If you’re an administrator in 1Password Teams or 1Password Business, you can use mobile device management (MDM) to enforce stricter controls for employees who use 1Password on their devices. You can use these settings to configure 1Password using your MDM solution.
The preference domain for 1Password 8 for Mac is com.1password.1password. These settings must be applied using MDM and cannot be set manually using the defaults command.
Download a sample .mobileconfig profile.
General
These settings allow you to control basic options for the 1Password app.
| Setting | Key | Type |
|---|---|---|
| Start at login | app.startAtLogin | Boolean |
| Save new items in [vault]* | app.defaultVaultForSaving | String |
| Submit automatically with Universal Autofill | security.autofill.autosubmit | Boolean |
* If this string is left empty, 1Password will suggest a vault.
Security
These settings affect how a team member unlocks 1Password and uses data in it.
| Setting | Key | Type |
|---|---|---|
| Enforce unlock using Touch ID | security.authenticatedUnlock.appleTouchId | Boolean |
| Enforce unlock using Apple Watch | security.authenticatedUnlock.appleWatchUnlock | Boolean |
| Set the account password requirement timeframe* | security.authenticatedUnlock.requireAccountPasswordAfter | String |
| Set auto-lock timeout† (in minutes) | security.autolock.minutes | Integer |
| Lock when device locks or sleeps | security.autolock.onDeviceLock | Boolean |
| Lock when main window is closed | security.autolock.onWindowClose | Boolean |
| Remove copied information and one-time passwords after 90 seconds | security.clipboard.clearAfter | Boolean |
| Use Universal Clipboard to copy to other devices | security.deviceClipboardSharing | Boolean |
| Keep device active for Large Type | security.blockSleepEnabled | Boolean |
| Always show passwords and full credit card numbers | security.revealPasswords | Boolean |
| Always show Wi-Fi QR codes | security.revealWifiQrCodes | Boolean |
* The allowed values are "one-day", "two-weeks", "thirty-days", and "never". Each value must be enclosed in quotation marks, as shown here.
† You can choose a number from 1 to 1440 (1 day).
Privacy
These settings allow you to manage settings related to privacy and Watchtower.
| Setting | Key | Type |
|---|---|---|
| Show app and website icons | privacy.downloadRichIcons | Boolean |
| Check for compromised websites | privacy.checkCompromisedWebsites | Boolean |
| Check for vulnerable passwords | privacy.checkHibp | Boolean |
| Check for two-factor authentication | privacy.checkMfa | Boolean |
| Check for passkeys | privacy.checkPasskeys | Boolean |
Browsers
These settings allow you to control how 1Password connects with browsers.
| Setting | Key | Type |
|---|---|---|
| Allow connections with unsupported browsers | browsers.other-trusted-apps.enabled | Boolean |
Updates
Important
These settings can only be controlled if you deploy or install 1Password with the 1Password.app installer. If you use the PKG installer, you can monitor updates and deploy them with your MDM solution.
These settings allow you to manage 1Password updates.
| Setting | Key | Type |
|---|---|---|
| Automatically check for updates | updates.autoUpdate | Boolean |
| Set release channel* | updates.updateChannel | String |
* The allowed values are PRODUCTION, BETA, and NIGHTLY.
Authentication
These settings allow you to control the process of signing into the 1Password app.
| Setting | Key | Type |
|---|---|---|
| Set a default sign-in address* | authentication.defaultDomain | String |
| Enforce the default sign-in address† | authentication.enforceDomain | Boolean |
* Use the following structure for the sign-in address: domain.1password.com. The scheme (https://) shouldn't be included.
† To use this setting, you must set a sign-in address for the authentication.defaultDomain setting.
You can create an administrative template (ADMX) to control settings in 1Password through Group Policy. You can import templates directly into Active Directory or Intune.
To create a template:
Download and install 1Password for Windows on your PC.
Open 1Password, then select the ellipsis at the top of the sidebar and choose Quit.
Open a Command Prompt window and run the following command:
1password --write-admx-templates="<output-path>" --open-dirIf you installed 1Password using the MSI, replace
1passwordwith the full path to the 1Password application.
To learn how to setup and use the template in your organization, review the README.md file in the template folder for further instructions.
Important
If you’re using the HKEY_LOCAL_MACHINE\SOFTWARE\Agilebits Inc.\1Password\Policy registry key to control settings in your organization, you should migrate to administrative templates.
This registry key is deprecated, and we’ll be removing support for it in March 2026. You can find steps to migrate in the README.md file after you create a template.
General
These settings allow you to control basic options for the 1Password app.
| Setting | Key | Type |
|---|---|---|
| Show the main app window at login* | app.openAppOnStartup | Boolean |
| Save new items in [vault]† | app.defaultVaultForSaving | String |
| Allow the use of Auto-Type | app.autoTypeEnabled | Boolean |
| Submit automatically with Auto-Type | security.autofill.autosubmit | Boolean |
* To control this setting, 1Password must be turned on in Windows Settings > Apps > Startup.
† If this string is left empty, 1Password will suggest a vault.
