1Password Configuration

Background

Twingate integrates with 1Password by leveraging their device verification to restrict access to only secure devices. Admins can add 1Password as a verification requirement to macOS, Windows, and Linux Trusted Profiles. In turn, devices will be required to be verified by 1Password to sign in to Twingate or access certain Resources.

How it works

Twingate integrates with 1Password by matching the device serial numbers returned by the Twingate Client to those managed by 1Password. Devices are considered 1Password-verified if they meet the following requirements:

  • The device’s serial number is returned by 1Password
  • The device meets 1Password’s device checks

Configuring the 1Password integration in Twingate

Generate a 1Password API key

To set up the integration, you’ll need an API key from 1Password Device Trust:

  • Log in to your 1Password Device Trust Console
  • Click on your user account in the upper-right corner
  • Go to Settings
  • On the left panel, click on Developers
  • Click on Create New Key
  • Give it a name and click Save. No special write permissions are required for this integration.

Configure the integration on the Twingate Admin Console

  • In Twingate, navigate to Settings and then select Device Integrations
  • Select Connect next to 1Password and input your 1Password Device Trust API Key
  • After the integration is configured, the Device Integrations page will show the current status of the integration

Incorporate 1Password into Security Policies

After the 1Password integration has been set up, it can be configured into Device Security Trusted Profiles.

For macOS, Windows, and Linux, create a Trusted Profile and require 1Password as a Trust Method. Only devices verified by 1Password will satisfy the requirements of this Trusted Profile. This Trusted Profile can now be incorporated into Security Policies.

Troubleshooting

After the 1Password integration is set up, the Device Integrations page will show the status as “Waiting to sync”. During this time, devices may be missing the correct 1Password verification state. After a few minutes, the Device Integrations page will show the most recent sync time and devices will correctly show their state on their device details page.

A device can be listed as 1Password not verified for the following reasons:

  • The device is not managed by 1Password
  • The device’s auth_state is blocked

In the case of an error, the 1Password integration will show the time of the last successful sync. Twingate will attempt to connect for 28 hours. When we are able to reach the 1Password API, the errors will be resolved automatically. If Twingate is unable to connect within 28 hours, the integration will stop attempting to connect. Admins will be notified via email that the integration needs attention. For these errors, we recommend reconfiguring the integration and inputting new API client information.

Last updated 2 months ago