1Password for Teams: Getting Started (Admin)

Starting your admin adventure with 1Password for Teams

Whew! Tuesday was an exciting day for the AgileBits family. In case you missed our big announcement, we’ve been working on a great new solution that makes it super simple to share secrets securely with your team. (Say that three times fast!)

We hope you’ve already signed up to reserve your team name. We’re letting people into the beta just as fast as we can. If you’ve already gotten your golden ticket, you’re probably pretty excited to get 1Password for Teams set up. So many new and exciting things to play with, but where to start? Let’s start at the very beginning. A very good place to start.

After you’ve signed in to your 1Password for Teams account, your adventure begins on the Home page. This is where you will find the vaults you can access. Initially, you will see Your Vault and the Everyone Vault on this page. Let’s get things rolling by creating a new vault for your team.

Anything that has to do with managing your 1Password for Teams account is done in the Admin Console. Head over there by clicking the Team menu in the top right corner and selecting the Admin Console menu option.

1Password for Teams Home: Admin Console menu option

Go ahead, seize the day and create a new vault now: while in the Admin Console, click the Vaults tab. On the Vaults page, click the + button to create a new vault. There’s no limit to the number of vaults you can create, and vaults can be shared with some or all of your teammates.

1Password for Teams Admin Console: Vaults

Every excellent adventure needs a crew, so click the Invitations tab in the Admin Console to invite your team members aboard. Send out email invitations to everyone, or use the special link that 1Password for Teams generates for you.

To add a teammate to a vault, two things need to happen: they must accept the invitation you sent them, and you must approve them. Once a user has accepted their invite, you can return to the Admin Console and confirm their membership.

1Password for Teams Admin Console: Invitations

Now you’ve got your vaults and your team. You’re almost ready to take off. All you need to do is decide who gets access to which vault. On the Vaults page, select the vault you want to share and click on Manage Access. Simply select the people you would like to add to this vault and it will show up immediately on their Home page.

1Password for Teams Admin Console: Manage vault access

I hope you’ve enjoyed the guided tour so far. Continue the adventure on your own by reading the Getting Started guide for admins, and stay tuned for more posts.

If there is something in this flow that could be improved to work better for you, please let us know in the forums. These beta days are the best days to get in your bug reports and suggestions for improvement. Thanks so much for trying out 1Password for Teams Beta!

Featured Image: Google Chrome (Scenery)

Adventures in beta testing, continued: Google Chrome Canary

Or, If you’re living on the bleeding edge, expect some paper cuts.

The Chromium team (the open-source project behind Google Chrome) is doing an amazing job of constantly moving the web forward and making the web a safer place for users of Google Chrome.

Recently, many users of the latest pre-release versions of Google Chrome have notified us that the 1Password extension refuses to work in OS X and Windows, showing the following error message:

1Password extension looking for app

What is going on?

The Google Chrome developers have started implementing changes to the types of connections extensions are allowed to establish. These changes are part of a larger and more complex plan to harden Google Chrome against certain kinds of web-based attacks (like cross-site request forgery attacks), in which a malicious website or extension attempts to compromise internal network devices and processes listening on the localhost IP address.

Unfortunately, in the process of implementing these new security measures, something was broken in a way that results in many Chrome extensions, including 1Password, not working anymore in the Canary build and the dev channel of Chrome.

What seems to be the issue?

The 1Password web browser extension needs to communicate with a helper process that runs in the background to access your 1Password data (1Password mini in OS X and 1Password Helper in Windows). This is facilitated by establishing WebSocket protocol connections at the localhost address of a computer. WebSocket connections are similar to the typical HTTP requests your web browser performs when visiting a website.

The way we understand the current situation is this:

  1. An extension tries to open a ws:// (WebSocket) connection.
  2. Chrome recognises the chrome-extension protocol and checks whether the connection attempt has a secure origin.
  3. If Chrome determines that the connection is not secure, it rejects the attempt and any further connection requests are never even attempted beyond that.

