Identities, and Safenotes.
DisableUnprotectCommand
This policy allows or prevents the user from unprotecting Passcards, Identities, and Safenotes that have been previously protected with a Master Password.
EncryptAlg
This policy specifies the encryption algorithm that RoboForm will use when saving files:
EncryptNewPasscard
EncryptNewIdentity
EncryptNewSafenote
LogoffEmptyClipboard
LogoffClearSearchHistory
NoIdentities
This policy enables or disables the use of Identities.
Note that after this policy is changed, the roboform.dll registration must be updated to apply the new policies to IE's context menu and toolbar items. Other items will be updated after the 'Refresh Folder' command or on the next update of settings.
NoSafenotes
This policy enables or disables the use of Safenotes.
Note that after this policy is changed, the roboform.dll registration must be updated to apply the new policies to IE's context menu and toolbar items. Other items will be updated after the 'Refresh Folder' command or on the next update of settings.
NoPasscards
This policy enables or disables the use of Passcards.
Note that after this policy is changed, the roboform.dll registration must be updated to apply the new policies to IE's context menu and toolbar items. Other items will be updated after the 'Refresh Folder' command or on the next update of settings.
DisableChangeUserDataFolder
This policy controls the user's ability to change the location of the User Data folder.
DisableBackupRestore
This policy controls the ability of the user to perform backup and restore of Passcards, Identities, and Safenotes.
NoAutoUpdate
This policy controls the AutoUpdate functionality of RoboForm.
NoEmailingDataFiles
This policy controls the ability of the user to send his or her data files (Passcards, Identities, and Safenotes) via email.
NOTE: the user will still be able to send his data files via email with other programs outside of RoboForm.
DisableAddShortcutToDesktop
This policy controls the availability of the Add Shortcut To Desktop command to the user.
NOTE: the user will still be able to manually add a shortcut to the desktop.
DisableAddShortcutToLinksToolbar
This policy controls the availability of the Add Shortcut To Links Toolbar command to the user.
DisableAddShortcutToQuickLaunch
This policy controls the availability of the Add Shortcut To QuickLaunch command to the user.
ForbiddenIdentityEditorGroups
This policy allows the administrator to restrict user access to different tabs in Identities. The following is the list of all tab names to which access can be restricted (you can list multiple tabs separated by a comma):
Example: to disallow Credit Card and Bank tabs, this policy must be set to: Credit Card,Bank Account.
DisableChangeCustomDomainEquiv
This policy controls the ability of the user to change custom domain equivalences.
NoUninstall
NoConfirmOpenPasscard
CreateNewAsContact
MyIdentitiesCausesSubmit
MatchingPasscardsCausesSubmit
ShowObjectContextMenuByTimer
EncryptionKeyScheme
This policy specifies the encryption schema used by RoboForm:
ShowSearchResultsInNewWindow
SaveSearchHistory
SearchHistoryMaxNumber
This policy controls the maximum number of items that RoboForm will save in Search History.
EnableSelectionSearch
MyIdentityNumber
This policy specifies the number of MyIdentity buttons on toolbar.
MyIdentityWidth
This policy controls the width of the MyIdentity button.
SearchBoxWidth
This policy controls the width of the Search box on toolbar.
MatchingPasscardsButtonWidth
This policy specifies the width of the Matching Passcards button on toolbar.
MiniDialogShowDelayTime
This policy specifies the delay time of the Mini Dialog.
MruMaxNumber
This policy specifies the maximum number of items in the Most Recently Used list.
ShowLowerToolbarIE
When the Upper RoboForm toolbar cannot be shown in Internet Explorer because it is not installed or not allowed, show the Upper Attached Toolbar, the Lower Toolbar or no toolbar. The preferred location of the RoboForm toolbar is:
OrderByUrlMatch
This policy controls the order of Passcards in the Matching Passcards mini-dialog:
ShowIconsInMenu
AttachToFirefox
This policy tells RoboForm whether or not to attach to Firefox if the adapter is not installed. This policy is ON by default.
RequestChangesConfirmationInEditor
FillingFromPasscardChecksDomain
This policy allows or prevents the use of a Passcard to fill a form located on a domain that is different from the domain specified in the Passcard. This policy (when set to False) is used to protect against phishing attacks and enforce the privacy of passwords (e.g., when the user is not allowed to view the information in the Passcard, he or she may choose to create a custom HTML form that reveals the username and password to them).
RoboForm Enterprise allows system administrators to enable the mechanism that would force RoboForm to store Master Passwords of individual users in an encrypted form.
To activate this feature, the system administrator has to use the Policy Editor to populate the PasswordRecoveryStorage policy with the full path to the directory where all user passwords will be backed up, and deploy this change to all user workstations. We recommend choosing a place on the local area network that is visible from all user computers.
RoboForm Enterprise uses public key cryptography to protect Master Passwords of individual users in storage. The system administrator will generate a public/private key pair using the Generate New Key Pair button in the Policy Editor.
The public key from that pair will be used by RoboForm to automatically encrypt the newly created user's Master Password and to save it in a file with extension "ENP" in the directory that is specified in the PasswordRecoveryStorage policy after this Master Password is changed or created for the first time.
That public key must be saved in a file "pub.rfk" and a copy of it has to be saved in the directory that is specified in the PasswordRecoveryStorage policy.
When the system administrator generates the public/private key pair, he or she will be prompted for a password that will be used to generate an AES key to encrypt the file containing the private key, which can later be used to recover user passwords from encrypted storage files. The default name for the file containing the private key is "prv.rfk", but it can be changed to any other name. The file containing the encrypted private key can be stored in any folder and does not have to be in the folder specified in the PasswordRecoveryStorage policy.
When the system administrator needs to recover a user's Master Password, he or she needs to go to the Policy Editor, make sure that the proper file containing the private key is selected in the Private Key File text box and click on the Recover RoboForm Master Password button. After that, an Open RoboForm Master Password backup file dialog box will appear, where the encrypted password (a file with the extension "ENP") corresponding to that user must be selected. After the file is selected, a window will appear with the network login ID of the user and the Master Password in plain text.
NOTE: the use of the Master Password recovery feature provides a useful business continuity mechanism but also poses a threat related to the fact that the security of access to all system resources for all users ultimately resides in the security of the password with which the administrator protected his or her private key. We recommend that multiple copies of the encrypted file with the private key be stored outside of the network and that additional means of protection, like locked physical storage, be used to provide additional security.