HELP FILE

Add and Manage LastPass Admin Policies

LastPass Enterprise offers a number of configurable and recommended policies around security levels and password strength that you can add, edit, or delete as an admin. Each policy can be applied to all users, or to an inclusive or exclusive list of users (e.g., a policy that prohibits all users from exporting data except for those who are admins). With over 100 policies available for you to add and configure, you can achieve optimal security performance with LastPass.

You can view our complete list of LastPass Enterprise policies that you can add and manage. Please note that you must be actively logged in with a LastPass Enterprise account in order to view the full list of policies available.

LastPass Enterprise policies are separate from those available in the LastPass SSO and/or MFA Admin Console – please see Policy Management for more information.

You can also learn about policies that affect federated users below.

If you have a LastPass Identity account, please see the policies specific to that account type below.

For LastPass Enterprise admins, there is a brand new policy available for hiding integrated SSO below.

Review recommended policies

You can view our LastPass Enterprise Recommended Policies to help guide you through common scenarios and determine which policies best suit the business needs of your organization.

Add a new policy

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to Settings > Policies in the left navigation.
  3. Click Add Policy.
  4. Use the drop-down menu to select your desired policy.
  5. When applicable, enter data into the "Value" field based on the data type outlined in the description (e.g., IP Address, domain name, email address, country abbreviation, etc.).
  6. For the "Applies To" section, choose from the following:
    • All – Select this option to apply to all users on your account.
    • Inclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should be enforced. Click Save when finished.
    • Exclusive List of Users – Select this option then click Edit Users to add the names of individual users and/or groups for which this policy should not apply. Click Save when finished.
  7. If desired, fill in the "Notes" field to add more information about the policy you are configuring.
  8. If applicable, check the box for the option Enabled to enforce the policy immediately. If left unchecked, the policy will be added but not yet enforced; you can edit the policy later to enable it.
  9. If applicable, click Add new policy values if you find that you want to create additional configurations that are based on specific Inclusive or Exclusive user lists.
  10. Click Save when finished.

Edit an existing policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Locate your desired policy, then click Edit under the "Action Menu" column.
  3. Make your desired changes, then click Save when finished.

Delete a policy

  1. From within the Admin Console, go to Settings > Policies in the left navigation.
  2. Locate your desired policy, then click Delete under the "Action Menu" column.
  3. When prompted, click OK to confirm removal.

About policies for federated users

For admins that implement federated login for AD FS, Azure AD, or Okta, the following policies should be noted:

  • Super Admin Password Reset policy is required (learn more).
  • All Master Password Strength policies will not be applied
  • Account Recovery Email policy will not be applied
  • All policies requiring the use of Multifactor Authentication in the LastPass Admin Console must be disabled

About policies for LastPass Identity accounts

Admins for LastPass Identity accounts (includes LastPass Vault, integrated SSO, and LastPass MFA) can enforce the following policies:

  • The Require use of LastPass MFA policy can be enabled to require users to set up and use the LastPass MFA authenticator when accessing their LastPass Vault.
  • The Hide Cloud Apps from end users policy can be enabled to hide the Cloud Apps menu item (used for integrated SSO) from appearing in the left navigation of users' LastPass Vaults (if the admin has already implemented their own single sign-on solution or does not need to use LastPass integrated SSO).

Not sure what type of LastPass account you have? Learn about the LastPass business account types that are available.