In the case of 1Password, this results in the extension thinking that the 1Password application does not exist on the PC/Mac in the first place or that something is blocking the WebSocket connection.

What is going to happen?

This is an ongoing issue that we’re still investigating but so far it is clear that the Chromium development community has recognised that many extensions communicate with host applications using WebSocket and other protocols. To our current knowledge, they are treating this issue as a regression in need of fixing, but any fix requires careful consideration in light of their efforts to increase security.

There are various active discussion threads and bug reports related to this situation in the Chromium project. To name only a few:

What to do now?

Testing pre-release software can be fun and is incredibly useful for the developers of that software and the developers of apps that interact with it — seriously, we love our beta testers. 1Password supports the latest stable builds of Safari, Chrome, Firefox, and Opera. While we make every effort to maintain compatibility with Beta, Dev, Nightly, Canary builds or other birds or browsers, we can’t guarantee that 1Password will always work as browsers go through their various development and release cycles.

If 1Password is as essential to your daily life as it is to ours, our suggestion is to temporarily return your browser to the stable version and check out the new Canary build/dev channel releases in a week or two — did I mention how much we appreciate beta testers sending in feedback? If you do want to live on the bleeding edge, please be aware of the potential for bugs in development and public beta versions of browsers and software in general and be patient with the developers of browsers, apps, and extensions as they negotiate a shifting landscape. We’ve added the article, “Prerelease (beta, dev, nightly) browser builds,” to our knowledge base to keep you apprised of any issues with unfinished versions of browsers.

As with any other questions regarding 1Password, please sound off about any issues you run into when using 1Password with pre-release versions of browsers in our discussion forums.

DevBits header

The endless waltz: making custom UI for Windows Modern

Branding is a promise. It’s a guarantee of what to expect and a derivation of an identity. Here at AgileBits, we have strong brand identity and our customers can immediately recognize our app, no matter the platform on which they see it. As a recent addition to the AgileBits family, working on the latest addition to the 1Password application family, one of my priorities has been to ensure our new app feels like 1Password. But this, like so many other things, is easier said than done.

At first blush (and second, and third, and…), Windows Modern applications look nothing like apps on Mac, iOS, Android or any other platform; right out of the gate, we had our work cut out for us and we had to decide how to balance the unique Windows Modern style with what has come to be recognized as the 1Password style. In the end, we decided to keep the Windows Modern app as true to the 1Password style as possible. Despite having to deal with an overly verbose pattern for overriding the style template (in some cases 100 lines of code just to change a single property for a button) we continued to customize nearly every area of the app; when the dust had finally settled, our shared stylesheet (for phone and desktop) was the largest single file in our entire project (~1200 lines of code).

But we were able to stay true to the 1Password brand, as evident in our lock screen:

So it was well worth the effort, and we certainly learned a few new tricks along the way! But styling with such reckless abandon does have a cost.

There will be blood (and hacks)

Issues first began to arise when we started testing theme-switching for Windows Phone. Windows Phone gives users the ability to switch between a dark and a light theme. This is a hallmark feature of Windows Phone and one that users have come to expect. But of course, this feature is only available on Windows Phone; the iOS and Android platforms don’t have this capability by default, which added a new wrinkle: do we introduce a feature on Windows Phone that is not available on our other mobile platforms? We also noticed very poor performance with accessibility features when using high-contrast themes, and ease-of-access font scaling had a very low ceiling before the majority of text was cut off.

