Multifactor Authentication

Multifactor authentication refers to a device that can be enabled for use with your LastPass account and requires a second step before you can gain access to your account. You can set up Policies to require multifactor authentication for your Enterprise users. Multifactor authentication devices help protect your account from keyloggers and other threats - even if your Master Password were captured, someone would be unable to gain access to your account without this second form of authentication. LastPass offers several multifactor options for your Enterprise account, including:

Google Authenticator

Toopher Authentication

Duo Security Authentication

LastPass Sesame Authentication

YubiKey Authentication

 

Introduction



What is LastPass Enterprise?


LastPass Enterprise offers your employees and admins a single, unified experience that combines the power of SAML SSO coupled with enterprise-class password vaulting. LastPass is your first line of defense in the battle to protect your digital assets from the significant risks associated with employee password re-use and phishing.

LastPass Enterprise is deployed in days. It automatically 'Learns' and 'Remembers' usernames and passwords for virtually all online websites and Windows applications. It provides universal access to resources, seamlessly synchronizing passwords across all platforms and browsers. Deployed on the desktop and in the cloud, LastPass has powerful, intuitive features that your employees will love using and readily adopt. Your employees can familiarize themselves with LastPass' features by using our LastPass Manual.

The Enterprise Console allows your System Administrators to install and upgrade your installation, manage policies, user configurations, applications, authentication methods and user groups. It provides centralized reporting for auditing and compliance and automated user alerts for optimizing use of the tool.

Not Just Websites: SAML SSO


LastPass Enterprise supports SAML SSO for all of your essential cloud-based applications. Seamlessly onboard new users with automated provisioning and termination through our SAML dashboard.

Education and Outreach


LastPass gives you the tools and guidance that you need to ensure a seamless launch, grateful employees, and a happy boss. Our turnkey program includes a step-by-step Training Kit for the initial product intro, individual and aggregate Security Scores to measure the impact of the program, and a status summary report (coupled with email templates) to identify (and easily act on) education opportunities among your users.

Sharing


The sharing of login data is impossible to avoid in many cases. The problem with sharing is that you lose accountability. With LastPass Shared Folders, administrators can easily share credentials for a single website or for a group of sites while retaining the ability to tie activity back to the individual user. Password updates automatically and seamlessly propagate to all assigned users eliminating lock-out caused by version control issues.

Admin Access to User Accounts


In its default state, LastPass Administrators cannot access any data stored in an employee's LastPass account. However, there are some exceptions: (1) the end user can explicitly share data with an Administrator via an individual share or a Shared Folder, or (2) the company can choose to enable either or both of the Super Admin Policies defined here: https://lastpass.com/policy_doc.php. When the Super Admin Policies are enabled, a notification is sent automatically to every LastPass Admin in the Enterprise.

Integration


Already deployed SSO or Active Directory? You can use LastPass for web logins to improve productivity logging in to apps locally, or to handle apps that haven't been integrated into your SSO/Active Directory. Many implementations require minor changes for each application to specify domain or other settings that confuse users -- LastPass resolves those issues.

Deployment


LastPass supports command line install and updates. For the automated provisioning and termination of LastPass user accounts, clients can choose between: Active Directory Sync client, Windows Login Integration, or an open API. Clients looking for less automation can simply add users manually in the Enterprise Console and LastPass will take it from there with our automated welcome emails. If you need something custom to make deployment easier, let us know, we're here to help.

Synchronization


A Web 2.0 cloud based approach allows mobile workforces seamless access to their accounts on any computer or mobile device from any location.

Policies


Enforce site-wide policies on password strength, security features and password expiration.

Administration


Employee accounts can be instantly disabled when employees leave the organization.

Reporting


Administrators can view historical data and can audit employee logins and accesses.

Authentication


Multifactor authentication offering increased security.

Security & Privacy Is Our Priority


We've taken every step we can think of to ensure your security and privacy. Using an evolved host-proof hosted solution, LastPass employs localized, government-level encryption (256-bit AES implemented in C++ and JavaScript) and local one-way salted hashes to give you complete security with the go-anywhere convenience of syncing through the cloud. All encrypting and decrypting happens on your computer - no one at LastPass can ever access your sensitive corporate data. The LastPass™ Security Challenge also allows your users to identify weak account data and provides suggestions for significantly improving online security.

Breach Alerts


LastPass Sentry alerts your users the instant their username is found in a global database of breached accounts.

Training Kit for End Users

Getting the Most Out of Your LastPass Implementation

Implementing LastPass in your organization will be an exciting development for administrators and employees alike. While the driver behind a LastPass Enterprise purchase is often improved security, LastPass also brings huge convenience to end users. When properly implemented, LastPass will help alleviate administrative tasks for IT and Operations, and will help save considerable time and frustration for end users. However, like all new things, there can be a learning curve. The following recommendations are intended to help create comfort among your staff as well as drive down this learning curve. We hope that you will take full advantage of these materials and advice, and contact our staff if there is anything more that you feel would help.

End User Survey (1 week prior to roll out): Prior to implementing LastPass, we recommend that you survey your employees to establish a baseline around current password practices. This will help you to better steer your educational efforts, and will provide you a quantifiable proof point against which you can measure the impact of the program. Click here for a sample survey.

Warm 'em up (2 days prior to roll out): It is a good idea to send a 'heads up' email  2 days in advance of your implementation to put context around the goals of the LastPass program and to prepare your staff for what to expect. This email is also intended to let them know that LastPass is a corporate-sponsored program so that when they receive the welcome email they are less likely to see it as a potential phishing scam.  See suggested copy for the 'heads up' email here.


The Welcome Email: With most provisioning options, your end users will receive an automated welcome email from LastPass. This email can be customized to bring your own culture and message to your staff. See the boilerplate emails here.

LastPass Experts: We suggest you train a select group of employees to serve as "LastPass Experts". On the day of your launch, have your Experts wander the floor offering assistance and advice on how to use and optimize LastPass. For larger deployments, feel free to contact your sales representative for LastPass t-shirts for your experts.

Add LastPass screencasts to your Training Modules: Mandatory training is always best. Help your employees make the most of LastPass with a brief mandatory training. They can simply watch the screencast and then take a brief quiz to demonstrate completion.

Review your progress: At any point after the automated Welcome email is sent, you can check the progress of your users by visiting the Notifications Tab.  We suggest direct outreach to staff members that have not yet enabled their account. You can program these emails to be sent automatically on a regular basis until the user has taken action.

Training Email and Self-help Tool (48 hours after invite): It is best to offer your staff some form of training whether it is direct 'desk by desk' training, small group training, or a larger Webinar. We suggest that these invitations be sent out to end users approximately 2 days after the initial invite. See suggested copy here. For larger implementations, LastPass is happy to provide training for your trainers. Please contact your rep to schedule your training session at least 5 days prior to the target roll out.

Review your progress (1 month after invite): One month after the initiation of your LastPass program, we suggest that you visit the Notifications Page. Look for what you consider to be critical areas for outreach. Using the email templates, draft targeted messages to your end users that will be sent automatically based on the time frames that you designate.

Training Tools: We encourage you to distribute these tools to your End Users to help get them up to speed and to expose them to some of the broader benefits of LastPass.

LastPass End User Training Deck

Online screencasts:
Getting Started with LastPass: http://www.youtube.com/watch?v=a2GAYBMBm38
Other Screencasts: https://lastpass.com/support_screencasts.php

 

 

LastPass Sesame

LastPass Premium members can use an ordinary USB thumb drive as a second form of authentication when logging into their LastPass account. Having a physical second form of authentication will help further ensure that your account will remain safe because both your Master Password and your USB thumb drive are required to log in.

Enabling Sesame


If you are already a Premium member, you can simply download Sesame onto your USB device and run the application.  You will see the empty Sesame dialog:



On your first run, you will be prompted to activate the software by adding your LastPass login to the user list. Then, you will be sent an e-mail asking you to confirm the registration of Sesame.

By default, the email link will expire after 10 minutes to protect your security. If you click on the link and it says 'Link Expired', please re-send yourself the activation link and try again.

Once activated, Sesame will create secure One Time Passwords (OTP) that are subsequently required to login. You have the choice to copy the OTP to the clipboard or launch the browser and pass the value automatically.

Like all our multi-factor authentication options, you can elect to enable or disable Mobile and Offline Access within the settings for your particular username in Sesame:



 

If you lose your USB device, you can disable Sesame authentication by logging in to LastPass and using the link on the bottom of the Sesame screen.

Sesame is a cross platform application that is available for Windows, Mac and Linux.

Note for Linux users

The USB device is mounted noexec, which prevents running executables from the drive. To fix, remount the device with the exec flag, for example by "sudo mount -o remount,exec <device> <mountpoint>".

Administrating Sesame in Enterprise


You can require Sesame for your users via the 'Require LastPass Sesame' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require LastPass Sesame' from the dropdown menu:

[Image: SesamePolicy]

Watch the Tutorial for Using Sesame


Google Authenticator



LastPass now supports Google Authenticator as a multi-factor authentication option.

Setting Up LastPass with Google Authenticator


If you would like to use Google Authenticator, please first ensure you're using the latest LastPass browser extensions and mobile clients everywhere. You will also need a supported mobile device to run the Google Authenticator application.

Next, install the Google Authenticator application on your mobile device.  Google officially supports Android, iOS (iPhone, iPod Touch, or iPad), and BlackBerry devices.  You can follow the instructions here to install Google Authenticator onto these devices.

For other devices:

If you would like to run Google Authenticator on an Android device that doesn't have access to Google Play Store, you can install from here.

If you would like to run Google Authenticator on your Windows Phone, Jamie Garside has developed Authenticator.

If you would like to run Google Authenticator on your webOS device, Greg Stoll has developed GAuth.

If you would like to run Google Authenticator on your Symbian device, or any device that supports Java ME, Rafael Beck has developed lwuitgauthj2me.  Alternatively, Rodrigo A. Diaz Leven has developed gauthj2me.

 

Once you have the Google Authenticator application running on your mobile device, go to https://lastpass.com/?ac=1&opengoogleauth=1.  Follow the instructions there to finish setting up Google Authenticator.

You will be prompted to use a bar code scanning app (Android devices, iPhones and other supported devices with cameras) to scan your unique bar code, or you can manually enter the Google Authentication Key found on that setup page.

[Image: EnableGoogleAuth]



After your LastPass account is registered within the Google Authenticator app, the next time you login to LastPass on an untrusted device, you will receive the Google Authentication dialog:

[Image: GoogleAuthEnable]

Go to your Google Authenticator App and input the current authentication code you see in the app into this dialog.  If the code expires before you have a chance to authenticate, simply use the next code that appears in the app.

Logging in Offline when Google Authenticator is Enabled


As with our other multifactor authentication options, you can choose whether to allow LastPass to store an encrypted vault locally so you can log in without an internet connection. If you enable offline access, you will be able to login without using your Google Authenticator code in case of a connectivity issue.

With some internet configurations (typically wireless connections and waking from sleep), LastPass may log in offline first before establishing connectivity to your online vault and prompting for your authenticator code.  This may cause LastPass to AutoFill any login credentials you have saved in LastPass for the current page you are on.   If you wish to disable offline access, you may do so in your Account Settings.

Administrating Google Authenticator in Enterprise


You can require Google Authenticator for your users via the 'Require use of Google Authenticator' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of Google Authenticator' from the dropdown menu:

[Image: GoogleAuthPolicy]

Sample Survey

When surveying your employees, we suggest that the survey be offered anonymously to promote honest answers.
Password Questionnaire



1. What system are you using to keep track of your passwords?








  • Spreadsheet or other written medium (contacts, sticky notes, Word doc)

  • Same or similar password everywhere

  • Rotate between 3 (or so) passwords

  • The password manager in my browser

  • 3rd party password manager



2. How many work-related passwords do you use on a weekly basis?








  • 0 – 10

  • 11 – 15

  • 15 – 20

  • More than 20



3. Do you frequently re-set passwords because you have forgotten them?








  • Yes, weekly

  • Yes, monthly

  • No



4. Do you check the ‘Remember Me’ button on login screens?








  • Yes, always

  • Yes, occasionally

  • No



5. Do you share passwords with colleagues such as group logins to virtual meeting software, social media sites, servers, etc.?








  • Yes

  • No



6. Have you ever contacted the helpdesk at work regarding a password-related issue?








  • Yes

  • No



7. What functional team do you work for in the company (i.e., sales, customer service, finance, HR, IT, etc.)?



Duo Security

Enabling Duo


LastPass supports multifactor authentication with Duo Security. It is a secure, two-factor authentication application offered for all leading smartphone platforms, including Android, iPhone, Blackberry, and Windows Phone. You can get Duo Security here: https://www.duosecurity.com/editions

Once you have authenticated your Duo account, make sure to select 'Auth API' from the 'Integration type' dropdown at the 'New Integration' login page:

[Image: DuoStep1]

Once you have finished setting up your new integration, then you will need to log in to your LastPass Vault and click Settings > Multifactor Options > Duo Security. Make sure that you have your integration key, security secret key, and API hostname filled in the appropriate fields and that the 'Duo Security Authentication' dropdown is set to 'Enabled':

[Image: DuoEnabled]

After selecting 'Enabled' from the Duo Security dropdown, you will then want to select the 'Click here to enroll your device with Duo Security' link. Then, click 'Start Setup':

[Image: DuoStartSetup]

You will then see another screen which will prompt you to choose which type of device you would like to enroll to use for two-factor authentication. Please note that LastPass currently only supports the enrolling of a single device:

[Image: DuoAuthenticatorType]

Select the type of device that you would like to enroll and then click the "Continue" button. You will then be given on-screen instructions on how to enroll each specific device. Once you have enrolled the device(s) that you would like to use for Duo authentication, you can then use it to authenticate you in the login process.

 

Administrating Duo in Enterprise


You can require Duo for your users via the 'Require use of Duo Security' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of Duo Security' from the dropdown menu:

[Image: DuoPolicy]

If you would like to set the username portion of a user's email address to be used as their Duo Security username, enable the "Use username portion of email address as Duo Security username" policy:

[Image: DuoUsernamePolicy]

Toopher

Setting Up LastPass with Toopher


To install Toopher with LastPass please do the following:

  1. Download the Toopher App to your smartphone (for iOS from the Apple App Store, or for Android from the Google Play Store).

  2. Login to your LastPass Vault.

  3. Select "Settings" (left sidebar).

  4. Then select "Multifactor Options" (fourth tab from the left on top).

  5. Here is where you will be able to switch over to Toopher by selecting the "Toopher" radio button at the top of the page.

  6. Once you have selected Toopher, you will be taken to a different screen. On the new screen, switch "Toopher Authentication" from "Disabled" to "Enabled". At this time you will be prompted to enter a 2-word “pairing phrase”. This pairing phrase will be generated by the Toopher app on your mobile device (see next step).

  7. Open the Toopher App on your mobile device and select the "+" button in the top-right of the app screen. This will generate a 2-word pairing phrase. Back in the computer browser, enter this 2-word pairing phrase into the browser field and then select enter.


You will receive a push notification on your phone that will prompt you to select allow or deny. Select allow; pairing is then complete and you have now enabled Toopher with LastPass.

If you choose, Toopher two-factor authentication for LastPass can be automated. That is, if you are on the same computer, in the same location, logging into LastPass (the same site), you can tell your mobile device to automatically log you in next time. Simply slide the “automate when near here” slider to the right. Now Toopher will automatically enable two-factor authentication for you. This feature can be turned on or off whenever you wish.

Administrating Toopher in Enterprise


You can require access to Toopher for your users via the "Require use of Toopher" policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of Toopher' from the dropdown menu:

[Image: ToopherPolicy]

YubiKey

A YubiKey is a key-sized device that you can plug into your computer's USB slot to provide another layer of security when accessing your LastPass Account. YubiKeys are secure, easy-to-use two-factor authentication devices that are immune to replay attacks, man-in-the-middle attacks, and a host of other threat vectors.

YubiKey support is a Premium and Enterprise feature, and the device must be purchased through Yubico.com for $25.

Up to 5 YubiKeys can be associated with one LastPass account.

Adding Your YubiKey


Once you have purchased and received your YubiKey, you can enable the device and manage your preferences by launching your Account Settings and clicking on the 'Multifactor Options' tab > 'YubiKey' radio button:

[Image: Yubikey]

To add a new YubiKey to your LastPass account, insert the device into your USB port, click in the first empty YubiKey field, and lightly press your YubiKey on the grooved circle. You will need to enter your LastPass Master Password to save any updates you have made to your YubiKey settings.

After the field is filled, you can specify your YubiKey preferences:

YubiKey Authentication: Enable or disable your YubiKey multifactor authentication. When enabled, you will be prompted to enter the YubiKey data the next time you login to LastPass.

Permit Mobile Device Access: Controls whether mobile devices that do not possess USB ports, such as a smartphone, will be allowed to bypass YubiKey multifactor authentication when enabled.

Permit Offline Access: Controls whether access to your vault will be allowed when you are not connected to the Internet. Allowing offline access to your vault is slightly less secure since YubiKey OTPs cannot be validated, and only the static portion of the key is validated.
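Why offline access is the weaker setting, shown as an added example (not LastPass or Yubico code): in the standard configuration a Yubico OTP is 44 ModHex characters, of which the first 12 are the key's fixed public ID and the last 32 are an AES-encrypted block that changes on every press and can only be checked by the validation server. The sample OTPs are constructed, and offline_accepts is a hypothetical model of a check that sees only the static portion.

```python
"""Split a Yubico OTP into its static and one-time parts: added example."""

# ModHex uses 16 letters that sit on the same keys in most keyboard layouts;
# the letter at index i stands for hex digit i.
MODHEX = "cbdefghijklnrtuv"
HEX = "0123456789abcdef"
_TO_HEX = str.maketrans(MODHEX, HEX)
_TO_MODHEX = str.maketrans(HEX, MODHEX)

PUBLIC_ID_CHARS = 12   # static portion: identifies the key, same every press
TOKEN_CHARS = 32       # one-time portion: 16 AES-encrypted bytes


def modhex_decode(text: str) -> bytes:
    """Turn a ModHex string into raw bytes, rejecting anything else."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a ModHex string")
    return bytes.fromhex(text.translate(_TO_HEX))


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode; used here only to build sample values."""
    return data.hex().translate(_TO_MODHEX)


def split_otp(otp: str):
    """Return (public_id, one_time_token) for a standard 44-character OTP."""
    otp = otp.strip().lower()
    if len(otp) != PUBLIC_ID_CHARS + TOKEN_CHARS:
        raise ValueError("expected 44 ModHex characters")
    modhex_decode(otp)  # raises ValueError on any non-ModHex character
    return otp[:PUBLIC_ID_CHARS], otp[PUBLIC_ID_CHARS:]


def offline_accepts(otp: str, enrolled_public_ids) -> bool:
    """Hypothetical offline check (an assumption, not LastPass's code).

    Without the validation server the encrypted token cannot be decrypted or
    checked for freshness, so the only thing left to compare is the public ID.
    """
    try:
        public_id, _token = split_otp(otp)
    except ValueError:
        return False
    return public_id in enrolled_public_ids


# Constructed sample values: not output from a real YubiKey.
PUBLIC_ID = "ccccccbcgujh"
PRESS_1 = PUBLIC_ID + modhex_encode(bytes.fromhex("00112233445566778899aabbccddeeff"))
PRESS_2 = PUBLIC_ID + modhex_encode(bytes.fromhex("ffeeddccbbaa99887766554433221100"))
OTHER_KEY = "ccccccbcgujv" + modhex_encode(bytes(16))


if __name__ == "__main__":
    enrolled = {PUBLIC_ID}
    for label, otp in (("press 1", PRESS_1), ("press 2", PRESS_2),
                       ("press 1 repeated", PRESS_1), ("other key", OTHER_KEY)):
        public_id, token = split_otp(otp)
        print(f"{label:17} id={public_id} token={token} "
              f"offline={offline_accepts(otp, enrolled)}")
```

A repeated OTP passes the offline check exactly as a fresh one does, which is the reduced guarantee the 'Permit Offline Access' setting describes.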

To begin using your YubiKey, be sure that the 'YubiKey Authentication' field is marked as 'Enabled'.

To save changes to your YubiKey preferences, click 'Update' before exiting the Account Settings dialog.

To disassociate a YubiKey device from your LastPass account, simply clear the entire input field of all characters and click 'Update'.

Logging In with YubiKey


Now that you have enabled your YubiKey device, the next time you login to your LastPass account, you will be prompted to enter your YubiKey code. Simply click your LastPass Icon to login as normal, enter your email and Master Password, then submit. However, you will now be asked by LastPass to press your YubiKey device to enter the code:

[Image: Yubikey Auth]

If you would like to leave YubiKey authentication enabled but do not want to enter it every time you login to a particular device, simply check the trusted computer option before swiping your YubiKey.

Administrating YubiKey in Enterprise


You can require YubiKey for your users via the 'Require use of YubiKey' policy. This policy can be enabled for your Enterprise account by accessing your Enterprise console and clicking the 'Setup' tab > 'Add Policy' button > Select 'Require use of YubiKey' from the dropdown menu:

[Image: YubikeyPolicy]

You can also restrict your users to only permit the use of a single YubiKey for their account via the "Only allow a single YubiKey per account" policy:

[Image: YubiKeySingleAccountPolicy]

Using a VIP YubiKey with LastPass


The VIP enabled YubiKey (http://yubico.com/vip) has two configuration slots. When the VIP enabled YubiKey is shipped, its first configuration slot is factory programmed for Symantec VIP credentials. The second configuration slot is programmed with a standard Yubico OTP, is dormant, and can be activated using the YubiKey Personalization Tool. The two configuration slots of the YubiKey work independently, and each can be independently reconfigured into OTP or static password mode.

If you touch and hold the YubiKey button for 1-3 seconds before releasing, the first configuration slot will emit the password (based on slot 1 configuration). If you touch and hold the YubiKey button for about 4-5 seconds before releasing, the second configuration slot will emit the password (based on slot 2 configuration). If you touch and hold it for more than 5 seconds, the touch button indicator will flash rapidly without emitting any password.

As the second configuration slot of the YubiKey is left blank, you can program it to the YubiKey OTP mode, upload the AES Key to the online validation server and configure it to work with LastPass.

To program the second slot to work with the online Yubico OTP validation server, please follow the steps below:

  1. First, download and install the latest Cross Platform Personalization Tool for Windows from the Yubico Website at: http://www.yubico.com/products/services-software/personalizationtools/use/ under the section "Cross platform personalization tools". There are a number of different installers for various operating systems – pick the installer for your operating system.

  2. Once the Cross-Platform Personalization tool has been installed, insert your VIP YubiKey in a USB port on your computer and launch the YubiKey Personalization Tool.

  3. In the Cross-Platform Personalization Menu, open the "Settings" menu by clicking on the link “Update Settings” on the main page or the “Settings” option from the menu at the top.

  4. In the Settings menu, locate the Update Settings button in the lower right corner and click on it.

  5. The Update YubiKey Settings menu should be displayed. If this is not the case, confirm you have a VIP YubiKey with a firmware version of 2.3.0 or above.

  6. Locate the section labelled Configuration Slot and select Configuration Slot 2.

  7. Locate the checkbox labelled Dormant and ensure the box is not checked.

  8. Locate the Configuration Protection section, and open the menu labelled “YubiKey(s) unprotected – Keep it that way”. From this menu, select the option “YubiKey(s) protected – Keep it that way”.

  9. This will activate the “Current Access Code” field in the Configuration Protection section. Enter your VIP YubiKey’s current access code, which will be five 0s followed by the YubiKey’s serial number in Decimal format, as reported by the Personalization tool. For example: If your Serial Number is “1234567”, then your Current Access Code will be “00 00 01 23 45 67”.

  10. Press the Button labelled “Update” to activate your VIP YubiKey’s second slot with the Yubico OTP configuration.


Yubico also has a video that describes the steps required for uploading the AES Key. For more information, please visit the link below:

http://www.yubico.com/aes-key-upload

Video Tutorial for Using LastPass with YubiKey



Watch How to use LastPass with YubiKey NEO




After you've registered the YubiKey with your LastPass account, ensure that mobile access is "disallowed" in your LastPass Icon > My LastPass Vault > Account Settings link > YubiKey tab.

Then download the Personalization Tool from Yubico. In the Personalization tool, select the "Tools" option from the menu at the top.

In the Tools menu, select the NDEF Programming Option.

In the NDEF Programming option page, select Configuration Slot 1. Set the NDEF Type to "URI (http://..)", then in the NDEF payload field, type: "https://lastpass.com/mobile/?otp="

Press the Program button to write the NDEF2 string to your YubiKey NEO.

Now you can use the YubiKey NEO when logging in via the LastPass Android app or the LastPass Windows Phone 8 app, or use it as a normal YubiKey on your desktop.

YubiKey NEO with Windows Phone 8 App


The updated Windows Phone 8 app with YubiKey NEO support (for phones that have NFC) is now available in the Windows Phone store: http://www.windowsphone.com/en-us/store/app/lastpass/9b86eadc-16e8-df11-9264-00237de2db9e

Configuring the YubiKey NEO should be done the same way as for Android, shown above. You also have to set the "permit mobile device access" in your LastPass vault to "disallow" in order to enable prompting.


A known issue is that when you touch the YubiKey NEO to the phone, the LastPass app will accept and verify the key, but the OS will open a dialog asking what to do with the URL, which you will have to ignore/cancel. Hopefully Microsoft will fix this in a future release of the OS.


Why Use LastPass Enterprise?

Designed and built from the ground up by an experienced team of highly-talented developers, LastPass Enterprise finally delivers on the long-desired -- but rarely delivered -- promise of Enterprise SSO. LastPass Enterprise brings a new technical approach to Single Sign-On, designed and delivered the way YOU have always envisioned it.

Benefits


For End Users



For Help desk



For System Administrators



For CISO, CIO, CTO, and IT Managers



For SVP Sales and SVP Operations



For CEO



 

Email Templates for End User Roll Out and Training

The 'Heads Up' Email (2 days prior to invite)

Hello Team:

We are pleased to announce that we have recently contracted with a great new service provider called LastPass. LastPass offers a service that will help you better manage your passwords. The goals of this program are to:

In the next couple of days, you will receive a welcome email from LastPass. Please follow the instructions to get started. While this is required, it is also something that we are certain will bring you great utility and convenience. We hope that you will embrace and enjoy this new tool.

Regards,
Your friends in IT

____________________________________________________________________________________________________

The Automated Welcome Emails: Click here.

_____________________________________________________________________________________________________

The Training Invite (2 days following invite)

Hello Team:

Two days ago you should have received your invitation to create a LastPass account. Hopefully you have done so, and are enjoying the benefits of the service.

We will be conducting required training sessions at the following dates and times. Please respond to this email to reserve your spot:

XXXXXXXXXX

Attached is a desk reference that might also be helpful as you start using LastPass.

Regards,
Your friends in IT

LastPass Enterprise Desk Reference

 

How is LastPass Safe?

Your security and privacy are our top priority - that's why we've taken every step possible to ensure that your data is safely stored and synced in your LastPass account.

All sensitive data is encrypted locally


All encryption/decryption occurs locally on the user's device, not on our servers. This means that your sensitive data does not travel over the Internet and never touches our servers, only the encrypted data does.

We use government-level encryption


We use the same encryption algorithm that the U.S. Government uses for top-secret data. Your encrypted data is meaningless to us and to everyone else without the decryption key (your email and Master Password combination).

Only your users know the key to decrypt their data


Your encryption keys are created from your users' email addresses and Master Passwords. The Master Passwords are never sent to LastPass - only a one-way hash of your password when authenticating - which means that the components that make up your keys remain local to your users. LastPass also offers configurable corporate policies that let you add more layers of protection.

You control your policies


We know that one size does not fit all when balancing corporate security and ease of use. That's why we allow you to define your preferences by providing a full range of configurable corporate policies. We strongly encourage you to review the policy options prior to rolling out LastPass across your organization.

Your users can generate unique, strong passwords


No more using the same password for all sites. No more writing down passwords on little pieces of paper. No more emailing yourself when you forget your password. With the LastPass password generator users can create strong passwords for each site and automatically save them to their individual vault. With LastPass, your data will be safer online than ever before without the hassle of remembering unique passwords.

No more using your browser's insecure password manager


Any malicious application can easily retrieve saved passwords from your users' browsers. With LastPass, you're protecting your users from these attacks!

Learn more about protecting yourself from phishing scams

Building a Business Case for LastPass Enterprise

LastPass Enterprise typically pays for itself within two to three months in the form of increased employee productivity and reduced help desk calls/cost.  The following detailed ROI Calculators can be used to help quantify the impact of password automation and to help build a compelling business case for an investment in LastPass Enterprise:  Pricing and ROI Calculators.

The benefits of LastPass Enterprise go well beyond productivity and cost reduction. Our LastPass Enterprise Overview can help you articulate the importance of strong password hygiene for your company.

Our Password Management Sample Survey can help you establish a baseline and assess the current 'state of the nation' at your company.

If Compliance and Security are your primary concerns, the LastPass Security and Compliance document helps illuminate the impact of LastPass Enterprise on your compliance efforts.

Getting Started with LastPass Enterprise

Trialing LastPass Enterprise


Getting started with LastPass Enterprise is easy, starting off with a free 14-day trial. Simply sign up for a LastPass account and complete the Enterprise Trial Request Form. Once this form is filled out, the Enterprise features will automatically be activated on the account in question and can include up to 10 individuals from your organization.


Choosing which LastPass Account to Use


'Enterprise' is a set of features that can be activated on any new or existing account. New Enterprise users often wonder whether to use their existing personal account, or to create a new account for professional purposes. Here are the options:


 

1) Using separate accounts for personal and professional use. This is the only way to ensure that you will never lose your personal data if/when you leave the enterprise. For a more seamless experience, you can link the two accounts behind your single enterprise login. If you do choose to link your personal account, it is important to note that the logins from your personal account will never be reported in the Enterprise logs. Once you have linked a personal account, you can migrate entries from your personal account to your enterprise account. We highly recommend you use this approach.


2) The other option is to use a single account for both personal and professional data. This approach will ultimately give your employer control over the termination of the account, and we do not recommend this approach in most cases. The administrator of the account has the ability to 'remove user from company',  which allows you to preserve your data and to continue using LastPass as a standard user. But they can also 'delete' the account, which will delete the account in its entirety including all personal logins that you may have saved.

Adding Users to Your Trial


Once you are in trial, you can invite other employees to the trial by email. After logging into the Admin Console, please click on Setup >> Create New User and enter in the email addresses of the employees you wish to invite.



An account will be created for them with a temporary password. They will receive a welcome email with instructions on how to reset their password and get started. If the user's email address is already associated with a LastPass account, they will be sent an email with an activation URL.

Purchasing LastPass Enterprise


You must be in a trial or an active Enterprise customer in order to purchase LastPass Enterprise licenses. You can make your purchase using the purchase link found on the Admin Console Dashboard home page. Any additional purchases made throughout the year will be pro-rated for just a single annual renewal.




Implementation Guide


Click here for a step by step guide to implementing LastPass Enterprise: Implementation Guide.

Importing Existing Data into LastPass

Once you have installed LastPass, you may need to import any existing password entries and secure data from another LastPass account or from another password manager or file format. To do so, follow the instructions below.

 

Importing using pre-established formats


To begin, click on the LastPass Icon, click the Tools submenu, and click Import:



You will then be presented with a submenu for the Google Chrome Password Manager and ‘Other’. Selecting Other will open a new page with a drop-down list of all supported import options:


 

We continue to add formats and password managers to the list of supported import options, so check the version of LastPass you are running if you do not see the format you need.


Since importing from each password manager is different, we have provided instructions for each under the name. Simply follow the instructions that we provide for the specific password manager that you use.


After importing, you can then begin to organize your sites into Groups as well as delete unnecessary or duplicate sites.



Importing from a Generic CSV File


If LastPass does not support importing from your current password manager, you may be able to import using a Generic CSV (comma separated value) file. Check whether your current password manager has an option to export to a CSV file.


To import data from a CSV file, we suggest you use our Import Template found here:  Sample Import Spreadsheet.


If you use your own spreadsheet instead, it is important that the title of the columns match those in the template! The column titles can include any of the following: url, username, password, extra, name, grouping, type, hostname.


Fill the columns with the values you'd like for each entry (leave blank if the value is not relevant). Please note that 'extra' means either (1) the notes section of a site entry or (2) the body of a secure note, and 'grouping' is the group (or folder) where you would like the item to be stored in your vault.


Instructions for importing Sites

To import Site data you must define at least the following values: “url” (typically this will be the login url), “username”, “password” and “name”. “extra” and “grouping” are other fields that you might consider.

Instructions for importing Secure Notes

To import data as a generic Secure Note, enter the values as follows: “url” = http://sn, “extra” = the contents of the note. Give the note a “name”, and then consider adding “grouping”. It is important to leave the username and password columns blank.

Instructions for importing Server Login credentials

To import data as a Server Secure Note, enter the values as follows: “url” = http://sn, “type” = server. You must also populate “hostname”, “username”, “password” and “name”. In this case, you must enter the username and password in the actual username and password columns of the template, rather than the 'extra' section. Consider adding “grouping”.

Please click here to download our Sample Import Spreadsheet, which includes examples of all 3 of the aforementioned data types.
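
A pre-import check for the three row types described above, as an added example (not LastPass code): it validates a Generic CSV against the column titles and per-type required fields listed on this page before the file is imported. The function names, the exact-match treatment of column titles and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Column titles this page lists for the Generic CSV import.
ALLOWED_COLUMNS = {"url", "username", "password", "extra",
                   "name", "grouping", "type", "hostname"}
NOTE_URL = "http://sn"  # marker URL the page gives for Secure Notes

# Constructed sample input: one valid row of each type, then two bad rows.
SAMPLE = """\
url,username,password,extra,name,grouping,type,hostname
https://example.com/login,alice,CONSTRUCTED-pw-1,,Example site,Work,,
http://sn,,,Door code is in the safe,Office note,Work,,
http://sn,root,CONSTRUCTED-pw-2,,Build server,Servers,server,build01.example.com
http://sn,bob,CONSTRUCTED-pw-3,Wifi details,Bad note,Work,,
https://example.org,carol,,,,Work,,
"""


def classify(row):
    """Return 'server', 'note' or 'site' for one row, per the page's rules."""
    if (row.get("url") or "").strip().lower() == NOTE_URL:
        if (row.get("type") or "").strip().lower() == "server":
            return "server"
        return "note"
    return "site"


def check_row(row):
    """Return (kind, problems). Problems name fields only, never cell values."""
    kind = classify(row)
    # Columns that actually hold a non-blank value in this row.
    filled = {k for k, v in row.items()
              if k and isinstance(v, str) and v.strip()}
    problems = []
    if kind == "site":
        required = ["url", "username", "password", "name"]
    elif kind == "server":
        required = ["hostname", "username", "password", "name"]
    else:
        required = ["extra", "name"]
        # A generic Secure Note must leave the credential columns blank.
        for col in ("username", "password"):
            if col in filled:
                problems.append(f"{col} must be blank for a Secure Note")
    problems += [f"missing {c}" for c in required if c not in filled]
    return kind, problems


def validate_import_csv(text):
    """Check header titles and every data row; return a report dict."""
    reader = csv.DictReader(io.StringIO(text))
    # Assumption: titles must match the template exactly (case-sensitive),
    # ignoring only surrounding whitespace.
    reader.fieldnames = [h.strip() for h in (reader.fieldnames or [])]
    unknown = [h for h in reader.fieldnames if h not in ALLOWED_COLUMNS]
    report = {"unknown_columns": unknown, "rows": []}
    for row in reader:
        kind, problems = check_row(row)
        report["rows"].append((reader.line_num, kind, problems))
    return report


if __name__ == "__main__":
    result = validate_import_csv(SAMPLE)
    print("unknown columns:", result["unknown_columns"])
    for line_no, kind, problems in result["rows"]:
        print(f"line {line_no}: {kind}: {'; '.join(problems) or 'ok'}")
```

The report names fields only and never echoes cell values, since an export file like this holds passwords in plaintext.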



 

Passive Imports


Certain password managers simply do not support export functions. In these cases you can still use LastPass to pick up this data through a 'passive' import. This entails running both password managers simultaneously, having your former password manager enter your login credentials into a site, and then using LastPass to pick up the filled website entry.

Importing into Shared Folder


Please note that importing into shared folders is currently not supported. If the name of a shared folder is listed in your CSV file, you will encounter an error upon attempting to import into your LastPass Vault. Once you import your credentials, rather than moving them from the general folder to the shared folder in batches of 10 (the limit for drag and drop), simply right click and ‘rename’ the regular folder with the name of the Shared Folder where you would like them to go. Please note you will have to pre-create the Shared Folder before using this method to move sites.

Link Personal Account

The Link Personal Account tool now allows LastPass Enterprise users to link their Personal LastPass Accounts with their Enterprise Accounts.  This enables users to access their personal LastPass entries while using their Enterprise Account, all while keeping the two accounts separate.

To set up a linked personal account, log in to LastPass with your Enterprise credentials. Go to the LastPass Plug-In -> My LastPass Vault, and click on the "Link Personal Account" link on the left-hand actions menu. Follow the prompts.


Once linked, the user's personal account will appear in their Enterprise Account as a separate folder in the account under the personal username/email address.  This personal folder is essentially a Shared Folder between the Enterprise Account and Personal Account, and is subject to the same restrictions and properties that a Shared Folder is limited to.  These restrictions can be read about at the Shared Folders page.

Data can be moved from the Personal Linked Account Folder to the Enterprise Folder, and vice versa. Click here to learn more about migrating data between accounts.

Migrate Data from Personal to Enterprise

Migrate Data Between Accounts


Often new LastPass Enterprise users already have an existing personal account which contains some work-related tools. In this case, it is easy to create a new account and migrate the data between the two. Once the two accounts are linked, data can be migrated from a personal account to an Enterprise account through the drag and drop method between folders. Here are two migration scenarios:

The user already has a LastPass account under his/her work email address. He/she wants to change this to a personal account and then migrate data from personal to Enterprise:

  1. Change the username/email address on your existing account from work to personal (LastPass Plug-In -> Preferences -> Account Settings -> email)

  2. Create a new Enterprise account (invite must come from your Admin)

  3. Ask your Admin to remove the old account from Enterprise (if it was already in the system)

  4. Link your personal account to your work account (log into your Enterprise account -> vault -> Link Personal Account. Click here to learn more about linking accounts.)

  5. Look for the new personal folder in your Enterprise vault (the folder name will be your personal username)

  6. Drag and drop any relevant sub-folders or sites from the personal folder to any Enterprise folders (or right-click > move to group)


The user has a LastPass account under his/her personal email address that is already tied to the Enterprise. Skip step 1 above. Otherwise the process is the same.

FAQs


Can my employees move data from their Enterprise account into their Personal account?
By default, yes. However, this can be prevented by enacting the policy to prohibit updating personal account.

Can my employees move data from Shared Folders to their Personal account? 
Data cannot be moved directly from a Shared Folder to the personal account, but it can be moved from the Shared folder to the Enterprise account, and then to the personal account. This too can be prevented via policies and user permissions.

Implementation Guide



Every implementation of LastPass is different based on your unique environment and program goals. The following is meant to serve as a high level guide with just some of the features and options you might consider when implementing LastPass Enterprise. 

Phase I: Proof of Concept 




  1. Follow the prompts and submit LastPass Trial Request Form to initiate a free, 14-day trial including up to 10 staff members.

  2. Weigh provisioning options and software installation options, and determine best path for your enterprise.

  3. Review the policy options and determine relevance for your enterprise.

  4. Create at least 5 beta test accounts from the 'create new users' tab of the Admin Console.

  5. Populate the beta accounts with top sites and applications utilized by your employees. Test all logins to make sure that they are functioning seamlessly.

  6. Determine who will need Admin rights within your enterprise and assign them from the Users tab of the Admin Console. Conduct Admin training as necessary.

  7. Determine if cloud-based Single Sign-on (using SAML) is needed/wanted. Advise your LastPass representative if support is needed for any new applications not already available. Integrate and test the desired applications.

  8. For larger implementations, consider training one or more internal helpdesk contact(s) for end user support.

  9. For larger implementations, determine how much education/tutorials you intend to push out to your staff. Most enterprises send only the welcome email.

  10. For larger implementations, consider customizing the welcome email to include internal helpdesk contact.

  11. Review the automated user notification options found here. These notifications are very important for driving adoption and for optimizing employee use of the service to improve the safety of your corporate data.


Phase II: Enterprise-wide Roll Out 

  1. For larger implementations, download the software to all work stations.

  2. Purchase your LastPass licenses.

  3. Provision all users, or provision in batches, per your preference.  If using the Sync Client with ‘pending users’ configuration, then go to the ‘pending users’ page to ‘accept’ all users for whom you would like accounts to be provisioned.

  4. Determine if any new users should be granted LastPass Admin rights. If so, assign them from the Users tab of the Admin Console. Conduct Admin training as necessary.

  5. Create User Groups to help facilitate the assignment of policies and/or Shared Folders.

  6. If using cloud-based Single Sign-on (using SAML), activate the desired groups/apps.

  7. If sharing credentials is desired then have each divisional manager consider their shared folder structure – (1) one universal folder or multiple, (2) who will have admin versus standard access and hidden/visible, (3) what sites/secure notes will be shared. Create shared folders and populate with desired sites. (Folders can be created at any point in time).

  8. Owners assign Shared Folders to the appropriate users/groups.

  9. Report any bugs or enhancement requests to LastPass using the ticket system.

  10. See the LastPass Training Kit for End Users for suggested training program and resources.

System Requirements

LastPass currently supports the following web browsers, operating systems and mobile devices:

Operating Systems





Web Browsers



Tablets (Premium and Enterprise Only)



Mobile Devices (Premium and Enterprise Only)



We strongly recommend that users download and run the installer from our website on all browsers they regularly use.

Notes on Google Chrome

It is recommended that you disable Chrome's built-in password manager by clicking on the Chrome menu >> Settings:



Then scroll down to select 'Show advanced settings' >> Passwords and Forms



And make sure these options have been disabled.

If you were previously using Chrome's password manager, the installer will also help you import your stored Google Chrome passwords into LastPass.  The installer can be found at  https://lastpass.com/lastpass.exe

If you continue to actively participate in Chrome's Beta and dev builds, you may find that LastPass runs into occasional problems. Contact LastPass Support with any suspected functionality issues.

*Known Limitations:


Logging in to the Enterprise Administration Console

LastPass Enterprise offers employers an Administrative Console where admins can add and remove employees, create policies, create roles and view reporting.

To open the Enterprise Console, click the LastPass icon on your browser bar and select 'Enterprise Console'. This option is visible to LastPass Administrators. The creator of a LastPass trial is made Admin by default. He or she can then assign admin rights to any other users from the Users tab of the Admin Console.


Clicking on the 'Enterprise Console' option will open the home page of the Admin Console shown below.




Reporting

LastPass offers extensive reporting geared at helping you safeguard your data and build compliance. Click on any of the following categories of reports to learn more:

Logins: Every login, password/username update, or form fill attempted or completed by your LastPass Enterprise users.

Shared Folders: A summary of all Shared Folders under your Enterprise account, including assigned staff and their access rights relative to each folder.

Admin Events: A log of most activities taking place with the Admin Console.

Notifications: A user status summary report combined with easy-to-use email templates designed to automate end user alerts relative to LastPass inactivity or sub-optimal use.

 

 

 

Reporting - Login Reports

The Login Report is a comprehensive log of every login, password/username update, form filled, and site deletion that is attempted or completed by your LastPass Enterprise users. The reports can be filtered by date range, or by user and can be exported to Excel for back up.  There is a link on the page to a key explaining what each action designation means.

 


 

Users Sub-tab

The 'Users' Sub-tab: This tab provides you with a complete list of all LastPass accounts that have been provisioned under your enterprise, and several actions that can be taken on each:


 

 

User Details - this report offers a summary of the user’s account including their general account information, security check score, policies they are subject to, shared folder access and groups they are a part of. You can click on several of these headings in order to see a detailed list pertaining to his/her account including all of the policies that are active on the account and any folders that have been shared or created by the user. Scroll to the bottom of the page and click 'Click to see sites' to see a full, read-only list of all entries stored in the user's account.


 

Usage Reporting - redirects you to the full reporting tab within the console.

Edit Name - assign a nickname to the account that may be more recognizable to you than the user's email address.

Make or Remove Admin – you can promote any number of users to admin status and remove this status at any time. Granting Admin rights means that the individual will have full access to the Admin Console.

Reset Password - This option will be available only if the 'Super Admin - Password Reset' policy is enabled and if the user is 'eligible' for reset. For more information, see the 'Super Admin - Password Reset' policy at the bottom of the Policies page.

Disable User - temporarily disable the user's account making it inaccessible to them but not deleting the account entirely.

Edit roles - This is for legacy 'roles' users. For new users, we would recommend sharing using the 'Shared Folders' feature instead. To learn more, click here: Shared Folders.

Require Password Reset - This will force the user to manually reset their master password.  They will receive the notification to do this the next time the user logs in.

Delete User and Remove User from Company: At the bottom of the list you see ‘delete user’ or ‘remove user from company’. This is a decision that you should weigh carefully. ‘Delete user’ will delete that user’s account entirely. If the user has saved any personal logins or other data to their vault then they will no longer have access to that data. Some enterprises prefer the ‘Remove user from company’ option which will remove the user from your enterprise account, and will delete all Shared Folders from the user's account. With this option, the user will continue to have access to his/her account as a standard LastPass user.

Whether a user account is deleted, disabled or removed from the Enterprise, this will in no way impact any remaining users. For example, if the departing employee was an administrator of several Shared Folders, these folders will remain 100% available and intact for all remaining users. That said, there is a possibility that the folder will be left with no Admin. To avoid this scenario, you might consider enabling the Super Admin - Shared Folders policy.

As a best practice and an added precaution, we suggest that any shared credentials be changed upon the exit of an employee regardless of how you choose to manage their exit from LastPass. These changes to any Shared Folder will automatically sync to all assigned users, and this will give you an added layer of security.

SuperAdmin Password Reset: If an Admin has been designated for SuperAdmin Password Reset via policy, there will be an option on this user actions dialog to change the password for that particular user. This change will be immediate, and the Admin will be asked to create a new password for the account on the spot.

 

Shared Folders with Users Outside your Enterprise

LastPass now supports creating Shared Folders with users outside of your Enterprise system.  You can share any Shared Folder with up to three users that are not in your Enterprise.  These users can be free, premium, or in another Enterprise.  The only limit is that the maximum of outside users that can be added per folder is three.

To add an outside user to a Shared Folder, do the following:

  1. Go to your Manage Shared Folders link in your Vault as you normally would.

  2. Type in the email address of the user you would like to add and click 'Share.'

  3. The outside user will appear in your list of users and the user will receive an email invitation to accept the shared folder.

  4. Once accepted, the user will be added to the Shared Folder!

  5. Restrict what sites they see and change permissions as appropriate


If you run into the error:  "An Error occurred - Cannot retrieve any public keys. The user may need a sharing key to be created." This means that the user you are trying to share with does not have a sharing key. To obtain the sharing key, the user must log into the LastPass Extension at least once.

Full List of Policies

Click here for the full list of LastPass Enterprise Policies.

Reporting - Shared Folders

This report offers a master view of every Shared Folder created under the Enterprise. You can click on the column headings to sort alphabetically or by user. You can drill down on each folder to see the particular sites and notes that are contained within, as well as all assigned users and the specific access rights granted to each (i.e., hidden or visible access to the credentials, admin rights, read-only/write).

This report is read only. To guarantee Admin access to every Shared Folder created within the enterprise - including the login credentials of the stored entries, you must enable the 'Super Admin - Shared Folders' policy.

Top level: Shared Folder Report sorted alphabetically:


Detailed view of an individual shared folder:


Set-Up - Policies, Installing the Software and Provisioning Accounts

(1) Policies

(2) Create New User

(3) Install Software


 

Set-Up - Policies Tab

LastPass offers a number of configurable policies around security levels and password strength. Each policy can be applied to all users, or an inclusive or exclusive list of users. For example, you might elect to implement a policy that will prohibit the general workforce from exporting data, while your senior executives are exempt.   There are a number of important policy options on this tab. You should consider them carefully.  Click here for a  full list of LastPass Enterprise policies.

Click on the 'Add Policy' button in your Setup > Policies menu to create a new policy on your Enterprise Account (see screen shot below). Select your inclusive or exclusive group of users, or leave blank. And fill in the 'Value' and 'Notes' fields where applicable. By hitting save, the policy will be activated immediately:


 

 

Home Tab

The home page of the console gives you a summary of your account including the number of licenses that you already have and the option to purchase more. After your initial purchase, all subsequent purchases will be pro-rated to renew at the same time as your initial purchase. You can also view all past invoices from this tab.



The home page also provides you with a snapshot of all enterprise logins over the past seven days.


Finally, the home page offers important alerts regarding features that have been newly added to the Enterprise service.

 

 

 

 

Policies - Other Enterprise Options

On the Policies tab of the Admin Console, there are links to Manage Policies and to Other Enterprise Options. Other Enterprise Options takes you to a page containing the Never URLs, Only URLs and Equivalent Domain options.


Global Never URLs, Global Only URLs


Global Never URLs and Global Only URLs enable you to create whitelists and blacklists of URLs upon which you do or do not want LastPass to be enabled.

If there is a certain, select group of URLs upon which you do not want LastPass prompts enabled, you should enter these domains under the 'Global Never URL' box.

If you want to disable LastPass prompts altogether with the exception of just a select group of domains, then you should enter these domains under the 'Global Only URL' box. We do not recommend using Only URLs unless you have a very limited use case in mind.

Creating Equivalent Domains


You can also create ‘equivalent domains’. Equivalent domains allow you to manage a single login for different domains that are related. An example is Google and YouTube.  Since they are both owned by the same company, your login works on both sites. So rather than having the same login twice, you can have it for one and we will treat both domains equivalently.

 

Windows Login Integration

LastPass can invisibly integrate with the standard Windows Login process to automatically create new users and sign existing users in. Users within the LastPass Enterprise system will be provisioned using their Windows username followed by the @companydomain.com address that your Enterprise uses. New LastPass users will be created upon their first login to the Windows domain after the Login integration with LastPass is added. From that point on, users will log in to the Windows domain as they normally would, and will automatically be logged into LastPass as well.

Frequently Asked Questions



Q: What happens if a user's Windows username and company domain address that is used to log in outside of the work environment does not correlate to an existing email address?

A: If the Windows username@companydomain.com address does not correlate to an existing email address, the user will be prompted upon first logging into the account to set a security email address, which will be used for all communications regarding LastPass. This email address can be changed within the Account Settings at a later date by the individual user.

Q: Can a user set up a form of multi-factor authentication with LastPass while using Windows Login Integration?

A: Because we intend Windows Login integration to be a seamless login experience, we do not allow multi-factor authentication to be used when logging into the work environment where Windows Login Integration is utilized.  However, when logging into the LastPass account outside of the work environment, multi-factor authentication can be used on the account, as it would on any other LastPass account.

Q:  What happens if the user already has a LastPass Account under their work e-mail?
A:  If the username and password for the LastPass account are the same as the windows login and password, LastPass will attempt to login using these credentials.

Q:  What happens if the password the user has to login to Windows is NOT the same as the password for the pre-existing LastPass account?
A:  The user will see a bubble from LastPass icon in the tray that says "Login failed, does your Windows password match your LastPass password?"

Q:  What should the user do if his or her existing password does not match the Windows password?
A:  The user will need to login to LastPass using their existing LastPass password, go to Account Settings, and change the master password to match the Windows login password.

Q:  Could a user continue to use two different passwords for Windows login and LastPass login?
A:  Yes, a user could continue using two different passwords, one to login to Windows, and another to login to LastPass.  The AutoLogin to LastPass when logging into Windows would continually fail, though, and this would largely defeat the purpose of Windows login integration.

Q: If you delete the Windows domain login, can you manually log in to your LastPass account?
A: Yes, you can also manually login to your LastPass account using your LastPass username and password.

Q: Can you login anywhere using your LastPass credentials?
A: Yes, you can always use your LastPass Credentials to login to your account and gain access to your data.

LastPass Active Directory Synchronization Service

The LastPass Active Directory Sync Client is a Windows service that is run locally. The Client connects to your Active Directory using LDAP to support a variety of provisioning and management processes in LastPass:

AD Provisioning Synchronization Tool

(1) With this option enabled, you can feed relevant information from your AD into LastPass.
(2) Sync new user profiles to LastPass for automated provisioning of LastPass user accounts.
(3) Sync disabled or deleted user profiles to LastPass for automated termination of LastPass user accounts.
(4) Sync user groups to LastPass for policy designations, Shared Folders, and SAML application assignments.
(5) Apply filters based on your groups in AD so that only the relevant groups sync to LastPass.

Local SAML Authentication Client

(1) With this option enabled your employees will login to LastPass using their local domain credentials. (Even if employing the SAML SSO service, you should leave this option disabled if you prefer the use of a separate, dedicated master password for your LastPass accounts.)
(2) New LastPass user accounts will be provisioned on the fly when the user enters his/her local domain credentials for the first time.
(3) Once they are logged in to LastPass, LastPass will proxy all login requests to your AD for seamless single sign-on to any SAML-supporting services that you enable.

On-the-Spot Provisioning for SaaS Applications

LastPass supports on-the-spot/just-in-time provisioning for a number of cloud-based applications including Google Apps and Salesforce.com. Add the user in AD, and let LastPass take it from there. No local provisioning necessary.

Setting up AD/LDAP sync is easy. You simply download the client from the 'Set-Up - Create New User' tab in the Admin Console, and log in to LastPass. The first step is to log in with your LastPass Enterprise administrator login credentials:


After logging in, you will then be given an overview of each LDAP Active Directory sync option available and the settings that are currently in place:


Start by configuring the connection between LastPass and your Active Directory:


After configuring your connection, click on 'Actions' to configure the Account Provisioning and Deletion options.

To break down the options above:

"When a user in active directory is created you have the options:"

"Add the user in the Enterprise Console, but require approval" - This option will sync users between your AD and LastPass but will place them in LastPass under a 'pending' status, rather than immediately creating an account for each user. Click here to learn more about creating an account for 'Pending Users'.

"Automatically create user in LastPass" - When this option is enabled, LastPass will automatically create accounts for every new user, and send them an automated welcome email with a temporary password and instructions to create their individual Master Password.

"When a user in active directory is deleted:"

"Administratively disable the LastPass Account:"  This will 'lock' the Enterprise account, and free a license for other use; however, the account will still exist and be a part of the Enterprise.

"Automatically delete their LastPass account:"  This will completely delete the LastPass account and all data included in the account.  The license applied to it will be available for use on another account.

"Remove from the Enterprise account, but do not delete user:"  This will remove the account from the Enterprise system, free up the license, and turn the account into a regular LastPass account.  All data within the account will still be available for use to the user.

Click here to learn more about the LastPass account deletion options.

"When a user in active directory is disabled:"

"Administratively disable the LastPass Account:"  This will 'lock' the Enterprise account, and free a license for other use; however, the account will still exist and be a part of the Enterprise.

"Automatically delete their LastPass account:"  This will completely delete the LastPass account and all data included in the account.  The license applied to it will be available for use on another account.

"Remove from the Enterprise account, but do not delete user:"  This will remove the account from the Enterprise system, free up the license, and turn the account into a regular LastPass account.  All data within the account will still be available for use to the user.

"When a user in active directory is removed from group in filter:"

"Administratively disable the LastPass Account:"  This will 'lock' the Enterprise account, and free a license for other use; however, the account will still exist and be a part of the Enterprise.

"Automatically delete their LastPass account:"  This will completely delete the LastPass account and all data included in the account.  The license applied to it will be available for use on another account.

"Remove from the Enterprise account, but do not delete user:"  This will remove the account from the Enterprise system, free up the license, and turn the account into a regular LastPass account.  All data within the account will still be available for use to the user.

 

When you are done configuring the 'Actions', click 'Sync' to configure the fields, groups and users that you would like to sync between LastPass and your Active Directory:


To break down the options above:

"Sync user groups from AD" - When this option is enabled, the client will synchronize all groups from your AD into LastPass for the purpose of assigning policies.

'Filter Users': By specifying a sync filter within the AD sync client that includes only certain groups, you can limit which users are added to your Enterprise.

When you have completed the configuration, click 'Sync to LastPass'.  The LastPass Client will continually 'listen' for changes in your active directory and continue to add and remove users. The application window can be closed and the app will continue to run in the system tray.

 Configuring SAML Authentication



 Active Directory FAQs


 

1. Do you need to designate a specific computer to run the AD sync client?

No, you can run the service on multiple computers for redundancy.  The computers do not need to be dedicated to this purpose.  The computer must be running Windows XP or later and can be a  workstation or server.  In general, the AD sync client requires very little computer resources (memory, disk, CPU).  The sync client also should be deployed within your firewall such that it can connect directly to your AD or LDAP server.

 

2. If I add a new person to my AD directory, how will that update in LP and how often does it check for changes?

Once started, the AD sync client will register itself with your AD server.  When a change occurs, such as when a user is added, updated, or deleted, then the sync client will immediately re-check for changes.

 

3. Does it work with other LDAP directories?

Yes.

 

4. I have thousands of names in my AD, will it time out while sending to LastPass?

The AD sync client has been successfully tested with AD servers having more than 10,000 users.

 

5. If I have admin accounts built into our AD directory how do I make sure that they don't import into LastPass?

You can control what users are imported in two ways:

a) By specifying a sync filter within the AD sync client to include only certain groups.

and/or

b) By specifying within the AD sync client that users be added as 'pending' and then later having an admin manually approve users from within the Enterprise Administration console.

 

6. How do I keep the name of the group from my AD directory in line with the LastPass groups?

On the AD sync client configuration screen, there is an option labeled 'Sync user groups from AD' that can be enabled.

 

7. AD provisioning didn't work, what do I do?

Click on the 'Show Debug' link within the AD sync client. Copy the debug log to a text file and open up a support ticket at https://lastpass.com/support.php and attach the file to the ticket for us to investigate.

 

8. Do groups sync and work with Shared Folders, or just policies?

Just policies.  In a future version of LastPass we will be trying to enhance our AD sync support to include Shared Folders.

 

9. Is any functionality of grouping lost when syncing them via AD?

No, the functionality is still available.

 

10. Can I manually sync, automatically sync AD, both?

Both.  To automatically sync, simply leave the AD sync client running and it will detect changes and sync when needed.  To manually sync changes, simply start the AD sync client on an as-needed basis.

11. Does Active Directory Sync run as a service?

Yes. Once you set up and run the AD LDAP sync client it will run as a persistent service. If you restart your computer, the AD Sync client will automatically restart on reboot.

12. What exactly is accessed and how is it transferred?

The client accesses the username, name, group membership, email and account status, and transfers them via SSL to LastPass. With the SAML option enabled, the user's domain credentials are transferred via SSL to LastPass.

LastPass Provisioning API

LastPass exposes a public API that can be used by enterprise accounts to create users, deprovision users, and manage groups.

For a full list of the API details and instructions, please go to the:  Enterprise Console > Setup > Create New Users > LastPass Provisioning API option.

If you would like to use the API to automatically add users to shared folders, you will need to perform encryption operations yourself. Thus, you will need to know some things about the underlying encryption operations LastPass uses. They will be documented below.

Adding a User



The first step is adding the user. You must first choose the number of PBKDF2 iterations you plan to use. LastPass currently recommends 5000 as a balance between security and performance.

Once you have the username, password, and iterations you plan to use, you can first calculate the user's encryption key. It is generated using PBKDF2-HMAC-SHA256, using the username as the salt. Here is an example using the OpenSSL PKCS5_PBKDF2_HMAC() function (please note that the username and password should be UTF-8 encoded):

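#include <string.h>
#include <openssl/evp.h>

/* The username is the PBKDF2 salt; username and password are UTF-8. */
const char *username = "user@lastpass.com";
const char *password = "T5O89kkUMGYT";
int iterations = 5000;
unsigned char key[32];
PKCS5_PBKDF2_HMAC(password, strlen(password), (const unsigned char *)username, strlen(username), iterations, EVP_sha256(), 32, key);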

If this function call succeeds, the user's encryption key will be present in the variable "key".

Now that you have the user's encryption key, you can use it to generate the user's password hash. This is the hash that's passed to the adduser API as parameter passwordhash. Here is an example, continuing from the above:

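/* The key is the PBKDF2 "password" input, the password is the salt, 1 iteration. */
unsigned char hash[32];
PKCS5_PBKDF2_HMAC((const char *)key, 32, (const unsigned char *)password, strlen(password), 1, EVP_sha256(), 32, hash);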

If this function call succeeds, the user's password hash will be present in the variable "hash". Please note that you should hex-encode the hash before passing it to LastPass. Thus, passwordhash should always be 64 hexadecimal characters.

Generating RSA Keys



In order to immediately add the user to shared folders, you will also have to pass rsapublickey and rsaprivatekeyenc to the adduser command.

First, generate an RSA public/private key pair. This key must be 2048 bits.

Next, encode the public key in ASN.1 DER format. Then, hex-encode it. This is the value for rsapublickey that will be passed to LastPass. Click here to see an example of a valid rsapublickey.

Next, encode the private key in ASN.1 DER format. Then, hex-encode it. This is the value for rsaprivatekey that you will have to encrypt with the user's encryption key before passing it to LastPass. Click here to see an example of a valid rsaprivatekey.

Next, encrypt the rsaprivatekey using the user's encryption key. First, prepend "LastPassPrivateKey<" and append ">LastPassPrivateKey" to the rsaprivatekey. Then, encrypt via AES-CBC, using the first 16 characters of the user's encryption key as the IV. Pad via PKCS#7. Hex-encode the result to create rsaprivatekeyenc, which can then be passed to LastPass.

Once you have the passwordhash, rsapublickey, and rsaprivatekeyenc, you should be able to perform an adduser API call.

Adding a User to a Shared Folder



Now that you have created a user with valid RSA keys, you will be able to use the addusertosharedfolder API to add them to a shared folder.

First, retrieve the ID and encryption key for the shared folder you would like to add the user to. Click here to see these values for the shared folders you are in.

Next, you must encrypt the shared folder's encryption key with the user's RSA public key, first padding with OAEP. Hex-encode the result, which should end up being 512 hexadecimal bytes since you're using a 2048-bit RSA key. The result is what you should pass to LastPass as sharekey.

Next, you must encrypt the shared folder's name using the shared folder's encryption key. Be sure to encrypt the full name, including the "Shared-" prefix. For example, if your shared folder is named "LP", encrypt the string "Shared-LP". Use AES-ECB for this step, pad via PKCS#7, and base64-encode the result. The result is what you should pass to LastPass as sharename.

Once you have shareid, sharekey, and sharename, you should be able to perform an addusertosharedfolder API call.
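The three procedures above (Adding a User, Generating RSA Keys, Adding a User to a Shared Folder), carried through in one script. This is an added example, not LastPass code; it uses Node.js's built-in crypto module rather than the OpenSSL C calls shown earlier. Assumptions not stated on the page: AES-256 (because the keys are 32 bytes), the IV taken as the first 16 bytes of the raw key, SPKI and PKCS#8 DER structures, OAEP with SHA-1, and the shared folder key handled as 32 raw bytes; all function names are illustrative.

```javascript
// Added example, not LastPass code. Uses only Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

const PREFIX = 'LastPassPrivateKey<';
const SUFFIX = '>LastPassPrivateKey';
const OAEP = nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING;

// User's encryption key: PBKDF2-HMAC-SHA256, username as salt, 32 bytes out.
function deriveKey(username, password, iterations) {
  return nodeCrypto.pbkdf2Sync(Buffer.from(password, 'utf8'),
    Buffer.from(username, 'utf8'), iterations, 32, 'sha256');
}

// passwordhash: one PBKDF2 iteration over the key, salted with the password,
// hex-encoded (always 64 characters).
function passwordHash(key, password) {
  return nodeCrypto.pbkdf2Sync(key, Buffer.from(password, 'utf8'),
    1, 32, 'sha256').toString('hex');
}

// 2048-bit RSA pair, DER-encoded then hex-encoded.
// ASSUMPTION: SPKI (public) and PKCS#8 (private) DER structures.
function generateRsaHex() {
  const pair = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'der' },
    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
  });
  return { rsapublickey: pair.publicKey.toString('hex'),
           rsaprivatekey: pair.privateKey.toString('hex') };
}

// rsaprivatekeyenc: frame the hex string with the markers, then AES-256-CBC
// (PKCS#7 is Node's default padding). ASSUMPTION: IV = first 16 raw key bytes.
// The IV is deterministic: same key and input give the same ciphertext.
function encryptPrivateKey(rsaprivatekey, key) {
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, key.subarray(0, 16));
  return Buffer.concat([c.update(PREFIX + rsaprivatekey + SUFFIX, 'utf8'),
    c.final()]).toString('hex');
}

// Inverse operation, for self-checking before the API call. A wrong key
// either fails the padding check or yields text without the markers.
function decryptPrivateKey(rsaprivatekeyenc, key) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', key, key.subarray(0, 16));
  const plain = Buffer.concat([d.update(Buffer.from(rsaprivatekeyenc, 'hex')),
    d.final()]).toString('utf8');
  if (!plain.startsWith(PREFIX) || !plain.endsWith(SUFFIX)) {
    throw new Error('framing markers missing: wrong key or corrupt data');
  }
  return plain.slice(PREFIX.length, plain.length - SUFFIX.length);
}

// sharekey: RSA-OAEP under the user's public key, hex-encoded. A 2048-bit
// modulus gives 256 bytes, i.e. 512 hex characters.
// ASSUMPTION: OAEP with Node's default hash (SHA-1); shareKey is a Buffer.
function wrapShareKey(shareKey, rsapublickey) {
  const pub = nodeCrypto.createPublicKey({
    key: Buffer.from(rsapublickey, 'hex'), format: 'der', type: 'spki' });
  return nodeCrypto.publicEncrypt({ key: pub, padding: OAEP }, shareKey)
    .toString('hex');
}

function unwrapShareKey(sharekey, rsaprivatekey) {
  const priv = nodeCrypto.createPrivateKey({
    key: Buffer.from(rsaprivatekey, 'hex'), format: 'der', type: 'pkcs8' });
  return nodeCrypto.privateDecrypt({ key: priv, padding: OAEP },
    Buffer.from(sharekey, 'hex'));
}

// sharename: AES-256-ECB over "Shared-<name>", PKCS#7, base64.
function encryptShareName(folderName, shareKey) {
  const full = folderName.startsWith('Shared-') ? folderName : 'Shared-' + folderName;
  const c = nodeCrypto.createCipheriv('aes-256-ecb', shareKey, null);
  return Buffer.concat([c.update(full, 'utf8'), c.final()]).toString('base64');
}

// Demo with constructed inputs: the page's sample credentials and a random
// 32-byte stand-in for a real shared folder key.
function demo() {
  const password = 'T5O89kkUMGYT';
  const key = deriveKey('user@lastpass.com', password, 5000);
  const rsa = generateRsaHex();
  const shareKey = nodeCrypto.randomBytes(32);
  return {
    passwordhash: passwordHash(key, password),
    rsapublickey: rsa.rsapublickey,
    rsaprivatekeyenc: encryptPrivateKey(rsa.rsaprivatekey, key),
    sharekey: wrapShareKey(shareKey, rsa.rsapublickey),
    sharename: encryptShareName('LP', shareKey),
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const [name, value] of Object.entries(demo())) {
    console.log(name, value.length, 'chars');
  }
}
```

Decrypting rsaprivatekeyenc locally and checking for the framing markers before calling adduser catches a wrong key or iteration count early, since the server has no way to validate the encrypted private key.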

User Groups - for Policies and Shared Folders

User groups can be utilized to assign policies and/or Shared Folders. From the 'User Groups' sub-tab you are able to create user groups manually within LastPass Enterprise. Alternatively, for those that have elected to use the LastPass AD client, the client can be configured to sync user groups automatically from your active directory.

To manually create a new group simply hit Add Group and type in the name of the Group, for example, 'Executive Team' or 'Marketing'. Then simply move the appropriate employees from column A to column B, and hit 'Save'. Once the group has been saved, you can jump to either policies or Shared Folders, and assign either to the group accordingly.


Reporting - Admin Events

The Admin Events Report provides a detailed breakdown of all administrative actions taken via the Admin Console such as:

 


Set-Up - Create New User

Create New Users


You can provision new users via the 4 methods described below. You will want to weigh these options carefully before implementing LastPass across your organization:


(1) Batch Provisioning of Users (Windows/Mac/Linux)




(2) Automatic Provisioning Using Windows Login Integration



lastpassfull.exe -dl=<your domain name> -cid=<company ID> -chsh=<your ID> -winlogin --userinstallie --userinstallff --userinstallchrome --installforallusers -j "C:\Program Files\LastPass"


(3) LastPass Active Directory Sync Client



With this Client you can opt to sync user group information as well, which can be used in turn to assign policies and Shared Folders. Click here to learn more about the Active Directory Sync Client. Click here to download the client (scroll to the bottom of the page).

(4) LastPass Provisioning API




Enterprise Employee Welcome Emails

When using the Batch Provisioning option, LastPass will look up the email to determine if the username is new or existing. Based on this lookup, one of the two emails below will be sent by LastPass automatically to the end user:

New User (no existing account under that username):

Hi, your employer has created a LastPass Enterprise account for you. LastPass is a password management tool that allows you to safely store your everyday passwords behind a single Master Password. LastPass will then automatically log you in to your sites and applications, keeping your data secure while helping you be more productive.

Your username is ___________
Your temporary password is ____________

To get started, click here to reset your password.

Click here for a 5-minute introductory tutorial. Other helpful screencasts can be found at:
https://lastpass.com/support_screencasts.php.

Thanks,
The LastPass Team

_________________________________________________________________________________________________________

Existing User:

Hi,

You have been invited to join your company's LastPass corporate account. As an existing LastPass user, you have two options:

1) Use your existing LastPass account thereby tying your current account into your company's corporate account. Depending on your company's policies, this could eventually lead to the deletion of your account by your company's admin. To use your existing LastPass account, log into your LastPass account and click on the following link to activate your account.
Activate Your LastPass Account

2) Create a new account strictly for professional purposes. After creating this account, you have the option to link your personal account to it should you so choose (click here to learn more). Click here to create a new account: Create a new Account and then follow step 1 to associate this new account with the corporate account.

Thanks,
The LastPass Team

 

 

 

Shared Folders

A ‘Shared Folder’ is a special folder in your vault that you can use to securely and easily share sites and notes with other people in your Enterprise account. Changes to the Shared Folder are synchronized automatically to everyone with whom the folder has been shared. Different access controls – such as 'Hide Passwords' - can be set on a person-by-person basis.  Shared Folders use the same technology to encrypt and decrypt data that a regular LastPass account uses, but are designed to accommodate multiple users for the same folder.

With Shared Folders:


Limitations of Shared Folders


The current limitations of Shared Folders are:


 

Creating and Using Shared Folders


To view a brief screencast regarding the benefits and use cases for Shared Folders, click here. For complete video instructions, click here.

To create a new Shared Folder, log in to your LastPass Vault and click on the ‘Manage Shared folders’ link from the ‘Actions’ menu:


This will take you to the main Shared Folders dialog:



This gives you the options of creating new shared folders, or editing and deleting old shared folders.  To create a new Shared folder, simply click Create A New Shared Folder.  You'll be taken to the new folder dialog, where you can enter a folder name.  Once you have given the folder a name, hit ‘Add’.



After creating, you'll be taken back to the main shared folder dialog.  In order to assign users, click ‘Edit’ next to any given folder and then select the appropriate group or user from the dropdown menu.  You can also add User Groups to Shared Folders.  Groups can be added and edited by LastPass Administrators only. All users who are a part of the group will be given access to the Shared Folder once you add the group.



 

With each user or group, you have several additional choices regarding access via the Edit Screen and when you initially add the user or group to the folder:





Once you have made these selections, hit ‘Share’ and the user will be added to the list of assigned users. Next to each user’s name you will see the ‘Restrict’ and ‘Remove’ options: The ‘Remove’ button will remove the user from the folder which will automatically delete the Shared Folder from the user’s Vault – thereby preventing any future access to the sites or notes within the folder.


Now that the folder has been created and is in your Vault, you can proceed to populate the folder with sites and Secure Notes via several methods:

  1. Drag and drop

  2. Right-click in your vault and select 'Change Group'

  3. Edit site (in plugin) and select 'Change Group'

  4. Add a new site and set the 'Group' to the Shared Folder name


 

Adding User Groups to Shared Folders


You can add users to Shared Folders using User Groups.   This is a quick and easy way to add pre-made groups of users to Shared Folders.  User groups are added to Shared Folders just like individuals; the groups are available in the dropdown list of users when you create or edit a Shared Folder.  You can set 'Read-only', 'Hidden Passwords', and 'Can Administer' access once for the entire group.  You can also restrict what sites the group can view just like you can for an individual user.  When adding groups to Shared Folders, there are a few things to keep in mind to avoid conflicts:

Important note: Savvy end users could potentially access a hidden password if they capture it using advanced techniques during the login process such as using another password manager. LastPass recommends that you ensure that you've used a generated password specific to the individual site that you are sharing, and that you refrain from sharing any passwords that you are uncomfortable with the recipient obtaining. Regardless, LastPass helps facilitate the seamless update of passwords so that you can change them frequently and at a moment’s notice, without your end users even knowing that an update has taken place.

Active Directory Synced Groups and Shared Folders


You can use  the LastPass Active Directory Synchronization Service to automatically provision and sync users and user groups from your Active Directory into your LastPass Enterprise. LastPass also recommends provisioning users with our simple LastPass Provisioning API.


Set-Up - Install Software

Install the Software


First, Download the LastPass Enterprise Client Software



Then, Choose An Install Option That Best Suits Your Organization's Needs


OPTION A: Manual Installation Using the GUI Install Wizard



  • Double click the downloaded file to open the GUI install wizard and follow the steps.
    LastPass requires administrative rights to be installed. If required, the installer will prompt you for your Administrator's credentials, which you will have to manually enter.


OPTION B: Silent Installation From an Administrative Command Prompt



  • Open an Administrative command prompt and run the LastPass client software as follows:

    For 32bit Windows: lastpassfull.exe --userinstallie --userinstallff --userinstallchrome --installforallusers -j "C:\Program Files\LastPass"
    For 64bit Windows: lastpass_x64full.exe --userinstallie --userinstallff --userinstallchrome --installforallusers -j "C:\Program Files\LastPass"
    For Mac OS X: sudo installer -pkg lpmacosx.pkg -tgt /


  • The above assumes that the Administrative user has an account on the computer where LastPass is being installed. If this is not the case, such as when installing LastPass into a 'Standard User' Windows Active Directory account, then you must also specify the Standard User's Windows username as follows:

    For 32bit Windows: lastpassfull.exe --userinstallie --userinstallff --userinstallchrome --installforallusers -j "C:\Program Files\LastPass" --windowsuser="johndoestandarduser"
    For 64bit Windows: lastpass_x64full.exe --userinstallie --userinstallff --userinstallchrome --installforallusers -j "C:\Program Files\LastPass" --windowsuser="johndoestandarduser"
    For Mac OS X: Not applicable


  • You can use this option in combination with a login batch file to automate installation.


OPTION C: Install MSI File Using GPO (Group Policy Object)




    • Download the MSI Installer.

    • If you do not want to use our Windows Login Integration to automatically provision and log users in, skip to the final step.

    • If you want to use automatic provisioning, you will need to use Microsoft's Orca to edit the MSI to assign the necessary parameters.

    • Add the following variables under the properties table:

      Property    Value
      CID         generated automatically in LastPass Enterprise Admin console
      CHSH        generated automatically in LastPass Enterprise Admin console
      DL          your domain name
      WINLOGIN    -winlogin


  • Save the MSI and close Orca.  (If you leave Orca open and try to run the MSI, it will fail)

  • Set up a Software Installation via a GPO and specify lastpass.msi as the install package.


FINALLY, OPTIONALLY CUSTOMIZE YOUR INSTALLATION


All of the above options will install the LastPass extension into Internet Explorer (Windows only), Firefox and Chrome as well as LastPass for Applications on Windows and the Safari extension on Mac OS X. Click here to show additional installation command line arguments for Windows.

 

Users Tab

The 'Users' tab of the Admin Console includes all of the tools that you need to manage your users:




 


Reporting - Notifications

The Notifications Report is a summary of various critical user statuses around which additional education or training may be warranted. These statuses include such criteria as 'inactive user', 'over 3 duplicate passwords' and 'over 5 weak passwords'.  You can set up which notifications you would like to see on this page under the Add Notifications link.   The goal of this report is to help optimize the use of LastPass among your end users to help improve the security of your company's digital assets. This report is your first line of defense in the campaign to educate users on the importance of good password hygiene, and how to get there.

The Notifications Report also includes quick and easy email templates that can be programmed by the administrator to dispatch automatically on a configurable time-frame.

 


Pending Users (Only for Active Directory Sync Client Users)

The 'Pending Users' sub-tab: This tab is strictly for those companies that have chosen to utilize the LastPass AD Client to sync with Active Directory and who have configured the client such that new users from AD are added to LastPass as pending, rather than being automatically provisioned. To provision a LastPass account for a pending user, select the user and then click on 'Accept Checked'. Upon this action, LastPass will automatically provision an account and dispatch an automated welcome email to the user. To remove a user from the list, select the user(s), and click 'Reject Checked'.


SAML Support for LastPass Enterprise

LastPass SAML support allows you to utilize your LastPass account as the single sign on point for a growing number of domains and associated services.

SAML will allow your employees to access their favorite services simply by being logged into LastPass.  Once logged into LastPass, and navigating to the service's URL,  the user will not be presented with an additional login screen - they can immediately use the apps they need every day.

Using SAML does not prevent you from logging in with your previous domain password, or prevent your mobile device from accessing via the account password.

Setting up SAML in LastPass Enterprise


To set up SAML in LastPass Enterprise, first go to your Enterprise Console, and select the SAML tab at the top of the console. You will then be taken to the main SAML page:


Then, click on the icon of the App for which you would like to set up LastPass SAML. Upon clicking on the icon, you will be shown a page with specific instructions on how to set up SAML for that app:

 


Once you use the instructions to set up LastPass SAML for the service of your choice, you can use the tools under that service's specific tab to pre-populate your users' vaults with a link to login to the service.  While setting up SAML ensures that your users will no longer need to enter any other credentials after logging into LastPass, in some cases they may need to go to a specific URL in order to be automatically logged into the service.  In the example above, while mapping SAML for Google app services, users may need to navigate to a specific URL on the google.com domain.  Setting up SAML will give you the specific URLs that you may need to use depending on the service you're using.  Once you have established which URL you need, you can push it to all users.  To learn more about pushing a site to your users and pre-populating their Vaults, please see our specific Push Sites to Users page.

After using the initial set up instructions, you can then go to the SAML user Map subtab for the particular app you're setting up.  From this tab, you are able to map the application username to the LastPass usernames of your employees:


By clicking Edit on a specific username, you can edit the individual mapping of the usernames from LastPass account name to the service account name:

 



 

Supported Apps


We are working to support new apps with LastPass SAML all the time. We currently support Box, Citrix Share File, Egnyte, Google Apps, Mantis Bug Tracker, Microsoft Office 365, Moin Moin, SalesForce, Success Factors, Wordpress, Xmarks, Zendesk, ADP, Atlassian, Concur, Joomla!, phpBB, Shibboleth and Workday. We also allow custom services. However, if you have a specific application you would like to see supported by LastPass SAML, please let us know by sending feedback through our support channels!

Push Sites to Users

LastPass Enterprise Admins now have the option of directly placing a site in a user's vault through our new Push Sites to Users feature.  This feature is helpful when you would like to pre-populate a site in a user's vault so the user will have this site to use upon his or her first login to LastPass.  Push Sites to Users is also helpful when used to push SAML specific URLs to services you have linked to your Enterprise using LastPass SAML.

Admins should note that Push Sites to Users is a much different feature than Shared Folders.  Push Sites to users places the site entry directly into a user's vault, rather than in a central folder accessible to all as with Shared Folders.  Once pushed, a site cannot be removed from a user's vault by the Admin, as it is in the individual's vault like any other site entry the user may have saved.  When considering which sites to push to users, please remember that you cannot remove this site at a later time.

Another unique aspect of Pushed Sites is that due to how the technology behind pushing sites works, any data you elect to push to your users is accessible on LastPass servers in unencrypted form until the data is pushed to a user.  Once pushed to a user, the data will leave the LastPass server and be encrypted in the user's individual vault.  This is NOT the case with Persistent Pushes, which will stay on the LastPass server until deactivated or deleted.  For more information on Persistent Pushes please see below.

How to Push Sites to Your Users


To push sites to your users, first login to your Enterprise Admin Console, and navigate to the Setup Tab.  From there, you will see a sub-heading for Push Sites to Users.  Once clicking the sub-heading, you will see a straightforward menu on what information to fill out when pushing sites to users:


 

The first option you have when pushing sites to users is to upload a CSV file containing the relevant site and username data that you'd like to push.  To download a sample CSV and learn the format and information needed to do this, use the Sample CSV file provided.

The second option to use is to manually fill out the site data that you'd like to push to your users.  To do this, you need to fill out this key information:

  1. User(s):  Select the User or User Groups you'd like to push the site to.  You can also select to push to All current and future users in the Enterprise, or all current and future members of a User Group.

  2. URL: The URL of the site entry that you'd like to push

  3. Name: The name you would like the site entry to have in the users' vaults

  4. Group: The name of the group you'd like this site to be added under in the users' vaults

  5. Username: The username the users will utilize to login to the site.  You can select to have this be the individual's full email address that is used as their LastPass account name, ONLY the username portion of their email, OR a custom username you manually enter

  6. Password: The password that will be used to login to the individual site

  7. Notes: Any notes that you would like to be entered into the notes portion of the site entry

  8. Favorite:  Designate whether or not you'd like this site to be marked as a Favorite in users' vaults


Once you have filled out this relevant information, you can now push the site to your user(s)!

 

Persistent Site Pushes


Persistent site pushes are when you have elected to push a site to a group of users or All users.  LastPass will keep this site information on our servers and push to any new users that are added to the User Group or your Enterprise at large (in the case of All).  This will occur until you manually delete or deactivate the persistent push.  When you elect to use a persistent push, this means the data is accessible to LastPass.  Due to how pushing sites works, this data is not in its encrypted form when waiting to be pushed.  Only upon entering the Vault will the data become encrypted using the users' encryption keys. You can remove or delete persistent shares by viewing your previously pushed sites.

 

Previously Pushed Sites


At the top of the Push Sites to Users page is a link to view a log of previously pushed sites.  This link takes you to a view of ALL previously pushed sites.  This is where you can deactivate or remove persistent pushes.


This page shows the name of the pushed site, which users or user groups it was pushed to, whether or not it was persistent, and whether or not the push is still active.  You can take three actions on this page regarding the previously pushed sites:

  1. Details: Viewing Details shows the individual users that had the site pushed to them.

  2. Deactivate: Hitting deactivate prevents persistent pushes from being pushed to new users.  This effectively turns the persistent push "off."  Sites can be re-activated at a later time to be "re-pushed" to any new users that have been added since the push was deactivated.

  3. Delete:  This permanently deletes the pushed site from the system.  PLEASE NOTE: This will not remove the site entry from the individuals' vaults, but only the push from the LastPass servers.


If you have any more questions on pushing sites to users, please contact our support team for more information.

 

Terminating User Accounts from Your Enterprise

There are several termination/removal options available to your LastPass Administrator. Please consider your options carefully prior to deleting or removing users. These actions can be performed from the Users tab of the Admin Console.

(Please note that all LastPass Enterprise licenses are transferable once an account is disabled, removed, or deleted.)

1.  "Disable User": Disabling a user in your Enterprise puts a lock on the account. No one - not even your LastPass administrator - can log in to the account regardless of passwords or previous access.  Once disabled, the license will be available for reassignment.
 
2.  "Remove User From Company": Removing a user from your Enterprise will disassociate (spin out) that user's account from your company account. With this action, LastPass will automatically delete all Shared Folders within the account. The account will otherwise still be fully available for use by the account owner, including all data that has been stored in the user's vault. Once removed, the license will be available for reassignment.

3.  "Delete User": Deleting an account FULLY DELETES ALL CONTENTS in the account. Any data stored within the account will be gone forever. Once deleted, the license will be available for reassignment.

4.  Resetting the Account's Master Password:  This option is only available if the Super Admin - Password Reset policy is in place. From the Admin Console, the Admin of the Enterprise can reset the master password on the account. This option can be leveraged under the following scenarios:

(1) You would like to lock out the owner of the account, but still allow Admin access. This can be helpful for audit purposes, in order to update and/or terminate any credentials to which the end user had access.


(2) If you would like to assign the entire account - with all of its contents - to another employee.


 Important Considerations 

LastPass for Applications

LastPass for Applications is included by default with LastPass Enterprise.  This program allows you to store your application logins just like the browser plugin allows you to save your website login credentials. Benefits:


Some applications will require a one-time training.  Applications, once trained, are trained for everyone in the enterprise.

Click here for more information on LastPass for Applications.

Mobile Apps

All mobile apps included in LastPass Premium are included in LastPass Enterprise!

https://helpdesk.lastpass.com/upgrading-to-premium/