Overview
IT Glue will allow the capability to store and access general and embedded passwords securely on local devices that pass and maintain on-device security checks. The installer for the Offline Mode Windows sync service runs security checks on the device to ensure the settings have enabled and updated Disc Encryption, On device malware protection and System Access. Password data is stored and transferred using SOC-2-compliant cryptographic algorithms, in transit and at rest on the local device. Account administrators and other approved users can view the passwords using the Offline Mode Chrome browser extension. If the IT Glue platform is down or undergoing maintenance, IT Glue customers can use this feature to continue with mission-critical operations.
Offline Password Access
Users can view general and embedded passwords stored securely on their devices via the Offline Mode browser extension. This feature ensures that account administrators and admin-approved users can continue mission-critical activities if the IT Glue platform is under maintenance or temporarily unavailable. Users will still need to have their device connected to a network to first install the sync service and extension. Once installed, users can authenticate without an internet connection using MFA.
Offline Mode will be made available only on devices running Windows 10 Pro and Windows 11 Pro, the most utilized version by IT Glue users. The Offline Mode browser extension will be available on Google Chrome browsers through the web store, other browsers will not be supported.
There are two key components to this feature. The Windows sync service will be installed on the local device, it is responsible for maintaining the encrypted passwords and communication with IT Glue.
The Offline Mode browser extension will display the passwords that were pulled through the Windows sync service.
Offline Mode Feature Management
Settings for Offline Mode will be configured through the IT Glue web application. Only users with an Administrator role have access to the account settings. Changes to the settings affect all approved Offline Mode instances, including all devices with access to this feature running the Windows sync service. It is possible to configure the browser extension session length forcing the User to re-authenticate. Settings will also allow Users to set the number of days an approved device is offline before automatically removing data and revoking access to Offline Mode.
To enable the feature, an administrator needs to read the Offline Mode general information article and the dedicated Offline Mode feature security white paper. They must also type “I UNDERSTAND” to the impact of turning on the feature i.e. upon turning on the feature, all IT Glue users with an Administrator role will have access to enabling this feature. We intentionally placed these information checks to ensure the user turning on the feature understood the full implications of their actions.
Once the feature is turned on, all account administrators will know when the feature was turned on, by whom, and at what time.
Password Management
The Offline Mode Windows sync service manages encrypted passwords stored on the device. It is the responsibility of the User to apply and maintain device security when installing Offline Mode and when Passwords are syncing. The sync service does not have any password-viewing capabilities. Password data information is encrypted in transit and at rest on the device. The sync service is designed to function as the workhorse of Offline Mode – it is “blind” to the information it manages. The sync service also speaks to the IT Glue web servers, scanning for requests to revoke Offline Mode every 15 minutes and for password changes every 1 hour. This ensures that the browser extension has access to new and updated passwords when the device has a Network connection. Additionally, to enhance the security of the stored passwords, the browser extension will use encryption to protect the passwords while they are in transit.
The browser extension will have read-only access that allows users to access their passwords, but not modify them. This read-only access feature helps to prevent accidental changes to the stored passwords, providing an additional layer of security.
Revoking Access
Administrators can revoke instances of Offline Mode through the IT Glue web application, under Account settings in the Offline Mode tab. When access has been revoked, the Windows sync service will identify this action, stop pulling passwords and remove passwords that previously synced on the device with a network connection. All Passwords that were previously synced will be removed from the Offline Mode Chrome browser extension and cannot be accessed. The browser extension can still be accessed if the Users session is active, but Passwords will not be accessible.
The Browser Instances Management table gives IT Glue Administrators privileges to approve, deny, or revoke access to this feature. We also designed the equivalent of a “kill switch” option in case of an emergency where all instances of this feature must be wiped; this would be toggling off the feature altogether. Making this action comes with a warning pop-up, fully explaining the implications of switching off the feature to the user before they can proceed.