With 1Password Business, you can restrict where your team can access 1Password. Create rules to allow, report, or deny sign-in attempts from certain locations or IP addresses.
You can adjust your team’s firewall policies if you’re an owner, administrator, or part of a group with the Manage Settings permission.
To create firewall rules, sign in to your account on 1Password.com, click Policies in the sidebar, then click Manage on the Firewall policy.
Create firewall rules
Choose to allow, report, or deny access by default, then add rules for exceptions. Rules are applied in order and stop when one matches.
To create a new firewall rule, click Add Rule. Then:
- Select Country or Continent and start typing to find the one you want.
- Select IP Address and enter an IP address or CIDR range.
- Or select Anonymous IP and remove the types that you don’t want to filter.
You can add multiple values to Country, Continent, and IP Address rules, and you can add as many rules as you want. For each rule, choose Allow, Report, or Deny. If you choose Report, team members can still sign in to 1Password; details will be added to your sign-in attempts report.
To reorder your firewall rules, click the up arrow or the down arrow to the left of a rule. To delete a rule, click .
When you’re done, click Save.
Important
If a team member has already signed in to a 1Password app on their device, they’ll have access to their local data even when they’re blocked by firewall rules. However, they won’t have access to any new changes until they’re in an allowed location.
If a team member has 1Password unlocked when you create or modify a firewall rule, the rule will be applied the next time they unlock 1Password.
For even more control, choose which 1Password apps can access each vault.
About IP addresses and anonymous IPs
To cover a range of IP addresses, enter a Classless Inter-Domain Routing (CIDR) range, like 1.2.3.4/24. Learn more about CIDR.
Anonymous IP detection is based on information from the MaxMind database . There are four types of anonymous IPs:
- Tor: IP addresses where Tor traffic appears to come from.
- Public VPNs: IP addresses registered to VPN services which hide someone’s true IP address.
- Public Proxies: Proxies that are available for free and publicly posted.
- Cloud Providers: IP addresses associated with hosting services that can be used as anonymizers.
Firewall rule examples
To only allow access from Canada:
| Rule | Action |
|---|---|
Country: Canada | ✅ Allow |
| All other locations and IP addresses | ❌ Deny |
To deny access from public VPNs even when they’re in Canada, but allow all other access from Canada and only Canada:
| Rule | Action |
|---|---|
Anonymous IP: Public VPNs | ❌ Deny |
Country: Canada | ✅ Allow |
| All other locations and IP addresses | ❌ Deny |
To only allow access from the office:
| Rule | Action |
|---|---|
IP Address: 1.2.3.4/24 | ✅ Allow |
| All other locations and IP addresses | ❌ Deny |
To allow access from the office, report access from Canada, and deny all other access:
| Rule | Action |
|---|---|
IP Address: 1.2.3.4/24 | ✅ Allow |
Country: Canada | 📄 Report |
| All other locations and IP addresses | ❌ Deny |