by AGKyle 3885 days ago
Really don't want to see anyone get down voted here for having an opinion. Different opinions are what drive conversation, so, I won't ignore your concerns here.

I'm not super big on the terminology, but I assume on-prem is on-premise, meaning you'd like to self-host. If I have that correct then unfortunately I can't promise anything here. I will most definitely pass this along to our team though so that they know there are some requests for it.

As for Active Directory integration, I'll be completely honest here and say I'm not totally sure how we can support this one. We use an email, an Account Key, and a Master Password to access and decrypt your data. There isn't just a password to decrypt; we also use your Account Key combined with the Master Password. This could potentially present some roadblocks to providing single sign-on support. If you're looking at it for group integration (i.e. User X is in Group Y in AD/LDAP, then they are in Group Y on 1Password for Teams), that might be a different story. I'll also pass your concerns and feedback on this one along.

I hope those are at least something, though I can certainly understand that it might not be to your liking. But if you have feedback or can help me understand things more I would certainly appreciate it. I'm just a developer and have never been a system admin, nor have I worked in a corporate environment. That leaves me a little green on those topics :)

Kyle

AgileBits


Correct - on-prem = on-premise.

AD integration meaning yes, ability to tie users/groups between 1password and existing AD infrastructure. The idea there being that if a user is terminated, and their AD account is deleted/locked out, everywhere else is locked at the same time. Having to go to 20 different systems to try to clean them out is a great way to miss accounts :)

Hey, thanks so much for that. Seriously, means a lot to come in here and know full well you're not really the right person to answer the question but give it a shot anyway and the other party is gracious enough to explain it.

I will definitely be passing this along so we have some proper request information on hand. My bosses are reading this, one has even interacted in this discussion already so they're seeing this already, but I'll make it a bit more official tonight when I write up a summary of what I've seen requested.

Thank you again for taking the time to make sure I was on the right track.

Kyle

AgileBits

Recommend including LDAP integration in addition to Active Directory. With such a large Mac user base, you're likely to have more customers using LDAP than AD.

Keeper Enterprise has AD / LDAP integration! Check us out https://keepersecurity.com/enterprise.html

1pw user here and long time AD architect. If you have any questions around AD/LDAP, I'd be happy to answer what is 'common' when dealing with AD-integrated solutions.
Ah, that is better. No promises (and nothing in the immediate future), but this does certainly remain in the realm of possibilities.

I don't want to speak for the down-voters (I'm not one of them and I think your comment was a valuable contribution), but when I first saw AD integration requests I assumed that people wanted AD-managed Kerberos authentication to 1Password for Teams, and so imagined delegating 1Password for Teams authentication and authorization to a third entity.

Don't get me wrong. I love Kerberos. And in very early planning stages we looked at it quite a bit. But Kerberos is only about authentication. We need client derived encryption keys as well as authentication tokens to achieve our security goals of end-to-end encryption.
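As an added illustration of the point above (this is example code written for this thread, not AgileBits' code or 1Password's actual key-derivation protocol; the KDF parameters, labels and toy cipher are assumptions), the vault key is derived on the client from both the Master Password and a high-entropy Account Key, while the server stores only a verifier derived from a separate authentication key. An identity provider that merely vouches for the user, or a party holding only the password, gets a token at best and never the encryption key.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed cost parameter, not 1Password's

def derive_keys(master_password: str, account_key: bytes, salt: bytes) -> dict:
    """Runs only on the client. The Account Key is a high-entropy secret that
    never leaves the user's devices, so the password alone, or an identity
    provider that merely vouches for the user, cannot reproduce these keys."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ROUNDS, 32)
    combined = hmac.new(account_key, stretched, hashlib.sha256).digest()
    # Domain separation: the server only ever sees a value derived from
    # "auth", which tells it nothing about "enc".
    return {
        "enc": hmac.new(combined, b"encryption", hashlib.sha256).digest(),
        "auth": hmac.new(combined, b"authentication", hashlib.sha256).digest(),
    }

def server_verifier(auth_key: bytes) -> bytes:
    """The only secret-derived value the server stores."""
    return hashlib.sha256(b"verifier" + auth_key).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode cipher for illustration; a real client
    would use an AEAD such as AES-GCM."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

def demo() -> dict:
    """Enrol a user, then compare a full client against a password-only one."""
    salt, account_key, nonce = (secrets.token_bytes(n) for n in (16, 16, 12))
    keys = derive_keys("correct horse battery", account_key, salt)
    verifier = server_verifier(keys["auth"])  # all the server keeps
    blob = keystream_xor(keys["enc"], nonce, b"vault item: db password")  # constructed
    again = derive_keys("correct horse battery", account_key, salt)
    no_account_key = derive_keys("correct horse battery", secrets.token_bytes(16), salt)
    return {
        "login_ok": hmac.compare_digest(server_verifier(again["auth"]), verifier),
        "round_trip": keystream_xor(again["enc"], nonce, blob),
        "password_only_login": hmac.compare_digest(server_verifier(no_account_key["auth"]), verifier),
        "password_only_plaintext": keystream_xor(no_account_key["enc"], nonce, blob),
    }
```

Nothing the server holds (salt plus verifier) lets it, or a delegated authenticator, reach `enc`; that is why an authentication-only protocol such as Kerberos cannot stand in for the client-side derivation.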

No, not delegated auth, although 2 factor might be nice.

Delegated user admin/sync would be what I'm looking for. Centralized user management along with RBAC makes it much easier to set policy.

Check out Keeper Enterprise. We have delegated auth, 2 factor, AD/LDAP sync and centralized user management with a policy engine. And much more :)

I see in your comments that you are a new user.

I have no issue checking Keeper out but two things to note:

1) It's considered good form to clearly disclose your affiliation

2) Repeatedly spamming/commenting a different product's thread isn't.

Comment once or twice. Feel free to submit your site to HN with something interesting (blog post?) and people will up vote accordingly if there is validity.

=)

We already use something like this product but with a vastly worse UI / UX from CyberArk. That's the kind of feature set you'll need to sell to companies that aren't already Mac users or larger than 1000 employees on a consistent basis. Unfortunately, you'll probably need to hire 5 new people per F100 customer at a minimum but if that sort of growth is what you want I assure you it's mandatory.

Please try, please help make the enterprise security software market suck less :(

We're up for that task :) https://keepersecurity.com/enterprise.html Would love to hear your thoughts if you haven't already checked us out.

Key points for that specific page from a UX perspective that may be a little off-base, but I'm trying to put myself in the shoes of some of the folks that have the purchasing power and are very much imperfect people.

1. Too much scrolling. Most of the people in these positions are in their late 40s, 50s and they are used to brochure-style pitches and just want to see some quick features on a single page probably. They are probably viewing this at work, not at home or even while commuting.

2. You need to emphasize compliance over the crypto standards - the compliance is what determines what is "good enough" anyway for your crypto strength requirements, and most execs don't care if you're using a more secure algorithm over another as long as it meets compliance and can be flexible enough to change in the future as requirements from a regulatory agency could change. Learn your acronyms to get attention from these folks (you have about 5 of the 30+ that Amazon Web Services is very informed about on their pages) - they won't care about a product unless they are confident that their vendor understands compliance very much. This is a huge reason for the shift by enterprise to AWS when people joked that it'd never pass enterprise muster - they started packing tons of alphabet soup and whitepapers along with reference customers at the right conferences. I might try to get a vendor partnership or something with someone to get a reputable logo namedropped onto that page or two specifically under compliance. The big win will be with an actual quote with a specific outcome from a reputable reference customer. That's hard in the security space but perhaps a F1000 could work instead of a F500 / F100...

3. Cost doesn't matter generally when it comes to enterprise purchases because for most start-ups what they can charge is insane (but is a problem for people-centric tech vendors like old school software companies that are themselves very bloated and inefficient capital-wise), $1M is a rounding error for most F100 companies and POCs are paid maybe like, $100k for a few months or so maybe, which is easy to float most start-ups even with a regional account manager that commands a $600k / yr comp package. So don't bother with a pricing section, it'll go out the door in the middle of negotiations anyway.

4. Password management of endpoints is not mentioned and that's a huge reason that companies buy software like this, not for team / user passwords (the user penetration rate compared to shared sticky notes and tribal knowledge is pretty poor - trust me, I don't even do it and I just drop it in a private gist or something because just logging into a system is enough inconvenience).

5. No prominent "talk to a representative" kind of link. Most of these people want to talk to a human / sales person first (they want a throat to choke if things go wrong - they want a relationship, not a product / service), and they don't want to read a whitepaper probably either. Some rather technical folks will be interested, but the number of info security executives I've seen that are still technical to the degree they could understand a solid security paper in a F100 are countable on one hand from my experience.

From a more abstract level, it really doesn't sound the most friendly / human-centric of a pitch to me, it might as well be a set of bulletpoints. It doesn't look like a "here are your problems, here's how we'll solve them" narrative. Most successful enterprise and b2b pitches are based around demonstrating you have competency in solving the fundamental problem through using your product / service, not selling the technical product or anything at all. For example, Square had the problem where they were compliant, simple, and everything awesome after tons of feedback, but merchants didn't care. Then with some real-life reference users they broke through.

For a reference point of "quality," the CyberArk vault implementation in place where I'm now is horrifically bad - 8 character passwords rotated through maybe every day, and passwords are locked when a user checks it out, and only administrators can break locks on "checked out" passwords. So it means single user mutual exclusion root access to a server. Supposedly we don't use anyone else because nobody else would bend to the really bad / insecure demands we asked, but I am no authority on the steps that led to such a poor system.

The enterprise security model is that every administrative access to systems must be gated somehow behind 2FA or a physical presence (ID badge swipe works). VPN counts perhaps, but then we're asked for 2FA again when accessing passwords. But even with this secrets store system most admins that are productive here don't use it because it's so restrictive UX-wise (it doesn't support ssh key access, for example). There's a separate effort going on for ssh key management that's being custom-developed with some partners, and that'll take so long it'll be 2017 probably before it's released.

Anyway, best of luck. Enterprise is a hard space to break into but once you're in you're basically in for life at this point even if your software is so bad that it directly causes the death of someone... unless a lawsuit is involved. Then you're out the door in less than a week. That's the only thing I've seen enterprise companies take swift action on that destroys start-up competencies - legal issues.

I realise you may not want to do Active Directory, however it is quite common even in small companies -- and you can even get AD via Azure nowadays. Even lots of Mac-only shops have AD.

Maybe v1.x doesn't need AD, however it's something the dev team should definitely consider for later versions. Beyond that, it's really up to AgileBits about how much of the large-corporate market they want to cater for (companies like Centrify seem to have found a niche there).

Thanks for listening.

Hi there!

Sorry for the delay in responding. Seems I managed to skim past your comment several times before noticing it.

I don't know if it's a "not want" so much as "technically difficult" due to the way we handle the encryption.

Your feedback will definitely be passed along to the team though!

Kyle

AgileBits

Second on the request for on-prem and AD integration.

Maybe you can explore Okta integration as possibly a faster route to AD integration.