Admin User Guide - Business



Complete the LastPass Business Form

Request a LastPass Business account for your department via the LastPass Business Request Form. Before submitting your request, make sure you have read and understood the requirements at Getting Started with LastPass.

Activate your LastPass Business Account

Install Browser Extensions and Mobile Apps

Prepare your browser to use LastPass Business by going to the LastPass Download webpage and downloading the appropriate plug-in or browser extension: https://lastpass.com/misc_download2.php

Activate Your Account

ISO Staff will invite departmental administrators to the newly created instance. The email invitation will come from LastPass <do-not-reply-support@lastpass.com> and will include an activation code to activate your account and set your Master Password.

Activate LastPass Account Email Invitation

Click on the Activate LastPass button to get started.

Enter your Activation code (if it's not there already), and then create a master password.

Set Your Master Password

For security purposes, the master password must be a strong, complex password.

  • At least 20 Characters

  • Password characters must be from all 4 of the following character sets:

    • numbers [0-9]

    • lowercase letters [a-z]

    • uppercase letters [A-Z]

    • special characters [!@#$,^ etc]

  • The passwords must be complex and not easily guessed or obtained.

  • Do not use simple words, e.g. "password," "welcome," or "hello"

  • Do not include three or more consecutive characters from your user name

  • Master Passwords must be reset every 365 days

    • If you reuse a Master Password elsewhere in LastPass, you will be required to reset it. Your Master Password cannot be reused elsewhere.
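
A pre-check for the composition rules listed above, for instance to vet a temporary master password before an admin reset. This is an added example, not LastPass or ISO code: the three-word denylist, the definition of a special character as anything that is not alphanumeric or whitespace, and the case-insensitive user name comparison are assumptions. The 365-day reset and reuse rules are enforced by LastPass and are not checked here.

```python
import re

# Constructed denylist: the page names only "password", "welcome" and "hello".
SIMPLE_WORDS = ("password", "welcome", "hello")

CHARSETS = {
    "number": re.compile(r"[0-9]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    # Assumption: anything that is not alphanumeric or whitespace is "special".
    "special character": re.compile(r"[^A-Za-z0-9\s]"),
}


def username_fragments(username, size=3):
    """Every run of `size` consecutive characters in the user name, lowercased."""
    name = username.lower()
    return {name[i:i + size] for i in range(len(name) - size + 1)}


def check_master_password(password, username, min_length=20):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for label, pattern in CHARSETS.items():
        if not pattern.search(password):
            problems.append(f"missing a {label}")
    lowered = password.lower()
    for word in SIMPLE_WORDS:
        if word in lowered:
            problems.append(f"contains the simple word '{word}'")
    # Assumption: case-insensitive match, so "JDO" is caught for user name "jdoe".
    hits = sorted(f for f in username_fragments(username) if f in lowered)
    if hits:
        problems.append(f"contains user name fragment '{hits[0]}'")
    return problems
```
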

Set Up Duo MFA

After the master password is set, log in again and click the link to verify your Duo Security setup. You will be asked to provide your CalNet ID on the next screen, and complete a Duo Security challenge before being logged in to LastPass Business.

Link Personal Account

ISO offers the option to link a personal account to your Business account.  This is voluntary.  When a user completes their first login, they will be prompted to set up a linked account.

Option to Link Personal Account

Additional information on Linked account

Both the linked personal account and the Business account are encrypted, with different encryption keys.  When linked, the Business account can view data within the personal account but not vice versa.  The linked personal account can be any “free” or “premium” account.  Free LastPass Premium accounts are available to anyone with a valid berkeley.edu email address thanks to Premium as a Perk.  LastPass cannot auto-create a “premium” account for any entity, since the end-user will always need to define the master password for encryption and access. 

Browser Extensions and Mobile Apps

If you have not yet done so, install the browser extensions and mobile apps. Plug-ins or add-ons for other browsers and operating systems can be downloaded from the LastPass Download webpage: https://lastpass.com/misc_download2.php

Request Admin Access

Once you complete the steps above, you will be active in LastPass Business as a regular user, not an administrator.  Reply to the ServiceNow ticket, confirm that you have activated your account, and request administrative privileges. ISO staff will enable administrator privileges on your account.

Set Up Recovery Options

It is extremely important that you set up recovery options for your account.  https://support.logmeininc.com/lastpass/help/how-do-i-set-up-all-account-recovery-options-for-lastpass details all recovery options.  At a minimum, we recommend using the LastPass browser extension. Signing in to LastPass using the extension regularly will ensure that your administrators can help you reset your Master Password, if you forget it.

LastPass Admin Responsibilities

  • Provide support directly to your end users

  • User lock-outs and account deletion (only the User and Super Admin can reset master passwords)

  • Configure Admin roles and related policies – like Help Desk Restricted Admin

  • Re-inviting users whose invitations have expired

  • Software installation assistance (for the LastPass browser plugins and desktop apps)

  • User education and training

  • Initial troubleshooting on problem/resolution, including login issues on specific URLs

Accessing the Business Admin Console

Once ISO enables administrator privileges on a Business account, you should have access to the Business Console. To access the console, click the LastPass browser extension and select the “Admin Console” button at the bottom of the pulldown. Alternatively, go to lastpass.com, log in with your Business account, and click Admin Console on the left-hand menu.

Inviting Additional Users

Administrators will invite additional users/administrators to their LastPass instance. LastPass has detailed instructions on how to invite Business users individually or in bulk:

https://support.logmeininc.com/lastpass/help/manually-add-enterprise-users-lp010045

The email invitations will come from LastPass and will include an activation code for the users to activate their account and set their master password. You should instruct your users to pre-install the LastPass browser extension, and share the LastPass Business Guide with new users.

Reset a User’s Master Password

Details on how to reset a master password for a user are here:  Reset a User's Master Password (Super Admin) - LastPass Support.  A summary is provided below.

All Admins are, by default, set up to be able to reset all user master passwords.  Users must log in via the LastPass web browser extension to activate the option to reset master passwords.  Once a user is eligible to have an admin reset their master password, you will see the following under the Users page.

LastPass Admin Master Password Reset

Selecting “Reset Master Password” will take you through the following steps:

  • Enter your own master password to verify your identity

  • Select a new, temporary master password for the user. Make sure the checkbox to require them to change their master password is checked.  (Save the password as they will need to use it for their next login)

  • LastPass will re-encrypt the user’s vault

  • Share the new password with the user

  • The user will log in and be required to change their master password.

Managing Sharing and Shared Folders

Create a LastPass Business shared folder - LastPass Support

About LastPass Business Shared Folders - LastPass Support

Add and Manage LastPass Business Groups - LastPass Support

A note about shared folders: LastPass Admins will NOT automatically have access to all shared folders. In order to ensure that access to a shared folder is not lost when a user leaves campus, we recommend that users add their department Admin to shared folders.

  • An account can have multiple different shared folders, with different permissions on each folder.

  • In the case where UCB Staff need to access information in multiple Business accounts, teams can share folders with users in other campus LastPass Business accounts.  Note that shared folders can only be administered by members of the Business instance in which they were created.

Track & Report

Use the Reports tab in your Admin Dashboard to gauge the success of LastPass Business in your department by measuring usage and adoption. Detailed instructions on how to use the Reports tab can be found at:

https://support.logmeininc.com/lastpass/help/generate-enterprise-reports...

It’s recommended that you run a baseline report shortly after your department’s rollout. This report can be compared to the weekly/monthly reports that follow your rollout.

Test Functionality

  • Verify login and access your department’s admin console.

  • Verify that policies are in place and functioning as intended.

  • Verify that policies are not infringing on work duties.

  • Verify that users are able to access all needed functions.

Training and Support

LastPass Video Tutorials

Online Training

LastPass provides a one hour training session with Q&A for users and administrators. We recommend everyone watch the live training or the recorded versions:  https://support.logmeininc.com/lastpass/help/free-live-training-lp010018

LastPass CLI Tool

https://support.logmeininc.com/lastpass/help/use-the-lastpass-command-line-application-lp040011

Support

Primary support is provided solely by LastPass and is accessible through your admin console (the Contact Us button in the top right corner).

If there is an outstanding issue that LastPass cannot solve or is specific to the UCB environment, secondary support will be provided by the CalNet team. Email calnet-admin@berkeley.edu with details of the problem and any information provided by LastPass support.

LastPass Security Policies

ISO will customize 42 LastPass Business policies and keep 8 default policies.

| Category | Policy Name | Policy Result |
|---|---|---|
| Administration | Disable Password Ping checks | We will activate the Security Dashboard and Dark Web Monitoring features https://blog.lastpass.com/2020/08/new-lastpass-security-dashboard-and-dark-web-monitoring-now-available/ |
| Administration | Don't send email upon account change | Users will be notified of email or password change |
| Administration | Don't send email upon master password reset | Users will be notified of password change |
| Administration | Notify admins upon account recovery | Audit logs will be generated |
| Administration | Notify admins upon added/removed user | Audit logs will be generated |
| Administration | Notify admins upon user lockout | Audit logs will be generated |
| Administration | Notify upon login event | Audit logs will be generated |
| Administration | Permit super admins to reset master passwords | ISO and Local Admins will be able to assist with master password resets |
| Administration | Pre-create sharing key | Sharing keys will be created on account activation and first use of the LastPass extension |
| Administration | Prevent user status emails to shared folder admins | Folder admins will get an email if a user's status changes |
| Administration | Prohibit account email change | A user’s login account cannot be changed |
| Limit Features | Hide Cloud Apps from users | Cloud Apps section of the app will be hidden |
| Limit Features | Prohibit export | Exports will be disabled but can be temporarily activated on request. Users will be able to export saved data in LastPass. |
| Limit Features | Prohibit import | Imports will be disabled but can be temporarily activated on request. Users will be able to import data into LastPass. |
| Limit Features | Prohibit master password hint | Master Password hints are enabled. |
| Limit Features | Prohibit shared folders outside business | Shared Folders can be shared with other LastPass Business users |
| Limit Features | Prohibit sharing except shared folders | Shared Folders can be shared with other LastPass Business users |
| Limit Features | Show master password strength | Security Dashboard Feature |
| Linked Personal Account | Recommend or require linked personal account | It is recommended that you link your Free Premium Account to your business account so you have access to all of your needed passphrases/passwords. |
| Linked Personal Account | Save personal sites to personal vault | LastPass will save personal sites to the personal account |
| Linked Personal Account | Set default account for new sites | LastPass will save institutional accounts to the Business account |
| Login Rules | Block TOR Access | LastPass Default Policy |
| Login Rules | Lockout period | A master password is locked out after 5 failed attempts in 15 minutes |
| Login Rules | Remember master password | A user can not select ‘Remember Password’, but they can use hints, and Admins can reset their master password |
| Login Rules | Restrict login attempts before lockout | A master password is locked out after 5 failed attempts in 15 minutes |
| Logoff Overrides | Account logoff (website) | Automate logging off of browser or Extension |
| Logoff Overrides | Account logoff on browser close | Automate logging off of browser or Extension |
| Logoff Overrides | Account logoff on browser idle (extension) | Automate logging off of browser or Extension |
| Logoff Overrides | End existing sessions on login | Automate logging off of browser or Extension |
| Master Password Rules | Prohibit reuse of old master passwords | LastPass Default Policy, the last 24 passwords can not be reused |
| Master Password Rules | Require master password change | Every 365 days for MFA users |
| Master Password Rules | Require master password change when reuse detected | If a user reuses their Master Password for an application, the master password must be changed. |
| Master Password Strength | Length of master password | 20 Characters |
| Master Password Strength | Minimum character sets in master password | 4 Character sets. |
| Mobile | Force logoff from background | Automate logging off of browser or Extension |
| Mobile | Log mobile activity | LastPass Default Policy |
| Mobile | Override mobile lock option | Lock Mobile app after 15 minutes, unlock with pin or biometric |
| Mobile | Prohibit login from jailbroken phones | LastPass Default Policy |
| Mobile | Require PIN | Auto-Lock Mobile app after 15 minutes, unlock with pin or biometric |
| Multifactor | Prohibit multifactor disable via email | Super admins can temporarily disable MFA if the user is having MFA issues |
| Multifactor | Require MFA for admin console | Duo MFA (Duo Push or Duo App Token) required |
| Multifactor | Require use of Duo Security | Duo MFA (Duo Push or Duo App Token) required |
| Multifactor | Use Duo Web SDK when possible | Duo MFA (Duo Push or Duo App Token) required |
| Multifactor | Use local-part of email as Duo Security username | Duo MFA (Duo Push or Duo App Token) required |
| Reporting | Log full URL in reporting | Provides detailed reporting |
| Reporting | Log item name in reporting | Provides detailed reporting |
| Reporting | Log username in reporting | Provides detailed reporting |
| Security Audit | Check for compromised user accounts | Security Dashboard Feature |
| Security Audit | Show security challenge score | Security Dashboard Feature |

Please do not modify or disable these policies. Please contact ISO if you have any questions about this.