> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/password-manager/knowledge-base/application-knowledge-base/devolutions-password-manager-pre-configuration.md).
# Devolutions Password Manager pre-configuration
{% tabs %}
{% tab title="Windows" %}
#### What is pre-configuration?
Pre-configuration allows IT administrators to deploy Devolutions Password Manager Windows app with pre-configured settings and workspaces (Devolutions Server and Devolutions Cloud) across Windows endpoints. This eliminates the need for end users to manually configure the application after installation.
#### Key benefits
* Zero-touch deployment: Users start with fully configured applications
* Consistency: Ensure all users have the same workspaces and settings
* Time savings: Eliminate manual configuration steps
* Flexibility: Multiple deployment methods to fit different IT infrastructures
* Scalability: Deploy to hundreds or thousands of endpoints efficiently
#### How it works
1. An IT Admin configures workspaces and settings via MSI parameters or configuration files.
2. Deployment tool pushes installation to managed devices (Intune, SCCM, PDQ Deploy, etc.).
3. Users launche app for the first time.
4. The app reads the configuration and automatically creates workspaces.
5. Users log in to complete the connection.
#### Important notes
* Authentication required: Pre-configured workspaces are created in a "pending" state. Users must still log in to complete the connection.
* First launch only: Configuration is applied once on first launch. Subsequent changes require app reinstallation or manual configuration.
* Credentials NOT Stored: Pre-configuration does NOT include user credentials. Users must log in with their own credentials.
### Deployment methods
#### Method 1: MSI Installer Parameters
Pass configuration parameters directly to the Windows installer during deployment. You can combine workspace parameters with application settings.
Use case: Quick deployments, simple configurations, testing
* Basic example (workspaces only):
```bash
msiexec /i Workspace.msi /qn DVLS_SERVER_URL="https://server.com" HUB_NAME="mycompany"
```
* With settings (workspaces + application settings):
```bash
msiexec /i Workspace.msi /qn ^
DVLS_SERVER_URL="https://server.com" ^
HUB_NAME="mycompany" ^
ORGANIZATION_ID="guid-here" ^
LANGUAGE="fr" ^
LOCKING_OPTION="windowsCredentials"
```
Limitations: Only one Devolutions Server can be configured via MSI parameters. For multiple servers, use Method 2.
#### Method 2: Configuration file deployment (recommended for enterprise)
Deploy a pre-created `.cfg` file to target systems.
* Use case: Intune, SCCM, complex configurations, multiple workspaces
**Option A: System-Wide Deployment (DEPLOY\_CONFIG) - RECOMMENDED**
```bash
msiexec /i Workspace.msi /qn DEPLOY_CONFIG="C:\path\to\Config.cfg"
```
* Target: `%ProgramData%\net.devolutions\Workspace\DefaultConfig.cfg`
* How it works:
1. MSI writes config to ProgramData during installation
2. When any user launches Devolutions Password Manager, the app detects system-wide config
3. Config automatically copies to user's Roaming profile
4. User has configured application
**Why DEPLOY\_CONFIG for enterprise:**
1. Reliable: Works regardless of user context (no "Default user" issues)
2. Consistent: All users on machine get same configuration
3. Automation-friendly: Perfect for Intune, SCCM, silent installs
4. Multi-user support: Applies to all existing and future users
* Best for: Intune, SCCM, silent installs, multi-user machines, shared workstations
**Option B: Per-user deployment (USER\_CONFIG)**
```bash
msiexec /i Workspace.msi /qn USER_CONFIG="C:\path\to\Config.cfg"
```
* Target: `%LOCALAPPDATA%\net.devolutions\Workspace\Config.cfg`
* How it works:
1. MSI writes config to installing user's Local AppData
2. User launches Devolutions Password Manager
3. Config copies to user's Roaming profile
4. Only that user has configured application
* Limitations:
1. Only configures the user who ran the installer
2. May fail in automated deployments (user context issues)
3. Not suitable for multi-user machines
* Best for: Interactive installations by end users, single-user devices
#### Method 3: UI-based configuration creator
Use the desktop application to create configuration files and MSI commands.
* Use case: IT administrators preparing deployment packages
* Access: ***Tools*** – ***Custom installation*** (in the desktop application)
See Configuration file creator section for details.
### Configuration file structure
Configuration files use the `.cfg` extension and contain JSON-formatted data.
#### File format
```json
{
"hubs": [
{
"url": "https://mycompany.devolutions.app",
"organizationId": "00000000-0000-0000-0000-000000000000",
"type": "Business",
"version": ""
}
],
"dvls": [
{
"name": "Production DVLS",
"serverUrl": "https://devolutions-server.company.com",
"serverVersion": ""
},
{
"name": "Development DVLS",
"serverUrl": "https://devolutions-server-dev.company.com",
"serverVersion": ""
}
],
"configs": {
"language": "en-US",
"reduceToTrayOnClose": true,
"clearClipboardSensitiveData": true,
"clipboardTimer": 30,
"useFavicon": true,
"useEntriesSyncOnDatasourceAccess": false,
"useHubEmbeddedBrowser": true,
"shareUsageData": false,
"lockingOption": "windowsCredentials",
"useBackgroundLock": true,
"useLockWhenInactive": true,
"lockInactivityDelay": 300
}
}
```
#### Schema components
**Devolutions Cloud array (optional)**
Array of Devolutions Cloud instances to configure.
| Field | Type | Required | Description |
| ------------------ | ------ | -------- | ----------------------------------------------------------------- |
| **url** | string | Yes | Devolutions Cloud URL (e.g., `https://mycompany.devolutions.app`) |
| **organizationId** | string | Yes | Organization GUID |
| **type** | string | No | Always "Business" (auto-populated) |
| **version** | string | No | Devolutions Cloud version (auto-populated on first connection) |
**Devolutions Server array (optional)**
Array of Devolutions Server instances to configure.
| Field | Type | Required | Description |
| ----------------- | ------ | -------- | ----------------------------------------------------------------------- |
| **name** | string | Yes | Display name for the server |
| **serverUrl** | string | Yes | Devolutions Server URL (e.g., `https://devolutions-server.company.com`) |
| **serverVersion** | string | No | Server version (auto-populated on first connection) |
**Configs Object (Optional)**
Application settings to pre-configure.
See [Configuration settings reference](https://docs.devolutions.net/password-manager/kb/application-knowledge-base/devolutions-password-manager-pre-configuration/#configuration-settings-reference) for complete list.
### Configuration file locations
Configuration files are loaded in priority order based on location.
#### User-level configuration
* Roaming AppData: `%APPDATA%\net.devolutions\Workspace\Config.cfg`
* Default: `C:\Users\[Username]\AppData\Roaming\net.devolutions\Workspace\Config.cfg`
* Syncs across domain-joined computers
* Highest priority (user-specific)
* Local AppData: `%LOCALAPPDATA%\net.devolutions\Workspace\Config.cfg`
* Default: `C:\Users\[Username]\AppData\Local\net.devolutions\Workspace\Config.cfg`
* Machine-specific, not synced
* Used during MSI installation, then copied to Roaming
#### System-wide configuration
* ProgramData: `%ProgramData%\net.devolutions\Workspace\DefaultConfig.cfg`
* Default: `C:\ProgramData\net.devolutions\Workspace\DefaultConfig.cfg`
* Applies to all users on the system
* Requires `config.ready` indicator file in same directory
* Copied to user Roaming location on first launch (if user config doesn't exist)
#### Indicator file
* File: `config.ready`
* Location: Same directory as `DefaultConfig.cfg`
* Purpose: Signals that system-wide config is ready for deployment
* Content: Empty file, presence is checked only
#### Priority order
Configuration sources are checked in the following order (first found wins):
1. User Configuration File – User – specific config
2. System Configuration File – System – wide default (copied to user location)
### MSI Installer Parameters
The Windows MSI installer accepts the following parameters for pre-configuration.
#### Workspace parameters
**Devolutions Server configuration**
| Parameter | Type | Description | Example |
| --------------------- | ------ | ---------------------- | ---------------------------------------- |
| **DVLS\_SERVER\_URL** | String | Devolutions Server URL | `https://devolutions-server.company.com` |
* Note: Only one (Devolutions Server can be configured via MSI parameters. For multiple servers, use a configuration file.)
**Devolutions Cloud configuration**
| Parameter | Type | Description | Example |
| -------------------- | ------ | ------------------------------------------------------------ | -------------------------------------- |
| **HUB\_NAME** | String | Devolutions Cloud subdomain name (required) | `mycompany` |
| **ORGANIZATION\_ID** | String | Organization GUID (optional - leave empty if not applicable) | `00000000-0000-0000-0000-000000000000` |
* Note: The full Devolutions Cloud URL is constructed as `https://{HUB_NAME}.devolutions.app`
* Note: `ORGANIZATION_ID` is optional. Some Devolutions Cloud instances don't require an organization ID. If not applicable, you can omit this parameter or pass an empty string.
#### Configuration file deployment parameters
| Parameter | Type | Description | Target Location |
| ------------------ | ------ | -------------------------------------- | ----------------------------------------------------------- |
| **DEPLOY\_CONFIG** | String | System-wide config (recommended) | `%ProgramData%\net.devolutions\Workspace\DefaultConfig.cfg` |
| **USER\_CONFIG** | String | Per-user config (interactive installs) | `%LOCALAPPDATA%\net.devolutions\Workspace\Config.cfg` |
#### Application settings parameters
**General settings**
| Parameter | Type | Values | Default | Description |
| -------------------- | ------ | ---------------------------- | --------- | ---------------------------- |
| **TARGET\_LOCATION** | String | `roaming`, `local`, `system` | `roaming` | Where to save configuration. |
| **LANGUAGE** | String | Language code | `en-US` | Application language. |
**User interface settings**
| Parameter | Type | Values | Default | Description |
| ------------------------------- | ------ | --------------- | ------- | ---------------------------------------------------------- |
| **REDUCE\_TO\_TRAY\_ON\_CLOSE** | String | `true`, `false` | `false` | Minimize to system tray instead of closing. |
| **USE\_FAVICON** | String | `true`, `false` | `false` | Download and display website favicons. |
| **USE\_HUB\_EMBEDDED\_BROWSER** | String | `true`, `false` | `true` | Use embedded browser for Devolutions Cloud authentication. |
**Security settings**
| Parameter | Type | Values | Default | Description |
| ------------------------------------- | ------ | --------------------------------------------- | ------- | --------------------------------------------- |
| **CLEAR\_CLIPBOARD\_SENSITIVE\_DATA** | String | `true`, `false` | `false` | Auto-clear clipboard after copying passwords. |
| **CLIPBOARD\_TIMER** | Number | Seconds (1-999) | `30` | Seconds before clearing clipboard. |
| **LOCKING\_OPTION** | String | `password`, `biometric`, `windowsCredentials` | (none) | Method to lock application. |
| **USE\_BACKGROUND\_LOCK** | String | `true`, `false` | `false` | Lock when minimized to tray. |
| **USE\_LOCK\_WHEN\_INACTIVE** | String | `true`, `false` | `false` | Lock after period of inactivity. |
| **LOCK\_INACTIVITY\_DELAY** | Number | Seconds (30-3600) | `30` | Seconds before auto-lock. |
**Synchronization settings**
| Parameter | Type | Values | Default | Description |
| ---------------------------------------------- | ------ | --------------- | ------- | ------------------------------------------- |
| **USE\_ENTRIES\_SYNC\_ON\_DATASOURCE\_ACCESS** | String | `true`, `false` | `false` | Auto-sync entries when accessing workspace. |
**Privacy settings**
| Parameter | Type | Values | Default | Description |
| ---------------------- | ------ | --------------- | ------- | --------------------------------- |
| **SHARE\_USAGE\_DATA** | String | `true`, `false` | `true` | Share anonymous usage statistics. |
### Configuration file creator
The desktop application includes a visual tool for creating configuration files.
#### Accessing the tool
1. Launch Devolutions Password Manager.
2. Navigate to: ***Tools*** – ***Custom Installation***.
#### Features
**Export tab (Create configuration)**
1. Workspace selection.
* View all configured (Devolutions Server and Devolutions Cloud instances)
* Select which workspaces to include via checkboxes
* Multiple workspaces supported
2. Settings Configuration
* Enable/disable individual application settings grouped by category:
* General (Language, Tray behavior)
* Security (Clipboard, Locking)
* Synchronization
* Privacy (Usage statistics)
3. Live Preview
* Real-time JSON preview of configuration
* Copy JSON to clipboard
* Preview updates as selections change
4. Export Options
* Generate .cfg File: Save configuration to `.cfg` file
* Copy MSI Command: Generate complete MSI command with all parameters
**Import tab (Load configuration)**
1. File Selection
* Browse for `.cfg` files
* File validation and parsing
2. Preview Before Import
* View workspaces and settings before applying
* Duplicate detection (warns if workspace already exists)
3. Import Actions
* Applies configuration to current application
* Creates new workspaces if they don't exist
* Updates settings immediately
### Configuration settings reference
Complete reference of all configurable settings.
#### Settings key mapping
| Export Key (Config/MSI) | Internal Key | Type | Default | Description |
| ------------------------------------ | --------------------------- | ------- | -------- | ---------------------------------------------------------- |
| **language** | languageCode | String | `en-US` | Application UI language |
| **reduceToTrayOnClose** | minimizeOnClose | Boolean | `false` | Minimize to tray instead of exiting |
| **clearClipboardSensitiveData** | removeSensitiveFromKeyboard | Boolean | `false` | Auto-clear clipboard timer |
| **clipboardTimer** | clipboardTimer | Integer | `30` | Seconds before clearing clipboard (1-999) |
| **useFavicon** | useRichIcons | Boolean | `false` | Download website favicons for entries |
| **useEntriesSyncOnDatasourceAccess** | useEntriesSyncSpaceAccess | Boolean | `false` | Auto-sync entries when accessing workspace |
| **useHubEmbeddedBrowser** | hubEmbeddedBrowser | Boolean | `true` | Use embedded browser for Devolutions Cloud authentication |
| **shareUsageData** | shareAnonymousData | Boolean | `true` | Share anonymous usage statistics |
| **lockingOption** | lockingOption | String | `(none)` | Lock method: `password`, `biometric`, `windowsCredentials` |
| **useBackgroundLock** | useBackgroundLock | Boolean | `false` | Lock when minimized to tray |
| **useLockWhenInactive** | useLockWhenInactive | Boolean | `false` | Lock after period of inactivity |
| **lockInactivityDelay** | lockInactivityDelay | Integer | `30` | Seconds before auto-lock (30-3600) |
#### Supported languages
| Code | Language |
| -------- | ----------------------- |
| `en-US` | English (United States) |
| `fr` | French |
| `de` | German |
| `es` | Spanish |
| `cs` | Czech |
| `hu` | Hungarian |
| `it` | Italian |
| `nl` | Dutch |
| `pl` | Polish |
| `ru` | Russian |
| `sv` | Swedish |
| `tr` | Turkish |
| `uk` | Ukrainian |
| `zh-CHS` | Chinese (Simplified) |
| `zh-TW` | Chinese (Traditional) |
#### Locking options
| Value | Description | Requirements |
| ---------------------- | ------------------- | -------------------------------- |
| **password** | Master password | User sets password on first lock |
| **biometric** | Fingerprint/Face ID | Biometric hardware required |
| **windowsCredentials** | Windows Hello | Windows 10/11 with Windows Hello |
* Note: If Windows Hello is not available, falls back to password.
### Deployment examples
#### Example 1: Single Devolutions Server with Security settings
```bash
msiexec /i Workspace.msi /qn ^
DVLS_SERVER_URL="https://devolutions-server.company.com" ^
LOCKING_OPTION="windowsCredentials" ^
USE_LOCK_WHEN_INACTIVE="true" ^
LOCK_INACTIVITY_DELAY="300" ^
CLEAR_CLIPBOARD_SENSITIVE_DATA="true" ^
CLIPBOARD_TIMER="60"
```
#### Example 2: Devolutions Cloud with French language
```bash
# With Organization ID
msiexec /i Workspace.msi /qn ^
HUB_NAME="mycompany" ^
ORGANIZATION_ID="12345678-1234-1234-1234-123456789abc" ^
LANGUAGE="fr" ^
REDUCE_TO_TRAY_ON_CLOSE="true"
# Without Organization ID (for Devolutions Cloud instances that don't require it)
msiexec /i Workspace.msi /qn ^
HUB_NAME="mycompany" ^
LANGUAGE="fr" ^
REDUCE_TO_TRAY_ON_CLOSE="true"
```
#### Example 3: Microsoft Intune deployment
**Step 1: Prepare files**
Create a working folder (e.g., `C:\IntuneApps\Workspace\`) and place these files:
* `Workspace.msi`
* `config.cfg` (created via ***Tools*** – ***Custom installation*** or manually)
* `Install-Workspace.ps1` (PowerShell script below)
**Step 2: PowerShell installation script**
Create `Install-Workspace.ps1`:
```powershell
# Install-Workspace.ps1
# Source files in the Intune package
$ConfigSource = "$PSScriptRoot\config.cfg"
$ConfigTarget = "C:\Program Files\config.cfg"
$MsiPath = "$PSScriptRoot\Workspace.msi"
# Copy config.cfg to Program Files
try {
Copy-Item -Path $ConfigSource -Destination $ConfigTarget -Force
} catch {
Write-Host "Error copying config file: $($_.Exception.Message)"
exit 1
}
# Install MSI silently with DEPLOY_CONFIG parameter
$Arguments = "/i `"$MsiPath`" /qn /norestart DEPLOY_CONFIG=`"C:\Program Files\config.cfg`""
$Process = Start-Process "msiexec.exe" -ArgumentList $Arguments -Wait -PassThru
# Return exit code to Intune
exit $Process.ExitCode
```
**Step 3: Create .intunewin Package**
Use the Microsoft Win32 Content Prep Tool (`IntuneWinAppUtil.exe`):
```bash
IntuneWinAppUtil.exe -c C:\IntuneApps\Workspace -s Install-Workspace.ps1 -o C:\IntuneApps\Output
```
**Step 4: Configure Intune application**
In Microsoft Intune Portal:
1. Navigate to: **Apps** – **Windows** – **Add** – **Windows app (Win32)**
2. App Package File: Upload `Workspace.intunewin`
3. App Information: Fill in name, description, publisher
4. Program configuration:
* Install command: `powershell.exe -ExecutionPolicy Bypass -File .\Install-Workspace.ps1`
* Uninstall command: `msiexec.exe /x {PRODUCT-CODE-GUID} /qn /norestart`
* Install behavior: System
5. Requirements: Windows 10 1607+ (64-bit)
6. Detection Rules: MSI product code (auto-detected)
7. Assignments: Assign to target groups
**Installation Flow on the endpoint**
When the app is deployed to a device, the following happens automatically:
1. Intune downloads and executes `Install-Workspace.ps1`
2. The script copies `config.cfg` to `C:\Program Files\config.cfg`
3. The script installs the MSI with `DEPLOY_CONFIG="C:\Program Files\config.cfg"`
4. The MSI reads the configuration file and writes it to `%ProgramData%\net.devolutions\Workspace\DefaultConfig.cfg`
5. When a user launches Devolutions Password Manager, the app detects the system-wide config and applies it
The result: the configuration file is distributed with the application, placed automatically in the correct location, and the installation is fully silent and Intune-compatible.
#### Example 4: SCCM Deployment
* Install command:
```bash
msiexec /i Workspace.msi /qn /norestart DEPLOY_CONFIG="%~dp0Config.cfg"
```
* Uninstall command:
```bash
msiexec /x {PRODUCT-CODE} /qn /norestart
```
* Detection method: Registry key `HKLM\SOFTWARE\Devolutions\Workspace\Version`
#### Example 5: Multiple Devolutions Server via config file
Create `config.cfg`:
```json
{
"dvls": [
{
"name": "Production Devolutions Server",
"serverUrl": "https://devolutions-server-prod.company.com"
},
{
"name": "Development Devolutions Server",
"serverUrl": "https://devolutions-server-dev.company.com"
},
{
"name": "Test Devolutions Server",
"serverUrl": "https://devolutions-server-test.company.com"
}
],
"configs": {
"language": "en-US",
"shareUsageData": false
}
}
```
Deploy via:
```bash
msiexec /i Workspace.msi /qn DEPLOY_CONFIG="\\fileserver\IT\Workspace\config.cfg"
```
### Troubleshooting
#### Configuration not applied
Configuration file present but settings not applied.
1. Check file location: Verify correct path (`%ProgramData%\net.devolutions\Workspace\DefaultConfig.cfg`)
2. Check JSON validity: Validate JSON syntax (no trailing commas, proper quotes)
3. Check permissions: User must have read access to config file
4. Verify indicator file: Check if `config.ready` file exists in same directory
5. Check logs: Review application logs for parsing errors
#### Indicator file missing
* Problem: System-wide configuration ignored.
* Solution: Create `config.ready` file:
```bash
type nul > "%ProgramData%\net.devolutions\Workspace\config.ready"
```
#### USER\_CONFIG deploys to "default" user profile
* Problem: USER\_CONFIG fails in silent/automated installs, config ends up in `C:\Users\Default\AppData\Local`.
* Cause: USER\_CONFIG requires active user session context, which isn't available during automated MSI installation.
* Solution: Use **DEPLOY\_CONFIG** for enterprise deployments:
```bash
# CORRECT for Intune/SCCM
msiexec /i Workspace.msi /qn /norestart DEPLOY_CONFIG="%~dp0Config.cfg"
# WRONG for automated deployment
msiexec /i Workspace.msi /qn /norestart USER_CONFIG="%~dp0Config.cfg"
```
#### MSI silent install not applying config
MSI parameters not creating configuration.
1. Check parameter syntax: Ensure proper quoting (use `"value"`, not `'value'`)
2. Log MSI installation: Add `/l*v install.log` to see detailed errors
3. Verify PowerShell execution: Check if execution policy blocks scripts
4. Administrative rights: Ensure installer runs with elevation
* Example with logging:
```bash
msiexec /i Workspace.msi /qn /l*v C:\Temp\install.log DVLS_SERVER_URL="https://server.com"
```
#### Settings not persisting
Settings revert to defaults after restart.
1. User vs System Config: System config only applies if user config doesn't exist. Once user modifies settings, they are saved to user config and override system defaults.
2. Group Policy Override: Check if GPO is enforcing settings
3. File Permissions: Verify write permissions to user config location
#### Workspace already exists
Problem: Import fails with "workspace already exists" message.
Explanation: Configuration parser detects duplicates by normalized URL (case-insensitive, trailing slash removed).
1. Remove existing workspace manually before importing
2. Edit configuration file to remove duplicate entries
3. Use Custom Installation tool to merge configurations
#### Locking option not working
Windows Hello not activating.
1. Windows Hello Setup: Ensure Windows Hello is configured in Windows Settings
2. Fallback: System automatically falls back to password if hardware unavailable
3. Check logs: Review application logs for biometric initialization errors
### Best practices
#### 1. Test configuration first
Before deploying to all users:
1. Create a test user/device group
2. Apply configuration to test group
3. Verify workspaces and settings work as expected
4. Roll out to production
#### 2.Use DEPLOY\_CONFIG for enterprise
* Always use DEPLOY\_CONFIG for:
* Intune deployments
* SCCM deployments
* Silent/unattended installations
* Multi-user machines
* Shared workstations
* Only use USER\_CONFIG for:
* Interactive installations by end users
* Single-user devices
* Testing scenarios
#### 3. Document configuration
Maintain documentation of your configuration including:
* Which workspaces are pre-configured
* What settings are enforced
* Expected user experience
* Support contact for issues
#### 4. User communication
Inform users:
* Workspaces will be pre-configured
* They still need to log in with their credentials
* Configuration happens on first app launch
* Contact IT if workspaces don't appear
#### 5. Security considerations
**Recommended security settings**:
```json
{
"lockingOption": "windowsCredentials",
"useBackgroundLock": true,
"useLockWhenInactive": true,
"lockInactivityDelay": 300,
"clearClipboardSensitiveData": true,
"clipboardTimer": 60,
"shareUsageData": false
}
```
**Why**:
* Enforces Windows Hello authentication
* Locks app immediately when backgrounded
* Auto-locks after 5 minutes of inactivity
* Clears clipboard after 60 seconds
* Disables usage data collection (optional)
#### 6. URL format requirements
All URLs must:
* Include protocol (`https://`)
* Be valid, accessible URLs
* Not end with trailing slash (app will normalize)
**Examples:**
* `https://devolutions-server.company.com`
* `https://password-manager.devolutions.app`
* `devolutions-server.company.com` (missing https\://)
* `http://devolutions-server.company.com` (HTTP not recommended)
#### 7. Domain vs standalone considerations
* Domain-Joined: Use Roaming AppData (`TARGET_LOCATION="roaming"`) for profile sync
* Standalone: Use Local AppData (`TARGET_LOCATION="local"`) or System (`TARGET_LOCATION="system"`)
### Quick reference
#### Minimal configuration template
```json
{
"dvls": [
{
"name": "Devolutions Server",
"serverUrl": "https://devolutions-server.example.com"
}
]
}
```
#### Recommended enterprise deployment command
```bash
msiexec /i Workspace.msi /qn /norestart DEPLOY_CONFIG="\\server\share\Config.cfg"
```
{% endtab %}
{% tab title="macOS" %}
#### What is pre-configuration
Pre-configuration allows IT administrators to deploy Devolutions Password Manager with pre-configured settings and workspaces (Devolutions Server and Devolutions Cloud instances) across managed macOS endpoints. This eliminates the need for end-users to manually configure the application after installation.
#### Key benefits
* Zero-touch deployment: Users start with fully configured applications
* Consistency: Ensure all users have the same workspaces and settings
* Time savings: Eliminate manual configuration steps
* Centralized management: Configure from MDM console
* Policy enforcement: Can prevent users from changing settings
* Enterprise standard: Recommended approach for managed macOS fleets
#### How it works
1. IT Admin configures workspaces and settings via MDM or configuration files
2. MDM pushes configuration to managed devices
3. User launches app for the first time
4. App reads configuration and creates workspaces automatically
5. User authenticates to complete the connection (enters credentials)
#### Important notes
* Authentication required: Pre-configured workspaces are created in a "pending" state. Users must still authenticate (log in) to complete the connection.
* First launch only: Configuration is applied once on first launch. Subsequent changes require app reinstallation or manual configuration.
* Credentials NOT Stored: Pre-configuration does NOT include user credentials. Users must log in with their own credentials.
### Deployment methods
#### Method 1: MDM/managed preferences (recommended)
Deploy configuration via Mobile Device Management (MDM) solutions for managed macOS environments.
* Use case: Jamf Pro, Microsoft Intune for Mac, other MDM solutions
* Priority: Highest (overrides all file-based configurations)
* Preference domain: `net.devolutions.authenticator`
**Advantages:**
* Centralized management: Configure from MDM console
* Policy enforcement: Can prevent users from changing settings
* Highest priority: Overrides local configuration files
* Enterprise standard: Recommended approach for managed macOS fleets
See [MDM/Managed Preferences](https://docs.devolutions.net/password-manager/kb/application-knowledge-base/devolutions-password-manager-pre-configuration/#method-1-mdmmanaged-preferences-recommended) section for detailed instructions.
#### Method 2: Configuration file deployment
Deploy a pre-created `.cfg` file to target systems.
* Use Case: Scripted deployments, non-MDM environments, testing
* System-Wide Location: `/Library/Application Support/Devolutions/Workspace/DefaultConfig.cfg`
* Per-User Location: `~/Library/Application Support/Workspace/Config.cfg`
See [Configuration file structure](https://docs.devolutions.net/password-manager/kb/application-knowledge-base/devolutions-password-manager-pre-configuration/#configuration-file-structure-1) section for details.
#### Method 3: Manual configuration (defaults command)
For manual configuration or scripting:
```bash
# Set language
defaults write net.devolutions.authenticator language -string "en-US"
# Enable tray minimize
defaults write net.devolutions.authenticator reduceToTrayOnClose -bool true
# Set locking option
defaults write net.devolutions.authenticator lockingOption -string "biometric"
```
**Use case**: Manual setup, testing, shell scripts
### MDM/Managed preferences
#### Jamf Pro deployment
**Option A: Using JSON schema (recommended)**
1. Download or copy the Jamf Pro JSON Schema for Devolutions Password Manager:
Click to expand: Devolutions Password Manager Jamf Pro JSON Schema
```json
{
"title": "Devolutions Password Manager Configuration (net.devolutions.authenticator)",
"description": "Configuration settings for Devolutions Password Manager deployed via Jamf Pro. These settings are deployed as managed preferences to managed devices.",
"__version": "1.0",
"__preferencedomain": "net.devolutions.authenticator",
"options": {
"remove_empty_properties": true
},
"properties": {
"dvls": {
"title": "DVLS Configuration",
"description": "Devolutions Server connection settings",
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"title": "Server Name",
"description": "Display name for the Devolutions Server",
"type": "string",
"default": "Devolutions Server"
},
"serverUrl": {
"title": "Server URL",
"description": "Full URL to the Devolutions Server (e.g., https://server.company.com)",
"type": "string",
"pattern": "^https?://.*"
},
"serverVersion": {
"title": "Server Version",
"description": "Devolutions Server version (optional)",
"type": "string",
"default": ""
}
},
"required": ["serverUrl"]
},
"default": []
},
"hubs": {
"title": "Devolutions Cloud Configuration",
"description": "Devolutions Cloud connection settings",
"type": "array",
"items": {
"type": "object",
"properties": {
"url": {
"title": "Devolutions Cloud URL",
"description": "Full Devolutions Cloud URL (e.g., https://yourcompany.devolutions.app)",
"type": "string",
"pattern": "^https://.*\\.devolutions\\.app$"
},
"organizationId": {
"title": "Organization ID",
"description": "Organization identifier for Devolutions Cloud",
"type": "string"
},
"type": {
"title": "Devolutions Cloud Type",
"description": "Devolutions Cloud connection type (optional)",
"type": "string"
},
"version": {
"title": "Devolutions Cloud Version",
"description": "Devolutions Cloud version compatibility",
"type": "string",
"default": "2020"
}
},
"required": ["url"]
},
"default": []
},
"configs": {
"title": "Application Settings",
"description": "User preferences and application behavior settings",
"type": "object",
"properties": {
"language": {
"title": "Language",
"description": "Default language for Devolutions Password Manager interface",
"type": "string",
"enum": [
"en-US", "fr", "de", "es", "cs", "hu", "it", "nl", "pl", "ru", "sv", "tr", "uk", "zh-CHS", "zh-TW"
],
"default": "en-US",
"options": {
"enum_titles": [
"English", "Français", "Deutsch", "Español", "Čeština", "Magyar", "Italiano",
"Nederlands", "Polski", "Русский", "Svenska", "Türkçe", "Українська", "简体中文", "繁體中文"
]
}
},
"reduceToTrayOnClose": {
"title": "Minimize to Tray on Close",
"description": "When enabled, closing the window minimizes to system tray instead of quitting",
"type": "boolean",
"default": false
},
"clearClipboardSensitiveData": {
"title": "Clear Clipboard Sensitive Data",
"description": "Automatically clear sensitive data from clipboard after a specified timeout",
"type": "boolean",
"default": false
},
"clipboardTimer": {
"title": "Clipboard Timeout (seconds)",
"description": "Duration in seconds before clearing clipboard when sensitive data clearing is enabled",
"type": "integer",
"enum": [30, 60, 120, 180, 240, 300, 0],
"default": 30,
"options": {
"enum_titles": ["30 seconds", "1 minute", "2 minutes", "3 minutes", "4 minutes", "5 minutes", "Never"]
}
},
"useFavicon": {
"title": "Use Favicons",
"description": "Download and display website favicons for entries",
"type": "boolean",
"default": false
},
"useEntriesSyncOnDatasourceAccess": {
"title": "Sync Entries on Workspace Access",
"description": "Automatically synchronize entries when accessing a workspace",
"type": "boolean",
"default": false
},
"useHubEmbeddedBrowser": {
"title": "Use Devolutions Cloud Embedded Browser",
"description": "Open Devolutions Cloud connections in embedded browser (disable if using credential providers)",
"type": "boolean",
"default": true
},
"lockingOption": {
"title": "Locking Method",
"description": "Authentication method used when locking/unlocking Devolutions Password Manager. Leave empty for no locking method.",
"type": "string",
"enum": ["", "password", "biometric"],
"default": "",
"options": {
"enum_titles": ["None", "Password/PIN", "Biometric (Touch ID)"]
}
},
"useBackgroundLock": {
"title": "Lock When Backgrounded",
"description": "Automatically lock the application when minimized or sent to system tray",
"type": "boolean",
"default": false
},
"useLockWhenInactive": {
"title": "Auto-Lock When Inactive",
"description": "Automatically lock the application after a period of inactivity",
"type": "boolean",
"default": false
},
"lockInactivityDelay": {
"title": "Inactivity Lock Delay (seconds)",
"description": "Time in seconds before locking due to inactivity (requires Auto-Lock to be enabled)",
"type": "integer",
"enum": [30, 60, 120, 180, 240, 300],
"default": 30,
"options": {
"enum_titles": ["30 seconds", "1 minute", "2 minutes", "3 minutes", "4 minutes", "5 minutes"]
}
}
}
},
"preventStartup": {
"title": "Prevent Startup",
"description": "When true, prevents Devolutions Password Manager from starting automatically after configuration deployment",
"type": "boolean",
"default": true
}
}
}
```
2. In Jamf Pro, navigate to: **Computers – Configuration Profiles – Application & Custom Settings**
3. Click **Configure** and upload the JSON schema file
4. Configure your desired settings using the GUI interface provided by Jamf
5. Scope the profile to your target computers
6. Deploy the configuration profile
**Option B: Manual configuration profile**
If not using Jamf Pro, you can create a standard macOS configuration profile:
**Example profile** (com.devolutions.workspace.mobileconfig):
```xml
PayloadContent
PayloadType
net.devolutions.authenticator
PayloadVersion
1
PayloadIdentifier
net.devolutions.authenticator.config
PayloadUUID
GENERATE-UUID-HERE
PayloadDisplayName
Devolutions Password Manager Configuration
language
en-US
reduceToTrayOnClose
lockingOption
biometric
dvls
name
Corporate DVLS
serverUrl
https://devolutions-server.company.com
```
Deploy via:
* Jamf Pro: Configuration Profiles – Upload profile
* Microsoft Intune: Device Configuration – Custom profile
* Other MDMs: Custom configuration profile upload
#### Microsoft Intune for Mac
1. Navigate to: **Devices** – **Configuration profiles** – **Create profile**.
2. Platform: **macOS**.
3. Profile type: **Custom**.
4. Upload the configuration profile (`.mobileconfig` file).
5. Assign to target groups.
6. Deploy.
#### Verifying MDM configuration
On a managed Mac:
```bash
# Check if preferences are set
defaults read net.devolutions.authenticator
# Check for specific setting
defaults read net.devolutions.authenticator language
```
### Configuration file structure
Configuration files use the `.cfg` extension and contain JSON-formatted data.
#### File format
```json
{
"hubs": [
{
"url": "https://mycompany.devolutions.app",
"organizationId": "00000000-0000-0000-0000-000000000000",
"type": "Business",
"version": ""
}
],
"dvls": [
{
"name": "Production DVLS",
"serverUrl": "https://devolutions-server.company.com",
"serverVersion": ""
},
{
"name": "Development DVLS",
"serverUrl": "https://devolutions-server-dev.company.com",
"serverVersion": ""
}
],
"configs": {
"language": "en-US",
"reduceToTrayOnClose": true,
"clearClipboardSensitiveData": true,
"clipboardTimer": 30,
"useFavicon": true,
"useEntriesSyncOnDatasourceAccess": false,
"useHubEmbeddedBrowser": true,
"shareUsageData": false,
"lockingOption": "biometric",
"useBackgroundLock": true,
"useLockWhenInactive": true,
"lockInactivityDelay": 300
}
}
```
#### Schema Components
**Devolutions Cloud Array (Optional)**
Array of Devolutions Cloud instances to configure.
| Field | Type | Required | Description |
| ------------------ | ------ | -------- | ----------------------------------------------------------------- |
| **url** | string | Yes | Devolutions Cloud URL (e.g., `https://mycompany.devolutions.app`) |
| **organizationId** | string | Yes | Organization GUID |
| **type** | string | No | Always "Business" (auto-populated) |
| **version** | string | No | Devolutions Cloud version (auto-populated on first connection) |
**Devolutions Server Array (Optional)**
Array of Devolutions Server instances to configure.
| Field | Type | Required | Description |
| ----------------- | ------ | -------- | ------------------------------------------------------------------------ |
| **name** | string | Yes | Display name for the server |
| **serverUrl** | string | Yes | (Devolutions Server URL (e.g., `https://devolutions-server.company.com`) |
| **serverVersion** | string | No | Server version (auto-populated on first connection) |
**`configs` Object (optional)**
Application settings to pre-configure.
See [Configuration settings reference](https://docs.devolutions.net/password-manager/kb/application-knowledge-base/devolutions-password-manager-pre-configuration/#configuration-settings-reference-1) for complete list.
### Configuration file locations
#### User-level configuration
* Path: `~/Library/Application Support/Workspace/Config.cfg`
* Priority: Highest for user-specific configs
#### System-wide configuration
* Path: `/Library/Application Support/Devolutions/Workspace/DefaultConfig.cfg`
* Priority: Applied if user config doesn't exist
#### Managed preferences (MDM/Jamf)
* Priority: Highest (overrides all file-based configs)
* Preference domain: `net.devolutions.authenticator`
* Keys: Same as `configs` object in JSON format
* Configuration: Via MDM profile or `defaults` command
#### Priority order
Configuration sources are checked in the following order (first found wins):
1. macOS managed preferences – MDM/Jamf policies (highest priority)
2. User configuration file – User-specific config
3. System configuration file – System-wide default (copied to user location)
### Configuration settings reference
Complete reference of all configurable settings.
#### Settings key mapping
| Export Key (Config/MDM) | Type | Default | Description |
| ------------------------------------ | ------- | ------- | --------------------------------------------------------- |
| **language** | String | `en-US` | Application UI language |
| **reduceToTrayOnClose** | Boolean | `false` | Minimize to tray instead of exiting |
| **clearClipboardSensitiveData** | Boolean | `false` | Auto-clear clipboard timer |
| **clipboardTimer** | Integer | `30` | Seconds before clearing clipboard (1-999) |
| **useFavicon** | Boolean | `false` | Download website favicons for entries |
| **useEntriesSyncOnDatasourceAccess** | Boolean | `false` | Auto-sync entries when accessing workspace |
| **useHubEmbeddedBrowser** | Boolean | `true` | Use embedded browser for Devolutions Cloud authentication |
| **shareUsageData** | Boolean | `true` | Share anonymous usage statistics |
| **lockingOption** | String | (none) | Lock method: `password`, `biometric` |
| **useBackgroundLock** | Boolean | `false` | Lock when minimized to tray |
| **useLockWhenInactive** | Boolean | `false` | Lock after period of inactivity |
| **lockInactivityDelay** | Integer | `30` | Seconds before auto-lock (30-3600) |
#### Supported Languages
| Code | Language |
| -------- | ----------------------- |
| `en-US` | English (United States) |
| `fr` | French |
| `de` | German |
| `es` | Spanish |
| `cs` | Czech |
| `hu` | Hungarian |
| `it` | Italian |
| `nl` | Dutch |
| `pl` | Polish |
| `ru` | Russian |
| `sv` | Swedish |
| `tr` | Turkish |
| `uk` | Ukrainian |
| `zh-CHS` | Chinese (Simplified) |
| `zh-TW` | Chinese (Traditional) |
#### Locking Options
| Value | Description | Requirements |
| ------------- | --------------- | -------------------------------- |
| **password** | Master password | User sets password on first lock |
| **biometric** | Touch ID | Touch ID hardware required |
### Deployment examples
#### Example 1: Jamf Pro with Devolutions Server and security settings
Using Jamf JSON Schema:
1. Upload the JSON schema to Jamf Pro
2. Configure via GUI:
* Devolutions Server configuration: Add server with URL `https://devolutions-server.company.com`
* Locking Method: Biometric (Touch ID)
* Lock When Backgrounded: Enabled
* Auto-Lock When Inactive: Enabled
* Inactivity Lock Delay: 5 minutes (300 seconds)
3. Scope to target computers
4. Deploy
#### Example 2: Manual configuration Profile for Devolutions Cloud
```xml
PayloadContent
PayloadType
net.devolutions.authenticator
PayloadVersion
1
PayloadIdentifier
net.devolutions.authenticator.config
PayloadUUID
REPLACE-WITH-UNIQUE-UUID
PayloadDisplayName
Devolutions Password Manager Cloud Configuration
hubs
url
https://mycompany.devolutions.app
organizationId
12345678-1234-1234-1234-123456789abc
type
Business
version
2020
configs
language
en-US
lockingOption
biometric
```
#### Example 3: defaults command for testing
```bash
#!/bin/bash
# Configure Devolutions Server (complex structure requires plist file)
defaults write net.devolutions.authenticator dvls -array-add \
'{name = "Production DVLS"; serverUrl = "https://devolutions-server.company.com"; }'
# Configure application settings
defaults write net.devolutions.authenticator language -string "en-US"
defaults write net.devolutions.authenticator lockingOption -string "biometric"
defaults write net.devolutions.authenticator useBackgroundLock -bool true
defaults write net.devolutions.authenticator useLockWhenInactive -bool true
defaults write net.devolutions.authenticator lockInactivityDelay -int 300
defaults write net.devolutions.authenticator clearClipboardSensitiveData -bool true
defaults write net.devolutions.authenticator clipboardTimer -int 60
```
#### Example 4: Configuration file deployment via script
```bash
#!/bin/bash
# Create system-wide configuration directory
sudo mkdir -p "/Library/Application Support/Devolutions/Workspace"
# Deploy configuration file
sudo cp "/path/to/config.cfg" "/Library/Application Support/Devolutions/Workspace/DefaultConfig.cfg"
# Set proper permissions
sudo chmod 644 "/Library/Application Support/Devolutions/Workspace/DefaultConfig.cfg"
```
#### Example 5: Multiple Devolutions Server via configuration file
Create `config.cfg`:
```json
{
"dvls": [
{
"name": "Production DVLS",
"serverUrl": "https://devolutions-server-prod.company.com"
},
{
"name": "Development DVLS",
"serverUrl": "https://devolutions-server-dev.company.com"
},
{
"name": "Test DVLS",
"serverUrl": "https://devolutions-server-test.company.com"
}
],
"configs": {
"language": "en-US",
"shareUsageData": false
}
}
```
Deploy via script or manually place in system-wide location.
### Troubleshooting
#### MDM configuration not applied
Configuration profile installed but settings not applying.
1. **Verify preference domain**: Ensure using `net.devolutions.authenticator` (not `net.devolutions.workspace`).
2. **Check profile status**: System Preferences – Profiles – Verify profile is installed.
3. **Force profile refresh**: `sudo profiles renew -type enrollment`.
4. **Check for conflicts**: Remove any existing user configuration files.
5. **Review logs**: Check Console.app for Devolutions Password Manager – related errors.
#### Configuration file not loaded
Configuration file present but not being applied.
1. Check file location: Verify correct path (`/Library/Application Support/Devolutions/Workspace/DefaultConfig.cfg`).
2. Check JSON validity: Validate JSON syntax (no trailing commas, proper quotes).
3. Check permissions: Ensure file is readable by all users (`chmod 644`).
4. Check ownership: Should be owned by root or admin.
5. Delete user config: Remove `~/Library/Application Support/Workspace/Config.cfg` to allow system config to apply.
#### Locking option not working
Touch ID not activating.
1. Hardware Check: Verify Mac has Touch ID hardware
2. Touch ID Setup: Ensure Touch ID is configured in System Preferences – Touch ID
3. Fallback: System automatically falls back to password if hardware unavailable
4. Check logs: Review application logs for biometric initialization errors
#### Preference domain confusion
Unsure which preference domain to use.
Solution: Always use `net.devolutions.authenticator` for all Devolutions Password Manager configurations (both mobile and desktop).
#### Settings Not Persisting
Settings revert to defaults after restart.
1. MDM vs User config: MDM settings have highest priority and will override user changes
2. User vs System config: System config only applies if user config doesn't exist
3. File permissions: Verify write permissions to user config location
#### Workspace already exists
Import fails with "workspace already exists" message.
Explanation: Configuration parser detects duplicates by normalized URL (case-insensitive, trailing slash removed).
1. Remove existing workspace manually before applying configuration.
2. Edit configuration to remove duplicate entries.
3. Delete user config file to force re-import of system config.
### Best practices
#### 1. Test configuration first
Before deploying to all users:
1. Create a test computer group in Jamf/Intune.
2. Apply configuration to test group.
3. Verify workspaces and settings work as expected.
4. Roll out to production.
#### 2. Use MDM for managed fleets
Always use MDM/Managed preferences for:
* Jamf Pro managed Macs
* Intune managed Macs
* Any MDM-managed environment
Benefits:
* Centralized management
* Policy enforcement
* Highest priority (overrides local configs)
* Enterprise standard approach
#### 3. Document configuration
Maintain documentation of your MDM configuration including:
* Which workspaces are pre-configured
* What settings are enforced
* Expected user experience
* Support contact for issues
#### 4. User communication
Inform users:
* Workspaces will be pre-configured
* They still need to log in with their credentials
* Configuration happens on first app launch
* Contact IT if workspaces don't appear
#### 5. Security considerations
Recommended security settings:
```json
{
"lockingOption": "biometric",
"useBackgroundLock": true,
"useLockWhenInactive": true,
"lockInactivityDelay": 300,
"clearClipboardSensitiveData": true,
"clipboardTimer": 60,
"shareUsageData": false
}
```
Why:
* Enforces Touch ID authentication
* Locks app immediately when backgrounded
* Auto-locks after 5 minutes of inactivity
* Clears clipboard after 60 seconds
* Disables usage data collection (optional)
#### 6. URL format requirements
All URLs must:
* Include protocol (`https://`)
* Be valid, accessible URLs
* Not end with trailing slash (app will normalize)
Examples:
* `https://devolutions-server.company.com`
* `https://password-manager.devolutions.app`
* `devolutions-server.company.com` (missing https\://)
* `http://devolutions-server.company.com` (HTTP not recommended)
#### 7. Leverage Jamf JSON schema
For Jamf Pro deployments, always use the JSON schema:
* Provides user-friendly GUI interface
* Validates configuration before deployment
* Prevents syntax errors
* Shows all available options with descriptions
### Quick reference
#### Minimal configuration file
```json
{
"dvls": [
{
"name": "Devolutions Server",
"serverUrl": "https://devolutions-server.example.com"
}
]
}
```
#### Preference domain
```
net.devolutions.authenticator
```
#### System-Wide config location
```
/Library/Application Support/Devolutions/Workspace/DefaultConfig.cfg
```
#### Check MDM settings
```bash
defaults read net.devolutions.authenticator
```
{% endtab %}
{% tab title="iOS" %}
#### What is MDM pre–configuration
MDM (Mobile Device Management) pre–configuration allows IT administrators to automatically provision Devolutions Password Manager workspaces (Devolutions Server and Devolutions Cloud) and application settings on managed iOS devices ***before*** users first launch the app.
#### Benefits
* Zero–touch deployment: Users receive pre–configured workspaces.
* Consistent configuration: Ensure all users have the same settings.
* Reduced support burden: No need to manually guide users through setup.
* Enforce security policies: Pre–configure biometric lock, clipboard timers, etc.
#### How it works
1. IT Admin configures workspaces and settings in MDM console (Jamf or Apple MDM).
2. MDM pushes configuration to managed devices.
3. User launches app for the first time.
4. App reads MDM configuration and creates workspaces automatically.
5. User authenticates to complete the connection (enters credentials).
#### Important notes
* Authentication Required: Pre–configured workspaces are created in a "pending" state. Users must still authenticate (log in) to complete the connection.
* First Launch Only: Configuration is applied once on first launch. Subsequent changes require app reinstallation or manual configuration.
* Credentials NOT Stored: MDM pre–configuration does NOT include user credentials. Users must log in with their own credentials.
### Prerequisites
* Jamf Pro server or Apple MDM solution
* Devolutions Password Manager deployed via MDM (App Store or in–house)
* iOS 13.0 or later on managed devices
* Devices enrolled in MDM
### Deployment with Jamf Pro
#### Step 1: Create Managed app configuration
1. Log in to ***Jamf Pro***.
2. Navigate to ***Mobile Device Apps*** – Find "Devolutions Password Manager" app.
3. Click on the app – Go to ***App Configuration*** tab.
4. Click ***Add*** to create a new configuration.
#### Step 2: Configure settings
In the App configuration screen:
**Configuration Method**
* Select: ***Upload specfile*** to the Jamf AppConfig Generator for a GUI form (recommended), OR
* Select: ***Enter configuration directly*** as a plist/dictionary in Jamf Pro
**Option A: Using AppConfig Specfile (Recommended)**
Jamf Pro uses the [AppConfig community](https://www.appconfig.org/) standard for iOS managed app configuration. The specfile provides a GUI form in the Jamf AppConfig Generator where administrators can configure settings without writing raw configuration.
1. Download the [Devolutions Password Manager AppConfig specfile](https://cdnweb.devolutions.net/docs/workspace_mobile_appconfig_specfile.xml).
2. Open the [Jamf AppConfig Generator](https://generator.appconfig.jamfresearch.com/generator).
3. Upload the specfile and configure settings using the GUI form.
4. Download the generated configuration plist from the generator.
5. In Jamf Pro, navigate to ***Mobile Device Apps*** – ***Devolutions Password Manager*** – ***App Configuration***.
6. Paste the generated plist into the App Configuration field, scope to target devices, and deploy.
**Option B: Direct configuration (alternative)**
If not using the specfile, you can enter configuration directly as a plist dictionary in Jamf Pro. Use the flat key format below — the app automatically transforms flat keys (e.g., `dvls_serverUrl`, `hub_url`) into the internal nested structure:
```xml
dvls_serverUrl
https://devolutions-server.company.com
hub_url
https://password-manager.devolutions.app
hub_organizationId
your–org–id
language
en–US
lockingOption
biometric
shareUsageData
useBackgroundLock
backgroundLockDelay
0
useLockWhenInactive
lockInactivityDelay
300
useFavicon
autoSearch
useHubEmbeddedBrowser
```
Note: The flat key format (`dvls_serverUrl`, `hub_url`) is used for Jamf managed app configuration. The app automatically detects this format and transforms it into the internal nested structure. A display name is auto–generated from the DVLS URL.
#### Step 3: Assign to devices
1. Set ***Distribution Method*** to appropriate scope (users, devices, or groups).
2. Click ***Save***.
3. Push the configuration to target devices.
#### Step 4: Verify deployment
On a managed iOS device:
1. Install/launch Devolutions Password Manager.
2. App should automatically show pre–configured workspaces.
3. User taps workspace – enters credentials – connects.
### Configuration schema
#### Devolutions Server configuration
```typescript
{
"name": string, // Display name (required)
"serverUrl": string, // Full URL with https:// (required)
"serverVersion": string // Version like "2024.1" (optional)
}
```
#### Devolutions Cloud configuration
```typescript
{
"url": string, // Full URL with https:// (required)
"organizationId": string, // Org ID (optional)
"type": "business", // Always "business" (required)
"version": "2020" // Always "2020" (required)
}
```
#### Application settings
| Setting | Type | Valid Values | Description |
| ------------------------------ | ------- | ------------------------------- | --------------------------------------------------------- |
| language | String | "en-US", "fr", "de", "es", etc. | App display language |
| **lockingOption** | String | "", "biometric" | App locking method |
| **shareUsageData** | Boolean | true, false | Share anonymous usage analytics |
| **useBackgroundLock** | Boolean | true, false | Lock when app goes to background |
| **backgroundLockDelay** | Integer | 0, 60, 300, 900, 1800, 3600 | Delay before locking when backgrounded (seconds) |
| **useLockWhenInactive** | Boolean | true, false | Enable auto-lock after inactivity |
| **lockInactivityDelay** | Integer | 30, 60, 120, 180, 240, 300 | Inactivity timeout (seconds) |
| **useFavicon** | Boolean | true, false | Use website favicons |
| **autoSearch** | Boolean | true, false | Enable auto-search in vaults |
| **useHubEmbeddedBrowser** | Boolean | true, false | Use embedded browser for Devolutions Cloud authentication |
| **highlightSpecialCharacters** | Boolean | true, false | Highlight special characters in passwords |
### Configuration examples
#### Example 1: Single Devolutions Server only
***Jamf Configuration*** (using schema GUI):
* Devolutions Server: Add one server
* Name: "Corporate DVLS"
* Server URL: ""
* Server Version: "2024.1"
* Devolutions Cloud instances: Leave empty
* Application settings: Leave default
***Direct JSON*** (if not using schema):
```json
{
"dvls": [
{
"name": "Corporate DVLS",
"serverUrl": "https://devolutions-server.acme.com",
"serverVersion": "2024.1"
}
]
}
```
#### Example 2: Devolutions Cloud with security settings
***Jamf Configuration*** (using schema GUI):
* Devolutions Cloud ***instances***: Add one Devolutions Cloud instance
* Devolutions Cloud URL: ""
* Organization ID: (leave empty or enter your org ID)
* ***Application Settings***:
* Locking Method: "Biometric (Touch ID/Face ID)"
* Lock When Backgrounded: Enabled
* Background Lock Delay: "Immediately"
* Auto–Lock When Inactive: Enabled
* Inactivity Lock Delay: "3 minutes"
***Direct JSON*** (if not using schema):
```json
{
"hubs": [
{
"url": "https://password-manager.devolutions.app",
"organizationId": "",
"type": "business",
"version": "2020"
}
],
"configs": {
"lockingOption": "biometric",
"useBackgroundLock": true,
"backgroundLockDelay": 0,
"useLockWhenInactive": true,
"lockInactivityDelay": 180
}
}
```
#### Example 3: Multiple workspaces
***Jamf Configuration*** (using schema GUI):
* Devolutions Server: Add multiple
* Server 1: Name "Production DVLS", URL ""
* Server 2: Name "Test DVLS", URL ""
* ***Devolutions Cloud instances***: Add one
* Devolutions Cloud URL: ""
* Organization ID: "org–abc123"
* ***Application Settings***:
* Language: "English"
* Share Usage Data: Disabled
***Direct JSON*** (if not using schema):
```json
{
"dvls": [
{
"name": "Production devolutions-server",
"serverUrl": "https://devolutions-server–prod.company.com",
"serverVersion": "2024.1"
},
{
"name": "Test devolutions-server",
"serverUrl": "https://devolutions-server–test.company.com",
"serverVersion": "2024.1"
}
],
"hubs": [
{
"url": "https://password-manager.devolutions.app",
"organizationId": "org–abc123",
"type": "business",
"version": "2020"
}
],
"configs": {
"language": "en–US",
"shareUsageData": false
}
}
```
### Troubleshooting
#### Configuration not applied
***Problem:*** Users report no pre–configured workspaces appear.
***Solutions:***
1. ***Verify MDM enrollment:***
* iOS: Settings – General – VPN & Device Management – Check profile
2. ***Check configuration syntax:***
* Validate JSON syntax (use jsonlint.com)
* Ensure all required fields are present
3. ***Verify app is MDM–managed:***
* App must be deployed via MDM (not manually installed from App Store)
4. ***Re–apply configuration:***
* Delete app – Reinstall via MDM – Configuration applies on first launch
#### Users can't delete pending workspaces
Users stuck with pending workspaces they can't remove.
* ***New in version 2025.3.2:*** Users can now delete pending workspaces
* From drawer menu: Long–press workspace – Select "Remove"
* From pending screen: Tap "Remove" button
#### Wrong Settings Applied
Settings don't match expected values.
1. ***Check data types:***
* Booleans: Use `true`/`false` (not `"true"`/`"false"` strings)
* Integers: Use numbers without quotes (e.g., `60` not `"60"`)
* Strings: Always use quotes (e.g., `"en–US"`)
2. ***Verify setting names:***
* Check spelling (e.g., `lockInactivityDelay` not `lockInactivityTimeout`)
* Case–sensitive (use exact casing shown in schema)
#### Multiple instances of same workspace
Duplicate workspaces appear. Configuration was applied multiple times (app reinstalled or configuration changed).
* Pre–configuration checks for existing workspaces by URL
* If duplicates exist, users can delete extras via drawer menu
#### Biometric lock not working
Face ID/Touch ID not activating.
1. ***Check device support***: Verify device has Face ID or Touch ID hardware
2. ***Check iOS settings***: Ensure Face ID/Touch ID is set up in Settings
3. ***Check permissions***: App may need biometric permission from user
4. ***Fallback***: System automatically falls back to passcode if biometric unavailable
### Best practices
#### 1. Test configuration first
Before deploying to all users:
1. Create a test user/device group in Jamf.
2. Apply configuration to test group.
3. Verify workspaces and settings work as expected.
4. Roll out to production.
#### 2. Use AppConfig specfile
For Jamf Pro deployments:
* Always use the AppConfig specfile (option A).
* Provides user–friendly GUI form via the [Jamf AppConfig Generator](https://generator.appconfig.jamfresearch.com/generator).
* Validates configuration before deployment.
* Prevents syntax errors.
* Shows all available options with descriptions.
#### 3. Document configuration
Maintain documentation of your MDM configuration including:
* Which workspaces are pre–configured
* What settings are enforced
* Expected user experience
* Support contact for issues
#### 4. User communication
Inform users:
* Workspaces will be pre–configured
* They still need to log in with their credentials
* Configuration happens on first app launch
* Contact IT if workspaces don't appear
#### 5. Security considerations
***Recommended security settings:***
```json
{
"lockingOption": "biometric",
"useBackgroundLock": true,
"backgroundLockDelay": 0,
"useLockWhenInactive": true,
"lockInactivityDelay": 300,
"shareUsageData": false
}
```
***Why:***
* Enforces Face ID/Touch ID authentication
* Locks app immediately when backgrounded
* Auto–locks after 5 minutes of inactivity
* Disables usage data collection (optional)
#### 6. Version compatibility
* ***Minimum Version:*** 2025.3.2 (for full pending workspace support)
* Devolutions Server v***ersions:*** Devolutions Server 2023.3+ recommended
* ***iOS:*** 13.0+ required
#### 7. URL format requirements
All URLs must:
* Include protocol (`https://`)
* Be valid, accessible URLs
* Not end with trailing slash (app will normalize)
***Examples:***
* `https://devolutions-server.company.com`
* `https://password-manager.devolutions.app`
* `devolutions-server.company.com` (missing https\://)
* `http://devolutions-server.company.com` (HTTP not recommended)
#### 8. Handle multiple environments
For organizations with multiple environments (prod, dev, test):
* Create separate Jamf configuration profiles for each environment
* Scope each profile to appropriate device groups
* Users in each environment get correct workspaces automatically
### Quick reference
#### Minimal configuration
```json
{
"dvls": [
{
"name": "Devolutions Server",
"serverUrl": "https://devolutions-server.example.com"
}
]
}
```
#### Preference domain
```
net.devolutions.workspace.mobile
```
#### Deployment steps summary
1. Download the [AppConfig specfile](https://cdnweb.devolutions.net/docs/workspace_mobile_appconfig_specfile.xml).
2. Upload to the [Jamf AppConfig Generator](https://generator.appconfig.jamfresearch.com/generator).
3. Configure settings via the GUI form.
4. Download the generated plist.
5. In Jamf Pro: Mobile Device Apps – Devolutions Password Manager – App Configuration.
6. Paste the plist, scope to target devices, and deploy.
{% endtab %}
{% endtabs %}
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.devolutions.net/password-manager/knowledge-base/application-knowledge-base/devolutions-password-manager-pre-configuration.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.