The UChicago 1Password service provides a platform for Unit IT to offer an enterprise password manager to supported users. Admins can provision accounts for any employees (including faculty, staff, temporary employees, and students) that they support. Unit IT staff can request this service for their unit through ServiceNow.
In addition, all business license holders have the option to claim free licenses for personal and family use. Starting Autumn Quarter 2025, students will have the ability to claim personal/family accounts. All personal licenses are contingent on affiliation with the University and are supported directly by 1Password.
Roles and Responsibilities
Information Security
- Manage service, platform integration, and licensing
- Configure Enterprise Policy - see 1Password Policies (Box link requires sign-in)
- Support Unit IT admins
- Provide documentation specific to our use of 1Password to complement the vendor docs
- Facilitate support from the vendor as needed
- Provision Unit IT with admin accounts and a method to directly provision user accounts
- Create custom groups
- Communicate and collaborate regarding significant service changes
- Manage documentation and processes for business user and student access to personal licenses
- Monitor enterprise activity for unauthorized use and report on security concerns with user passwords
Unit IT Admins
- Communicate significant planned or actual changes in license needs
- Maintain continuity plan for Unit's IT admin role and closely manage admin accounts and privileges. Notify Security when administrators change to ensure permissions and access are appropriately adjusted
- Ensure admins are members of the 1Password email list
- Ensure that Security has correct information to refer their users for support (if users contact ITS or Information Security directly)
- Provision and deprovision users
- Assist Unit managers/HR with offboarding users to maintain business continuity
- Deploy software to users via automated or manual means
- Assist users with account recovery
- Support users in daily use (in conjunction with 1Password materials, training, etc.) including:
- Create and manage shared vaults requested by users
- Manage custom group membership and use
- Assist users with questions regarding sharing items
Business/Enterprise Users
- Use their Employee Vault and provided Shared Vault(s) for business purposes
- Set up and use their Personal Vault for any personal passwords
Personal License Users
- Business license users will be able to add a personal 1Password license that can be used in parallel with the UChicago account; the personal license is supported by 1Password directly.
- Students will be able to obtain personal 1Password licenses supported by 1Password directly.
How-to Manual for Unit IT Admins
This manual is oriented towards the most common activities that Unit IT will need to perform. You can also reference Vendor Support Resources, but note that they cover multiple license and configuration options so not all content is relevant to our service. Note that Units have two options for administrative roles: Unit IT Admins and Vault Managers.
- Unit IT Admins have a highly privileged role, including the ability to assist with Account Management, Domain Management, and Vault Management, and must be limited to a small number of senior full-time IT staff.
- Vault Managers hold only vault-level privileges (see Vault Management below). The number of Vault Managers can scale to whatever is needed to support the unit.
View the UChicago 1Password admin portal.
Account Management
Available to: Unit IT Admins
- Communicate significant planned or actual changes in license needs: email security@uchicago.edu with anticipated significant changes in the number of users who need 1Password licenses.
- Maintain continuity plan for Unit's IT admin role and closely manage admin accounts and privileges.
- Ensure admins are members of the 1Password email list: admins can be added/removed.
- Provision and deprovision users: provisioning is handled via Grouper using a group that was determined during service onboarding.
- Assist Managers/HR with offboarding users to maintain business continuity.
- The Grouper group used to provision your users with 1Password should have the closure flag so that account closure triggers account suspension. If it does not, you are responsible for manually removing separating users in a timely way.
- Develop an offboarding process to ask a departing employee to move passwords into a team's Shared Vault or an Offboarding Vault that you create for the manager/team.
- Deprovision the account of the departing person using Grouper. Deprovisioned accounts are suspended. After 60 days of suspension, the 1Password account is permanently deleted. Note that 60 days is the closest option 1Password provides to the University's 45-day account closure.
- For situations in which a 1Password user simply needs to be deauthorized and never needs access again, the process is straightforward. When a user account is removed from the 1Password group by an admin or by Day 45 account closure, the account is suspended and later deleted.
- For situations in which a suspended account needs to be restored, the two key factors are the state of the 1Password account (active, suspended, or deleted) and the state of the user's access to their University email (enabled, disabled, or deleted), which is needed to restore a suspended account. An account removed from its authorizing group enters a suspended state in 1Password for 60 days. During that time the account is unusable but can be restored as-is: the admin re-adds the user to the group and the user completes account recovery. After 60 days of suspension the account is permanently deleted. Because account recovery requires the user to respond to an email, the practical limit on restoration for users undergoing closure is Day 45, when email services are discontinued.
- Example scenario: On Day 1 of an employee separation Unit IT admins remove the user from the 1Password group which suspends the 1Password account for 60 days. If regular account closure begins that day for the account then the user's email access will cease on Day 45. At any point on Days 1-44 account recovery can be initiated by the Unit and completed by the user. From Day 45 onward the account will be unrecoverable until it is deleted on Day 60.
- Assist users with account recovery
- Account recovery in a single sign-on environment can be complicated. For support staff it is critical to understand how to prevent the need for account recovery. Most importantly, users should install 1Password in at least two places on initial enrollment (e.g. desktop app and browser extension), so that a second working installation remains available if one is lost or reset. For the conceptual background see Technical Overview of Zero Knowledge with Single Sign-On.
- Completing account recovery requires actions by the user and a Unit IT admin with account recovery permissions. The user can initiate the process or an admin can begin recovery from the console. The user must respond to an email from 1Password then the admin must complete the process in the console. Please note that the 1Password documentation covers non-SSO environments, so you will need to adjust accordingly (e.g. there are no Emergency Kits).
- Specifics of how to accomplish this may vary per unit, but all units must assist only their supported users and must verify with the user that they actually need account recovery before starting it.
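The offboarding timeline above has two independent clocks: the 1Password suspension window (60 days after removal from the Grouper group, then deletion) and University account closure (email access ends on Day 45). The page's scenario starts both on the same day; in practice an admin may remove the user from the group some days into closure, or closure may never start (a transfer within the University). The following model, added here as an illustration and not part of the service's own tooling, takes the day numbers from the page and generalizes to clocks that start on different dates. The date arithmetic, function names, and the treatment of separately started clocks are this example's own assumptions.

```python
"""Model whether a suspended UChicago 1Password account can still be restored.

Day numbers (60-day suspension, email ends on Day 45, "Day 1" = the day the
clock starts) are taken from the service documentation. The date arithmetic
and the handling of clocks that start on different dates are assumptions made
for this example.
"""
from datetime import date, timedelta
from typing import Optional

SUSPENSION_DAYS = 60     # suspended on Days 1-59, permanently deleted on Day 60
EMAIL_CLOSURE_DAY = 45   # email works on Days 1-44 of closure, disabled from Day 45


def _day_number(start: date, today: date) -> int:
    """Day 1 is the start date itself, matching the page's 'Day 1' convention."""
    return (today - start).days + 1


def account_state(removed_on: date, today: date) -> str:
    """1Password account state on `today` after group removal on `removed_on`."""
    if today < removed_on:
        return "active"
    return "suspended" if _day_number(removed_on, today) < SUSPENSION_DAYS else "deleted"


def email_state(closure_start: Optional[date], today: date) -> str:
    """University email state; `None` means account closure was never started."""
    if closure_start is None or today < closure_start:
        return "enabled"
    return "enabled" if _day_number(closure_start, today) < EMAIL_CLOSURE_DAY else "disabled"


def can_recover(removed_on: date, closure_start: Optional[date], today: date) -> bool:
    """Recovery needs a suspended (not deleted) account AND working email."""
    return (account_state(removed_on, today) == "suspended"
            and email_state(closure_start, today) == "enabled")


def last_recoverable_day(removed_on: date, closure_start: Optional[date]) -> Optional[date]:
    """Latest calendar date on which recovery can still be completed, or None.

    Last suspended day is Day 59 of suspension; last emailable day is Day 44 of
    closure. Whichever comes first bounds the window. If email is already gone
    before the account is even suspended, there is no recoverable day.
    """
    last_suspended = removed_on + timedelta(days=SUSPENSION_DAYS - 2)
    if closure_start is None:
        return last_suspended
    last_email = closure_start + timedelta(days=EMAIL_CLOSURE_DAY - 2)
    window_end = min(last_suspended, last_email)
    return window_end if window_end >= removed_on else None


if __name__ == "__main__":
    # Constructed sample: the page's scenario (both clocks start the same day),
    # then a late removal and a transfer with no closure.
    sep = date(2025, 1, 1)
    print("same-day start, last recoverable:", last_recoverable_day(sep, sep))
    print("removed 10 days into closure:", last_recoverable_day(sep + timedelta(days=10), sep))
    print("transfer, no closure:", last_recoverable_day(sep, None))
```

Running the module shows that starting suspension later than closure only shortens the window, since the Day 45 email cutoff is fixed by closure, whereas a transfer without closure keeps the full 59-day suspension window open.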
Domain Management
Available to: Unit IT Admins
1Password allows users to share individual items with others, even those without a 1Password account or at other institutions. We restrict sharing of individual vault items to recipients with email addresses in approved domains. If your users are prevented from sharing an item by this restriction, we can add approved domains that Unit IT Admins request. Please note that we can only approve domains for identifiable organizations doing business with the University. We cannot approve general-purpose domains like gmail.com.
1Password has the ability to monitor login items with usernames that include a university business domain as part of the email address. Business domains were established for each unit during onboarding. If new domains need to be added contact security@uchicago.edu. Benefits of identifying business domains:
- The Watchtower service monitors for breach notices.
- 1Password prompts users to move items from their Personal to Business Vault if the item username includes a business email address.
Vault Management
Available to: Unit IT Admins and Vault Managers
Create/manage shared vaults for users. When providing user access to a vault carefully set their permissions. The default Vault permission set for new users allows for most types of usage, without providing administrative or destructive capabilities. Adjust privileges as needed. For details see 1Password Policies (Box link requires sign-in).
- Understand vaults and permissions
- Create vaults using your naming convention (typically a prefix decided during onboarding)
Device and Software Management
Available to: determined by Unit, no 1Password role needed
Deploy software to users (desktop, browser extension, mobile) via automated or manual means. View new software releases. App stores for desktop operating systems (macOS, Windows) may not have the correct software installer. Do not use the app stores on those platforms unless you first validate what is provided.
Daily Usage