Why did we perform so poorly? In part, it was because of all the customization we had done. We became so focused on achieving the 1Password look and feel that we customized nearly everything, including many things that we never needed to touch. We also used the RequestedTheme property heavily, which allowed us to force a page to always render in a specific theme; this is a big no-no for a universal app. But more than anything else, it’s how the platform handles custom styles. The moment you create a custom style, you’re entirely accountable for it: you must tell it exactly how to behave under every single scenario a user may throw at you; and on the Windows Modern platform, there are a lot of possible scenarios. There are two default themes for Windows Phone (and two other high-contrast themes), and Windows desktop has the default theme (not light, not dark, just right) along with four other high-contrast themes. Yep, that’s eight themes developers need to support when they choose to add some of their own styling and branding to their apps. The moment you decide to change a background colour, adjust a font’s opacity, or change letter spacing, you’re abandoned by the Windows app platform, and left to your own devices. This desertion isn’t too much of an issue for developers working primarily on Windows modern, as the support the platform gives you to handle all of these scenarios right out of the box is excellent. But it’s an unfeasible expectation for Windows to extend this support to developers who customize their apps so heavily, so we got to work and began getting our stylesheets under control.

The taming of the shrew

After all of our customization, we had to take a step back and see how we could make 1Password work with the Windows Modern ecosystem, instead of against it.

We had no desire to rewrite all of the styles and themes that Microsoft had given us for free with the operating system. The code was ready and available; all we had to do was let the platform do its work without losing our brand in the platform.

Our first order of business was getting our stylesheets under control. We went through the entire app, page by page, and removed any properties we could live without, thereby giving responsibility back to Windows. We then rebuilt support for all the missing themes by first including them explicitly in our stylesheets, and only overriding the system colors in the default or base theme; for high contrast and light/dark themes, we once again passed responsibility back to Windows.


Prior to coming to work at AgileBits, I gained a lot of experience working on web accessibility for the Canadian Government, and we often discussed how different platforms handled accessibility.  On the Mac, instead of separate themes, users are given sliders in the OS preferences to adjust contrast and invert colours when necessary. Keeping these preferences at the OS level takes a lot of the responsibility away from app developers. While it can seem a bit daunting to oversee eight themes (at least) on Windows, the aesthetic and practical usefulness of these themes cannot be denied. For example, users can create custom themes that can be saved to their profile and be made available on the different PCs they use. Also, these themes being predefined make selecting appropriate themes much easier for users.


Branding is a promise. This is our endless waltz, and we cannot fail our dance partners. It’s a delicate balance that we must strike between Windows Modern and the 1Password experience, so that we may engender harmony among 1Password and Windows users.

1Password 5 for Mac logo

Adventures in beta testing: 1Password, El Capitan, and iOS 9

Let’s talk about betas. Specifically, let’s talk about Apple’s operating system betas. It used to be that you had to be an active member of the Apple Developer Program to get access to the betas. Last year, Apple launched a beta software program that enables anyone to sign up to test-drive pre-release versions of OS X. This year, for the first time, anyone can sign up to evaluate iOS 9 beta in addition to OS X 10.11 El Capitan beta.


There’s something thrilling about using beta software. It’s exciting to experience the software development process, with frequent updates that fix and improve things before our very eyes. It’s gratifying to participate in that process, seeing our bug reports get resolved and change requests considered and sometimes implemented. I don’t know about you, but I love feeling like I’ve helped make an improvement from which everyone using the software will benefit.

Hark, the cheers from developers far and wide

One of the most difficult things for software developers is getting the feedback they need before an application version goes public. This is because the pool of beta testers is generally so small. We could think everything is just fine, and then it gets out there and—BOOM—suddenly there are all these edge cases that never came up during the beta, because there are so many more people using it.

Public betas can be a real boon to developers, in that they help to increase the size of the beta pool and the degree to which the beta application is tested.

Hard hats required

under construction

Perhaps you remember those “Under construction” images from the early days of web publishing? It’s a very real metaphor for beta software. The most important thing to remember1 is that beta software is incomplete. Some things will not be implemented yet, some will be broken, and some may cause unexpected system kerfufflery.

Here are a few tips to help make your beta experience safe and enjoyable:

Spare a square

Ideally, beta software should be installed on spare hardware. If you have only one Mac, you can install El Capitan beta on separate partition of your Mac’s hard drive. If the iPhone you use every day is your only iOS device, it’s probably best not to install iOS 9 beta. If you have a non-critical iPad or an iPod touch, that would be a good place to install the beta.

Back that thang up

I know some of you are going to ignore me completely and install the betas on your mission-critical devices. Before you do that, please make sure to create a reliable backup!

We hear you

Your feedback is indispensable. If you notice anything wonky, be sure to report it to developers. I’ve seen beta issues reported in App Store reviews. While developers certainly read those and learn from them, they have no way of reaching out to the customer to help. It is best to contact developers directly with your beta feedback.

If you’re using 1Password beta, we have dedicated beta discussion forums. The beta forums are monitored by our developers and our support team is around to help you seven days a week!

If something you report isn’t immediately addressed, don’t worry. Developers may not be able to do anything about it just yet. Rest assured that the issue will be resolved as quickly as possible.

1Password 5, El Capitan, and iOS 9

I’m happy to tell you that we have thus far encountered no major issues in our testing. I have noticed a couple of graphical and layout issues in El Capitan beta, but it’s too early to tell whether the issues are in 1Password 5 for Mac or in El Capitan beta. We don’t want to spend time fixing something that may not actually be broken on our end, so for the moment we’re waiting to see how things pan out. We’ve documented the issues so we don’t lose track of them.

How to test 1Password beta for Mac

You are warmly invited to join our family of beta testers. The more, the merrier! 1Password 5.4 beta for Mac doesn’t require El Capitan beta, but it does require that you use the AgileBits Store version of 1Password, not the Mac App Store version. It’s very easy to switch over, but you will not be able to sync with iCloud.

How to test 1Password beta for iOS

Apple’s TestFlight Beta Testing program enables developers to extend a limited number of invitations to customers. There has been a great deal of interest in 1Password beta for iOS, and we are not looking for additional testers at this time. You can be the first to hear about opportunities to join our beta family for iOS by following @1PasswordBeta on Twitter.

1Password beta for Mac does not require 1Password beta for iOS.

1Password happy face

Have fun!

I lied earlier. The most important thing is to have fun, but keeping in mind the foibles of beta software and protecting yourself against them are a close second. =)

DevBits header

Wi-Fi Sync in 1Password for Android: Design Overview

Today, I’m happy to tell you that Wi-Fi Sync is coming to 1Password for Android! In fact, it is already available in the latest beta, so you can join our beta family and try it out right now. In this edition of our DevBits series, I am going to talk about how we implemented Wi-Fi Sync in 1Password for Android.

Wi-Fi Sync in 1Password for Android uses only standard Android APIs. We don’t use any third-party libraries. All the required communication logic was written in-house (although inspirational ideas for WebSocket implementation were taken from elsewhere). Using Android APIs keeps the .apk file small and eliminates version incompatibility, licensing issues, or any other trouble that might arise when incorporating third-party code into the app.

Wi-Fi Sync in 1Password for Android consists of three parts: Network Service Discovery (NSD), Network Service Resolution, and the actual sync itself. Both the Network Service Discovery and Network Service Resolution are based on the NSD framework built in to Android. The sync is implemented using synchronous Websocket communication with a service provided by 1Password for Mac or 1Password for Windows.

Network Service Discovery

When you choose to sync using Wi-Fi in 1Password for Android, Network Service Discovery is launched asynchronously and continues to run in the background until you stop it. The service looks for all network services matching the type used by 1Password (in our case “_1password4._tcp.”).

This network service type matches the type used by the latest versions of 1Password on both Mac and Windows when Wi-Fi Sync is enabled. Any discovered Wi-Fi services are displayed in a list for you to select from in order to set up the initial sync. It is important to note that the service info found by NSD contains no information other than the service name and type.

Network Service Resolution

Once you have decided which service you want to use, the Network Service Resolution process is launched asynchronously for the chosen service. 1Password for Android is given the service credentials, including the IP address and port, so that communication with the server can be established. The service name is stored in 1Password preferences and used for subsequent communication sessions. This allows service discovery during incremental sync to automatically stop when a service matching the one stored in preferences is found.

Next, 1Password proceeds with service resolution. If the connection is successful, the actual sync process is launched using the provided service IP address and port. If service discovery is unable to discover the service in two seconds, or if the resolution is invalid, you will be asked to ensure that 1Password is running on the computer you are trying to sync with, and the sync attempt is aborted.

The actual sync

1Password for Android Wi-Fi logo

The actual sync process is handled by a subclass of Android’s AsyncTask that establishes synchronous communication with the server using the WebSocket protocol. In order to establish a connection, this task first requires valid service credentials (address and port) and a reference to the database manager. Once connected with the service, communication proceeds according to a proprietary JSON-based command protocol which is itself based on the WebSocket protocol.

Once 1Password for Android is successfully authenticated by the server it receives an item/folder list. Next, a request is made for items from the list which have been updated on the server, and these are then decrypted and saved in the 1Password for Android internal database.

In order to decrypt these items, your Master Password is requested during initial sync. Although the communication secret is stored in 1Password preferences, it should be noted that your Master Password is never stored in the system preferences or in the database.

Once the initial sync is complete and an incremental sync has begun, you may notice some minor differences between syncing with 1Password for Mac and 1Password for Windows. These differences are the result of architectural differences between the two versions, namely that 1Password for Windows doesn’t rely on an internal database. This results in slightly faster syncing with 1Password for Windows and the need to enter your Master Password on each incremental sync.

When the Wi-Fi Sync server has transmitted all of its updated items to 1Password for Android, and it has transmitted all of its updated items back to the Wi-Fi Sync server, the communication session is terminated and the network socket is closed. Detailed sync results of the latest session are written to the Diagnostics Report, which you can generate from the Settings > Advanced screen and review at any time.

At present, Wi-Fi Sync is designed to work between one computer and one or more mobile devices. We do not recommend switching between multiple desktops when syncing using Wi-Fi. Note that the sync method cannot be changed once it has been selected. For example, if your initial sync uses Wi-Fi, you cannot later switch to Dropbox. Because 1Password for Android supports sync with only the primary vault at this time, it is not possible to switch to a different vault once the Wi-Fi Sync connection to the chosen server has been established.

The addition of Wi-Fi Sync to 1Password for Android furthers our goal of placing you in control of your data. In addition to local storage and sync with Dropbox, you now have a third option for syncing your vault from your Android devices to your other devices. We hope you enjoy using it and welcome your feedback in our beta forums.

Want to help us test Wi-Fi sync in 1Password 4 for Mac and iOS?

I have good news and good news, so I’ll give you the good news first: Wi-Fi sync is coming back in 1Password 4 for Mac and will be a free update to 1Password 4 for iOS. Some of our users want a local, cloud-less option to sync 1Password data, and we aim to deliver it soon.

The other good news is we need your help to test it, so we’re opening our Mac and iOS beta programs again to recruit a few good testers. Wi-Fi sync has been rewritten entirely from scratch and it will be 1Password-4-only, so we’ll need you to beta test both iOS and Mac versions.

Do you have:

  • an inconsolable itch to use Wi-Fi sync in 1Password?
  • a Mac running at least 10.8 Mountain Lion and an iOS 6 device?
  • good-to-great beta testing skills?

Prove it—sign up for our beta list and help us make Wi-Fi sync in 1Password 4 the best it can be.

Please note: we have not announced a release date for 1Password 4 for Mac or for when Wi-Fi sync will arrive as a free update in 1Password 4 for iOS. Right now we’re focused on making Wi-Fi sync great, and we’ll release as soon as we can get it there.