Security
These settings affect how a team member unlocks 1Password and uses data in it.
| Setting | Key | Type |
|---|---|---|
| Set the account password requirement timeframe* | security.authenticatedUnlock.requireAccountPasswordAfter | String |
| Set auto-lock timeout† (in minutes) | security.autolock.minutes | Integer |
| Lock when device locks or sleeps | security.autolock.onDeviceLock | Boolean |
| Lock when main window is closed | security.autolock.onWindowClose | Boolean |
| Remove copied information and one-time passwords after 90 seconds | security.clipboard.clearAfter | Boolean |
| Keep device active for Large Type | security.blockSleepEnabled | Boolean |
| Always show passwords and full credit card numbers | security.revealPasswords | Boolean |
| Always show Wi-Fi QR codes | security.revealWifiQrCodes | Boolean |
* The allowed values are "one-day", "two-weeks", "thirty-days", and "never". Each value must be enclosed in quotation marks, as shown here.
† You can choose a number from 1 to 1440 (1 day).
Privacy
These settings allow you to manage settings related to privacy and Watchtower.
| Setting | Key | Type |
|---|---|---|
| Show app and website icons | privacy.downloadRichIcons | Boolean |
| Check for compromised websites | privacy.checkCompromisedWebsites | Boolean |
| Check for vulnerable passwords | privacy.checkHibp | Boolean |
| Check for two-factor authentication | privacy.checkMfa | Boolean |
| Check for passkeys | privacy.checkPasskeys | Boolean |
Updates
These settings allow you to manage 1Password updates.
| Setting | Key | Type |
|---|---|---|
| Automatically check for updates* | updates.autoUpdate | Boolean |
| Set release channel† | updates.updateChannel | String |
* This setting only applies if 1Password is installed with the MSIX, MSI, or App Installer. Learn how to control updates if you deploy 1Password through the Microsoft Store.
† The allowed values are PRODUCTION, BETA, and NIGHTLY.
Authentication
These settings allow you to control the process of signing into the 1Password app.
| Setting | Key | Type |
|---|---|---|
| Set a default sign-in address* | authentication.defaultDomain | String |
| Enforce the default sign-in address† | authentication.enforceDomain | Boolean |
* Use the following structure for the sign-in address: domain.1password.com. The scheme (https://) shouldn't be included.
† To use this setting, you must set a sign-in address for the authentication.defaultDomain setting.
The preference domain for 1Password 8 for iOS is com.1password.1password.
General
These settings allow you to control basic options for the 1Password app.
| Setting | Key | Type |
|---|---|---|
| Save new items in [vault]* | app.defaultVaultForSaving | String |
* If this string is left empty, 1Password will suggest a vault.
Security
These settings affect how a team member unlocks 1Password and uses data in it.
| Setting | Key | Type |
|---|---|---|
| Enforce unlock using Touch ID | security.authenticatedUnlock.appleTouchId | Boolean |
| Enforce unlock using Face ID | security.authenticatedUnlock.appleFaceId | Boolean |
| Allow unlock with device passcode | security.authenticatedUnlock.appleDevicePinUnlock | Boolean |
| Set the account password requirement timeframe* | security.authenticatedUnlock.requireAccountPasswordAfter | String |
| Set auto-lock timeout† (in minutes) | security.autolock.minutes | Integer |
| Clear clipboard after timeout | security.clipboard.clearAfter | Boolean |
| Use Universal Clipboard to copy to other devices | security.deviceClipboardSharing | Boolean |
| Keep device active for Large Type | security.blockSleepEnabled | Boolean |
| Always show passwords and full credit card numbers | security.revealPasswords | Boolean |
| Always show Wi-Fi QR codes | security.revealWifiQrCodes | Boolean |
* The allowed values are "one-day", "two-weeks", "thirty-days", and "never". Each value must be enclosed in quotation marks, as shown here.
† You can choose a number from 0 to 480. If you choose 0, the app will lock immediately when no longer in focus.
Privacy
These settings allow you to manage preferences related to privacy and Watchtower.
| Setting | Key | Type |
|---|---|---|
| Show app and website icons | privacy.downloadRichIcons | Boolean |
| Use Apple Maps | privacy.mapsEnabled | Boolean |
| Check for compromised websites | privacy.checkCompromisedWebsites | Boolean |
| Check for vulnerable passwords | privacy.checkHibp | Boolean |
| Check for two-factor authentication | privacy.checkMfa | Boolean |
| Check for passkeys | privacy.checkPasskeys | Boolean |
Autofill
These settings allow you to manage preferences related to Autofill.
| Setting | Key | Type |
|---|---|---|
| Show passkey suggestions | app.autoFillPasskeyShowFillingSuggestions | Boolean |
Notifications
These settings allow you to manage the notifications that team members receive from 1Password.
| Notification type | Key | Type |
|---|---|---|
| One-Time Passwords | app.notifyCopyTotpToClipboard | Boolean |
Authentication
These settings allow you to control the process of signing into the 1Password app.
| Setting | Key | Type |
|---|---|---|
| Set a default sign-in address* | authentication.defaultDomain | String |
| Enforce the default sign-in address† | authentication.enforceDomain | Boolean |
* Use the following structure for the sign-in address: domain.1password.com. The scheme (https://) shouldn't be included.
† To use this setting, you must set a sign-in address for the authentication.defaultDomain setting.
Learn more
Was this article helpful?
Glad to hear it! If you have anything you'd like to add, feel free to contact us.
Sorry to hear that. Please contact us if you'd like to provide more details.