Teams and Businesses

Create firewall rules in 1Password Business

Learn how to use Advanced Protection to restrict where your team can access 1Password.

With 1Password Business, you can use Advanced Protection to restrict where your team can access 1Password. Create rules to allow, report, or deny sign-in attempts from certain locations or IP addresses.

You can use Advanced Protection if you’re an owner, administrator, or part of a group with the Manage Settings permission.

To create firewall rules, sign in to your account on 1Password.com, click Security in the sidebar, then click “Manage rules”.

Create firewall rules

Choose to allow, report, or deny access by default, then add rules for exceptions. Rules are applied in order and stop when one matches.

A group of firewall rules that deny access from anonymous IPs, allow access from Canada, and report access from all other locations and IP addresses.

To create a new firewall rule, click Add Rule. Then:

  • Select Country or Continent and start typing to find the one you want.
  • Select IP Address and enter an IP address or CIDR range.
  • Or select Anonymous IP and remove the types that you don’t want to filter.

You can add multiple values to Country, Continent, and IP Address rules, and you can add as many rules as you want. For each rule, choose Allow, Report, or Deny. If you choose Report, team members can still sign in to 1Password; details will be added to your sign-in attempts report.

To reorder your firewall rules, click or to the left of a rule. To delete a rule, click Delete.

When you’re done, click Save.

Important

If a team member has already signed in to a 1Password app on their device, they’ll have access to their data even when they’re blocked by firewall rules. However, they won’t have access to any new changes until they’re in an allowed location.

For even more control, choose which 1Password apps can access each vault.

About IP addresses and anonymous IPs

To cover a range of IP addresses, enter a Classless Inter-Domain Routing (CIDR) range, like  1.2.3.4/24. Learn more about CIDR.

Anonymous IP detection is based on information from the MaxMind database . There are four types of anonymous IPs:

  • Tor: IP addresses where Tor traffic appears to come from.
  • Public VPNs: IP addresses registered to VPN services which hide someone’s true IP address.
  • Public Proxies: Proxies that are available for free and publicly posted.
  • Cloud Providers: IP addresses associated with hosting services that can be used as anonymizers.

Firewall rule examples

To only allow access from Canada:

Rule Action
Country: Canada ✅ Allow
All other locations and IP addresses ❌ Deny

To deny access from public VPNs even when they’re in Canada, but allow all other access from Canada and only Canada:

Rule Action
Anonymous IP: Public VPNs ❌ Deny
Country: Canada ✅ Allow
All other locations and IP addresses ❌ Deny

To only allow access from the office:

Rule Action
IP Address: 1.2.3.4/24 ✅ Allow
All other locations and IP addresses ❌ Deny

To allow access from the office, report access from Canada, and deny all other access:

Rule Action
IP Address: 1.2.3.4/24 ✅ Allow
Country: Canada 📄 Report
All other locations and IP addresses ❌ Deny

Learn more

Published: